Denmark, update on Echelon
Hi, just a short notice on the Echelon discussion in Denmark. The Danish parliament, Folketinget, has declined to aid the EU committee which is investigating Echelon. The EU committee formally contacted the head of the parliament's permanent select committee for controlling the intelligence services -- in Danish: kontroludvalget for efterretningstjenesterne -- asking for information regarding parliamentary control of the Danish intelligence services. No confidential information was asked for, just the basic info on how the select committee works. The head of the committee, Thor Pedersen from the liberal party Venstre, declined to aid the EU committee. He did this without informing the select committee or the parliament. This caused some uproar when we disclosed his doings in Ekstra Bladet, but later the decision was upheld at a meeting in the select committee. Complaints have now been filed against Thor Pedersen. This means that Denmark is one of only two EU countries whose parliaments have declined to help the EU committee: the other declining parliament is the British. No other EU countries have stepped aside. Indeed they have been rather helpful to the EU committee. Thor Pedersen's decision has infuriated the members of the EU parliament Lone Dybkjaer (party: Det Radikale Venstre, married to our prime minister) and Torben Lund (party: Socialdemokratiet, which is the governing party in Denmark). Both are members of the EU committee, and both have declared they have no doubt Echelon exists. Meanwhile, the Danish signals intelligence service Forsvarets Efterretningstjeneste is continuing to upgrade its equipment. The SIGINT site at Skibsbylejren has been equipped with three satellite dishes, all 18 meters across. There are plans to erect three further dishes of the same size. The dishes are solely planned for interception. According to building plans, a radius around the area must be cleared of all electronic emissions, including cell phone towers and welding equipment.
Also, tall buildings will be prohibited in the area around the 30-meter-tall radomes containing the dishes. Yours, Bo Elkjaer, Denmark
Re: Knowing your customer
Nomen Nescio wrote: I guess an equivalent ID will do. In Germany, you need your ID card to open a bank account (um, for those not in the know: we have state-issued ID cards in addition to passports. The passport is a travel document, used to visit non-EU countries. The ID card is used inside the EU and for national purposes (identification, mostly). You are NOT required to have it with you all the time or somesuch, but some activities, such as opening a bank account, require an ID card. A driving license or other documents will do in many cases, but I think not for bank accounts). How often must your ID card be renewed? What information does it (or the ID database) contain that a German passport does not? It must be renewed every 10 or 5 years (there are two periods, I'm not sure which one applies in what cases). It contains: name, birthday and birth town, nationality, your signature (as you made it on the form), some string of numbers that contains your birth date and some other information I'm not sure about but which has most likely been published on the web somewhere. On the backside it contains address, height, colour of eyes and the issuing authority. There is also a field where you can have a pseudonym or religious name printed if you want to use it for any "official" activities (say, you're a rock star, actor or author and many more people know you under your pseudonym than under your real name). Height and eye colour are whatever you put in the form. I doubt it's ever checked. I know mine have been different on all ID cards I've had so far. The front side also contains a picture of you, almost forgot that. I have no idea what kind of information is linked to this, i.e. what exactly a cop can pull out of his database by entering your ID number.
Re: IBM Uses Keystroke-monitoring in NJ Mob Case (was Re:
Petro wrote: R. A. Hettinga wrote: [...] As I've written, the FBI should run quality house cleaning services in large cities. How do you know they don't? In every office or factory I've ever been in, including government ones where we kept paper copies of tax returns (yes folks, I have worked for the Inland Revenue) there are cleaners. They seem to come in 3 kinds - middle-aged black women, African students working their way through college, and people with vaguely asiatic features who sound as if they are speaking Portuguese. (Sometimes you get a few white students working their way through college but they are more likely to get jobs in bars) If I wanted to hire spies or assassins, I'd go for the middle-aged black women. Preferably short and dumpy and shabbily dressed. Someone who looks like a granny. They can go anywhere, no-one ever stops them or asks them who they are. An invisible woman to match Chesterton's Invisible Man. Ken
Gates to Privacy Rescue? Riiight! (was Re: BNA's Internet LawNews (ILN) - 12/8/00)
At 8:30 AM -0500 on 12/8/00, BNA Highlights wrote: THOUGH TECHNOLOGY MIGHT HELP PRIVACY A meeting of business leaders in Redmond, Washington led to a frank debate over the insufficiency of North American action on consumer privacy and the potential for technology to play a key role in protecting such privacy. For example, Bill Gates announced that the next version of IE would better allow consumers to ascertain Web site privacy policies. http://www.nytimes.com/2000/12/08/technology/08SECU.html -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Tonight, come here
Thank you for using our usual bulletin board, dating and mail-friend site. Today we would like to introduce a new site. http://homepage2.nifty.com/degedock/mori/ If you do not need this, please delete it. If you do not want to receive these announcement mails in future, or have any comments, feel free to contact us here: [EMAIL PROTECTED]
Re: Questions of size...
On Thu, 7 Dec 2000, petro wrote: Mr. Brown (in the library with a candlestick) said: (RAH might have called it a geodesic political culture if he hadn't got this strange Marxist idea that politics is just an emergent property of economics :-) Just by the way, how widespread is this use of the word 'geodesic'? Offhand, I'd refer to many of the things I've seen it used for here as 'distributed' or 'fractal'. Is 'geodesic' an accepted term of art for a network or protocol in which all the parts work roughly the same way? Bear
Re: Questions of size...
At 8:46 AM -0800 on 12/8/00, Ray Dillinger wrote: Just by the way, how widespread is this use of the word 'geodesic'? Not especially. :-). Offhand, I'd refer to many of the things I've seen it used for here as 'distributed' or 'fractal'. Is 'geodesic' an accepted term of art for a network or protocol in which all the parts work roughly the same way? As with everything else I know of any use, I stole it. :-). It comes from Peter Huber's 1986 "The Geodesic Network", containing (Huber's?) observation that as the price of switches gets lower, like with Moore's "law", the price of network nodes gets lower versus the price of network lines, and the network changes from a hierarchical network with expensive switches with the most expensive switches at the top to a geodesic one, with most switches tending toward the same price in the aggregate. Huber stole "geodesic" from Bucky Fuller, who in turn stole it from topology, where it means the straightest line across a surface. In three dimensions it's a great circle, for instance, the straightest line across a sphere, which is what "geodesic" translates to literally. Bucky called his domes geodesic, because when you pushed on a point on the dome force radiated out in all directions to the ground. Of course, the internet is the mother of all geodesic networks, right? :-). I've expropriated the word "geodesic" in all kinds of outlandish ways, like a cash settled auction-priced single intermediary (with lots of competing intermediaries, of course, just one between each buyer and seller) internet market is a geodesic market, like my claim that societies map to their communication architectures and thus we're moving from a hierarchical society to a geodesic one, and so on. There's a collection of essays on geodesic markets on http://www.ibuc.com, and pointers there to other rants of mine with the "G" word in them, as well.
Cheers, RAH
Re: Gates to Privacy Rescue? Riiight! (was Re: BNA's Internet Law News (ILN) - 12/8/00)
On Fri, Dec 08, 2000 at 09:07:38AM -0500, R. A. Hettinga wrote: | | At 8:30 AM -0500 on 12/8/00, BNA Highlights wrote: | | | THOUGH TECHNOLOGY MIGHT HELP PRIVACY | A meeting of business leaders in Redmond, Washington led to | a frank debate over the insufficiency of North American | action on consumer privacy and the potential for technology | to play a key role in protecting such privacy. For example, | Bill Gates announced that the next version of IE would | better allow consumers to ascertain Web site privacy | policies. | http://www.nytimes.com/2000/12/08/technology/08SECU.html http://dailynews.yahoo.com/h/zd/20001207/tc/forrester_exec_injects_security_summit_with_harsh_truths_1.html REDMOND, Wash. -- Just a few hours after Bill Gates opened Microsoft Corp.'s (Nasdaq:MSFT - news) SafeNet 2000 security summit here Thursday on an optimistic note, Forrester Research Inc.'s (Nasdaq:FORR - news) John McCarthy blew it all up. -- "It is seldom that liberty of any kind is lost all at once." -Hume
Re: Gates to Privacy Rescue? Riiight!
[[EMAIL PROTECTED] removed from the distribution list. They claimed not to want any politics discussion, and they are a closed list, so why is political discussion going to it?] At 11:50 AM -0500 12/8/00, Adam Shostack wrote: On Fri, Dec 08, 2000 at 09:07:38AM -0500, R. A. Hettinga wrote: | | At 8:30 AM -0500 on 12/8/00, BNA Highlights wrote: | | | THOUGH TECHNOLOGY MIGHT HELP PRIVACY | A meeting of business leaders in Redmond, Washington led to | a frank debate over the insufficiency of North American | action on consumer privacy and the potential for technology | to play a key role in protecting such privacy. For example, | Bill Gates announced that the next version of IE would | better allow consumers to ascertain Web site privacy | policies. | http://www.nytimes.com/2000/12/08/technology/08SECU.html http://dailynews.yahoo.com/h/zd/20001207/tc/forrester_exec_injects_security_summit_with_harsh_truths_1.html REDMOND, Wash. -- Just a few hours after Bill Gates opened Microsoft Corp.'s (Nasdaq:MSFT - news) SafeNet 2000 security summit here Thursday on an optimistic note, Forrester Research Inc.'s (Nasdaq:FORR - news) John McCarthy blew it all up. I read the article (thanks for the URL). Nothing new, and, in fact, several of the old chestnuts about why regulation is needed. The author also mentions that consumers dislike (so?) tracking of their purchases...and then in the next paragraphs cites the Firestone tire recall as an example of better policy than most Web sites have (or something like this...I re-read his analogy several times and still wasn't sure what his claim was). But the irony of juxtaposing Firestone and "customers dislike tracking" is delicious indeed! It is the existence of customer records--generally voluntarily provided by the customer--that allowed Firestone and Ford to contact hundreds of thousands of Explorer owners. I wonder if the author appreciates the irony here? 
All of this folderol about laws being needed to control privacy must be fought at every stage. --Tim May -- (This .sig file has not been significantly changed since 1992. As the election debacle unfolds, it is time to prepare a new one. Stay tuned.)
Re: Questions of size...
At 08:46 AM 12/8/00 -0800, Ray Dillinger wrote: On Thu, 7 Dec 2000, petro wrote: Mr. Brown (in the library with a candlestick) said: (RAH might have called it a geodesic political culture if he hadn't got this strange Marxist idea that politics is just an emergent property of economics :-) Just by the way, how widespread is this use of the word 'geodesic'? It depends on how many hops away from Bob Hettinga you are :-) Thanks! Bill Bill Stewart, [EMAIL PROTECTED] PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
Re: Re: Re: Re: Fractal geodesic networks
At 3:57 PM -0800 12/8/00, Ray Dillinger wrote: On Fri, 8 Dec 2000, Jim Choate wrote: Fractal simply means non-integer dimension. Yeah, that's where it started. But I'm using it more in the sense of meaning the properties that fractal structures have; self-similarity across scales, for one, as in the big nodes work the same way as the little nodes and larger patterns are emergent from the interaction of simple rules. Computer networks, at least copper or fiber based, can't be fractal. Physically, true. There is a minimum size feature, in the sense that some computing hardware and memory is required of every node. In terms of the flow of information, I'm not as sure. Argg. Anyone claiming that something "can't be fractal," as Choate apparently does in the section you quote, just doesn't understand the meaning of fractal. Or, in Choateworld, "Since all physical things have three spatial dimensions, there are no non-integer dimensions, and hence fractals cannot exist." Like Choatian physics, Choatian economics, Choatian law, and Choatian history, such crankish ideas are neither useful nor interesting. --Tim May
Re: Re: Fractal geodesic networks
At 5:49 PM -0800 on 12/8/00, Bill Stewart wrote: At 02:47 PM 12/8/00 -0600, Jim Choate emitted: 'fractal geodesic network' is spin doctor bullshit. Well, buzzword bingo output anyway. :-). "Neological" is so much more... euphemistic... And the Internet is most certainly NOT(!) geodesic with respect to packet paths. more like a geodesic dome filled with boiled spaghetti... Depends on what dimension you're measuring. For fun, I pick time. I leave a definition of fractal time to the more mathematically creative out there. Cheers, RAH
Re: Fractal geodesic networks
Perhaps the scale larger than the highest layer nodes is no longer recognisable as being part of the fractal. Likewise the nodes at each ppp have some organization as to how they handle data internally. The shape of a shoreline is often used to illustrate fractal self-similarity, but you quickly reach a point where it is hard to call it a shoreline anymore; it becomes grains of sand, pebbles, or boulders. So say you -could- estimate a fractal dimension for the internet. What would the number be good for? - Original Message - From: "Jim Choate" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, December 08, 2000 8:33 PM Subject: Re: Fractal geodesic networks On Fri, 8 Dec 2000, Bill Stewart wrote: more like a geodesic dome filled with boiled spaghetti... If you think about it this is actually one way to view the Internet. Consider the highest layer nodes. Place them equidistant on a sphere and interconnect them with links. Whether they are geodesic or not isn't relevant (unless you're using a shortest-path algorithm, which we don't). Anyway. The next thing you do is connect each single user machine to its appropriate node. Cluster them in a similar manner. You get a globe with little partial globe 'bumps' centered on each 'parent' node. Then from each of these parent nodes, using a different length path for distinguishing, list the multi-user nodes. Then interconnect these nodes. Repeat ad infinitum (well you can't really since the lowest level link, a single ppp link for example, can't be broken down into smaller physical links; the net is pseudo-fractal at best at this scale). You can also do them as 'sea urchins'. The reality is that the Internet, as big as it is, is simply too small by several orders of magnitude to be modelled by anything approaching a true fractal. However, by looking at it from the perspective of emergent behaviour from simple rules we can probably gain more understanding and control over its use.
Something akin to cellular automatons with simple neighborhood rules interconnected by 'small network' models. Before a larger group can see the virtue of an idea, a smaller group must first understand it. "Stranger Suns" George Zebrowski. James Choate, The Armadillo Group, Austin, Tx, [EMAIL PROTECTED], www.ssz.com, 512-451-7087
No Subject
HONG KONG--Siemens has a solution for people who constantly forget computer passwords: a mouse that recognizes fingerprints. Called the ID Mouse, the device uses biometrics to take advantage of the unique features of people's fingerprints. German electronics maker Siemens, which showed off the ID Mouse this week at the ITU Asia Telecom 2000 fair, said the device works by allowing pre-authorized people to retrieve information from their PCs or laptops. When the user lightly taps the fingertip sensor located at the top of the mouse, the device verifies the fingerprint against reference templates already enrolled on the PC. Once a fingerprint is authenticated, the person can then access the PC's main operating system. Siemens is one of numerous companies headed in the direction of using unique physical features for identification. The mouse is powered by 65,000 sensing elements on the 0.25 square-inch fingertip chip, which enable the device to scan and capture the fine details of a fingerprint. The system is so sensitive that it will recognize an authorized person even if there is a cut on the fingertip. For added security, if the mouse user takes a break, the screensaver is activated until the person touches the ID Mouse again. Other than that, the ID Mouse operates just like any Microsoft mouse. It has a scroll wheel for navigation and requires at least Microsoft Windows 98 and a USB connection. This week's conference is the International Telecommunications Union's 23rd telecom show since its 1971 debut in Geneva. The six-day fair, which ends Saturday, took place in Hong Kong this year and was expected to attract at least 50,000 visitors from more than 50 countries. Singapore.CNET.com's Priscilla Wong reported from Hong Kong.
Microsoft banned from security email list
By Stephen Shankland Staff Writer, CNET News.com December 8, 2000, 1:05 p.m. PT URL: http://news.cnet.com/news/0-1003-200-4062758.html The administrator of a popular computer security mailing list banned postings from Microsoft on Thursday after the company stripped detailed information out of its advisories, but a compromise is likely on the way. Microsoft last week pared down the security warnings it sends by email to the Bugtraq and NT-Bugtraq mailing lists as well as to 130,000 other subscribers who want to know about vulnerabilities and fixes to Microsoft software, said Scott Culp, Microsoft's security program manager. Instead, the emails include a link to a Web page with additional details. Microsoft made the change so customers get the most up-to-date and accurate information rather than potentially out-of-date news from an archived email. "The goal is to make sure the information is as useful as it can be, it's timely, and it's accurate," he said. But he acknowledged Microsoft still must send new email out if the Web site changes. Bugtraq moderator Elias Levy thought the change was a step in the wrong direction. "I will no longer be approving any advisories with little or no content that point you to some other place for information," he said in a posting Wednesday. The change meant information is a step farther away, not archived and available in a single central source that might not always be available, he said. The dispute marks another chapter in the sometimes rocky relationship between Microsoft and security experts. While outside programmers often find problems with Microsoft's software, sometimes they earn Microsoft's ire by publishing the vulnerability before Microsoft has time to fix it. Levy wasn't the only one to complain. In a note Friday, programmer Forrest Cavalier voted to resurrect the older format, saying Microsoft has been known to move Web pages so older addresses no longer work.
"There was a time that Microsoft URLs had a half-life of a few months," he said. Russ Cooper, moderator of a different security mailing list called NT-Bugtraq, applauded Microsoft's change. "It's very easy to have conflicting information about the scope of a vulnerability depending on which email version of the bulletin you're looking at," he said in a Wednesday posting. Culp, who spoke Friday with Levy at a Microsoft security conference, said Microsoft expects to change the format of the advisories to compromise. "There's a trade-off between how often can you send the (advisory) vs. the extra step of going to the Web page. Somewhere in there is a middle ground," Culp said. Levy began posting text versions of the Microsoft Web pages, but he said Microsoft told him "in no uncertain terms" that reproducing the information "would be considered an act of copyright violation." "So until Microsoft changes their policy or changes their email bulletins back to the old format, you won't see them on the list," Levy said. Microsoft is seeking email comment on the new advisory format. About 1,500 people so far have sent their opinions to the [EMAIL PROTECTED] email address, he said. Levy couldn't be reached for comment today. Another change that comes with the new format is that Microsoft can track who is reading its Web advisories through the use of invisible tracking software called Web bugs, according to Privacy Foundation chief technology officer Richard Smith, who noted that he didn't see that as "a big deal." "One thing that Microsoft is learning here is what bulletins people consider important," he said in a posting to Bugtraq. "With the older format, where all the info was in an email message, they did not get this feedb
NYT:The Nexus of Privacy and Security
By JOHN SCHWARTZ REDMOND, Wash., Dec. 7 -- Trust us. Please? That is the message from leaders of high-technology businesses and advocacy groups at SafeNet 2000, a Microsoft-sponsored conference on computer security and privacy. The stated purpose of the conference, which opened here today, is to reach a consensus on issues like when and how to publicize vulnerabilities in a vendor's software -- like, say, Microsoft's -- that could compromise privacy or data security. But the freewheeling panel discussions today touched on all the major policy issues facing high technology companies. And it showed, as Microsoft's chairman, William H. Gates, said in a keynote address, that privacy and security "are tied together in a very deep way." Announcing a Microsoft initiative on consumer privacy, Mr. Gates said the next version of the company's Internet Explorer software for browsing the Internet would incorporate a technology that could make it easier to ascertain the privacy policies on Web sites. The conversation at the conference was remarkably frank, and sometimes quarrelsome. In a discussion of privacy issues, Nick Mansfield of Shell Services International, a computer services subsidiary of the Royal Dutch/Shell Group, praised consumer privacy rules passed by the European Union and said that in contrast, "I don't see anything intelligent in the privacy field in North America." The comment elicited a murmur of irritation in the packed meeting room, but a few minutes later, Microsoft's own chief privacy officer, Richard Purcell, said much the same thing. Consumers, he said, merely see an industry that is squabbling over position in the market, not one that is moving forward with any coherence on privacy issues. "How do we get to that vocabulary, that purpose and that channel of communication," he asked, "that assures consumers that we aren't a lot of evil-headed monsters?"
It was notable, though little remarked by the attendees, that the conference's host has often been at the center of the privacy and security debate. Some of the most prominent computer virus attacks, including the "I Love You" program started early this year in the Philippines and the Melissa program last year, took advantage of the vulnerability of Microsoft's wares and their near-ubiquity around the globe. Some who did not attend the conference were not so gentle. "The irony of it is amazing," Jeff Bates, editor of the online technology news site known as Slashdot, said in an e-mail interview. He accused Microsoft of being "a company that leaves me vulnerable to security holes so that it can make my screen look prettier." Others at the conference noted that one of the meeting's goals -- to come up with standard procedures for reporting software flaws -- would serve Microsoft well, since it has long been the victim of "gotcha" announcements that describe bugs before the company has had a chance to fix them. A former hacker who goes solely by the name of Mudge, who now works as a security consultant, defended Microsoft for having changed since the days when he and his friends would gleefully publish examples of its software flaws on the Internet. "There was a time when they would treat an information release quite differently," he said, by trying to sweep the problem under a rug. In recent years, Microsoft has poured money and personnel into responding to bugs, and has improved its relations with those who publicize them, Mudge said. Describing the new privacy features in Internet Explorer, Mr. Gates said they would let consumers decide what level of privacy protection they need -- whether, for example, the machine should accept cookies, the software deposited in consumers' PC's by Web sites to track visitors. The system, known as Platform for Privacy Preferences Project, or P3P, has long been under independent development.
But the announcement means that Microsoft is pulling back from a simpler approach to giving consumers more control over their cookies by letting them block all "third party" cookies, those originating from sites other than the one that the Web surfer is visiting. Such cookies irk many privacy advocates, who say that they expose consumers to scrutiny by advertising firms, for example, without their knowledge or consent. On the security side, Mr. Gates said Microsoft, which suffered an embarrassing series of hacker intrusions in October, had been trying to act as a model for other companies by instituting a pilot program using "smart cards" to restrict access to the inner workings of the company's computer networks. The project put the cards into the hands of about 1,000 system administrators, who must insert them into special readers on their computers to make any changes on the company's networks. Barry Steinhardt of the American Civil Liberties Union said the example showed the frequent tension between privacy and security, since the technology allows a
Personal Firewalls Fail the Leak Test
By Brian McWilliams In an attempt to show that personal firewalls may afford their users little protection against serious threats, a respected PC security expert has released a new software tool that pokes holes in many of the leading desktop security packages. Security-conscious Internet users, especially those on broadband connections, have made desktop firewall software into a booming business for companies like Symantec and Network Associates. But according to Steve Gibson, president of Gibson Research, almost all of these utilities only provide "pseudo protection" against attacks. That's because they put most of their effort into blocking incoming hacker attacks, while paying only scant attention to what he calls internal extrusion: software already on the machine sending data out. "I really believe the problem of software in your computer misbehaving is much bigger than the problem of hacker attacks. Most people don't have any vulnerabilities; there's nothing a hacker can do to you. So I argue against the necessity of any kind of inbound blocking tool," said Gibson. To prove his point, Gibson has developed a free utility called LeakTest. The 27-kilobyte program is a trojan-horse/spyware simulator that attempts to slip past a personal firewall's defenses and connect to a server on the Internet. Not surprisingly, popular intrusion detection programs like BlackIce Defender from Network Ice fail to catch the outgoing connection and report it to the user. But more disturbingly, several firewalls that claim to offer outbound detection are also fooled by LeakTest, among them the best-selling Norton Personal Firewall and McAfee Firewall. Both are among a small number of desktop firewall programs that attempt to address the problem of unauthorized outbound leakage, but Gibson says they fall short and can be easily fooled or bypassed because they come pre-programmed to allow some applications to pass through the firewall. "This idea of allowing all these apps pre-approval is ludicrous.
It's trivial to get permission out of the firewall without notifying the user," said Gibson, who observed that only one firewall, Zone Labs' ZoneAlarm, prevents malware from masquerading as a trusted program. "They do a cryptographic signature of the programs you're allowing. That's not hard to do, but they're the only ones who do it," he said. Tom Powledge, Symantec's product manager for Norton Internet Security, said the risks outlined by Gibson are low if users are running both a firewall and anti-virus software. And he said Symantec knows of no instances of programs that specifically target Norton Personal Firewall, which is shipped with NIS. But in response to Gibson's critique, Symantec plans to revise the application integrity checking feature in NIS, with an update available to users over LiveUpdate by early next week. In the meantime, Powledge said concerned users can turn off automatic firewall rule creation. Judging by comments on the LeakTest message board at Gibson's site, plenty of users are concerned about the newly exposed porosity of their favorite firewall software. But Symantec's Powledge said their fears could have been avoided if Gibson had given vendors the customary advance notice before releasing LeakTest. "We were seeing no concern about this, and no exploits have been written. And while this makes customers aware of a potential issue, it also makes hackers aware," said Powledge. But Gibson, who had an earlier run-in with RealNetworks over the privacy behavior of its RealDownload product, said he's learned that unless pressure is brought to bear, companies are resistant to change. "These firewalls are not going to get better unless there's someone saying and able to prove -- and to enable the user to prove -- that these things are junk."
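The distinction the article turns on is between an outbound rule that identifies a program by its name and one that identifies it by a cryptographic fingerprint of the file, the check Gibson credits ZoneAlarm with. The following is an added illustration, not code from the article or from any of the vendors named; the "browser.exe" file, its contents and the allow/prompt decisions are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


def fingerprint(path: str) -> str:
    """SHA-256 of the program file on disk, standing in for the firewall's
    'cryptographic signature' of an approved application."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class OutboundPolicy:
    """Two rule stores kept side by side so the two checks can be compared:
    one keyed by program name only, one keyed by name plus file hash."""
    by_name: set = field(default_factory=set)
    by_hash: dict = field(default_factory=dict)  # program name -> approved fingerprint

    def approve(self, path: str) -> None:
        """Record the user's 'allow' decision for the program at `path`."""
        name = os.path.basename(path)
        self.by_name.add(name)
        self.by_hash[name] = fingerprint(path)

    def name_check(self, path: str) -> str:
        """Name-only rule: anything called like an approved program gets out."""
        return "allow" if os.path.basename(path) in self.by_name else "prompt"

    def hash_check(self, path: str) -> str:
        """Hash rule: the bytes on disk must match what the user approved.
        A changed file (legitimate update or something reusing the name)
        falls back to prompting the user instead of being let through."""
        name = os.path.basename(path)
        approved = self.by_hash.get(name)
        if approved is None:
            return "prompt"
        return "allow" if fingerprint(path) == approved else "prompt"


def simulate() -> dict:
    """Approve a constructed 'browser', then replace the file under the same
    name and see which rule store still lets it connect out."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "browser.exe")
        with open(exe, "wb") as f:
            f.write(b"TRUSTED-BROWSER-BUILD-1")  # constructed stand-in for the real program
        policy = OutboundPolicy()
        policy.approve(exe)
        before = (policy.name_check(exe), policy.hash_check(exe))
        with open(exe, "wb") as f:
            f.write(b"UNRELATED-PROGRAM")  # constructed stand-in for a different program reusing the name
        after = (policy.name_check(exe), policy.hash_check(exe))
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(simulate())
```

The name-only store keeps answering "allow" after the swap, which is the pre-approval weakness Gibson describes; the hash store drops back to "prompt", so the user sees a new decision rather than a silent pass-through.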
RE: Signatures and MIME Attachments Getting Out of Hand
At 10:14 AM -0500 12/8/00, Trei, Peter wrote: File: SMIME.txt Sean writes: ASCII plain text *is* The Way. But guess what, PGP/MIME *is* plain text. You can even parse it with your eyeballs. Sean: Guess what: Your message comes as an attachment, which I have to open separately. Peter By the way, the same problems with MIME, HTML, attachments, etc. are hitting the Newsgroups as well. Some of the newsgroup folks are posting reminders (from charters, FAQs) not to do this. Here's one I just saw in the comp.lang.ruby group: " (a) General format guidelines: - Use *plain* text; don't use HTML, RTF, or Word. - Include examples from files as *in-line* text; don't use attachments. - PLEASE NOTE! Include quoted text from previous posts *BEFORE* your responses. And *selectively* quote as much as is relevant. " Good advice for our list as well. --Tim May
Re: Knowing your customer
"R. A. Hettinga" wrote: [...] I am not, of course, a banking lawyer, but I certainly hang out with enough of those folks these days, I've certainly had enough of this stuff shoved into my head over the years, and, I expect that to get a bank account without a Social Security number in most states of the US, you probably need to prove that you are indeed a foreign national, *and* provide a valid passport as proof of same, and that, frankly, the passport number would be used *somewhere* as a proxy for SSN where possible. I manage to pay some US income tax (on some share dividends) without ever having a US SSN. They seem happy not to identify you when they are taking your money. Funny that :-) [...] Modern nation-states have bound up so much of their regulatory and tax structure into book entry settlement, that it is very hard, more probably impossible, to get a bank account in this country without being completely, positively, whatever that means, identified -- biometrically identified, if it were cheap enough, and certainly with a state-issued identification number. UK domestic bank accounts usually require some proof of ID, though not our equivalent of your SSN (the "national insurance number" - I suspect most people don't know theirs, but it is printed on every payslip, so probably hard to keep secret). There is no official government ID in the UK, except for passports, which of course many people have not got. Banks are very keen on proof of address; they ask to see "official" letters (like the gas bill - or an account from another bank) addressed to your name at your house. In fact it is all but impossible to get a bank account without a permanent address. As these days many employers only pay wages through bank accounts... well, that's just one of the reasons the number of homeless people in London went steadily up during the 1980s and early 1990s, when employment and prosperity were increasing and the value of welfare benefits was falling. [...] Ken