Re: NSA offering 'billions' for Skype eavesdrop solution

2009-02-14 Thread Adam Fields
On Fri, Feb 13, 2009 at 11:24:35AM -0500, Steven M. Bellovin wrote:
> Counter Terror Expo: News of a possible viable business model for P2P
> VoIP network Skype emerged today, at the Counter Terror Expo in London.
> An industry source disclosed that America's supersecret National
> Security Agency (NSA) is offering billions to any firm which can
> offer reliable eavesdropping on Skype IM and voice traffic.
>
> http://www.theregister.co.uk/2009/02/12/nsa_offers_billions_for_skype_pwnage/

Of course, this could just be a smokescreen to try to convince people
that they can't already do it.

The voice traffic may be hard to break, but the fact that every client
can download my entire IM history when logging into a new machine kind
of kills the "it's p2p so we can't track it" argument. Those messages
are stored somewhere.

-- 
- Adam

** Expert Technical Project and Business Management
 System Performance Analysis and Architecture
** [ http://www.adamfields.com ]

[ http://workstuff.tumblr.com ] ... Technology Blog
[ http://www.aquick.org/blog ]  Personal Blog
[ http://www.adamfields.com/resume.html ].. Experience
[ http://www.flickr.com/photos/fields ] ... Photos
[ http://www.twitter.com/fields ].. Twitter
[ http://www.morningside-analytics.com ] .. Latest Venture
[ http://www.confabb.com ]  Founder

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


ANNOUNCING allmydata.org Tahoe, the Least-Authority Filesystem, v1.3

2009-02-14 Thread zooko

Folks:

We make some strong security claims about this distributed storage  
system (I guess it's called Cloud Storage now):


This filesystem is encrypted and distributed over multiple peers in  
such a way it continues to function even when some of the peers are  
unavailable, malfunctioning, or malicious.


Such ambitious security goals benefit greatly from public criticism  
and review, so please kick the tires and let us know what you think.


Regards,

Zooko

ANNOUNCING allmydata.org Tahoe, the Least-Authority Filesystem, v1.3

We are pleased to announce the release of version 1.3.0 of Tahoe, the
Least Authority Filesystem.

Tahoe-LAFS is a secure, decentralized, fault-tolerant filesystem.  All
of the source code is available under a choice of two Free Software,
Open Source licences.

This filesystem is encrypted and distributed over multiple peers in
such a way it continues to function even when some of the peers are
unavailable, malfunctioning, or malicious.

Here is the one-page explanation of the security and fault-tolerance
properties that it offers:

http://allmydata.org/source/tahoe/trunk/docs/about.html

This is the successor to v1.2, which was released July 21, 2008 [1].
This is a major new release, adding a repairer, an efficient backup
command, support for large files, an (S)FTP server, and much more.

See the NEWS file [2] and the known_issues.txt file [3] for more
information.

In addition to the many new features of Tahoe itself, a crop of related
projects have sprung up, including Tahoe frontends for Windows and
Macintosh, two front-ends written in JavaScript, a Tahoe plugin for
duplicity, a Tahoe plugin for TiddlyWiki, a project to create a new
backup tool, CIFS/SMB integration, an iPhone app, and three incomplete
Tahoe frontends for FUSE. See Related Projects on the wiki: [4].


COMPATIBILITY

The version 1 branch of Tahoe is the basis of the consumer backup
product from Allmydata, Inc. -- http://allmydata.com .

Tahoe v1.3 is fully compatible with the version 1 branch of Tahoe.
Files written by v1.3 clients can be read by clients of all versions
back to v1.0 unless the file is too large -- files greater than about
12 GiB (depending on the configuration) can't be read by older clients.
v1.3 clients can read files produced by clients of all versions since
v1.0.  v1.3 servers can serve clients of all versions back to v1.0 and
v1.3 clients can use servers of all versions back to v1.0 (but can't
upload large files to them).

This is the fourth release in the version 1 series.  We believe that
this version of Tahoe is stable enough to rely on as a permanent store
of valuable data.  The version 1 branch of Tahoe will be actively
supported and maintained for the foreseeable future, and future versions
of Tahoe will retain the ability to read files and directories produced
by Tahoe v1 for the foreseeable future.


WHAT IS IT GOOD FOR?

With Tahoe, you can distribute your filesystem across a set of
computers, such that if some of the computers fail or turn out to be
malicious, the entire filesystem continues to be available, thanks to
the remaining computers.  You can also share your files with other
users, using a simple and flexible access control scheme.

Because this software is new, we do not categorically recommend it as
the sole repository of data which is extremely confidential or
precious.  However, we believe that erasure coding, strong encryption,
Free/Open Source Software and careful engineering make Tahoe safer than
common alternatives, such as RAID, removable drive, tape, or on-line
storage or Cloud storage systems.

This software comes with extensive unit tests [5], and there are no
known security flaws which would compromise confidentiality or data
integrity.  (For all currently known issues please see the
known_issues.txt file [2].)

This release of Tahoe is suitable for the friendnet use case [6] --
it is easy to create a filesystem spread over the computers of you and
your friends so that you can share disk space and files.


LICENCE

You may use this package under the GNU General Public License, version
2 or, at your option, any later version.  See the file COPYING.GPL
[7] for the terms of the GNU General Public License, version 2.

You may use this package under the Transitive Grace Period Public
Licence, version 1.0.  The Transitive Grace Period Public Licence has
requirements similar to the GPL except that it allows you to wait for
up to twelve months after you redistribute a derived work before
releasing the source code of your derived work. See the file
COPYING.TGPPL.html [8] for the terms of the Transitive Grace Period
Public Licence, version 1.0.

(You may choose to use this package under the terms of either licence,
at your option.)


INSTALLATION

Tahoe works on Linux, Mac OS X, Windows, Cygwin, and Solaris, and
probably most other systems.  Start with docs/install.html [9].


HACKING AND COMMUNITY

Please join us on the mailing list [10].  Patches that extend and

preparing a web 2.0 crypto talk

2009-02-14 Thread Travis
Hi,

I've been working on a presentation for the local OWASP chapter, and here it is:

http://www.subspacefield.org/security/web_20_crypto.pdf

I'd like suggestions on how to stretch this talk out a bit.  I would
particularly like good examples of real web apps that have done crypto
wrong - and how.

Unfortunately, I found this talk, Cryptography for Pen Testers, after
writing mine:

http://video.google.com/videoplay?docid=-5187022592682372937

It has a lot of similar material, but I think his talk is much better
because it goes into how it would actually be attacked.  He also must
have powerpoint-fu whereas I'm using lyx

Any opinions?
-- 
Crypto ergo sum.  http://www.subspacefield.org/~travis/
Do unto other faiths as you would have them do unto yours.
If you are a spammer, please email j...@subspacefield.org to get blacklisted.



Re: Property Rights in Keys

2009-02-14 Thread Nicholas Bohm
In responding to what Steven M. Bellovin wrote about GeoTrust, I
mentioned the low UK copyright law requirement for creativity.

As a postscript to that observation, I draw attention to s9(3) of the UK
Copyright, Designs and Patents Act 1988:

(3) In the case of a literary, dramatic, musical or artistic work which
is computer-generated, the author shall be taken to be the person by
whom the arrangements necessary for the creation of the work are undertaken.

And s178 provides the definition: "computer-generated", in relation to
a work, means that the work is generated by computer in circumstances
such that there is no human author of the work.

These provisions seem to me to work quite aptly to encompass a key-pair.

Nicholas Bohm
-- 
Salkyns, Great Canfield, Takeley,
Bishop's Stortford CM22 6SX, UK

Phone  01279 870285(+44 1279 870285)
Mobile  07715 419728(+44 7715 419728)

PGP public key ID: 0x899DD7FF.  Fingerprint:
5248 1320 B42E 84FC 1E8B  A9E6 0912 AE66 899D D7FF



Re: preparing a web 2.0 crypto talk

2009-02-14 Thread Adam Shostack
On Fri, Feb 13, 2009 at 08:08:34PM -0600, Travis wrote:
| http://video.google.com/videoplay?docid=-5187022592682372937
| 
| It has a lot of similar material, but I think his talk is much better
| because it goes into how it would actually be attacked.  He also must
| have powerpoint-fu whereas I'm using lyx
| 
| Any opinions?

If his talk is already better, why don't you ask if you can use his
deck?  It seems foolish to reinvent the wheel, poorly, and doubly so
when you know you're doing that.

