CodeCon submission deadline reminder
Here's a reminder that the deadline for submissions to CodeCon 2006 is this week. Feel free to forward this to project developers who might not otherwise see it.

--Len.

--

CodeCon 2006
February 10-12, 2006
San Francisco CA, USA
www.codecon.org

Call For Papers

CodeCon is the premier showcase of cutting edge software development. It is an excellent opportunity for programmers to demonstrate their work and keep abreast of what's going on in their community.

All presentations must include working demonstrations, ideally accompanied by source code. Presentations must be done by one of the active developers of the code in question. We emphasize that demonstrations be of *working* code.

We hereby solicit papers and demonstrations.

* Papers and proposals due: December 15, 2005
* Authors notified: January 1, 2006

Possible topics include, but are by no means restricted to:

* community-based web sites - forums, weblogs, personals
* development tools - languages, debuggers, version control
* file sharing systems - swarming distribution, distributed search
* security products - mail encryption, intrusion detection, firewalls

Presentations will be 45 minutes long, with 15 minutes allocated for Q&A. Overruns will be truncated.

Submission details:

Submissions are being accepted immediately. Acceptance dates are November 15, and December 15. After the first acceptance date, submissions will be either accepted, rejected, or deferred to the second acceptance date.

The conference language is English.

Ideally, demonstrations should be usable by attendees with 802.11b connected devices either via a web interface, or locally on Windows, UNIX-like, or MacOS platforms. Cross-platform applications are most desirable.

Our venue will be 21+.

To submit, send mail to submissions-2006 at codecon.org including the following information:

* Project name
* url of project home page
* tagline - one sentence or less summing up what the project does
* names of presenter(s) and urls of their home pages, if they have any
* one-paragraph bios of presenters, optional, under 100 words each
* project history, under 150 words
* what will be done in the project demo, under 200 words
* slides to be shown during the presentation, if applicable
* future plans

General Chair: Jonathan Moore
Program Chair: Len Sassaman

Program Committee:

* Bram Cohen, BitTorrent, USA
* Jered Floyd, Permabit, USA
* Ian Goldberg, Zero-Knowledge Systems, CA
* Dan Kaminsky, Avaya, USA
* Ben Laurie, The Bunker Secure Hosting, UK
* Nick Mathewson, The Free Haven Project, USA
* David Molnar, University of California, Berkeley, USA
* Jonathan Moore, Mosuki, USA
* Meredith L. Patterson, University of Iowa, USA
* Len Sassaman, Katholieke Universiteit Leuven, BE

Sponsorship:

If your organization is interested in sponsoring CodeCon, we would love to hear from you. In particular, we are looking for sponsors for social meals and parties on any of the three days of the conference, as well as sponsors of the conference as a whole and donors of door prizes. If you might be interested in sponsoring any of these aspects, please contact the conference organizers at codecon-admin at codecon.org.

Press policy:

CodeCon provides a limited number of passes to qualifying press. Complimentary press passes will be evaluated on request. Everyone is welcome to pay the low registration fee to attend without an official press credential.

Questions:

If you have questions about CodeCon, or would like to contact the organizers, please mail codecon-admin at codecon.org. Please note this address is only for questions and administrative requests, and not for workshop presentation submissions.
- The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: automatic toll collection, was Japan Puts Its Money on E-Cash
Some Americans, analysts note, are already using a version of e-cash to bypass toll lanes on highways.

Don't take that as a sign of consumer acceptance, though. In Illinois, if you won't pre-pay your tolls in $40 increments, you will pay double the rate in cash at the tollbooth.

Here in the northeast where E-ZPass is much more established, the discounts for using the pass are much smaller unless you get a commuter plan, but they're extremely popular because they save a great deal of time. In New Jersey, they've redone several high-volume toll plazas so the road splits with the right lanes going to toll booths and the left lanes running under a grid of pass readers where you don't even slow down. The prepay increment is only $15.

And the electronic system is anything but anonymous.

No argument there. I always figured that I'll use my pass for normal travel but wrap it in foil and pay cash when I'm disposing of my political opponents' bodies. Couldn't have been me, my car has a pass. Look at all these toll logs.

R's,
John
Re: secure links using classical (i.e., non-quantum) physics
I am discussing implementing a very simple version of this with the author. If anyone else is interested in participating or just watching, email me and I'll keep you in the loop. -- http://www.lightconsulting.com/~travis/ -- P=NP if (P=0 or N=1) My love for mathematics is like 1/x as x approaches 0. GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
Re: X.509 / PKI, PGP, and IBE Secure Email Technologies
On Mon, 12 Dec 2005 10:59:05 -0600, Travis H said:

Not to side track the discussion, but frequently I've heard PKI compared to PGP's model. Isn't PGP's trust model the same as everyone being their own CA?

You need to clarify the trust model. The OpenPGP standard does not define any trust model at all. The standard merely defines features useful to implement a trust model. AFAIK, PGP provides two different trust models; with GnuPG you may also select between 4 trust models. However this is implementation specific and not part of the standard. The classic web of trust is just the commonly used one. It is a pity that many commonly used mail programs don't even make use of any real trust model but use the always trust model. The newer trust model pgp makes use of the advanced OpenPGP features and allows implementing a hierarchical model very similar to the X.509 one. In fact it is a superset of the X.509 model.

Salam-Shalom,

Werner
Re: crypto for the average programmer
Travis H. [EMAIL PROTECTED] writes:

In Peter Gutmann's godzilla cryptography tutorial, he has some really good (though terse) advice on subtle gotchas in using DH/RSA/Elgamal. I learned a few no-nos, such as not sending the same message to 3 separate users in RSA (if using 3 as an encryption exponent).

I should point out that what's in the tutorial isn't an exhaustive list of potential pitfalls, it simply contains examples of some of the easiest-to-explain ones. The reason for adding that section was that I've seen a number of cases of people using raw PKC ops (e.g. raw, unpadded RSA) because their boss told them "Use RSA encryption" and their crypto toolkit provides an rsaEncrypt() function, the result being that they encrypt a 10MB file with RSA in ECB mode. Java is the main offender here, they make it pretty trivial to do this even though it makes no sense, so people who are told to encrypt this with RSA end up using the RSA-ECB that their tools give them.

My question is, what is the layperson supposed to do, if they must use crypto and can't use an off-the-shelf product? Is there any site tracking such gotchas as they show up in the literature?

I don't know if there's any site tracking this, but (as the tutorial says) you can either go with PKCS #1 (the de facto standard, easy to implement and widely used) or if you want to put in the effort of tracking things through the literature to see which one is currently in fashion, take your pick of OAEP, RSA-PSS, Simple RSA, and so on ad nauseam. The P1363 work tracks progress in this area pretty closely, although you'll need some sort of P1363-to-English phrasebook to figure out what they're saying.

Are there APIs written specifically so that a crypto-naive programmer can safely use them?

Uhh, do you want a non-off-the-shelf product or an off-the-shelf product? If off-the-shelf is OK, grab any crypto toolkit that handles this for you and use that, you know that if it's used in any standard protocol and interoperates with a pile of other software then there's a good chance they've got it right.

Peter.
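The low-exponent pitfall discussed in this message, as an added example that is not part of the original post or of the tutorial it cites: with e = 3 and no padding, three ciphertexts of one message determine the message through the Chinese remainder theorem and an integer cube root, while PKCS #1 v1.5 random padding makes the three plaintexts differ so no shared cube root exists. The toy key generation, the function names and the sample message are assumptions constructed for the illustration.

```python
import secrets
from math import gcd, prod

def is_probable_prime(n, rounds=24):
    """Miller-Rabin test; n must be odd and greater than 3."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits=256):
    """Random prime p with p % 3 == 2, so that e = 3 is invertible mod p - 1."""
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if c % 3 == 2 and is_probable_prime(c):
            return c

def gen_moduli(count=3):
    """Constructed toy keys: one 512-bit modulus per recipient, pairwise coprime."""
    moduli = [gen_prime() * gen_prime() for _ in range(count)]
    if any(gcd(a, b) != 1 for i, a in enumerate(moduli) for b in moduli[:i]):
        return gen_moduli(count)  # shared factor is vanishingly unlikely; retry
    return moduli

def pkcs1_v15_pad(msg, n):
    """PKCS #1 v1.5 encryption block: 00 || 02 || PS || 00 || M, PS random nonzero."""
    ps_len = (n.bit_length() + 7) // 8 - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(ps_len))
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + msg, "big")

def crt(residues, moduli):
    """Chinese remainder theorem for pairwise-coprime moduli."""
    product = prod(moduli)
    return sum(r * (product // n) * pow(product // n, -1, n)
               for r, n in zip(residues, moduli)) % product

def icbrt(x):
    """Floor of the cube root of a non-negative integer, by binary search."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** 3 <= x else (lo, mid - 1)
    return lo

def shared_cube_root(ciphertexts, moduli):
    """Return m if every ciphertext is m**3 mod n_i for one m with m**3 < prod(n_i)."""
    combined = crt(ciphertexts, moduli)
    root = icbrt(combined)
    return root if root ** 3 == combined else None

def broadcast(msg, moduli, padded):
    """Encrypt msg to each recipient with e = 3, then test for a shared cube root."""
    cts = []
    for n in moduli:
        m = pkcs1_v15_pad(msg, n) if padded else int.from_bytes(msg, "big")
        cts.append(pow(m, 3, n))  # e = 3, the low exponent from the thread
    return shared_cube_root(cts, moduli)

if __name__ == "__main__":
    sample, keys = b"CONSTRUCTED-SAMPLE-" + b"K" * 29, gen_moduli()  # constructed input
    print("raw RSA, same message x3 :", broadcast(sample, keys, padded=False) is not None)
    print("PKCS #1 v1.5 padded x3   :", broadcast(sample, keys, padded=True) is not None)
```

The 48-byte sample is chosen so that its cube exceeds any single modulus; a shorter unpadded message would already be exposed by one ciphertext alone.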
Deal on EU data retention law
[http://www.europarl.eu.int/news/expert/infopress_page/019-3536-348-12-50-902-20051206IPR03225-14-12-2005-2005--false/default_en.htm] Deal on EU data retention law The European Parliament adopted today by 378 votes in favour, 197 against and 30 abstentions a directive on data retention in first reading. The final text negotiated beforehand with the Council aims to facilitate judicial co-operation in criminal matters by approximating Member States' legislation on the retention of data processed by telecommunications companies. The directive covers traffic and location data generated by telephony, SMS and internet, but not the content of the information communicated. The new EU law will help national authorities to track down possible criminals and terrorists by granting them access to a list of all telephone calls, SMS or Internet connections made by suspects during the previous few months. The amendments finally adopted were a compromise between the PES and EPP groups with the Council and differed in some key points to the draft directive adopted initially by the Civil Liberties Committee. The GUE, Greens and UEN groups and some members from the ALDE group voted against the directive in the final vote. Alexander Nuno ALVARO (ALDE, DE) was unhappy with the result of the compromise adopted and withdrew his name as rapporteur. Limited access to data In the final text adopted, Parliament is proposing a number of amendments to the Commission text to restrict the use of retained data and ensure that the future law fully respects the privacy of the telephone and internet users. On the aim of the directive, MEPs agree with the need to retain data for the detection, investigation and prosecution of crime, but only for “specified forms” of serious criminal offences (terrorism and organised crime), and not for the mere “prevention” of all kinds of crime. MEPs feel that the concept of prevention is too vague and could lead to abuse of the system from national authorities. 
The directive will provide for data to be retained by the telecommunications companies for a minimum of six months and a maximum of 24. MEPs also added a provision for “effective, proportionate and dissuasive” penal sanctions for companies who fail to store the data or misuse the retained information. Only the competent authorities determined by Member States should have access to the retained data from phone or internet providers. Furthermore, each national government will designate an independent authority responsible for monitoring the use of the data. MEPs also establish that access to retained data should be limited to specific purpose and on a case by case basis (push system): each time, the authorities would need to request to the telecom company that the data related to a concrete suspect, instead of having granted access to the whole database. As for the type of data to be retained, MEPs finally supported the registration of location data on calls, SMS and internet use, including unsuccessful calls. This point was controversial due to the fact that telecom companies do not currently register lost calls for billing purposes and so to do this using new technologies would be expensive. Spanish MEPs strongly supported the Council position to include the retention of unsuccessful calls, since the terrorist attacks in Madrid were prosecuted thanks to the investigation of specific lost calls from mobile phones. Who foots the bill? Finally, MEPs decided to delete the paragraph in which it was mandatory for Member States to reimburse telecom companies for all additional costs of retention, storage and transmission of data. In the draft directive adopted by the Civil Liberties Committee, MEPs had initially called for the full reimbursement of costs. --- Stefan Kelm Security Consultant Secorvo Security Consulting GmbH Ettlinger Strasse 12-14, D-76137 Karlsruhe Tel. 
+49 721 255171-304, Fax +49 721 255171-100 [EMAIL PROTECTED], http://www.secorvo.de/ --- PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B
How security could benefit from high volume spam
How security could benefit from high volume spam

The parliament of the European Union today has passed a law that electronic call detail records, such as phone numbers, e-mail addresses, web accesses of all 450 million EU citizens are to be recorded and stored for 6 to 24 months. So everyone will be subject of complete surveillance of telecommunication. No place to hide.

The given reasons are the need to investigate and prosecute terrorism and severe crime. But there is no evidence that this law actually has this effect, and that it is worth to sacrifice democracy and civil rights. Our constitution protects the right to communicate confidentially, for all citizens, and especially for lawyers, journalists, priests, etc.

So terrorists finally begin to succeed in destructing our European, modern, democratic, and free way of life and civil rights. It is ridiculous that the modern world has not been attacked by a large army, but by just about 30-40 people with knives and a few bombs. The attack is not the primary attack itself. The main attack is to provoke overextended counter measures. Technically spoken, a denial-of-civil-rights-attack. And the EU proved to be vulnerable to this kind of attack. A patch is not available yet.

Another threat to privacy and civil rights is the intellectual property industry. We have seen Sony attacking and sabotaging private computers, revealing private data, taking secretly control over people's communication and working equipment. We have seen a mother of five been sued into bankruptcy in the USA just for listening to music. This is perverse. We currently see governments considering to outlaw open source software or any kind of data processing or communication device without a digital rights management.

There are good reasons to assume, that the European Union's collection of all telecommunication details will be abused to allow the intellectual property industry to completely track every communication.
Just having received any e-mail from someone who had illegally downloaded music could be enough to have your home searched, your computer confiscated, and find yourself sued or prosecuted.

The art and science of communication security will have to realign and focus on new goals. When designing telecommunication protocols we have to take much more care about what communication could reveal about the communication parties and the contents. It is not enough to just put some kind of simple encryption on a message body. We need to protect against traffic analysis, in particular the one without democratic legitimation.

What does that mean? When designing a protocol we should take more care than we did to describe its vulnerability for and resistance against traffic analysis. Not just whether the contents are encrypted, but what an eavesdropper can tell about the communicating parties. We need to incorporate techniques like oblivious transfer and traffic hiding.

An important component of such protection methods is noise. Plenty of noise. Something to hide in, to cover, to overload recording of call details. We should think about and research how to produce noise.

We already have some noise. It's called spam. Some of you might know that I am one of the early days fighters against spam. I tried to eliminate as much spam as possible. But now, there could be a positive aspect about spam, virus mails, and other mass mails. Maybe it could become an advantage to receive a million mails per day from any senders. Maybe that is what is needed to hide my personal e-mails. Maybe that's the answer I have to give when someone blames me to have received e-mail from the wrong person: I have no idea what you are talking about. I received about 150,000 virus and spam e-mails that day from arbitrary addresses, and didn't read a single one of them. I have just deleted them.

When designing measures against spam, we should take this into consideration.
Maybe in near future the advantages of that noise produced by millions of bots will outweigh the disadvantages? Comments are welcome. Hadmut Danisch
Re: crypto for the average programmer
On 12/14/05, Peter Gutmann [EMAIL PROTECTED] wrote:

I don't know if there's any site tracking this, but (as the tutorial says) you can either go with PKCS #1 (the de facto standard, easy to implement and widely used) ...

Actually, I'm embarrassed to admit this but I've seen PKCS before but never with enough context to know what it was; I thought it was some kind of RSA proprietary mumbo-jumbo. But, oh dear, it involves ASN.1. That rules out use by the layperson. I've run into ASN.1 before with regard to SNMP, and it struck me as infinitely more complex than anything I'd ever need to query packet counts on my router. MIBs, subtype constraints, multiple sets of encoding rules, schemata? Hopeless.

The descriptions of ASN.1 I've seen are more complicated than any cryptographic primitive I've ever run across. I'd trust an ASN.1 codec library about as much as I'd trust a DCE/RPC codec, give or take an order of magnitude.

I'm not trying to be excessively curmudgeonly today, but I have to note that the top Google hit for ASN.1 has a list of myths about ASN.1, of which the last two are true, a tutorial that begins with me writing an ASN.1 specification with no guidance or introduction whatsoever, and defines ASN.1 as a formalism for the specification of abstract data types. Oh, well that clears it up. Does it help me adopt new paradigms of data representation in a dynamic, fast-paced environment? And with that, I'm out. :-P

-- http://www.lightconsulting.com/~travis/ -- P=NP if (P=0 or N=1) My love for mathematics is like 1/x as x approaches 0. GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
RE: crypto for the average programmer
On 12/14/05, Peter Gutmann [EMAIL PROTECTED] wrote:

I don't know if there's any site tracking this, but (as the tutorial says) you can either go with PKCS #1 (the de facto standard, easy to implement and widely used) ...

Actually, I'm embarrassed to admit this but I've seen PKCS before but never with enough context to know what it was; I thought it was some kind of RSA proprietary mumbo-jumbo. But, oh dear, it involves ASN.1. That rules out use by the layperson. I've run into ASN.1 before with regard to SNMP, and it struck me as infinitely more complex than anything I'd ever need to query packet counts on my router.

Have a look at PKCS#1. There's hardly any ASN.1 in it at all and the structures are relatively simple. There's also a PKCS examples document that talks you through it.

William
[EMAIL PROTECTED]: [Politech] E.U. Parliament votes to force data retention on telecom, Net firms [priv]]
--- begin forwarded text

Date: Wed, 14 Dec 2005 14:24:50 -0500
To: Philodox Clips List [EMAIL PROTECTED]
From: R. A. Hettinga [EMAIL PROTECTED]
Subject: [EMAIL PROTECTED]: [Politech] E.U. Parliament votes to force data retention on telecom, Net firms [priv]]

--- begin forwarded text

Date: Wed, 14 Dec 2005 17:20:03 +0100
From: Eugen Leitl [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [EMAIL PROTECTED]: [Politech] E.U. Parliament votes to force data retention on telecom, Net firms [priv]]
User-Agent: Mutt/1.5.9i
Sender: [EMAIL PROTECTED]

Just as well, I can spare writing up a blurb.

- Forwarded message from Declan McCullagh declan@well.com -

From: Declan McCullagh declan@well.com
Date: Wed, 14 Dec 2005 08:00:49 -0800
To: politech@politechbot.com
Subject: [Politech] E.U. Parliament votes to force data retention on telecom, Net firms [priv]
User-Agent: Mozilla Thunderbird 1.0.6 (Macintosh/20050716)

Previous Politech messages:

http://www.politechbot.com/2005/12/05/european-data-retention/
http://www.politechbot.com/2005/09/23/european-commission-proposes/
http://www.politechbot.com/2005/06/16/feds-contemplate-forcing/

Original Message
Subject: EU Parliament agrees to data retention
Date: Wed, 14 Dec 2005 16:20:00 +0100
From: Ralf Bendrath [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: Declan McCullagh declan@well.com

Declan, something for Politech?

Very bad news from Europe. The European Parliament this morning voted in favour of a backroom deal that had been made between the two big parties in Brussels and the Council of Ministers, currently chaired by the UK. The deal completely ignored the amendments proposed by the Parliament's Rapporteur and by the Justice and Civil Liberties Committee that was (well - officially) in charge of the process.

After a hot debate and a number of signs of cracks in the party blocks, a majority of 378 parliamentarians voted in favour of mandatory retention of telecommunications data, 197 against, 30 abstained.
This is in short what we will get now:

- retention of telephone and internet connection data (including email addresses) and location data for mobile phone calls
- no harmonisation of the retention period (6 to 24 months but longer is allowed: Poland wants 15 years)
- no harmonisation of cost reimbursement for the needed investments on the providers' side
- no limitation to certain types of crimes for which access is allowed
- retention of unsuccessful call attempts
- no independent evaluation
- no extra privacy safeguards
- follow-up committee without representation from civil rights organisations

Civil liberties organizations, consumers organizations and all the telco industry associations as well as journalists associations had been fighting like hell against this major and unprecedented surveillance plan until the last minute. We did not win (the outcome is in fact the worst possible, exactly what the UK home affairs minister Clarke wanted), but we at least raised a lot of awareness and disturbed the conservative and social-democrat party lines. But the UK council presidency had pushed so hard after the London bombings that this directive will enter the EU history as the one which took the shortest time ever from the first Commission draft to the final vote (less than three months - normally they need years).

The next steps will be the adoption by the Council of Ministers (before Christmas) and then the implementation process into national laws. There will be challenges to this plan before the constitutional courts. I am pretty sure that the German constitutional court will not like it, as it recently had ruled unconstitutional a major eavesdropping plan on phone calls - and that one was only directed at suspicious persons, whereas the EU directive applies to every single communication of all 450 Million inhabitants of the EU.

More information, including recordings of the EP debate, is available at http://wiki.dataretentionisnosolution.com/.
Ralf (European Digital Rights, www.edri.org)

Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)

- End forwarded message -

--
Eugen* Leitl leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

--- end forwarded text

--
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may