Re: On the orthogonality of anonymity to current market demand
Chris Palmer [EMAIL PROTECTED] writes:

>James A. Donald writes:
>
>>Further, genuinely secure systems are now becoming available, notably Symbian.
>
>What does it mean for Symbian to be genuinely secure? How was this determined and achieved?

By executive fiat.

Peter.
Re: Multiple passports?
Gregory Hicks [EMAIL PROTECTED] writes:

>As for applying for one now, I think the deadline for the non-RFID passports is about 3 days away (31 Oct 2005), but I could be wrong. (In other words, if your application is not in processing by 31 Oct, then you get the new, improved, RFID passport.)

Ahh, but if you get one of the first passports issued then there are likely to still be some teething problems present, leading to sporadic failures of the first batch of RFID devices. I have a funny feeling that this is going to happen to my new passport when it arrives.

Peter.
Any comments on BlueGem's LocalSSL?
http://www.bluegemsecurity.com/ claims that they can encrypt data from the keyboard to the web browser, bypassing trojans and sniffers, however the web pages are completely lacking in any detail on what they're actually doing. From reports published by West Coast Labs, it's a purely software-only solution that consists of some sort of (Win9x/Win2K/XP only) low-level keyboard driver interface that bypasses the standard Windows user-level interface and sends keystrokes directly to the application, in the same way that a number of OTFE packages directly access the keyboard driver to try and evade sniffers. The West Coast Labs tests report that they successfully evade all known sniffers, which doesn't actually mean much since all it proves is that LocalSSL is sufficiently 0-day that none of the sniffers target it yet. The use of SSL to get the keystrokes from the driver to the target app seems somewhat silly, if sniffers don't know about LocalSSL then there's no need to encrypt the data, and once they do know about it then the encryption won't help, they'll just dive in before the encryption happens. Anyone else have any additional information/comments about this? Peter.
TEMPEST PC for sale on ebay
http://cgi.ebay.com/SAIC-V2-Military-Portable-Computer-With-Accessories_W0QQitemZ8707782870QQcategoryZ177QQrdZ1QQcmdZViewItem May possibly run a very cut-down version of Linux, otherwise you'd be stuck with DOS. Peter.
Looking for crypto iButton specs
During a recent discussion about secure crypto device bootstrap and attestation capabilities, I realised that of the three devices for which this was implemented and for which documentation was available (Fortezza, IBM 4758, and Dallas Crypto iButton), I either don't have any documentation for the Crypto iButton or I've filed it under something sufficiently misleading that I can't find it any more. So: Does anyone still have the documentation for the DS1954 Crypto iButton? Note that I specifically mean the DS1954 Crypto iButton before its Javafuxation, which removed the very nice crypto security model and crypto transaction processing/scripting capability. Dallas systematically excised any traces of the pre-Javafuxated version from databooks and web pages, so it'd be a case of someone having a copy archived somewhere. It was a very nice design and I'd like to have some record of it outside the summary I put in my Godzilla security tutorial. (If whoever did the design is reading this, I'd be interested in hearing from them as well). Peter.
Neat security quote
From a private mailing list, therefore anonymised. A European visitor to the US is describing going through the US immigration procedure. His comment on the fingerprinting process:

>I waited at that moment for messages like "freedom is slavery"

The response:

>"Ignorance is strength" already seems to have been adopted...

Peter :-).
Re: Intel Adds DRM to New Chips part 2
DiSToAGe [EMAIL PROTECTED] writes:

>it seems now intel say there is no DRM in their chips.

No, it's very careful to say that there is no *unannounced* DRM in their chips, in the same way that "we have had no undetected penetrations of our security".

Peter.
Checkbox security
http://news.yahoo.com/news?tmpl=storyu=/ap/20050607/ap_on_re_us/chain_saw_border

>Man With Chain Saw Allowed to Enter U.S.
>
>On April 25, Gregory Despres arrived at the U.S.-Canadian border crossing at Calais, Maine, carrying a homemade sword, a hatchet, a knife, brass knuckles and a chain saw stained with what appeared to be blood. U.S. customs agents confiscated the weapons and fingerprinted Despres. Then they let him into the United States.

I guess he wasn't on the (possibly-a-)terrorist watchlist so they waved him through.

Peter.
Re: SPKI Certs Usage
Jay Listo [EMAIL PROTECTED] writes:

>I am also not aware of any products or PKIs that use SPKI certs. I would really appreciate if someone could refer me to instances of actual usage of SPKI certs.

They were never really used. The great feature of SPKI is that it's not X.509 (so it's a design fit for a purpose rather than being digital ancestor-worship of failed OSI standards from the 1980s). The great failing of SPKI is that it's not X.509 (it's impossible to get any cert mechanism accepted unless it's called X.509).

Peter.
Re: On the road to truth and madness
>We were somewhere around Barstow on the edge of the desert when the drugs began to take hold.

The following was my variant on this from a few years ago, representing the 56th IETF PKIX meeting minutes. Note that this is from the book form, not the film version of the text:

-- Snip --

We were somewhere in San Francisco on the edge of the 56th IETF when the drugs began to take hold. I remember saying something like "I feel a bit lightheaded; maybe you should take notes." And suddenly there was a terrible roar all around us and the sky was full of what looked like huge OIDs, all swooping and screeching and diving around the RFC, which was about a hundred pages long. And a voice was screaming: "Holy Jesus! Where are these goddamn business cases?"

Then it was quiet again. My attorney had taken his shirt off and was pouring beer into his mouth, to facilitate the PKI standards-creation process. "What the hell are you yelling about?" he muttered, staring up at the neon lights with his eyes closed and covered with wraparound Spanish sunglasses. "Never mind," I said. "It's your turn to figure out the interop requirements." I hit the brakes and dropped the Great Pile of Paperwork at the side of the room. No point mentioning those OIDs, I thought. The poor bastard will see them soon enough.

We had two bags of X.509 standards, seventy-five pages of PKIX mailing list printouts, five sheets of high-powered constraints, a saltshaker half-full of vendor hype, and a whole galaxy of requirements, restrictions, promises, threats... Also, a quart of OSI, a quart of LDAP, a case of XML, a pint of raw X.500, and two dozen PGPs. Not that we needed all that for the trip, but once you get into a serious PKI RFC binge, the tendency is to push it as far as you can. The only thing that really worried me was the X.500. There is nothing in the world more helpless and irresponsible and depraved than a man in the depths of an X.500 binge, and I knew we'd get into that rotten stuff pretty soon.

-- Snip --

Peter.
Re: I'll show you mine if you show me, er, mine
R.A. Hettinga [EMAIL PROTECTED] forwarded:

>Briefly, it works like this: point A transmits an encrypted message to point B. Point B can decrypt this, if it knows the password. The decrypted text is then sent back to point A, which can verify the decryption, and confirm that point B really does know point A's password. Point A then sends the password to point B to confirm that it really is point A, and knows its own password.

Isn't this a Crypto 101 mutual authentication mechanism (or at least a somewhat broken reinvention of such)? If the exchange to prove knowledge of the PW has already been performed, why does A need to send the PW to B in the last step? You either use timestamps to prove freshness or add an extra message to exchange a nonce and then there's no need to send the PW. Also in the above B is acting as an oracle for password-guessing attacks, so you don't send back the decrypted text but a recognisable-by-A encrypted response, or garbage if you can't decrypt it, taking care to take the same time whether you get a valid or invalid message to avoid timing attacks. Blah blah Kerberos blah blah done twenty years ago blah blah a'om bomb blah blah.

(Either this is a really bad idea or the details have been mangled by the Register).

Peter.
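The exchange picked apart in the post above, as an added example that is not part of the original message, of The Register's article, or of the product it described. Everything in it is hypothetical: a toy HMAC-SHA256 keystream stands in for whatever cipher the real product used, the function and message names are mine, and the password "hunter2" and the wordlist are constructed test data. The first half runs the three messages as described (B hands back the decrypted text, A then sends the password) and mounts both guessing attacks the post alludes to, a passive one against the recorded transcript and an active one that uses B as a decryption oracle. The second half is the nonce-based mutual challenge/response the post recommends instead: a MAC proves knowledge of the password on each side, nothing secret crosses the wire, comparison is constant-time, and a failed check produces same-length garbage rather than an error.

```python
import hashlib
import hmac
import os
import secrets

# Hypothetical toy implementations for illustration; not code from either party.

def derive_key(password: str) -> bytes:
    """Naive password-to-key step (bare hash). A real design would use a stretched KDF."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode as keystream, XORed with the data.
    Encrypt and decrypt are the same call. Stands in for the product's unknown cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


# --- The scheme as The Register describes it ---------------------------------------

def broken_responder(key_b: bytes, msg1: bytes) -> bytes:
    """B decrypts whatever arrives and returns the plaintext: a decryption oracle."""
    nonce, ciphertext = msg1[:16], msg1[16:]
    return stream_xor(key_b, nonce, ciphertext)


def broken_protocol(password_a: str, password_b: str):
    """Runs the three-message exchange. Returns (wire transcript, whether A accepted)."""
    key_a, key_b = derive_key(password_a), derive_key(password_b)
    nonce = os.urandom(16)
    challenge = secrets.token_bytes(16)
    msg1 = nonce + stream_xor(key_a, nonce, challenge)       # A -> B: E_pw(m)
    msg2 = broken_responder(key_b, msg1)                      # B -> A: m, in the clear
    accepted = msg2 == challenge                              # plain ==, not constant-time
    msg3 = password_a.encode("utf-8") if accepted else b""   # A -> B: the password itself
    return [msg1, msg2, msg3], accepted


def offline_guess(transcript, wordlist):
    """Passive attack: msg1/msg2 are a known ciphertext/plaintext pair under the
    password-derived key, so every dictionary word can be tested without contacting B."""
    msg1, msg2, _ = transcript
    nonce, ciphertext = msg1[:16], msg1[16:]
    for guess in wordlist:
        if stream_xor(derive_key(guess), nonce, ciphertext) == msg2:
            return guess
    return None


def online_guess(key_b: bytes, wordlist):
    """Active attack: impersonate A, encrypt a known value under each guess, and let B's
    decryption oracle confirm the right one. One round trip per guess, no password needed."""
    probe = b"\x00" * 16
    for guess in wordlist:
        nonce = os.urandom(16)
        msg1 = nonce + stream_xor(derive_key(guess), nonce, probe)
        if broken_responder(key_b, msg1) == probe:
            return guess
    return None


# --- Nonce-based mutual challenge/response (the Crypto 101 version) ---------------

def tag(key: bytes, role: bytes, n_a: bytes, n_b: bytes) -> bytes:
    """MAC over both nonces plus a role byte, so B's answer cannot be replayed as A's."""
    return hmac.new(key, role + n_a + n_b, hashlib.sha256).digest()


def fixed_protocol(password_a: str, password_b: str):
    """Returns (wire transcript, whether both sides authenticated each other)."""
    key_a, key_b = derive_key(password_a), derive_key(password_b)
    n_a = os.urandom(16)                                  # A -> B: fresh nonce
    n_b = os.urandom(16)
    msg2 = n_b + tag(key_b, b"B", n_a, n_b)               # B -> A: nB, MAC_K("B"|nA|nB)
    a_ok = hmac.compare_digest(msg2[16:], tag(key_a, b"B", n_a, n_b))
    # A proves knowledge with a MAC, never the password; on failure it emits garbage of
    # the same length instead of an error, the behaviour the post suggests for B too.
    msg3 = tag(key_a, b"A", n_a, n_b) if a_ok else os.urandom(32)   # A -> B
    b_ok = hmac.compare_digest(msg3, tag(key_b, b"A", n_a, n_b))
    return [n_a, msg2, msg3], a_ok and b_ok
```

Run against a matching password pair, the broken transcript gives the password up twice: once to a dictionary search over the msg1/msg2 pair, once verbatim in msg3. The nonce-based version removes both leaks and the oracle, but is still only as strong as the password, since an eavesdropper can test guesses against the recorded MACs offline; that is why a real design replaces the bare SHA-256 in derive_key with a stretched KDF such as PBKDF2 or, better, uses a password-authenticated key exchange, which goes beyond what the post discusses.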
Re: How to Stop Junk E-Mail: Charge for the Stamp
Barry Shein [EMAIL PROTECTED] writes:

>Eventually email will just collapse (as it's doing) and the RBOCs et al will inherit it and we'll all be paying 15c per message like their SMS services.

And the spammers will be using everyone else's PC's to send out their spam, so the spam problem will still be as bad as ever but now Joe Sixpack will be paying to send it. Hmmm, and maybe *that* will finally motivate software companies, end users, ISPs, etc etc, to fix up software, systems, and usage habits to prevent this.

Peter.
RE: Dell to Add Security Chip to PCs
Erwann ABALEA [EMAIL PROTECTED] writes:

>I've read your objections. Maybe I wasn't clear. What's wrong in installing a cryptographic device by default on PC motherboards? I work for a PKI 'vendor', and for me, software private keys are a nonsense.

A simple crypto device controlled by the same software is only slightly less nonsensical. That is, the difference between software-controlled keys and a device controlling the keys that does anything the software tells it to is negligible. To get any real security you need to add a trusted display, I/O system, clock, and complete crypto message-processing capability (not just generate a signature like the current generation of smart cards do), and that's a long way removed from what TCPA gives you.

>You could obviously say that Mr Smith won't be able to move his certificates from machine A to machine B, but more than 98% of the time, Mr Smith doesn't need to do that.

Yes he will. That is, he may not really need to do it, but he really, really wants to do it. Look at the almost-universal use of PKCS #12 to allow people to spread their keys around all over the place - any product aimed at a mass-market audience that prevents key moving is pretty much dead in the water.

>Installing a TCPA chip is not a bad idea.

The only effective thing a TCPA chip gives you is a built-in dongle on every PC. Whether having a ready-made dongle hardwired into every PC is a good or bad thing depends on the user (that is, the software vendor using the TCPA device, not the PC user).

Peter.
RE: Dell to Add Security Chip to PCs
Tyler Durden [EMAIL PROTECTED] writes:

>That chip...is it likely to be an ASIC or is there already such a thing as a security network processor? (ie, a cheaper network processor that only handles security apps, etc...) Or could it be an FPGA?

Neither. Currently they've typically been smart-card cores glued to the MB and accessed via I2C/SMB.

Peter.
Re: Unintended Consequences
Steve Furlong [EMAIL PROTECTED] writes:

>I tried, years before _UC_ came out, to get some friends to name their daughter Chlamydia. They didn't know what the word meant, but for some reason didn't trust my advice. Nor did they like Pudenda.

One of the characters in Hercules Returns is called Labia, and lives in the town of Chlamydia. There are a number of other characters with similar names.

Peter.
Re: Anti-RFID outfit deflates Mexican VeriChip hype
R.A. Hettinga [EMAIL PROTECTED] forwarded:

>Promoting implanted RFID devices as a security measure is downright 'loco,' says Katherine Albrecht. Advertising you've got a chip in your arm that opens important doors is an invitation to kidnapping and mutilation.

Since kidnapping is sort of an unofficial national sport in Mexico (or at least Mexico City), this is particularly apropos. An implanted RFID seems to be just asking for an express kidnap, something more traditionally used to get money from ATMs.

Peter.
Re: Cell Phone Jammer?
Tyler Durden [EMAIL PROTECTED] writes:

>Anyone know from first-hand experience about cellphone jammers? I need...
>
>1) A nice little portable, and

Try the SH066PL, a nice portable that looks exactly like a cellphone, it's one of the few portables I know of.

>2) A higher-powered one that can black out cell phone calls within, say, 50 to 100 feet of a moving vehicle.

Google is your friend, there are tons of these around, with varying degrees of sophistication. These are definitely not portable, taking several amps at 6-12V to power them. None of them are exactly cheap.

Peter.
Re: This Memorable Day
ken [EMAIL PROTECTED] writes:

>James A. Donald wrote:
>
>>So far the Pentagon has shattered the enemy while suffering casualties of about a thousand, which is roughly the same number of casualties as the British empire suffered doing regime change on the Zulu empire - an empire of a quarter of a million semi naked savages mostly armed with spears.
>
>Be fair. They had a trained and disciplined army. Most of whom would obey orders to the death. That's worth a hell of a lot in battle.

You also had to look at what they were up against. Witness the complete massacre at Isandlwana (the classic Zulu bull-and-horns overran the British camp because the troops were too far away from their ammunition to resupply, no doubt copying Elphinstone's tactic in Afghanistan) vs. post-Isandlwana use of Gatling batteries and massed field artillery (some of which was converted Naval artillery), e.g. Ulundi, where post-battle reports were of piles of Zulu dead mown down by Gatlings. The British only thought that the Zulus were just semi-naked savages until Isandlwana.

Peter.
Re: In a Sky Dark With Arrows, Death Rained Down
James A. Donald [EMAIL PROTECTED] writes:

>I find this very hard to believe. Post links, or give citations.

Normally I'd dig up various refs, but since this topic has been beaten to death repeatedly in places like soc.history.medieval, and the debate could well go on endlessly in the manner of the standard "What would have happened if the North/South had done X?", I'll just handwave and invite you to dig up whatever sources you feel like yourself.

>>(There were other problems as well, e.g. the unusually high death toll and removal of ancient aristocratic lineages was caused by English commoners who weren't aware of the tradition of capturing opposing nobles and having them ransomed back, rather than hacking them to pieces on the spot.
>
>Wrong. French nobles were taken prisoner in the usual fashion, but executed because the English King commanded them executed.

Nobles expected to surrender to other nobles and be ransomed. Commoners didn't respect this, and almost never took prisoners. Henry's orders didn't make that much difference, at best they were a "we'll turn a blind eye" notification to his troops. When you have English commoner men-at-arms (front row) meeting French nobles (front row, hoping to nab Henry and other for-ransom nobles, and to some extent because it was unseemly to let the commoners do the fighting, although they should have learned their lesson for that at Courtrai) there's going to be a bloodbath no matter what your leader orders. For the peasants it's "get him before he gets me", not a chivalric jousting match for the landed gentry. In addition the enemy nobles had weapons and armour that was worth something, while a ransom was useless to a non-noble (if Bob the Archer did manage to capture Sir Fromage, his lord would grab him, collect the ransom, and perhaps throw Bob a penny for his troubles).

(There's a lot more to it than that, but I really don't want to get into an endless debate over this. Take it to soc.history if you must, and if anyone's still interested in debating this there).

Peter.
Re: In a Sky Dark With Arrows, Death Rained Down
James A. Donald [EMAIL PROTECTED] writes:

>Peter Gutmann wrote:
>
>>Nobles expected to surrender to other nobles and be ransomed. Commoners didn't respect this, and almost never took prisoners. Henry's orders didn't make that much difference, at best they were a "we'll turn a blind eye" notification to his troops.
>
>The English army was well disciplined, and in battle did what it was told. About half way through the battle of Agincourt, King Henry decided he could not afford so many troops guarding so many prisoners, and told them kill-em-all. Nobility had nothing to do with it. It did not matter who took you prisoner.

As I said in my previous message, this is the topic of endless debate, and in particular the high death toll among the nobles could have arisen from any number of causes. For example at Crecy the French king (Philip the something'th) had the oriflamme (French war banner indicating that no prisoners could be taken) displayed because he was worried that the gold-rush for enemy nobles to ransom would screw up the French battle order, resulting in huge losses when the French ended up at the losing end. There's speculation that they did the same thing at Agincourt, because no French chronicler of the time raised even a murmur about the killings. So something like that could have been just as much the cause as any order given by Henry V to dispatch leftovers after the battle (for example the mass slaughter of the first and second lines (battles) of French, bogged down in mud (the battle was fought in a rain-soaked freshly-ploughed field), by English commoners occurred very early in the battle, while the killing of stragglers under Henry's orders didn't happen until the following day, or the very end of the battle for prisoners).

If you really want to continue this, please do it in soc.history.medieval, there are already thousand-odd-message threads going over every nuance of this.

Peter.
Re: In a Sky Dark With Arrows, Death Rained Down
R.A. Hettinga [EMAIL PROTECTED] writes:

> These were not the sort of sporting arrows skillfully shot toward gayly colored targets by Victorian archery societies (charmingly described by Mr. Soar in later chapters) but heavy bodkin pointed battle shafts that went through the armor of man and horse.

That's the traditional Agincourt interpretation. More modern ones (backed up by actual tests with arrows of the time against armour, in which the relatively soft metal of the arrows was rather ineffective against the armour) tend to favour the muddy ground trapping men and horses, lack of room to manoeuver/compression effects, and arrows killing horses out from under the knights, at which point see the muddy ground section. Obviously the machine-gun effect of the arrows was going to cause a number of minor injuries, and would be lethal to unarmoured troops, but they weren't quite the wonder-weapon they're made out to be.

(There were other problems as well, e.g. the unusually high death toll and removal of ancient aristocratic lineages was caused by English commoners who weren't aware of the tradition of capturing opposing nobles and having them ransomed back, rather than hacking them to pieces on the spot. Again, arrows didn't have much to do with the loss of so many nobles).

Peter.
Re: This Memorable Day
Tiarnán Ó Corráin [EMAIL PROTECTED] writes:

> The Russians (for example) conquered Hitler's capital, Berlin. And I believe the Russian zone in Germany was larger than any of the others, reflecting the fact that Stalin bore most of the entire burden of defeating Germany, uncomfortable as it may be.

The figure that's usually quoted is that 80% of Germany's military force was directed against Russia. Of the remaining 20%, a lot had already been engaged by France, the UK (via the BEF, the RAF, North Africa), Greece, etc etc before the US got involved in Europe. So the Russians should get most of the credit.

Peter.
Re: This Memorable Day
James A. Donald [EMAIL PROTECTED] writes:

> But it is hardly a matter of holding out. So far the Pentagon has shattered the enemy while suffering casualties of about a thousand,

We're talking about different things, the War on Bogeymen vs. the War for Oil. In its war on bogeymen, the most notable thing the USG has achieved to date is to create vastly more of them. Its strategy is about as effective as the paras were on Bloody Sunday, i.e. its actions serve mostly as a recruitment drive for the opposition:

  "I swear by Almighty God [...] to fight until we die in the field of red gore of the infidel tyrants and murderers. Of our glorious faith, if spared to fight until not a single trace is left to tell that the Holy soil of our country was trodden by these infidels. Also these robbers and brutes, these unbelievers of our faith, will be driven into the sea, by fire, the knife or by poison cup until we of the true faith clear these infidels from our lands."

(Whoever wrote the original was definitely no English lit major).

Peter.
Re: This Memorable Day
R.A. Hettinga [EMAIL PROTECTED] writes:

> Germany 1944 does not equal USA 2004, no matter how hard you twist the kaleidoscope.

Fighting an unwinnable war always seems to produce the same type of rhetoric, whether it's the war on some drugs, the war on anyone Bush doesn't like, or the war on anything non-German. The only thing that changes over time is the identities of the bogeymen that are used to justify it.

(Do you seriously think the war on bogey^H^H^Hterrorism can ever be won? Leaving aside the obvious debate that you can't even tell who you're at war with, how do you know when you've won? We have always been at war with Terroristia).

Peter.
Re: This Memorable Day
Eugen Leitl [EMAIL PROTECTED] writes:

> On Tue, Nov 02, 2004 at 08:16:41AM -0500, R. A. Hettinga wrote:
> > http://online.wsj.com/article_print/0,,SB109936293065461940,00.html
>
> No cypherpunks content. Just local politics.

And it's not even original, they've mostly just translated it into English, updated it a bit (e.g. League of Nations -> UN), and changed the Russian names and references to Middle Eastern ones.

Peter.
Re: This Memorable Day
R.A. Hettinga [EMAIL PROTECTED] writes:

> At 3:32 AM +1300 11/3/04, Peter Gutmann wrote:
> > Eugen Leitl [EMAIL PROTECTED] writes:
> > > On Tue, Nov 02, 2004 at 08:16:41AM -0500, R. A. Hettinga wrote:
> > > > http://online.wsj.com/article_print/0,,SB109936293065461940,00.html
> > >
> > > No cypherpunks content. Just local politics.
> >
> > And it's not even original, they've mostly just translated it into English, updated it a bit (e.g. League of Nations -> UN), and changed the Russian names and references to Middle Eastern ones.
>
> Yup. That's Davis' point, actually. Fuck with the West, we kick your ass.

Well it wasn't the point I was trying to make, which was comparing it to predictions made by (the propaganda division of) another super-power in the mid 1940s about winning an unwinnable war because God/righteousness/whatever was on their side, and all they had to do was hold out a bit longer. Compare the general tone of the WSJ article to the one in e.g. the first half of http://www.humanitas-international.org/showcase/chronography/documents/htestmnt.htm.

Peter.
Re: Cyclotrimethylene trinitramine
John Young [EMAIL PROTECTED] writes:

> Generously, the US government offers a complete set of photos, drawings, process diagrams and descriptions for an RDX manufacturing plant. Library of Congress has the info in its Historic American Engineering Record.

It's not all too hard to make from hexamine (although quite inefficient, the bulk manufacture isn't done that way) for someone with access to a bit of chemical equipment. I couldn't believe the fuss they're making over this, it's just another HE, although more brisant than most. The story is about as interesting as "Stick of dynamite discovered in Baghdad parking lot", the media is making it sound like someone's absconded with a live nuke. I guess they couldn't spend the necessary 30 seconds or so it'd take to look it up somewhere and see what was involved.

Peter.
Re: Cash, Credit -- or Prints?
Alan Barrett [EMAIL PROTECTED] writes:

> On Tue, 12 Oct 2004, John Kelsey wrote:
> > but there doesn't seem to be a clean process for determining how skilled an attacker needs to be to, say, scan my finger once, and produce either a fake finger or a machine for projecting a fake fingerprint into the reader.
>
> ... or a replacement reader that fakes the signals to the rest of the security system.

I've seen a number of smart card/PCMCIA combo devices that do this, they have a discrete fingerprint sensor device connected to a discrete crypto device. You can fake out the fingerprint check portion by tying one of the connecting lines to Vcc or GND.

Peter.
At least there's some (attempt at) common sense in airline security
http://www.nzherald.co.nz/storydisplay.cfm?storyID=3600794&thesection=news&thesubsection=general

  Ease off says air security boss
  15.10.2004

  Security on domestic flights is too strict and should be downgraded, says the head of the Aviation Security Service. General manager Mark Everitt, a former police detective with 21 years' experience, said if he had his way passengers would be able to take Swiss Army knives and other small, sharp objects on board domestic flights.

  "I'm actually an advocate for letting these things back on the aircraft. It's time to back up a little," he told delegates at the Police Association's annual conference yesterday.

  But New Zealand had to meet international security standards and his personal view was not enough to instigate a review of security standards. Knowing levels of risk was the key to ensuring flights were safe, said Mr Everitt. The banning of small knives did not stop attacks in the air.

  [...]
Vote-counting glitch in NZ local elections
Looks like you can mess up voting even if there is a paper trail. These are paper votes that are electronically counted, so the problem was in the electronic processing, not the actual voting procedure.

http://www.nzherald.co.nz/storydisplay.cfm?storyID=3600391&thesection=news&thesubsection=general&thesecondsubsection=&reportid=1162640

  Let me count the ways ...
  14.10.2004

  [...]

  An electronic processing and counting botch-up has left the results for seven city and district councils and 18 district health boards up in the air. Final results, due yesterday, have been delayed indefinitely.

  Mr Carter blamed the company Datamail, which was contracted by Electionz.com - the company hired by many councils to manage their elections - to count the votes from electronically scanned voting papers.

  [...]

Peter.
Re: Foreign Travelers Face Fingerprints and Jet Lag
R. A. Hettinga [EMAIL PROTECTED] writes:

> NEWARK, Sept. 30 - Laetitia Bohn walked into Newark Liberty International Airport on Thursday, dazed and sleepy after an eight-hour flight from Paris, and was jolted from her reverie when an immigration officer asked for her photograph and fingerprints along with her passport.

The US now has the dubious distinction of being more obnoxious to get through the borders than the former East Germany (actually even without this measure, the checks had become at least as obnoxious as the East German ones). I wonder whether the next step will be building a wall...

Peter (who'll be thinking really hard about any future conference trips to the US).
Re: Foreign Travelers Face Fingerprints and Jet Lag
Steve Furlong [EMAIL PROTECTED] writes:

> On Sun, 2004-10-03 at 05:18, Peter Gutmann wrote:
> > The US now has the dubious distinction of being more obnoxious to get through the borders than the former East Germany (actually even without this measure, the checks had become at least as obnoxious as the East German ones). I wonder whether the next step will be building a wall...
>
> Rein in the overheated rhetoric. The East German state built their wall to keep the East Germans from leaving, while the US policies are meant to keep out a demonstrated threat.

I never made any comment about who's keeping what in or out (the wall was officially an "anti-fascist protection barrier", also meant to keep out a demonstrated threat). What I was pointing out was that having been through both East German and US border controls, the US ones were more obnoxious.

Peter.
Re: Forest Fire responsible for a 2.5mi *mushroom cloud*?
Major Variola (ret) [EMAIL PROTECTED] writes:

> AN is extremely deliquescent; perhaps the sulphate was for that?

No, it was specifically required as a desensitiser by the European nitrogen cartel, since they felt the pure nitrate was too dangerous for processing into fertiliser.

> Removing chunks with dynamite is trying rather hard for a Darwin award.

As I said, at the time its explosive properties weren't known so this wasn't unreasonable. There are numerous stories of multi-thousand-ton ammonium nitrate piles burning for hours without exploding (Oppau was the first time there was any significant explosion involving it). Even after Texas City, there were cases of (embarrassed) firefighters watching warehouses full of ammonium nitrate quietly burn to the ground without incident.

Peter.
Re: Forest Fire responsible for a 2.5mi *mushroom cloud*?
J.A. Terranson [EMAIL PROTECTED] writes:

> Wow! I had no idea ammonium nitrate (ANFO for all intents and purposes, yes?) could produce that kind of result! How much was there?

4,500 tons, of which only 10% detonated. (The nitrate was desensitised with ammonium sulfate and stored outside, whenever anyone needed any they'd drill holes and blast off chunks with dynamite. Ammonium nitrate has a complex chemical reaction that wasn't really understood until after the Texas City disaster in 1947, there had previously been fires in several bulk ammonium nitrate stores without any explosions. At Oppau it was assumed that amatol (a standard military explosive, ammonium nitrate + TNT) had somehow got into the piles and that was what caused the explosion).

Peter.
Re: Forest Fire responsible for a 2.5mi *mushroom cloud*?
Eugen Leitl [EMAIL PROTECTED] writes:

> About 4.5 kT of 50:50 ammonium nitrate/ammonium sulfate mix. One of the largest, if not *the* largest nonnuclear explosions ever.

The largest man-made explosion is usually claimed to be Halifax (about 3000 tons of assorted HE's), but there are a pile of others that also count: Oppau, Texas City, Port Chicago, Lake Denmark, Silvertown, Fauld (more explosives involved than Halifax, but less loss of life, so Halifax seems to get all the publicity), etc etc etc.

Peter.
Cheesecloth security for hard drives
Globalwin has just introduced an external hard drive enclosure (http://www.htpcnews.com/main.php?id=dorri_1) with built-in 40-bit DES encryption (and if it's the HW I think it is, that's 40-bit DES in ECB mode, and the vendor generates the key for you).

Peter.
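As an added example (not from the post, Globalwin, or any vendor code), here is the check an auditor would run against such an enclosure: count repeated 8-byte ciphertext blocks in an encrypted image, which is what ECB mode leaks regardless of key length. DES is not in the Python standard library, so a keyed SHA-256-based block function stands in for it (constructed, not a real cipher); ECB's leak depends only on the per-block mapping being deterministic, so a CTR-style variant of the same stand-in shows the contrast.

```python
"""Detect ECB-mode structure leakage in an encrypted disk image.

Added example. The block function below is a constructed stand-in for
DES (same 8-byte block size); it is deterministic per (key, block), which
is the only property ECB's weakness relies on.
"""
import hashlib
from collections import Counter

BLOCK = 8  # DES block size in bytes


def stand_in_block(key: bytes, block: bytes) -> bytes:
    """Constructed 8-byte block function standing in for DES (NOT a real
    cipher, not invertible): a fixed key and block always give the same output."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def encrypt_ecb(key: bytes, data: bytes) -> bytes:
    """ECB: every block is encrypted independently under the same key, so
    equal plaintext blocks become equal ciphertext blocks."""
    if len(data) % BLOCK:
        raise ValueError("data must be a whole number of blocks")
    return b"".join(stand_in_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def encrypt_ctr(key: bytes, data: bytes) -> bytes:
    """CTR-style stand-in: XOR each block with a keystream block derived from
    the key and the block index, so equal plaintext blocks differ on disk."""
    out = bytearray()
    for n, i in enumerate(range(0, len(data), BLOCK)):
        keystream = stand_in_block(key, n.to_bytes(BLOCK, "big"))
        out += bytes(p ^ k for p, k in zip(data[i:i + BLOCK], keystream))
    return bytes(out)


def repeated_block_ratio(ct: bytes, block: int = BLOCK) -> float:
    """Fraction of ciphertext blocks that exactly repeat an earlier block.
    Near 0 for a sound mode on structured data; high for ECB."""
    usable = len(ct) - len(ct) % block
    blocks = [ct[i:i + block] for i in range(0, usable, block)]
    if not blocks:
        return 0.0
    repeats = sum(count - 1 for count in Counter(blocks).values())
    return repeats / len(blocks)


def sample_disk_image() -> bytes:
    """Constructed stand-in for a partly used filesystem: four file-table
    entries, a run of zero-filled unused sectors, then 32 distinct blocks."""
    entry = b"FILE0001" + b"\x00" * 8 + b"DATADATA"
    return entry * 4 + b"\x00" * 512 + b"".join(bytes([i]) * 8 for i in range(32))


def compare_modes(key: bytes = b"vendor-chosen-key") -> dict:
    """Repeated-block ratio of the sample image under ECB and under CTR."""
    img = sample_disk_image()
    return {
        "ecb": repeated_block_ratio(encrypt_ecb(key, img)),
        "ctr": repeated_block_ratio(encrypt_ctr(key, img)),
    }


if __name__ == "__main__":
    for mode, ratio in compare_modes().items():
        print(f"{mode}: {ratio:.1%} of ciphertext blocks are repeats")
```

On the constructed image the ECB ratio is about 68%, i.e. the file-table entries and the unused sectors are plainly visible in the ciphertext, while the CTR stand-in shows no repeats at all.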
Re: TERRORISTS ARE AMONG US! (Was: A close look at John Kerry's *real* tech agenda )
> The threats on New York, New Jersey and Washington DC serve as a reminder that the terrorists are among us here at home.

He went on to remind citizens to stay alert, trust no-one, and keep their lasers handy.

Peter.
Re: Giesecke Devrient
Eugen Leitl [EMAIL PROTECTED] writes:

> Assuming I generate a key on a RSA smart card made by GD, what kind of prestige track do these people have? They seem to be pretty secretive, that's not a good sign.

GD produce (or help produce) things like banknotes and passports (and have been doing so for more than a century), the secrecy comes with the territory.

Peter.
Re: Giesecke Devrient
Eugen Leitl [EMAIL PROTECTED] writes:

> I have no smart card background, unfortunately. I've heard GD ignores requests from open source developer people, though.

Yup. It's standard banking-industry stuff, unless you're a large bank/government/whatever and are prepared to sign over your firstborn and swear eternal secrecy, they won't talk to you.

> Are keywords like STARCOS SPK2.3 (Philips P8WE5032 chip), ITSEC E4 certification (with StarCert v 2.2.) etc. associated with a good security track?

They're associated with good buzzword-compliance. Since it's impossible to get any technical details out of them, it's rather hard to say. If you've got something like a PKCS #11 driver off them then you should be OK, but if you want to do any low-level work with the card yourself, find another vendor.

> Features

Nothing you can't get from a pile of other vendors who will actually talk to you. Unless you've got some business reason to deal with them, I wouldn't bother (I have nothing against them per se, they just do business in a way that isn't useful to me... and I'm sure they think the same of me).

Peter.
Re: Texas oil refineries, a White Van, and Al Qaeda
Justin [EMAIL PROTECTED] writes:

> HOUSTON (Reuters) - Law enforcement officials said on Monday they are looking for a man seen taking pictures of two refineries in Texas City, Texas.

At Usenix Security a few years back, we [a bunch of random security people, most of whom were foreign nationals] drove around Buckley AFB taking photos of the radomes, SCIF, etc etc. As we were doing this, we noticed a Chinese national doing the same thing. We wondered what the etiquette for this was, do we exchange business cards, offer to trade photos, etc etc? This was before 9/11, no-one took any notice of us at the time.

Peter.
Re: Texas oil refineries, a White Van, and Al Qaeda
Tyler Durden [EMAIL PROTECTED] writes:

> *: A year or two ago someone posted about the blow up of Texas City back in the early 1950s.

1947.

> Apparently, some kind of tanker hit something else and set off a chain reaction killing thousands and wiping out the town

After several earlier events (the biggest being Oppau in Germany in 1921, which left a crater the size of a city block), fire safety folk were given an incentive to discover the true chemistry of ammonium nitrate. Google for "Texas City" + "Grandcamp" (the ship carrying the ammonium nitrate) for the full story.

Peter.
Re: vacuum-safe laptops ?
Thomas Shaddack [EMAIL PROTECTED] writes:

> There are many various embedded computers available on the market, eg. the one from http://www.gumstix.com/. (Question for the crowd: anybody knows other comparable or better Linux-ready affordable embedded computer solutions?)

When I investigated this a while back, gumstix were about the best deal. They also have pretty good support, it's a small company and the techies directly answer queries on mailing lists.

Peter.
Re: UBL is George Washington
Tyler Durden [EMAIL PROTECTED] writes:

> If they took out a few key COs downtown one morning the effect on the economy would be significant.

It depends on what your goal is. As someone else on this list pointed out, terrorism is just another form of PR. If OBL took out (say) that huge ATT CO in the center of Manhattan (the skyscraper that looks like something out of a SF film), every cellphone user in the country who's had any dealings with ATT would help him pack the explosives. Sure, there'd be some economic damage, but Joe Sixpack would barely notice, and certainly wouldn't care. OTOH the WTC had enough significance and enough lives involved that everyone had to sit up and take notice. He knew exactly what target to hit to create the biggest mess (I offer the results in the last two years as proof).

Peter.
Re: UBL is George Washington
Anonymous [EMAIL PROTECTED] writes: But asymm warfare has to accomplish its goal. It's not being very successful. It's been extraordinarily successful. The US is driving itself (and a lot of the rest of the world) nuts with terrorists-under-the-beds paranoia. I recently saw a replay of some speech that Bush made shortly after 9/11 where he said something about the terrorists wanted to demoralise? frighten? us. This has failed, and my reaction was Who are you kidding?. The terrorists have achieved their goals, and then some. The correct response would have been what the UK did in WWII, which was business as usual to let the opposition know that they couldn't be intimidated. In contrast, all Bush is doing is telling them which buttons to push. Peter.
Re: [IP] When police ask your name,
At 01:53 AM 6/25/2004, Eugen Leitl wrote: The transcription rules for furriner names are strict, too. No Phn'glui M'gl wna'f, Cthulhu R'lyeh Wgha Nagl Ftaghn for you. Just as well. They'd probably make you fill the form out in triplicate, In his house at R'lyeh, dead Cthulhu waits knitting? I think a few typos may have crept into that one. and that could be unwise No, you're thinking of Hast(%#^ Error: No route to host.
Re: crypto on *really* cheap hardware
I presume most people have by now read Cringely's piece on hacked Linux for Linksys WRT54G (and clones): [...] It does VoIP, prioritizes traffic, has currently VPN pass-through and will do IPsec on future mesh-supporting firmware. You forgot to mention sometimes it'll stay up for as long as several hours before crashing/locking up. I guess this is a security feature, if someone breaks in they'll only be able to use it for a short time before it locks up or crashes. Peter (who doesn't own one, but has heard horror stories from owners).
Re: Breaking Iranian Codes (Re: CRYPTO-GRAM, June 15, 2003)
R. A. Hettinga [EMAIL PROTECTED] forwarded: So now the NSA's secret is out. The Iranians have undoubtedly changed their encryption machines, and the NSA has lost its source of Iranian secrets. But little else is known. Who told Chalabi? Only a few people would know this important U.S. secret, and the snitch is certainly guilty of treason. Someone (half-)remembered reading the Crypto AG story in the Baltimore Sun several years ago, bragged to Chalabi that the US had compromised Iranian crypto, and the story snowballed from there. The story could have started out with a loquacious (Sun-reading) cab driver for all we know. Some reports have suggested the source was drunk, so maybe it was a drunk in a bar. Maybe Chalabi read the story himself and invented the snitch to make it seem more important than it was, or to drive the US security community nuts with an orgy of internal witch-hunting. Given the lack of further information, it could have been just about anything. Peter.
The life of a Kiwi contractor in Iraq
There's an interesting look at the situation in Iraq from the point of view of a third-party contractor, in an article in the Sunday Star Times, http://www.stuff.co.nz/stuff/sundaystartimes/0,2106,2908644a6442,00.html. Most quotable quote: The thing that pisses us off is the Yanks had no idea what to do after they'd taken out the Iraqi army. They rocked on in, took them out and then thought: OOh shit, what do we do now? Peter.
Re: Fortress America mans the ramparts
Major Variola (ret) [EMAIL PROTECTED] writes: PS: what happens if your passport's chip doesn't work? Do you get sent back and the airline fined $10K? Do you wait extra time while the still-readable passport number indexes your record online? How much extra time? (Anyone have experience with domestic eg traffic pigs discovering that your magstrip is corrupted?) Are all chip biometrics encrypted with the same key? How much does that cost on BlackNet these days? How much extra should our Seals Flaps and Documents dept charge? Details are available from sources like http://www.icao.int/mrtd/download/documents/Biometrics%20deployment%20of%20Machine%20Readable%20Travel%20Documents.pdf and http://www.icao.int/mrtd/download/documents/PKI%20Digital%20Signatures.PDF (in general the docs are at http://www.icao.int/mrtd/download/documents/, where MRTD = machine-readable travel documents) although you have to be careful what you reference since they're still frantically updating the designs as they go, so any document will be out of date in a few months. It's also being (as far as I can tell) designed by people with little or no security experience, under intense pressure from the US to Do Something About Security. Early technical drafts I saw (not the generic whitepapers on the site, which are pretty vague) were an appalling pile of kludgery. From what I've heard since then it hasn't gotten any better. I dunno whether this is because the work is being contracted out to the Usual Suspects, who don't know much about the area, or whether they did try and get experienced people in and were told that what they were trying to do wouldn't work and/or couldn't be done in less than 5-10 years. Peter.
Re: Earthlink to Test Caller ID for E-Mail
Eugen Leitl [EMAIL PROTECTED] writes: A way that works would involve passphrase-locked keyrings, and forgetful MUAs (this mutt only caches the passphrase for a preset time). A way that works *in theory* would involve The chances of any vendor of mass-market software shipping an MUA where the user has to enter a password just to send mail are approximately... zero. Filtering for signed/vs. unsigned mail doesn't make sense, authenticating and whitelisting known senders by digital signature makes very good sense. In that case you can just filter by sender IP address or something (anything) that's simpler than requiring a PKI. Again though, that's just another variant of the Build a big wall dream. In order to have perimeter security you first need a perimeter. If the spammer you're trying to defend against is your own mother (because she clicked on an attachment you sent her, it says so in the From: address, that's actually a spam-bot), you don't have a perimeter. All you have is a big pile of Manchurian candidates waiting to bite you. Peter.
Re: Earthlink to Test Caller ID for E-Mail
R. A. Hettinga [EMAIL PROTECTED] writes: If we really do get cryptographic signatures on email in a way that works, expect 80% of all spam to be blown away as a matter of course. I think you mean: If we really do get cryptographic signatures on email in a way that works, expect 80% of all spam to contain legit signatures from hacked PCs. This is just another variation of the To secure the Internet, build a big wall around it and only let the good guys in idea. Peter.
Re: Call to the Usual Suspects
Trei, Peter [EMAIL PROTECTED] writes: I'll be in the SF/SJ area the week of the RSA conference. Anyone interested in getting together for dinner one night? Do these things actually get organised? I thought you just bump into other Cpunks via the usual Brownian motion and at some point someone suggests a place to go, half the participants slope off to an alternative establishment on the way there, and that's how dinner gets arranged. Peter.
Re: FCC vs decentralization
Eugen Leitl [EMAIL PROTECTED] writes: On Fri, Feb 13, 2004 at 04:36:56PM +0100, Thomas Shaddack wrote: FCC recently mandated fees for Internet radio broadcasters, based on the You're hailing from .cz, me from .de. Of what relevance is FCC to us? The RIAA/MPAA and US govt. are working on that. Stand by. Peter.
uATX motherboard with built-in crypto
I just noticed that ABIT have a nice uATX motherboard with a built-in Cavium crypto engine capable of processing up to 400Mbps of IPSec traffic or 3,500 RSA operations per second. Details at http://www.abit-usa.com/products/servers/products.php?categories=4model=69. Peter.
Re: U.S. in violation of Geneva convention?
Nomen Nescio [EMAIL PROTECTED] writes: After WWI the winners humiliated the losers badly. This is one of the main reasons Hitler came to power and got support from the Germans for the aggressions that started the war. He managed to use these feelings of being treated as dogs and paying too heavy for the first war. Also they were very humiliated by the fact that France then occupied part of western Germany. After WWII the winners had learned their lesson from WWI pretty well. Now they did not humiliate the people of Germany like after the first war. We got the Marshall plan and so on. Unfortunately after Gulf War II the winners hadn't learned their lessons from WWII very well. At the end of the war, despite the bombing campaigns, Germany had a vaguely functional administration and (heavily rationed) food, coal, electricity, etc were available. The Allies systematically dismantled all of that, both through apathy (no real planning beyond Move in and occupy the place) and their zeal to rebuild the country in their own image. For example, they prevented anyone who'd ever been a Nazi party member from doing their job. Well the problem was that to do almost anything, you had to be a party member, so they instantly stopped all civil administration, engineering/maintenance work, teachers, the judicial system, the police, you couldn't even deliver the mail without being a party member (since they were government employees). Virtually every male over the age of about 16 had been in the military and had experience with weapons. So you now had a mass of unemployed ex-military who desperately wanted food and clothing, and had access to an almost infinite supply of weaponry. In addition Germany after the war attracted what one of the allied leaders (Eisenhower?) described as the scum of Europe, eager to make a quick buck (in Iraq it's folks eager to beat up the infidels).
This led to sizeable pitched battles between the armed gangs and the occupying military, with the military frequently being outgunned by the gangs. Substitute Germany - Iraq and profit / food - religion / nationalism and the same situation exists today. Peter.