nCipher says co-founder Nicko van Someren steps down from board

2007-12-24 Thread R. A. Hettinga

http://www.hemscott.com/news/latest-news/item.do?newsId=57266946539337

Hemscott



London: 15:16, 24 Dec



nCipher says co-founder Nicko van Someren steps down from board

LONDON (Thomson Financial) - Software company nCipher PLC said co-founder
Nicko van Someren will step down from the board on Dec 31.


The company said van Someren was chief technology officer for more  
than 11 years, but had reduced his working commitments earlier in the  
year.


He has agreed to provide advice and support to the company for the  
first six months of 2008, nCipher added.
The company said it expects to announce new executive appointments in  
the new year.



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


[EMAIL PROTECTED]: [Politech] E.U. Parliament votes to force data retention on telecom, Net firms [priv]]

2005-12-14 Thread R. A. Hettinga

--- begin forwarded text


 Date: Wed, 14 Dec 2005 14:24:50 -0500
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R. A. Hettinga [EMAIL PROTECTED]
 Subject:  [EMAIL PROTECTED]: [Politech] E.U. Parliament votes to force
  data retention on telecom, Net firms [priv]]


 --- begin forwarded text


  Date: Wed, 14 Dec 2005 17:20:03 +0100
  From: Eugen Leitl [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Subject: [EMAIL PROTECTED]: [Politech] E.U. Parliament votes to force
data retention on telecom, Net firms [priv]]
  User-Agent: Mutt/1.5.9i
  Sender: [EMAIL PROTECTED]

  Just as well, I can spare writing up a blurb.

  - Forwarded message from Declan McCullagh declan@well.com -

  From: Declan McCullagh declan@well.com
  Date: Wed, 14 Dec 2005 08:00:49 -0800
  To: politech@politechbot.com
  Subject: [Politech] E.U. Parliament votes to force data retention on
   telecom, Net firms [priv]
  User-Agent: Mozilla Thunderbird 1.0.6 (Macintosh/20050716)

  Previous Politech messages:
  http://www.politechbot.com/2005/12/05/european-data-retention/
  http://www.politechbot.com/2005/09/23/european-commission-proposes/
  http://www.politechbot.com/2005/06/16/feds-contemplate-forcing/

   Original Message 
  Subject: EU Parliament agrees to data retention
  Date: Wed, 14 Dec 2005 16:20:00 +0100
  From: Ralf Bendrath [EMAIL PROTECTED]
  Reply-To: [EMAIL PROTECTED]
  To: Declan McCullagh declan@well.com

  Declan, something for Politech? Very bad news from Europe.

  The European Parliament this morning voted in favour of a backroom deal
  that had been made between the two big parties in Brussels and the Council
  of Ministers, currently chaired by the UK. The deal completely ignored the
  amendments proposed by the Parliament's Rapporteur and by the Justice and
  Civil Liberties Committee that was (well - officially) in charge of the
  process. After a hot debate and a number of signs of cracks in the party
  blocks, a majority of 378 parliamentarians voted in favour of mandatory
  retention of telecommunications data, 197 against, 30 abstained.

  This is in short what we will get now:

  - retention of telephone and internet connection data (including email
  addresses) and location data for mobile phone calls
  - no harmonisation of the retention period (6 to 24 months but longer is
  allowed: Poland wants 15 years)
  - no harmonisation of cost reimbursement for the needed investments on the
  providers' side
  - no limitation to certain types of crimes for which access is allowed
  - retention of unsuccessful call attempts
  - no independent evaluation
  - no extra privacy safeguards
  - follow-up committee without representation from civil rights organisations

  Civil liberties organizations, consumers organizations and all the telco
  industry associations as well as journalists associations had been
  fighting like hell against this major and unprecedented surveillance plan
  until the last minute. We did not win (the outcome is in fact the worst
  possible, exactly what the UK home affairs minister Clarke wanted), but we
  at least raised a lot of awareness and disturbed the conservative and
  social-democrat party lines. But the UK council presidency had pushed so
  hard after the London bombings that this directive will enter the EU
  history as the one which took the shortest time ever from the first
  Commission draft to the final vote (less than three months - normally they
  need years).

  The next steps will be the adoption by the Council of Ministers (before
  Christmas) and then the implementation process into national laws. There
  will be challenges to this plan before the constitutional courts. I am
  pretty sure that the German constitutional court will not like it, as it
  recently had ruled unconstitutional a major eavesdropping plan on phone
  calls - and that one was only directed at suspicious persons, whereas the
  EU directive applies to every single communication of all 450 million
  inhabitants of the EU.

  More information, including recordings of the EP debate, is available at
  http://wiki.dataretentionisnosolution.com/.

  Ralf
  (European Digital Rights, www.edri.org)

  ___
  Politech mailing list
  Archived at http://www.politechbot.com/
  Moderated by Declan McCullagh (http://www.mccullagh.org/)

  - End forwarded message -

 --- end forwarded text


 --
 -
 R. A. Hettinga mailto: [EMAIL PROTECTED]
 The Internet Bearer Underwriting Corporation http://www.ibuc.com/
 44 Farquhar Street, Boston, MA 02131 USA
 ... however it may

Japan Puts Its Money on E-Cash

2005-12-13 Thread R. A. Hettinga

--- begin forwarded text


 Date: Mon, 12 Dec 2005 19:10:44 -0500
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R. A. Hettinga [EMAIL PROTECTED]
 Subject: Japan Puts Its Money on E-Cash

 No, not *that* E-Cash(tm), but you get the idea...

 Cheers,
 RAH
 ---

 
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/11/AR2005121101097_pf.html

 The Washington Post

 Japan Puts Its Money on E-Cash
 While Saving Time, Consumers May Spend More

 By Anthony Faiola
 Washington Post Foreign Service
 Monday, December 12, 2005; A01

 TOKYO -- Toru Nashimoto, a trim 36-year-old with nary a coin in the pockets
 of his slick pinstripe suit, confidently strode toward the cashier at a
 bustling sushi bar to settle his $45 lunch tab. He whipped out a thin
 electronic card and placed it above a scanner that quickly blinked neon
 blue before emitting a computerized ka-ching.

 It was the telltale sound of Japan's new electronic money. In seconds,
 Nashimoto had paid for his meal of sea urchin, eel and raw fish and was
 hustling back to work. No change from the cash register, no waiting for
 confirmation, no PIN code to enter. "Who needs to carry real money?" said
 the commercial real estate manager. "I often don't even carry a wallet with
 me anymore."

 Nashimoto is part of the latest trend in Japan, where society is rethinking
 commerce by doing away with the increasingly arcane concept of cash.

 Technology analysts say the use of electronic money amounts to a leap
 forward in commerce and shopping. Using cell phones that transmit infrared
 signals -- or, as in Nashimoto's case, a smart card that doubles as a set
 of electronic keys and lets him earn airline miles with each use --
 Japanese consumers are whisking through checkout lines, buying everything
 from sushi to furniture without ever yanking out their wallets.

 Users can add value to their cards or cell phones at thousands of automated
 docking stations around the country, where they insert paper money and get
 credit for e-cash. They can also use credit cards to replenish e-cash on
 the Internet.

 Electronic money emerged four years ago as a convenient tool for fast-paced
 train commuters. The Japan Research Institute, an economic research group,
 estimates that at least 15 million people here are now using e-cash, a
 figure projected to reach 40 million -- about one in every three Japanese
 -- by 2008. The number of e-cash transactions reached 15.8 million per
 month in 2005, more than double last year's figure, according to Japan's
 two largest electronic money providers.

 E-cash is being accepted at convenience stores, department stores, cafes,
 restaurants, newsstands and electronics retailers -- enabling users to go
 shopping carrying nothing but their cell phones. At some supermarkets, up
 to 40 percent of all purchases are made with electronic money.

 Vending machines that dispense sodas and snacks with a flash of a cell
 phone are popping up on street corners and inside office buildings across
 Japan. Tokyo's subway system -- the world's second busiest after Moscow's
 -- will begin accepting electronic money next year. Experts cite the rise
 of e-cash as a reason for a drop last July in the circulation of yen coins,
 the first decline since 1971.

 "Japan is moving toward the cashless society," said Makoto Yamada, an
 executive at bitWallet Inc., operator of Japan's largest virtual money
 service and a partnership jointly owned by the Sony Group, the Toyota
 Group, All Nippon Airways, two large Japanese banks and NTT DoCoMo, Japan's
 largest cell phone operator. "Electronic money is taking us there."

 The smart cards and phones used are embedded with antennas and integrated
 circuit chips that allow the devices to receive and emit electronic
 signals. When the devices are placed near a scanner at a checkout, for
 instance, a signal is emitted and e-money is deducted.

 Similar electronic money concepts are being tried in North America and
 Europe. Analysts say the Japanese version requires some fine-tuning before
 it can be exported.

 Many note that the idea works well here partly because concerns about
 safety and security are quite low -- in Japan, even lost wallets are often
 returned to their owners intact. So the loss of a card or a cell phone
 loaded with hundreds of dollars of e-cash represents a comparatively small
 risk.

 Electronic money also banks on consumers who are willing to pay for their
 purchases in advance, the opposite philosophy of a credit card. That works
 well in debt-averse Japan, where only 9 percent of consumer transactions
 are settled by credit card. But would it work in a place like the United
 States, where 24 percent of transactions are made on credit?

 Some Americans, analysts note, are already using a version of e-cash to
 bypass toll lanes on highways. "In the U.S., use of credit cards and debit
 cards is already very well developed, so it's unclear how electronic money
 will take off there," said Shigeru

[Clips] Hacker attacks in US linked to Chinese military: researchers

2005-12-13 Thread R. A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Mon, 12 Dec 2005 19:39:51 -0500
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R. A. Hettinga [EMAIL PROTECTED]
 Subject: [Clips] Hacker attacks in US linked to Chinese military: researchers
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 http://www.breitbart.com/news/2005/12/12/051212224756.jwmkvntb.html

 BREITBART.COM -

 Hacker attacks in US linked to Chinese military: researchers


 Dec 12 5:56 PM US/Eastern


 A systematic effort by hackers to penetrate US government and industry
 computer networks stems most likely from the Chinese military, the head of
 a leading security institute said. The attacks have been traced to the
 Chinese province of Guangdong, and the techniques used make it appear
 unlikely to come from any other source than the military, said Alan Paller,
 the director of the SANS Institute, an education and research organization
 focusing on cybersecurity.


  "These attacks come from someone with intense discipline. No other
 organization could do this if they were not a military organization,"
 Paller said in a conference call to announce a new cybersecurity education
 program.

  In the attacks, Paller said, the perpetrators were "in and out with no
 keystroke errors and left no fingerprints, and created a backdoor in less
 than 30 minutes. How can this be done by anyone other than a military
 organization?"

  Paller said that despite what appears to be a systematic effort to target
 government agencies and defense contractors, defenses have remained weak in
 many areas.

  "We know about major penetrations of defense contractors," he said.

  Security among private-sector Pentagon contractors may not be as robust,
 said Paller, because they are less willing to make it hard for mobile
 people to get their work done.

  Paller said the US government strategy appears to be to downplay the
 attacks, which has not helped the situation.

  "We have a problem that our computer networks have been terribly and
 deeply penetrated throughout the United States ... and we've been keeping
 it secret," he said.

  "The people who benefit from keeping it secret are the attackers."

  Although Paller said the hackers probably have not obtained classified
 documents from the Pentagon, which uses a more secure network, it is
 possible they stole extremely sensitive information.

  He said it has been documented that US military flight planning software
 from its Redstone Arsenal was stolen.

  Pentagon officials confirmed earlier this year that US Defense Department
 websites are probed hundreds of times a day by hackers, but maintained that
 no classified site is known to have been penetrated by hackers.

  The US military has code-named the recent hacker effort Titan Rain and
 has made some strides in counter-hacking to identify the attackers, Paller
 said. This was first reported by Time magazine.

  Paller said a series of attacks on British computer networks reported
 earlier this year may have similar goals, but seems to use different
 techniques.

  In the United States, he said there are some areas of improvement such as
 the case of the Air Force, which has been insisting on better security from
 its IT vendors. But he argued that the fundamental error is that America's
 security strategy relies on writing reports rather than hardening systems.


 ___
 Clips mailing list
 [EMAIL PROTECTED]
 http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text





[Clips] MIT Real ID Conference a Success: Participate in New Virtual Civic Conversation

2005-12-12 Thread R. A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Sat, 10 Dec 2005 17:48:40 -0500
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R. A. Hettinga [EMAIL PROTECTED]
 Subject: [Clips] MIT Real ID Conference a Success: Participate in New Virtual
  Civic Conversation
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]


 --- begin forwarded text


  Date: Sat, 10 Dec 2005 13:01:20 -0800 (PST)
  From: Daniel J. Greenwood [EMAIL PROTECTED]
  Reply-To: [EMAIL PROTECTED]
  Subject: MIT Real ID Conference a Success: Participate in New Virtual
 Civic Conversation
  To: [EMAIL PROTECTED]

  This note is to inform you that the MIT Public Forum
  on the Real ID Act of 2005 was held on Monday,
  December 5th and we will be streaming video of the
  entire day from the MIT Media Lab web site within the
  next few days.  To those of you who participated,
  thank you for making this event a true success.

  We plan a series of activities for the future,
  including publication of proceedings, further activity
  on the MIT Real ID Public Forum Blog, additional
  events and of course continued work with the
  Department of Homeland Security and other federal and
  state governmental agencies to provide a neutral forum
  within which to meet, hear from the public and
  interest groups and to consider opportunities for
  cross boundary cooperation.

  We intend to use publication of the final report of
  the proceedings of the day to highlight the many
  valuable perspectives and ideas that came forward
  throughout the event.  Again, we encourage each of you
  to share any thoughts you may have regarding this
  important new federal statute.  After the Department
  of Homeland Security published their draft regulations
  under the law, we anticipate another round of activity
  to support discussion and meaningful response.

  Finally, the MIT E-Commerce Architecture Program,
  hosted at the MIT Media Lab Smart Cities group, is now
  working with partners to make available a new more
  efficient mode of public dialog on important affairs
  of the day.  Currently called “Virtual Civic
  Conversations”, this simple approach uses existing
  blog technology (including RSS feeds and track-back
  features), to set up shared meta-search terms for
  specific issues, allowing participants to post a topic
  on their blog and for it to appear as a new post on a
  large-scale multi-party communications blog.  In this
  way, the many interest groups, governmental agencies,
  individuals and others who are all speaking to the
  same topic (next steps on the Real ID Act, in this
  case), can use a blog (such as the MIT Real ID Public
  Forum Blog) to compile all posts on all blogs related
  to that topic.  In addition, it is possible for
  participants to respond to the posts across threads,
  blogs and topics, thereby creating a bounded but very
  open knowledge zone on that issue.  We are setting up
  a Virtual Civic Conversation for the Real ID Act this
  weekend and early next week.  Stay tuned for more
  information on exactly how to participate and to
  encourage others with relevant blogs to participate.

  MIT is pleased to use new technology and our capacity
  to convene to serve the civic interest.  Thank you for
  your interest.

  Regards,
   - Dan Greenwood

  
  Daniel J. Greenwood, Esq.
  Lecturer, Massachusetts Institute of Technology
  The Media Lab, Program of Media Arts and Science
  Principal, CIVICS.com  The InfoSociety Consultancy
  http://ecitizen.mit.edu  http://civics.com
  1770 Mass. Ave, #205, Cambridge, MA 02140  USA
  M: 857-498-0962
  E: [EMAIL PROTECTED]
  

 --- end forwarded text



--- end forwarded text





[Clips] Pentagon Intelligence Agency Gathers Domestic Intelligence

2005-12-12 Thread R. A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Sat, 10 Dec 2005 20:51:58 -0500
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R. A. Hettinga [EMAIL PROTECTED]
 Subject: [Clips] Pentagon Intelligence Agency Gathers Domestic Intelligence
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 http://www.drudgereport.com/flash5.htm

 The Drudge Report





  Pentagon Intelligence Agency Gathers Domestic Intelligence
  Sat Dec 10 2005 18:20:11 ET

  Day after day, reports of suspicious activity filed from military bases
 and other defense installations throughout the United States flow into the
 Counterintelligence Field Activity, or CIFA, a three-year-old Pentagon
 agency whose size and budget remain classified, the WASHINGTON POST is
 planning to report on Sunday, newsroom sources tell DRUDGE.

  The Talon reports, as they are called, are based on information from
 civilians and military personnel who stumble across people or information
 they think might be part of a terrorist plot or threat against defense
 facilities at home or abroad.

  It is unclear how many Talon reports are filed each year. But just one of
 the military services involved in the program, the Air Force, generated
 1,200 of them during 14 months, the paper reveals.

  The documents can consist of "raw information reported by concerned
 citizens and military members regarding suspicious incidents," said a 2003
 memo signed by then-Deputy Defense Secretary Paul Wolfowitz. The reports
 "may or may not be related to an actual threat, and its very nature may be
 fragmented and incomplete," the memo said.

  The Talon system is part of the Defense Department's growing effort to
 gather intelligence within the United States, which officials argue is
 imperative as they work to detect and prevent potentially catastrophic
 terrorist assaults. The Talon reports (how many are generated is
 classified, a Pentagon spokesman said) are collected and analyzed by CIFA,
 an agency at the forefront of the Pentagon's counterterrorism program.

  The Pentagon's emphasis on domestic intelligence has raised concerns among
 some civil liberties advocates and intelligence officials.

  Developing...



--- end forwarded text





[Clips] Engineer Outwits Fingerprint Recognition Devices with Play-Doh

2005-12-10 Thread R. A. Hettinga
Same story, different malleable substance...

Cheers,
RAH
---
--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Sat, 10 Dec 2005 11:08:14 -0500
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R. A. Hettinga [EMAIL PROTECTED]
 Subject: [Clips] Engineer Outwits Fingerprint Recognition Devices with
Play-Doh
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 http://www.linuxelectrons.com/article.php/20051209175034721


  Web LinuxElectrons

 Engineer Outwits Fingerprint Recognition Devices with Play-Doh

  Friday, December 09 2005 @ 05:50 PM CST
  Contributed by: ByteEnable
 Potsdam, New York - Eyeballs, a severed hand, or fingers carried in ziplock
 bags. Back alley eye replacement surgery. These are scenarios used in
 recent blockbuster movies like Steven Spielberg's Minority Report and
 Tomorrow Never Dies to illustrate how unsavory characters in high-tech
 worlds beat sophisticated security and identification systems.

 Sound fantastic? Maybe not. Biometrics is the science of using biological
 properties, such as fingerprints, an iris scan, or voice recognition, to
 identify individuals. And in a world of growing terrorism concerns and
 increasing security measures, the field of biometrics is rapidly expanding.

  "Biometric systems automatically measure the unique physiological or
 behavioral 'signature' of an individual, from which a decision can be made
 to either authenticate or determine that individual's identity," explained
 Stephanie C. Schuckers, an associate professor of electrical and computer
 engineering at Clarkson University. "Today, biometric systems are popping
 up everywhere - in places like hospitals, banks, even college residence
 halls - to authorize or deny access to medical files, financial accounts,
 or restricted or private areas."

  And as with any identification or security system, Schuckers adds,
 biometric devices are prone to 'spoofing' or attacks designed to defeat
 them.

  "Spoofing is the process by which individuals overcome a system through an
 introduction of a fake sample. Digits from cadavers and fake fingers
 molded from plastic, or even something as simple as Play-Doh or gelatin,
 can potentially be misread as authentic," she explains. "My research
 addresses these deficiencies and investigates ways to design effective
 safeguards and vulnerability countermeasures. The goal is to make the
 authentication process as accurate and reliable as possible."

  Schuckers' biometric research is funded by the National Science Foundation
 (NSF), the Office of Homeland Security and the Department of Defense. She
 is currently assessing spoofing vulnerability in fingerprint scanners and
 designing methods to correct for these as part of a $3.1 million
 interdisciplinary research project funded through the NSF. The project,
 ITR: Biometrics: Performance, Security and Societal Impact, investigates
 the technical, legal and privacy issues raised from broader applications of
 biometric system technology in airport security, computer access, or
 immigration. It is a joint initiative among researchers from Clarkson, West
 Virginia University, Michigan State University, St. Lawrence University,
 and the University of Pittsburgh.

  Fingerprint scanning devices often use basic technology, such as an
 optical camera that takes pictures of fingerprints, which are then read by
 a computer. In order to assess how vulnerable the scanners are to spoofing,
 Schuckers and her research team made casts from live fingers using dental
 materials and used Play-Doh to create molds. They also assembled a
 collection of cadaver fingers.

 [Photo caption: Clarkson University Associate Professor of Electrical and
 Computer Engineering Stephanie C. Schuckers, with imitation fingers. Simple
 casts made from a mold and material such as Play-Doh, clay or gelatin can be
 used to fool most fingerprint recognition devices.]
  In the laboratory, the researchers then systematically tested more than 60
 of the faked samples. The results were a 90 percent false verification rate.

  "The machines could not distinguish between a live sample and a fake one,"
 Schuckers explained. "Since liveness detection is based on the recognition
 of physiological activities as signs of life, we hypothesized that
 fingerprint images from live fingers would show a specific changing
 moisture pattern due to perspiration but cadaver and spoof fingerprint
 images would not."

  In live fingers, perspiration starts around the pore, and spreads along
 the ridges, creating a distinct signature of the process. Schuckers and her
 research team designed a computer algorithm that would detect this pattern
 when
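The perspiration-based liveness idea described in the article above, as an added illustrative example (this is not the Clarkson team's code, data or algorithm): one ridge of an optical fingerprint image is reduced to a one-dimensional grayscale signal, two captures taken a couple of seconds apart are compared, and the finger is accepted as live only if wetness grows and grows around the pores rather than uniformly. The grayscale levels, the noise amplitude, the decision thresholds and the synthetic live and spoof frames are all assumptions made for the example.

```python
"""Toy perspiration-based liveness check for an optical fingerprint scanner.

Added example, not the Clarkson team's algorithm. It models the observation
quoted in the article: on a live finger, moisture starts at the sweat pores and
spreads along the ridges between two captures a couple of seconds apart, so the
second image darkens around the pores; a Play-Doh or gelatin cast stays static.
A ridge is reduced to a 1-D grayscale signal (0 = bright/dry, 1 = dark/wet).
All frames below are constructed, not scanner output.
"""
import random
from statistics import mean

DRY, WET = 0.15, 0.85        # assumed grayscale levels along a ridge
WET_THRESHOLD = 0.5          # a sample counts as "wet" above this level
NOISE = 0.03                 # assumed per-sample sensor noise


def synth_live_frames(length=120, pores=(20, 55, 90), spread=6, seed=1):
    """Constructed live finger: frame 0 is wet only at the pores; by frame 1 the
    moisture has diffused `spread` samples along the ridge in both directions."""
    rng = random.Random(seed)
    f0 = [DRY + rng.uniform(-NOISE, NOISE) for _ in range(length)]
    for p in pores:
        f0[p] = WET + rng.uniform(-NOISE, NOISE)
    f1 = list(f0)
    for p in pores:
        for d in range(-spread, spread + 1):
            i = p + d
            if 0 <= i < length:
                # wetness falls off linearly with distance from the pore
                level = WET - 0.1 * abs(d) + rng.uniform(-NOISE, NOISE)
                f1[i] = max(f1[i], level)
    return f0, f1


def synth_spoof_frames(length=120, pores=(20, 55, 90), seed=1):
    """Constructed spoof: the cast reproduces the pore pattern, but nothing moves
    between captures, so frame 1 is frame 0 plus fresh sensor noise."""
    rng = random.Random(seed)
    f0 = [DRY + rng.uniform(-NOISE, NOISE) for _ in range(length)]
    for p in pores:
        f0[p] = WET + rng.uniform(-NOISE, NOISE)
    f1 = [v + rng.uniform(-NOISE, NOISE) for v in f0]
    return f0, f1


def find_pores(frame, threshold=WET_THRESHOLD):
    """Pores show up as isolated dark peaks in the first capture."""
    return [i for i in range(1, len(frame) - 1)
            if frame[i] > threshold
            and frame[i] >= frame[i - 1] and frame[i] >= frame[i + 1]]


def perspiration_measures(f0, f1, near=8):
    """Dynamic measures between two captures of the same ridge:
    wet_gain          growth of the fraction of samples above WET_THRESHOLD
    near_pore_change  mean darkening within `near` samples of a pore
    far_change        mean darkening elsewhere (near zero for live and spoof)
    """
    pores = find_pores(f0)
    delta = [b - a for a, b in zip(f0, f1)]
    near_idx = {i for p in pores
                for i in range(p - near, p + near + 1) if 0 <= i < len(f0)}
    near_vals = [delta[i] for i in near_idx]
    far_vals = [delta[i] for i in range(len(f0)) if i not in near_idx]
    wet0 = sum(v > WET_THRESHOLD for v in f0) / len(f0)
    wet1 = sum(v > WET_THRESHOLD for v in f1) / len(f1)
    return {
        "pores": len(pores),
        "wet_gain": wet1 - wet0,
        "near_pore_change": mean(near_vals) if near_vals else 0.0,
        "far_change": mean(far_vals) if far_vals else 0.0,
    }


def is_live(f0, f1, min_wet_gain=0.05, min_near_change=0.1):
    """Accept as live only if moisture increased and did so around the pores.
    Thresholds are illustrative; a deployment calibrates them per sensor and
    accepts some false rejects from unusually dry or already-soaked fingers."""
    m = perspiration_measures(f0, f1)
    return (m["pores"] > 0
            and m["wet_gain"] >= min_wet_gain
            and m["near_pore_change"] >= min_near_change
            and m["near_pore_change"] > 3 * abs(m["far_change"]))


if __name__ == "__main__":
    for label, frames in (("live", synth_live_frames()),
                          ("spoof", synth_spoof_frames())):
        print(label, perspiration_measures(*frames), "->", is_live(*frames))
```

Two points for anyone building on this. First, the check compares the same finger with itself across time, so it only works if the scanner can capture two frames a few seconds apart and the image registration between them is good; a single still image gives it nothing to work with. Second, it is one layer, not a fix: the measures depend on the sensor, ambient humidity and how dry the finger is, and any dynamic measure can be targeted by an attacker who knows it is in use, so the thresholds should be set from real live and spoof data on the actual hardware rather than the constants used here.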

[Clips] Study Finds Mass Data Breaches Not as Risky as Smaller Lapses

2005-12-09 Thread R. A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Thu, 8 Dec 2005 15:59:25 -0500
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R. A. Hettinga [EMAIL PROTECTED]
 Subject: [Clips] Study Finds Mass Data Breaches Not as Risky as Smaller
Lapses
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 http://online.wsj.com/article_print/SB113380595757914237.html

 The Wall Street Journal

  December 8, 2005
  FISCALLY FIT
  By TERRI CULLEN



 Study Finds Mass Data Breaches
  Not as Risky as Smaller Lapses
 December 8, 2005

 Two scenarios: a) You're notified by an online retailer that you're among
 millions of customers whose account information was lost or stolen; or b)
 you learn a former staffer has stolen employee names, addresses and Social
 Security numbers from your small business.

 Which one puts you at greater risk for identity theft?

 If you chose b, you'd be correct, according to a study released Wednesday
 by ID Analytics, a San Diego company that helps companies combat fraud
 using pattern-recognition technology. The company examined billions of bits
 of identifiable information, such as Social Security numbers, cellphone
 numbers, dates of birth and credit-card account numbers, from consumers who
 were victims of security breaches. The study analyzed four cases of
 security breaches, two involving the theft or loss of sensitive data,
 including names and Social Security numbers, and two involving credit-card
 account information only.

 Turns out size does matter: The study found that individuals involved in
 mass data security breaches are less likely to have their information
 misused than victims of smaller data breaches.

 "The sheer volume of consumers affected slows identity thieves down," says
 Mike Cook, vice president of product services at ID Analytics and one of
 the company's co-founders. "We applied identity theft to real work terms,
 eight-hour days, with breaks and vacation time, and found that it would
 take a fraudster 40 years to work a million stolen IDs," he says.

 Some disclosure: ID Analytics, which is in the business of detecting
 identity theft for companies such as financial-services firms and
 retailers, initiated the study at the request of the companies whose
 security breaches were examined. The companies didn't sponsor the study,
 but ID Analytics provides services to one of the breached companies and
 provided services to another of the companies in the past.

 The ID Analytics study also found that mass data security breaches didn't
 result in the identity theft free-for-all many had feared. The odds are
 less than one in 1,000 that misuse or fraud will be detected for
 individuals whose sensitive information is compromised in cases of
 large-scale security breaches.

 Identity theft was more common when there was an intentional effort to
 steal information, as opposed to security lapses that occurred by accident,
 the study found. So, for example, you're more likely to be a victim if a
 thief intentionally steals a laptop to access the sensitive consumer data
 it holds, rather than if the thief steals the laptop simply to hock it for
 cash.

 The study comes in the wake of a series of highly publicized mass security
 breaches this year, which raised concern about the potential for widespread
 identity theft. In June, for example, MasterCard International Inc.
 reported that someone had broken into the computer network of CardSystems
 Solutions Inc., an Atlanta company that processes credit-card transactions.
 The breach gave the thief access to names, account numbers and card
 security codes on more than 40 million credit-card accounts.

 When breaches such as this are disclosed, many consumers have no idea how
 likely it is that their information will be used to commit fraud, says Jay
 Foley, co-executive director of the Identity Theft Resource Center in San
 Diego, a nonprofit organization that assists victims of identity theft.

 What [ID Analytics] is doing is identifying quite accurately where the
 greatest potential danger is, he says. The study emphasizes the types of
 breaches [that] businesses and government need to look at closely and take
 seriously.

 What constitutes a higher-risk intentional breach? The riskiest category is
 one-on-one crimes, where a thief targets a victim to steal identification
 or account information. When information on thousands of individuals is
 stolen, however, the chances of one person in that group becoming a victim
 falls considerably, according to the study. As you pass information stolen
 on 200 people or more in one incident, the risk drops off sharply, he says.

 Consumers

[Clips] Diebold insider alleges company plagued by technical woes

2005-12-07 Thread R. A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Tue, 6 Dec 2005 21:41:23 -0500
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R. A. Hettinga [EMAIL PROTECTED]
 Subject: [Clips] Diebold insider alleges company plagued by technical woes
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 
http://rawstory.com/news/2005/Diebold_insider__alleges_company_plagued_1206.html

 The Raw Story
 Originally published on Tuesday December 6, 2005
 Last Updated: 12/6/2005


 Diebold insider alleges company plagued by technical woes, Diebold defends
 'sterling' record

 Miriam Raftery


 In an exclusive interview with RAW STORY, a whistleblower from electronic
 voting heavyweight Diebold Election Systems Inc. raised grave concerns
 about the company's electronic voting technology and of electronic voting
 in general, bemoaning an electoral system the insider feels has been
 compromised by corporate privatization.

 The Diebold insider, who took on the appellation Dieb-Throat in an
 interview with voting rights advocate Brad Friedman (BradBlog.com), was
 once a staunch supporter of electronic voting's potential to produce more
 accurate results than punch cards.

 But the company insider became disillusioned after witnessing repeated
 efforts by Diebold to evade meeting legal requirements or implementing
 appropriate security measures, putting corporate interests ahead of the
 interests of voters.

 I've absolutely had it with the dishonesty, the insider told RAW STORY.
 Blasting Wally O'Dell, the current president of Diebold, the whistleblower
 went on to explain behind-the-scenes tactics of the company and its
 officers.

 There's a lot of pressure in the corporation to make the numbers: `We
 don't tell you how to do it, but do it.' [O'Dell is] probably the number
 one culprit putting pressure on people, the source said.

 Diebold spokesman David Bear rebuts the charges. Diebold has a sterling
 reputation in the industry, Bear said. It's a 144-year-old company and is
 considered one of the best companies in the industry.

 Previous revelations from the whistleblower have included evidence that
 Diebold's upper management and top government officials knew of backdoor
 software in Diebold's central tabulator before the 2004 election, but
 ignored urgent warnings-such as a Homeland Security alert posted on the
 Internet.

 This is a very dangerous precedent that needs to be stopped-that's the
 corporate takeover of elections, the source warned. The majority of
 election directors don't understand the gravity of what they're dealing
 with. The bottom line is who is going to tamper with an election? A lot of
 people could, but they assume that no one will.

 Concerns about Georgia, Ohio elections

 The insider harbors suspicions that Diebold may be involved in tampering
 with elections through its army of employees and independent contractors.
 The 2002 gubernatorial election in Georgia raised serious red flags, the
 source said.

 Shortly before the election, ten days to two weeks, we were told that the
 date in the machine was malfunctioning, the source recalled. So we were
 told 'Apply this patch in a big rush.' Later, the Diebold insider learned
 that the patches were never certified by the state of Georgia, as required
 by law.

 Also, the clock inside the system was not fixed, said the insider. It's
 legendary how strange the outcome was; they ended up having the first
 Republican governor in who knows when and also strange outcomes in other
 races. I can say that the counties I worked in were heavily Democratic and
 elected a Republican.

 In Georgia's 2002 Senate race, for example, nearly 60 percent of the
 state's electorate by county switched party allegiances between the
 primaries and the general election.

 The insider's account corroborates a similar story told by Diebold
 contractor Rob Behler in an interview with Bev Harris of Black Box Voting.

 Harris revealed that a program patch titled rob-georgia.zip was left on
 an unsecured server and downloaded over the Internet by Diebold technicians
 before loading the unauthorized software onto Georgia voting machines.
 They didn't even TEST the fixes before they told us to install them,
 Behler stated, adding that machines still malfunctioned after patches were
 installed.

 California decertified Diebold TSX touch screen machines after state
 officials learned that the vendor had broken state election law.

 In California, they got in trouble and tried to doubletalk. They used a
 patch that was not certified, the Diebold insider said. They've done this
 many times. They just got caught in Georgia and California.

 The whistleblower is also skeptical of results from the November 2005 Ohio
 election, in which 88 percent of voters used touch screens and the outcome
 on some propositions changed as much as 40 percent from pre-election exit
 polls.

 Amazing, the Diebold insider said.

 Diebold is headquartered in Ohio. Its

[Clips] RSA buys Cyota for $145 million

2005-12-06 Thread R. A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Mon, 5 Dec 2005 14:38:43 -0500
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R. A. Hettinga [EMAIL PROTECTED]
 Subject: [Clips] RSA buys Cyota for $145 million
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 
http://www.infoworld.com/article/05/12/05/HNrsacyota_1.html?source=NLC-SEC2005-12-05

 InfoWorld

 RSA buys Cyota for $145 million
 Acquisition gives RSA broader range of authentication techniques
  By Nancy Gohring, IDG News Service
 December 05, 2005

 RSA Security on Monday said it plans to buy Cyota, the provider of online
 security and antifraud products, for $145 million.

 The acquisition will allow RSA to offer customers a broader range of
 authentication techniques. RSA hopes to offer a risk-based authentication
 approach, allowing customers to choose an authentication method to meet the
 specific risks they face. Customers will be able to choose from a
 portfolio that includes watermarking, digital certificates, tokens, and
 smart cards.

 In addition to the authentication offerings, RSA also plans to offer
 Cyota's services such as its antifraud service, which includes fraudulent
 site shut-down, detection of phishing attacks as well as a
 transaction-protection service that authenticates credit card users and
 identifies fraudulent activity in accounts.

 RSA expects the acquisition will add as much as $25 million in revenue in
 2006.

 The price for the privately held company includes $136 million in cash for
 Cyota stock, $5.5 million in cash to fund a three-year retention pool and
 $3.5 million for outstanding Cyota stock options. The deal is expected to
 close within 30 days.

 --
 -
 R. A. Hettinga mailto: [EMAIL PROTECTED]
 The Internet Bearer Underwriting Corporation http://www.ibuc.com/
 44 Farquhar Street, Boston, MA 02131 USA
 ... however it may deserve respect for its usefulness and antiquity,
 [predicting the end of the world] has not been found agreeable to
 experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
 ___
 Clips mailing list
 [EMAIL PROTECTED]
 http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-04 Thread R. A. Hettinga
At 2:29 PM -0800 12/3/05, John Gilmore wrote:
 ...how many people on this list use or have used online banking?
 To start the ball rolling, I have not and won't.

Dan, that makes two of us.

The only thing I ever use it for is to make sure the wires are in before I
spend money. :-)

Cheers,
RAH
Still living at the bottom of the bathtub curve...


[Clips] Call for IFCA Conference Sponsors, Financial Cryptography and Data Security '06

2005-12-04 Thread R. A. Hettinga
Um, what's Data Security?

;-)

Cheers,
RAH
---
--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Sun, 4 Dec 2005 19:10:25 -0500
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R. A. Hettinga [EMAIL PROTECTED]
 Subject: [Clips]
  Call for IFCA Conference Sponsors, Financial Cryptography and
  Data Security '06
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]


 --- begin forwarded text


  To: Robert Hettinga [EMAIL PROTECTED]
  From: Patrick McDaniel [EMAIL PROTECTED]
  Subject: Call for IFCA Conference Sponsors, Financial Cryptography and
 Data Security '06
  Date: Sun,  4 Dec 2005 18:52:19 -0500 (EST)

  Dear Robert,

  The Financial Cryptography and Data Security '06 is celebrating its
  10th year in Anguilla, British West Indies from February 27 to March
  2, 2006.  This conference has become a yearly touch-stone for those
  involved in the construction and use of technology in commercial
  environments.  To this end, the conference brings together top
  cryptographers, data-security specialists, and scientists with
  economists, bankers, implementers, and policy makers.

  Intimate and colorful by tradition, the FC'06 program will feature
  invited talks, academic presentations, technical demonstrations, and
  panel discussions. In addition, we will celebrate this 10th year
  edition with a number of initiatives, such as: especially focused
  session, technical and historical state-of-the-art panels, and one
  session of surveys.

  As a past attendee, IFCA wishes to make a plea for your sponsorship.
  The importance of this conference to the larger security community is
  clear, and it is largely sustainable through the generous support of
  its sponsors.  The benefit to your organization is also well worth the
  sacrifice: sponsors receive the kind of unique exposure to the
  cognoscenti that can only be received at these events.  Sponsorship
  opportunities are available at modest levels and beyond.

  If you are interested in sponsoring, we would be very interested in
  talking to you.  Please visit the conference website:

http://siis.cse.psu.edu/fc06/

  Feel free to reply to this message or send email to me
  ([EMAIL PROTECTED]) or contact me via phone (814) 863-3599 for
  further information.

  Sincerely,
  Patrick McDaniel, General Chair, FC '06

 --- end forwarded text



--- end forwarded text




[Clips] Banks Seek Better Online-Security Tools

2005-12-02 Thread R. A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Thu, 1 Dec 2005 16:54:00 -0500
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R. A. Hettinga [EMAIL PROTECTED]
 Subject: [Clips] Banks Seek Better Online-Security Tools
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 http://online.wsj.com/article_print/SB113339543967610740.html

 The Wall Street Journal

 December 1, 2005

 Banks Seek Better Online-Security Tools
 New Software Adds Layers
  To Verify Users' Identities;
  Ease of Use Remains Worry
 By RIVA RICHMOND
 DOW JONES NEWSWIRES
 December 1, 2005; Page B4

 More banks, driven by rising online identity theft and regulators'
 concerns, are shopping for security technology to help ensure those logging
 into accounts are the customers they claim to be.

 But while banks want security that is stronger than standard user names and
 passwords, they also don't want the technology to turn off customers by
 diminishing the convenience of online banking.

 Software makers are aiming to help banks strike a tricky balance between
 security and convenience, with several, including Corillian Corp. and
 Entrust Inc., recently introducing systems that raise the bar for risky or
 suspect transactions. The software works behind the scenes to apply extra
 security measures when there is unusual or questionable activity -- say,
 account access from a cybercafe in Prague or a large money transfer that
 isn't a normal bill-payment routine.

 The emergence of these products reflects the industry's concerns that email
 identity-theft scams, called phishing, and hacker programs that steal
 consumers' account information could hurt online banking, which is valued
 by banks as a low-cost way of doing business.

 In the U.S., the Federal Financial Institutions Examination Council, a
 group that sets standards for banks, credit unions and thrifts, in October
 urged that online-banking security move beyond simple passwords by the end
 of next year. Its recommendation carries the force of regulation because
 banks' failure to comply would earn them black marks from bank examiners.

 Many of the new products would help banks respond to the FFIEC, which
 didn't endorse specific security technologies but encouraged banks to
 choose measures appropriate to the risk. Other suppliers of software for
 tightening security include closely held firms Cyota Inc., New York, and
 PassMark Security Inc., Menlo Park, Calif.

 The banks are being pushed to bring in stronger authentication, but match
 it to the risk of the transaction and to the user experience and their
 desires, said Chris Voice, a vice president at Entrust, of Addison, Texas.
 Authentication is a security measure for verifying a customer or
 transaction.

 Industry analysts think banks will employ several techniques to weigh risk
 and verify identities. One way is to halt any transactions from certain
 computers or countries with a high fraud risk. In addition to a user name
 and password, some of these new security systems add a fairly obscure
 personal question, such as What was your high-school mascot? Some also
 allow banks facing a suspicious transaction to send an extra four-digit
 security code for use online to a customer's cellphone.

 The idea is similar to credit-card-fraud systems that trigger phone calls
 to cardholders when they detect unusual activity, while letting the vast
 majority of transactions through without incident.

 Corillian, of Hillsboro, Ore., already provides the technology behind the
 online-banking operations of many banks and credit unions. Woodforest
 National Bank, which has 190 branches in Texas and North Carolina, is
 rolling out Corillian's security technology during the first half of 2006.
 Corillian also has sold the technology to three credit unions and says it
 is in talks with three of the top-10 U.S. banks.

 The key to keeping this channel open is keeping it secure, said Charles
 Manning, president and chief information officer of Woodforest, which
 operates most of its branches inside Wal-Mart stores.

 Corillian's Intelligent Authentication package, launched Oct. 25, tracks
 the behavior of online-banking customers and builds histories of their
 habits to create access signatures. Its files don't include personal
 information. But they do track the characteristics of the computers and
 Internet-service providers that a customer typically uses. It also records
 the normal geographic locations and the times of day a customer prefers to
 bank online, flagging exceptions for scrutiny.

 Meanwhile, security-software maker Entrust unveiled a major new version of
 its IdentityGuard product on Nov. 8 that offers a menu of user-verification
 methods banks can choose from to beef up security on transactions they deem
 risky. It has sold IdentityGuard to Miami-based Commercebank NA, a unit of
 Mercantil Servicios Financieros of Venezuela, and a number of European
 banks. European customers of Entrust's software
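
The adaptive, risk-based flow the article describes (profile the customer's usual devices, ISPs, locations and hours; step up to an extra personal question or a four-digit code texted to the phone when a login or transfer looks unusual; refuse traffic from countries the bank blocks outright) is sketched below in Python. This is an added example, not code from the article or from Corillian, Entrust, Cyota or PassMark; the weights, thresholds, the placeholder country code "XX", the field names and the sample customer history are all assumptions made for illustration.

```python
"""Risk-based (adaptive) authentication sketch for an online-banking login.

Added example; not code from the article or from Corillian, Entrust, Cyota
or PassMark. Weights, thresholds, the placeholder country code "XX" and the
sample customer history below are assumptions made for illustration.
"""
import hmac
import secrets
from collections import Counter
from dataclasses import dataclass, field

BLOCKED_COUNTRIES = {"XX"}   # assumed: countries the bank refuses outright
WEIGHTS = {"device": 3, "isp": 2, "country": 4, "hour": 1, "payee": 3, "amount": 3}
OTP_THRESHOLD = 6            # at or above: text a one-time code to the customer
QUESTION_THRESHOLD = 3       # at or above: ask the extra personal question
OTP_DIGITS = 4               # the article describes a four-digit code


@dataclass
class Profile:
    """Access signature: what this customer's accepted sessions look like.
    Holds device and ISP identifiers, not personal data."""
    devices: Counter = field(default_factory=Counter)
    isps: Counter = field(default_factory=Counter)
    countries: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)
    payees: set = field(default_factory=set)
    typical_transfer: float = 0.0   # largest routine transfer seen so far

    def learn(self, event):
        """Fold in a session the bank has already accepted as genuine."""
        self.devices[event["device"]] += 1
        self.isps[event["isp"]] += 1
        self.countries[event["country"]] += 1
        self.hours[event["hour"]] += 1
        if event.get("amount"):
            self.payees.add(event["payee"])
            self.typical_transfer = max(self.typical_transfer, event["amount"])


def risk_score(profile, event):
    """Add the weight of every attribute that departs from the profile."""
    score = 0
    for key, seen in (("device", profile.devices), ("isp", profile.isps),
                      ("country", profile.countries), ("hour", profile.hours)):
        if event[key] not in seen:
            score += WEIGHTS[key]
    amount = event.get("amount", 0)
    if amount:   # a transfer, not just a login
        if event.get("payee") not in profile.payees:
            score += WEIGHTS["payee"]
        if amount > 2 * profile.typical_transfer:
            score += WEIGHTS["amount"]
    return score


def decide(profile, event):
    """Return one of "allow", "question", "otp", "deny" for this event."""
    if event["country"] in BLOCKED_COUNTRIES:
        return "deny"
    score = risk_score(profile, event)
    if score >= OTP_THRESHOLD:
        return "otp"
    if score >= QUESTION_THRESHOLD:
        return "question"
    return "allow"


def issue_otp():
    """Zero-padded code from the OS CSPRNG; the bank texts it to the phone."""
    return f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"


def verify_otp(expected, supplied):
    """Constant-time comparison so response timing leaks nothing."""
    return hmac.compare_digest(expected, supplied)


# Constructed history: one customer, same laptop and home ISP, banking from
# the US in the morning or evening, paying one regular biller.
SAMPLE_HISTORY = [
    {"device": "laptop-7f3a", "isp": "HomeNet", "country": "US", "hour": 9},
    {"device": "laptop-7f3a", "isp": "HomeNet", "country": "US", "hour": 20},
    {"device": "laptop-7f3a", "isp": "HomeNet", "country": "US", "hour": 9,
     "amount": 120.0, "payee": "city-power"},
]


def build_profile(history=SAMPLE_HISTORY):
    profile = Profile()
    for event in history:
        profile.learn(event)
    return profile


if __name__ == "__main__":
    profile = build_profile()
    prague = {"device": "kiosk-01", "isp": "cafe-wifi", "country": "CZ", "hour": 3}
    print(decide(profile, prague))          # unusual on every axis: "otp"
    code = issue_otp()
    print(len(code), verify_otp(code, code))
```

Two caveats a practitioner would add. A four-digit code has only 10,000 values, so it is safe only with a short lifetime and a hard cap on guesses; the sketch generates and compares the code but leaves that throttling to the calling session logic. And `learn()` must be fed only sessions that were themselves fully authenticated, otherwise a fraudster's first successful login teaches the profile to trust the fraudster's device and ISP.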

Anon_Terminology_v0.24

2005-11-30 Thread R. A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Mon, 21 Nov 2005 12:14:40 +0100
 From: Andreas Pfitzmann [EMAIL PROTECTED]
 To: undisclosed-recipients: ;
 Subject: Anon_Terminology_v0.24
 Sender: [EMAIL PROTECTED]

 Hi all,

 Marit and myself are happy to announce

Anonymity, Unlinkability, Unobservability,
Pseudonymity, and Identity Management -
A Consolidated Proposal for Terminology
(Version v0.24   Nov. 21, 2005)

 for download at

http://dud.inf.tu-dresden.de/Anon_Terminology.shtml

 We incorporated clarification of whether organizations are subjects
 or entities; suggestion of the concept of linkability brokers by
 Thomas Kriegelstein; clarification on civil identity proposed by Neil
 Mitchison.

 But most importantly: The terminology made it to another language.

Stefanos Gritzalis, Christos Kalloniatis:
Translation of essential terms to Greek

 Many thanks to both of them, along with our kind request to
 translate two newly introduced terms.

 Translations to further languages are welcome.

 Enjoy - and we are happy to receive your feedback.

 Marit and Andreas

 --
 Andreas Pfitzmann

 Dresden University of Technology
 Department of Computer Science
 Institute for System Architecture
 01062 Dresden, Germany
 http://dud.inf.tu-dresden.de
 Phone (mobile)    +49 170 443 87 94
 Phone (office)    +49 351 463 38277
 Phone (secretary) +49 351 463 38247
 Fax               +49 351 463 38255
 e-mail            [EMAIL PROTECTED]



 ___
 NymIP-res-group mailing list
 [EMAIL PROTECTED]
 http://www.nymip.org/mailman/listinfo/nymip-res-group

--- end forwarded text




[Clips] Cyberterror 'overhyped,' security guru says

2005-11-30 Thread R. A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Thu, 24 Nov 2005 14:08:41 -0500
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R. A. Hettinga [EMAIL PROTECTED]
 Subject: [Clips] Cyberterror 'overhyped,' security guru says
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 http://news.com.com/2102-7348_3-5968997.html?tag=st.util.print

 CNET News

  Cyberterror 'overhyped,' security guru says

  By Tom Espiner

  Story last modified Wed Nov 23 07:41:00 PST 2005


 Fears of cyberterror could actually hurt IT security, a threats expert
asserts.

  Bruce Schneier, who has written several books on security and is the
 founder of Counterpane Internet Security, told ZDNet UK that officials
 claiming terrorists pose a serious danger to computer networks are guilty
 of directing attention away from the threat faced from criminals.

  I think that the terrorist threat is overhyped, and the criminal threat
 is underhyped, Schneier said Tuesday. I hear people talk about the risks
 to critical infrastructure from cyberterrorism, but the risks come
 primarily from criminals. It's just criminals at the moment aren't as
 'sexy' as terrorists.

  Schneier was speaking after the SANS Institute released its latest
 security report at an event in London. During this event, Roger Cummings,
 director of the U.K. National Infrastructure Security Coordination Center,
 said that foreign governments are the primary threat to the U.K.'s critical
 infrastructure.

  Foreign states are probing the (critical infrastructure) for
 information, Cummings said. The U.K.'s (critical infrastructure) is made
 up of financial institutions; key transport, telecom and energy networks;
 and government organizations.

  Schneier, though, is concerned that governments are focusing too much on
 cyberterrorism, which is diverting badly needed resources from fighting
 cybercrime.

 We should not ignore criminals, and I think we're underspending on crime.
 If you look at ID theft and extortion--it still goes on. Criminals are
 after money, Schneier said.

  Cummings also said that hackers are already being employed by both
 organized criminals and government bodies, in what he termed the malicious
 marketplace.

  Schneier agrees this is an issue.

  There is definitely a marketplace for vulnerabilities, exploits and old
 computers. It's a bad development, but there are definitely conduits
 between hackers and criminals, Schneier said.



--- end forwarded text




[Clips] Sony DRM infection removal vulnerability uncovered

2005-11-16 Thread R. A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Wed, 16 Nov 2005 12:55:50 -0500
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R. A. Hettinga [EMAIL PROTECTED]
 Subject: [Clips] Sony DRM infection removal vulnerability uncovered
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 http://www.theinquirer.net/print.aspx?article=27714print=1


 The Inquirer

 Sony DRM infection removal vulnerability uncovered

 Tool is worse than original infection

 By:  Charlie Demerjian  Tuesday 15 November 2005, 20:45

 SONY PULLS OFF ANOTHER blatant stupidity in the 'cure is worse than the
 disease' category. No, not the DRM infection itself, not the security
 compromising removal agreement, but the removal tool itself. Yes, this one
 appears to put you in MORE danger than the original rootkit. Silly Sony, no
 cookie.

  According to Freedom to Tinker, the web-based installer is a worse
 vulnerability than the original rootkit. More on the story here, FTT goes
 into detail. It seems the 'cure' from Sony involves downloading an ActiveX
 control called CodeSupport. This is a signed control that lets just about
 anyone download, install and execute arbitrary code on your machine.

  See a problem? See a big problem? To make matters even funnier, the
 uninstaller, supposedly anyway, leaves this control on your machine. So,
 the Sony uninstaller is not a total uninstaller, it leaves a hole you can
 drive a truck through on your system, silently of course.

  The more disturbing part is that it appears the control is signed. I
 wonder who at MS approved this, and how this blatant security hole got
 through the barest minimum of QC? Moral, if you bought Sony products, you
 are screwed. If it causes you problems, you are screwed more. If you
 uninstall, you are screwed yet harder. If you uninstall it yourself, you
 are a criminal under the DMCA. If you use an antivirus program to uninstall
 it, you spent money to fix Sony's problems, and you are still a criminal.
 That's what you get for buying music.






--- end forwarded text




[Clips] Sony suspends copy-protection scheme on CDs

2005-11-13 Thread R. A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Fri, 11 Nov 2005 18:13:46 -0500
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R. A. Hettinga [EMAIL PROTECTED]
 Subject: [Clips] Sony suspends copy-protection scheme on CDs
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 
http://www.siliconvalley.com/mld/siliconvalley/business/technology/personal_technology/13143693.htm?template=contentModules/printstory.jsp

 The San Jose Mercury News

 Posted on Fri, Nov. 11, 2005

 Sony suspends copy-protection scheme on CDs

 WASHINGTON (AP) - Stung by continuing criticism, the world's second-largest
 music label, Sony BMG Music Entertainment, promised Friday to temporarily
 suspend making music CDs with antipiracy technology that can leave
 computers vulnerable to hackers.

 Sony defended its right to prevent customers from illegally copying music
 but said it will halt manufacturing CDs with the ``XCP'' technology as a
 precautionary measure. ``We also intend to re-examine all aspects of our
 content protection initiative to be sure that it continues to meet our
 goals of security and ease of consumer use,'' the company said in a
 statement.

 The antipiracy technology, which works only on Windows computers, prevents
 customers from making more than a few copies of the CD and prevents them
 from loading the CD's songs onto Apple Computer's popular iPod portable
 music players. Some other music players, which recognize Microsoft's
 proprietary music format, would work.

 Sony's announcement came one day after leading security companies disclosed
 that hackers were distributing malicious programs over the Internet that
 exploited the antipiracy technology's ability to avoid detection. Hackers
 discovered they can effectively render their programs invisible by using
 names for computer files similar to ones cloaked by the Sony technology.

 A senior Homeland Security official cautioned entertainment companies
 against discouraging piracy in ways that also make computers vulnerable.
 Stewart Baker, assistant secretary for policy at DHS, did not cite Sony by
 name in his remarks Thursday but described industry efforts to install
 hidden files on consumers' computers.

 ``It's very important to remember that it's your intellectual property,
 it's not your computer,'' Baker said at a trade conference on piracy. ``And
 in the pursuit of protection of intellectual property, it's important not
 to defeat or undermine the security measures that people need to adopt in
 these days.''

 Sony's program is included on about 20 popular music titles, including
 releases by Van Zant and The Bad Plus.

 ``This is a step they should have taken immediately,'' said Mark
 Russinovich, chief software architect at Winternals Software who discovered
 the hidden copy-protection technology Oct. 31 and posted his findings on
 his Web log. He said Sony did not admit any wrongdoing, nor did it promise
 not to use similar techniques in the future.

 Security researchers have described Sony's technology as ``spyware,''
 saying it is difficult to remove, transmits without warning details about
 what music is playing, and that Sony's notice to consumers about the
 technology was inadequate. Sony executives have rejected the description of
 their technology as spyware.

 Some leading antivirus companies updated their protective software this
 week to detect Sony's antipiracy program, disable it and prevent it from
 reinstalling.

 After Russinovich criticized Sony, it made available a software patch that
 removed the technology's ability to avoid detection. It also made more
 broadly available its instructions on how to remove the software
 permanently. Customers who remove the software are unable to listen to the
 music CD on their computer.

 --

 On the Web:

 Sony's XCP Page: http://cp.sonybmg.com/xcp

 Russinovich's Blog: www.sysinternals.com/Blog

 Symantec warning:

 http://securityresponse.symantec.com/avcenter/venc/data/securityrisk.aries.html

 Computer Associates warning:

 http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=76345



--- end forwarded text



[Clips] Feds mull regulation of quantum computers

2005-11-13 Thread R. A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Sat, 12 Nov 2005 12:34:00 -0500
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R. A. Hettinga [EMAIL PROTECTED]
 Subject: [Clips] Feds mull regulation of quantum computers
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 http://news.com.com/2102-11395_3-5942445.html?tag=st.util.print

 CNET News

  Feds mull regulation of quantum computers

  By Declan McCullagh
 
http://news.com.com/Feds+mull+regulation+of+quantum+computers/2100-11395_3-5942445.html


  Story last modified Wed Nov 09 14:18:00 PST 2005


 WASHINGTON--Quantum computers don't exist outside the laboratory. But the
 U.S. government appears to be exploring whether it should be illegal to
 ship them overseas.

 A federal advisory committee met Wednesday to hear an IBM presentation
 about just how advanced quantum computers have become--with an eye toward
 evaluating when the technology might be practical enough to merit
 government regulation.

 I like to say we're back in 1947 at the time transistors were invented,
 David DiVincenzo, an IBM researcher who focuses on quantum computing, told
 the committee.

 Only rough prototypes of quantum computers presently exist. But if a
 large-scale model can be built, in theory it could break codes used to
 scramble information on the Internet, in banking, and within federal
 agencies.

 A certain class of encryption algorithms relies for security on the
 near-impossibility of factoring large numbers quickly. But quantum
 computers, at least on paper, can do that calculation millions of times
 faster than a conventional microprocessor.

 It's clear there are promising avenues for doing this, DiVincenzo said of
 quantum computing research. There's lots and lots of work done at the
 basic research level and a sense of progress in the community.

 The technology industry has been long bedeviled by federal export
 regulations, which were born during the Cold War and renewed by executive
 order. And although the highly regulatory approach of the mid-'90s has been
 relaxed, the export of high-performance computers is still subject to
 several rules, as is encryption software.

 It's not clear what steps the federal government might take next, and no
 proposals were advanced during the meeting. The charter of the panel,
 called the Information Systems Technical Advisory Committee, calls for the
 panel to advise the Commerce Department on export regulations and what
 technology is presently available.

 A practical quantum computer may still be far off, but the use of quantum
 physics already appears in some commercially-available technology. An
 approach known as quantum cryptography provides encryption that is
 theoretically impossible to crack--and, at the moment, carries a hefty
 price tag.

 The federal advisory committee didn't address quantum cryptography in its
 open session. A closed session was scheduled for Thursday.


--- end forwarded text



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


[Clips] Spies in the Server Closet

2005-11-13 Thread R. A. Hettinga
If this most recent darknet-as-IP-bogeyman meme persists, Hollywood et al.
is probably going to make Tim May famous.

*That* should be interesting.

:-)



Cheers,
RAH
---
--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Sun, 13 Nov 2005 12:59:42 -0500
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R. A. Hettinga [EMAIL PROTECTED]
 Subject: [Clips] Spies in the Server Closet
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 http://www.cio.com/archive/110105/tl_filesharing.html?action=print

 NOVEMBER 1, 2005 | CIO MAGAZINE
 FILE SHARING
 Spies in the Server Closet
 BY MICHAEL JACKMAN



 The Supreme Court might have stirred up a bigger problem than it settled
 when it ruled last June that file-sharing networks such as Grokster could
 be sued if their members pirated copyrighted digital music and video.

 Since then, some programmers have announced they would pursue so-called
 darknets. These private, invitation-only networks can be invisible to even
 state-of-the-art sleuthing. And although they're attractive as a way to get
 around the entertainment industry's zeal in prosecuting digital piracy,
 they could also create a new channel for corporate espionage, says Eric
 Cole, chief scientist for Lockheed Martin Information Technology.

 Cole defines a darknet as a group of individuals who have a covert,
 dispersed communication channel. While file-sharing networks such as
 Grokster and even VPNs use public networks to exchange information, with a
 darknet, he says, you don't know it's there in the first place.

 All an employee has to do to set one up is install file-sharing software
 written for darknets and invite someone on the outside to join, thus
 creating a private connection that's unlikely to be detected. The Internet
 is so vast, porous and complex, it's easy to set up underground networks
 that are almost impossible to find and take down, says Cole.

 He advises that the best-and perhaps only-defense against darknets is a
 combination of network security best practices (such as firewalls,
 intrusion detection systems and intrusion prevention systems) and keeping
 intellectual property under lock and key. In addition, he says, companies
 should enact a security policy called least privilege, which means users
 are given the least amount of access they need to do their jobs. Usually
 if a darknet is set up it's because an individual has too much access,
 Cole says.




--- end forwarded text


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
When I was your age we didn't have Tim May! We had to be paranoid
on our own! And we were grateful! --Alan Olsen



[Clips] MIT Real ID Meeting Postponed to December 5th, AND Homeland Security to Propose Regulations - Join the Discussion

2005-11-10 Thread R. A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Wed, 9 Nov 2005 18:43:07 -0500
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R. A. Hettinga [EMAIL PROTECTED]
 Subject: [Clips] MIT Real ID Meeting Postponed to December 5th, AND Homeland
  Security to Propose Regulations - Join the Discussion
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]


 --- begin forwarded text


 Date: Wed, 9 Nov 2005 15:16:43 -0800 (PST)
 From: Daniel J. Greenwood [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 Subject: MIT Real ID Meeting Postponed to December 5th, AND Homeland
 Security to Propose Regulations - Join the Discussion
 To: [EMAIL PROTECTED]

  ** In-Person Event Postponed to December 5th, 2005 **

 This note is to inform you that the MIT Real ID Forum
 in-person meeting will take place on Monday, December
 5th, 2005 at the Media Lab at MIT.  The event will
 take place from 9am to 3pm.  I encourage you to
 register, if you had not already, at
 http://ecitizen.mit.edu/realid.html and to participate
 in our pre-conference online discussion, at
 http://ecitizen.mit.edu/realid.html.

 The program had to be postponed from November 17th due
 to a last minute important meeting called by the
 Department of Homeland Security on regulations
 implementing the Real ID Act related to privacy.
 Understandably, key privacy advocates and relevant
 Homeland Security individuals must now attend this
 meeting in Washington, DC.  For this reason, we have
 decided to postpone the event to December 5th.  We
 apologize for any inconvenience this may cause.

 ** Regulations Under Real ID -- Join the Discussion **

 I invite anybody on this list who may have opinions
 you wish to share on the topic of Real ID regulatory
 issues to post those ideas to our online forum under
 the new topic Homeland Security Regulations.  This
 topic thread is for participants in this Online Forum
 on the Real ID Act to share ideas you may have on
 problems and prospects associated with potential
 regulations under this federal law.

 All comments posted to this thread will be presented,
 as part of our conference proceedings, and published
 as part of our in-person conference to happen on
 December 5, 2005.  The conference proceedings will
 also be presented to the Department of Homeland
 Security, as a record of the remarks made by
 participants, for their considerations as they
 determine how to implement the Real ID Act.  I
 encourage you to attend the in-person meeting on
 December 5th at MIT and to participate in the dialog
 at the Online Forum.

 Best regards,
   - Daniel Greenwood

 
 Daniel J. Greenwood, Esq.
 Lecturer, Massachusetts Institute of Technology
 The Media Lab, Program of Media Arts and Science
 Principal, CIVICS.com The InfoSociety Consultancy
 http://ecitizen.mit.edu  www.civics.com
 1770 Mass. Ave, #205, Cambridge, MA 02140 USA
 [EMAIL PROTECTED]
 

 --- end forwarded text



--- end forwarded text





[Clips] [EMAIL PROTECTED]: [IP] Apple tries to patent 'tamper-resistant software']

2005-11-10 Thread R. A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Thu, 10 Nov 2005 12:00:24 -0500
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R. A. Hettinga [EMAIL PROTECTED]
 Subject: [Clips] [EMAIL PROTECTED]: [IP] Apple tries to patent
  'tamper-resistant software']
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]


 --- begin forwarded text


  Date: Thu, 10 Nov 2005 13:44:24 +0100
  From: Eugen Leitl [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Subject: [EMAIL PROTECTED]: [IP] Apple tries to patent 'tamper-resistant
software']
  User-Agent: Mutt/1.5.9i
  Sender: [EMAIL PROTECTED]

  - Forwarded message from David Farber [EMAIL PROTECTED] -

  From: David Farber [EMAIL PROTECTED]
  Date: Wed, 9 Nov 2005 23:47:04 -0500
  To: ip@v2.listbox.com
  Subject: [IP] Apple tries to patent 'tamper-resistant software'
  X-Mailer: Apple Mail (2.746.2)
  Reply-To: [EMAIL PROTECTED]



  Begin forwarded message:

  From: Dewayne Hendricks [EMAIL PROTECTED]
  Date: November 9, 2005 7:44:54 PM EST
  To: Dewayne-Net Technology List [EMAIL PROTECTED]
  Subject: [Dewayne-Net] Apple tries to patent 'tamper-resistant software'
  Reply-To: [EMAIL PROTECTED]

  Apple tries to patent 'tamper-resistant software'

  By Ina Fried
  http://news.com.com/Apple+tries+to+patent+tamper-resistant+software/2100-1045_3-5942107.html

  Story last modified Wed Nov 09 11:16:00 PST 2005

  Apple Computer, which is in the process of switching to computers
  based on the omnipresent Intel processor, has filed a patent
  application describing a method for securely running Mac OS X on
  specific hardware.

  The Mac maker has applied for a patent to cover a system and method
  for creating tamper-resistant code. Apple describes ways of ensuring
  that code can be limited to specific hardware, even in a world in
  which operating systems can be run simultaneously, in so-called
  virtual machines. The patent application was made in April of 2004,
  but only made public last Thursday.

  In its application, Apple describes a means of securing code using
  either a specific hardware address or read-only memory (ROM) serial
  number. Apple also talks about securing the code while interchanging
  information among multiple operating systems. Mac OS X, Windows and
  Linux are called out specifically in the filing.

  This invention relates generally to the field of computer data
  processing and more particularly to techniques for creating tamper-
  resistant software, Apple says in its patent filing. Specifically,
  Apple refers to the technique of code obfuscation, in which
  software makers employ techniques that make it harder for those using
  debuggers or emulators to figure out how a particular block of code
  is working.
  Apple's patent application comes as the company prepares to offer its
  Mac OS X operating system for Intel-based chips, with the first
  machines slated to go on sale next year.

  Historically, the company has had to worry less about the Mac running
  on non-Apple hardware because it has used different chips and other
  components from those that power Windows PCs. With its move to Intel
  chips, though, the innards of the Mac will become more similar to
  those of its Windows-based counterparts.

  The company said it is not planning on supporting Windows or other
  operating systems on the Intel-based Macs it sells but has also said
  it doesn't plan on taking steps to prevent Mac owners from running
  other operating systems.
  We won't do anything to preclude that, Apple Senior Vice President
  Phil Schiller told CNET News.com in June.

  However, Schiller also said Apple has no plans to allow its operating
  system to run on non-Apple hardware. We will not allow running Mac
  OS X on anything other than an Apple Mac, he said. An Apple
  representative declined to comment Wednesday on the patent filing.
  Clearly, though, Apple is gearing up the intellectual property push
  around the Intel move.

  The company has reportedly been beefing up the technology that
  constrains the Intel versions of Mac OS X to run only on authorized
  machines, to this point a set of test Macs given to developers. The
  company has also applied for a trademark on Rosetta, its technology
  for running existing Mac programs on the Intel chips.

  Weblog at: http://weblog.warpspeed.com



  - End forwarded message -
  --
  Eugen* Leitl leitl http://leitl.org
  __
  ICBM: 48.07100, 11.36820 http://www.leitl.org
  8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

 --- end

[Clips] Sony BMG's DRM provider does not rule out future use of stealth

2005-11-09 Thread R. A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Wed, 9 Nov 2005 10:50:05 -0500
 To: Philodox Clips List [EMAIL PROTECTED]
 From: R. A. Hettinga [EMAIL PROTECTED]
 Subject: [Clips] Sony BMG's DRM provider does not rule out future use of
stealth
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 
http://www.tgdaily.com/2005/11/04/f4i_says_sony_bmg_xcp_is_not_rootkit/print.html

 Tom's Guide Daily

 Sony BMG's DRM provider does not rule out future use of stealth
 By Scott M. Fulton, III
 Published Friday 4th November 2005 22:27 GMT


 Oxfordshire (UK) - The CEO of the company which provides digital rights
 management tools and software to global music publisher Sony BMG, and which
 developed the XCP system that was the subject of controversy this week,
 told TG Daily in an exclusive interview that, despite what some security
 software engineers, news sources, and bloggers have suggested, XCP is not,
 and was never designed to be, a rootkit.

 We believe there are some comments that have been misunderstood in the
 media, said Matthew Gilliat-Smith, chief executive officer of First 4
 Internet, the manufacturers of XCP. Our view is that this is a 'storm in a
 teacup,' as we say over here in the UK ... I want to confirm that this is
 not malware. It's not spyware. There's nothing other than pure content
 protection, which is benign.



 As we reported yesterday
 (http://www.tgdaily.com/2005/11/03/sony_bmg_xcp_is_it_a_rootkit/), security
 software engineer Mark Russinovich discovered, through the use of a program
 he wrote called RootkitRevealer, that drivers deposited on his system from
 a Sony BMG audio CD he purchased were using stealth techniques to hide
 their appearance not only from the user, but also from portions of the
 Windows operating system. These drivers had been installed in such a way
 that they were run perpetually, loaded automatically - even in safe mode -
 and were referenced in the Windows System Registry using a method that
 could not be deleted without extensive reworking of the Registry, to enable
 the operating system to recognize the CD-ROM drive again. In his
 investigation, he identified these drivers as part of the XCP copy
 protection system.

 Russinovich's story, posted to his company's Web site
 (http://www.sysinternals.com/Blog/), was widely read and generated enormous
 response from bloggers, some of whom believed either that Russinovich was
 suggesting, or that his evidence had substantiated, that XCP constituted a
 rootkit. Under the more technical definition of that term, it would have to
 open up an unmonitored Internet connection with a remote host, probably
 with the intention of delivering a malicious payload in a very undetectable
 manner. No such allegations were made of such behavior by Russinovich, yet
 the characterization hung in the air.

 There's areas of misinformation which I'd be very happy to set straight,
 Gilliat-Smith told us. The first is [the allegation that XCP is some form
 of] rootkit technology, in the form that would be used to spread malware.
 What it is, it's using cloaking techniques that are similar to a rootkit,
 for the purpose of making speed bumps on the content protection, to make it
 more difficult to circumvent the protection.

 Gilliat-Smith said his software does not open up any connection between the
 stealth driver and its host. Ours does not do that, he said. All we're
 doing is using a hook and a redirect, so when you look for a file, it is
 hidden. It is very widely used...since way back in 1994, by many shareware
 companies and anti-virus companies.

 A paper describing what appears to be the hook and redirect method to
 which Gilliat-Smith refers, published by the online hacker magazine
 Phrack.org, defines rootkit as a program designed to control the behavior
 of a given machine. This is often used to hide the illegitimate presence of
 a backdoor and other such tools. It acts by denying the listing of certain
 elements when requested by the user, affecting thereby the confidence that
 the machine has not been compromised. By backdoor, the paper can be
 presumed to mean a method by which a remote party can take control of the
 system undetected. Gilliat-Smith denies any such methods are, or have ever
 been, used by XCP.

 Furthermore, Gilliat-Smith stated, the version of XCP which utilized this
 hook and redirect method to hide the presence of the persistent driver,
 is no longer being used in new audio CDs. At the time these concerns arose,
 he said, we had already created the new version of the software, which
 provides a range of additional features for the consumer. We have moved
 away from the cloaking technology that gives rise to these concerns.

 First 4 Internet (F4i) has made available to Sony BMG a removal tool, which
 users can download from Sony BMG's Web site
 (http://cp.sonybmg.com/xcp/english/updates.html), that removes the XCP
 driver from users' systems and cleans up the mess
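
The two techniques at the centre of this story, the "hook and redirect" that Gilliat-Smith says XCP used to hide its driver, and the cross-view comparison that Russinovich's RootkitRevealer relies on to expose exactly that kind of hiding, simulated as an added Python example. This is constructed illustration, not XCP's, First 4 Internet's or Sysinternals' code: the in-memory "filesystem", the hooked listing function and the cloaking prefix `$hidden$` are all assumptions made for the simulation. The real XCP hook lived in a kernel driver and filtered Windows system calls; the idea is the same, and so is the detection: a cloaked object disappears from the hooked view but not from a view that bypasses the hook.

```python
"""Simulated rootkit-style cloaking and cross-view detection.

Added example, not code from the article or from XCP. The directory
contents, the hook and the HIDDEN_PREFIX are constructed for illustration.
"""
from __future__ import annotations

import functools
from typing import Callable

# Assumption for the simulation: cloaked entries share a name prefix.
HIDDEN_PREFIX = "$hidden$"

# Constructed raw view of two directories, as a low-level enumeration that
# bypasses any hook would see them.
FILESYSTEM: dict[str, list[str]] = {
    "C:/Windows/System32": [
        "kernel32.dll",
        "notepad.exe",
        "$hidden$cloak.sys",    # constructed cloaked driver
        "$hidden$config.dat",   # constructed cloaked data file
    ],
    "C:/Users/alice": ["notes.txt"],
}

ListDir = Callable[[str], list[str]]


def raw_list_dir(path: str) -> list[str]:
    """Low-level view: every entry physically present, sorted for stability."""
    return sorted(FILESYSTEM[path])


def is_cloaked(name: str) -> bool:
    """Predicate the hook uses to decide which entries to drop from results."""
    return name.startswith(HIDDEN_PREFIX)


def install_hook(api: ListDir, hide: Callable[[str], bool]) -> ListDir:
    """'Hook and redirect': wrap a listing API so that callers get the real
    results minus anything the predicate says to hide. The caller cannot
    tell the difference, which is the whole point of the cloak."""
    @functools.wraps(api)
    def hooked(path: str) -> list[str]:
        return [name for name in api(path) if not hide(name)]
    return hooked


# The "high-level" API every normal program (Explorer, dir, an AV scanner
# using the documented API) goes through once the hook is in place.
hooked_list_dir: ListDir = install_hook(raw_list_dir, is_cloaked)


def cross_view_diff(high_level: ListDir, low_level: ListDir, path: str) -> list[str]:
    """RootkitRevealer-style check: anything present in the low-level view
    but absent from the high-level view is being hidden from the user."""
    return sorted(set(low_level(path)) - set(high_level(path)))


def scan(paths: list[str] | dict,
         high_level: ListDir = hooked_list_dir,
         low_level: ListDir = raw_list_dir) -> dict[str, list[str]]:
    """Run the cross-view check over several directories; report only hits."""
    findings: dict[str, list[str]] = {}
    for path in paths:
        hidden = cross_view_diff(high_level, low_level, path)
        if hidden:
            findings[path] = hidden
    return findings


if __name__ == "__main__":
    for path, hidden in scan(FILESYSTEM).items():
        print(f"{path}: hidden from API view -> {hidden}")
```

The detector only works because `raw_list_dir` does not pass through the hook; on a real system that means reading directory structures from the raw volume rather than asking the same kernel services the driver has patched, which is why such hooks are described as hiding from "portions of the Windows operating system" rather than from the disk itself.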

[ShmooCon-News] First selected BoF run by Jon Callas, CTO, PGP Corporation

2004-10-07 Thread R. A. Hettinga

--- begin forwarded text


Date: Wed, 6 Oct 2004 19:34:24 -0400
To: [EMAIL PROTECTED]
Cc:
From: [EMAIL PROTECTED]
Subject: [ShmooCon-News] First selected BoF run by Jon Callas, CTO,
PGP Corporation
Reply-To: [EMAIL PROTECTED]
List-Id: News about Shmoocon  shmoocon-news.lists.shmoo.com
List-Post: mailto:[EMAIL PROTECTED]
List-Help: mailto:[EMAIL PROTECTED]
List-Subscribe: https://lists.shmoo.com/mailman/listinfo/shmoocon-news,
mailto:[EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

We're pleased to announce our first selected thought-provoking and
potentially controversial BoF for ShmooCon 2005 will be run by Jon
Callas, CTO, PGP Corporation.  For more information check out:

http://www.shmoocon.org/program.html#callas

We look forward to folks discussing how Information wants to be free,
but programmers want to eat.  Check it out!

Sincerely,

Beetle
___
Shmoocon-News mailing list
[EMAIL PROTECTED]
https://lists.shmoo.com/mailman/listinfo/shmoocon-news

--- end forwarded text





Big guns board Intertrust DRM bandwagon

2004-10-06 Thread R. A. Hettinga
http://www.theregister.co.uk/2004/10/05/coral_consortium/print.html

The Register


 Biting the hand that feeds IT

The Register » Internet and Law » Digital Rights/Digital Wrongs »

 Original URL: http://www.theregister.co.uk/2004/10/05/coral_consortium/

Big guns board Intertrust DRM bandwagon
By Faultline (peter at rethinkresearch.biz)
Published Tuesday 5th October 2004 15:36 GMT

Intertrust, Philips and Sony have added more top consumer electronics,
content and technology heavyweights to their attempt to create an open
interoperable Digital Rights Management environment.

The system promised at the turn of the year in interview with Philips has
taken a step closer to becoming a reality today with a new DRM clustering
of companies calling itself the Coral Consortium. Lining up with the
expected triumvirate of Intertrust and its two owners Philips and Sony, are
more powerful names in the form of Panasonic, Samsung, Hewlett-Packard and
the News Corp controlled film company Twentieth Century Fox.


Coral describes itself as a cross-industry group to promote
interoperability between digital rights management (DRM) technologies used
in the consumer media market and it is expected to put its weight behind
the Nemo technology emerging from Intertrust. Nemo will act as a bridge
between varying DRM systems, including Intertrust's partners systems and
Microsoft Windows Media DRM.

In Nemo there are defined a set of roles such as client, authorizer,
gateway and orchestrator, and it assumes that they talk to each other over
an IP network, and work is allocated to each of them such as authorization,
peer discovery, notification, services discovery, provisioning, licensing
and membership creation.

The client simply uses the services of the other three peers, the
authorizer decides if the requesting client should have access to a
particular piece of content; the gateway takes on the role of a helper that
will provide more processing power to negotiate a bridge to another
architecture and the orchestrator is a special form of gateway that handles
non-trivial co-ordination such as committing a transaction.

The Consortium says its aim is to end up with an open technology framework
offering a simple and consistent experience to consumers. Most DRM systems,
such as Apple's Fairplay used in its iTunes service and on the iPod,
prevent consumers from playing content packaged and distributed using one
DRM technology on a device that supports a different DRM technology.

Coral's answer is to separate content interoperability from choice of DRM
technology by developing and standardizing a set of specifications focused
on interoperability between different DRM technologies rather than
specifying DRM technologies.

Interoperability

The resulting interoperability layer supports the coexistence of multiple
different DRM technologies and permits devices to find appropriately
formatted content in the time it takes to press the play button, without
consumer awareness of any disparity in format or DRM.

In a recent interview with Faultline, Ruud Peters, the chief executive of
Philips's intellectual property and standards unit told us: We cannot
force Microsoft to join. This whole thing has to be done on a voluntary
basis, but if Microsoft systems means that there are devices which cannot
play content, and if that content can play on all other devices, then it is
Microsoft that will be seen as not friendly.

He also explained that when moving a piece of content from under the
control of one piece of DRM software to another, if it was to involve a
Trust Authority deciphering the content using an authorized key, and then
re-encrypting using another key, then there is never any need to break
the encryption system in a competing DRM standard.

Coral says it will provide interoperability for secure content distribution
over web and home network-based devices and services but has yet to say
anything in detail about the technology it will be using. More details will
emerge at www.coral-interop.org (http://www.coral-interop.org/).

This grouping speaks for over half the Hollywood feature films on the
planet, around 25 per cent of all popular recorded music and substantially
more of the branded consumer electronics goods, and probably has the
strength to hold a standoff with Microsoft's PC based DRM. Twentieth
Century Fox is also reported this week to have agreed to adopt the Blu-ray
disc standard for next-generation DVD players. Not surprising, considering
who its new DRM friends are.

With Sony, its recently acquired MGM Studios and Fox backing the Blu-ray
standard, it's almost a slam dunk for the Sony, Philips, Panasonic standard
over the DVD Forum's HD DVD competing standard, which is still not ready.



National IDs for everybody?

2004-10-05 Thread R. A. Hettinga
 to get a U.S.
passport, obtain Social Security benefits, or even wander into a federal
courthouse. States would be strong-armed into complying. Warns Barry
Steinhardt of the American Civil Liberties Union: Congress shouldn't be
providing a blank check to the Department of Homeland Security to design a
national driver's license.

 It's not just a liberal sentiment. Says Stephen Lilienthal, a policy
analyst at the conservative Free Congress Foundation: Many conservatives
have expressed concern that proposals such as the Dreier bill are placed on
the books with a limited set of objectives but will expand bit by bit to
include all sorts of other information and be monitored constantly by the
government to keep track of individuals from cradle to grave.

 Dreier should take note. Talking loudly about ID cards may boost his
re-election bid next month, but voters won't be pleased when they've
figured out what it actually means.




Credentica Web site is up

2004-10-05 Thread R. A. Hettinga

--- begin forwarded text


From: Stefan Brands [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Credentica Web site is up
Date: Tue, 5 Oct 2004 13:55:30 -0400

Dear All,

This e-mail is to inform you that our corporate Web site at
http://www.credentica.com is up. We welcome any suggestions for
improvement, and encourage you to establish links to our home-page from
your blogs, news postings, and Web sites!

Best regards,
Stefan Brands
Credentica
740 Notre Dame W, #1500
Montreal, QC
Canada H3C 3X6
Tel: +1 (514) 866.6000

PS Pages that may be of particular interest:

- http://www.credentica.com/about.php (overview of what we do and how we
differ)

- http://www.credentica.com/solutions.php  submenus (explanations of
product benefits in key markets)

- http://www.credentica.com/the_mit_pressbook.php (the entire MIT Press
book available for free download)

White papers and product data sheets are in preparation and will be
posted in the next couple of months.

PPS The site is best viewed with a Javascript-enabled browser, and has
been tested only with leading browsers.

--- end forwarded text





QC Hype Watch: Quantum cryptography gets practical

2004-10-04 Thread R. A. Hettinga
 infrastructure equipment. Quantum repeaters are under
development to extend that range much farther. Finally, the end points of
these QKD systems must reside in secure locations. However, since they are
tamper-proof, if attempts are made to compromise them, they will stop
running or fire off an alarm, thus ensuring ultimate information protection.

 The practical development of QKD systems has made them applicable for a
number of industries such as financial services, biotech and
telecommunications along with government sectors such as intelligence and
the military. They don't require a physicist or an engineer to administer
them. These appliances fit in standard racks, plug into existing networks,
and are reliable around the clock. QKD systems interoperate with security
standards such as IPsec-based VPNs providing an added layer of security to
networks.

 Ask the right questions

As you look for better ways to protect your company's most important
information, QKD may be an option. However, be sure you understand the
strengths and drawbacks of quantum key distribution by asking the right
questions:

1.  What does your organization's security policy say about the
threat profile for high-value assets?

2.  How frequently are your encryption keys changed and by what method?

3.  What is the total cost of ownership for QKD products? Are there
additional costs in support and training?

4.  Are your competitors implementing QKD systems?

5.  What infrastructure requirements must be met?

6.  What personnel/staffing levels are required?

7.  How does this QKD system work with existing cryptography systems?

8.  What are the distance limitations of this system?

QKD isn't an everyday desktop tool, but the technology makes sense for
those organizations that have the resources and the capacity to use it
effectively.

 Bob Gelfond is founder and CEO of MagiQ Technologies Inc., a vendor of
quantum information processing services and products in New York.





 



 Copyright © 2004 Computerworld Inc. All rights reserved. Reproduction in
whole or in part in any form or medium without express written permission
of Computerworld Inc. is prohibited. Computerworld and Computerworld.com
and the respective logos are trademarks of International Data Group Inc.


 



CFP: Privacy Enhancing Technologies (PET 2005)

2004-10-04 Thread R. A. Hettinga
, University of Texas at Arlington, USA

Papers should be at most 15 pages excluding the bibliography and
well-marked appendices (using an 11-point font), and at most 20 pages
total.  Submission of shorter papers (from around 4 pages) is strongly
encouraged whenever appropriate.  Papers must conform to the Springer
LNCS style.  Follow the "Information for Authors" link at
http://www.springer.de/comp/lncs/authors.html.

Reviewers of submitted papers are not required to read the appendices
and the paper should be intelligible without them.  The paper should
start with the title, names of authors and an abstract.  The
introduction should give some background and summarize the
contributions of the paper at a level appropriate for a non-specialist
reader.  A preliminary version of the proceedings will be made
available to workshop participants.  Final versions are not due until
after the workshop, giving the authors the opportunity to revise their
papers based on discussions during the meeting.

Submit your papers in Postscript or PDF format.  To submit a paper,
compose a plain text email to [EMAIL PROTECTED]
containing the title and abstract of the paper, the authors' names,
email and postal addresses, phone and fax numbers, and identification
of the contact author (to whom we will address all subsequent
correspondence).  Attach your submission to this email and send it.
By submitting a paper, you agree that if it is accepted, you will sign
a paper distribution agreement allowing for publication, and also that
an author of the paper will register for the workshop and present the
paper there.  Our current working agreement with Springer is that
authors will retain copyright on their own works while assigning an
exclusive 3-year distribution license to Springer.  Authors may still
post their papers on their own Web sites.  See
http://petworkshop.org/2004/paper-dist-agreement-5-04.html for the 2004
version of this agreement.

Submitted papers must not substantially overlap with papers that have
been published or that are simultaneously submitted to a journal or a
conference with proceedings.

Paper submissions must be received by February 7.  We acknowledge all
submissions manually by email.  If you do not receive an
acknowledgment within a few days (or one day, if you are submitting
right at the deadline), then contact the program committee chairs
directly to resolve the problem.  Notification of acceptance or
rejection will be sent to authors no later than April 4 and authors
will have the opportunity to revise for the preproceedings version by
May 6.

We also invite proposals of up to 2 pages for panel discussions or
other relevant presentations.  In your proposal, (1) describe the
nature of the presentation and why it is appropriate to the workshop,
(2) suggest a duration for the presentation (ideally between 45 and 90
minutes), (3) give brief descriptions of the presenters, and (4)
indicate which presenters have confirmed their availability for the
presentation if it is scheduled.  Otherwise, submit your proposal by
email as described above, including the designation of a contact
author.  The program committee will consider presentation proposals
along with other workshop events, and will respond by the paper
decision date with an indication of its interest in scheduling the
event.  The proceedings will contain 1-page abstracts of the
presentations that take place at the workshop.  Each contact author
for an accepted panel proposal must prepare and submit this abstract
in the Springer LNCS style by the "Camera-ready copy for
preproceedings" deadline date.



___
NymIP-rg-interest mailing list
[EMAIL PROTECTED]
http://www.nymip.org/mailman/listinfo/nymip-rg-interest

--- end forwarded text




Tor 0.0.9pre1 is out (fwd from [EMAIL PROTECTED])

2004-10-04 Thread R. A. Hettinga

--- begin forwarded text


Date: Fri, 1 Oct 2004 10:46:39 +0200
From: Eugen Leitl [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Tor 0.0.9pre1 is out (fwd from [EMAIL PROTECTED])
User-Agent: Mutt/1.4i
Sender: [EMAIL PROTECTED]

From: Roger Dingledine [EMAIL PROTECTED]
Subject: Tor 0.0.9pre1 is out
To: [EMAIL PROTECTED]
Date: Fri, 1 Oct 2004 03:19:44 -0400
Reply-To: [EMAIL PROTECTED]

We've fixed quite a few bugs. We've also added compression for
directories, and client-side directory caching on disk so you'll have
a directory when Tor restarts.

tarball:   http://freehaven.net/tor/dist/tor-0.0.9pre1.tar.gz
signature: http://freehaven.net/tor/dist/tor-0.0.9pre1.tar.gz.asc
(use -dPr tor-0_0_9pre1 if you want to check out from cvs)

Changes from 0.0.8:
  o Bugfixes:
- Stop using separate defaults for no-config-file and
  empty-config-file. Now you have to explicitly turn off SocksPort,
  if you don't want it open.
- Fix a bug in OutboundBindAddress so it (hopefully) works.
- Improve man page to mention more of the 0.0.8 features.
- Fix a rare seg fault for people running hidden services on
  intermittent connections.
- Change our file IO stuff (especially wrt OpenSSL) so win32 is
  happier.
- Fix more dns related bugs: send back resolve_failed and end cells
  more reliably when the resolve fails, rather than closing the
  circuit and then trying to send the cell. Also attach dummy resolve
  connections to a circuit *before* calling dns_resolve(), to fix
  a bug where cached answers would never be sent in RESOLVED cells.
- When we run out of disk space, or other log writing error, don't
  crash. Just stop logging to that log and continue.
- We were starting to daemonize before we opened our logs, so if
  there were any problems opening logs, we would complain to stderr,
  which wouldn't work, and then mysteriously exit.
- Fix a rare bug where sometimes a verified OR would connect to us
  before he'd uploaded his descriptor, which would cause us to
  assign conn->nickname as though he's unverified. Now we look through
  the fingerprint list to see if he's there.
- Fix a rare assert trigger, where routerinfos for entries in
  our cpath would expire while we're building the path.

  o Features:
- Clients can ask dirservers for /dir.z to get a compressed version
  of the directory. Only works for servers running 0.0.9, of course.
- Make clients cache directories and use them to seed their router
  lists at startup. This means clients have a datadir again.
- Configuration infrastructure support for warning on obsolete
  options.
- Respond to content-encoding headers by trying to uncompress as
  appropriate.
- Reply with a deflated directory when a client asks for dir.z.
  We could use allow-encodings instead, but allow-encodings isn't
  specified in HTTP 1.0.
- Raise the max dns workers from 50 to 100.
- Discourage people from setting their dirfetchpostperiod more often
  than once per minute
- Protect dirservers from overzealous descriptor uploading -- wait
  10 seconds after directory gets dirty, before regenerating.

--

--
Eugen* Leitl leitl (http://leitl.org)
__
ICBM: 48.07078, 11.61144            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net

[demime 1.01d removed an attachment of type application/pgp-signature]

--- end forwarded text




'Frustrated' U.S. Cybersecurity Chief Abruptly Resigns

2004-10-04 Thread R. A. Hettinga
http://www.local6.com/print/3776699/detail.html?use=print

local6.com

'Frustrated' U.S. Cybersecurity Chief Abruptly Resigns

POSTED: 11:32 AM EDT October 1, 2004
WASHINGTON -- The government's cybersecurity chief has abruptly resigned
after one year with the Department of Homeland Security, confiding to
industry colleagues his frustration over what he considers a lack of
attention paid to computer security issues within the agency.

 Amit Yoran, a former software executive from Symantec Corp., informed the
White House about his plans to quit as director of the National Cyber
Security Division and made his resignation effective at the end of
Thursday, effectively giving a single day's notice of his intentions to
leave.

 Yoran said Friday he felt the timing was right to pursue other
opportunities. It was unclear immediately who might succeed him even
temporarily. Yoran's deputy is Donald "Andy" Purdy, a former senior adviser
to the White House on cybersecurity issues.

 Yoran has privately described frustrations in recent months to colleagues
in the technology industry, according to lobbyists who recounted these
conversations on condition they not be identified because the talks were
personal.

 As cybersecurity chief, Yoran and his division - with an $80 million
budget and 60 employees - were responsible for carrying out dozens of
recommendations in the Bush administration's National Strategy to Secure
Cyberspace, a set of proposals to better protect computer networks.

 Yoran's position as a director -- at least three steps beneath Homeland
Security Secretary Tom Ridge -- has irritated the technology industry and
even some lawmakers. They have pressed unsuccessfully in recent months to
elevate Yoran's role to that of an assistant secretary, which could mean
broader authority and more money for cybersecurity issues.

 "Amit's decision to step down is unfortunate and certainly will set back
efforts until more leadership is demonstrated by the Department of Homeland
Security to solve this problem," said Paul Kurtz, a former cybersecurity
official on the White House National Security Council and now head of the
Washington-based Cyber Security Industry Alliance, a trade group.

 Under Yoran, Homeland Security established an ambitious new cyber alert
system, which sends urgent e-mails to subscribers about major virus
outbreaks and other Internet attacks as they occur, along with detailed
instructions to help computer users protect themselves.

 It also mapped the government's universe of connected electronic devices,
the first step toward scanning them systematically for weaknesses that
could be exploited by hackers or foreign governments. And it began
routinely identifying U.S. computers and networks that were victims of
break-ins.

 Yoran effectively replaced a position once held by Richard Clarke, a
special adviser to President Bush, and Howard Schmidt, who succeeded Clarke
but left government during the formation of the Department of Homeland
Security to work as chief security officer at eBay Inc.

 Yoran cofounded Riptech Inc. of Alexandria, Va., in March 1998, which
monitored government and corporate computers around the world with an
elaborate sensor network to protect against attacks. He sold the firm in
July 2002 to Symantec for $145 million and stayed on as vice president for
managed security services.



Reverse DMCA: Copyright Holder Held Liable in Landmark Legal Ruling

2004-10-04 Thread R. A. Hettinga
http://www.linuxelectrons.com/article.php/20040930201813382   
LinuxElectrons -


Reverse DMCA: Copyright Holder Held Liable in Landmark Legal Ruling
  
 Thursday, September 30 2004 @ 08:18 PM
 Contributed by: ByteEnable


In a landmark case, a California district court has determined that
Diebold, Inc., a manufacturer of electronic voting machines, knowingly
misrepresented that online commentators, including IndyMedia and two
Swarthmore college students, had infringed the company's copyrights. This
makes the company the first to be held liable for violating section 512(f)
of the Digital Millennium Copyright Act (DMCA), which makes it unlawful to
use DMCA takedown threats when the copyright holder knows that infringement
has not actually occurred.

The Electronic Frontier Foundation (EFF) and the Center for Internet and
Society Cyberlaw Clinic at Stanford Law School sued on behalf of nonprofit
Internet Service Provider (ISP) Online Policy Group (OPG) and the two
students to prevent Diebold's abusive copyright claims from silencing
public debate about voting.

Diebold sent dozens of cease-and-desist letters to ISPs hosting leaked
internal documents revealing flaws in Diebold's e-voting machines. The
company claimed copyright violations and used the DMCA to demand that the
documents be taken down. One ISP, OPG, refused to remove them in the name
of free speech, and thus became the first ISP to test whether it would be
held liable for the actions of its users in such a situation.

"This decision is a victory for free speech and for transparency in
discussions of electronic voting technology," said Wendy Seltzer, an EFF
staff attorney who worked on the case. "Judge Fogel recognized the fair use
of copyrighted materials in critical discussion and gave speakers a remedy
when their speech is chilled by improper claims of copyright infringement."

OPG Executive Director Will Doherty said, "This ruling means that we have
legal recourse to protect ourselves and our clients when we are sent
misleading or abusive takedown notices."

In his decision, Judge Jeremy Fogel wrote, "No reasonable copyright holder
could have believed that the portions of the email archive discussing
possible technical problems with Diebold's voting machines were protected by
copyright . . . the Court concludes as a matter of law that Diebold
knowingly materially misrepresented that Plaintiffs infringed Diebold's
copyright interest."




A Proposed Nomenclature for the Four Horsemen of The Infocalypse

2004-10-04 Thread R. A. Hettinga
I've been talking about this for the last decade, and never found a
reference on the web whenever I was thinking about it. Thanks to
Google, it was well within my prodigiously diminished attention span
this morning.

Given the events on the net over the past few years, I figure we
might as well have fun with the idea. Humor is good leverage, and
these days we need *lots* of leverage.

In arbitrary order (in other words, *I* chose it. :-)), and with
apologies to Toru Iwatani, by way of Michael Thomasson at
http://www.gooddealgames.com/articles/Pac-Man%20Ghosts.html, here
it is:


A Proposed Nomenclature for the Four Horsemen of The Infocalypse

   Horseman           Color   Character   Nickname

1  Terrorism          Red     Shadow      Blinky
2  Narcotics          Pink    Speedy      Pinky
3  Money Laundering   Aqua    Bashful     Inky
4  Paedophilia        Yellow  Pokey       Clyde

It is acceptable to refer to a horseman by any of the above, i.e.,
Horseman No. 1, The Red Horseman, Shadow, or Blinky.

Apparently there was a, um, pre-deceased, dark-blue ghost, used in
Japanese tournament play, named Kinky; I leave that particular
horseman for quibblers.


Cheers,
RAH




Swiss on a Roll With Quantum Crypto

2004-09-29 Thread R. A. Hettinga
http://www.lightreading.com/document.asp?site=lightreading&doc_id=60160

Light Reading - Networking the Telecom Industry

SEPTEMBER 29, 2004


Swiss on a Roll With Quantum Crypto

GENEVA -- Deckpoint and id Quantique, two private companies active in the
field of information technology and based in Geneva, Switzerland, and the
University of Geneva announce, as a world premiere, the official opening of
a data archiving network secured using quantum cryptography technology. A
ceremony will take place on September 29th 2004, at 11:00 am in Geneva.
Carlo Lamprecht, the Minister of Economy, Labor and Foreign Affairs of the
Republic and Canton of Geneva, as well as Professor André Hurst, the Dean
of the University of Geneva, will attend this ceremony.

 In a world where the reliance on electronic data transmission and
processing is becoming every day more prevalent, data archiving plays a
critical role in the ability of an organization to operate continuously
under all circumstances. In order to guarantee the highest availability of
information, the use of remote backup solutions on several sites is
increasing strongly. In such a scenario, the confidentiality and the
integrity of sensitive information exchanged between two sites is of the
utmost importance.

 Current cryptographic techniques used to guarantee this confidentiality
are based on mathematical theories. In spite of the fact that they are
very widespread, they do not offer foolproof security. They are in
particular vulnerable to increasing computing power and theoretical
advances in mathematics. On the contrary, quantum cryptography exploits the
laws of quantum physics to guarantee in an absolute fashion the
confidentiality of data transmission. « Quantum cryptography constitutes a
revolution in the field of information security » says Professor Nicolas
Gisin, of the University of Geneva. « It is the only solution offering long
term confidentiality and which cannot be compromised by scientific or
technological advances ».

 The University of Geneva, where research on quantum cryptography started
in the early 90's, played a pioneer role in the development of this
technology. At the end of 2001, four researchers, who were convinced of the
potential of this technology, founded the company id Quantique to develop
commercial applications.

 id Quantique and Deckpoint joined forces to develop and implement the
first data archiving network secured using quantum cryptography. The data
saved on a farm of 30 servers of the Deckpoint Housing Center, in the
Acacias district of Geneva, are replicated on servers located at the Cern
Internet Exchange Point, in Meyrin, in the suburbs of Geneva. The distance
between the two sites is about 10 kilometers. This application, which will
initially last about one month, constitutes a world premiere.

 id Quantique, the first company to bring quantum cryptography to the
market, provided the hardware used in this application. « This world
premiere is an excellent illustration of the potential of this
technology » says Gregoire Ribordy, CEO. « The company confirms thus its
leading position in applications of quantum technologies. »

 « We are convinced that security has become critical, in particular with
the implementation of the Basel II standards in the banking industry as of
2006. The economic world cannot afford anymore not to have a complete
information security strategy » adds Dominique Perisset, director of
Deckpoint. Seduced by the ambitions and visionary nature of this project,
Deckpoint granted access to its infrastructure and offered technical
support to make the implementation of this network possible.




Federal judge rejects part of Patriot Act

2004-09-29 Thread R. A. Hettinga
http://msnbc.msn.com/id/6131670/print/1/displaymode/1098/
  MSNBC.com

Federal judge rejects part of Patriot Act
Provision giving FBI access to business records overturned
Reuters
Updated: 12:11 p.m. ET Sept. 29, 2004


NEW YORK - A federal judge Wednesday found unconstitutional a part of the
United States' anti-terror Patriot Act that allows authorities to demand
customer records from businesses without court approval.

 U.S. District Judge Victor Marrero ruled in favor of the American Civil
Liberties Union, which challenged the power the FBI has to demand
confidential financial records from companies as part of terrorism
investigations.

 The ruling was the latest blow to the Bush administration's anti-terrorism
policies.

 In June, the U.S. Supreme Court ruled that terror suspects being held in
places like Guantanamo Bay can use the American judicial system to
challenge their confinement. That ruling was a defeat for the president's
assertion of sweeping powers to hold enemy combatants indefinitely after
the Sept. 11, 2001, attacks.

 The ACLU sued the Department of Justice, arguing that part of the Patriot
legislation violated the Constitution because it authorizes the FBI to
force disclosure of sensitive information without adequate safeguards.

 The judge agreed, stating that the provision effectively bars or
substantially deters any judicial challenge.

 Under the provision, the FBI did not have to show a judge a compelling
need for the records and it did not have to specify any process that would
allow a recipient to fight the demand for confidential information.



Airlines Told to Turn Over Passenger Data

2004-09-22 Thread R. A. Hettinga
http://apnews.myway.com/article/20040921/D8586D6G1.html

My Way News

Airlines Told to Turn Over Passenger Data

Sep 21, 1:36 PM (ET)

By LESLIE MILLER


WASHINGTON (AP) - The Transportation Security Administration announced on
Tuesday that it will order domestic airlines to turn over personal
information about passengers to test a system that will compare their names
to those on terrorist watch lists.

 The system, called Secure Flight, replaces a previous plan that would have
checked passenger names against commercial databases and assigned a risk
level to each. That plan, which cost $103 million, was abandoned because of
privacy concerns and technological issues.

 The airlines will have 30 days to comment on the proposed order, which
Congress gave the TSA authority to issue. Air carriers will then have 10
days to turn over data that they gathered in June, called passenger name
records.

 The amount of data in passenger name records varies by airline, but it
typically includes name, flight origin, flight destination, flight time,
duration of flight and form of payment. It can also include credit card
numbers, address, telephone number and meal requests, which can indicate a
person's ethnicity.

 Justin Oberman, who heads the office that's developing Secure Flight, said
he hopes that the program can be implemented by mid to late spring. He said
he expects the airlines to cooperate.

 "We are going to work very closely with them," Oberman said.

 The TSA will also conduct a limited test in which they'll compare
passenger names with information from commercial databases to see if they
can be used to detect fraud or identity theft.




FSTC Project Update

2004-09-21 Thread R. A. Hettinga
.
The business goals are to enable standards-based plug-and-play integration
capabilities between institutions and customer platforms, whether ERP,
Treasury Work Station (TWS), or desktop.

A core group of financial institutions and technology companies has
committed to launching this initiative in the second half of 2004.  This
project is considered on-hold until later this year.
__

4.  Transformation to Open Mission Critical Systems

The transformation of systems from higher cost or proprietary delivery to
open systems is one of the most hotly debated and discussed topics in
financial services IT.  While there is great promise in the flexibility and
efficiencies gained, there is also risk and cost. An FSTC project will soon
form up to determine answers to such key questions as, "Are those
transformations viable?" and "What are the costs and processes by which a
successful transformation program will be run?" The vision of this
initiative is to bring together financial institutions to investigate the
needs, processes, best practices, technology issues, risk factors,
organizational issues and lessons-learned for transformation projects which
move core business processes from legacy IT assets to open systems.  We will
provide additional details shortly.  If you are interested in joining an
interest group around this topic, please contact us.
__

5.  Minimum Essential Finance (MEF)

In its early stages, FSTC and its members are in dialog with numerous
government and industry organizations to explore interest in an initiative
to identify the minimum essential elements of our financial system, and to
develop a plan and process to ensure that it remains operational in the
event of a disruption to normal operations.  A workshop is currently being
planned for this fall for multiple public and private sector organizations
to develop this concept further.  If you are interested in joining this
dialog, please contact Zach Tumin at [EMAIL PROTECTED] .
__

##









To subscribe or unsubscribe from this elist use the subscription
manager: http://ls.fstc.org/subscriber

--- end forwarded text




AOL to Sell Secure ID Tags to Fight Hackers

2004-09-21 Thread R. A. Hettinga
http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=6284760

Reuters



AOL to Sell Secure ID Tags to Fight Hackers
 Mon Sep 20, 2004 06:18 PM ET

  NEW YORK (Reuters) - America Online will begin offering to sell members a
security device and service that has been used to safeguard business
computer networks, the world's largest Internet service provider said on
Monday.

 AOL, a unit of Time Warner Inc. (TWX.N), signed a deal with Internet
security company RSA Security Inc. (RSAS.O) to launch its new AOL PassCode,
designed to add an additional layer of protection to member accounts.

 PassCode users will be provided with a small handheld six-digit numeric
code key.

 To log onto an AOL account equipped with the service, users will have to
type in the six digits, which refresh on the device every 60 seconds, on
top of using the regular password.

The code-key device will cost $9.95. Monthly service costs range from $1.95
to $4.95.

 "AOL PassCode is like adding a deadbolt to your AOL account by
automatically creating a new secondary password every 60 seconds," said Ned
Brody, senior vice president of AOL Premium Services.

 Hackers coined the term phishing in 1996 to refer to the act of
swindling unsuspecting AOL customers into giving up their passwords through
phony e-mails or instant messages.


America Online To Launch Secure Password Service

2004-09-21 Thread R. A. Hettinga
http://online.wsj.com/article_print/0,,BT_CO_20040921_16,00.html

The Wall Street Journal


 September 21, 2004

 UPDATE: America Online To Launch Secure Password Service


DOW JONES NEWSWIRES
September 21, 2004


(Adds VeriSign announcement and comments from expert in paragraphs four
through nine, and additional comment in paragraphs 14-15.)
   By Riva Richmond
   Of DOW JONES NEWSWIRES

NEW YORK -- Password-generating devices long used by employees to securely
access corporate networks are finally coming to consumers.

Citing increased concerns among customers about rising identity theft
online, Time Warner Inc. (TWX) unit America Online said it will launch on
Tuesday a new, paid service that will allow members to log into their AOL
accounts using devices, or tokens, made by RSA Security Inc. (RSAS).

The gadgets, which can be put on a keychain, display six-digit passcodes
that change every 60 seconds and are synchronized with AOL's servers,
making it nearly impossible for fraudsters to access accounts with stolen
passwords.

Also on Tuesday, VeriSign Inc. (VRSN) plans to launch two token products
that would compete with RSA. But the company, acknowledging that its rival
has largely wrapped up the corporate market for remote employees' use,
plans to market its devices to companies, particularly banks, as something
business partners and customers could use to access corporate networks more
safely.

For instance, VeriSign is in negotiations with two financial-services firms
that are interested in providing tokens to partner firms and high net worth
clients. It has also worked with i-SAFE, a non-profit group that promotes
safe Internet use for children, in a pilot program to provide students
tokens that allow them to enter age-restricted chat rooms and access
college Web sites where they can securely take tests. They hope to get
government funding to take the project nationwide.

Both of VeriSign's tokens plug into computers' USB ports and use smartcard
technology, which can store multiple digital credentials. One of the tokens
also has a screen that displays a changing six-digit passcode.

The new interest in bringing so-called strong authentication to consumers
reflects the significantly more hostile Internet they now face. Consumers
have found themselves under assault from a wave of viruses, phishing
attacks and spyware programs designed to steal their personal financial
information for use in identity-theft fraud.

"We've seen the threats now changing to target individuals because they're
not as sophisticated as corporations," says Howard Schmidt, former White
House cybersecurity czar.

"The way to solve these (problems) in a fairly easy manner is by strong
authentication," he said. "Hacking can be reduced because people can't log
in as other people. Fraud goes down because you have the ability to do
instant validation. If people can't harvest user IDs and passwords,
phishing becomes irrelevant."

AOL, Dulles, Va., said its main goal is to better protect its members, who
use their accounts to make financial transactions and take care of other
sensitive business, from such blights. AOL has been providing the devices
to customers who called its agents expressing fears about the security of
their accounts, making these members part of the company's testing effort.

"The impetus here really has to do with the deluge of spammers, scammers,
con artists, phishers, hackers and other malcontents that are trying to
dupe consumers into giving up their passwords or the security of their
accounts," said AOL spokesman Nicholas J. Graham. "It's another virtual
deadbolt on the front door of their online experience."

AOL already provides its members with free anti-spyware technology,
parental controls, pop-up blocking and spam filtering. It also scans
incoming and outgoing e-mail for viruses for free, while offering a
premium full-blown antivirus service. Both services are provided by
McAfee Inc. (MFE).

For now, however, AOL's service won't allow single sign-on into other Web
sites, such as banks and e-commerce sites, where members do business.
Members who sign up for AOL's service, dubbed AOL PassCode, will be
prompted when logging into AOL to enter the number shown on the token along
with their screen name and normal password. AOL will charge subscribers
$9.95 for each device and a monthly service fee of $1.95 to $4.95,
depending on how many devices are associated with account screen names.

But Schmidt thinks AOL's move will add momentum behind a move to this sort
of federated identity, where one digital credential is recognized by
multiple companies' Web sites, particularly since Microsoft Corp. (MSFT) is
building support for RSA tokens into the next version of its Windows
operating system.

"That's the vision, and I think that's realistic sooner than later," he said.


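
A worked illustration of the mechanism both pieces above describe (a
six-digit code that changes every 60 seconds, checked by the server on top
of the regular password), added here and not taken from either article,
from AOL or from RSA. RSA SecurID's own algorithm is proprietary and not
described on this page; the example uses the open HOTP/TOTP construction
of RFC 4226 and RFC 6238 instead, with a 60-second step to match the
articles. The token seed, the timestamps and the one-step drift window are
constructed for the example.

```python
# Added example: a time-synchronized one-time-code check of the kind the
# articles describe. Open HOTP/TOTP (RFC 4226 / RFC 6238) with a 60-second
# step, not RSA SecurID's proprietary algorithm. Seed, times and window are
# constructed for the example.
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the articles describe a code that changes every 60 seconds
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """HOTP over the current time step: HMAC-SHA1(secret, T), dynamic
    truncation to 31 bits, reduced modulo 10^digits, zero-padded."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class PassCodeVerifier:
    """Server side for one token. Accepts the code of the current step and
    `window` steps either side (token clock drift), and never accepts a
    time step at or below one it has already consumed, so a code captured
    in transit cannot be replayed within its 60-second lifetime."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1   # highest time step already used for a login

    def verify(self, code: str, unix_time: int) -> bool:
        if len(code) != DIGITS or not (code.isascii() and code.isdigit()):
            return False
        now = unix_time // STEP_SECONDS
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue                      # already spent: replay
            expected = totp(self.secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.last_counter = counter
                return True
        return False


def login(password_ok: bool, verifier: PassCodeVerifier, code: str,
          unix_time: int) -> bool:
    """The token code is a second factor checked on top of the password;
    both must pass."""
    return password_ok and verifier.verify(code, unix_time)


if __name__ == "__main__":
    seed = b"12345678901234567890"          # constructed token seed
    t = 1_600_000_000                       # constructed login time
    v = PassCodeVerifier(seed)
    shown = totp(seed, t)
    print("token shows ", shown)
    print("first login ", login(True, v, shown, t))   # True
    print("replayed    ", login(True, v, shown, t))   # False
```

The server must refuse a code for a time step it has already accepted:
within its 60-second lifetime a code is otherwise a reusable password for
anyone who intercepts it, which is what `last_counter` enforces. Codes
from one step either side of the server clock are accepted to tolerate
token drift; the wider that window, the more the replay check matters.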

VeriSecure Systems, Inc. Demonstrates Check 21 Fraud Prevention

2004-09-20 Thread R. A. Hettinga
http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_viewnewsId=20040920005169newsLang=en



 September 20, 2004 09:00 AM US Eastern Timezone

VeriSecure Systems, Inc. Demonstrates Check 21 Fraud Prevention

  FORT LAUDERDALE, Fla.--(BUSINESS WIRE)--Sept. 20, 2004--VeriSecure
Systems(TM), Inc. announced that its Check Fraud Prevention System (CFPS)
was tested under the auspices of the Financial Services Technology
Consortium, whose members include the largest financial institutions in the
US, as well as community banks, check clearing exchanges and other
institutions. VeriSecure Systems technology was demonstrated to survive the
check truncation, imaging and exchange and to offer security value
throughout the process.


 In October of 2003, Congress passed legislation known as Check 21. This
legislation becomes effective October 2004 and enables the banking industry
to exchange bank check images in lieu of paper bank checks. Called
Controlling Fraud in a Truncated Check Environment, the purpose of the
project was to assess the survivability, performance and viability of
next-generation document security features in image based operations for
bank checks, by conducting real life simulated exchanges among ten
institutions.

 VeriSecure Systems employed its Check Fraud Prevention System (CFPS) for
the project, which is based on its US Patent #5,432,506 Counterfeit
Document Detection System. The technology uses cryptography to create a
unique code for each check. The security feature is applied as a standard
printed barcode symbol by the check issuer. VeriSecure's software,
developed in conjunction with Inlite Research, Inc., can provide a fully
automated solution to read and validate the codes from either the actual
paper documents or from the images of the documents. The software rapidly
verifies the authenticity of the information printed on the checks, and
identifies any alterations, thus preventing the most prevalent forms of
fraud.

 Tom Chapman, VeriSecure's founder and the inventor of the technology, said,
"This project has certainly helped to demonstrate how cryptography can
easily and conveniently be put to use to validate any type of physical
documents or their images. Along with fraud losses, this technology has the
potential to reduce operating expenses of financial institutions as well as
remittance processing for corporations."

 Gene Manheim, President of Inlite Research, explained that "Industry
standard barcodes serve as the robust foundation to secure check images,
and enable innovative technologies like CFPS to provide fraud prevention
across a huge range of images."

 Frank Jaffe, project manager for FSTC, said, "Based on the results of the
project, and given the magnitude of the risks of loss from check fraud,
FSTC believes that financial institutions and check issuers will be well
served by the adoption of these new document security features."

 About VeriSecure Systems

 The Company licenses its patented technology which is designed to verify
the authenticity of physical documents and/or captured images. It is
located in Plantation, Florida. (954) 401-8378
http://www.verisecuresystems.com

 About Inlite Research

 Since 1992, Inlite Research Inc. offers its Image Processing and Barcode
Recognition technologies to OEMs and solution providers in markets that
demand the utmost accuracy, productivity and quality in business processes.
It is located in Sunnyvale, California. (408) 737-7092
http://www.inliteresearch.com

 About The Financial Services Technology Consortium

 The Financial Services Technology Consortium (FSTC.ORG) is a consortium of
leading North American-based financial institutions, technology vendors,
independent research organizations, and government agencies. New York, NY.
(212) 461-7116 http://www.fstc.org
 Contacts
VeriSecure Systems, Inc., Plantation, Fla.
Tom Chapman, 954-401-8378

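
An added example of the kind of check-authentication code the release
describes: a cryptographic code over the check's fields, printed as a
barcode by the issuer, and verified from either the paper or its image. It
is not VeriSecure's patented method, whose construction the release does
not give. The use of HMAC-SHA256, the protected field set, the 96-bit tag,
the base32 barcode payload and the OCR normalisation rules are this
example's own choices, and it assumes the issuer's key is available to the
verifying institution (in a multi-bank exchange a public-key signature
would let any bank verify without sharing a key).

```python
# Added example: a cryptographic check-authentication code carried in a
# printed barcode, illustrating the approach described in the release. Not
# VeriSecure's patented method; the MAC, field set, tag length and
# normalisation rules are this example's choices. The issuer key is assumed
# to be shared with the verifying bank.
import base64
import hashlib
import hmac

# Fields the code commits to. Altering any of them, on paper or in the image,
# breaks the code. At verification they are read back from the MICR line and
# by OCR, then normalised the same way the issuer normalised them.
FIELDS = ("routing", "account", "check_no", "date", "payee", "amount_cents")
SEP = "\x1f"        # unit separator: never allowed inside a field value
TAG_BYTES = 12      # 96-bit tag keeps the barcode short (20 base32 symbols)
PREFIX = "CFP1"     # scheme/version marker so a reader knows how to verify


def canonical(check: dict) -> bytes:
    """Deterministic serialisation of the protected fields. Runs of
    whitespace are collapsed and letters upper-cased so that a value read by
    OCR from an image matches what the issuer printed; the separator cannot
    occur in a value, so field boundaries cannot be shifted."""
    parts = []
    for name in FIELDS:
        value = " ".join(str(check[name]).split()).upper()
        if SEP in value:
            raise ValueError(f"{name}: separator in value")
        parts.append(value)
    return SEP.join(parts).encode("utf-8")


def issue_code(check: dict, issuer_key: bytes) -> str:
    """Issuer side: MAC the canonical fields and emit the barcode payload."""
    tag = hmac.new(issuer_key, canonical(check), hashlib.sha256).digest()
    b32 = base64.b32encode(tag[:TAG_BYTES]).decode("ascii").rstrip("=")
    return f"{PREFIX}:{b32}"


def verify_code(check: dict, payload: str, issuer_key: bytes) -> bool:
    """Verifier side, identical for paper and image: recompute the code from
    the fields as read and compare in constant time. False for an altered
    field, a wrong key, or a payload that is not one of ours."""
    try:
        given = payload.encode("ascii")
    except UnicodeEncodeError:
        return False
    expected = issue_code(check, issuer_key).encode("ascii")
    return hmac.compare_digest(expected, given)


if __name__ == "__main__":
    key = b"constructed-issuer-key"                 # constructed, per issuer
    check = {"routing": "011000015", "account": "123456789",  # constructed
             "check_no": 1042, "date": "2004-09-20",
             "payee": "Acme Supply Co", "amount_cents": 125000}
    code = issue_code(check, key)
    print("barcode payload:", code)
    print("image read back:", verify_code(dict(check, payee=" acme supply co "), code, key))
    print("amount altered: ", verify_code(dict(check, amount_cents=1250000), code, key))
```

The code commits to the amount, payee and the other fields as printed, so
an altered amount or payee fails verification from the image exactly as it
would from the paper. What an image cannot carry is the paper's physical
security features, which is why the code has to be computed over the
printed data rather than over the document itself.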


Time for new hash standard

2004-09-19 Thread R. A. Hettinga
 security technologist. His latest book
is Beyond Fear: Thinking Sensibly About Security in an Uncertain World. He
can be reached at www.schneier.com. This article first appeared in his
monthly newsletter Crypto-Gram and is reproduced with permission. Copyright
rests with the author.




Symantec to acquire @Stake

2004-09-17 Thread R. A. Hettinga
http://www.siliconvalley.com/mld/siliconvalley/9682511.htm?template=contentModules/printstory.jsp

The San Jose Mercury News

Posted on Thu, Sep. 16, 2004

Symantec to acquire digital security company




CUPERTINO, Calif. (AP) - Symantec Corp. said Thursday it is acquiring
digital security consulting firm @stake Inc.

Financial details were not disclosed. The deal is expected to close next month.

Cupertino, Calif.-based Symantec is one of the world's biggest information
security companies, selling consulting services and software such as the
Norton AntiVirus program. The company does business with individuals and
corporations in more than 35 countries.

Cambridge, Mass.-based @stake sells consulting services and computer
programs to protect networks from hackers and other security risks.
Businesses that have purchased the company's SmartRisk and other products
include six of the world's top 10 financial institutions and four of the
world's 10 top independent software companies.

``Our customers are looking to us for a broad range of security
expertise,'' said Gail Hamilton, a Symantec executive vice president. ``By
joining forces with the leader in application security consulting, we
expand the capacity and capabilities of our consulting organization.''

Symantec shares rose 31 cents to close at $51.32 Thursday on the Nasdaq
Stock Market.

--

On the Net:

Symantec: http://www.symantec.com

@stake: http://www.atstake.com/






[Openswan dev] [Announce] Openswan 2.2.0 released

2004-09-17 Thread R. A. Hettinga

--- begin forwarded text


Date: Fri, 17 Sep 2004 17:48:25 +0200 (MET DST)
From: Paul Wouters [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [Openswan dev] [Announce] Openswan 2.2.0 released
List-Id: Openswan developer mailinglist dev.openswan.org
List-Archive: http://lists.openswan.org/pipermail/dev
List-Post: mailto:[EMAIL PROTECTED]
List-Help: mailto:[EMAIL PROTECTED]
List-Subscribe: http://lists.openswan.org/mailman/listinfo/dev,
mailto:[EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]


Xelerance is proud to release Openswan 2.2.0

It is available at the usual locations:

http://www.openswan.org/code/openswan-2.2.0.tar.gz
ftp://ftp.openswan.org/openswan/openswan-2.2.0.tar.gz

A separate NAT-traversal patch and separate KLIPS patch are available as well.

RPMS have been released for RedHat-9, Fedora Core 2 and 3-test1, RHEL3 and
Suse 9.1.  (RedHat-9 still requires KLIPS support in the kernel).

All released files have been signed with the [EMAIL PROTECTED] GPG key
available from the keyservers.

The following are the most important changes:

* Added RFC 3706 DPD support (see README.DPD)
* Added AES from JuanJo's ALG patches
* Fixes for /proc filesystem issues that started to appear in 2.4.25
* Merge X.509 1.5.4 + latest security fixes (CAN-2004-0590)
* Updated .spec for building RPMS compatible with Kernel 2.6
* Merge X.509 security fixes from 1.6.3
* Fixes for NAT-T on 2.6 pulled up from 2.1.x (Herbert Xu)
* Fixes for SA Selectors on 2.6 pulled up from 2.1.x (Herbert Xu)

Bugs can be reported via http://bugs.openswan.org/ or via one of the mailing
lists at http://lists.openswan.org/

Paul
___
Announce mailing list
[EMAIL PROTECTED]
http://lists.openswan.org/mailman/listinfo/announce
___
Dev mailing list
[EMAIL PROTECTED]
http://lists.openswan.org/mailman/listinfo/dev

--- end forwarded text


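
As an added illustration of the RFC 3706 dead peer detection the changelog
lists first (not Openswan's implementation; README.DPD in the release
documents that), a small model of both ends of the exchange: a peer that
has heard nothing from the other side for a while sends an R-U-THERE
notify carrying a sequence number, the other side answers R-U-THERE-ACK
with the same number, and a peer whose probes go unanswered a fixed number
of times is declared dead. The notify type values are the ones RFC 3706
assigns; the timers, the reuse of the sequence number on retransmission,
the tolerance of a repeated probe, and the event-driven interface are this
model's own assumptions.

```python
# Added example: a simplified model of RFC 3706 Dead Peer Detection. Not
# Openswan code. Notify types are the RFC 3706 values; timers, sequence
# number reuse on retransmission and the event interface are assumptions.
import secrets

R_U_THERE = 36136
R_U_THERE_ACK = 36137


class DpdEndpoint:
    """One side of an IKE SA. `delay` is how long the peer may stay silent
    before a probe is sent, `retry` the gap between retransmissions, and
    `max_retries` how many unanswered probes declare the peer dead."""

    def __init__(self, now: int = 0, delay: int = 30, retry: int = 5,
                 max_retries: int = 3):
        self.delay, self.retry, self.max_retries = delay, retry, max_retries
        self.last_rx = now                      # last proof of liveness
        self.seq = secrets.randbelow(1 << 31)   # random start, 32-bit counter
        self.outstanding = None                 # [seq, sent_at, attempts]
        self.peer_seq = None                    # highest R-U-THERE seq seen
        self.dead_at = None

    def on_traffic(self, now: int) -> None:
        """Any protected traffic from the peer proves it is alive."""
        self.last_rx = now
        self.outstanding = None

    def on_message(self, msg: tuple, now: int):
        """Handle an incoming DPD notify; returns a reply to send or None."""
        kind, seq = msg
        if kind == R_U_THERE:
            # A probe numbered below one already seen is a replay: ignored.
            # An equal number is a retransmission whose ACK was lost: ACKed
            # again (model assumption).
            if self.peer_seq is not None and seq < self.peer_seq:
                return None
            self.peer_seq = seq
            self.last_rx = now
            return (R_U_THERE_ACK, seq)         # ACK echoes the sequence number
        if kind == R_U_THERE_ACK:
            # Only the ACK for the probe currently outstanding counts, so an
            # unsolicited or recorded ACK cannot keep a dead SA alive.
            if self.outstanding is not None and seq == self.outstanding[0]:
                self.on_traffic(now)
        return None

    def tick(self, now: int):
        """Called every second; returns a probe to send or None."""
        if self.dead_at is not None:
            return None
        if self.outstanding is None:
            if now - self.last_rx < self.delay:
                return None                     # peer recently heard from
            self.seq = (self.seq + 1) & 0xFFFFFFFF
            self.outstanding = [self.seq, now, 1]
            return (R_U_THERE, self.seq)
        seq, sent_at, attempts = self.outstanding
        if now - sent_at < self.retry:
            return None
        if attempts >= self.max_retries:
            self.dead_at = now                  # tear down the SAs here
            self.outstanding = None
            return None
        self.outstanding = [seq, now, attempts + 1]
        return (R_U_THERE, seq)                 # retransmit, same number


def simulate(peer_dies_at=None, end: int = 120):
    """Peers A and B on a lossless link; B's host vanishes at `peer_dies_at`
    (sends nothing, answers nothing). Returns (A, B, log), where log holds
    (time, sender, notify type, seq) for every DPD message sent."""
    a, b, log = DpdEndpoint(), DpdEndpoint(), []
    for now in range(1, end + 1):
        b_alive = peer_dies_at is None or now < peer_dies_at
        for src, dst, name in ((a, b, "A"), (b, a, "B")):
            if src is b and not b_alive:
                continue
            msg = src.tick(now)
            if msg is None:
                continue
            log.append((now, name, msg[0], msg[1]))
            if dst is b and not b_alive:
                continue                        # probe falls into the void
            reply = dst.on_message(msg, now)
            if reply is not None:
                log.append((now, "B" if dst is b else "A", reply[0], reply[1]))
                src.on_message(reply, now)
    return a, b, log


if __name__ == "__main__":
    a, _, log = simulate(peer_dies_at=40)
    for entry in log:
        print(entry)
    print("A declared B dead at", a.dead_at)   # 75
```

Two checks carry the security of the mechanism: an ACK is accepted only
for the sequence number currently outstanding, so a recorded ACK cannot
keep a dead SA alive, and a probe numbered below one already seen is
dropped as a replay. With the timers above, `simulate(peer_dies_at=40)`
shows A probing at 60, retransmitting at 65 and 70, and giving up at 75.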


No Paper for Md. Anti-Touchscreen Voters

2004-09-14 Thread R. A. Hettinga
http://www.telegram.com/apps/pbcs.dll/article?Date=20040914Category=APAArtNo=409141037SectionCat=Template=printart

Article published Sep 14, 2004

No Paper for Md. Anti-Touchscreen Voters

By TOM STUCKEY
Associated Press Writer

 Maryland's highest court Tuesday rejected demands for additional
safeguards for touchscreen voting machines, saying elections officials have
done everything necessary to ensure the paperless devices are accurate and
secure.

The Court of Appeals also rejected a call to allow citizens who do not
trust touchscreen voting to use paper ballots in the Nov. 2 general
election.

The decision came in a two-paragraph order issued less than three hours
after the judges heard arguments on a suit brought by TrueVoteMD. The
citizens group alleges the electronic machines, used statewide for the
first time in March, are vulnerable to fraud and that the state cannot
guarantee fair and accurate election results.

Lead plaintiff Linda Schade said that although the decision was not a
surprise, it means voters are going to be forced to vote on an insecure
system.

Schade said the state delayed the suit so long that judges found
themselves challenged to find a remedy for this upcoming election that
could be implemented in time.

Linda Lamone, state election laws administrator, said outside the courtroom
that making significant changes in the voting system at this late date
would have created chaos on Election Day.

Asked about the security of the state's 16,000 Diebold AccuVote-TS
electronic machines, Lamone said, "I'm very confident they are accurate and
secure."

TrueVoteMD wants the state to equip all electronic machines with printers
that would make a copy of each vote, although it acknowledged in court that
it was too late to do that for the November election.

For the upcoming vote, the group had sought paper ballots for voters who
mistrust the computer voting system, as well as additional security
measures, such as installing Microsoft Windows software patches on the
computers used to tabulate votes.

The group contends paper records would ensure that votes were properly
recorded and could be used for recounts.

"We're basically playing Russian roulette," TrueVoteMD lawyer Ryan Phair
said as he listed potential problems with electronic machines. "We know
there is vulnerability. It is just a matter of time until it happens."

Assistant Attorney General Michael Berman said more than 20 successful
elections have been held in Maryland using the Diebold machines with no
evidence of fraud or allegations of inaccurate vote counts.

Phair mentioned allegations of glitches with computerized systems in other
states, but said it might be impossible to detect widespread fraud such as
rewriting of software to skew election results.

Phair said TrueVoteMD will continue its legal battle to force the state to
use printers on electronic machines in future elections.

Also Tuesday, a local election judge was ordered to return to the
Montgomery County elections board an electronic voting machine that U.S.
Sen. Barbara Mikulski, D-Md., had trouble using in a weekend demonstration.
The machine marked the wrong vote when Mikulski's hand brushed against the
screen, and it took her several attempts to correct the vote.

The election judge, Stan Boyd, had tests performed on the machine, but
would not elaborate on the tests or any findings.

Kevin Karpinski, an attorney for the county board, said any problems
testing might uncover could be misleading because the machine was only for
demonstration purposes and does not have updated software that will be used
in the November election.


On the Voting Machine Makers' Tab

2004-09-13 Thread R. A. Hettinga
http://www.nytimes.com/2004/09/12/opinion/12sun2.html?th=pagewanted=printposition=

The New York Times
September 12, 2004

On the Voting Machine Makers' Tab

As doubts have grown about the reliability of electronic voting, some of
its loudest defenders have been state and local election officials. Many of
those same officials have financial ties to voting machine companies. While
they may sincerely think that electronic voting machines are so trustworthy
that there is no need for a paper record of votes, their views have to be
regarded with suspicion until their conflicts are addressed.

Computer scientists, who understand the technology better than anyone else,
have been outspoken about the perils of electronic voting. Good government
groups, like Common Cause, are increasingly mobilizing grass-roots
opposition. And state governments in a growing number of states, including
California and Ohio, have pushed through much-needed laws that require
electronic voting machines to produce paper records.

 But these groups have faced intense opposition from election officials. At
a hearing this spring, officials from Georgia, California and Texas
dismissed concerns about electronic voting, and argued that
voter-verifiable paper trails, which voters can check to ensure their vote
was correctly recorded, are impractical. The Election Center, which does
election training and policy work, and whose board is dominated by state
and local election officials, says the real problem is "people who scare
voters and public officials with claims that the voting equipment and/or
its software can be manipulated to change the outcome of elections."

What election officials do not mention, however, are the close ties they
have to the voting machine industry. A disturbing number end up working for
voting machine companies. When Bill Jones left office as California's
secretary of state in 2003, he quickly became a consultant to Sequoia
Voting Systems. His assistant secretary of state took a full-time job
there. Former secretaries of state from Florida and Georgia have signed on
as lobbyists for Election Systems and Software and Diebold Election
Systems. The list goes on.

Even while in office, many election officials are happy to accept voting
machine companies' largess. The Election Center takes money from Diebold
and other machine companies, though it will not say how much. At the
center's national conference last month, the companies underwrote meals and
a dinner cruise.

 Forty-three percent of the budget of the National Association of
Secretaries of State comes from voting machine companies and other vendors,
and at its conference this summer in New Orleans, Accenture, which compiles
voter registration databases for states, sponsored a dinner at the Old
State Capitol in Baton Rouge.

 There are also reports of election officials being directly offered gifts.
Last year, the Columbus Dispatch reported that a voting machine company was
offering concert tickets and limousine rides while competing for a contract
worth as much as $100 million, if not more.

When electronic voting was first rolled out, election officials and voting
machine companies generally acted with little or no public participation.
But now the public is quite rightly insisting on greater transparency and
more say in the decisions. If election officials want credibility in this
national discussion, they must do more to demonstrate that their only
loyalty is to the voter.

Making Votes Count: Editorials in this series remain online at
nytimes.com/makingvotescount.




FSTC Issues Call for Participation for Two New Projects

2004-09-08 Thread R. A. Hettinga
)



To subscribe or unsubscribe from this elist use the subscription
manager: http://ls.fstc.org/subscriber

--- end forwarded text




Wireless security remains as main threat to mobility

2004-09-08 Thread R. A. Hettinga
http://www.ottawabusinessjournal.com/283824489528668.php

Ottawa Business Journal - News

Wireless security remains as main threat to mobility
By Ottawa Business Journal Staff
Mon, Sep 6, 2004 12:00 AM EST



 The wireless industry needs a lasting solution to one of its biggest
threats: outside intrusion.

 According to Victor Shevchenko, director of business development for the
Global Mobile Enterprise 2004 Conference, wireless security will be a main
discussion point at the conference, Sept. 14 to 16 at the Brookstreet Hotel.

 "Mainly, we're talking about the protection of electronic data transported
and received by Palm Pilots, mobile phones and computers connected through
wireless networks," said Mr. Shevchenko, who organized the conference with
Zora Arnautovic, director of the organizing committee.

 "The general trend is to get people mobile when they're offsite, but the
key challenges are: how can we ensure that the communication is secure,
that no data is compromised and that access to corporate networks through
secure wireless channels is safe?" said Mr. Shevchenko. "Protecting the
access and integrity of data being sent back and forth is the real
challenge."

 There is no universal standard acknowledged by the wireless industry as
the safest, he added. Virtual private networks (VPNs) are one way a company
can improve its wireless security, he said, adding new-generation
standards, such as WiMAX, are another.

 "One of the main purposes of our conference will be to determine what the
most promising (standard) is so the industry can move forward," he said.

 Mark Zimmerman, vice-president of sales at Toronto-based Nextair Corp.,
said there is no one-size-fits-all solution to the issue of standards.
Mr. Zimmerman will attend the conference with Nextair CEO Ron Close, who
will lead a discussion on wireless applications.

 "There have been a number of hiccups along the way when securing
information that's being delivered over the air (between two wireless
devices)," said Mr. Zimmerman, describing the early wireless fidelity
standards as "not very good from a security perspective."

 In the past, officials from the federal government's Communications
Security Establishment (CSE) warned that cellphones, for example, should
not be relied on for transmitting sensitive data.

 "(They) could very easily be compromised," said Richard MacLean, a CSE
communications security engineer, at a May conference on wireless security.

 In a bid to ensure the encryption capability of public sector cellphones
is up to date, the CSE is testing global system for mobile phones equipped
to handle top-secret voice data.

 "Now we're approaching a level where (wireless standards) are secure for
many applications, if not for all," said Mr. Zimmerman. The one thing not
talked about is securing wireless devices themselves, he added.

 "When you look at PDAs that leave a (company's) building, they often have
the corporate crown jewels on them. In most cases, we do have the
technology, but we need to spend more time educating the marketplace and
our customers about using that technology and building it into products,
rather than turning to security as an afterthought."

 Mr. MacLean's advice is to use approved cryptography solutions, strong
passwords that are changed often and anti-virus software on PDAs and PCs
that can be updated frequently.

 The threat of outside intrusion is very viable because of ample hardware
and software capable of compromising wireless connectivity, said Mr.
Shevchenko.

 Such equipment can have serious implications for corporate productivity,
revenue and data, he added.

 While BlackBerries and other handheld e-mail devices are widely used by
businesspeople, users should know that, without private keys that can
encrypt the data, sensitive information can easily be poached, said Mr.
MacLean.

 The medical and financial fields have led by example when it comes to
wireless security, said Mr. Zimmerman, mostly because it's critical
security failures are avoided in these fields.

 Currently, new medical standards are being worked on to ensure there is no
electromagnetic interference with other pieces of medical equipment.

 In the transport industry, wireless security has become paramount, as
airports adopt wireless baggage handling systems.

 To protect its wireless system, Toronto's Pearson International Airport,
for example, uses additional software that encrypts and protects all
baggage-related transmissions to ensure no one from the outside can
manipulate the information in any way, according to Gary Long, general
manager of information technology at the Greater Toronto Airport Authority.

 The transport industry will be the subject of a wireless case study at the
conference, said Mr. Shevchenko.

 "We want to see where this is going and how it can be ensured. In all
honesty, I'm as eager as anyone to get some answers to some of these
questions."




PGP Identity Management: Secure Authentication and Authorization over the Internet

2004-09-06 Thread R. A. Hettinga
Now that applications have shifted to the Internet, the use of secret
passwords is not scalable or secure enough. Instead, there are ways to
implement federated identity management using strong cryptography and same
PGP key infrastructure that is widely deployed on the Internet today.

 - Vinnie Moscaritolo, PGP Cryptographic Engineer





Spam Spotlight on Reputation

2004-09-06 Thread R. A. Hettinga
http://www.eweek.com/print_article/0,1761,a=134748,00.asp

EWeek

Spam Spotlight on Reputation

September 6, 2004
By Dennis Callaghan



As enterprises continue to register Sender Protection Framework records,
hoping to thwart spam and phishing attacks, spammers are upping the ante in
the war on spam and registering their own SPF records.

E-mail security company MX Logic Inc. will report this week that 10 percent
of all spam includes such SPF records, which are used to authenticate IP
addresses of e-mail senders and stop spammers from forging return e-mail
addresses. As a result, enterprises will need to increase their reliance on
a form of white-listing called reputation analysis as a chief method of
blocking spam.

E-mail security appliance developer CipherTrust Inc., of Alpharetta, Ga.,
also last week released a study indicating that spammers are supporting SPF
faster than legitimate e-mail senders, with 38 percent more spam messages
registering SPF records than legitimate e-mail.

The embrace of SPF by spammers means enterprises' adoption of the framework
alone will not stop spam, which developers of the framework have long
maintained.

Enter reputation analysis. With the technology, authenticated spammers
whose messages get through content filters would have reputation scores
assigned to them based on the messages they send. Only senders with
established reputations would be allowed to send mail to a user's in-box.
Many anti-spam software developers already provide such automated
reputation analysis services. MX Logic announced last week support for such
services.

"There's no question SPF is being deployed by spammers," said Dave
Anderson, CEO of messaging technology developer Sendmail Inc., in
Emeryville, Calif.

"Companies have to stop making decisions about what to filter out and start
making decisions about what to filter in based on who sent it," Anderson
said.

The success of reputation lists in organizations will ultimately depend on
end users' reporting senders as spammers, Anderson said. "In the system
we're building, the end user has the ultimate control," he said.

Scott Chasin, chief technology officer of MX Logic, cautioned that
authentication combined with reputation analysis services still won't be
enough to stop spam. Chasin said anti-spam software vendors need to work
together to form a reputation clearinghouse of good sending IP addresses,
including those that have paid to be accredited as such.

"There is no central clearinghouse at this point to pull all the data that
anti-spam vendors have together," said Chasin in Denver. "We're moving
toward this central clearinghouse but have to get through authentication
first."

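The article's point, that a spammer's own SPF record authenticates just as well as a bank's and only a reputation lookup keyed on the authenticated sender separates them, as an added example that is not code from eWeek or from any vendor named above. The domains, records, IP ranges and reputation scores are constructed, and the evaluator implements only the `ip4` and `all` mechanisms of SPF.

```python
import ipaddress

# Constructed SPF records for two constructed domains (not real DNS data):
# a legitimate sender and a spammer who, as the article describes, has
# published a valid record of its own.
SPF_RECORDS = {
    "example-bank.test": "v=spf1 ip4:192.0.2.0/24 -all",
    "spam-sender.test": "v=spf1 ip4:198.51.100.0/24 -all",
}

# Constructed reputation table keyed by sending network. In practice the
# scores would come from user reports or paid accreditation, as the
# article says; the values here are illustrative.
REPUTATION = {
    "192.0.2.0/24": 0.95,
    "198.51.100.0/24": 0.05,
}
REPUTATION_THRESHOLD = 0.5

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip):
    """Minimal SPF evaluation: only 'v=spf1', 'ip4:' and 'all' are handled."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return RESULT_FOR_QUALIFIER[qualifier]
        elif term == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
        # other mechanisms (a, mx, include, ...) are not implemented here
    return "neutral"


def reputation_score(sender_ip):
    """Score for the sending network; unknown senders have no reputation."""
    ip = ipaddress.ip_address(sender_ip)
    for cidr, score in REPUTATION.items():
        if ip in ipaddress.ip_network(cidr):
            return score
    return 0.0


def filter_decision(domain, sender_ip):
    """Combine SPF with reputation.

    SPF only says whether the claimed domain authorized the sending IP; a
    spammer's own record passes exactly like a bank's. The reputation
    lookup, keyed by the now-authenticated sender, decides acceptance.
    Returns (verdict, spf_result, reputation_or_None).
    """
    spf = spf_check(domain, sender_ip)
    if spf in ("fail", "permerror"):
        return ("reject", spf, None)
    if spf != "pass":
        # Not authenticated: reputation cannot be tied to a forgeable identity.
        return ("quarantine", spf, None)
    score = reputation_score(sender_ip)
    verdict = "accept" if score >= REPUTATION_THRESHOLD else "quarantine"
    return (verdict, spf, score)


if __name__ == "__main__":
    for dom, ip in (("example-bank.test", "192.0.2.10"),
                    ("spam-sender.test", "198.51.100.7"),
                    ("example-bank.test", "203.0.113.5")):
        print(dom, ip, filter_decision(dom, ip))
```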


First quantum crypto bank transfer

2004-08-21 Thread R. A. Hettinga

--- begin forwarded text


From: Andrew Thomas [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: First quantum crypto bank transfer
Date: Fri, 20 Aug 2004 09:05:58 +0200
Sender: [EMAIL PROTECTED]

  Cryptography system goes underground (Aug 19)
  http://physicsweb.org/article/news/8/8/13
   A group of scientists in Austria and Germany has installed an optical
   fibre quantum cryptography system under the streets of Vienna and used
   it to perform the first quantum secure bank wire transfer (A Poppe et
   al. 2004 Optics Express 12 3865). The quantum cryptography system
   consisted of a transmitter (Alice) at Vienna's City Hall and a receiver
   (Bob) at the headquarters of an Austrian bank. The sites were linked by
   1.45 kilometres of single-mode optical fibre.

-- 
Andrew G. Thomas

--- end forwarded text




Data watchdog slams ID card plans

2004-08-17 Thread R. A. Hettinga
http://www.theregister.co.uk/2004/08/16/id_card_surveillance_fears/print.html

The Register



Data watchdog slams ID card plans
By John Leyden (john.leyden at theregister.co.uk)
Published Monday 16th August 2004 14:05 GMT

Britain is at risk of sleepwalking into a surveillance society because of
David Blunkett's identity card scheme and other UK government plans,
according to the UK's Information Commissioner.

Richard Thomas also cited plans for a population register by the Office for
National Statistics and a database on children, in warning of a slide
towards a Big Brother-style system of ubiquitous surveillance in the UK.
Thomas predicted Britain risks moving towards an East German Stasi-style
snooping culture if current plans are followed through.

Thomas's comments came in an interview
(http://www.timesonline.co.uk/article/0,,2-1218615_2,00.html) with The
Times published today. He said: "My anxiety is that we don't sleepwalk into
a surveillance society where much more information is collected about
people, accessible to far more people shared across many more boundaries
than British society would feel comfortable with."

The Information Commissioner is not opposed to ID cards on principle. But
he is concerned about what he sees as the Home Office's failure to clearly
define a purpose for ID cards, the amount of information that would be held
on any card and who might be able to access this information. Clamping down
on benefit fraud, controlling illegal immigration and preventing terrorism
have each been cited by the Home Office at one time or another as the main
reason why Britain needs ID cards.

The government's proposed ID card scheme will involve the establishment of a
national register of citizens' personal details, widely accessible to
government departments. This approach gives the UK's Information watchdog
the fear.

In response to the Home Office's consultation on identity cards, Thomas
concludes: "Whilst I am not fundamentally opposed to the introduction of ID
cards I do have significant concerns about the current proposals. The
privacy implications of an extensive national identity register are, in
many ways, of far greater concern for individuals. This aspect needs more
of a public debate."


Cardholders clueless on chip and pin

2004-08-16 Thread R. A. Hettinga
http://www.theregister.co.uk/2004/08/13/clueless_chip_and_pin/print.html

The Register



Cardholders clueless on chip and pin
By Startups.co.uk (press.releases at theregister.co.uk)
Published Friday 13th August 2004 08:46 GMT

Retailers will be bracing themselves for what could be a chaotic festive
season following the news that more than half of British cardholders know
little or nothing about the new chip and pin card system.

Up to 120 million new chip and pin cards will be winging their way to
Christmas shoppers in time for the 1 January 2005 deadline, when retailers
will be required to introduce the new system.

The new cards are designed to combat fraud by replacing magnetic strips
with information stored on a microchip which customers must verify by
keying in a four digit pin number.

IT consultancy and fraud specialist Detica, which commissioned the research,
said that it had come across incidents where retailers had refused to serve
customers failing to remember their pin or even refusing to use it in the
first place.

According to David Porter, Head of Fraud & Security at Detica, a lot needs
to be done between now and December. He said: "Retailers need to act
quickly to help their customers. Nearly three-quarters of the public are
confident chip and pin will reduce theft and fraud once it's explained to
them, but retailers can't afford to begin educating everyone individually
at the busiest time of the shopping year. They need to begin a prominent
education system in stores now. With 117 shopping days to Christmas, the
clock is ticking."

With the number of pin numbers to remember set to increase, analysts are
also worried that cardholders may change all their pins to one number or
share their pins, a danger that could adversely increase the likelihood of
fraud.

At present among those who have more than one pin or security code to
remember, almost half pin-share for two or more things requiring a code.

With one in three people affected by card fraud and a cost to the UK of
£425m in 2002, Detica are still confident that the new system will
significantly reduce card crime.

However there are those who remain cautious about the immediate impact of
chip and pin. A chip and pin spokeswoman said of Detica's findings: "This
contradicts all the research we have done. Transaction times are reduced
with chip and pin, not necessarily in the first instance, but beyond that
it is faster to use a pin than a signature."

Copyright © 2004, (http://www.startups.co.uk/)




Wrong Time for an E-Vote Glitch

2004-08-16 Thread R. A. Hettinga
 not to push the bill forward during this legislative session, which
ends Aug. 31. This means legislators will have to reintroduce a new bill
next January when they reconvene.

 The bill (PDF), introduced by Johnson and state Senator Don Perata
(D-Oakland), had bipartisan support and the backing of Secretary of State
Kevin Shelley.

 "I'm a little mystified why the committee has stalled the bill," Swatt
said. "E-voting machines, like them or not, are here to stay in California.
It is clear that if we are going to be living with e-voting machines the
only way to protect voters and to ensure that their votes are counted
accurately is to have a paper trail."

 Swatt said she hoped the public would pressure the legislature to push the
bill forward before the session ends.



Websites, Passwords, and Consumers (Re: CRYPTO-GRAM, August 15, 2004)

2004-08-15 Thread R. A. Hettinga
/
http://www.internetweek.com/e-business/showArticle.jhtml?articleID=2210
0149 or http://tinyurl.com/54b4g

The Trojan:
http://news.com.com/Pop-up+program+reads+keystrokes%2C+steals+passwords
/2100-7349_3-5251981.html or http://tinyurl.com/yqeoe
http://www.pcworld.com/news/article/0%2Caid%2C116761%2C00.asp

A shorter version of this essay originally appeared in IEEE Security
and Privacy:
http://csdl.computer.org/comp/mags/sp/2004/04/j4088abs.htm



RPOW - Reusable Proofs of Work

2004-08-15 Thread R. A. Hettinga

--- begin forwarded text


To: [EMAIL PROTECTED]
Subject: RPOW - Reusable Proofs of Work
Date: Sun, 15 Aug 2004 10:43:09 -0700 (PDT)
From: [EMAIL PROTECTED] (Hal Finney)
Sender: [EMAIL PROTECTED]

I'd like to invite members of this list to try out my new
hashcash-based server, rpow.net.

This system receives hashcash as a Proof of Work (POW) token, and in
exchange creates RSA-signed tokens which I call Reusable Proof of Work
(RPOW) tokens.  RPOWs can then be transferred from person to person and
exchanged for new RPOWs at each step.  Each RPOW or POW token can only
be used once but since it gives birth to a new one, it is as though the
same token can be handed from person to person.

Because RPOWs are only created from equal-value POWs or RPOWs, they are
as rare and valuable as the hashcash that was used to create them.
But they are reusable, unlike hashcash.

The new concept in the server is the security model.  The RPOW server
is running on a high-security processor card, the IBM 4758 Secure
Cryptographic Coprocessor, validated to FIPS-140 level 4.  This card
has the capability to deliver a signed attestation of the software
configuration on the board, which any (sufficiently motivated) user
can verify against the published source code of the system.  This lets
everyone see that the system has no back doors and will only create RPOW
tokens when supplied with POW/RPOW tokens of equal value.

This is what creates trust in RPOWs as actually embodying their claimed
values, the knowledge that they were in fact created based on an equal
value POW (hashcash) token.

I have a lot more information about the system at rpow.net, along with
downloadable source code.  There is also a crude web interface which
lets you exchange POWs for RPOWs without downloading the client.

This system is in early beta right now so I'd appreciate any feedback
if anyone has a chance to try it out.  Please keep in mind that if there
are problems I may need to reload the server code, which will invalidate
any RPOW tokens which people have previously created.  So don't go too
crazy hoarding up RPOWs quite yet.

Thanks very much -

Hal Finney

--- end forwarded text


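The exchange described above, as an added example that is not Hal Finney's code or the rpow.net implementation: a client mints a hashcash-style stamp, the server checks the stamp's difficulty and its double-spend database, and returns a token of equal value that can itself be exchanged exactly once. The real server's RSA signature is replaced by an HMAC under a server-held key, the 4758 attestation is not modelled, and the resource name and stamp layout are constructed.

```python
import hashlib
import hmac
import os
import time


def leading_zero_bits(data: bytes) -> int:
    """Number of leading zero bits in SHA-1(data), the hashcash measure of work."""
    n = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return 160 - n.bit_length()


def mint_hashcash(bits: int, resource: str, rand: str = "") -> str:
    """Client side: brute-force a stamp whose hash has `bits` leading zeros.
    The field layout follows hashcash v1 (ver:bits:date:resource:ext:rand:counter)
    but this minter is an illustration, not the hashcash tool."""
    rand = rand or os.urandom(8).hex()
    date = time.strftime("%y%m%d")
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        if leading_zero_bits(stamp.encode()) >= bits:
            return stamp
        counter += 1


class RpowServer:
    """Accepts one POW or RPOW token and issues one RPOW of equal value.

    The real server signs with an RSA key held inside the IBM 4758; here the
    signature is an HMAC under a key known only to the server (a stand-in
    for this example). Every token is accepted exactly once, which is what
    makes the chain of RPOWs behave like a single token handed along.
    """

    def __init__(self, resource: str):
        self.resource = resource          # must not contain ':'
        self.key = os.urandom(32)
        self.spent = set()                # double-spend database
        self.serial = 0

    def _sign(self, body: str) -> str:
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def _issue(self, bits: int) -> str:
        self.serial += 1
        body = f"rpow:{bits}:{self.serial}"
        return body + ":" + self._sign(body)

    def _value_of_pow(self, stamp: str) -> int:
        """Validate a hashcash stamp for our resource and return its bit value."""
        fields = stamp.split(":")
        if len(fields) != 7 or fields[0] != "1" or fields[3] != self.resource:
            raise ValueError("malformed stamp or wrong resource")
        claimed = int(fields[1])
        if leading_zero_bits(stamp.encode()) < claimed:
            raise ValueError("stamp does not meet its claimed difficulty")
        return claimed

    def _value_of_rpow(self, token: str) -> int:
        """Check our own signature and return the token's bit value."""
        body, _, sig = token.rpartition(":")
        if not hmac.compare_digest(sig, self._sign(body)):
            raise ValueError("bad RPOW signature")
        return int(body.split(":")[1])

    def exchange(self, token: str) -> str:
        """Swap a POW or RPOW for a fresh RPOW of the same value; the input is spent."""
        if token in self.spent:
            raise ValueError("token already spent")
        if token.startswith("rpow:"):
            bits = self._value_of_rpow(token)
        else:
            bits = self._value_of_pow(token)
        self.spent.add(token)
        return self._issue(bits)


if __name__ == "__main__":
    server = RpowServer("rpow.example")
    pow_token = mint_hashcash(12, "rpow.example")
    rpow1 = server.exchange(pow_token)      # hashcash -> RPOW
    rpow2 = server.exchange(rpow1)          # hand the RPOW on: rpow1 is now spent
    print(rpow1, rpow2, sep="\n")
```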


Cyber Fears On Fed's Web Plan

2004-08-15 Thread R. A. Hettinga
http://www.nypost.com/business/18671.htm

The New York Post


  CYBER FEARS ON FED'S WEB PLAN
  By HILARY KRAMER




August 15, 2004 --  With little fanfare, the Federal Reserve will begin
transferring the nation's money supply over an Internet-based system this
month - a move critics say could open the U.S.'s banking system to cyber
threats.

 The Fed moves about $1.8 trillion a day on a closed, stand-alone computer
network. But soon it will switch to a system called FedLine Advantage, a
Web-based technology.

 Proponents say the system is more efficient and flexible. The current
system is outdated, using DOS - Microsoft's predecessor to the Windows
operating system.

 But security experts say the threat of outside access is too big a risk.

 "The Fed is now going to be vulnerable in two distinct ways. A hacker
could break in to the Fed's network and have full access to the system, or
a hacker might not have complete access but enough to cause a denial or
disruptions of service," said George Kurtz, co-author of Hacking Exposed
and CEO of Foundstone, an Internet security company.

 "If a security breach strikes the very heart of the financial world and
money stops moving around, then our financial system will literally start
to collapse and chaos will ensue."

 FedLine is expected to move massive amounts of money. Currently, Fedwire
transfers large-dollar payments averaging $3.5 million per transaction
among Federal Reserve offices, financial institutions and federal
government agencies.


 Patti Lorenzen, a spokeswoman for the Federal Reserve, said the agency is
taking every precaution.

 "Of course, we will not discuss the specifics of our security measures for
obvious reasons," she said. "We feel confident that this system adheres to
the highest standards of security. Without disclosing the specifics, it is
important to note that our security controls include authentication,
encryption, firewalls, intrusion detection and Federal Reserve conducted
reviews."

 Ron Gula, president of Tenable Network Security and a specialist in
government cyber security, said he's sure the Fed is taking every
precaution. But no system is 100 percent foolproof.

 "If the motive was to manipulate the money transferring, there are Tom
Clancy scenarios where there are ways to subvert underlying technologies,"
Gula said. "For example, a malicious programmer can put something in the
Fed's network to cause the system to self-destruct or to wire them money.

 "The biggest concern isn't the 13-year-old who hacks into the Fedwire and
sends himself some money - it's terrorism."

 On July 22, the Department of Homeland Security released an internal
report saying a cyber attack could result in widespread disruption of
essential services ... damag(ing) our economy and put(ting) public safety
at risk.

 But the Fed's undertaking of this massive overhaul is considered a necessity.

 "Our strategy is to move to Web-based technology because there are
inherent limitations with DOS based technology and our goal is to provide
better and robust product offerings to meet our customers' needs," said
Laura Hughes, vice president of national marketing at the Chicago Fed,
which has spearheaded this program.






The New Digital Media: You Might Have It, But Not Really Own It

2004-08-15 Thread R. A. Hettinga
, for instance, be able to make a copy of the Toy
Story 4 DVD for your laptop -- but not do the same thing with Charlie's
Angels 5.

Those variations will likely require some form of labeling on DVDs so
consumers will know what they're getting, according to companies involved
in planning them.

Alan Davidson, associate director of the civil liberties group Center for
Democracy and Technology, says he isn't opposed to DRM, but worries
consumers may not understand what rights come with content they purchase.
DRM underscores the point that consumers are going to have to become a lot
more sophisticated about what they're buying, he says.



Cryptome on ABC Evening News?

2004-08-13 Thread R. A. Hettinga
There's a teaser for tonight's 6:30 news about a website that publishes
pipeline maps and the names and addresses of government employees. The
horror.

:-)

Cheers,
RAH



Hydan: Information Hiding in Program Binaries

2004-08-13 Thread R. A. Hettinga
http://crazyboy.com/hydan/




Hydan [hI-dn]:

Old English, to hide or conceal.


Intro:

Hydan steganographically conceals a message into an
application. It exploits redundancy in the i386 instruction
set by defining sets of functionally equivalent instructions.
It then encodes information in machine code by using the
appropriate instructions from each set.

Features:

- Application filesize remains unchanged
- Message is blowfish encrypted with a user-supplied
  passphrase before being embedded
- Encoding rate: 1/110

Primary uses for Hydan:

- Covert Communication: embedding data into binaries
  creates a covert channel that can be used to
  exchange secret messages.

- Signing: a program's cryptographic signature can
  be embedded into itself. The recipient of the
  binary can then verify that it has not been
  tampered with (virus or trojan), and is really
  from who it claims to be from. This check can be
  built into the OS for user transparency.

- Watermarking: a watermark can be embedded to
  uniquely identify binaries for copyright purposes,
  or as part of a DRM scheme. Note: this usage is not
  recommended as Hydan implements fragile watermarks.

If you think of anything else, do let me know :)


Platforms Supported:

- {Net, Free}BSD i386 ELF
- Linux i386 ELF
- Windows XP PE/COFF


Download:

Version 0.13


News:

Update: I've  finally updated the hydan code, after a long time off.
The encoding rate has been improved to 1/110 (thanks to a tip from
sandeep!), and the code is now much cleaner too. In the mean time,
hydan has been presented at:

CansecWest 04
BlackHat Vegas 04
DefCon 04

A paper is to be published soon as well:
Hydan:  Hiding Information in Program Binaries
Rakan El-Khalil and Angelos D. Keromytis.

Which is to appear in the proceedings of the 6th International
Conference on Information and Communications Security (ICICS),
Malaga, Spain. To be published in Springer Verlag's LNCS.

Hydan was initially presented at CodeCon on 02/23/2003.

The following is a list of articles online from that presentation:

- The Register: Hydan Seek
  (same article at BusinessWeek, and SecurityFocus)
- Slashdot: Program Hides Secret Messages in Executables
  (could it be? crazyboy survived slashdotting?)
- Punto-Informatico: Un tool cela segreti nei programmi
  (intl coverage! been getting a lot of hits from them)
- Bruce Schneier's Crypto-Gram: March 15, 2003 Issue
  (and not in the snake-oil section either ;)


Like my Work?

Buy me books!


Contact:

Rakan El-Khalil rfe3 at columbia dot edu

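The encoding principle the intro describes, as an added illustration that is not Hydan's own code and does not rewrite real binaries: instructions are symbolic tuples, each equivalence set holds two same-length x86 forms, and the index of the form actually present carries one bit. The sample program and message are constructed, the Blowfish layer is omitted, and the same-length check (which excludes an immediate of -128) is what keeps the file size unchanged; a crude detection heuristic is included for the analyst's side.

```python
from typing import List, Optional, Tuple

# An instruction is (mnemonic, destination register, source operand); the
# source is an int immediate or a register name. Constructed for this example.
Instr = Tuple[str, str, object]


def equivalents(ins: Instr) -> Optional[List[Instr]]:
    """Ordered set of same-length equivalent forms for `ins`, or None if the
    instruction cannot carry a bit. Index 0 is the natural form (positive
    immediate, or xor-zeroing); the index of the form present is the bit."""
    op, dst, src = ins
    # add r, imm8  <->  sub r, -imm8 : both are 3 bytes (83 /0 ib vs 83 /5 ib).
    # An immediate of -128 is excluded because +128 does not fit in imm8, so
    # the alternative form would be longer and change the file size.
    if op in ("add", "sub") and isinstance(src, int):
        k = src if op == "add" else -src      # the value actually added
        if k == 0 or not -127 <= k <= 127:
            return None
        natural = ("add", dst, k) if k > 0 else ("sub", dst, -k)
        negated = ("sub", dst, -k) if k > 0 else ("add", dst, k)
        return [natural, negated]
    # xor r, r  <->  sub r, r : both zero the register in 2 bytes.
    if op in ("xor", "sub") and src == dst:
        return [("xor", dst, dst), ("sub", dst, dst)]
    return None


def to_bits(data: bytes) -> List[int]:
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def from_bits(bits: List[int]) -> bytes:
    whole = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, whole, 8))


def capacity_bits(program: List[Instr]) -> int:
    """Bits this code can hold: one per instruction that has an equivalent form."""
    return sum(1 for ins in program if equivalents(ins) is not None)


def embed(program: List[Instr], message: bytes) -> List[Instr]:
    """Rewrite the program so it carries a one-byte length followed by `message`."""
    if len(message) > 255:
        raise ValueError("message too long for a one-byte length prefix")
    if 8 + 8 * len(message) > capacity_bits(program):
        raise ValueError("message does not fit in this program")
    bits = iter(to_bits(bytes([len(message)]) + message))
    out = []
    for ins in program:
        forms = equivalents(ins)
        bit = next(bits, None) if forms is not None else None
        out.append(ins if bit is None else forms[bit])   # unused carriers stay as they are
    return out


def extract(program: List[Instr]) -> bytes:
    """Read the bits back by noting which form of each carrier instruction is present."""
    bits = []
    for ins in program:
        forms = equivalents(ins)
        if forms is not None:
            bits.append(forms.index(ins))
    length = from_bits(bits[:8])[0] if len(bits) >= 8 else 0
    return from_bits(bits[8:8 + 8 * length])


def alternate_form_ratio(program: List[Instr]) -> float:
    """Crude detection heuristic: fraction of carrier instructions in the
    negated form ('add r, -5', 'sub r, -5') or 'sub r, r' zeroing, which
    compilers emit rarely; a high ratio hints that the code was rewritten."""
    present = [equivalents(ins).index(ins) for ins in program if equivalents(ins) is not None]
    return sum(present) / len(present) if present else 0.0


# Constructed sample "program": 64 instructions, 32 of which can carry a bit.
SAMPLE_PROGRAM: List[Instr] = []
for i in range(16):
    SAMPLE_PROGRAM += [("mov", "eax", i), ("add", "eax", i + 1),
                       ("xor", "ecx", "ecx"), ("push", "eax", None)]


if __name__ == "__main__":
    stego = embed(SAMPLE_PROGRAM, b"hi")
    print("capacity:", capacity_bits(SAMPLE_PROGRAM), "bits")
    print("recovered:", extract(stego))
    print("alternate-form ratio before/after:",
          alternate_form_ratio(SAMPLE_PROGRAM), alternate_form_ratio(stego))
```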


Re: Cryptome on ABC Evening News?

2004-08-13 Thread R. A. Hettinga

--- begin forwarded text


Date: Thu, 12 Aug 2004 20:41:05 -0700
To: [EMAIL PROTECTED]
From: John Young [EMAIL PROTECTED]
Subject: Re: Cryptome on ABC Evening News?
Sender: [EMAIL PROTECTED]

There's a text version of the report on abcnews.com and a video
is available to subscribers.

To keep the nation secure the web site is not named. Google
search appears to do it based on hate mail coming in.

--- end forwarded text




Too Much Information?

2004-08-13 Thread R. A. Hettinga
http://abcnews.go.com/sections/WNT/US/internet_sensitive_info_040812.html
 

Too Much Information?
Web Site Raises Questions About Public Access to Sensitive Government Info
By Jake Tapper
ABCNEWS.com

Aug. 12, 2004- John Young, a 69-year-old architect, was contacted a few
weeks ago by Department of Homeland Security officials, who expressed
concern about what he was posting on his Web site.

Officials questioned Young about information he had posted about the 2004
Democratic National Convention, including satellite photos of the
convention site and the location of specific police barricades referred to
on the site as "a complete joke."

 In response to a complaint, two special agents from the FBI's
counterterrorism office in New York City interviewed Young in November 2003.

 "They said, 'Why didn't you call us about this? Why are you telling the
public?' And we said, 'Because it's out there and you can see it. You folks
weren't doing anything,'" Young told ABC News.

 The agents, according to Young, stressed they knew that nothing on the
site was illegal. Young added: "They said, 'What we'd like you to do, if
you're approached by anyone that you think intends to harm the United
States, we're asking you to let us know that.'"

 "I know there are a lot of people in the government who find him
troublesome," said former White House terrorism adviser Richard Clarke, now
an ABC News consultant. "There is a real tension here between the public's
right to know and civil liberties, on the one hand, and security on the
other."

 But Young argues his actions enhance national security, since he points
out to the public vulnerabilities the government does not want to
acknowledge.

 Like others who run similar Web sites, Young does so by using information
from the public domain, such as:

 * Photographs of preparations for the upcoming Republican National
Convention at New York City's Madison Square Garden

 * Detailed maps of bridges and tunnels leading in and out of Manhattan

 * Maps of New York City's single natural gas pipeline

 * The location of an underground nuclear weapons storage complex in New Mexico

 Enabling the Enemy?

 "I think it's very, very bad for the country to have anyone putting
together information that makes it easier for anyone that wants to injure
Americans to do so," said Rep. Chris Cox, R-Calif., chair of the House
Homeland Security Committee.

 Law enforcement officials were particularly upset that Young posted the
satellite photos and addresses for the homes of top Bush administration
officials.

 "We think public officials should be totally transparent. There should be
no secrecy," said Young. "We are opposed to government secrecy in all of
its forms."

 Officials call that argument outrageous and argue some secrecy is necessary.

 "The Department of Homeland Security has taken aggressive measures to
protect critical infrastructure across the country," said a Department of
Homeland Security spokeswoman. "We discourage Web posting of detailed
information about critical infrastructure. This information is not helpful
to our ongoing efforts to protect the American people and our nation's
infrastructure."

 When asked how he would respond to those who consider his Web site
unpatriotic since it could provide useful information for those who seek to
harm the United States, Young said, "If this is not done, more Americans
are going to die. More harm is going to come to the United States. It is
more patriotic to get information out than to withhold it."

 Officials acknowledge there is not much they can do; Young has not broken
any laws.



ONLamp.com: Anonymous, Open Source P2P with MUTE

2004-08-13 Thread R. A. Hettinga
start their own project, add the features, and release their own version of
MUTE. My contribution is anonymous file-sharing.

HW: Do you need volunteers? What skills and contributions do you need the most?

JR: I have been looking for people who have an idea for a feature that can
be added to MUTE in a modular fashion, with a clean API separating it from
the rest of the MUTE code.

HW: What advice do you have for those who might want to modify the MUTE source?

JR: MUTE is a layered architecture. The bottom layer is a secure socket
implementation that is used to encrypt the contents of neighbor
connections. Above that is the MUTE routing layer, which features a very
clean API for controlling a MUTE node and sending or receiving messages
through it. The file-sharing layer is built on top of the routing API, and
it has a clean API of its own, which supports various file-sharing
operations, like searching and downloading. The user interfaces are built
on top of the file-sharing API, and two are included in the source: a
text-based interface and a wxWindows GUI.

If you want to build your own communication service on top of MUTE routing,
I would suggest taking a look at the routing API. If you want to build a
new client for file sharing - for example, a platform-specific GUI, then
the file-sharing API will be useful. Understanding these layer APIs will
also help you to modify the existing MUTE client.

HW: As a programmer, what are some of the things you've been learning as
you've been working on MUTE?

JR: I have been programming for years, but my coding techniques improve
every day. I'm always looking for more elegant ways to do things, and
looking back at last year's code can be frustrating. I find the same to be
true for any creative process, including writing, visual arts, and music:
Since you constantly improve, your past work feels particularly shoddy in
retrospect. My coding has improved in many subtle ways that I cannot
necessarily put my finger on.

In terms of more dramatic changes, the use of a layered architecture has
made the MUTE project very easy to manage and understand. I have never used
a layered architecture before, but I plan to use it in the future.

HW: Have you considered the legal ramifications of what you're doing and
prepared for any possible legal action? As everybody knows, the RIAA and
its international counterparts have been going after both users and
developers of P2P software quite aggressively.

JR: So far, these organizations have confined their attacks to corporations
that are peddling P2P and making money off of it. There is no precedent for
a suit against an individual P2P developer who is releasing non-commercial,
open-source software. Selling a product that helps people break the law is
very different from giving it away. Furthermore, there is no explicit law
against software like MUTE.

That said, I could always be the precedent, and I am ready for anything. I
believe that coding is part of my right to free speech, and I also believe
that I have the right to encourage people to break an unjust law as a form
of social protest. Many people look at the MUTE web site, which refers
directly to how MUTE circumvents the RIAA's spy tactics, and say, "Whoa,
friend, I would be careful if I were you."

Sure, many other P2P developers and companies blatantly lie about what
their software is for, but I refuse to lie. You can write a book that
encourages people to break the law - for example, The Anarchist Cookbook.
Why can't I write a web site that does the same thing?

To be honest, I think it is highly unlikely I will be sued, but only time
will tell.

HW: It's inevitable that a third-generation P2P service is probably on the
horizon. Will you be so bold to say that yours, MUTE, is it?

JR: Whatever the third-generation P2P system will be, it will certainly be
anonymous. All past P2P innovations have been spurred by the legal tactics
of the day. I don't see why the next leap will be any different.

MUTE is probably more of a vanguard than the be-all, end-all
third-generation P2P system, much like Gnutella was the vanguard for the
second generation. Other P2P developers may be inspired by MUTE and start
thinking about how to make P2P anonymous. Unfortunately, if history repeats
itself, the most popular third-generation network may be owned by a
corporation that was ultimately inspired by my work on MUTE.

It would be nice to see an open-source and open-protocol network win this
round, if only to ensure that at least one open-source application was on
the majority of people's desktops.

Howard Wen is a freelance writer who has contributed frequently to O'Reilly
Network and written for Salon.com, Playboy.com, and Wired, among others.


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end

SF Bay Area Cypherpunks August 2004 Physical Meeting Announcement

2004-08-12 Thread R. A. Hettinga
--- begin forwarded text


Date: Tue, 10 Aug 2004 09:56:44 -0700
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
From: Bill Stewart [EMAIL PROTECTED]
Subject: SF Bay Area Cypherpunks August 2004 Physical Meeting
  Announcement
Cc: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

Rick Moen suggested we have a Cypherpunks meeting in August, so:

SF Bay Area Cypherpunks August 2004 Physical Meeting Announcement

General Info:
DATE: Saturday 14 August 2004
TIME: 12:00 - 5:00 PM (Pacific Time)
PLACE:   Stanford University Campus - Tresidder Union courtyard

Agenda: Our agenda is a widely-held secret.  (This will be our first
meeting since April 2003, so the agenda is somewhat up for grabs.
Among upcoming events to note is the 7th annual Information Security
Conference, aka ISC04, Sept. 27-29 at Xerox PARC, http://isc04.uncc.edu/ .

Also of note:  Our friendly Federalistas seem to be imposing
unprecedented visa restrictions on visiting foreign cryptographers.
Is it time for all international cryptography conferences to move
off-shore?  See:  http://www.schneier.com/crypto-gram-0407.html#3 )

As usual, this is an Open Meeting on US Soil, and the public is invited.


Location Info:

The meeting location will be familiar to those who've been to our outdoor
meetings before, but for those who haven't been, it's on the Stanford
University campus, at the tables outside Tresidder Union, at the end of
Santa Theresa, just west of Dinkelspiel Auditorium.
We meet at the tables on the west side of the building, inside the
horseshoe U formed by Tresidder. Ask anyone on campus where Tresidder
is and they'll help you find it.

Food and beverages are available at the cafe inside Tresidder.

Location Maps:

Stanford Campus (overview; Tresidder is dead-center).
http://campus-map.stanford.edu/campus_map/bldg.jsp?cx=344&cy=471&zoomto=50&zoomfrom=30&bldgID=02-300
Tresidder Union (zoomed detail view).
http://campus-map.stanford.edu/campus_map/results.jsp?bldg=Tresidder
Printable Stanford Map (407k).
http://www.stanford.edu/home/visitors/campus_map.pdf

[ This announcement sent to the following mailing lists:
 [EMAIL PROTECTED], [EMAIL PROTECTED],
 [EMAIL PROTECTED], [EMAIL PROTECTED]
   Mailing list complaints or address corrections to [EMAIL PROTECTED]
   Agenda and Location questions to Rick Moen, [EMAIL PROTECTED]
]



Bill Stewart  [EMAIL PROTECTED]

--- end forwarded text




Microcontrollers bring cryptography onboard - Microchip Technology

2004-08-12 Thread R. A. Hettinga
http://www.electronicstalk.com/news/ari/ari172.html

Electronicstalk


Product news received on 12 August 2004 from Microchip Technology

Microcontrollers bring cryptography onboard

Two new PIC Flash microcontrollers feature integrated Keeloq cryptographic
peripherals, providing a complete solution for remotely controlled security
systems and authentication applications.
Designers of such systems need an integrated solution that provides control
of system power consumption and ensures reliable battery-powered operation.
The new PIC12F635 and PIC16F636 microcontrollers meet these requirements by
providing the Keeloq cryptographic peripheral, nanoWatt Technology power
management modes, and reliable battery reset and detect features,
including: programmable low voltage detect (PLVD), a wake-up reset (WUR)
function, software-controlled brownout reset (BOR) and an extended watchdog
timer (EWDT).
Applications for the PIC12F635 and PIC16F636 include: remote security
control (remote keyless entry, passive keyless entry and remote door locks
and gate openers); authentication (property and identity); security systems
(remote sensors and their communications); and other general purpose
applications.
The successful Keeloq technology is based on a proprietary, nonlinear
encryption algorithm that creates a unique transmission on every use,
rendering code capture and resend schemes useless.
The new devices now feature this encryption algorithm as a hardware
peripheral integrated within the PIC microcontroller.
Key additional features of these two new PIC microcontrollers include: an
8MHz internal oscillator with software clock switching; ultra-low-power
wakeup (ULPW); up to 3.5Kbyte of Flash program memory, and up to 256byte of
EEPROM data memory; 64 or 128byte of RAM; and analogue comparators.
The PIC12F635 and PIC16F636 are supported by Microchip's world-class
development tools, including the MPLAB integrated development environment,
MPLAB ICE 2000 in-circuit emulator, MPLAB PM3 universal device programmer,
PICstart Plus low-cost development system, MPLAB ICD 2 in-circuit
debugger/programmer and the PICkit 1 Flash starter kit.
The two new PIC microcontrollers are available today for general sampling
and volume production.
The PIC12F635 offers a choice of 8-pin PDIP, SOIC and DFN-S packages, and
the PIC16F636 comes in 14-pin PDIP, SOIC and TSSOP outlines.




Hackers download College's Patriot database

2004-08-12 Thread R. A. Hettinga

--- begin forwarded text


Date: Thu, 12 Aug 2004 02:18:19 -0500 (CDT)
From: InfoSec News [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [ISN] Hackers download SIUE data, police say
Reply-To: [EMAIL PROTECTED]
List-Id: InfoSec News isn.attrition.org
List-Archive: http://www.attrition.org/pipermail/isn
List-Post: mailto:[EMAIL PROTECTED]
List-Help: mailto:[EMAIL PROTECTED]
List-Subscribe: http://www.attrition.org/mailman/listinfo/isn,
mailto:[EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

http://www.stltoday.com/stltoday/news/stories.nsf/News/Metro+East/A3F75AB9CA0230BB86256EEE0012DF3B?OpenDocument&Headline=Hackers+download+SIUE+data,+police+say

By Trisha Howard
Of the Post-Dispatch
08/11/2004

The names and passport information of more than 500 foreign students
at Southern Illinois University Edwardsville were illegally downloaded
last week by a fellow student at the school, according to a search
warrant filed Wednesday by university police.

Greg Conroy, an SIUE spokesman, said Wednesday that three students had
been questioned Friday after university officials discovered the
security breach.

Conroy said he expected the university to seek criminal charges in the
case.

The search warrant, filed in Madison County Circuit Court, said that
the hacker downloaded the information from a special database set up
to comply with provisions of the federal Patriot Act. The data
included names, dates of birth, Social Security numbers and visa
information, Sgt. Marty Tieman of the SIUE Police Department said in
his affidavit.

Conroy said that employees in the university's Office of Information
Technology found out about the breach on Friday while doing their
daily check of activity logs. The log showed that someone had
downloaded the information early that morning.

Computer experts then tracked the computer to one of three students
who share an apartment at Cougar Village, Conroy said. On Friday
afternoon, police seized three computers from the apartment and
questioned the three students, Conroy said.

Tieman said in his affidavit that police were greeted at the door by
one of the three students, who admitted that he had seen his roommate
access the server and download the information.

Conroy said that officials had not yet determined a motive.

"For all I know, these students could have been doing this as a
prank," Conroy said. "At this point, I don't know what they wanted to
do with the information."

Conroy said investigators from a Metro East law enforcement computer
task force were examining all three computers for evidence.

He emphasized that the system does not allow hackers to change vital
information. But he said that the breach was possible because an
employee had failed to disable a feature that gives people access to
the system without a password.

"The students were scanning the system, they found the flaw, and they
started downloading files," Conroy said. "It's an unfortunate mistake,
but it happened."



_
Open Source Vulnerability Database (OSVDB) Everything is Vulnerable -
http://www.osvdb.org/

--- end forwarded text




[ISN] Hack . . . hack back . . . repeat

2004-08-12 Thread R. A. Hettinga
 Survivor,
when it was good.

There wasn't exactly a book on how to organize your team or set
strategy for this sort of thing. But our winning strategy as a team
was organization. We organized everything from a rotating cat nap
schedule to divvying up jobs along lines of expertise.

Because offense was 80% of the overall score, you had to maintain
support for your front-line attackers. The trick was to not ignore
your defenses. If your defenses slipped, other teams could get in and
score. As the Ghetto Hackers pointed out at the awards ceremony, we
were solid attackers - not significantly better than other teams - but
we had very good defense and were able to keep other teams from
stealing flags from us.

Most attacks we saw were levied against information in the database.
Someone would figure out how to run the Wiki (a piece of server
software that lets users freely create and edit Web page content using
any Web browser) and do some obscure set of queries that would reveal
flag data. Or someone would go into the Multi-User Dungeon, online
game environments that use a great deal of bandwidth, and figure out
if you walked north through the forest just the right way you'd be
able to pick up a flag.

We saw many failed attacks. Someone tried to buffer overflow the Web
server with 800,000-byte null packets. Someone else tried to go after
SNMP services to gain entry. Teams even attempted to capture their
incoming Scorebot traffic and replay that same traffic in the
direction of our machines in the hopes that our services would mistake
them for the actual Scorebot and give up flags to them.

If I were to apply my experiences to a more everyday situation than
what was taking place at the off-the-strip Alexis Park hotel, five
points would bubble to the top of the security cauldron:

Unsecure, unnecessary services - such as terminal services and SNMP -
are running on most Windows machines. You've got to take care to shut
down or firewall all unnecessary ports used by these services.

* Passwords are revealed frequently. To defend against this,
  periodically change all passwords, including those that give access
  to Web services and databases.

* Customized Web applications typically leak critical information. To
  defend against this, applications must be modified so they do not
  have commands that give too much information without proper
  authorization or let users modify objects out of turn.

* Unmonitored services are dangerously open to attack. Watch your logs
  like a hawk.

* Hack attacks happen. Be very, very afraid.

Thayer is principal investigator with Canola & Jones, a security
research firm in Mountain View, Calif. He can be reached at
[EMAIL PROTECTED]


Acknowledgements

Thanks to the Ghetto Hackers for running a great contest. They put
together a complex game and made it run under very stressful
conditions and it worked great. Thanks also to Sk3wl of R00t for
letting me join in.




--- end forwarded text




Brin/FedWorld: Transparent Privacy

2004-08-12 Thread R. A. Hettinga
 as the people's protectors. Exactly the way the
government people picture themselves. Everyone is great at rationalizing
why they should be elites. Funny how it always boils down to protecting the
people by preventing them from seeing.

 But the real miracle of our civilization is that we're the only one in all
of history that ever had the knack of holding elites accountable. We've
done this, in part, by siccing our elites on each other, which is why
alliances between corporate, aristocratic and government power are
especially dangerous.

 The other way we've found of achieving this miracle is by learning to have
the habit of looking.


Q: Looking around us?

 A: Looking alpha monkeys in the eye. These people who suggest we're going
to save our freedom by blinding alpha apes -- by denying sight and
knowledge to big money, big government, big aristocrats -- they never
explain how! Try this experiment. Go down to the zoo, climb into the baboon
enclosure and try to poke a pointed stick into the eye of the biggest
baboon.

 He won't let you.

 Elites won't let us blind them. All we'll accomplish by privacy
regulations, as Robert Heinlein put it, is to make the spy bugs smaller. In
that recent row over Total Information Awareness, the DARPA program, all
the ruckus did was drive the same research deeper into shadows, where we
know less about it.

 If there were a Big Brother, that's exactly what he'd want.


Q: When you speak about these small spy bugs, I'm wondering about your
thoughts on privacy and the new wave of subdermal RFIDs that can be
implanted into people. There are good uses for them, medical histories and
the like.

 A: Subcutaneous tags are good for finding lost pets, and people will
routinely install them to protect their kids. Until the kids get big enough
and learn enough to cut the damn things out themselves. The next
generation's rite of passage, I guess. Their equivalent of long hair or
piercings. I want to forbid any tags that a teenager can't learn to safely
remove when the time is right.

 Hey, you can look at the future and shiver with fear, or you can peer
ahead and say, 'How can we maximize the good while minimizing the bad?'

 It's a question that dichotomy pushers refuse ever to ask, and it's the
only question that ever makes any sense. How can we get all the good stuff
without having any of the bad?

 The mere fact that some people consider that question naive is not proof
of the naivety of the question. It's proof that they've not even begun to
think. Because maximizing the good and minimizing the bad is exactly what
we do. It's why we fought for civil rights and the environment and
universities and free schools for the poor while getting space telescopes,
personal computers, 500 channels and 50 types of ethnic cuisine.

 Sure, we're only halfway to the efficient technologies and habits that
will let everybody on Earth share a cake that's growing without limits.
Still, more people have vastly more justice and freedom and safety and hope
and cool toys and education and compassion and even cooler toys than ever
before. The percentage of human beings who are healthy and happy has never
been higher. The positive-sum goal has been proved possible.

 Anyway, just ask the world's have-nots what they want. They want all of
that -- the universities and freedom and clean water and toys too.

 It's the only goal worth having. And we'll get there, if we cooperate and
compete fairly with open eyes.

Shane Peterson
Associate Editor




Interview with Bruce Schneier, Counterpane Internet Security

2004-08-12 Thread R. A. Hettinga
 monoculture that allows malware programmers to make
broadly-correct assumptions about the operating and application
environments?

A. Certainly the monoculture exacerbates the problem, but it isn't the core
of the problem. Insecure, unreliable, and buggy software is endemic to
software in general, and not just Microsoft in particular. This software
causes security vulnerabilities, and would continue to do so even if there
were several equally popular operating systems. What the Microsoft
monoculture does is magnify the effects of these vulnerabilities, so that
they are more disastrous to the Internet as a whole.

One of the ways to maintain security - especially with insecure tools - is
through diversity. Monoculture flies in the face of that security strategy.

Q.  You've said that you are a fan of open source: what in particular do
you like about it?

A. Open source isn't a solution to the world's computer problems, but it is
a compelling alternative to proprietary software. Remember, though, that
open source software isn't magically more secure. It has the potential to
be more secure, because more people are looking at it, but it also has the
potential to be equally insecure. The important thing is to have good
security analysis: proprietary software vendors can buy it, and open source
systems can get it for free. But it's also possible for both proprietary
and open source software to ignore the need for security analysis.

Q.  If those writing software became liable for its faults, as you suggest,
what would be the situation for open source software?

A. I don't know. I presume there would be some exemption for open source,
just as the United States has a good Samaritan law protecting doctors who
help strangers in dire need. Companies could also make a business wrapping
liability protection around open source software and selling it, much as
companies like Red Hat wrap customer support around open source software.

Q.  Your books describe an interesting passage from optimism that
technology can be a solution to computer security problems, to a rather
more pessimistic view; how much of a danger do you think there is that
things might get so bad that people will just disconnect themselves from
the Internet - as is already starting to happen with email because of the
unacceptably high levels of spam?

A. I think it's very likely. People and companies make risk management
decisions about network security. If they can't do something securely, at
least some of them will decide not to do it at all.

Q.  If you were designing a replacement for the abandoned Internet, and had
a completely free hand, what would you do differently in order to render it
intrinsically more secure than Net 1.0?

A. The problem isn't the Internet. The problem is the horribly insecure
computers attached to the Internet. I would rather rewrite Windows than
TCP/IP.
Posted by glyn at August 16, 2004 08:57 AM


Johansen breaks AirPort Express encryption

2004-08-12 Thread R. A. Hettinga
http://macnn.com/print/25830

MacNN


Johansen breaks AirPort Express encryption

Wednesday, August 11, 2004 @ 7:20pm



 Jon Lech Johansen, author of DeCSS, has discovered the public key that the
AirPort Express uses to allow software to play audio through it. Johansen
says that the audio stream is encrypted with AES and that the AES key is
encrypted with RSA. The public key is available on his blog as well as a
software application (for Windows command-line) that streams Apple Lossless
MPEG-4 audio to an AirPort Express. Though JustePort is Windows-only
software at the moment, it should be only days before graphical software
exists for the Mac now that the public key is out in the open. Apple could
choose to change it via an AirPort Express firmware update, but it should
still be possible to retrieve the new key. This is a huge step forward in
giving standard applications the ability to use an Express for audio
output, according to one developer.




NSA Overcomes Fiber-Optic and Encryption

2004-08-10 Thread R. A. Hettinga

--- begin forwarded text


Date: Mon, 09 Aug 2004 20:19:35 -0700
To: [EMAIL PROTECTED]
From: John Young [EMAIL PROTECTED]
Subject: NSA Overcomes Fiber-Optic and Encryption
Sender: [EMAIL PROTECTED]

Excerpt below from a Baltimore Sun article of August 8, 2004.
Some of it could be true, but.


http://cryptome.org/dirnsa-shift.htm

-

Director of NSA shifts to new path

By Scott Shane
Sun National Staff

August 8, 2004

...

Technology revolution

Given the dire assessments a few years ago, it is notable that Hayden
says the communications revolution has on the whole been a plus, not a
minus, for the NSA.

The NSA director declines to elaborate. But interviews with outside
experts suggest that the agency has managed to overcome the challenges
posed by fiber-optic cable and encryption.

"My opinion is that at this point, those are little more than a speed
bump to NSA," says Steve Uhrig, president of SWS Security, a Harford
County firm that builds eavesdropping and counter-eavesdropping systems
for U.S. and foreign police agencies. "They have a virtually unlimited
budget, and they can put amazing resources to work on a problem."

Several sources who regularly speak with NSA officials say they believe
Uhrig is right. Although they do not know the details, they say the
agency has almost certainly managed to tap fiber cables on a large-scale
basis, making access to the information inside less of a problem than its
overwhelming volume.

The NSA has also found a silver lining to the use of encrypted e-mail:
Even if a particular message cannot be read, the very use of encryption
can flag it for NSA's attention. By tracking the relatively few Internet
users in a certain country or region who take such security measures, NSA
analysts might be able to sketch a picture of a terrorist network.

Information 'in motion'

And by focusing their electronic tricks on messages as they are first
typed on a computer or when they are read on the other end - what
security experts call 'information at rest' - NSA technical experts might
be able to bypass otherwise-unbreakable encryption used when the
information is 'in motion'.

Meanwhile, the popularity of e-mail and particularly of cell phones has
worked to the NSA's advantage in the battle against terrorism.

The NSA's computers can track and sort huge volumes of e-mail far more
easily than they can manage telephone intercepts, because text is
consistently represented in digital code.

And cell phones - as handy for terrorist plotters as for everyone else -
provide not just an eavesdropping target but also a way to physically
track the user.

Uhrig, who has installed cellular intercept systems in several countries,
says that as cell phones have proliferated, the cells served by a tower
or other antenna have correspondingly grown smaller. "A big hotel may
have a cell for every other floor. Every big office building is its own
cell," he says.

Easier tracking

"By following a switched-on cell phone as it shifts from cell to cell,
you can watch the person move," Uhrig says. "You can tell the direction
he's moving. If he's moving slow, he's walking. If he's moving fast, he's
in a car. The tracking is sometimes of much more interest than the
contents of a call."

-

--- end forwarded text




How a Digital Signature Works

2004-08-10 Thread R. A. Hettinga
http://www.businessweek.com/print/technology/content/aug2004/tc20040810_3053_tc024.htm?tc

Business Week


 AUGUST 10, 2004

  NEWS ANALYSIS: TECH
 By Stephen H. Wildstrom





How a Digital Signature Works

Microsoft's new Service Pack makes life tough for programs lacking the
proper electronic credentials. Here's why
 A technology called public key cryptography makes it possible for you to
make sure that the publisher of any piece of software that claims to be
from Microsoft (MSFT) or any other publisher really came from there. It
has the added benefit of ensuring that the contents weren't maliciously
altered or damaged in transmission. Here's how it works:

 The publisher first has to obtain a digital certificate from a recognized
certificate authority or CA (VeriSign (VRSN) is the largest and best
known CA in the U.S.). The publisher receives a private and a public key,
each of which is a long number of about 300 digits. These are used to
create a digital signature for each program (see BW Online, 8/10/04,
"Windows of Vulnerability No More?").

 When the software is ready to be posted for download, the publisher runs
it through a mathematical process called a one-way hash, which reduces it
to a long number called the message digest. The message digest is then
encrypted using the publisher's private key, and the result, which looks
like a string of gibberish when displayed, is appended to the program when
it's downloaded.

HASH SLINGING.  The trick of public key encryption -- the best known
approach is called RSA for the initials of its inventors -- is that one key
can be used to scramble the data while a different, mathematically related,
key is used to unscramble it. When you download a digitally signed program,
the first thing your computer does is check the Web site's digital
certificate. It then queries the CA that issues the certificate to make
sure it's still valid and to obtain the public key.

 When the download is complete, your computer uses the public key to
decrypt the message digest. It also runs the same one-way hash procedure on
the downloaded software. If everything is as it should be, the decrypted
message digest and the one just created should be identical. If they differ
by a single bit, something is wrong and the downloaded software will be
rejected.

 For the curious, here's the message digest of the five paragraphs above
(as plain text), created using the MD5 algorithm from RSA Data Security
Inc: c21196eb8e026d47a67883d746c72c8d.



 Wildstrom is Technology & You columnist for BusinessWeek. Follow his Flash
Product Reviews, only at BusinessWeek Online


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
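The hash-then-sign flow the BusinessWeek column describes (digest the program, "encrypt" the digest with the private key, "decrypt" it with the public key and compare), written out as an added example. This is not code from the article or from any vendor. It uses only the Python standard library, so the RSA key pair is a constructed textbook key built from two Mersenne primes with no padding scheme; that is enough to show the arithmetic the column is talking about but is not a usable signature scheme (a real publisher uses a library implementation such as RSA-PSS under a CA-issued certificate). SHA-256 stands in for the MD5 the column used, since MD5 collisions are cheap to produce today. The sample "program" bytes and the tampered copy are constructed.

```python
"""Code signing walkthrough: hash the program, sign the digest with the
private key, recover and compare the digest with the public key.

Added example; not the article's code. Toy RSA key from fixed Mersenne
primes (assumption: chosen only so the block runs offline with the
standard library). Trivially factorable and unpadded: illustration only.
"""
import hashlib
import hmac

# --- constructed toy key pair (not from the article) -----------------------
P = (1 << 127) - 1   # Mersenne prime M127
Q = (1 << 521) - 1   # Mersenne prime M521
N = P * Q            # modulus, roughly 648 bits, well above a 256-bit digest
E = 65537            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)

PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)
DIGEST_LEN = 32


def message_digest(program: bytes) -> bytes:
    """One-way hash of the program; 32 bytes for SHA-256."""
    return hashlib.sha256(program).digest()


def sign(program: bytes, private_key=PRIVATE_KEY) -> int:
    """Publisher side: raise the digest to the private exponent mod N
    (the column's 'encrypt the message digest with the private key')."""
    n, d = private_key
    m = int.from_bytes(message_digest(program), "big")
    return pow(m, d, n)


def recover_digest(signature: int, public_key=PUBLIC_KEY) -> bytes:
    """Verifier side: raise the signature to the public exponent mod N,
    which gives back exactly the digest the publisher signed."""
    n, e = public_key
    m = pow(signature, e, n)
    return m.to_bytes(DIGEST_LEN, "big")   # OverflowError if not digest-sized


def verify(program: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Recompute the digest of what was actually downloaded and compare it
    with the digest recovered from the signature. A single flipped bit in
    the download changes the recomputed digest and the check fails."""
    n, _ = public_key
    if not 0 < signature < n:
        return False
    try:
        recovered = recover_digest(signature, public_key)
    except OverflowError:          # forged value decodes to something too wide
        return False
    # constant-time compare: does not leak how many leading bytes matched
    return hmac.compare_digest(recovered, message_digest(program))


# Constructed sample "program" and a copy that differs by one bit.
PROGRAM = b"\x7fELF" + b"example installer contents " * 4
_t = bytearray(PROGRAM)
_t[10] ^= 0x01
TAMPERED = bytes(_t)

if __name__ == "__main__":
    sig = sign(PROGRAM)
    print("digest   :", message_digest(PROGRAM).hex())
    print("genuine  :", verify(PROGRAM, sig))     # True
    print("tampered :", verify(TAMPERED, sig))    # False
    print("forged   :", verify(PROGRAM, 1))       # False
```

The two failure paths in `verify` are the ones a checker has to get right in practice: a download that was altered in transit (digest mismatch) and a signature that was not produced with the matching private key (the recovered value is not a digest at all, or is the wrong one). What the column does not cover, and what real verifiers must also do, is check that the certificate carrying the public key chains to a trusted CA and has not been revoked before any of this arithmetic is trusted.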


Spawning a culture of secrecy

2004-08-09 Thread R. A. Hettinga
 group.




Fingerprinting Your Files

2004-08-09 Thread R. A. Hettinga
 with it. On May 11, 1993, NIST proclaimed SHA
as the nation's Secure Hash Algorithm. But the ink was barely dry on this
decree when NIST announced that it had made a mistake. For reasons that
would not be revealed at the time, NIST published a modified version of the
Secure Hash Algorithm-the algorithm that we now call SHA-1.

The conspiracy theorists in the cryptography community (and there are many)
had a field day. Was SHA so powerful that the NSA had decided that it had
to be dumbed down? Or had NSA perhaps planted a back door in SHA-and
somebody at NIST had found out? Were both algorithms equally secure, and
the cryptographers at the NSA were just messing with people's minds?

In August 1998, the world more-or-less learned the answer to the SHA vs.
SHA-1 mystery. Florent Chabaud and Antoine Joux, two French cryptographers,
came up with a theoretical attack against the first version of SHA-an
attack against which SHA-1 just happened to be secure. Almost certainly,
the folks at NSA knew about this attack and proposed SHA-1 as a
countermeasure. What's interesting here is that NSA's cryptographers
probably didn't know about the attack when SHA was first proposed in
1993-which means that the world's top cryptographic agency was only five
years ahead of the cryptographers in academia.

Today hash functions are also commonly used to generate repeatable but
unpredictable random numbers, for converting typed passwords into values
suitable for using as encryption keys. Instead of storing passwords
directly, many computer systems store the hash of a password. This prevents
somebody who breaks into a computer from learning everybody's password.

Hash functions have been proposed as a way to fight spam and as the basis
for digital cash systems. Mathematician Peter Wayner published a book
called Translucent Databases a few years ago in which he showed how hash
functions could be used for storing information in a database in a way
that's protected by the organization that's running the database. A college
admissions department, for example, could store student social security
numbers in the database so that these numbers could still be used as
identifiers on applications, but so that nobody in the admissions office
could sit down at a terminal and get a list of students and their numbers.
So far, though, none of those approaches have really gotten off the ground.

All in all, cryptographic hashes are one of the most interesting and useful
mathematical techniques that cryptographers have come up with over the past
20 years-and we're still finding new uses for them all the time.



Simson Garfinkel is the author of nine books on computing, including
Database Nation.
-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
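Garfinkel's remark that systems store the hash of a password rather than the password itself, and that a cryptographic hash turns a typed password into a key-like value, as an added example that is not part of the column. It uses only the Python standard library (PBKDF2 with SHA-256 via `hashlib.pbkdf2_hmac`). The stored record layout (`algorithm$iterations$salt$digest`), the iteration count and the sample passwords are constructed for this example.

```python
"""Storing a password's hash instead of the password.

Added example; not the column's code. Record format and work factor are
assumptions chosen for the example.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000   # assumption: a present-day PBKDF2-SHA256 work factor
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, cost, salt and digest.
    A fresh random salt means two users with the same password get
    different records and a precomputed table of digests is useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "%s$%d$%s$%s" % (
        ALGORITHM,
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def check_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and cost and compare in
    constant time. The plaintext is never stored, so someone who copies the
    table still has to guess each password one at a time."""
    try:
        algo, iters, salt_b64, digest_b64 = record.split("$")
        if algo != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False          # malformed or foreign record never verifies
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return hmac.compare_digest(actual, expected)


def bits_changed(a: bytes, b: bytes) -> int:
    """Hamming distance between two digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_demo() -> int:
    """A one-character change in the input flips roughly half of the 256
    output bits, which is why the stored digest reveals nothing about how
    'close' a guess was."""
    return bits_changed(hashlib.sha256(b"correct horse").digest(),
                        hashlib.sha256(b"correct hors3").digest())


if __name__ == "__main__":
    record = hash_password("correct horse")      # constructed sample password
    print("stored  :", record)
    print("ok      :", check_password("correct horse", record))   # True
    print("wrong   :", check_password("correct horse!", record))  # False
    print("bits changed by a one-character edit:", avalanche_demo())
```

The iteration count is what separates this from a bare hash: a plain SHA-1 or MD5 of the password is exactly the "hash of a password" Garfinkel describes, but it can be guessed at billions of attempts per second, so modern systems add a salt and a deliberately slow, iterated construction.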


Is Source Code Like a Machine Gun?

2004-08-09 Thread R. A. Hettinga
 the
moving parts and thus does the functioning.

 Another way to put it is that all that a computer does is to manipulate
text. The input is text, the program is text, and the output is text. And
all that source code, or any other code, is is text.

 Now, of course, the protections of the first amendment are not absolute,
so the writing and publication of source code, like any other text, can be
forbidden if there is a strong enough justification. But, since code in no
way resembles a machine gun, its resemblance to a machine gun cannot be
that justification.

 And by the way, the fact that some text may be too ``functional'' to be
copyrighted in no way suggests that it is not protected by the first
amendment. If a text is useless there is, in fact, little reason to give it
first amendment protection.

 This was written in considerable haste and undoubtedly contains large gaps
in its reasoning. I have, however, some other work to do, and so I will end
it here.

 After I posted that response to the Cyberprof list, I received the
following inquiry off list:
 Just out of curiosity, would you liken software to the thought processes
that are used to control the computer (and the machine gun)? If so, would
restrictions on source code be more akin to thought control, rather then
restrictions on devices?

 Here is my response to that question:
 [T]he quick answer is that I think of computers properly programmed as
prosthetics that help us think (and perceive) like glasses and hearing aids
and paper and pencils (and the invention of the alphabet and of
mathematical notations) and so I do think that restrictions of software and
also on computers amount to thought control.

 Consider the fact that there is hardly anyone left in the world who can
calculate square roots now that it is so easy to do the calculation using a
calculator.

 I consider doing arithmetical and logical calculations to be a (very
small) part of what is involved in thought, but they definitely are thought
processes.

 (I wouldn't say though that the thought processes are programs if one
considers a program to be text. Programs are not processes, they are
descriptions of or instructions for implementing a process.) [2]

For discussions of related issues see the entries on Expression Has Nothing
to Do with It, Publishing Bombmaking Information and the First Amendment,
and Copyright and the Confusion of ``Software''.


Peter D. Junger 2004-08-07


name of the Tor twin?

2004-08-09 Thread R. A. Hettinga

--- begin forwarded text


Date: Sun, 8 Aug 2004 23:44:17 +0200
From: Eugen Leitl [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: name of the Tor twin?
User-Agent: Mutt/1.4i
Sender: [EMAIL PROTECTED]

I recall a TCP/IP traffic remixing network (not a socks proxy like
Tor) coming over the list a while back. My bookmarks are away, what's the
name of the thing? Not p2net, something similar.

Hello Brain, this is Pinky. Please help.

--
Eugen* Leitl http://leitl.org
__
ICBM: 48.07078, 11.61144            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net

[demime 1.01d removed an attachment of type application/pgp-signature]

--- end forwarded text




Cryptography Research Joins Smart Card Alliance

2004-08-03 Thread R. A. Hettinga
http://biz.yahoo.com/prnews/040803/sftu064_1.html

Yahoo! Finance


Press Release
Source: Cryptography Research, Inc.

Cryptography Research Joins Smart Card Alliance
Tuesday August 3, 8:10 am ET

Patented Countermeasures Help Industry Protect Against Differential Power
Analysis Security Risks

SAN FRANCISCO, Aug. 3 /PRNewswire/ -- Furthering its mission to help the
smart card industry understand, evaluate and implement differential power
analysis (DPA) resistant solutions, Cryptography Research, Inc. today
announced it has joined the Smart Card Alliance, an industry group
committed to the development and deployment of smart cards within the
United States. With its broad portfolio of patents covering countermeasures
to DPA vulnerabilities, Cryptography Research is able to help licensed chip
manufacturers and smart card systems integrators protect their products
against DPA-related security risks.

"We look forward to working closely with Smart Card Alliance members to
help the industry develop secure products," said Kit Rodgers, director of
licensing at Cryptography Research. "We are excited about contributing to
the Alliance's efforts to increase the success of the North American smart
card market."

"Cryptography Research has long been a pioneer in developing and analyzing
techniques for protecting smart cards against DPA and other attacks," said
Randy Vanderhoof, executive director of the Smart Card Alliance. "I am
pleased to welcome Cryptography Research to the Smart Card Alliance. Their
expertise and innovative contributions to smart card security make them a
significant addition to the group."

Smart Card Security Efforts at Cryptography Research

Cryptography Research develops security technologies that are used in smart
cards. The company's DPA-related patents provide the basis for implementing
effective DPA countermeasures in smart cards and other devices. The company
also provides the DPA Workstation(TM) to help companies improve resistance
to DPA attacks, and to help unlicensed vendors recognize the need to obtain
licenses and protect their products.

Differential power analysis and related attacks were first discovered at
Cryptography Research by Paul Kocher, Joshua Jaffe and Benjamin Jun. DPA
involves monitoring the fluctuating electrical power consumption of smart
cards and other devices then applying advanced statistical methods to infer
secret keys and other information. Effective resistance to DPA is required
to prevent counterfeiting of digital cash, impersonation, piracy of digital
content, election fraud and other attacks.

Cryptography Research has been awarded a portfolio of fundamental patents
covering countermeasures to DPA attacks, including U.S. patents #6,654,884;
#6,539,092; #6,381,699; #6,298,442; #6,327,661; #6,278,783; and #6,304,658.
Other Cryptography Research patents are issued and pending in the United
States, Europe, Japan, Canada and other countries.

About the Smart Card Alliance

The Smart Card Alliance is a not-for profit, multi-industry association of
over 100 member firms working to accelerate the widespread acceptance of
multiple application smart card technology. Through specific projects such
as education programs, market research, advocacy, industry relations, and
open forums the Alliance keeps its members connected to industry leaders
and innovative thought. The Alliance also is the single industry voice for
smart cards, leading industry discussion on the impact and value of smart
cards in the U.S. More information about the Alliance is available at
http://www.smartcardalliance.org .

According to the Smart Card Alliance, in 2003 the United States became the
third largest market for microprocessor-based smart cards in the world,
with more than 70 million smart cards shipped to customers.

About Cryptography Research, Inc.

Cryptography Research, Inc. provides consulting services and technology to
solve complex security problems. In addition to security evaluation and
applied engineering work, CRI is actively involved in long-term research in
areas including tamper resistance, content protection, network security,
and financial services. Security systems designed by Cryptography Research
engineers annually protect more than $60 billion of commerce for wireless,
telecommunications, financial, digital television, and Internet industries.
For additional information or to arrange a consultation with a member of
our technical staff, please contact Jennifer Craft at 415-397-0123, ext.
329 or visit www.cryptography.com.



 Source: Cryptography Research, Inc.



NASA preps for launch of smart ID tags

2004-08-02 Thread R. A. Hettinga
 comply
with GSC-IS version 2, just as the NASA cards do. The DOD is said to be
ready to issue 2 million to 3 million of the new cards annually.

 But the U.S. government is still moving cautiously. Rather than embrace a
dual contact and contactless interface technology, it is requiring a
separate contactless chip alongside the contact chip used to store digital
credentials for use with computer and payment applications.

 NASA's cards use far less memory and are more basic than the next-gen DOD
cards. The Philips Mifare DESFire V0.6 chip used in the cards incorporates
4 kbytes of E2PROM, a contactless interface, an 80C51 microcontroller core
and additional gates for a Data Encryption Standard (DES) co-processing
engine. It's designed to offer a fixed, common set of data exchange
functions and features a 424-kbit/second data interface between smart card
and reader.

 NASA this summer will carry out a field trial at the Marshall Space Flight
Center in Huntsville, Ala., with potential expansion to 2,000 employees. If
the trial is successful, NASA plans to deploy more than 100,000 smart cards
for government employees and contractors by the end of the 2005 fiscal year.

Transportation stronghold
Sources at Philips said the relatively small number of cards requested for
NASA access cards did not concern the Dutch company, which has already
secured a stronghold for its Mifare chips in such transportation-related
applications as contactless ticketing.

In its efforts to comply with the GSC-IS spec, Duverne said, Philips
"worked very closely with the U.S. administration on this."

 The DESFire access-control technology on which the NASA card is based was
developed a couple of years ago as a follow-on to the original Mifare chip,
which features a cryptography scheme proprietary to Philips. The new
technology's DES engine lets others build their own cryptographic
algorithms, with attention to higher security levels.

 According to Philips, the development of DESFire was necessary to
accommodate the needs of a broader user community, including the U.S.
government, which objects to the use of products based on proprietary
technology. Production of the V0.6 chips has ramped up in the past few
months, Duverne said.


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
Several times a week, to enter a TV studio say, or to board a plane, I
have to produce a tiny picture of my face.  -- Christopher Hitchens



Stepping on Big Brother's Toes

2004-08-01 Thread R. A. Hettinga
 unstable
environment for privacy," said Davies. "The proclaimed need for protection
of children and the fight against terrorism is often shamelessly used as
the pretext for privacy invasion."

 This September, Privacy International plans to publish a comprehensive
study of antiterrorism policy developments worldwide.




How They Could Steal the Election This Time

2004-08-01 Thread R. A. Hettinga
. Greg Palast and Martin Luther King III have more than 80,000
signatures on their petition against paperless touch-screens and the
purging of voter rolls. Global Exchange, the San Francisco-based
organization, is inviting twenty-eight nonpartisan foreign observers to
monitor the US election. Eleven members of Congress asked Kofi Annan to
send UN monitors. Cindy Cohn of the Electronic Frontier Foundation is
organizing attorneys for litigation against paperless electronic voting.

 In mid-June the California secretary of state approved the nation's first
set of standards for a verified paper trail for touch-screen machines. A
recent Voting, Vote Capture and Vote Counting symposium at Harvard's
Kennedy School of Government has produced an Annotated Best Practices,
available at www.ljean.com/files/ABPractices.pdf. On June 29 the Leadership
Conference on Civil Rights and the Brennan Center for Justice, with the
endorsement of Common Cause, the NAACP, People for the American Way and
most of the leading scientific critics of paperless touch-screen voting,
sent the nation's local election officials a call for new security
measures for electronic voting machines, including local retention of
independent security experts; the full report is available at
www.civilrights.org/issues/voting/lccr_brennan_report.pdf.

 Douglas Kellner, the New York City election expert, believes the best
practical remedy for the dangers of computerized vote-counting is voting on
optical-scan systems, posting the election results in the precincts and
keeping the ballots with the machines in which they were counted. In all
computerized vote-counting situations the precinct results should be
publicly distributed and posted in the precincts before they are
transmitted to the center for final counting," Kellner says. "Once they are
sent from the precinct the audit trail is lost."

 Citizens can stay current on election developments via several websites:
electionline.org, a reliable and up-to-date source; VerifiedVoting.org,
Dill's group; notablesoftware.com, Mercuri's site; blackboxvoting.org, Bev
Harris's site; countthevote.org, the site of the Georgia group led by
Jekot; and these will key into many others. For a steady flow of news
stories on this subject (and a few others) from around the country, get on
the e-mail list of [EMAIL PROTECTED]. Official information concerning each
state is available online at each state's website for its secretary of
state.

 People should go down to their local election departments and ask their
supervisor of elections how they are going to know that their votes are
counted--and refuse to take "Trust us," or "Trust the machines," for an
answer. They can be poll watchers. Many organizations are fostering poll
watching, including People for the American Way's Election Protection 2004
project. Common Cause has made election monitoring a major project, a
spokesperson says. VerifiedVoting.org is concentrating on having people
watch election technology, including pre-election testing as well as the
procedures on election day. Bev Harris is organizing people to do such work
(see her website).

 Rebecca Mercuri says that if you believe an election has been corrupted
through voting equipment, you should collect affidavits from voters; get
the results from every voting machine for all precincts; get the names and
titles of everyone involved; inventory the equipment, including the
software, and try to have it impounded; demand a recount; and go to the
press. Noting that all counties that have rushed to purchase DRE voting
systems also have paper-ballot systems in place to handle absentee voters,
motor-voters and emergency ballots for when the system breaks down, she
suggests mothballing the DREs and using paper ballots. "Counties are saying
there's nothing they can do but use the DREs in November, and that is
simply untrue," Mercuri declares.

 Much of this would be unnecessary if Congress enacted either the
Graham-Clinton or the Holt bill, which would empower voters to verify their
own votes and create a paper trail.

 The computerized voting companies have precipitated a crisis for the
integrity of democracy. Three months to go.



ECC 2004

2004-07-30 Thread R. A. Hettinga
 to be
added to the mailing list for the third announcement, please send a
brief email to [EMAIL PROTECTED]. The announcements are also
available from the web site
www.cacr.math.uwaterloo.ca/conferences/2004/ecc2004/announcement.html
---


REGISTRATION:

The website for registration is open and can be found at:
http://www.ruhr-uni-bochum.de/hgi/tanja.html

For this year the full conference fee is 170 EUR, we offer a reduced
fee of 80 EUR for students. Please register as soon as possible as
the number of participants is limited.
--

ACCOMMODATIONS:

We set aside a number of rooms on a first-come first-serve basis at
following hotels.  To get the prices listed below include the
respective quotations when making your reservation


Hotel Acora
http://www.acora.de/html/bochum.html
Tel.: (+49)234 68 96 0
Fax: (+49)234 68 96 700
Nordring 44-50 (center of Bochum)
single 66,50 EUR
double 80,50 EUR
both including breakfast
mention ECC-Workshop
These rooms are set aside till 30.07.2004.

Holiday Inn Bochum
http://www.ichotelsgroup.com/h/d/hi/394/de/hd/bocge
Tel.: 49-234-9690
Fax: 49-234-969
Massenbergstrasse 19-21 (center, close to main station)
single 85,00 EUR incl. breakfast
mention ECC-Workshop
These rooms are set aside till 13.08.2004.


Hotel Haus Oekey
http://www.oekey.de/
Tel.: (+49)234 388 13 0
Fax: (+49)234 388 13 88
Auf dem Alten Kamp 10 (halfway between university and city center)
single 52 EUR
double 70 EUR
both including breakfast
mention Ruhr-University, Lange
These rooms are set aside till 10.08.2004.


Hotel IBIS am Hauptbahnhof
http://www.ibishotel.com
Tel.:   (+49)234/91430
Fax :   (+49)234/680778
Kurt- Schumacher- Platz 13-15 (next to main station)
single 58 EUR
double 67 EUR
(The prices include breakfast for 9 EUR.) The fee includes free public
transport in Bochum
mention ECC
These rooms are set aside till 12.08.2004.

Hotel Kolpinghaus
http://www.kolpinghaus-bochum.de/html/hotel.html
Maximilian-Kolbe-Str. 14-18 (close to main station, center)
single 46 EUR
double 24 EUR
including breakfast. Facilities include linen and have communal
bathrooms on each floor.
Please make your booking via Tanja Lange [EMAIL PROTECTED] and mention
with whom you would like to share a room.
These rooms are available till 09.08.2004.


Other hotels can be found at

http://www.bochum.de/english/
http://www.bochum.de/bochum/bohotel.htm
(the hotel page is available in German only)

==


FURTHER INFORMATION:

For further information, please contact:

Tanja Lange
Information Security and Cryptography
Ruhr-University Bochum

e-mail:   [EMAIL PROTECTED]
Fax:  +49 234 32 14430
Tel:  +49 234 32 23260

==

---

---

--- end forwarded text




[Meetingpunks] SF Bay Area Cypherpunks August 2004 Physical Meeting Announcement

2004-07-28 Thread R. A. Hettinga

--- begin forwarded text


Date: Tue, 27 Jul 2004 09:10:21 -0700
To: [EMAIL PROTECTED]
From: Bill Stewart [EMAIL PROTECTED]
Old-Subject: [Meetingpunks] SF Bay Area Cypherpunks August 2004 Physical
Meeting Announcement
Subject: [Meetingpunks] SF Bay Area Cypherpunks August 2004 Physical
  Meeting Announcement
Approved: LISTMEMBER CPUNK
Sender: [EMAIL PROTECTED]

Rick Moen suggested we have a Cypherpunks meeting in August, so:

SF Bay Area Cypherpunks August 2004 Physical Meeting Announcement

General Info:
DATE: Saturday 14 August 2004
TIME: 12:00 - 5:00 PM (Pacific Time)
PLACE:   Stanford University Campus - Tressider Union courtyard

Agenda: Our agenda is a widely-held secret.  (This will be our first
meeting since April 2003, so the agenda is somewhat up for grabs.
Among upcoming events to note is the 7th annual Information Security
Conference, aka ISC04, Sept. 27-29 at Xerox PARC, http://isc04.uncc.edu/ .

Also of note:  Our friendly Federalistas seem to be imposing
unprecedented visa restrictions on visiting foreign cryptographers.
Is it time for all international cryptography conferences to move
off-shore?  See:  http://www.schneier.com/crypto-gram-0407.html#3 )

As usual, this is an Open Meeting on US Soil, and the public is invited.


Location Info:

The meeting location will be familiar to those who've been to our outdoor
meetings before, but for those who haven't been, it's on the Stanford
University campus, at the tables outside Tressider Union, at the end of
Santa Theresa, just west of Dinkelspiel Auditorium.
We meet at the tables on the west side of the building, inside the
horseshoe U formed by Tresidder. Ask anyone on campus where Tressider
is and they'll help you find it.

Food and beverages are available at the cafe inside Tresidder.

Location Maps:

Stanford Campus (overview; Tressider is dead-center).
http://campus-map.stanford.edu/campus_map/bldg.jsp?cx=344&cy=471&zoomto=50&zoomfrom=30&bldgID=02-300
Tressider Union (zoomed detail view).
http://campus-map.stanford.edu/campus_map/results.jsp?bldg=Tresidder
Printable Stanford Map (407k).
http://www.stanford.edu/home/visitors/campus_map.pdf

[ This announcement sent to the following mailing lists:
 [EMAIL PROTECTED], [EMAIL PROTECTED],
 [EMAIL PROTECTED], [EMAIL PROTECTED]
   Mailing list complaints or address corrections to [EMAIL PROTECTED]
]



Bill Stewart  [EMAIL PROTECTED]
___
Meetingpunks mailing list
[EMAIL PROTECTED]
http://lists.cryptorights.org/mailman/listinfo/meetingpunks


--- end forwarded text




Feds and Yahoo Muzzle DNC Security Whistleblower

2004-07-28 Thread R. A. Hettinga

--- begin forwarded text


Date: Sun, 25 Jul 2004 14:39:14 -0700
To: [EMAIL PROTECTED]
From: John Young [EMAIL PROTECTED]
Subject: Feds and Yahoo Muzzle DNC Security Whistleblower
Sender: [EMAIL PROTECTED]

It appears that the Feds and LEA at the DNC Convention
have ordered Yahoo to axe the mail list TSCM-L run by James
Atkinson for his blistering attack on security at the convention.

  http://cryptome.org/dncsec-yahoo.htm

Jim's reports on the inferior security:

  http://cryptome.org/dnc-insec.htm

  http://cryptome.org/dnc-dauphine.htm

The mail list had nothing to do with these reports, and the
gag appears to be spite against Atkinson for whistleblowing.

However, the mail list purpose is likely to have scared them
more than his insecurity reports:


http://finance.groups.yahoo.com/group/TSCM-L/

TSCM-L Technical Security Mailing List

Dedicated to TSCM specialists engaging in expert technical
and analytical research for the detection, nullification, and
isolation of eavesdropping devices, wiretaps, bugging devices,
technical surveillance penetrations, technical surveillance
hazards, and physical security weaknesses. This also includes
bug detection, bug sweep, and wiretap detection services.

Special emphasis is given to detecting and countering
espionage and other threats and activities directed by foreign
intelligence services against the United States Government,
United States corporations, establishments, and citizens.

The list includes technical discussion regarding the design and
construction of SCIF facilities, Black Chambers, and Screen
Rooms. This list is also for discussing DIAM 50-3, NSA-65,
and DCID 1/21, 1/22 compliance.

The primary goal and mission of this list is to raise the bar
and increase the level of professionalism present within the
TSCM business.

The secondary goal of this list is to increase the quality and
effectiveness of our efforts so that we give spies and
eavesdroppers no quarter, and to neutralize all of their espionage
efforts.

This mailing list is moderated by James M. Atkinson and
sponsored by Granite Island Group as a public service to the
TSCM, Counter Intelligence, and technical security community.

--

--- end forwarded text




Lost Record '02 Florida Vote Raises '04 Concern

2004-07-28 Thread R. A. Hettinga
, are programmed not to record two
votes, and if no vote is recorded, they say, it means the voter did not
cast one.

But The Sun-Sentinel of Fort Lauderdale, in a recent analysis of the March
presidential primary, reported that voters in counties using touch-screen
machines were six times as likely to record no vote as were voters in
counties using optical-scan machines, which read markings on paper ballots.

The A.C.L.U. of Florida and several other voting rights groups have sued to
overturn the recount rule, saying it creates unequal treatment of voters.
Counties that use optical-scan machines can conduct recounts, though only
in extremely close races.

 Mr. Kaplan says that the system crashes had erased data from other
elections besides Ms. Reno's, the most recent being municipal elections in
November 2003. Under Florida law, ballot records from elections for state
and local office need be kept for only a year. For federal races, the
records must be kept for 22 months after an election is certified. It was
not immediately clear what the consequences might be of breaching that law.

Mr. Kaplan said the backup system was added last December.

An August 2002 report from Miami-Dade County auditors to David Leahy, then
the county elections supervisor, recommended that all data from
touch-screen machines be backed up on CD's or elsewhere. Professor Jones
said it was an obvious practice long considered essential in the corporate
world.

 "Any naïve observer who knows about computer system management and who
knows there is a requirement that all the records be stored for a period of
months," Professor Jones said, "would say you should obviously do that with
computerized voting systems."

Buddy Johnson, the elections supervisor in Hillsborough County, which is
one of the state's largest counties and which also uses touch-screen
machines, said his office still had its data from the 2002 elections on
separate hard drives.

Mr. Kaplan of the Miami-Dade elections office could not immediately explain
on Tuesday afternoon the system crashes in 2003.

 Martha Mahoney, a University of Miami law professor and member of the
election reform group, said she requested the 2002 audit data because she
had never heard an explanation of the supposedly lost votes that the
A.C.L.U. documented after the Reno-McBride election.

"People can never be sure their vote was recorded the way it was cast, but
these are the best records we've got," she said. "And now they're not
there."




Energy Dept. Shelves Removable Disks

2004-07-25 Thread R. A. Hettinga
http://www.washingtonpost.com/ac2/wp-dyn/A10205-2004Jul23?language=printer

The Washington Post

washingtonpost.com

Energy Dept. Shelves Removable Disks
Response to Security Breach at Lab


 Associated Press
 Saturday, July 24, 2004; Page A02

 The Energy Department, in response to a security scandal at the Los Alamos
weapons lab, ordered a halt yesterday to classified work at as many as two
dozen facilities that use removable computer disks like those missing at
the New Mexico lab.

 Energy Secretary Spencer Abraham said the stand-down at operations using
the disks, containing classified material involving nuclear weapons
research, is needed to get better control over the devices.

 The disks, known as controlled removable electronic media, or CREM, have
been at the heart of an uproar over lax security at the Los Alamos National
Laboratory, where work has been stopped as scientists search for two of the
disks reported missing on July 7.

 Nineteen workers have been suspended pending the outcome of an
investigation into the missing data devices and an incident in which an
intern was injured recently in a laser accident.

 The missing Los Alamos disks raised concern at the Energy Department about
the handling of the devices at other facilities involved in nuclear weapons
research, department officials said.

 Abraham said he wants to minimize the risk of human error or malfeasance
that could compromise the classified nuclear-related information held in
the devices, which are used at Energy Department facilities nationwide in
nuclear-related work.

 "While we have no evidence that the problems currently being investigated
are present elsewhere, we have a responsibility to take all necessary
action to prevent such problems from occurring at all," Abraham said in a
statement.

 The stand-down involves classified work across the government's nuclear
weapons complex wherever the CREM storage devices are used, the official
said. It will continue until an inventory of the devices is completed and
new control measures on their use are put in place, said Energy Department
spokesman Joe Davis. Employees using the disks must also undergo security
training.

 Among the facilities that are preparing for an interruption of classified
work are the Argonne National Laboratory outside Chicago; the nuclear
weapons plant in Oak Ridge, Tenn.; and the Sandia National Laboratories in
Albuquerque, where a missing classified disk was reported found last week.



Cryptographers and U.S. Immigration

2004-07-23 Thread R. A. Hettinga

--- begin forwarded text


Date: Fri, 23 Jul 2004 00:08:30 -0400 (EDT)
From: Atom 'Smasher' [EMAIL PROTECTED]
To: undisclosed-recipients: ;
Subject: Cryptographers and U.S. Immigration
List-Id: GnuPG development gnupg-devel.gnupg.org
List-Help: mailto:[EMAIL PROTECTED]
List-Post: mailto:[EMAIL PROTECTED]
List-Subscribe: http://lists.gnupg.org/mailman/listinfo/gnupg-devel,
mailto:[EMAIL PROTECTED]
List-Archive: /pipermail
Sender: [EMAIL PROTECTED]



...atom

  _
  PGP key - http://atom.smasher.org/pgp.txt
  762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
  -

When the government fears the people, you have liberty.
 When the people fear the government, you have tyranny.
--Thomas Jefferson




http://www.schneier.com/crypto-gram-0407.html#3

Cryptographers and U.S. Immigration

Seems like cryptographers are being questioned when they enter the U.S.
these days. Recently I received this (anonymous) comment: "It seems that
the U.S. State Department has a keen interest in foreign cryptographers:
Yesterday I tried to renew my visa to the States, and after standing in
line and getting fingerprinted, my interviewer, upon hearing that my
company sells [a cryptography product], informed me that due to new
regulations, Washington needs to approve my visa application, and that to
do so, they need to know exactly which companies I plan to visit in the
States, points of contact, etc. etc. Quite a change from my last visa
application, for which I didn't even have to show up."

I'm curious if any of my foreign readers have similar stories. There are
international cryptography conferences held in the United States all the
time. It would be a shame if they lost much of their value because of visa
regulations.



___
Gnupg-devel mailing list
[EMAIL PROTECTED]
http://lists.gnupg.org/mailman/listinfo/gnupg-devel

--- end forwarded text




U. of Tokyo, Fujitsu advance towards quantum cryptography

2004-07-23 Thread R. A. Hettinga
 wavelengths and verified single photon transmission at the
former wavelength. Verification of the latter is one of the upcoming goals
for the team. The project hopes to develop a practical single photon
generator by 2007 and Arakawa predicts commercial systems based on the
technology could be available in 5 years.

 Details of the research are scheduled to be presented at the 27th
International Conference on the Physics of Semiconductors, which will begin
in Arizona, U.S., on July 26.



Identity theft case could be largest so far

2004-07-22 Thread R. A. Hettinga
http://www.cnn.com/2004/LAW/07/21/cyber.theft/index.html

CNN



Identity theft case could be largest so far

 Wednesday, July 21, 2004 Posted: 10:49 PM EDT (0249 GMT)


WASHINGTON (CNN) -- A Florida man was indicted Wednesday in an alleged
scheme to steal vast amounts of personal information, and the Justice
Department said it might be the largest illegal invasion and theft of
personal data to date.

The 144-count indictment against Scott Levine, 45, also includes charges of
conspiracy, fraud, money laundering and obstruction of justice, according
to the Justice Department.

Levine's alleged target was Acxiom Corp., one of the world's largest
companies managing personal, financial and corporate data, federal
authorities said.

Levine is accused of stealing vast amounts of personal information from the
company via the Internet.

Federal officials said the theft of approximately 8.2 gigabytes of data
resulted in losses of more than $7 million.

"The protection of personal information stored on our nation's computer
systems is critical to public trust in those networks and to the health of
our economy," said Assistant Attorney General Christopher Wray at a news
conference in Washington.

"We will aggressively pursue those who steal private information from
computer networks and make it clear that there are serious consequences for
such crimes," he said.

Levine, a resident of Boca Raton, Florida, is described in the indictment
as the controlling force in Snipermail.com Inc., a Florida corporation
engaged in distributing advertisements via the Internet on behalf of
advertisers and brokers.

Acxiom, headquartered in Little Rock and Conway, Arkansas, stores and
processes millions of bits of data on behalf of a wide range of clients
that include IBM, GE, Microsoft and many major credit card companies.

The invasions from Snipermail were discovered during another investigation
of another intrusion at Acxiom last year, authorities said.

The FBI's regional computer forensics laboratory in Dallas, Texas, and
computer forensic experts from the FBI and the Secret Service were
unleashed on the cyber intruders.

The indictment alleges that Levine and others at the company attempted to
hide computers from investigators.

Six employees at the company agreed to cooperate with the investigation,
authorities said.




EZ Pass and the fast lane ....

2004-07-08 Thread R. A. Hettinga

--- begin forwarded text


Date: Fri, 2 Jul 2004 21:34:20 -0400
From: Dave Emery [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: EZ Pass and the fast lane 
User-Agent: Mutt/1.4.1i
Sender: [EMAIL PROTECTED]

Having been inspired by some subversive comments on cypherpunks,
I actually looked up the signaling format on the EZ-Pass toll
transponders used throughout the Northeast.  (On the Mass Pike, and most
roads and bridges in NYC and a number of other places around here).

They are the little square white plastic devices that one
attaches to the center of one's windshield near the mirror and which
exchange messages with an interrogator in the FAST LANE that debits
the tolls from an account refreshed by a credit card (or other forms of
payment).   They allow one to sail through the toll booths at about
15-20 mph without stopping and avoid the horrible nuisance of digging
out the right change while rolling along at 70 mph in heavy traffic.

Turns out they use Manchester encoded on-off keying (EG old
fashioned pulsed rf  modulation) at 500 kilobits/second on a carrier
frequency of 915 mhz at a power a little under 1 mw (0 dbm).

The 915 mhz is time shared - the units are interrogated by being
exposed to enough 915 mhz pulsed energy to activate a broadband video
detector looking at energy after a 915 mhz SAW filter (presumably around
-20 dbm or so).  They are triggered to respond by a 20 us pulse and will
chirp in response to between a 10 and 30 us pulse.   Anything longer and
shorter and they will not respond.

The response comes about 100-150 us after the pulse and consists
of a burst of 256 bits followed by a 16 bit CRC.  No present idea what
preamble or post amble is present, but I guess finding this out merely
requires playing with a transponder and DSO/spectrum analyzer.

Following the response but before the next interrogation the
interrogator can optionally send a write burst which also presumably
consists of 256 bits and CRC.

Both the interrogators and transponders collect two valid
(correct) CRC bursts on multiple interrogations and compare bit for bit
before they decide they have seen a valid message.

Apparently an EEPROM in the thing determines the partition
between fixed bits set at the factory (eg the unit ESN) and bits that
can get written into the unit by the interrogators.   This is intended
to allow interrogators at on ramps to write into the unit the ramp ID
for units at off ramps to use to compute the toll... (possibilities for
hacking here are obvious for the criminally inclined - one hopes the
system designers were thoughtful and used some kind of keyed hash).

No mention is made of encryption or challenge response
authentication but I guess that may or may not be part of the design
(one would think it had better be, as picking off the ESN should be duck
soup with suitable gear if not encrypted).

But what I have concluded is that it should be quite simple
to detect a response from one's transponder and activate a LED or
beeper, and hardly difficult to decode the traffic and display it
if it isn't encrypted.   A PIC and some simple rf hardware ought
to do the trick, even one of those LED flashers that detect cellphone
energy might prove to work.

Perhaps someone more paranoid (or subversive) than I am will
follow up and actually build such a monitor and report whether there
are any interrogations at OTHER than the expected places...

-- 
   Dave Emery N1PRE,  [EMAIL PROTECTED]  DIE Consulting, Weston, Mass 02493

--- end forwarded text



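The burst format Dave Emery lays out above (a 256-bit payload, a 16-bit CRC, Manchester-encoded on-off keying, and an interrogator that accepts only two CRC-valid bursts matching bit for bit) modelled as an added example. This is my illustration, not code from the post and not anything from the toll system: the CRC polynomial (CRC-16/CCITT-FALSE), the payload layout (factory ESN, interrogator-written ramp id, tag, padding), the Manchester polarity, the constructed key and serial, and the HMAC-SHA256 tag truncated to 64 bits are all assumptions. It shows the encode/decode path, the two-burst acceptance rule, why a bare CRC gives no protection against the ramp-id rewrite the post worries about (the attacker just recomputes it), and how the "keyed hash" he hopes the designers used would catch that rewrite.

```python
"""Transponder burst per Dave Emery's description: 256 payload bits + 16-bit
CRC, Manchester-encoded OOK, accepted after two identical CRC-valid bursts.
Added example; polynomial, field layout, polarity and keyed tag are assumed."""
import hashlib
import hmac

PAYLOAD_BYTES = 32                     # 256 bits, per the post
ESN_LEN, RAMP_LEN, TAG_LEN = 8, 2, 8   # assumed layout of those 32 bytes
PAD_LEN = PAYLOAD_BYTES - ESN_LEN - RAMP_LEN - TAG_LEN


def crc16_ccitt(data, init=0xFFFF):
    """CRC-16/CCITT-FALSE, poly 0x1021 (assumed; the post names no polynomial)."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def bits_from_bytes(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bytes_from_bits(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def manchester_encode(bits):
    """One bit -> two OOK half-symbols; 1 = low-high, 0 = high-low (802.3 convention)."""
    return [s for b in bits for s in ((0, 1) if b else (1, 0))]


def manchester_decode(symbols):
    """Every pair must transition; a 00 or 11 pair marks a corrupted burst."""
    if len(symbols) % 2:
        raise ValueError("odd symbol count")
    bits = []
    for i in range(0, len(symbols), 2):
        pair = (symbols[i], symbols[i + 1])
        if pair == (0, 1):
            bits.append(1)
        elif pair == (1, 0):
            bits.append(0)
        else:
            raise ValueError("invalid Manchester pair at symbol %d" % i)
    return bits


def build_burst(payload):
    """Transponder side: payload, then its CRC, Manchester encoded."""
    assert len(payload) == PAYLOAD_BYTES
    frame = payload + crc16_ccitt(payload).to_bytes(2, "big")
    return manchester_encode(bits_from_bytes(frame))


def parse_burst(symbols):
    """Interrogator side: decode, check the CRC, return payload or None."""
    try:
        frame = bytes_from_bits(manchester_decode(symbols))
    except ValueError:
        return None
    payload, crc = frame[:-2], int.from_bytes(frame[-2:], "big")
    return payload if crc16_ccitt(payload) == crc else None


def accept(burst_a, burst_b):
    """The post's rule: two CRC-valid bursts that match bit for bit."""
    a, b = parse_burst(burst_a), parse_burst(burst_b)
    return a if a is not None and a == b else None


def ramp_tag(key, esn, ramp_id):
    """Keyed hash binding the written ramp id to this unit's ESN (assumed fix)."""
    msg = esn + ramp_id.to_bytes(RAMP_LEN, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def make_payload(esn, ramp_id, key=None):
    """Factory ESN, interrogator-written ramp id, tag (zeros if unkeyed), padding."""
    tag = ramp_tag(key, esn, ramp_id) if key else bytes(TAG_LEN)
    return esn + ramp_id.to_bytes(RAMP_LEN, "big") + tag + bytes(PAD_LEN)


def split_payload(payload):
    esn = payload[:ESN_LEN]
    ramp_id = int.from_bytes(payload[ESN_LEN:ESN_LEN + RAMP_LEN], "big")
    tag = payload[ESN_LEN + RAMP_LEN:ESN_LEN + RAMP_LEN + TAG_LEN]
    return esn, ramp_id, tag


def ramp_authentic(key, payload):
    esn, ramp_id, tag = split_payload(payload)
    return hmac.compare_digest(tag, ramp_tag(key, esn, ramp_id))


def forge_ramp(payload, new_ramp_id):
    """Attacker with a writer: swap the ramp id, keep the rest; CRC is recomputed by build_burst."""
    esn, _, tag = split_payload(payload)
    return esn + new_ramp_id.to_bytes(RAMP_LEN, "big") + tag + payload[ESN_LEN + RAMP_LEN + TAG_LEN:]


def demo():
    key = b"\x11" * 32                        # constructed toll-authority key
    esn = bytes.fromhex("0123456789abcdef")   # constructed factory serial
    honest = make_payload(esn, 0x0042, key)   # entered at ramp 0x42
    burst = build_burst(honest)
    forged = forge_ramp(honest, 0x0001)       # claim a nearer, cheaper on-ramp
    damaged = list(burst)
    damaged[100] ^= 1                         # one flipped OOK half-symbol
    return {
        "symbols_per_burst": len(burst),                       # (256 + 16) * 2
        "roundtrip_ok": accept(burst, burst) == honest,
        "damaged_rejected": accept(damaged, burst) is None,
        "crc_accepts_forgery": accept(build_burst(forged), build_burst(forged)) is not None,
        "mac_accepts_honest": ramp_authentic(key, honest),
        "mac_accepts_forgery": ramp_authentic(key, forged),
    }
```

Running `demo()` gives 544 symbols per burst, a clean round trip, rejection of the burst with one damaged half-symbol, acceptance of the forged ramp id under the CRC-only check, and rejection of the same forgery under the keyed tag. The point is the one the post makes in passing: a CRC detects noise, not an adversary, so the writable field needs a key the off-ramp writer does not hold.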

Third announcement ECC 2004

2004-06-29 Thread R. A. Hettinga
 for registration is open and can be found at:
http://www.ruhr-uni-bochum.de/hgi/tanja.html

For this year the full conference fee is 170 EUR, we offer a reduced
fee of 80 EUR for students. Please register as soon as possible as
the number of participants is limited.
--

ACCOMMODATIONS:

We set aside a number of rooms on a first-come first-serve basis at
following hotels.  To get the prices listed below include the
respective quotations when making your reservation


Hotel Acora
http://www.acora.de/html/bochum.html
Tel.: (+49)234 68 96 0
Fax: (+49)234 68 96 700
Nordring 44-50 (center of Bochum)
single 66,50 EUR
double 80,50 EUR
both including breakfast
mention ECC-Workshop
These rooms are set aside till 30.07.2004.


Hotel Haus Oekey
http://www.oekey.de/
Tel.: (+49)234 388 13 0
Fax: (+49)234 388 13 88
Auf dem Alten Kamp 10 (halfway between university and city center)
single 52 EUR
double 70 EUR
both including breakfast
mention Ruhr-University, Lange
These rooms are set aside till 10.08.2004.


Hotel IBIS am Hauptbahnhof
http://www.ibishotel.com/
Tel.:   (+49)234/91430
Fax :   (+49)234/680778
Kurt- Schumacher- Platz 13-15 (next to main station)
single 49 EUR
breakfast is available for 9 EUR. The fee includes free public
transport in Bochum
mention ECC
These rooms are set aside till 12.08.2004.

Hotel Kolpinghaus
http://www.kolpinghaus-bochum.de/html/hotel.html
Maximilian-Kolbe-Str. 14-18 (close to main station, center)
single 46 EUR
double 24 EUR
including breakfast. Facilities include linen and have communal
bathrooms on each floor.
Please make your booking via Tanja Lange [EMAIL PROTECTED] and mention
with whom you would like to share a room.
These rooms are available till 09.08.2004.


Other hotels can be found at

http://www.bochum.de/english/
http://www.bochum.de/bochum/bohotel.htm
(The hotel page is available in German only)

==


FURTHER INFORMATION:

For further information, please contact:

Tanja Lange
Information Security and Cryptography
Ruhr-University Bochum

e-mail:   [EMAIL PROTECTED]
Fax:  +49 234 32 14430
Tel:  +49 234 32 23260

==

---

--- end forwarded text




Cryptography Research's Nate Lawson to Speak at USENIX '04

2004-06-28 Thread R. A. Hettinga
http://biz.yahoo.com/prnews/040628/sfm086_1.html

Yahoo! Finance
  

Press Release
Source: Cryptography Research, Inc.

Cryptography Research's Nate Lawson to Speak at USENIX '04
Monday June 28, 9:05 am ET

Presents Lessons Learned in Secure Storage for Digital Cinema

SAN FRANCISCO, June 28 /PRNewswire/ -- Digital cinema transforms the
protection and physical transport of film cans into an outsourced storage
security problem, but security expert Nate Lawson believes that
conventional IT solutions are not up to the task. Lawson, senior security
engineer at Cryptography Research, Inc., has used open source software to
rapidly prototype digital cinema storage solutions and will offer advice on
how to maintain security throughout the entire cinema life cycle, from
filming and production to projection, at the USENIX '04 Annual Technical
Conference.

Lawson's presentation, Building a Secure Digital Cinema Server Using
FreeBSD, is scheduled for 3:30 p.m. on Tuesday, June 29 in the Boston
Marriott Copley Place Hotel.

"Traditional storage security solutions are designed to operate within a
data center under the data owner's physical management and control, but in
digital cinema, the data representing the film passes through multiple
parties with different incentives and levels of security," said Lawson.
"While encryption is important, it is not sufficient to ensure data
integrity or provide the evidence needed to ensure accountability and
mitigate leaks at critical junctures in film production and distribution."

According to Lawson, the projection booth at the local cinema is rapidly
taking on many of the aspects of a traditional IT data center, with racks
of computers and storage devices, high-bandwidth LANs and SANs, and other
equipment. Digital cinema is still in an embryonic stage, with about 90
digital cinema-ready theaters across the U.S. Lawson's talk will present
new criteria for evaluating storage security solutions, from disk
encryption or file system encryption to other storage security products,
and show how open source software supported the rapid development of a
prototype digital cinema server in a proprietary environment. Lawson will
also discuss the importance of standardization efforts, including the
Digital Cinema Initiative.

Nate Lawson, senior security engineer at Cryptography Research, is focused
on the design and analysis of platform and network security. Previously, he
was the original developer of ISS RealSecure and various products for
digital cinema, storage security, network mapping, and IPSEC. Nate has
evaluated cryptographic systems for FIPS 140 and other secure standards. He
is a FreeBSD developer in his spare time, contributing a SCSI target driver
and working on ACPI and CAM. Nate holds a B.S. computer science degree from
Cal Poly and is a member of USENIX and SMPTE.

USENIX, the Advanced Computing Systems Association, supports and
disseminates practical research, provides a neutral forum for discussion of
technical issues and encourages computing outreach into the community at
large. USENIX conferences have become essential meeting grounds for the
presentation and discussion of advanced developments in all aspects of
computing systems.

About Cryptography Research, Inc.

Cryptography Research, Inc. provides consulting services and technology to
solve complex security problems. In addition to security evaluation and
applied engineering work, CRI is actively involved in long-term research in
areas including tamper resistance, content protection, network security,
and financial services. This year, security systems designed by
Cryptography Research engineers will protect more than $60 billion of
commerce for wireless, telecommunications, financial, digital television,
and Internet industries. For additional information or to arrange a
consultation with a member of our technical staff, please contact Jennifer
Craft at 415-397-0329 or visit www.cryptography.com.



 Source: Cryptography Research, Inc.




[ISN] Network Associates Up For Sale, Sources Say

2004-06-22 Thread R. A. Hettinga

--- begin forwarded text


Date: Tue, 22 Jun 2004 05:58:53 -0500 (CDT)
From: InfoSec News [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [ISN] Network Associates Up For Sale, Sources Say
Reply-To: [EMAIL PROTECTED]
List-Id: InfoSec News isn.attrition.org
List-Archive: http://www.attrition.org/pipermail/isn
List-Post: mailto:[EMAIL PROTECTED]
List-Help: mailto:[EMAIL PROTECTED]
List-Subscribe: http://www.attrition.org/mailman/listinfo/isn,
mailto:[EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

http://www.crn.com/sections/breakingnews/breakingnews.jhtml;jsessionid=UBOYD1ZT3NRE0QSNDBESKHA?articleId=22101131

By Dan Neel
CRN
Jun. 21, 2004

Network Associates is for sale, and Microsoft is rumored to be the
buyer.

The maker of McAfee antivirus and security products has not made it
public, but a for sale sign figuratively hangs from Network
Associates' front door, according to Wall Street sources and channel
partners.

A public announcement concerning either the pending or closed sale of
the company to a buyer could come as early as July 1 when Network
Associates also plans to announce layoffs associated with the
company's for-sale status, these sources said.

Network Associates executives declined to comment and would neither
confirm nor deny that the Santa Clara, Calif.-based company is for
sale or planning layoffs.

Network Associates' reseller partners across the United States said
more than a few of the company's field representatives have recently
begun circulating resumes. "A lot of [Network Associates] salespeople
have opened up feelers for where they are going to land," one partner
said.

Some Network Associates employees gave partners July 1 as the date
Network Associates planned to execute the layoffs. The partners asked
to remain anonymous.

Microsoft enters the picture as a potential buyer based on the
Redmond, Wash.-based software giant's desire to ascend to a level in
the security market competitive with Network Associates rivals such as
Symantec, Computer Associates International and Trend Micro, sources
said.

Microsoft is armed with a number of antivirus tools for Windows and is
rolling out a next-generation application layer firewall, a VPN and a
Web cache solution. But possession of Network Associates' extensive
intellectual property would complete a security offering for Microsoft
that could go head-to-head with Symantec, CA, Trend Micro and others.
Microsoft representatives said it was policy not to comment on the
company's acquisition plans.

Still, Microsoft may also be the only willing buyer, Wall Street
sources said, as few companies with the wherewithal to purchase
Network Associates are interested.

It appears that Network Associates has been grooming itself to fit the
bill for an acquisition by Microsoft, many Network Associates partners
said.

One partner, who is also a veteran of the Digital Equipment
Corp./Compaq merger, said the signs coming from Network Associates are
similar to that of pre-merger DEC, citing Network Associates' sale of
its PGP encryption product line, its Gauntlet firewall business and
most recently its Sniffer network monitoring division. The partner
said Network Associates' downsizing was exactly what DEC did in order
to fit within Compaq. "It was a divestiture of all the things Compaq
didn't want," the partner said.

The sudden, announced departure of Donna Troy, Network Associates'
executive vice president of worldwide channel sales, and the sudden,
unannounced departure of Gary Brand, director of channel sales, each
resonated with partners as signs of impending change.

At Network Associates' recent Partner Symposium in San Antonio
partners were repeatedly encouraged to make sure their product
licensing was up to date, another sign that the company was trying to
set its house in order prior to a sale, partners said.



_
ISN mailing list
Sponsored by: OSVDB.org - For 15 cents a day, you could help feed an
InfoSec junkie!
(Broke? Spend 15 minutes a day on the project!)

--- end forwarded text




Antipiracy bill targets technology

2004-06-19 Thread R. A. Hettinga
http://news.com.com/2102-1028_3-5238140.html?tag=st.util.print

CNET News

 Antipiracy bill targets technology

 By  Declan McCullagh
 Staff Writer, CNET News.com
 http://news.com.com/2100-1028-5238140.html

 Story last modified June 17, 2004, 5:32 PM PDT


A forthcoming bill in the U.S. Senate would, if passed, dramatically
reshape copyright law by prohibiting file-trading networks and some
consumer electronics devices on the grounds that they could be used for
unlawful purposes.

News.context

What's new:
 A bill called the Induce Act is scheduled to come before the Senate
sometime next week. If passed, it would make whoever "aids, abets, induces
(or) counsels" copyright violations liable for those violations.

 Bottom line: If passed, the bill could dramatically reshape copyright law
by prohibiting file-trading networks and some consumer electronics devices
on the grounds that they could be used for unlawful purposes.


The proposal, called the Induce Act, says whoever "intentionally induces
any violation" of copyright law would be legally liable for those
violations, a prohibition that would effectively ban file-swapping networks
like Kazaa and Morpheus. In the draft bill seen by CNET News.com,
inducement is defined as "aids, abets, induces, counsels, or procures" and
can be punished with civil fines and, in some circumstances, lengthy prison
terms.

 The bill represents the latest legislative attempt by influential
copyright holders to address what they view as the growing threat of
peer-to-peer networks rife with pirated music, movies and software. As
file-swapping networks grow in popularity, copyright lobbyists are becoming
increasingly creative in their legal responses, which include proposals for
Justice Department lawsuits against infringers and action at the state
level.

 Originally, the Induce Act was scheduled to be introduced Thursday by Sen.
Orrin Hatch, R-Utah, but the Senate Judiciary Committee confirmed at the
end of the day that the bill had been delayed. A representative of Senate
Majority Leader Bill Frist, a probable co-sponsor of the legislation, said
the Induce Act would be introduced sometime next week, a delay that one
technology lobbyist attributed to opposition to the measure.

 Though the Induce Act is not yet public, critics are already attacking it
as an unjustified expansion of copyright law that seeks to regulate new
technologies out of existence.

 "They're trying to make it legally risky to introduce technologies that
could be used for copyright infringement," said Jessica Litman, a professor
at Wayne State University who specializes in copyright law. "That's why
it's worded so broadly."

 Litman said that under the Induce Act, products like ReplayTV,
peer-to-peer networks and even the humble VCR could be outlawed because
they can potentially be used to infringe copyrights. Web sites such as
Tucows that host peer-to-peer clients like the Morpheus software are also
at risk for inducing infringement, Litman warned.

 Jonathan Lamy, a spokesman for the Recording Industry Association of
America, declined to comment until the proposal was officially introduced.

 "It's simple and it's deadly," said Philip Corwin, a lobbyist for Sharman
Networks, which distributes the Kazaa client. "If you make a product that
has dual uses, infringing and not infringing, and you know there's
infringement, you're liable."

 The Induce Act stands for "Inducement Devolves into Unlawful Child
Exploitation Act," a reference to Capitol Hill's frequently stated concern
that file-trading networks are a source of unlawful pornography. Hatch is a
conservative Mormon who has denounced pornography in the past and who
suggested last year that copyright holders should be allowed to remotely
destroy the computers of music pirates.

 Foes of the Induce Act said that it would effectively overturn the Supreme
Court's 1984 decision in the Sony Corp. v. Universal City Studios case,
often referred to as the "Betamax" lawsuit. In that 5-4 opinion, the
majority said VCRs were legal to sell because they were "capable of
substantial noninfringing uses." But the majority stressed that Congress
had the power to enact a law that would lead to a different outcome.

 "At a minimum (the Induce Act) invites a re-examination of Betamax," said
Jeff Joseph, vice president for communications at the Consumer Electronics
Association. "It's designed to have this fuzzy feel around protecting
children from pornography, but it's pretty clearly a backdoor way to
eliminate and make illegal peer-to-peer services. Our concern is that
you're attacking the technology."


Feds: VoIP a potential haven for terrorists

2004-06-18 Thread R. A. Hettinga
VOIP operators: The fifth horsemen of the infocalypse?

Cheers,
RAH
---

http://zdnet.com.com/2102-1105_2-5236233.html?tag=printthis



Feds: VoIP a potential haven for terrorists
 By  Declan McCullagh
 CNET News.com
 June 16, 2004, 10:54 AM PT
 URL:  http://zdnet.com.com/2100-1105-5236233.html

 WASHINGTON--The U.S. Department of Justice on Wednesday lashed out at
Internet telephony, saying the fast-growing technology could foster drug
trafficking, organized crime and terrorism.

 Laura Parsky, a deputy assistant attorney general in the Justice
Department, told a Senate panel that law enforcement bodies are deeply
worried about their ability to wiretap conversations that use voice over
Internet Protocol (VoIP) services.


 I am here to underscore how very important it is
that this type of telephone service not become a haven for criminals,
terrorists and spies, Parsky said. Access to telephone service,
regardless of how it is transmitted, is a highly valuable law enforcement
tool.

 Police have been able to conduct Internet wiretaps for at least a decade, and
the FBI's controversial Carnivore (also called DCS1000) system was designed
to facilitate online surveillance. But Parsky said that discerning what
the specific (VoIP) protocols are and how law enforcement can extract just
the specific information are difficult problems that could be solved by
Congress requiring all VoIP providers to build in backdoors for police
surveillance.

 The Bush administration's request was met with some skepticism from
members of the Senate Commerce committee, who suggested that it was too
soon to impose such weighty regulations on the fledgling VoIP industry.
Such rules already apply to old-fashioned telephone networks, thanks to a
1994 law called the Communications Assistance for Law Enforcement Act
(CALEA).

 What you need to do is convince us first on a bipartisan basis that
there's a problem here, said Sen. Ron Wyden, D-Ore. I would like to hear
specific examples of what you can't do now and where the law falls short.
You're looking now for a remedy for a problem that has not been documented.

 Wednesday's hearing was the first to focus on a bill called the VoIP
Regulatory Freedom Act, sponsored by Sen. John Sununu, R-N.H. It would ban
state governments from regulating or taxing VoIP connections. It also says
that VoIP companies that connect to the public telephone network may be
required to follow CALEA rules, which would make it easier for agencies to
wiretap such phone calls.

 The Justice Department's objection to the bill is twofold: Its wording
leaves too much discretion with the Federal Communications Commission,
Parsky argued, and it does not impose wiretapping requirements on
Internet-only VoIP networks that do not touch the existing phone network,
such as Pulver.com's Free World Dialup.

 It is even more critical today than (when CALEA was enacted in 1994) that
advances in communications technology not provide a haven for criminal
activity and an undetectable means of death and destruction, Parsky said.

 Sen. Frank Lautenberg, D-N.J., wondered if it was too early to order VoIP
firms to be wiretap-friendly by extending CALEA's rules. Are we premature
in trying to tie all of this down? he asked. The technology shift is so
rapid and so vast.

 The Senate's action comes as the FCC considers a request submitted in
March by the FBI. If the request is approved, all broadband Internet
providers--including companies using cable and digital subscriber line
technology--will be required to rewire their networks to support easy
wiretapping by police.

 Wednesday's hearing also touched on which regulations covering 911 and
universal service should apply to VoIP providers. The Sununu bill would
require the FCC to levy universal service fees on Internet phone calls,
with the proceeds to be redirected to provide discounted analog phone
service to low-income and rural American households.

 One point of contention was whether states and counties could levy taxes
on VoIP connections to support services such as 911 emergency calling.
Because of that concern, I would not support the bill as drafted and I
hope we would not mark up legislation at this point, said Sen. Byron
Dorgan, D-N.D.

 Sen. Conrad Burns, R-Mont., added: The marketplace does not always
provide for critical services such as emergency response, particularly in
rural America. We must give Americans the peace of mind they deserve.

 Some VoIP companies, however, have announced plans to support 911 calling.
In addition, Internet-based phone networks have the potential to offer far
more useful information about people who make an emergency call than analog
systems do.



Breaking Iranian Codes (Re: CRYPTO-GRAM, June 15, 2003)

2004-06-15 Thread R. A. Hettinga
other intelligence source of theirs.

During the 1950s, the Americans dug under East Berlin in order to
eavesdrop on a communications cable.  They received all sorts of
intelligence until the East Germans discovered the tunnel.  However,
the Soviets knew about the operation from the beginning, because they
had a spy in the British intelligence organization.  But they couldn't
stop the digging, because that would expose George Blake as their spy.

If the Iranians knew that the U.S. knew, why didn't they pretend not to
know and feed the U.S. false information?  Or maybe they've been doing
that for years, and the U.S. finally figured out that the Iranians
knew.  Maybe the U.S. knew that the Iranians knew, and are using the
fact to discredit Chalabi.

The really weird twist to this story is that the U.S. has already been
accused of doing that to Iran.  In 1992, Iran arrested Hans Buehler, a
Crypto AG employee, on suspicion that Crypto AG had installed back
doors in the encryption machines it sold to Iran -- at the request of
the NSA.  He proclaimed his innocence through repeated interrogations,
and was finally released nine months later in 1993 when Crypto AG paid
a million dollars for his freedom -- then promptly fired him and billed
him for the release money.  At this point Buehler started asking
inconvenient questions about the relationship between Crypto AG and the
NSA.

So maybe Chalabi's information is from 1992, and the Iranians changed
their encryption machines a decade ago.

Or maybe the NSA never broke the Iranian intelligence code, and this is
all one huge bluff.

In this shadowy world of cat-and-mouse, it's hard to be sure of anything.


Hans Buehler's story:
http://www.aci.net/kalliste/speccoll.htm


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Post-9/11 laws expand to more than terrorism

2004-06-15 Thread R. A. Hettinga
surveillance. The Patriot Act wasn't needed when police searched library
records in the hunt for Unabomber Ted Kaczynski or the effort to track New
York's Zodiac killer, Mello noted.

 Many government activities under the Patriot Act remain shrouded in
secrecy. One of the provisions not expiring is an expansion of police
powers to obtain sneak-and-peek warrants allowing surveillances -
including break-ins - without notifying the people being watched.

 The government is being more aggressive in asking courts for surveillance
warrants. The Justice Department last year made a record 1,727 requests for
wiretap approvals from the secretive Foreign Intelligence Surveillance
Court, but does not publicly disclose how many investigations that might
involve.

 Attorney General John Ashcroft told the Senate Judiciary Committee last
week that the Patriot Act has been used judiciously, and he urged Congress
to give speedy consideration to extending it.




He Pushed the Hot Button of Touch-Screen Voting

2004-06-15 Thread R. A. Hettinga
 father also served in Congress and the
California Legislature, where he was one of two lawmakers to vote against
the internment of Japanese-Americans in World War II.

My dad's vote seems like a no-brainer now, Mr. Shelley said. But at the
time, it spoke to who he was and what he believed in, and he passed that on
to me. (Jack Shelley died of lung cancer in 1974, when his son was 18.)

Mr. Shelley began his career as a legislative director in Washington for
Representative Phil Burton, a liberal icon in California. He was elected to
the San Francisco Board of Supervisors and then the State Assembly, where
he served for the allowable limit of three two-year terms and became
majority leader.

He said he ran for secretary of state because he wanted to counteract the
decline in voting, though he has used the office to highlight other issues,
like domestic partner rights and corporate responsibility. Mr. Shelley did
not deny an interest in the governor's office someday but said his goal for
now was to make policy and set precedent; it has nothing to do with my
future.

Eric Jaye, a political consultant here and longtime associate of Mr.
Shelley, said he had transformed what was essentially an administrative
post into a bully pulpit.

Several recent analyses have bolstered Mr. Shelley's view that touch
screens need more security. These include a recommendation by the chairman
of the federal Election Assistance Commission that every voting
jurisdiction that uses touch screens enhance their security, with either
paper trails or other methods, by November.

 A joint report issued yesterday by the Kennedy School of Government at
Harvard and the National Science Foundation endorsed touch screens with
paper trails as the most effective voting system.

Still, many officials who run elections believe the push for paper trails
is more window-dressing than a necessary expense.

San Bernardino County, which is among those suing Mr. Shelley, plans to
ignore his directive to provide separate paper ballots for those
uncomfortable with touch screens. It would be an expression of a lack of
confidence in the machines, for which the county just spent $14 million,
said David Wert, a spokesman for the county supervisors.

In May, the supervisors noted that Mr. Shelley had certified the county's
system before the March 2 primary and that absolutely nothing has occurred
since that certification to call the system's performance or reliability
into question.

 To those who say he is only fanning fears, Mr. Shelley laughs.

If a machine breaks down in San Diego, and it breaks down in Georgia, and
they break down in Maryland, and they break down in Alameda and we have
high schools where they can hack into the systems, the deficiencies are in
the machines, he said.

Look, he added, I believe these machines have a very, very firm place in
our future, but I also believe that in responding to the chaos in Florida
in 2000 these machines were rushed out before all the kinks were worked
out.




[osint] TIA Offices Discovered - Where Big Brother Snoops on Americans

2004-06-09 Thread R. A. Hettinga
."

DARPA tried to interest Groxis in becoming part of the TIA project but the
company declined, saying the project was neither feasible nor ethical. 
Hawken says he knows people with the National Security Agency who refused to
work on TIA because of ethical concerns.

The dangers of TIA have created a coalition of strange bedfellows. The
American Civil Liberties Union has teamed up with conservative Phyllis
Schlafly's Eagle Forum and even the Heritage Foundation to fight not only
TIA but other abuses of Constitutional rights under the USA Patriot Act.
Even former member of Congress Bob Barr, a conservative firebrand, has
joined the effort.

Yet even with all this attention, TIA still exists and still watches
Americans 24/7 from the office building on Fairfax Drive in Arlington.
Although employees who work in the building are supposed to keep their
presence there a secret, they regularly sport their DARPA id badges around
their necks when eating at restaurants near the building. The straps
attached to the badges are printed with "DARPA" in large letters.

"Yeah, they're the spooks who work in the building over there," says Ernie,
the counterman at a deli near 3701 Fairfax Drive. "If this is how they keep
secrets, I guess we should really be worried."


© Copyright  2004 by Capitol Hill Blue






--
Want to discuss this topic?  Head on over to our discussion list,
[EMAIL PROTECTED]
--
Brooks Isoldi, editor
[EMAIL PROTECTED]

http://www.intellnet.org

  Post message: [EMAIL PROTECTED]
  Subscribe:[EMAIL PROTECTED]
  Unsubscribe:  [EMAIL PROTECTED]


*** FAIR USE NOTICE. This message contains copyrighted material whose use
has not been specifically authorized by the copyright owner. OSINT, as a
part of The Intelligence Network, is making it available without profit to
OSINT YahooGroups members who have expressed a prior interest in receiving
the included information in their efforts to advance the understanding of
intelligence and law enforcement organizations, their activities, methods,
techniques, human rights, civil liberties, social justice and other
intelligence related issues, for non-profit research and educational
purposes only. We believe that this constitutes a 'fair use' of the
copyrighted material as provided for in section 107 of the U.S. Copyright
Law. If you wish to use this copyrighted material for purposes of your own
that go beyond 'fair use,' you must obtain permission from the copyright
owner.
For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml


--- end forwarded text




High hopes for unscrambling the vote

2004-06-08 Thread R. A. Hettinga
 site to make sure the
encrypted sequence corresponds to what's posted. Or, if they choose, they
can hand their receipt to a trusted organization like the League of Women
Voters and ask them to do the verification.

 It's conceptually easy, Neff said during an interview at the conference
sponsored by Rutgers University's theoretical computer science center. But
it has to be plugged into the process that (voting machine) vendors use.

 Concocting arcane mathematical formulae is almost trivial, compared with
the arduous process of convincing vendors and state election officials to
adopt verifiable, encrypted systems. Neither group is known as an
aggressive early adopter of new technologies.

 Hundreds of millions of dollars are at stake. State governments are racing
to install electronic voting machines as a result of the federal Help
America Vote Act, which was enacted after the 2000 election and gives
states hefty federal grants if they meet certain deadlines.

 One key date: Any state accepting those grants must replace all its punch
card and lever machines by Nov. 2, 2004. Because of that looming deadline,
many states have already bought replacements for their oldest systems and
are reluctant to write a second set of checks to add encrypted receipt
technology. In addition, Chaum's system won't be in production until after
the November election.

 Neff expressed frustration at the difficulty of convincing voting vendors
such as Diebold Election Systems to license VoteHere's technology and
produce encrypted receipts. They're just not technically savvy, Neff
said. They've got incredibly limited technical abilities, and they're
desperately clinging to the hope that all this (concern about e-voting)
will blow over. They want to sing the praises of the little box they plop
on someone's table and not worry about it. The other conjecture is that
somewhere, they appreciate the fact that, moving toward the future, the
verification technology follows what Microsoft did to hardware in the early
days. It becomes more important than the box.

 So far, Neff's VoteHere company has inked a deal with Sequoia Voting
Systems to license its encrypted receipt technology, though it's
nonexclusive. Unlike Chaum's system that requires a special viewfinder, any
electronic voting machine equipped with a printer can produce the receipts.
State election officials aren't exactly biting, but Neff says it looks
very realistic that we can do a pilot in California or Maryland for the
November election.

 Diebold has attracted the most criticism of any e-voting machine maker. In
April, the California Secretary of State took the drastic step of banning
Diebold-made systems from being used in some counties. Last November,
California began investigating allegations of illegal vote tampering with
Diebold machines. An earlier blow came in June 2003, when university
researchers concluded that a voter could cast unlimited ballots without
detection.

 Neff of VoteHere acknowledged that encrypted ballots aren't a complete
solution for all voting problems. For instance, election officials must be
trusted to prevent people from voting twice under different names or at
multiple voting locations. We've addressed 80 percent of the threats and
100 percent of the really bad threats, Neff said. We can't (seem to) get
beyond that remaining 20 percent.

 But skeptic Mercuri argued that even that number is optimistic. I don't
agree you've addressed 80 percent of the threats, she said. It depends on
your threat model.

Related News
*   Fight over e-voting leaves election plans as casualties  May 20, 2004
http://news.com.com/2100-1028-5216643.html

*   California votes against Diebold  April 22, 2004
http://news.com.com/2100-1028-5197870.html

*   E-voting smooth on Super Tuesday  March 2, 2004
http://news.com.com/2100-1028-5168670.html

*   Voting machine fails inspection  July 24, 2003
http://news.com.com/2100-1009-5054088.html

*   Get this story's Big Picture
http://news.com.com/2104-1028-5227789.html

  
Copyright ©1995-2003 CNET Networks, Inc. All rights reserved.



WPES04 submission deadline extended

2004-06-07 Thread R. A. Hettinga
 Commission/Ontario, Canada
Susan Landau, Sun Microsystems Laboratories, USA
Andreas Pfitzmann, Dresden University of Technology, Germany
Andrew Patrick, National Research Council, Ottawa, Canada
Marc Rennhard, ETH Zurich, Switzerland
Pierangela Samarati, University of Milan, Italy
Matthias Schunter, IBM Zurich Research Laboratory, Switzerland
Tomas Sander, Hewlet Packard, USA
Marianne Winslett, U. of Illinois Urbana-Champaign, USA

___
NymIP-res-group mailing list
[EMAIL PROTECTED]
http://www.nymip.org/mailman/listinfo/nymip-res-group

--- end forwarded text




Not Ready For Prime Time

2004-06-04 Thread R. A. Hettinga
http://www.sitnews.us/HowardDean/060104_dean.html
 
Stories in the News

Electronic Voting - Not Ready For Prime Time
By Howard Dean

  

June 01, 2004, Tuesday


 In December 2000, five Supreme Court justices concluded that  a recount in
the state of Florida's presidential election was  unwarranted. This,
despite the desire of the Florida Supreme  Court to order a statewide
recount in an election that was decided  by only 537 votes. In the face of
well-documented voting irregularities  throughout the state, the U.S.
Supreme Court's decision  created enormous cynicism about whether the votes
of every American  would actually be counted. Although we cannot change
what happened  in Florida, we have a responsibility to our democracy to
prevent  a similar situation from happening again.

 Some politicians believe a  solution to this problem can be found in
electronic voting. Recently,  the federal government passed legislation
encouraging the use  of touch screen voting machines even though they
fail to provide a verifiable record that can be used in a recount.
Furthermore, this equipment cannot even verify as to whether  a voter did
indeed cast a ballot for their intended candidate.  Unfortunately, this
November, as many as 28% of Americans - 50  million people - will cast
ballots using machines that could  produce such unreliable and unverifiable
results.

 Only since 2000 have touch  screen voting machines become widely used and
yet they have already  caused widespread controversy due to their
unreliability. For instance, in Wake County, N.C. in 2002, 436 votes were
lost as  a result of bad software. Hinds County, Miss. had to re-run an
election because the machines had so many problems that the will  of the
voters could not be determined. According to local election officials in
Fairfax County, Va., a recent election resulted  in one in 100 votes being
lost. Many states, such as New Hampshire  and most recently Maine, have
banned paperless touch screen voting  and many more are considering doing
so.

 Without any accountability  or transparency, even if these machines work,
we cannot check  whether they are in fact working reliably. The American
public  should not tolerate the use of paperless e-voting machines until
at least the 2006 election, allowing time to prevent ongoing  errors and
failures with the technology. One way or another,  every voter should be
able to check that an accurate paper record  has been made of their vote
before it is recorded.

 Both Democrats and Republicans  have a serious interest in fixing this
potentially enormous blow  to democracy. A bipartisan bill, sponsored by
Rep. Rush Holt  (D-N.J.), is one of several paper trail bills in the House
and  Senate and it should be passed as soon as possible. A grassroots
movement for verified voting, led by organizations like VerifiedVoting.org,
is gaining momentum nationwide.

 There is nothing partisan about  the survival of our democracy or its
legitimacy. We cannot and  must not put the success of one party or another
above the good  of our entire country and all our people. To the
governments  of the fifty states, Republican or Democrat, I ask you to put
paperless e-voting machines on the shelf until 2006 or until  they are
reliable and will allow recounts. In a democracy you always count the votes
no matter who wins. To abandon that principle  is to abandon America.

  
Email Howard Dean at  [EMAIL PROTECTED]

 

Howard Dean, M.D. and former  governor of Vermont, is the founder of
Democracy  for America, a grassroots organization that supports socially
progressive and fiscally responsible political candidates.




RE: [ISN] Simple passwords no longer suffice

2004-06-04 Thread R. A. Hettinga

--- begin forwarded text


Date: Fri, 4 Jun 2004 01:29:59 -0500 (CDT)
From: InfoSec News [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ISN] Simple passwords no longer suffice
Reply-To: [EMAIL PROTECTED]
List-Id: InfoSec News isn.attrition.org
List-Archive: http://www.attrition.org/pipermail/isn
List-Post: mailto:[EMAIL PROTECTED]
List-Help: mailto:[EMAIL PROTECTED]
List-Subscribe: http://www.attrition.org/mailman/listinfo/isn,
mailto:[EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

Forwarded from: [EMAIL PROTECTED]

I consider password security to be most important. I understand
regular users cannot think of thousands of passwords and not write
them down. Because my memory is also not perfect I have developed the
following password scheme:

I memorized 8 different sequences of alphanumerical characters, let's
call them SAC's. (just inventing a new abbreviation here).

Each different in size and using some uppercase letters. I give them all
a number (so SAC1, SAC2, SAC3 etc.)

For every account I select three of these sequences of alphanumerical
characters, and put them in a certain order. That is my password.  I
then write down the order in a password protected database. (with a
simpler password, don't care that much if the database is compromised)

So for example:

For hotmail I might use sequence SAC4, SAC5, SAC2.

I just add to my password database Hotmail 452 and I know what the
password is.

For sequence SAC1, SAC8, SAC3, which I use with my mail certificate, the
note I have written down is mail certificate 183.

Somewhere else I have as a reminder a list of all my SAC's but only
with the first two characters being correct, the rest is put there as
disinformation. So I actually look only at the first two characters
and then remember what that SAC was again.

So I have a list that looks like this:

SAC# written down  - real password
SAC1 fuh355y9wtga9 - fuh5y05edh
SAC2 g8betb8g - g8bs=hb56hRRTYsh
SAC3 l;kyh35h9 - l;g588bas3DR
SAC4 aBfbvsdh4 - aBbdnitbAA$
SAC5 GgfasdG - Gggrw422a~
SAC6 GSDFGWRw444  - GAEB53th8g3e
SAC7 BbgRhgw52354 - Bdghbwtrb53
SAC8 6775u3ed5us - 67hJ^$6493

So for example when I need my password to get into hotmail I just open
my password database or grab my paper printout of the list and look up
the hotmail account, I see Hotmail 452. I also look up my SAC list
here and by looking at the first few characters I remember what
each SAC is.

So the password is aBbdnitbAA$Gggrw422a~g8bs=hb56hRRTYsh without the
quotes.


Once you have the discipline to set up something similar and stick to
it your password security will be incredible. (and it's worth the
look on people's faces when they see you enter passwords of more than
20 characters at lightning speed, try to sneak up on that one =D )

Also I try to maintain my habit of typing in numbers on the number
keypad and, as I do so, covering my hand with the other hand so it
cannot really be seen or recorded by cameras. Just as one would
protect their PIN code. (also considering those credit thieves that
build cameras into ATM machines and devices that record your
magnetic strip. Haha, have fun with my strip, but you couldn't see my
PIN code :P)


Greetings,
Da paranoid android ;-)


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On behalf of InfoSec News
 Sent: Thursday, June 03, 2004 09:31
 To: [EMAIL PROTECTED]
 Subject: [ISN] Simple passwords no longer suffice

 http://www.cnn.com/2004/TECH/ptech/06/01/beyond.passwords.ap/index.html

 June 1, 2004

 (AP) -- To access her bank account online, Marie Jubran opens a Web
 browser and types in her Swedish national ID number along with a
 four-digit password.

 For additional security, she then pulls out a card that has 50
 scratch-off codes. Jubran uses the codes, one by one, each time she
 logs on or performs a transaction. Her bank, Nordea PLC,
 automatically sends a new card when she's about to run out.

 As more Web sites demand passwords, scammers are getting more clever
 about stealing them. Hence the need for such passwords-plus
 systems.

 Scandinavian countries are among the leaders as many online
 businesses abandon static passwords in favor of so-called two-factor
 authentication.

 A password is a construct of the past that has run out of steam,
 said Joseph Atick, chief executive of Identix Inc., a Minnesota
 designer of fingerprint-based authentication. The human mind-set is
 not used to dealing with so many different passwords and so many
 different PINs.

 When a static password alone is required, security experts recommend
 that users combine letters and numbers and avoid easy-to-guess
 passwords like 1234 or a nickname.



_
ISN mailing list
Sponsored by: OSVDB.org

--- end forwarded text
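A small model of the SAC scheme described in the forwarded post, added here as an example; it is not the poster's code, and the eight SAC strings and the account notes in it are constructed stand-ins rather than the values from the post. It composes a password from an index note such as 452 exactly as the post describes, and then measures the two things a reviewer would want to know before adopting the scheme: how little the index database protects once the SACs are known, and how much reuse of the same building blocks across accounts couples those accounts together.

```python
"""Model of the "SAC" password scheme from the forwarded post.

Added example, not the poster's own code. The SAC strings and the
account notes below are constructed for illustration; they are not the
values that appear in the post.
"""
from itertools import permutations
from math import log2

# Constructed sample secrets: eight memorized strings, as in the post.
SACS = {
    1: "k7Rm2qwe",
    2: "Bv9!tz",
    3: "h0pLs4dQr",
    4: "aZ3^nn",
    5: "Qt81rW",
    6: "mEx5c0",
    7: "pY4vv9Lk",
    8: "s2@Gh7",
}

# Constructed password-database entries: account -> order of SAC indices.
NOTES = {
    "hotmail": "452",
    "mail certificate": "183",
    "forum": "254",
}


def parse_note(note: str, sacs: dict = SACS) -> list:
    """Turn a note like "452" into [4, 5, 2].

    Rejects indices that are not SACs and repeated indices, which the
    scheme as described never produces.
    """
    indices = [int(ch) for ch in note]
    if any(i not in sacs for i in indices) or len(set(indices)) != len(indices):
        raise ValueError(f"malformed note {note!r}")
    return indices


def compose(note: str, sacs: dict = SACS) -> str:
    """The poster's rule: concatenate the chosen SACs in the noted order."""
    return "".join(sacs[i] for i in parse_note(note, sacs))


def note_space(n_sacs: int = 8, k: int = 3) -> int:
    """Ordered picks of k distinct SACs out of n_sacs.

    This is the entire search space of the index database once the SACs
    themselves are known; for 8 and 3 it is 336 candidates.
    """
    return sum(1 for _ in permutations(range(n_sacs), k))


def note_bits(n_sacs: int = 8, k: int = 3) -> float:
    """The same space expressed in bits (about 8.4 bits for 8 and 3)."""
    return log2(note_space(n_sacs, k))


def shared_secrets(account: str, notes: dict = NOTES) -> dict:
    """Other accounts that reuse any SAC of `account`, with the shared indices.

    The composed password is a plain concatenation, so a plaintext
    password exposed from one account (phishing page, keylogger, a site
    that stores passwords unhashed) exposes every SAC in it and weakens
    each account returned here, even though their passwords differ.
    """
    mine = set(parse_note(notes[account]))
    return {
        other: mine & set(parse_note(n))
        for other, n in notes.items()
        if other != account and mine & set(parse_note(n))
    }


if __name__ == "__main__":
    print("hotmail password:", compose(NOTES["hotmail"]))
    print("index space if SACs known:", note_space(), "=", round(note_bits(), 1), "bits")
    for acct in NOTES:
        print(f"{acct!r} shares SACs with:", shared_secrets(acct))
```

The numbers make the trade-off concrete: the database entry contributes at most 336 possibilities, so the scheme's strength is the secrecy of the eight memorized strings, and any password exposed in plaintext gives away three of them at once. A database that holds a distinct random password per account (with the database itself as the protected secret) does not have that coupling.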

