Re: Russia Intercepts US Military Communications?
> I'm amazed at their claims of radio interception.

1. Look for plaintext. This was rule #1 stated by Robert Morris Sr. in his lecture to the annual Crypto conference after retiring as NSA's chief scientist. You'd be amazed how much of it is floating around out there, even in military communications.

2. Wars are great opportunities to learn what other folks are doing for communications security. Whether or not you are a belligerent in the war, you clearly want to be focusing your interception capabilities on that battlefield and its supply and command trails. Besides operational errors made under stress, which can compromise whole systems, you just learn what works and what doesn't work among the fielded systems. And what works or not in your own interception facilities. Wars are much better than sending probe jets a few miles into an opponent's territory, to show you how their electronics work.

> One would expect that all US military communications, even trivial ones, are strongly encrypted, given the ease of doing this. Given the ease of writing strong encryption applications, I'm amazed that civilian communications are seldom -- very seldom -- encrypted.

Deployment and interoperability without introducing major vulnerabilities is much harder than just designing algorithms and writing code. It involves changing people's habits, patterns, and practices.

Remember, the cypherpunks cracked Clipper and DES, deployed the world's most widely used email encryption, secured any Web traffic that chooses to be secure, built a lot of the most popular network encryption. We beat back NSA's controlling hand, and encouraged a global spread of encryption expertise. We secured most of the Internet's control traffic (using ssh - thanks Tatu) to make it harder to break into the infrastructure. We're the A-team.
But our cellphones are still trivial to track and intercept; the vast majority of email, web, and IM traffic is totally unencrypted; ordinary phone calls are totally wiretap prone; our own new technologies like 802.11 have no decent encryption and no likelihood of a real fix that works everywhere by default; we know the government IS TODAY wiretapping tons of innocents in a feeding frenzy of corruption; the US government has mandated Stasi-like wiretap capabilities in every form of new communication (even where the law gives them no power, they arrogate it and largely succeed); the wiretappers have largely built an international consensus of cops to track and wiretap anybody anywhere; practical anonymity has significantly shrunken in the last decade; and even more traffic is moving onto wireless where legal or illegal interception is undetectable. We still fight endless intra-community battles that delay or derail deployment of existing encryption. The most widespread large-scale hard-to-crack systems are being deployed AGAINST the public interest -- by the copyright mafia.

If *we*, the victors in the crypto wars, couldn't get decent encryption deployed, even among ourselves, why would you expect that a government bureaucracy could do it among itself and its clients?

John

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: GPS phones confiscated from reporters in Iraq
http://www.newscientist.com/news/print.jsp?id=ns3567

It's nice to see that the US military realizes the terrible possibilities from tracking the movements of ordinary people (who happen to be soldiers or with soldiers). When will they get on the bandwagon demanding that person-tracking phones be banned -- rather than required -- by the FCC?

John
Re: NSA being used to influence UN votes on Iraq
JI questioned:

> Why is this even newsworthy? It's the NSA's responsibility to provide sigint and comint. Furthermore, if the delegates are not US citizens, and at least one end of the communication is outside the US, they are not even breaking any laws in doing so.

If the US found a similar memo from the French government, you can be sure it would be published immediately as newsworthy. At least in the lapdog US press.

NSA's instructions to find tidbits usable to sway Security Council members were newsworthy in the UK, because the UK government is warmongering to suck up to the US, while the UK populace is opposed to the war. So dirty tricks being played by the US and UK governments to impose their will on the world are interesting to the UK populace.

Most people regard wiretapping their opponents as an evil act, violative of privacy norms. Some people condone it in international relations on self-defense grounds; if your own life is threatened, then you gouge the other guy's eyes out, or chop off his hand, despite being revolted by doing that in normal life. But when wiretapping is used to overturn a legitimate sovereign government, which poses no obvious threat, then wiretapping is not justifiable on self-defense grounds. Civilized morality, rather than brute survival, becomes the defining standard. And the US is violating the standards of civilized morality by wiretapping its opponents (and its allies and neutrals) in an attempt to start a war of aggression.

> If the delegations can't be bothered to protect their own communications, it's their tough luck if they get intercepted.

Tell me, how well have the cypherpunks done, after a decade, at protecting their own communications? We're still mostly talking in the clear, as far as I can tell. And no cypherpunk, to my knowledge, is well defended against the kinds of miniature bug that would routinely be planted in every suit jacket laundered anywhere near the UN Building.

What was most interesting for me about that NSA message was that it said they needed to add surge capacity on some countries on the Security Council. Notably absent from the list was Mexico, which is on the Security Council. I guess NSA is already monitoring Mexican diplomatic communications so well that they didn't need to add any capacity.

John

PS: I spent a few weeks in Mexico last month. The majority of Mexicans want peace, as does their populist leader. Spain tried to sway Mexican president Vicente Fox from the peace position, and got nowhere. People who have recently experienced war first-hand tend to view it as more of a last resort, compared to people who have only experienced war via TV, videogames, and economic downturns.
NASA/NSA searching for Shuttle encryption system
AP reported on Feb 7 that NASA is looking for a "secret device that encrypts communication between the shuttle and ground controllers". If someone else finds it they could study the technology, says the AP.

Sounds like fun for cypherpunks. Anybody seen it on eBay? :-)

Alternatively, c'punks could plant fake mil-spec DES or CPRM encryption boxes around Louisiana and Texas in the hope that foreign spies will find them and 'crack' them.

John
Re: RIAA turns against Hollings bill
> How does this latest development change the picture? If there is no Hollings bill, does this mean that Trusted Computing will be voluntary, as its proponents have always claimed? And if we no longer have such a threat of a mandated Trusted Computing technology, how bad is it for the system to be offered in a free market?

The detailed RIAA statement tries to leave exactly this impression, but it's the usual smokescreen. Check the sentence in their 7 policy principles joint statement, principle 6:

    ... The role of government, if needed at all, should be limited to enforcing compliance with voluntarily developed functional specifications reflecting consensus among affected interests.

I.e. it's the same old game. TCPA is such a "voluntarily developed functional spec". So is the broadcast flag, and the HDCP copy protection of your video cable, and IBM's copy-protection for hard disk drives. Everything is all voluntary, until some competitor reverse engineers one of these, and builds a product that lets the information get out of the little consensus boxes. Consumers want that, but it can't be allowed to happen. THEN the role of government is to eliminate that competitor by outlawing them and their product.

John
Air ID: Gilmore v. Ashcroft: Friday AM hearing in SF
will argue that the case should not be dismissed, in the courtroom of Judge Susan Illston, on the 19th floor of the San Francisco Federal Building, 450 Golden Gate Avenue at Polk St, at 9AM on January 17, 2003.

If you think airport security is out of hand, show up. If you think Total Information Awareness is a terrible idea, show up. (CAPPS 2 is the version of TIA they'll roll out in airports in 2003, and it all hangs on the demand for your ID.) If you think John Ashcroft is a traitor to the Constitution he swore to uphold, show up. If you think every free citizen should not be routinely treated like a suspected terrorist, show up.

Wear good clothes and be polite. Impress the judge with the seriousness of your interest in these issues.

Oh yes, you'll have to show ID to get into the Federal Building. That's unconstitutional too, but not the subject of this particular case.

You can read all the case documents at: http://cryptome.org/freetotravel.htm

Thank you.

John Gilmore
Re: DeCSS, crypto, law, and economics
> The truly amazing thing about this case is that the crime would not have occurred if the studios had used decently-strong crypto. It's ironic that in an age when cryptographers enjoy a historically-unprecedented lopsided advantage over cryptanalysts, the industry adopted a system that could be cracked by amateurs. This probably wasn't simply due to stupidity in the industry; it is more plausibly attributed to stupidity in the US export regulations which induced the industry to use 40-bit keys.

Actually, the scheme was invented in Japan, and the predecessor-in-interest to the DVD-CCA, Matsushita, designed it to be weak because Japanese export laws prevented the export of more than 40-bit encryption. The US had pressured Japan to impose 40-bit crypto export controls. The Japanese laws didn't change, even after EFF's Bernstein lawsuit and commercial firms' political pressure forced US policy to become sensible. Last I heard, crypto export is still a morass in Japan.

> US law is not the same as Norwegian law. You should not imagine that this case sets a precedent for US courts.

Correct, but. One of the basic prongs of the entire DVDCCA trade secret series of cases was that the reverse-engineering had been illegal in Norway. If it wasn't illegal to do it, it wasn't illegal to reproduce the results of it. Since Norwegian courts have determined that it wasn't illegal to reverse-engineer it, there is no case against any of the defendants. Like Matt Pavlovich, Andrew Bunner, and many dozens of other people who DVDCCA have been trying to drag into California courts. You may not have noticed, but EFF and its pro-bono partners have been spending major time on winning these cases. The Norwegian decision will make it much easier.

> For normal products, market segmentation is neither forbidden by law nor protected by law. ... The law is silent on the issue.

This is false.

Market segmentation by country is deliberately outlawed by free trade laws and treaties, which exist to benefit consumers by letting them import whatever products they want from other countries. For example, in New Zealand, the DVD region-code system was found to violate their free-trade laws, and therefore New Zealand never permitted one-region players to be sold there.

The Coors brewery tried to limit distribution of their beer to certain Western states. They failed. My local liquor store in Washington, DC made a ton of money bringing in semi-loads of Coors, in violation of Coors company policy, and selling them to thirsty expatriate Rocky Mountainers.

Similarly, the US Supreme Court recently struck down laws in many US states that prohibited the interstate purchase of wine and other products. These laws were all designed to benefit local producers, at the expense of local consumers. Most of these laws were wrapped up in a cloak of "consumer protection against shoddy products" or "protection of minors" but it was easy to pierce that veil to see the monopoly interest.

(This is not to say that market segmentation is dead in the US! Many continue. The federally supported Milk Compact deliberately segments the New England market and costs consumers of milk many billions of dollars per year. The federal DMCA has nothing to do with protecting copyrights and everything to do with protecting monopolies, as the judge agreed in the 2600 case. Many state and local laws continue to restrict entry into fields such as lawyering, surveying, haircutting, and even carpentry (union shop laws). Producers are always looking for political opportunities to outlaw their competition, and there are always corrupt people inside governments, who are happy to oblige.)

> We should try to avoid overwrought arguments about the morality of market segmentation and/or arbitrage.

Unfortunately you set the wrong tone by starting as apologist for it.

> In fact it is easy to demonstrate that _some_ market segmentation is good for society as a whole.

The kind of segmentation your graphs rely on can easily be created by *time* segmentation. Producers start off charging high prices for their goods, and then gradually reduce the prices as they ramp up volumes, pay off their startup costs, learn the desires of their market better, etc. This gets the social benefit you desire, without propping up any artificial forms of segmentation. Of course, there are always people who will claim that people aren't free to change their prices up or down over time. (After the earthquake, according to those folks, bottled water should sell for the same price as before, even if at that price the entire supply has sold in two hours, to the people who value the water least.)

> The closest they could come was to make it slightly hard to get a _multi-region_ player. The manufacturers of player hardware had to do the studios' bidding because of the controversial (to say the least) anti-circumvention provisions of the 1998 DMCA law.

That's not actually true.
Why we spent a decade+ building strong crypto security
The US government's moves to impose totalitarian control in the last year (secret trials, enemies lists, massive domestic surveillance) are what some of the more paranoid among us have been expecting for years. I was particularly amused by last week's comments from the Administration that it'll be too hard to retrain the moral FBI agents who are so careful of our civil rights -- so we'll need a new domestic-spying agency that will have no compunctions about violating our civil rights and wasting our money by spying on innocent people. While there's plenty of fodder for argument among the details, the overall thrust of the effort seems pretty clear.

Now's a great time to deploy good working encryption, everywhere you can. Next month or next year may be too late. And even honest ISPs, banks, airlines (hah), etc, may be forced by law or by secret pressure to act as government spies. Make your security work end-to-end.

Got STARTTLS? Got IPSEC? Got SSH? Use it or lose it.

John Gilmore
Re: AIR TRAVELER ID REQUIREMENT CHALLENGED
> I was browsing some of my old mail when I came across this. What's the status of Gilmore's case?

The regulations I'm challenging purport to require air and train travelers to show a government issued ID. Every traveler has been subjected to these requirements, but it turns out that they aren't really required by any published law or regulation. And if you refuse to meet the supposed requirements, you find out that there are alternative requirements, that they weren't telling you about.

The government has responded, as have the airlines. Their response is to ask the court to dismiss the case, as expected. See the web site http://cryptome.org/freetotravel.htm for copies of their motions. The Federal one has the most interesting arguments.

In summary, they argue that I can't challenge the no-fly list or anything other than the ID demand because, having not shown ID, the no-fly list was not applied to me; that I can't sue in a District Court anyway because the Court of Appeals is supposed to have original jurisdiction; that the government can make any rule it wants which relates to air security, and penalize the public over violations, without ever telling the public what the rule is; that being refused passage unless I present an ID does not infringe my constitutional right to travel anyway; that being prevented from traveling anonymously does not implicate any First Amendment interests; that every possible form of airport security is a fully constitutional 4th-Amendment search; and that since my right to travel is not being infringed, these searches give me equal protection just like all members of the public, because any 'rational' reason for singling out anonymous travelers will suffice.

If everyone shows ID to fly, and they can get away with preventing anonymous travel, it becomes easy for the government to single out e.g. members of the Green Party. (If no ID was required, any persecuted minority would soon learn to book their tickets under assumed names.)

The Nixon Administration had its enemies list, who it subjected to IRS audits and other harassment. But even that evil President didn't prevent his enemies from moving around the country to associate with anyone they liked. The Bush Administration's list interferes with freedom of association and with the constitutional right to travel.

As my experience on July 4th, 2002, in the San Francisco airport demonstrated, citizens are free to not show ID to fly, if they spend half an hour arguing with security personnel over what the secret rules actually say. But then, catch-22, the citizen can board the plane only if they'll submit to a physical search like the ones that Green Party members and other "on the list" people are subjected to. So, you can identify yourself to them and be harassed for your political beliefs, unconstitutionally. Or you can stand up for your right to travel anonymously, and be searched unconstitutionally. Or you can just not travel. That's why I'm suing Mr. Ashcroft and his totalitarian buddies.

The government motion to dismiss my case is filed at: http://cryptome.org/gilmore-v-usa-fmd.pdf
The index to all the related documents is at: http://cryptome.org/freetotravel.htm

> Has there been a secret trial?

No. We will file a response to this motion by approx Dec 1. Then they will file their reply in mid December or so. Both of those will go on the web site. (If anybody wants to OCR the PDFs of the gov't documents, please go for it and email me the text.) Then the court will read all this stuff, and we'll have a hearing, which is tentatively scheduled for mid-January.

John
Paul Wouters: Update Tapping in the Netherlands
[Paul has been tracking Dutch government requirements that ISPs implement covert wiretaps against their customers -- and the technical standards of the equipment that does it -- for a few years. See www.opentap.org. --gnu]

From: Paul Wouters [EMAIL PROTECTED]

Update tapping in the Netherlands, August 12, 2002
(also available at: http://www.opentap.org/aug12-update.html)

Here is a small update on matters in the Netherlands. Mostly the updates focus around the Dutch organisation for ISPs, NLIP's conference talk at Megabit (www.megabit.nl, now apparently already defunct) but some other information that surfaced in the last weeks has been included as well. Some of the internet media has also been mentioning little bits, I assume as a result of asking what NLIP was going to say at Megabit, eg:

http://www.webwereld.nl/nieuws/12068.phtml
http://www.webwereld.nl/nieuws/12102.phtml

In short, the new organisation NBIP has seen the light. Webwereld mentions the ISPs that are in the co-operation: ZonNet, Inter NL Net, IntroWeb, PSInet, Internet Access Facilities and Netland. Another 7 committed to joining the organisation when it would see the light, according to Van Stam. This means around 14 ISPs will bundle their tapping equipment, in an attempt to make it affordable.

A new central organisation to co-ordinate all tapping, the LIO (Landelijk Interceptie Orgaan), which was planned to take over tapping matters in a few years, has been rushed into existence as a result of September 11, and is expected to be fully operational before the end of the year. I believe it will handle the tapping warrants, and infrastructure (though the latter might be outsourced, but not to ITO) of the government side of lawful interception (eg T1's and prob. some T2's). All tapping requests, whether from regular police (KLPD), a special department (eg tax office FIOD) or our security service (AIVD) or the military (MIVD) should go through the LIO.

(I think this means the LIO will operate the T1's, the machines to accept the traffic from the ISPs, and perhaps the T2's, the machines that collect/decrypt the suspect's data, for some agencies, eg KLPD, FIOD, but I'd guess not the AIVD/MIVD.)

DGTP, the Directoraat Generaal Telecommunicatie en Post (who now have their own website, http://www.dgtp.nl/) has been moved to a different department as of Jul 22nd. Formerly part of the Ministerie van Verkeer en Waterstaat ('traffic and waterways'), it now falls under the Ministerie van Economische Zaken ('Economic Affairs').

In June 2002, the new version of the WIV law (Wet op de inlichtingen- en veiligheidsdiensten) came into effect. For some discussion and a link to the law text, see: http://www.netkwesties.nl/editie33/artikel2.html

In June, the results of bake off 1 got formulated in a new version of the tapping specification, TIIT v 0.9.9. This document has not surfaced into the public domain yet. However, a final version of the document, version 1.0.0, is expected in September (expected not meaning released). At that point, a third bake off will start, which focusses on the paperwork side of things, including the electronic paperwork (eg: HI1 in FuncSpec terms).

Only three vendors were part of the current testing/bake off:

- Pine / ENAI
- Accuris (Group 2000)
- SS8 (Formerly ADC)

Currently, the following vendors are also in testing phases:

- IDD (Innovative Design Delft)
- Heynen (with GTEN)
- Aqsacom (with Riser)
- Digivox
- Verint Systems (formerly Comverse Infosys)

A new Directive (Algemene Maatregel van Bestuur, named Beveiliging gegevens Aftappen) is being written. It will contain the requirement for ISPs to have a secure FAX to which the LEA can fax the tap order, along with the NAW (name, address, city) to the LIO and DGTP. Ironically, current law dictates warrants should arrive on CD-ROM in XML format, but as can be seen from bake off 3, this isn't reality yet.

Another interesting item in the Directive is that all ISPs should at least appoint one person as liaison to the government regarding tapping. This person will be checked by the BVD (AIVD or whatever you want to call them these days), a so-called "antecedenten onderzoek".

Another requirement is to send the LIO a Provider ID necessary for the TIIT spec (so the government can see which ISP sent the information). You cannot request a number, you're not assigned a number. You need to make one up, and hope it's not taken, or otherwise come up with a new one. It's unclear to me why they don't just assign ISPs a number. NLIP advises to use your IANA Enterprise Number, but most ISPs probably don't even have one.

Buma-Stemra, our local RIAA/MPAA, apparently lost their special rights, and can no longer order a tap (I'm not entirely sure how they could order this in the past).

Where telcos have to have a tap operational in 12 hours, there has not been a set time for ISPs yet. It has been defined as "without delay", in article 25 of the new WIV law.
Re: responding to claims about TCPA
I asked Eric Murray, who knows something about TCPA, what he thought of some of the more ridiculous claims in Ross Anderson's FAQ (like the SNRL), and he didn't respond. I believe it is because he is unwilling to publicly take a position in opposition to such a famous and respected figure.

Many of the people who know something about TCPA are constrained by NDA's with Intel. Perhaps that is Eric's problem -- I don't know.

(I have advised Intel about its security and privacy initiatives, under a modified NDA, for a few years now. Ross Anderson has also. Dave Farber has also. It was a win-win: I could hear about things early enough to have a shot at convincing Intel to do the right things according to my principles; they could get criticized privately rather than publicly, if they actually corrected the criticized problems before publicly announcing. They consult me less than they used to, probably because I told them too many things they didn't want to hear.)

One of the things I told them years ago was that they should draw clean lines between things that are designed to protect YOU, the computer owner, from third parties; versus things that are designed to protect THIRD PARTIES from you, the computer owner. This is so consumers can accept the first category and reject the second, which, if well-informed, they will do. If it's all a mishmash, then consumers will have to reject all of it, and Intel can't even improve the security of their machines FOR THE OWNER, because of their history of security projects that work against the buyer's interest, such as the Pentium serial number and HDCP.

TCPA began in that "protect third parties from the owner" category, and is apparently still there today. You won't find that out by reading Intel's modern public literature on TCPA, though; it doesn't admit to being designed for, or even useful for, DRM. My guess is that they took my suggestion as marketing advice rather than as a design separation issue. "Pitch all your protect-third-party products as if they are protect-the-owner products" was the opposite of what I suggested, but it's the course they (and the rest of the DRM industry) are on. E.g. see the July 2002 TCPA FAQ at:

http://www.trustedcomputing.org/docs/TPM_QA_071802.pdf

    3. Is the real goal of TCPA to design a TPM to act as a DRM or Content Protection device?
    No. The TCPA wants to increase the trust ... [blah blah blah]

I believe that "No" is a direct lie.

Intel has removed the first public version 0.90 of the TCPA spec from their web site, but I have copies, and many of the examples in it mention DRM, e.g.:

http://www.trustedcomputing.org/docs/TCPA_first_WP.pdf (still there)

This TCPA white paper says that the goal is "ubiquity". Another way to say that is monopoly. The idea is to force any other choices out of the market, except the ones that the movie and record companies want. The first scenario (PDF page 7) states: "For example, before making content available to a subscriber, it is likely that a service provider will need to know that the remote platform is trustworthy."

http://www.trustedpc.org/home/pdf/spec0818.pdf (gone now)

Even this 200-page TCPA-0.90 specification, which is carefully written to be obfuscatory and misleading, leaks such gems as:

    These features encourage third parties to grant access to by the platform to information that would otherwise be denied to the platform (page 14).

    The 'protected store' feature...can hold and manipulate confidential data, and will allow the release or use of that data only in the presence of a particular combination of access rights and software environment. ... Applications that might benefit include ... delivery of digital content (such as movies and songs). (page 15).

Of course, they can't help writing in the DRM mindset regardless of their intent to confuse us. In that July 2002 FAQ again:

    9. Does TCPA certify applications and OS's that utilize TPMs?
    No. The TCPA has no plans to create a certifying authority to certify OS's or applications as trusted. The trust model the TCPA promotes for the PC is: 1) the owner runs whatever OS or applications they want; 2) The TPM assures reliable reporting of the state of the platform; and 3) the two parties engaged in the transaction determine if the other platform is trusted for the intended transaction.

The transaction? What transaction? They were talking about the owner getting reliable reporting on the security of their applications and OS's and -- uh -- oh yeah, buying music or video over the Internet.

Part of their misleading technique has apparently been to present no clear layman's explanations of the actual workings of the technology. There's a huge gap between the appealing marketing sound bites -- or FAQ lies -- and the deliberately dry and uneducational 400-page technical specs. My own judgement is that this is probably deliberate, since if the public had an accurate 20-page
Canadian CSE wiretaps used against US citizens in court
[CSE = Canada's NSA. Supposedly legal under Patriot Act? --gnu]

http://cryptome.org/

Canadians Listen in on NSA's Behalf

A high-level U.S. intelligence source has revealed exclusively to Intelligence Online that some of the communications surveillance evidence used by the U.S. government to try two Lebanese-born U.S. citizens of running a cigarette smuggling ring and sending cash to Hezbollah was collected by Canada's Communications Security Establishment (CSE), the Canadian counterpart of the National Security Agency and a long-standing partner of Echelon. The Canadian intercept data supplemented FBI wiretap evidence that a federal judge in Charlotte, North Carolina allowed to be entered into evidence in the trial of the two Shi'ite brothers, Mohammed and Chawi Hammoud. On June 21, the Hammoud brothers were convicted on a wide range of charges, with Mohammed specifically being found guilty of aiding a terrorist group.

In the past, NSA has denied that it uses its Echelon partners to eavesdrop on U.S. citizens. In the instance, however, judge Graham Mullen allowed Canadian intercept information to be used. The case illustrated changes in electronic surveillance policy that were enacted by Congress following the Sept. 11 terror attacks. Still, charges that Echelon partners help one another out in covert operations aren't entirely new. In the 1980's, Britain's GCHQ was accused of asking its partners abroad to listen in on journalists who were investigating the business affairs of prime minister Margaret Thatcher's son, Mark.

Excerpted from Intelligence Online newsletter, No 434, 25 July - 28 August 2002, www.intelligenceonline.com.

Cryptome offers the USA v. Mohammed Hammoud, et al case docket (no filings are available online): http://cryptome.org/usa-v-mh-dkt.htm
Re: A risk with using MD5 for software package fingerprinting
A small PS to my last message. In 1978 I was lent an Apple II running the ABBS software (Apple Bulletin Board System), and it ran in a corner of my bedroom for some years as the PCnet ABBS in San Francisco. This was a machine with an 8-bit 1 MHz processor, 48K of RAM, and a custom floppy that held maybe 100 or 200K bytes; no hard drive. It did email for a regular community of dozens of users, and hundreds of assorted visitors, on a single 300-baud phone line. While getting the PCnet (uucp-like packet-switching and email transfer) software running on this beast, I also improved the ABBS software, which was written in Applesoft (Microsoft) BASIC and thus came with its own source code. One day I found a very interesting line in that code. It went something like this: 18520 if (%K.eq.%U5) goto 3700 You needed a lot of context to understand that this was a backdoor in the ABBS software. It compared K, the message number that the caller had just asked the BBS to delete, with the machine address of an I/O port U5 that the BBS used to talk to the modem or something. If the message number and the I/O address matched, it would jump into another bit of BASIC code at line 3700, which was where it handled commands for the local Apple operator of the BBS, including what is now called shell access. So asking the ABBS to delete message number 32547 or so would give you operator privileges. This obscure line among thousands, placed just so, could do that. This is why only someone who actually understands the code at a deep level is likely to find back doors like this. I deleted that line, and put out an alert to other ABBS users that the author of the ABBS software had inserted a back-door in it. I think that was the only deliberately build backdoor I've ever found in a piece of software or hardware. (Well, not counting NSA's designs for cellular phone encryption algorithms, key exchange protocols, and the Clipper chip. Or the weakening of DES in the first place.) 
(All the variable names and line numbers in this story have been changed to protect the innocent -- and to avoid me having to try to dig out probably nonexistent printouts of that software. But if you have the ABBS BASIC source, look in the 'K' (kill message) command section.) John
Re: PGP GPG compatibility
These days, PGP is effectively useless for interoperable email. If you have not prearranged with the recipient, you can't exchange encrypted mail. And even if you have, one or the other of you will probably have to change your software, which will produce other ripple effects if you are trying to talk to TWO different people or groups using encrypted email. PGP compatibility problems started with Phil Zimmermann's deliberate decision to eliminate compatibility with RSA keys. Once that problem existed, disabling communication with anyone who used PGP before late 1997, nobody else seemed to mind introducing all sorts of lesser incompatibilities, including many mere bugs. Having wrestled with these problems for years, my guess is that we need to abandon PGP and spec something else, probably in the IETF. (Perhaps we might be able to shortcut that process if the OpenPGP standards effort actually produces many compatible implementations including NAI's, and/or if NAI falls apart and every other implementation meets the IETF specs.) Note, however, that there are many things that OpenPGP doesn't do, making encrypted email still a pretty sophisticated thing to do. Brad Templeton has been kicking around some ideas on how to make zero-UI encryption work (with some small UI available for us experts who care more about our privacy than the average joe). http://www.templetons.com/brad/crypt.html John
Re: FreeSWAN US export controls
Or is there something we should be doing to get RedHat, and Debian, and other US-based distributions to include it? Absolutely. It's already pretty secure. We should just make it trivial to install, automatic, transparent, self-configuring, painless to administer, and free of serious bugs. Then they'll have every reason to drop it in. John
Baltimore Sun: MD police seek easier wiretaps
http://www.sunspot.net/news/custom/guns/bal-wiretap03.story?coll=bal-home-headlines Md. police seek law for easier wiretaps Use of technology by criminals outruns current authority By Sarah Koenig Sun Staff Originally published January 2, 2002, 9:16 PM EST Aware that police might be eavesdropping, drug dealers not only watch what they say on their cell phones. They burn their phones, and bust them. They create phantom phone numbers and treat a handset the way a tourist might treat a disposable camera, discarding it after a few good shots. As prosecutors and detectives in Baltimore increase the use of wiretaps against major drug organizations, they have discovered that their targets' phone capabilities outpace their own. To catch up, law enforcement officials from across Maryland are proposing legislative changes that would expand and simplify the use of wiretaps. A principal objective is to be able to quickly switch a wiretap from phone to phone, mirroring a suspect's maneuvers. Over the last couple of years, as we've been doing more of these wiretap investigations, we've come face to face with what the shortcomings are, said city State's Attorney Patricia C. Jessamy, who will hold a news conference on the issue today. But efforts to streamline the wiretap application process, which is now closely reviewed by a judge, are sure to meet some opposition in the General Assembly from the American Civil Liberties Union, among others. There is reason to be concerned that the police will become Big Brother, said Maryland ACLU spokesman Dwight Sullivan. We want police to be aggressive in fighting crime, but we also need to have the barrier between the aggressiveness and the public, and that barrier is the judge. Wiretapping is the most intrusive and sophisticated investigative tool police have, to be used only when more conventional methods are exhausted. 
Maryland's wiretap laws, which require more judicial oversight and offer less flexibility than those of most other states, were last updated in 1988, back when having a pager was cool. Since then, investigators say, technology and sophistication have shot ahead. It's not unusual for drug organizations to buy cell phones in bulk, making sure not to use one line for more than a few days. In one Baltimore case, a suspect owned about 50 cell phones. Current law is geared more toward the phone than the suspect, requiring investigators to reapply for a new warrant each time they want to listen to a new line -- a process that means writing about 100 pages of affidavits explaining to a judge why the wiretap is crucial to a case. Rewriting the warrant application also slows down an investigation, sometimes at a crucial moment. In July, for instance, Eric L. Buckson, 31, a now-convicted drug dealer serving a 40-year prison sentence, had just met with a cocaine source when he noticed someone following his car. He hit a parked vehicle, then another. His car burst into flames and he ran away, leaving the drugs and his tapped cell phone to get drowned by firefighters. To Buckson, the incident was probably a scare and a nuisance. To investigators it represented a significant obstacle: Within hours, Buckson was using a new phone, but it would take prosecutors much longer to apply for a new wiretap. By the end of the investigation, prosecutors would tap 15 different phones, creating 22,000 pages of evidence. Maj. Anthony G. Cannavale, commander of the Baltimore Police Department's drug enforcement unit, said changes to the law would help reduce the criminals' advantage. It's always a game of wits with the drug dealers, he said. We're really at a breakwater point, where if we don't get a handle on the technology, we're going to be out of business. 
In the past couple of years, Baltimore has greatly expanded its use of wiretaps in an effort to move from street arrests of low-level drug pushers to kingpins with international narcotics connections. The city Police Department and State's Attorney's Office have created special technology units, and they perform more wiretap investigations than any other jurisdiction in Maryland. Though wiretaps consume enormous amounts of time and money, their success is undeniable, as compiled in a recent report prepared by Jessamy's office: In the past two years, wiretaps have led to the dismantling of nine drug organizations -- a total of 118 defendants with links to Colombia and the Dominican Republic, and the seizure of nearly $800,000, 66 cars, 84 guns, 14 kilos of heroin and 10.5 kilos of cocaine. But criminals are becoming more savvy about wiretaps, thanks in part to the recent investigations. Cannavale said his officers have found wiretap affidavits, which include extensive surveillance details, when doing searches in drug dealers' houses -- documents probably provided by their lawyers. In
Re: Steganography covert communications - Between Silk and Cyanide
generally, imagine you are a consultant to some nefarious organization and think about what it would take to convince them that the method you propose is safe, capable of being taught to their covert agents, and tolerant of the inevitable slip ups in the field (and remember their attitude toward warranty disclaimers). Along these lines I can't help but recommend reading one of the best crypto books of the last few years: Between Silk and Cyanide Leo Marks, 1999 This wonderful, funny, serious, and readable book was written by the chief cryptographer for the 'nefarious organization' in England which ran covert agents all over Europe during WW2 -- the Special Operations Executive. He found upon arriving (as a teenager) that agents were constantly dying in the field because of poor codes and poor encryption and radio transmission practices. Their bad systems had been penetrated for years, and in some countries such as the Netherlands, all of their agents had been killed or captured by the Germans. He shored up their poor systems until he could work around the bureaucracy to get them replaced. He taught the receiving code clerks in England how to decode even garbled messages, rather than asking agents to re-send them. (Re-sends of the same text gave the enemy even more trivial ways to crack the codes.) He trained each outgoing agent in good coding practices, then watched heartbroken as many were captured. He independently reinvented one-time pads, and had them printed on silk. They could be sewn into the linings of clothing for non-detection even during searches by the enemy, and so that as each part was used, it could be cut off and burned to keep previous messages secret (providing forward secrecy). Leo Marks died almost a year ago, but fortunately he wrote down much of the practical knowledge that came from making and breaking codes for a covert organization working in a very hostile environment. 
Here is his AP obituary: http://surf.bookwire.com/news/authors/2001/01/22/wstm-/2440-1571-Britain-Obit-Marks..html John Gilmore
Re: Stegdetect 0.4 released and results from USENET search available
Niels Peter, congratulations on finding no secret messages. This is why computers are getting faster -- so we can spend more and more time searching out the lack of any information being communicated. An obvious step is to extend your detector to handle other formats besides JPEG. That would involve more 'research' than merely running it on other collections of images (e.g. JPEGs pulled from the Web in the Internet Archive collection, or from your own crawler). [Other people can also do the work of running your publicly released software against other collections. It would take more talent to write something that processes other formats.] By the way, I'm interested in what steganographic messages you are finding in the plaintext tags in JPEG files. I've heard that some cameras mark each photo with the serial number of the camera, date, etc. You can probably also detect what model of camera produced the image (based on exactly what tags it puts in the image, whether there's a thumbnail, what the filename is, etc). (Jpegdump provides an easy way to see these tags.) Remember how Microsoft Word documents encode the Ethernet address of the PC on which they were created, and how this has been used in several high-profile cases to track documents to individuals? I am a lot more concerned about popular cameras that spy on their own users, than I am about the occasional subliminal message sent through the Usenet. It would be useful to have a tool that removes all the nonessential tags from a jpeg file, a 'stegremover' to delete any spyware that your camera has left behind, as well as a detector, and a hall of shame page for manufacturers who are building that spyware. John PS: Cypherpunks, where *are* you putting your secret messages? Give us a hint! Surely *somebody* in this crew must be leaving some bread-crumbs around for Niels and NSA to find... :-)
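The 'stegremover' John asks for above, as an added example that is not part of the original post and not stegdetect's own code: a small C routine that walks the JPEG marker segments ahead of the start-of-scan marker and drops the APPn and COM segments, which is where EXIF data, maker notes, thumbnails and free-text comments live, while leaving the quantization and Huffman tables and the entropy-coded image data untouched. A second entry point only counts those segments, which is the crude "does this file carry camera tags at all" check. The embedded sample JPEG is constructed for the illustration; its DQT and SOS payloads are placeholders, not decodable picture data.

```c
/* Added example: strip metadata segments (APP0..APP15, COM) from a JPEG.
 * Not code from the original post or from stegdetect. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* APPn (0xE0-0xEF) and COM (0xFE) carry EXIF, maker notes, thumbnails and
 * comments; a decoder does not need any of them. */
static int is_metadata_marker(uint8_t m)
{
    return (m >= 0xE0 && m <= 0xEF) || m == 0xFE;
}

/* Markers that carry no length field (TEM, RST0-RST7). */
static int is_standalone_marker(uint8_t m)
{
    return m == 0x01 || (m >= 0xD0 && m <= 0xD7);
}

/* Walk the marker segments up to SOS. Every segment is copied to 'out'
 * (when out is non-NULL) unless it is a metadata segment and 'drop' is
 * set. From SOS on, the entropy-coded image data is copied verbatim.
 * Returns the number of output bytes, or 0 if the header is malformed. */
static size_t jpeg_walk(const uint8_t *in, size_t n, uint8_t *out,
                        int drop, size_t *meta_count)
{
    size_t i = 2, o = 2, meta = 0;
    if (n < 4 || in[0] != 0xFF || in[1] != 0xD8) return 0;   /* SOI */
    if (out) { out[0] = 0xFF; out[1] = 0xD8; }
    while (i + 2 <= n) {
        if (in[i] != 0xFF) return 0;
        uint8_t m = in[i + 1];
        if (m == 0xFF) { i++; continue; }                     /* fill byte */
        if (is_standalone_marker(m) || m == 0xD9) {           /* no length */
            if (out) memcpy(out + o, in + i, 2);
            o += 2; i += 2;
            if (m == 0xD9) break;                             /* EOI */
            continue;
        }
        if (i + 4 > n) return 0;
        size_t len = ((size_t)in[i + 2] << 8) | in[i + 3];    /* counts itself */
        size_t seg = 2 + len;
        if (len < 2 || i + seg > n) return 0;
        if (is_metadata_marker(m)) {
            meta++;
            if (drop) { i += seg; continue; }
        }
        if (out) memcpy(out + o, in + i, seg);
        o += seg; i += seg;
        if (m == 0xDA) {                                      /* SOS */
            if (out) memcpy(out + o, in + i, n - i);
            o += n - i;
            break;
        }
    }
    if (meta_count) *meta_count = meta;
    return o;
}

size_t jpeg_strip_metadata(const uint8_t *in, size_t n, uint8_t *out)
{
    return jpeg_walk(in, n, out, 1, NULL);
}

size_t jpeg_count_metadata(const uint8_t *in, size_t n)
{
    size_t meta = 0;
    if (jpeg_walk(in, n, NULL, 0, &meta) == 0) return 0;
    return meta;
}

/* Constructed sample: SOI, an APP1 "Exif" stub, a COM segment naming a
 * camera, a placeholder DQT, a placeholder SOS header, a few bytes of
 * "image data" and EOI. It is not a decodable picture. */
static const uint8_t sample_jpeg[] = {
    0xFF, 0xD8,
    0xFF, 0xE1, 0x00, 0x08, 'E', 'x', 'i', 'f', 0x00, 0x00,
    0xFF, 0xFE, 0x00, 0x07, 'c', 'a', 'm', 'X', 'Y',
    0xFF, 0xDB, 0x00, 0x05, 0x00, 0x01, 0x02,
    0xFF, 0xDA, 0x00, 0x08, 0x01, 0x01, 0x00, 0x00, 0x3F, 0x00,
    0x12, 0x34, 0xFF, 0x00, 0x56,
    0xFF, 0xD9
};

size_t demo_metadata_before(void)
{
    return jpeg_count_metadata(sample_jpeg, sizeof sample_jpeg);
}

size_t demo_strip_len(void)
{
    uint8_t out[sizeof sample_jpeg];
    return jpeg_strip_metadata(sample_jpeg, sizeof sample_jpeg, out);
}

size_t demo_metadata_after(void)
{
    uint8_t out[sizeof sample_jpeg];
    size_t n = jpeg_strip_metadata(sample_jpeg, sizeof sample_jpeg, out);
    return jpeg_count_metadata(out, n);
}
```

On the 45-byte sample the stripper returns 26 bytes: the 10-byte APP1 and 9-byte COM segments are gone, everything from DQT through EOI is byte-identical. Dropping APP0 (JFIF) and APP14 (Adobe colour transform) is deliberate here since baseline decoders do not require them, but a cautious tool would keep APP14 when present, as it affects colour interpretation.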
Re: FreeSWAN US export controls
Anonymous said: The major problem that holds back the development of FreeS/WAN is with its management. [Management that cares more about sitting on its pulpit, than getting useful software into the hands of people.] Unless things have changed recently, they still won't accept contributions from the US. This makes no sense. GPG is shipping with every Linux distribution I know of, and the Germans take contributions from the US. (From the pulpit:) Once we kick John Asscroft's unconstitutional ash outta town, bush George Bust along with more than a thousand other innocents, and eliminate the spectre of Judd Gregg and other retrograde stalinists 're-regulating' US crypto, then we'll think about polluting the precious bodily fluids of worldwide freeware privacy protection with the stench of US crypto policy. It probably won't happen for a few months. Or hadn't you noticed that the US government is not in much of a mood to follow the constitution or to tolerate dissent or privacy among the sleepy sheeplike citizens? They're doing their best to stamp that radical stuff out right here in the USSA, let alone let it cross the border into parts of the world that they don't have firmly under their thumb. Less than 100% support for every paranoid and senseless twitch of the current Administration is a demonstration not only of treason but of active support for terrorism, which everyone knows is a terrible thing except when the US or Israel or Great Britain does it. Anybody reading this mailing list is already gonna be first up against the wall once the joy of arresting immigrant movers as 'terrorists' fades, and spying on 'domestic political groups' become fair game. Your packets are already in the lint screen on that big, big vacuum cleaner. And our new policy of maximum sentences for trivial 'crimes', like forgetting to file some form, reduces the expense and bother of actually trying suspects for the crimes that the agencies suspect them of. 
Of course you can confront your accusers! Did you or did you not jaywalk across Route 1 last July, Mr. May? The primary kernel developers have been willing to integrate crypto into the kernel since the crypto regs were lowered. It's the policy of no US contributions that's holding back Linux IPSEC. The reason I started the IPSEC-for-Linux project those many years ago was because Linux kernel releases used to be built in free countries, unlike the releases of most other operating systems. Now they aren't. Oops. Perhaps mr. or ms. 'anonymous' and the primary kernel developers didn't spend seven years making a principled tilt at the windmill of NSA's export controls. We overturned them by a pretty thin margin. The government managed to maneuver such that no binding precedents were set: if they unilaterally change the regulations tomorrow to block the export of public domain crypto, they wouldn't be violating any court orders or any judicial decisions. I.e. they are not BOUND by the policy change. They changed it voluntarily, in order to sneak out of the court cases by the back door. Even today it is sometimes said that once Dan Bernstein ends his court case (which still continues today), the NSA is ready, willing, and able to slap the controls right back on. And it would take months or years in court -- and lots more volunteer citizen money spent for freedom, while the bastards spend tax money to lock us up -- to get the controls removed again. If the judges haven't changed their minds in the meantime. (You may have noticed that last month, the Second Circuit Court of Appeals accepted Judge Kaplan's half-lies-half-truth judgment 3-0 in the 2600 case appeal: Yes, absolutely, software is First Amendment protected speech. But no, somehow the First Amendment really doesn't mean what it means elsewhere; of *course* they can regulate the publication of software on flimsy grounds. 
Like that sometime later, somebody somewhere might potentially be somewhat hurt by something somebody else does with the software, if we don't eliminate that option by restricting the publication of that software now. Suppose the next crypto export court case happens in NY rather than CA? EFF would be proud to defend John Young and Perry Metzger, but all its lawyers might be in prison, charged by John Asscroft with aiding terrorists by eroding our national unity and diminishing our resolve.) IMHO: If Freeswan had never been created, an alternate, more mature implementation would already exist in the mainline Linux kernel. Make my day. John Gilmore PS: Of course, the only software worth wasting your time on comes from those macho dudes of the U.S. of A. Those furriners don't even know how to speek the lingua proper, let alone write solid buggy code like Microsoft. High crypto math is all Greek to them. It's just lucky for Linus that he moved to the US, otherwise we'd all know his furrin software was crap too, even tho he tricked us by cloning it from
cypherpunks@toad.com is going away
The cypherpunks list degenerated a long time ago to the point where I have no idea why more than 500 people are still receiving it every day. As part of cleaning up the email system on toad.com, I plan to shut down the cypherpunks-unedited list, which receives all the traffic sent to [EMAIL PROTECTED], within the next week or two. I suggest that anyone who wants to talk or listen about encryption should send mail to: [EMAIL PROTECTED] with a one-line plain text message saying subscribe. This will begin the process of subscribing them to the Cryptography mailing list, which is edited to remove irrelevant postings and to keep the volume down and the discussion focused. (I tried to do this with the cypherpunks list some years ago, but was shouted down by people who complained of censorship. So I just left it unedited, with the expectable result that serious discussions deserted it.) If you were subscribed to the [EMAIL PROTECTED] list because you like to collect spam, talk with me personally and I'll see if I can help you. I have a large collection :-). The old cypherpunks-announce list was superseded many months ago by [EMAIL PROTECTED]. Cypherpunks-announce is no longer in existence. There remains a single encryption-related mailing list on toad.com, coderpunks which is for people who write code. John Gilmore
Re: California appeals court holds that DeCSS code is protected speech
Second, the court ruled that the preliminary injunction which the lower court had issued was an unconstitutional prior restraint on speech, but went out of its way not to answer whether damages and/or a permanent injunction after trial would suffer the same fate. Actually, the fact that the issue in question is a prior restraint -- a preliminary injunction issued before a full judicial determination about the merits of the case -- is what dominated their whole analysis. If they had analyzed a permanent injunction, they would have been straying way off into dicta. I think they did it right. They also spent a good bit of time showing how trade secrets don't get the same level of protection as First Amendment speech OR copyright (e.g. trade secrets are not in the constitution). This let them distinguish this case from the far-too-many cases in which preliminary injunctions are issued to censor speech because of an allegation of COPYRIGHT infringement. John
Re: Computer Security Division Activities
workshop is scheduled for November 1-2 at NIST. Registration is REQUIRED because of enhanced security procedures (i.e., so that attendees can be admitted to the NIST campus). Please see http://csrc.nist.gov/encryption/kms/workshop2-page.html for registration information. What is this lunacy about registering? Does someone seriously think that terrorists will attack the National Institute of Standards? Or that if they were serious about attacking, they wouldn't just pre-register their real or fake ID's so they'd be allowed in? This sort of idiocy just puts a barrier between the government and the public it is supposedly serving. And of course does nothing to actually improve the actual security. It's particularly galling since the meeting is supposedly among experts in computer security. Wouldn't it be much better to all go home and hide under the covers? That would make us feel much safer. Just like children, which is the way our government is treating us. I will not participate in activities that require me to identify myself to the government, or to be pre-vetted for attendance. John Gilmore
Re: chip-level randomness?
The real-RNG in the Intel chip generates something like 75 kbits/sec of processed random bits. These are merely wasted if nobody reads them before it generates 75kbits more in the next second. I suggest that if application programs don't read all of these bits out of /dev/intel-rng (or whatever it's called), and the kernel /dev/random pool isn't fully charged with entropy, then the real-RNG driver should feed some of the excess random bits into the /dev/random pool periodically. When and how it siphons off bits from the RNG is a separate issue; but can we agree that feeding otherwise-wasted bits into a depleted /dev/random would be a good idea? A better way to structure this might be for /dev/intel-rng to register with /dev/random as a source of entropy that /dev/random can call upon if it depletes its pool. /dev/random would then be making decisions about when to stir more entropy into the pool (either in response to a read on /dev/random, or to read ahead to increase the available pool in between such reads). Thus, when demand on /dev/random is high, it would become one of the application programs that would compete to read from /dev/intel-rng. Since /dev/random is the defined interface for arbitrary applications to get unpredictable bits out of the kernel, I would expect that in general, /dev/random is likely to be the MAJOR consumer of /dev/intel-rng bits. (Linux IPSEC uses /dev/random or /dev/urandom for keying material. It can easily consume many thousands of random bits per second in doing IKE's Diffie-Hellman to set up dozens of tunnels. Today this surge demand occurs at boot time when setting up preconfigured tunnels -- a particularly bad time since the system hasn't been collecting entropy for very long. /dev/intel-rng's high-speed stream can significantly improve the quality of this keying material, by replenishing the entropy pool almost as fast as IPSEC consumes it. 
Over time, IPSEC's long-term demand for random bits will increase, since opportunistic encryption allows many more tunnels to be created, with much less effort per tunnel by the system administrator.) Also, the PRNG in /dev/random and /dev/urandom may someday be broken by analytical techniques. The more diverse sources of true or apparent randomness that we can feed into it, the less likely it is that a successful theoretical attack on the PRNG will be practically successful. If even a single entropy source of sufficiently high speed is feeding it, even a compromised PRNG may well be unbreakable. John
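The source-registration design John sketches above, as an added example that is not part of the original post and not Linux driver code: a toy C entropy pool in which a hardware RNG driver registers a callback, and the pool pulls from that callback only when a read would exhaust its entropy estimate, topping itself up to full so that read-ahead covers the next few requests. The mixing function (FNV-1a folded across the pool), the xorshift stand-in for the Intel RNG, and the boot-time burst scenario are all constructed for the illustration; a real pool would mix with a cryptographic hash and credit hardware bytes according to the driver's own entropy estimate rather than at face value.

```c
/* Added illustration of a kernel-style entropy pool with a registered
 * hardware source. Toy code, not Linux's /dev/random or the Intel driver. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define POOL_BYTES 64
#define POOL_BITS  (POOL_BYTES * 8)

/* A registered source fills buf with up to len bytes, returns how many. */
typedef size_t (*entropy_source_fn)(uint8_t *buf, size_t len, void *ctx);

struct pool {
    uint8_t state[POOL_BYTES];
    size_t entropy_bits;        /* entropy credited to the pool, <= POOL_BITS */
    entropy_source_fn source;   /* e.g. the hardware RNG driver, or NULL */
    void *source_ctx;
    unsigned refills;           /* how often the pool pulled from the source */
};

/* Stand-in for the pool's mixing function: 64-bit FNV-1a folded across the
 * state. A real pool would use a cryptographic hash such as SHA-256. */
static void mix_block(uint8_t *state, const uint8_t *in, size_t len)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) { h ^= in[i]; h *= 0x100000001b3ULL; }
    for (size_t i = 0; i < POOL_BYTES; i++) {
        h ^= state[i]; h *= 0x100000001b3ULL;
        state[i] ^= (uint8_t)(h >> 56);
    }
}

void pool_init(struct pool *p) { memset(p, 0, sizeof *p); }

void pool_register_source(struct pool *p, entropy_source_fn fn, void *ctx)
{
    p->source = fn;
    p->source_ctx = ctx;
}

/* Stir data into the pool and credit it with 'credit_bits' of entropy. */
void pool_add(struct pool *p, const uint8_t *data, size_t len, size_t credit_bits)
{
    mix_block(p->state, data, len);
    p->entropy_bits += credit_bits;
    if (p->entropy_bits > POOL_BITS) p->entropy_bits = POOL_BITS;
}

/* Ask the registered source to top the pool up to full (read-ahead).
 * Hardware bytes are credited at 8 bits each here, a simplification. */
static void pool_refill(struct pool *p)
{
    uint8_t buf[POOL_BYTES];
    if (!p->source || p->entropy_bits >= POOL_BITS) return;
    size_t want = (POOL_BITS - p->entropy_bits + 7) / 8;
    size_t got = p->source(buf, want, p->source_ctx);
    if (got) { pool_add(p, buf, got, got * 8); p->refills++; }
}

/* Blocking-style read: hand out only as many bytes as the pool holds
 * entropy for, pulling from the source first when one is registered.
 * Returns the number of bytes written to out. */
size_t pool_read(struct pool *p, uint8_t *out, size_t len)
{
    if (p->entropy_bits < len * 8) pool_refill(p);
    size_t avail = p->entropy_bits / 8;
    size_t n = len < avail ? len : avail;
    for (size_t i = 0; i < n; i++) {
        uint8_t ctr = (uint8_t)i;
        mix_block(p->state, &ctr, 1);        /* advance state per output byte */
        out[i] = p->state[i % POOL_BYTES];
    }
    p->entropy_bits -= n * 8;
    return n;
}

/* Constructed stand-in for the hardware RNG: an xorshift64 stream. It
 * exists only so the example runs offline; it is not random. */
size_t fake_hwrng(uint8_t *buf, size_t len, void *ctx)
{
    uint64_t *s = ctx;
    for (size_t i = 0; i < len; i++) {
        *s ^= *s << 13; *s ^= *s >> 7; *s ^= *s << 17;
        buf[i] = (uint8_t)(*s & 0xff);
    }
    return len;
}

/* Scenario from the post: four 256-bit key reads at boot, when only a
 * little interrupt-timing entropy (constructed bytes) has been gathered. */
static size_t boot_demand(int with_hwrng, unsigned *refills)
{
    struct pool p; uint64_t seed = 0x9e3779b97f4a7c15ULL;
    uint8_t key[32], timing[4] = {0x12, 0x34, 0x56, 0x78};
    pool_init(&p);
    pool_add(&p, timing, sizeof timing, 64);   /* only 64 bits so far */
    if (with_hwrng) pool_register_source(&p, fake_hwrng, &seed);
    size_t total = 0;
    for (int i = 0; i < 4; i++) total += pool_read(&p, key, sizeof key);
    *refills = p.refills;
    return total;
}

size_t boot_demand_bytes(int with_hwrng)
{
    unsigned r; return boot_demand(with_hwrng, &r);
}

unsigned boot_demand_refills(int with_hwrng)
{
    unsigned r; boot_demand(with_hwrng, &r); return r;
}
```

Without a registered source the four key reads yield 8 bytes in total, the 64 bits gathered before boot finished; with the source registered they yield all 128 bytes and the pool refills twice, once on the first read and once on the third, because each top-up reads ahead enough for two requests.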
Re: Criminalizing crypto criticism
Much of the hysteria regarding the DMCA's supposed ability to quash free speech by cryptographic researchers is being whipped up by opponents to the DMCA who are misrepresenting the DMCA in a calculated fashion in order to promote opposition. The anonymous poster's legal analysis was not particularly novel. It states that the exemptions in the DMCA actually cover the things that they were supposedly intended to cover. That would be a refreshing change if it were true, but the law is full of weasel words and exemptions to the exemptions. Only accredited researchers, not cypherpunks, can do research, for example. And you're only exempt if you tell the company first, so they know to sue you before you do the research, rather than after the results are leaking out to the public. Neither my opinion nor the poster's opinion controls, though. What matters is what the judges will say, and how expensive it is to ordinary researchers to find out. In the 2600 case, what the judge said is that even if Jon Johansen might have been able to reverse- engineer DVD players under an exemption (an issue that he didn't decide), 2600 Magazine was unable, under the statute, to publish even *A LINK* to Jon's results. The judge swept aside all the clauses like: 1201(c)(4): Nothing in this section shall enlarge or diminish any rights of free speech or the press for activities using consumer electronics, telecommunications, or computing products. Clearly publication of cryptographic results is a fundamental part of free speech and will not be infringed by the DMCA. The other side argued in the 2600 appeal that this was a standard savings clause inserted in the legislation and was not intended to mean anything. It goes like this: either the law is constitutional or it isn't. If it is constitutional, this clause is inoperative, since clearly those Constitutional rights weren't diminished. 
If the law violates the Constitution, then the Constitution, not the statute, controls what rights the public has; again this clause doesn't. The judge agreed with the government and Hollywood that it was clearly put in there to buy off some opponents of the DMCA and didn't have any legal effect. The only minor issue is that THOSE SUCKERS ACTUALLY BELIEVED IT, dropped their opposition, and let the DMCA become law. But that wasn't the judge's problem -- only the defendant's. In fact the RIAA takes that same position now, as seen in http://www.eff.org/Legal/Cases/Felten_v_RIAA/20010606_riaa_statement.html. Because the Felten case so clearly shows what's wrong with the DMCA, RIAA is desperately trying to convince the court that it need not, indeed cannot, make any decision in the Felten case. Therefore SDMI/RIAA is lying to the public and the court by saying that it never, *ever*, intended to sue or threaten. It was merely informing people about their rights, you see. They have moved to dismiss the case on the grounds that we agree with the other side's legal analysis, so there's no issue for a court to decide. They only agree long enough to get out of that courtroom, then they'll find some way to be disagreeable again. The judge will decide whether to believe them or not; the papers are still being filed about that. Princeton Professor Edward Felten and his research team were prevented from presenting their results regarding flaws in SDMI at the Information Hiding Workshop, based on a letter from the Recording Industry Association of America which claimed that such publication would violate the DMCA. In this case, the RIAA was mistaken about the application of the DMCA, as the above analysis makes clear. 
Their mistakenness didn't prevent the RIAA from sending legal threats to every author of the Felten paper, every member of the conference committee that had decided to publish it, AND ALL OF THEIR BOSSES (one of whom, a US Navy commander, shamefully abandoned the soldier-under-fire who was reporting to him). It didn't prevent Adobe from getting its competitor Elcomsoft kicked off of four different spineless ISPs, by sending lawyer letters alleging copyright infringement TO THE ISP, when there was no copyright infringement going on. Mistakes in analysis, reconsidered a week later by Adobe, didn't prevent a US Attorney's office from bringing charges against Dmitry. Attorney General Ashcroft just announced that they're setting up a dozen more similar computer-and-copyright-prosecution task forces around the country -- none of which will have any practical experience with the DMCA yet. Their mistakes are your problem, not their problem, until YOU sue THEM. Will everyone in the infrastructure on whom you depend be as strong as you are in protecting your rights? After you lose your job, your Internet access, and your freedom of motion, because your scientific work threatened some lawyer-infested company's business model, if you have lots of spare money or raise lots of money somehow, you can have