Good crypto policy quote

1998-12-03 Thread Peter Gutmann
This is probably the best one-sentence summary of export controls I've seen. It predates the recent Wassenaar announcement by about half a day, but is even more appropriate in the aftermath: "The real aim of current policy is to ensure the continued effectiveness of US information warfare

Re: Triple DES standard?

1999-01-04 Thread Peter Gutmann
I've had a request for the text of the NSA objections to the 3DES ballot, it's included below along with the ballot cover sheet for anyone who's interested, with the serial numbers filed off both documents. I've already asked this earlier, does anyone know any more about the planned TC68/SC2

New variation in Australia/NZ export controls

1999-01-29 Thread Peter Gutmann
In their ongoing efforts to impose the US's export controls on their own countries, it looks like Australia and New Zealand are moving more and more into line with the requirements set by the NSA. A recent story in The Age (a Melbourne, Australia newspaper), "Export ban kills Nexus' WHO deal"

Menwith Hill Tours

1999-02-28 Thread Peter Gutmann
For those who don't recognise the name, Menwith Hill in the UK is the largest RSOC ("spy base") in the world, and vacuums up communications from all over Europe for use by the NSA. Recently the ukcrypto list discussed Menwith Hill Tours, which has been organising sightseeing trips over and

Fortezza LEAF suppression

1999-05-17 Thread Peter Gutmann
Does anyone know how the enabling of Fortezza LEAF suppression works? Since you have to return the cards to the vendor so the LEAF suppression feature can be added, it looks like there's an uploadable firmware patch available which would turn off the GAK on any Fortezza card. I'd guess it's

Big Brother is listening in Australia

1999-05-24 Thread Peter Gutmann
The transcript of the Australian Channel 9's "Sunday" program "Big Brother is listening" has been made available on their web site, acknowledging Australian participation in Echelon and the UKUSA alliance. A general outline is available at http://sunday.ninemsn.com.au/sun_cover.asp?id=817: In

Re: Padlock Size was Re: so why is IETF stilling adding DES to protocols? (Re: It's official... DES is History)

1999-06-28 Thread Peter Gutmann
Steve Mynott [EMAIL PROTECTED] writes: You can disable 40 bit crypto via 'SecurityNavigatorConfigure SSL v2/3' That doesn't necessarily work. I don't know about SSL, but it's impossible to truly disable 40-bit RC2 for S/MIME no matter what you do - it's the Freddy Kruger of crypto algorithms,

RE: US export restrictions - a travellers guide ?

1999-07-06 Thread Peter Gutmann
r personal use. You're covered. Isn't that true only for US citizens ? Peter Gutmann erased his floppy. You can take it out of the country for personal use iff you keep it to yourself at all times and you return it to the point of origin (all this does is acknowledge what people were doing any

Subject: Re: Security Lab To Certify Banking Applications (was Re: ECARM NEWS for July 23,1999 Second Ed.)

1999-07-26 Thread Peter Gutmann
"William H. Geiger III" [EMAIL PROTECTED] writes: In v0421012db3be70faae9c@[207.244.108.87], on 07/23/99 at 03:20 PM, Robert Hettinga [EMAIL PROTECTED] said: The Financial Services Security Laboratory will open July 28 in Reston, Va. The facility will be used to test software packages

Re: And now, a java encoder ring!

1999-08-01 Thread Peter Gutmann
Andreas Bogk [EMAIL PROTECTED] writes: Udhay Shankar N [EMAIL PROTECTED] writes: For me, the highlight of the JavaOne Developer Conference in San Francisco last March was Dallas Semiconductor's iButton with Java -- aka the Java Ring, a wearable computer that ran Java. It allegedly had a

Re: House committee ditches SAFE for law enforcement version

1999-08-03 Thread Peter Gutmann
Bill Frantz [EMAIL PROTECTED] writes: At 12:26 PM -0700 7/26/99, Rick Smith wrote: At 10:48 AM 7/26/99 -0700, Tom Perrine wrote: At that time (1985), every MLS-possible system that had been produced had been cancelled (or died for other reasons) Sure, some of these (ours included) had

New Zealand decontrols crypto exports

1999-08-14 Thread Peter Gutmann
(That's not quite as momentous as it seems, for reasons given further down). What happened - I've finally (it took more than a month to get a response) managed to get hold of the General Technology Note and General Software Note from NZ's version of the Wassenaar control lists (the

Re: going around the crypto

1999-08-14 Thread Peter Gutmann
"Steven M. Bellovin" [EMAIL PROTECTED] writes: The obvious protection is for users to check the certificate. Most users, of course, don't even know what a certificate is, let alone what the grounds are for accepting one. It would also help if servers used client-side certificates for

RE: NSA key in MSFT Crypto API

1999-09-07 Thread Peter Gutmann
Eric Murray [EMAIL PROTECTED] writes: On Sat, Sep 04, 1999 at 01:59:01AM +0200, Lucky Green wrote: On Fri, 3 Sep 1999, Tim Dierks wrote: Even if the key belongs to the NSA, I suspect that the NSA just wanted to be able to load classified Crypto Service Providers into Windows and didn't want to

RE: NSA key in MSFT Crypto API

1999-09-13 Thread Peter Gutmann
This topic has probably just about reached its use-by date, but I recently saw a comment by "J. Andrés Hall" [EMAIL PROTECTED] on how to cripple Microsoft's own CSPs using _NSAKEY: Because the person possessing the private key corresponding to _NSAKEY can now take a trusted, signed CSP (even

Wave Systems brings you DivX for the PC

1999-10-12 Thread Peter Gutmann
An EMBASSY is a complete cryptographic and usage measurement system integrated into hardware on the client PC. It is designed to provide metered access to executables and information by authorized users, and host specially programmed services in a secure, tamper-proof environment.

Re: IP: IETF considers building wiretapping into the Internet

1999-10-13 Thread Peter Gutmann
"Steven M. Bellovin" [EMAIL PROTECTED] writes: So -- how should the back door be installed? In the protocol? In the telco endpoint? Is it ethical for security people to work on something that lowers the security of the system? Given that it's going to be done anyway, is it ethical to refrain,

Re: a smartcard of a different color

1999-11-17 Thread Peter Gutmann
Robert Hettinga [EMAIL PROTECTED] writes: Subject: a smartcard of a different color From: Dan Geer [EMAIL PROTECTED] Yesterday I saw a smartcard of a different color. In particular, it is the smartcard chip but in a key-ring thing that is more or less identical to the Mobil SpeedPass except

Re: DPA mapped to spectral analysis

1999-11-20 Thread Peter Gutmann
"Matt Crawford" [EMAIL PROTECTED] writes: A while back someone on cypherpunks posted a program that would let you hear FSK modulation on a normal radio when the program was run, by modulating PCI traffic. Shoot, I remember the operators of the CDC 3150 at the local state college doing this

Re: Siemens German Digital Signature Chip Hacked

1999-12-02 Thread Peter Gutmann
[I posted this earlier today but it never appeared, apologies if you've seen it before. In any case the bit about the SigG card has been updated] Martin Minow [EMAIL PROTECTED] writes: The Register http://www.theregister.co.uk reports that the Siemens Digital Signature Chip used for cashless

Re: FW: Invitation to CKM® (fwd)

2000-01-13 Thread Peter Gutmann
Rich Salz [EMAIL PROTECTED] writes: Anyone know anything about these guys? [I may be having a knee jerk reaction, but this smells snake oily. --pm] The technology we are talking about is a new cryptographic key distribution system - The Constructive Key Management System® (CKM®) created

Re: New Encryption Regulations have other gotchas

2000-01-22 Thread Peter Gutmann
John Young [EMAIL PROTECTED] writes: Phil Karn wrote: I believe the anti-Tempest provisions have been in the export regs for some time. Yes, but when did they appear? We're attempting to trace Tempest's origin -- not easy because of classification of so much stuff. One classified standard

Interesting point about the declassified Capstone spec

2000-02-11 Thread Peter Gutmann
Late last year the Capstone spec ("CAPSTONE (MYK-80) Specifications", R21-TECH-30-95) was partially declassified as the result of a FOIA lawsuit[0]. The document is stamped "TOP SECRET UMBRA" on every page. UMBRA is a SIGINT codeword, not an INFOSEC one, so the people who designed the thing

Re: Interesting point about the declassified Capstone spec

2000-02-11 Thread Peter Gutmann
[EMAIL PROTECTED] (Arnold G. Reinhold) writes: I've always thought that the unique id built into each device and available to Law Enforcement (LE) without court order would give LE huge leap forward in traffic analyses. That's not unique to Clipper though, I bet there are systems out there

More comments on Arcot's software smart cards

2000-02-20 Thread Peter Gutmann
Arcot's "software smart cards" have been discussed in the past on these lists, however the discussion predates the publication of their paper "Software smart cards via cryptographic camouflage" at the IEEE Symposium on Security and Privacy halfway through last year

RE: X.BlaBla in PGP??? BWAHAHAHAHAHA!!!!

2000-03-07 Thread Peter Gutmann
"Phillip Hallam-Baker" [EMAIL PROTECTED] writes: I think you are probably referring to Ron's paper in FC'98. I presented an alternative and somewhat radical architecture at RSA'99 which demonstrated that it was practical to distribute revocation info in real time for a population of 5 billion

Windows 2000 Save plaintext passwords and encryption keys to disk facility

2000-03-03 Thread Peter Gutmann
Windows 2000 includes a very dangerous feature as part of its power management interface which saves the current system state to disk before putting the system into hibernate mode. Unlike the (already considerable) problems with a swapfile, which creates the risk that encryption keys, passwords,

How to avoid those pesky crypto security measures

2000-03-03 Thread Peter Gutmann
An excerpt from Microsoft Knowledge Base Article Q228786: -- Snip -- Sometimes it is convenient to export/import plain text session keys. However, the Microsoft Cryptographic Providers (Base and Enhanced) do not support this feature, for which both CryptExportKey() and CryptImportKey() require

Re: Slow revocation checks (was: X.BlahBlah...)

2000-03-06 Thread Peter Gutmann
lcs Mixmaster Remailer [EMAIL PROTECTED] writes: Peter Gutmann writes: The reason why revocation checking is disabled by default is a pragmatic one, in practice it acts as a "Delay processing each message by a minute or two" facility (or at least it did a year or so back), so by

Re: legal status of digital signatures

2000-06-10 Thread Peter Gutmann
Rich Salz [EMAIL PROTECTED] writes: Here's an interesting hypothesis that also touches on Perry's followup. Digital signature "laws" are the result of PKI vendors trying to create a market. Just as the Utah digital signature law was also called the "Attorneys Full Employment Act of 1997" I

Re: outlook certs

2000-06-15 Thread Peter Gutmann
Markku-Juhani Saarinen [EMAIL PROTECTED] writes: By the way, here's the complete factorization of the value of public modulus that openssl displayed for you: It's now been confirmed by several sources that this number has small factors, can someone confirm that MS software will generate more

RE: outlook certs - solved

2000-06-24 Thread Peter Gutmann
Markku-Juhani Saarinen [EMAIL PROTECTED] writes: I now believe you've decoded the below incorrectly because the leading bit is set, making this a signed number which may have made some of your tools croak. Decoding by hand, I get the following mod/exp: Are you saying that under some conditions

Re: Lowercase compresses better?

2000-09-30 Thread Peter Gutmann
[EMAIL PROTECTED] writes: If your compression algorithm is tuned for normal ASCII text, then <UC letter><lc letter> may be considered more frequent than <UC letter><UC letter> for all combinations of values of <UC letter>, and thus pairs of uppercased letters may result in longer bit streams than pairs

The AuthentiCode signature format

2000-11-20 Thread Peter Gutmann
I reverse-engineered Microsoft's AuthentiCode format a few years ago while, uhh, investigating its security but never really published the details, here they are in case anyone finds them useful. There's nothing terribly tricky about it, it's just a PKCS #7 detached signature inserted as a COFF

Re: Is PGP broken?

2000-12-02 Thread Peter Gutmann
"Enzo Michelangeli" [EMAIL PROTECTED] (or someone, the quoting makes it difficult to tell) writes: If it may be of any comfort (or perhaps enhanced desperation), the S/MIME community has similar headaches: in these days, the [EMAIL PROTECTED] list is debating whether, in S/MIME v.3, RSA should be

Re: Is PGP broken?

2000-12-04 Thread Peter Gutmann
"Enzo Michelangeli" [EMAIL PROTECTED] writes: Apart from standards issues, one thing I'd like to see added to popular S/MIME agents is a mini-CA to issue self-signed certificates. This would allow people to use S/MIME as they use PGP (who relies on the WoT anyway?), breaking the dependency from

Re: Is PGP broken?

2000-12-05 Thread Peter Gutmann
"Enzo Michelangeli" [EMAIL PROTECTED] writes: I have an RFC draft for this which I wrote a while back but it was rejected by the PKIX WG chair(s) ("I am concerned that we not turn PKIX into PGP with ASN.1 syntax"), and I haven't had the motivation to publish it as an independent draft - would