Re: ATM machine security
Lee Parkes wrote: Hi, I'm working on a project that requires a benchmark against which to judge various suppliers. The closest that has similar requirements is the ATM industry. To this end I'm looking for any papers, specifications or published attacks against ATM machines and their infrastructure. I'm also looking for what type of networks they use and the crypto they use to protect comms. Also any standards would be good that the ATM industry has to adhere to. messages/networks tend to be some flavor of iso8583 (used for both credit and debit). most associations have requirement for DUKPT (derived unique key per transaction) DES and transition to 3DES. do search engine some flavor of 8583, dukpt, and/or x9 (x9 is the us/ansi financial standards organization ... they have some recognition at places like NIST where they've gotten around to saying that they no longer have to rewrite X9 crypto standards for FIPS ... but can directly reference the X9 documents). lots of the attacks aren't directly on the ATM machines ... but on the cards used at ATM machines ... aka skimming attacks. there is the stuff about overlays on the front of ATM machines to capture information as the card passes thru for valid transactions. the captured information is then used to manufacture counterfeit cards (i think there was even a scene on this on one of last seasons CSI tv shows). - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Digital Water Marks Thieves
My complaint is against the parroting of patently absurd claims by manufacturers (or governments, for that matter) under the guide of journalism. If you need the reason to be concrete, here's one: I might buy this magic water and apply it to some of my stuff, figuring I don't have to shell out for a second pint because Robert Andrews has assured me the thieves can't determine that it's on my Thing-1 but not my Thing-2. There are tens of thousands of places inside a vehicle that a VIN# can be stashed. Sometimes you don't always want the attacker to know where the marks are. The point is that the thief should think anything expensive is protected, by which I mean it's too traceable to fence. At least right now, this is working. Hard to argue with success. --Dan
RE: SHA-1 results available
http://theory.csail.mit.edu/~yiqun/shanote.pdf No real details, just collisions for 80 round SHA-0 (which I just confirmed) and 58 round SHA-1 (which I haven't bothered with), plus the now famous work factor estimate of 2^69 for full SHA-1. As usual, Technical details will be provided in a forthcoming paper. I'm not holding my breath. A preprint was circulating at the RSA conference; Adi Shamir had a copy. Similar techniques were used by Vincent Rijmen and Elizabeth Oswald, in their paper available at http://eprint.iacr.org/2005/010. William
Re: Digital Water Marks Thieves
On Feb 22, 2005, at 10:57, Dan Kaminsky wrote: The point is that the thief should think anything expensive is protected, by which I mean it's too traceable to fence. That would be the thinking of a thief who read the article and took it at face value. A more clever thief would realize that the magic water would respond to *his* ultraviolet light just as well as the police's. (And in today's climate, the counter-counteraction will be a measure to outlaw ultraviolet lights in the hands of private citizens ...) Let's vary piracy / with a little burglary!
Re: Code name Killer Rabbit: New Sub Can Tap Undersea Cables
On Feb 18, 2005, at 19:47, R.A. Hettinga wrote: It does continue to be something of a puzzle as to how they get this stuff back to home base, said John Pike, a military expert at GlobalSecurity.org. I should think that in many cases, they can simply lease a fiber in the same cable. What could be simpler?
Re: Many Wireless Security Breaches Reported At (RSA) Security Conference
(As I've said many times, security breaches reported at conferences full of security people don't count as a predictor of what's out in the real world as a threat. But, it makes for interesting reading and establishes some metric on the ease of the attack. iang) I also recommend the brief discussion between Marcus Ranum and Bill Cheswick on the very same topic in the aftermath of the recent USENIX Security Symposium: http://www.usenix.org/publications/login/2004-12/openpdfs/wireless.pdf Cheers, Stefan. Our address and telephone number have changed! Stefan Kelm Security Consultant Secorvo Security Consulting GmbH Ettlinger Straße 12-14, D-76137 Karlsruhe Tel. +49 721 255171-304, Fax +49 721 255171-100 [EMAIL PROTECTED], http://www.secorvo.de/ --- PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B
I'll show you mine if you show me, er, mine
http://www.theregister.co.uk/2005/02/21/crypto_wireless/print.html The Register Original URL: http://www.theregister.co.uk/2005/02/21/crypto_wireless/ I'll show you mine if you show me, er, mine By Lucy Sherriff (lucy.sherriff at theregister.co.uk) Published Monday 21st February 2005 17:11 GMT Security researchers have developed a new cryptographic technique they say will prevent so-called stealth attacks against networks. A stealth attack is one where the attacker acts remotely, is very hard to trace, and where the victim may not even know he was attacked. The researchers say this kind of attack is particularly easy to mount against a wireless network. The so-called delayed password disclosure protocol was developed by Jakobsson and Steve Myers of Indiana University. The protocol allows two devices or network nodes to identify themselves to each other without ever divulging passwords. The protocol could help secure wireless networks against fraud and identity theft, and protect sensitive user data. The technique will be particularly useful in ad-hoc networks, where two or more devices or network nodes need to verify each others' identity simultaneously. Briefly, it works like this: point A transmits an encrypted message to point B. Point B can decrypt this, if it knows the password. The decrypted text is then sent back to point A, which can verify the decryption, and confirm that point B really does know point A's password. Point A then sends the password to point B to confirm that it really is point A, and knows its own password. The researchers say that this will prevent consumers connecting to fake wireless hubs at airports, or in coffee shops.
It could also be used to notify a user about phishing attacks, scam emails that try to trick a user into handing over their account details and passwords to faked sites, provide authentication between two wireless devices, and make it more difficult for criminals to launder money through large numbers of online bank accounts. Jakobsson is hoping to have beta code available for Windows and Mac by the spring, and code for common mobile phone platforms later in 2005. More info available here (http://www.stealth-attacks.info). -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
FW: ATM machine security
Hi, I'm working on a project that requires a benchmark against which to judge various suppliers. The closest that has similar requirements is the ATM industry. To this end I'm looking for any papers, specifications or published attacks against ATM machines and their infrastructure. I'm also looking for what type of networks they use and the crypto they use to protect comms. Also any standards would be good that the ATM industry has to adhere to. My Apologies to the original poster here, but does this seem like a little human engineering to anyone else? I mean sounds to me like your project is a search for weakness in the ATM system in preparation for an attack, or have I misjudged and you are the well meaning integrating party who have commissioned a number of 'suppliers' build a new ATM system (or ATM like system) while methodically attempting to avoid past errors. If you are accepting bids from suppliers who already produce ATMs ie NEC or the like, how would your request help? would you be expecting them to subvert the existing standards to prevent attacks? Interestingly, I think the comment was tossed around here a few weeks ago, that building a new 'atm system' wouldn't be possible these days, given the competing standards, differing levels of what would be considered secure etc. Just curious, or was it paranoid, - who said that?
Re: I'll show you mine if you show me, er, mine
-- On 24 Feb 2005 at 2:29, Peter Gutmann wrote: Isn't this a Crypto 101 mutual authentication mechanism (or at least a somewhat broken reinvention of such)? If the exchange to prove knowledge of the PW has already been performed, why does A need to send the PW to B in the last step? You either use timestamps to prove freshness or add an extra message to exchange a nonce and then there's no need to send the PW. Also in the above B is acting as an oracle for password-guessing attacks, so you don't send back the decrypted text but a recognisable-by-A encrypted response, or garbage if you can't decrypt it, taking care to take the same time whether you get a valid or invalid message to avoid timing attacks. Blah blah Kerberos blah blah done twenty years ago blah blah a'om bomb blah blah. (Either this is a really bad idea or the details have been mangled by the Register). It is a badly bungled implementation of a really old idea. An idea, which however, was never implemented on a large scale, resulting in the mass use of phishing attacks. Mutual authentication and password management should have been designed into SSH/PKI from the beginning, but instead they designed it to rely wholly on everyone registering themselves with a centralized authority, which of course failed. SSH/PKI is dead in the water, and causing a major crisis on internet transactions. Needs fixing - needs to be fixed by implementing cryptographic procedures that are so old that they are in danger of being forgotten. --digsig James A. Donald
Re: I'll show you mine if you show me, er, mine
--- begin forwarded text To: [EMAIL PROTECTED] Subject: Re: I'll show you mine if you show me, er, mine Date: Wed, 23 Feb 2005 12:14:04 -0800 (PST) From: [EMAIL PROTECTED] (Hal Finney) Sender: [EMAIL PROTECTED] Markus Jakobsson is a really smart guy who's done some cool stuff, so I think this is probably better than it sounds in the article. His web site is http://www.informatics.indiana.edu/markus/ but I don't see any papers there that sound like what the article describes. I tried to reverse engineer the protocol from the article, and the results are below. But first let me put this into context. The security property seems to be that you send something to the server, and it sends you back something that proves that it knows your password. But neither a passive eavesdropper nor a MITM can learn anything about your password from observing or influencing the exchange. The best an attacker can do is to try to brute force your password by guessing it repeatedly and trying each guess out at the server. And this can be easily prevented by having the server refuse to answer more than a few bad password attempts. Note that this is different from simple PK based authentication, because the secret is human memorizable. And it's different from, say, having the server respond with a keyed hash of your passphrase, because an eavesdropper could then do an offline brute force search. The key feature is that the only attack is online brute forcing. There are already a lot of protocols in the literature which do this, often performing key agreement at the same time. The original one and most famous was SPEKE. There is a long list of such protocols at http://grouper.ieee.org/groups/1363/passwdPK/submissions.html. I don't know what properties this new protocol has that the old ones don't. Maybe it does have some and I am missing the point. Or there might be some patent issues that it is trying to work around. 
Anyway, here's my attempt at mimicking the protocol, based on the description of envelopes and carbon paper. You have a password, and so does the site you will login to. (Or, maybe the site has a salted hash of your password; you could use that instead.)

You set up a homomorphic encryption system. This is one where you can send an encrypted value to someone else, and he can do certain operations on the encrypted value, like multiplying it by a constant. In this case I think we only need to encrypt the value 1, and let the other guy multiply by his constant, which makes it simpler. I think ElGamal could work: you encrypt 1 as (g^k, y^k), where you'd make up a key y = g^x on the spot. You send this to the other guy who picks a random power j and raises both elements to that power, then multiplies the 2nd one by c: (g^(k*j), y^(k*j) * c), and sends it back to you. This is now a valid ElGamal encryption of c. But an observer can't tell what c is.

For a first cut at this protocol, you take each bit of the password (or salted hash) and create two encryptions of m = 1. It would look like this:

    E(1) E(1) E(1) E(1) E(1) ...
    E(1) E(1) E(1) E(1) E(1) ...

You send all these to the server. The server knows your password (or salted hash) and, for each pair of encrypted values, multiplies the one corresponding to password bit b_i by some constant c_i. The other one of the pair, corresponding to !b_i, it multiplies by a random r_i. The server sets it up so that the sum of all the c_i is zero. Then it sends all of them back to you. If your passphrase started 01101... it would be:

    E(c_1) E(r_2) E(r_3) E(c_4) E(r_5) ...
    E(r_1) E(c_2) E(c_3) E(r_4) E(c_5) ...

Now, you decrypt just the ones corresponding to the bits b_i and add up the decrypted plaintexts, giving you sum of c_i. If the result is zero, you know the server knew your password (or salted hash).
Actually this is not quite right, because the article says that you are not supposed to be able to decrypt both ciphertext values in the pair that corresponds to a password bit. Otherwise an imposter might be able to figure out your passphrase by doing one interaction with the server, then finding an element from each pair such that they all sum to zero. This is kind of knapsacky and it might not be that hard, I'm not sure. So I think what you could do is to send a valid ElGamal encryption of 1, and a bogus value which is not an ElGamal encryption of anything. But the remote party wants to be sure that you can't decrypt them both. One way to achieve this is to arrange that the first members of each pair, g^k in the good encryption, multiply to some fixed value F for which the discrete log is not known. Maybe it's the hash of I don't know if this will work. You can't know the DL of that hash, so you can't find two g^k values which multiply to that hash. That means that if you have a pair of ElGamal ciphertexts which have this property, only one is a real, valid ElGamal ciphertext and so only one is
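The ElGamal blinding step and the "first cut" exchange described in the message above, as an added example in Python that is not part of the original post or of any published protocol. The modulus, base, salt, use of SHA-256 for the salted hash and all function names are assumptions chosen for illustration; the sketch stops at the first cut, so it does not enforce the later restriction that only one ciphertext of each pair be decryptable.

```python
import hashlib
import secrets

# Toy group parameters (assumption, not from the post): the Mersenne prime
# 2^127 - 1 with base 3. Far too small and unvetted for real use.
P = 2**127 - 1
G = 3


def keygen():
    """Client makes up a key pair on the spot: secret x, public y = g^x."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def encrypt_one(y):
    """ElGamal encryption of the value 1: (g^k, y^k)."""
    k = secrets.randbelow(P - 2) + 1
    return pow(G, k, P), pow(y, k, P)


def blind_multiply(ct, c):
    """Raise both parts to a random power j, then multiply the second by c.

    The result (g^(k*j), y^(k*j) * c) is a valid encryption of c.
    """
    j = secrets.randbelow(P - 2) + 1
    a, b = ct
    return pow(a, j, P), pow(b, j, P) * c % P


def decrypt(x, ct):
    """Recover the plaintext b / a^x, using a^(P-1-x) as the inverse of a^x."""
    a, b = ct
    return b * pow(a, P - 1 - x, P) % P


def secret_bits(password, salt):
    """Bits of a salted SHA-256 hash, so both sides use 256 positions."""
    digest = hashlib.sha256(salt + password).digest()
    return [(byte >> i) & 1 for byte in digest for i in range(7, -1, -1)]


def zero_sum_constants(n):
    """n nonzero constants c_i whose sum is zero modulo P."""
    while True:
        cs = [secrets.randbelow(P - 1) + 1 for _ in range(n - 1)]
        last = -sum(cs) % P
        if last:
            return cs + [last]


def server_respond(pairs, bits):
    """Per pair: c_i goes in the slot for bit b_i, a random r_i in the other."""
    response = []
    for pair, b, c in zip(pairs, bits, zero_sum_constants(len(pairs))):
        r = secrets.randbelow(P - 1) + 1
        slots = [None, None]
        slots[b] = blind_multiply(pair[b], c)
        slots[1 - b] = blind_multiply(pair[1 - b], r)
        response.append(tuple(slots))
    return response


def client_verify(x, response, bits):
    """Decrypt only the slots matching the client's bits; the sum must be zero."""
    total = sum(decrypt(x, pair[b]) for pair, b in zip(response, bits))
    return total % P == 0


def run_exchange(client_password, server_password, salt=b"constructed-salt"):
    """One round: True means the server proved it holds the same secret."""
    x, y = keygen()
    client_bits = secret_bits(client_password, salt)
    pairs = [(encrypt_one(y), encrypt_one(y)) for _ in client_bits]
    response = server_respond(pairs, secret_bits(server_password, salt))
    return client_verify(x, response, client_bits)


if __name__ == "__main__":
    print(run_exchange(b"hunter2", b"hunter2"))  # matching secrets
    print(run_exchange(b"hunter2", b"letmein"))  # server holds a different secret
```

A server holding a different secret places random r_i values in roughly half of the slots the client decrypts, so the sum is zero only with probability about 1/P.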
Re: SHA-1 results available
* Jack Lloyd: http://theory.csail.mit.edu/~yiqun/shanote.pdf Thanks for the pointer. No real details, just collisions for 80 round SHA-0 (which I just confirmed) and 58 round SHA-1 (which I haven't bothered with), plus the now famous work factor estimate of 2^69 for full SHA-1. As usual, Technical details will be provided in a forthcoming paper. I'm not holding my breath. In addition, there's no trace of the second-preimage attack some persons recently alluded to.
Re: [IP] One cryptographer's perspective on the SHA-1 result
Burt Kaliski posted the following to Dave Farber's IP list. I was about to post something similar myself. Beyond that, it is now clear that the industry needs an open evaluation process -- like the Advanced Encryption Standard competition -- to establish a new hash function standard for the long term, or at least an alternative if SHA-256 and above turn out still to be good enough after review. As he quite eloquently pointed out, we have a near-monoculture of hash algorithms. Virtually every well-known hash algorithm, with the exception of Whirlpool, is derived from MD2/MD4/MD5. At the time SHA-0 was released, in fact, there was a great deal of speculation that NSA had copied Rivest's framework to avoid disclosing any new principles for hash function construction. I have no idea if that's true or not. As we all know, even NSA found SHA more problematic than they would have hoped; witness the release of SHA-1 not all that long afterwards. When NIST released SHA256/384/512 shortly after AES, but without a public competition, the word was that they didn't have the resources to run two simultaneous large-scale, open processes. That's a fair statement, and given the choice between an openly-chosen encryption algorithm and an openly-chosen hash function I think most of us would have made the same decision. I don't know if there's quite the need for open process for a hash function as there was for a secrecy algorithm. The AES process, after all, had to cope with the legacy of Clipper and key escrow, to say nothing of the 25 years of DES paranoia that was only laid to rest by the reinvention of differential cryptanalysis. (The Deep Crack machine only confirmed another part of the paranoia, of course, but the essential parameter it exploited -- key size -- was both obviously insufficient in 1979 and obviously sufficient from the requirements of the AES competition.) It is clear, as Burt said, that we need a large-scale effort to produce new and better hash functions. 
To try to repair the MD*/SHA* family is to risk the cry of epicycles. --Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
FW: [IP] One cryptographer's perspective on the SHA-1 result
Full disclosure: Burt Kaliski and I share an employer. Peter Trei -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of David Farber Sent: Wednesday, February 23, 2005 7:48 PM To: Ip Subject: [IP] One cryptographer's perspective on the SHA-1 result From: Kaliski, Burt [EMAIL PROTECTED] Subject: One cryptographer's perspective on the SHA-1 result To: [EMAIL PROTECTED] Date: Wed, 23 Feb 2005 19:43:43 -0500 Hi Dave -- As you might expect, the recent breakthrough on SHA-1 hash was a topic of widespread discussion at the annual RSA Conference last week in San Francisco. Commercial cryptography is one of few fields in IT which has totally absorbed the open review process. We know from experience that an ongoing and aggressive analysis of our current technology, searching out potential weaknesses, is a critical part of the process by which we strengthen it for the future. RSA Laboratories has just posted a brief note on the recent SHA-1 result, to supplement our earlier notes about MD5 and other hashes, at http://www.rsasecurity.com/rsalabs. In my opinion, the latest result on SHA-1 -- once confirmed -- will be one of the most significant results in cryptanalysis in the last decade. Hard work indeed brings a profit, as the proverb says, and the perseverance of Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu appears to have paid off with this unexpected special attack on SHA-1 that can find collisions in less than the promised 2^80 threshold. It is a delight to congratulate the Shandong University team on their achievement, and especially Dr. Yiqun Lisa Yin, for many years my colleague at RSA Laboratories, and one of the co-inventors of RSA Security's RC6 block cipher. This attack seems to have uncovered an unexpected weakness in one of the essential properties of SHA-1, a one-way hash function with a 160-bit output. 
Essentially, this new research suggests that it is considerably less difficult than expected to create two somewhat different data files that can be reduced and compressed to an identical hash value. Cryptographers call these collisions in hash outputs. A hash function takes a variable-length digital input and converts it into a fixed-length pseudo-random hash value that can serve as a useful fingerprint for the input file. A one-way hash function like SHA-1 is easy to compute in one direction, but it's very difficult to reconstitute the initial file from the hash value. A good hash function is also expected to be collision-free. That is, it should be hard to generate two input files which, put through the hash function, generate the same hash value. (Hash function collisions must exist, of course, since the hash inputs can be longer than the outputs -- but the design goal is to make them hard to find in practice.) These attributes have made the one-way hash one of the most useful primitives in modern cryptography. Hash functions are, for example, essential in deriving message authentication codes (MACs) and message digests, the small file that is actually cryptographically signed to create a digital signature for larger files, in a typical public key crypto application. MIT Professor Ron Rivest, one of the founders of RSA Security, created three one-way hashes that were widely used by cryptographers over the past 20 years (MD2, MD4, and MD5), but each of those was eventually deprecated as subtle weaknesses were discovered that suggested that the internal design was less robust than desired against potential future attacks. Any successful attack on SHA-1 based on the new result would still involve a huge amount of computer processing, so this latest research is unlikely (as many have said) to have any significant impact on past or current applications.
It is, however, a wake-up call for cryptographers and the industry leaders concerned with the long-term vitality of our technology. The SHA (aka SHA-0) hash function was developed for the US government in 1995 for use within the Digital Signature Standard. Its design was based on MD4. SHA was upgraded to SHA-1 early in its life cycle, apparently to address undisclosed weaknesses discovered by the NSA, and today SHA-1 is the industry standard. It is widely used and has been trusted by both developers and applied crypto engineers, although routine efforts to enhance SHA-1 with longer output values have led to the quiet development of SHA-256, SHA-385, and SHA-512 as design options for long-term applications. Although RSA Security, and most standards organizations, have recommended the use of SHA-1 for several years, Rivest's MD5 is still widely used in many applications despite research in the 1990s that discovered pseudo collisions within the internal operations of MD5. Then, last summer, there were additional results on MD5 that led many cryptographers to urge the abandonment of MD5 for SHA-1, which had withstood a great deal of analysis and was widely believed to be still secure. It is easy to
Chatter Punks
--- begin forwarded text Date: Thu, 24 Feb 2005 12:25:10 -0800 To: [EMAIL PROTECTED] From: John Young [EMAIL PROTECTED] Subject: Chatter Punks Sender: [EMAIL PROTECTED] Maybe it's been mentioned here but the book, Chatter: Dispatches from the Secret World of Global Eavesdropping, by Patrick Radden Keefe mentions cypherpunks and a slew of people who've been around here, or discussed, cited, admired, attacked and hated here. Crypto is featured, along with the TLAs, the fools who run them, the lackeys who suck their tits, the congress critters who give them a free pass no matter what fuck-ups damage the US and the unwary targets of spooks, 9/11 only one of many. It's a lively read, and a lot of its smooth-narrative content won't be new to avid readers of disputatious, thankfully ungrammatically cpunks, but it does get the slick word out to the public in an easy to swallow fashion. For us jacket addicts, there are favorable blurbs by David Kahn and Seymour Hersh. Keefe calls John Gilmore, Duncan Campbell, and other uninstitutionalized insurgents outcasts, but IEDs are where it's at, right? He also claims the NSA is a pitiful giant, protected against change by ever increasing secrecy blessed by congress and the administration, and that most of its new hires are security guards to protect against knowing what's inside, not the personnel truly needed. --- end forwarded text -- R. A. Hettinga
No Encryption for E-Passports
http://www.wired.com/news/print/0,1294,66686,00.html Wired News No Encryption for E-Passports By Ryan Singel? Story location: http://www.wired.com/news/privacy/0,1848,66686,00.html 02:00 AM Feb. 24, 2005 PT Despite widespread criticism from security experts that a proposed high-tech upgrade to Americans' passports actually introduces new security risks, the government is declining to encrypt data on new high-tech e-passports, according to proposed new rules published last week. In response to this outside criticism and some public questioning by one of its own contractors, the State Department delayed its rollout of the chip-equipped passports and hired additional companies to provide prototypes. Other countries are also wrangling with the issue, as the United States is requiring all 27 countries whose citizens do not need visas to visit America to begin issuing e-passports by October. So far only Belgium has started production, and it is likely the deadline, which was originally October 2004, will be pushed back another year. The new passports will include a radio frequency identification tag, a chip that will store all the information on the data page of the passport, including name, date and place of birth, and a digitized version of the photo passport, according to the proposal in the Federal Register. RFID chips are widely used in automatic toll-payment systems such as FasTrak, or identification chips implanted in the necks of pets. The chips are activated by a reader using certain radio frequency waves, which the chips use as an energy source to send back the encoded information. Border agents, equipped with readers, would be able to pull up passport information on a screen and visually compare the digitized photo against the passport bearer. Agents will also be able to use facial identification software to compare the person to the digitized photo, which is not feasible with current passports. 
The State Department, which has responsibility for passports and visas, hopes the measure will improve security and help curb passport forgery. The government will use chips that can only be written to once, and a further safeguard is provided in the form of a digital signature, which allows readers to verify that the information on the chip is the information originally written to it. But the rules, which are open for comment until April 4, rule out encrypting the bearer's name, birth date and digital photo, saying such a move would impede worldwide adoption of e-passports and that encrypted data would slow down entry and exit at customs. The lack of encryption baffles privacy advocates and security researchers, who say the new passports are vulnerable to skimming, an attack that uses an unauthorized reader to gather information from the RFID chip without the passport owner's knowledge. The State Department concedes that skimming is a legitimate threat, but says the chips will have a read range of inches, that eavesdropping at border stations would be very conspicuous and that the passports will have a shielding mechanism -- perhaps a foil case or a weave in the cover that will cloak the chip when the passport is closed. That does little to satisfy critics such as Lee Tien, an attorney at the Electronic Frontier Foundation. The State Department has not responded in any meaningful way to any of the privacy community, Tien said. They are offering the equivalent of duct tape and baling wire as far (as) protecting peoples' information from being read. It is my understanding it's possible to read this information from 10 to 30 feet away with the right equipment, Tien said. When you think about the issues Americans have, especially when they travel abroad -- do you really want your passport to be broadcasting your name and nationality? This isn't good for privacy or the physical security of Americans abroad. 
Bruce Schneier, a security expert and author who founded Counterpane Internet Security, questions how much shielding helps, since travelers often have to show identification to exchange currency or check into a hotel. Shielding is a good idea, but the problem is if you travel in Europe you are asked to show your passport a lot, Schneier said. So all that shielding means is that someone who wants to sniff my passport just has to pick his location. Schneier, who just renewed his passport to make sure he will not have an unencrypted passport for another 10 years, says he has yet to hear a good argument as to why the government is requiring remotely readable chips instead of a contact chip -- which could hold the same information but would not be skimmable. A contact chip would be so much safer, Schneier said. The only reason I can think of is the government wants surreptitious access. I'm running out of other explanations. I'd love to hear one. Not everyone in the RFID industry thinks the proposed rules compromise security more than they help. The goal is to
Senators Boxer, Clinton Unveil Count Every Vote Act of 2005
http://dailykos.com/story/2005/2/26/204031/168 Daily Kos :: Political Analysis and other daily rants on the state of the nation. Senators Boxer, Clinton Unveil Count Every Vote Act of 2005 by Hunter Sat Feb 26th, 2005 at 17:40:31 PST The email alerts on this were sent out last week. In case you missed it, here's the press release from Boxer. WASHINGTON, DC- U.S. Senators Hillary Rodham Clinton (D-NY) and Barbara Boxer (D-CA) today unveiled comprehensive voting reform legislation to make sure that every American is able to vote and every vote is counted. Senators Clinton and Boxer announced the legislation today in a press conference joined by Representative Stephanie Tubbs Jones (D-OH), who will sponsor the legislation in the House of Representatives, and voting rights advocates. [...] The Count Every Vote Act of 2005 will provide a voter verified paper ballot for every vote cast in electronic voting machines and ensures access to voter verification for all citizens, including language minority voters, illiterate voters and voters with disabilities. The bill mandates that this ballot be the official ballot for purposes of a recount. The bill sets a uniform standard for provisional ballots so that every qualified voter will know their votes are treated equally, and requires the Federal Election Assistance Commission to issue standards that ensure uniform access to voting machines and trained election personnel in every community. The bill also improves security measures for electronic voting machines. To encourage more citizens to exercise their right to vote, the Count Every Vote Act designates Election Day a federal holiday and requires early voting in each state. The bill also enacts no-excuse absentee balloting, enacts fair and uniform voter registration and identification, and requires states to allow citizens to register to vote on Election Day. 
It also requires the Election Assistance Commission to work with states to reduce wait times for voters at polling places. In addition, the legislation restores voting rights for felons who have repaid their debt to society. The Count Every Vote Act also includes measures to protect voters from deceptive practices and conflicts of interest that harm voter trust in the integrity of the system. In particular, the bill restricts the ability of chief state election officials as well as owners and senior managers of voting machine manufacturers to engage in certain kinds of political activity. The bill also makes it a federal crime to commit deceptive practices, such as sending flyers into minority neighborhoods telling voters the wrong voting date, and makes these practices a felony punishable by up to a year of imprisonment. Boxer, Clinton, and Tubbs Jones deserve our support on this one -- the Republican strategy will be to attempt to ignore this completely, and bury it long before it could ever reach the floor. Let's make that a painful strategy to have, by singling out each opponent of voting reform as they fling themselves in front of this bus. Having accurate vote counts should not be a partisan issue. The fact that it is says volumes about the cowardice and reliance on grass-roots thuggery of the current Republican party. And yeah, Jeb -- I'm talking about you. -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
SpookAir, redux: No Secrets -- Eyes on the CIA
http://www.msnbc.msn.com/id/7037720/site/newsweek/print/1/displaymode/1098/ MSNBC.com No Secrets: Eyes on the CIA Newsweek March 7 issue - Aviation obsessives with cameras and Internet connections have become a threat to cover stories established by the CIA to mask its undercover operations and personnel overseas. U.S. intel sources complain that plane spotters -- hobbyists who photograph airplanes landing or departing local airports and post the pix on the Internet -- made it possible for CIA critics recently to assemble details of a clandestine transport system the agency set up to secretly move cargo and people -- including terrorist suspects -- around the world. Google searches revealed that plane spotters Web-posted numerous photos of two private aircraft -- one a small Gulfstream jet and the other a midsize Boeing 737 -- registered to obscure companies suspected of CIA connections. Some of the pictures were taken at airports in foreign countries where CIA activities could be controversial. When the 737 last year went through a change of tail number and ownership -- a suspicious company in suburban Boston apparently transferred the plane to a similar company in Reno, Nev. -- Internet searches of aviation and public-record databases disclosed details of the plane's new owners and registration number. One critical database, accessible via Google, was a central aircraft registry maintained by the government's own Federal Aviation Administration. A U.S. intel source acknowledged that the instant availability of such data and photos on the Internet is not helpful if your object is clandestinity. (To see how it works, check the Web for info on a business jet carrying the Liechtenstein tail number HB-IES. The search should turn up pictures of that plane at a European airport, as well as public records and news stories describing how the plane, registered to a company called Aviatrans, once belonged to Saddam Hussein.) Intel sources say the CIA's own lawyers years ago decreed that under U.S.
law the agency must register its aircraft -- including their tail numbers and the front companies that own them -- with public authorities like the FAA, even though this could provide clues to clandestine activity. Agency officials and lawyers have discussed the possibility of changing U.S. laws and regulations to make it easier for the agency to hide its activities. That may be difficult, so for now, plane spotters can keep their eyes on the CIA. -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Italian GSM provider warns: too many wiretaps
Mr-Rogers Now, boys and girls, try not to laugh *too* hard, and be sure you swallow your Wheaties before you read this... /M-R Cheers, RAH --- http://www.edri.org/edrigram/number3.4/wiretap | EDRI EDRI-gram » EDRI-gram - Number 3.4, 24 February 2005 Italian GSM provider warns: too many wiretaps 24 February, 2005 » Privacy | Wiretapping The Italian mobile operator TIM, one of the largest mobile phone companies in Italy has issued a unique warning that the number of wiretaps has reached the limit. In a fax sent to all Italian public prosecutors they say that they have already over-stretched their capacity from 5.000 to 7.000 simultaneously intercepted mobile phones. New requests now have to be processed on a 'first come first serve' basis, they write. Even more unique in the current secretive environment of law enforcement, the Italian Minister of Justice Roberto Castelli (right-wing Lega Nord) has provided the newspaper Repubblica with statistics about the number of wiretaps and costs. The number of wiretaps has doubled every two years, he said, from 32.000 intercepts in 2001, to 45.000 in 2002, to 77.000 in 2003. He estimates the number of wiretaps in 2004 to be 100.000, costing the Justice department approx. 300.00 million euro in cost reimbursements. In 2003 the department of Justice spent 225 million euro on the intercepts, in 2002 230 million and in 2001 165 million. Castelli admitted the number of police intercepts in Italy was very high. Currently Italy has approx. 58 million inhabitants. With 100.000 intercepts in 2004, Italy orders 172 judicial intercepts per 100.000 inhabitants. There is no information about wiretaps ordered by secret services in any country. Castelli referred to the report of the German Max Planck Institute which already concluded Italy was the wiretapping champion of the (western) world with 76 intercepts per 100.000 inhabitants (44.000 wiretaps in 1996).
The number two on the European wiretapping list in 1996, the Netherlands, refuses to provide any recent statistics. According to unofficial estimates the Netherlands intercepted 12.000 phones (fixed and mobile) in 2004. If those numbers are correct, the Netherlands have 75 intercepts per 100.000 inhabitants. In the United States, the most recent public statistics date from 2002. They mention 1.273 court ordered intercepts on a population of approx. 293 million, totalling 0,43 intercepts per 100.000 inhabitants. The UK Communication Commissioner mentions a total of 1.983 warrants for intercepts in 2003 on a population of 59,5 million, totalling 3,3 intercepts per 100.000 inhabitants. One possible explanation for the explosion of the number of wiretaps in Italy is their short duration. An order is valid for 15 days and can only be extended with a new motivation from a magistrate. Only for investigations into organised crime an intercept can last 40 days. In many other countries, intercepts have a duration of 1 to 3 months. Vodafone and Wind, two other major mobile phone companies, are also reaching their maximum wiretapping capacity, reports Repubblica. While Castelli used the occasion to warn against overuse of wiretapping in investigations, the Italian magistracy doesn't seem to agree. Edmondo Bruto Liberati, President of the National Association of Magistrates (association of both judges and public prosecutors) stressed that wiretapping is much cheaper than individual covert surveillance. He complained about the vast under-financing the judicial apparatus is currently suffering from. This public debate between the Minister and the magistracy points at a more fundamental division in Italian politics. By stressing the immense costs of wiretapping the Minister of Justice adds weight to his attempt to shift the costs to the Ministry of Internal Affairs. Generally the Minister pictures an image of a foolish magistracy that abundantly spends public money.
This comes as no surprise to many Italians, given the tense relationship between Berlusconi and the magistracy. MP Giovanni Russo Spena (left wing opposition, Rifondazione Comunista) has demanded an explanation from the government about the massive use of wiretapping in investigations and wishes to be informed how citizens are protected against this potential and actual invasion of their privacy rights. -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
SpookAir, redux: No Secrets -- Eyes on the CIA
-- On 27 Feb 2005 at 18:53, R.A. Hettinga wrote: March 7 issue - Aviation obsessives with cameras and Internet connections have become a threat to cover stories established by the CIA to mask its undercover operations and personnel overseas. U.S. intel sources complain that plane spotters -- hobbyists who photograph airplanes landing or departing local airports and post the pix on the Internet -- made it possible for CIA critics recently to assemble details of a clandestine transport system the agency set up to secretly move cargo and people -- including terrorist suspects -- around the world.

Brinworld: They may be watching us, but we are also watching them. The large number of surveillance cameras popping up in American cities has turned out to be no threat to liberty. Most of them are privately owned, and their private owners have no inclination to review their records, unless a real crime has been committed, and no inclination to hand over to authorities records that would primarily reveal their own activities. In recent incidents where private surveillance camera records were given to authorities, the authorities received only selected excerpts, only what the owner of the records chose to reveal.

--digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG PS5fDA87MKS6uCbiF0gJ/R+39ekRuwLazrAsTyAa 4MxSlekoFzNrLXER1RoAItoikUPxKn3udKQokRxkB
Colliding X.509 Certificates
Hi all, We announce the construction of two different valid X.509 certificates that have identical signatures. This is based on MD5 collisions. One could e.g. construct the to-be-signed parts of the certificates, and get the one certificate signed by a CA. Then a valid signature for the other certificate is obtained, while the CA has not seen proof of possession of the private key of this second certificate. The certificates we constructed can be downloaded from http://www.win.tue.nl/~bdeweger/CollidingCertificates/. From this site some more technical information can be downloaded as well. We provide a short paper explaining in detail our method. It is available on the website, and on the Cryptology ePrint Archive, at http://eprint.iacr.org/2005/067. This is joint work with Arjen Lenstra (Lucent Bell Labs and TU Eindhoven) and Xiaoyun Wang (Shandong University). Grtz, Benne de Weger = Technische Universiteit Eindhoven Coding Crypto Groep Faculteit Wiskunde en Informatica Den Dolech 2 Postbus 513 5600 MB Eindhoven e-mail: [EMAIL PROTECTED] www: http://www.win.tue.nl/~bdeweger =
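A check a defender can run in response to the announcement above, as an added example that is not part of the original post or the authors' paper: it walks the DER structure of a certificate and flags MD5-based (and MD2-based) signature algorithms, plus any disagreement between the signed inner algorithm field and the outer one. The OID byte strings are the standard PKCS #1 values; the function names and the sample input (a constructed skeleton with the Certificate layout, not a real certificate) are assumptions made for illustration.

```python
# DER content bytes of signature-algorithm OIDs (tag and length not included).
MD5_RSA = bytes.fromhex("2a864886f70d010104")     # 1.2.840.113549.1.1.4
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
WEAK_SIG_OIDS = {
    bytes.fromhex("2a864886f70d010102"): "md2WithRSAEncryption",
    MD5_RSA: "md5WithRSAEncryption",
}


def read_tlv(buf, off):
    """Parse one DER TLV at `off`; return (tag, value_start, value_end)."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, off, off + length


def children(buf, start, end):
    """Return (tag, value_start, value_end) for each TLV inside a constructed value."""
    out = []
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        out.append((tag, vs, ve))
        start = ve
    return out


def algorithm_oid(buf, alg):
    """Return the OID bytes of an AlgorithmIdentifier SEQUENCE."""
    tag, vs, ve = alg
    parts = children(buf, vs, ve) if tag == 0x30 else []
    if not parts or parts[0][0] != 0x06:
        raise ValueError("AlgorithmIdentifier without OID")
    return bytes(buf[parts[0][1]:parts[0][2]])


def audit_certificate(der):
    """Return findings about the signature algorithm of a DER certificate."""
    tag, vs, ve = read_tlv(der, 0)
    top = children(der, vs, ve) if tag == 0x30 else []
    if len(top) != 3 or top[0][0] != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    tbs = children(der, top[0][1], top[0][2])
    skip = 1 if tbs and tbs[0][0] == 0xA0 else 0  # optional [0] version
    if len(tbs) < skip + 2:
        raise ValueError("tbsCertificate too short")
    inner = algorithm_oid(der, tbs[skip + 1])  # tbsCertificate.signature
    outer = algorithm_oid(der, top[1])         # Certificate.signatureAlgorithm
    findings = []
    if inner != outer:
        findings.append("signature algorithm mismatch between tbsCertificate and outer field")
    for oid in dict.fromkeys((inner, outer)):  # de-duplicate, keep order
        if oid in WEAK_SIG_OIDS:
            findings.append("collision-prone signature hash: " + WEAK_SIG_OIDS[oid])
    return findings


def tlv(tag, body):
    """DER-encode one TLV; used only to build the constructed sample."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body


def sample_certificate(inner_oid, outer_oid):
    """Constructed skeleton with the Certificate layout; not a verifiable certificate."""
    def alg(oid):
        return tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + alg(inner_oid) + tlv(0x30, b"") * 4)  # empty issuer..key placeholders
    return tlv(0x30, tbs + alg(outer_oid) + tlv(0x03, b"\x00" + b"\xaa" * 128))


if __name__ == "__main__":
    print(audit_certificate(sample_certificate(MD5_RSA, MD5_RSA)))
```
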
MD5 collision in X509 certificates
Cute. I expect we'll see more of this kind of thing. http://eprint.iacr.org/2005/067 Executive summary: calculate chaining values (called IV in the paper) of first part of the CERT, find a colliding block for those chaining values, generate an RSA key that has the collision as the first part of its public key, profit. BTW, reading this made me notice that Dan Kaminsky's attacks are wrong in detail, if not in essence. Because the output of the MD5 block function depends on the chaining values from previous blocks, it is not the case that you can prepend arbitrary material to your colliding block, as he claims. However, you can (according to the paper above) generate collisions with any IV, so if you know what the prepended material is, then Kaminsky's attack will still work. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff
Re: MD5 collision in X509 certificates
Ben, Semantic gap, and I do apologize if I didn't make this clear. Wang adapts to any initial state, so you can create arbitrary content to prepend your collision set with, adapt to its output, and then append whatever you like. The temporal ordering is indeed important though; you can't create the doppelganger set before you know what's prepended to it. The fact that we can have arbitrary content adapted to allows for a critical expansion of the applied risks (i.e. we wouldn't be seeing colliding certs w/o it). I don't think it's fair to say my attacks -- in some vague, general sense -- are wrong, given what was at best a small difference in interpretation. The x.509 cert collision is a necessary consequence of the earlier discussed prime/not-prime collision. Take the previous concept, make both prime, and surround with the frame of an x.509 cert, and you get the new paper. Still nice to see...Rescorla specifically thought it wasn't possible. I look forward to actually having the code to work on this myself. --Dan

Ben Laurie wrote: Cute. I expect we'll see more of this kind of thing. http://eprint.iacr.org/2005/067 Executive summary: calculate chaining values (called IV in the paper) of first part of the CERT, find a colliding block for those chaining values, generate an RSA key that has the collision as the first part of its public key, profit. BTW, reading this made me notice that Dan Kaminsky's attacks are wrong in detail, if not in essence. Because the output of the MD5 block function depends on the chaining values from previous blocks, it is not the case that you can prepend arbitrary material to your colliding block, as he claims. However, you can (according to the paper above) generate collisions with any IV, so if you know what the prepended material is, then Kaminsky's attack will still work. Cheers, Ben.
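The point the two messages above make about chaining values and ordering, as an added example that is not from either post or from the paper: a toy Merkle-Damgård hash shows that blocks made to collide after one known prefix keep colliding when a common suffix is appended, stop colliding after a different prefix, and can be recomputed once that other prefix is known. The 24-bit state, 8-byte blocks, truncated SHA-256 compression function and brute-force birthday search are all assumptions standing in for MD5 and the paper's method.

```python
import hashlib
import itertools

STATE_BYTES = 3   # toy 24-bit chaining value (MD5's is 128 bits)
BLOCK_BYTES = 8   # toy block size (MD5's is 64 bytes)
IV = bytes.fromhex("012345")  # constructed initial chaining value


def compress(chain, block):
    """Toy compression function: truncated SHA-256 of chaining value || block."""
    return hashlib.sha256(chain + block).digest()[:STATE_BYTES]


def chain_after(message, chain=IV):
    """Chaining value after absorbing a block-aligned message.

    Length padding is omitted: the colliding messages compared here have
    equal length, so an identical padding block would not change the result.
    """
    if len(message) % BLOCK_BYTES:
        raise ValueError("message must be block-aligned")
    for i in range(0, len(message), BLOCK_BYTES):
        chain = compress(chain, message[i:i + BLOCK_BYTES])
    return chain


def find_colliding_blocks(chain):
    """Birthday search for two distinct blocks that collide under `chain`.

    Feasible only because the toy state is 24 bits; it stands in for the
    search described in the paper and is not that method.
    """
    seen = {}
    for counter in itertools.count():
        block = counter.to_bytes(BLOCK_BYTES, "big")
        out = compress(chain, block)
        if out in seen:
            return seen[out], block
        seen[out] = block


def demo():
    """Return which message pairs collide; all inputs are constructed."""
    prefix = b"CERT-HDR" * 2        # the leading part known in advance
    other_prefix = b"OTHERHDR" * 2  # a different leading part
    suffix = b"TRAILER!" * 3        # common trailing part

    # Collision computed for the chaining value left by `prefix`.
    b1, b2 = find_colliding_blocks(chain_after(prefix))
    # Collision recomputed once `other_prefix` is known.
    c1, c2 = find_colliding_blocks(chain_after(other_prefix))

    def same(x, y):
        return chain_after(x) == chain_after(y)

    return {
        "blocks_differ": b1 != b2,
        "after_known_prefix": same(prefix + b1, prefix + b2),
        "with_common_suffix": same(prefix + b1 + suffix, prefix + b2 + suffix),
        "after_other_prefix": same(other_prefix + b1, other_prefix + b2),
        "with_default_iv_only": same(b1, b2),
        "recomputed_for_other_prefix": same(other_prefix + c1 + suffix,
                                            other_prefix + c2 + suffix),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
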
Re: MD5 collision in X509 certificates
Dan Kaminsky wrote: The x.509 cert collision is a necessary consequence of the earlier discussed prime/not-prime collision. Take the previous concept, make both prime, and surround with the frame of an x.509 cert, and you get the new paper.

Actually, not - an RSA public key is not prime. Generating colliding public keys takes quite a bit more work. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff
Re: MD5 collision in X509 certificates
Ben Laurie wrote: Dan Kaminsky wrote: The x.509 cert collision is a necessary consequence of the earlier discussed prime/not-prime collision. Take the previous concept, make both prime, and surround with the frame of an x.509 cert, and you get the new paper.

Actually, not - an RSA public key is not prime. Generating colliding public keys takes quite a bit more work.

*laughs* Yes, I suppose it would be difficult for pq to be prime now wouldn't it :) So they've basically solved: md5(pq) == md5(p'q') For integer values of p, q, p' and q'. You are right, this is much more work. --Dan
FYI: paper about Metcalfe's Law
--- begin forwarded text Date: Wed, 2 Mar 2005 23:20:58 -0600 (CST) From: Andrew Odlyzko [EMAIL PROTECTED] To: Andrew Odlyzko [EMAIL PROTECTED] Subject: FYI: paper about Metcalfe's Law Dear Colleagues, Sorry for the spam, but I thought you might be interested in the paper described below. Comments are invited. Andrew A refutation of Metcalfe's Law and a better estimate for the value of networks and network interconnections Andrew Odlyzko Digital Technology Center University of Minnesota [EMAIL PROTECTED] Benjamin Tilly [EMAIL PROTECTED] Abstract Metcalfe's Law states that the value of a communications network is proportional to the square of the size of the network. It is widely accepted and frequently cited. However, there are several arguments that this rule is a significant overestimate. (Therefore Reed's Law is even more of an overestimate, since it says that the value of a network grows exponentially, in the mathematical sense, in network size.) This note presents several quantitative arguments that suggest the value of a general communication network of size n grows like n*log(n). This growth rate is faster than the linear growth, of order n, that, according to Sarnoff's Law, governs the value of a broadcast network. On the other hand, it is much slower than the quadratic growth of Metcalfe's Law, and helps explain the failure of the dot-com and telecom booms, as well as why network interconnection (such as peering on the Internet) remains a controversial issue. FULL PAPER AT: http://www.dtc.umn.edu/~odlyzko/doc/metcalfe.pdf --- end forwarded text -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. 
-- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: FUD about CGD and GBDE
In message [EMAIL PROTECTED], Thor Lancelot Simon writes: On Thu, Mar 03, 2005 at 05:31:34PM +0100, Poul-Henning Kamp wrote: In message [EMAIL PROTECTED], ALeine writes: Not necessarily, if one were to implement the ideas I proposed I believe the performance could be kept at the same level as now. I gave up on journalling myself because IMO it complicates things a lot and the problem it solves is very very small. The impact in disk seeks is non-trivial to predict, but it is very hard to argue that it will not lead to an increase in disk seeks. (This is really a variant of the age old argument between journaling filesystems and traditional filesystems) I can only recommend that you try :-) We need more ideas and more people trying out ideas.

I could not disagree more. When it comes to nonstandard homebrewed cryptosystems foisted off on unsuspecting users with a bundle of claims of algorithm strength that they're not competent to evaluate for themselves, we do not need more ideas, nor more people trying out ideas; we need less. Standard, widely analyzed cryptographic algorithms are good.

What Thor said. It's instructive to quote from Vol. 2 of Knuth:

With all the precautions taken in Algorithm K, doesn't it seem plausible that it would produce at least an infinite supply of unbelievably random numbers? No! In fact, when this algorithm was first put onto a computer, it almost immediately converged to the 10-digit value 6065038420, which---by extraordinary coincidence---is transformed into itself by the algorithm (see Table 1). With another starting number, the sequence began to repeat after 7401 values, in a cyclic period of length 3178. The moral to this story is that *random numbers should not be generated with a method chosen at random*. Some theory should be used.

And Knuth was talking about a situation without an adversary. I don't claim that there's a flaw. I do assert that I haven't seen a threat model that would justify extra complexity.
Let me go one step further. The cryptographic literature is full of examples of broken protocols. My favorite is the flaw in the original Needham-Schroeder protocol, from 1978, that went unnoticed until 1996, when an automated tool found it. I should add that once pointed out, the flaw is blindingly obvious -- but it went unnoticed for 18 years, in the oldest protocol in the open literature. Btw, in modern terms this protocol is 3 lines long. One more quote, this time a remarkably prescient one from that Needham and Schroeder: Finally, protocols such as those developed here are prone to extremely subtle errors that are unlikely to be detected in normal operation. The need for techniques to verify the correctness of such protocols is great, and we encourage those interested in such problems to consider this area.
Re: I'll show you mine if you show me, er, mine
Reading the description from http://www.stealth-attacks.info/, it seems that Peter might be right. I think this is just a re-hash of already well established ideas. In the case of sending the password back to B, it's a very similar scenario to scene III, where Athena suggests to Euripides that the ticket life-time be once off (once use); Euripides goes: it would make using services on the network too difficult, why not give it a time stamp for the duration of the person's work day - a ticket generating ticket. The play goes on from there; in the end Charon, which is then quickly renamed Kerberos, is made. Then 1988 now 2005, I would say that's about 13 years... :) Name of play is Designing An Authentication System: A Dialogue In Four Scenes by Bill Bryant

Arash Be one who knows what they don't know, Instead of being one who knows not what they don't know, Thinking they know everything about all things. http://www.partow.net
Re: FW: ATM machine security
On Thu, Feb 24, 2005 at 02:24:38AM +1100, Chris Trott wrote: My Apologies to the original poster here, but does this seem like a little human engineering to anyone else?

No problem. As it happens the project I'm working on isn't for ATMs but for a system that shares some similarities:

* Located in potentially hostile environments
* Subject to abuse and civil disobedience
* Use of crypto and anti tampering devices
* Compliance with a standard outlined by the police and understood in the legal system [1]

[1] The standards are 9 years old, but they were, at the time, in line with what the financial industry used. However, as we all know, industry has moved on and we are looking to see if the vendors are keeping up with better practice than was available 9 years ago.

One of the main things I'm looking for is not so much *how* to break into an ATM, but what happens when one is, for example, are the keys (if pre-shared) deleted? One vendor of the system has the key encryption key (KEK) stored on a smartcard, which won't be deleted if power is lost. This goes against the police guidelines, but there may be a precedent in the financial industry that says Hey, that's ok if you do X,Y and Z. My employer is looking for that sort of information, especially if it is easily understood by lawyers. The financial industry provided the best background for a legal system to understand.

I mean sounds to me like your project is a search for weakness in the ATM system in preparation for an attack, or have I misjudged and you are the well meaning integrating party who have commissioned a number of 'suppliers' build a new ATM system (or ATM like system) while methodically attempting to avoid past errors.

I work for a large global Professional Services company, but I prefer to keep queries like this to my private email address.
But, and you'll just _have_ to trust me on this one, I don't do anything illegal because I know I'd get caught :) Besides, doing fun stuff and getting paid for it is far better than being in jail..

If you are accepting bids from suppliers who already produce ATMs ie NEC or the like, how would your request help ? would you be expecting them to subvert the existing standards to prevent attacks ?

See above, but basically the bidders need to be able to justify that the system they are going to use has safeguards in place. We aren't talking about money here, but there is a watertight need to maintain evidential integrity of the data transmitted across the network. The network itself will be protected via VPN *BUT* it will be assumed to be a hostile network, and potentially an attacker could harvest enough packets to make a brute force attack viable.

competing standards, differing levels of what would be considered secure etc.

Standards, so many to choose from :)

Just curious, or was it paranoid, - who said that ?

/me looks over his shoulder :)

Lee -- -- [EMAIL PROTECTED] DOC #25 GLASS #136 I Need A Reason To Stand Up And Fight Need To Believe What I See - The Silver Drop - Mnemic