Re: AOL Help : About AOL® PassCode
On Tue, Jan 04, 2005 at 08:44:11PM +, Ian G wrote: | R.A. Hettinga wrote: | | http://help.channels.aol.com/article.adp?catId=6sCId=415sSCId=4090articleId=217623 | Have questions? Search AOL Help articles and tutorials: | . | If you no longer want to use AOL PassCode, you must release your screen | name from your AOL PassCode so that you will no longer need to enter a | six-digit code when you sign on to any AOL service. | | To release your screen name from your AOL PassCode | 1. Sign on to the AOL service with the screen name you want to | release from your AOL PassCode. | | | OK. So all I have to do is craft a good reason to | get people to reset their PassCode, craft it into | a phishing mail and send it out? Nope! All you have to do is exploit your attack and steal money in realtime. A securid has no way to authenticate its server, and what's really needed to stop phishing is server auth. Adam
Re: AOL Help : About AOL® PassCode
On Tue, Jan 04, 2005 at 08:44:11PM +, Ian G wrote: | R.A. Hettinga wrote: | | http://help.channels.aol.com/article.adp?catId=6sCId=415sSCId=4090articleId=217623 | Have questions? Search AOL Help articles and tutorials: | . | If you no longer want to use AOL PassCode, you must release your screen | name from your AOL PassCode so that you will no longer need to enter a | six-digit code when you sign on to any AOL service. | | To release your screen name from your AOL PassCode | 1. Sign on to the AOL service with the screen name you want to | release from your AOL PassCode. | | | OK. So all I have to do is craft a good reason to | get people to reset their PassCode, craft it into | a phishing mail and send it out? Nope! All you have to do is exploit your attack and steal money in realtime. A securid has no way to authenticate its server, and what's really needed to stop phishing is server auth. Adam
Re: Blinky Rides Again: RCMP suspect al-Qaida messages
On Sat, Dec 11, 2004 at 10:24:09PM +0100, Florian Weimer wrote: | * R. A. Hettinga quotes a news article: | | There have been numerous media reports in recent years that terrorist | groups, including al-Qaida, were using steganographic techniques. | | As far as I know, these news stories can be tracked back to a | particular USA Today story. There's also been a bunch of stories how | a covert channel in TCP could be used by terrorists to hide their | communication. There's very good evidence that Al Qaida does *not* use strong crypto. I blogged on this at http://www.emergentchaos.com/archives/000561.html is was the first time I'd given such a talk since 9/11. It wasn't useful after we'd made the decision to stop hemorrhaging money by shutting down the Freedom Network. (That was May or June of 2001.) So I did a fair bit of reading about Al Qaeda's use of crypto. One of the more interesting techniques I found was the 'draft message' method. (http://www.jihadwatch.org/archives/002871.php) It seems consistent that Al Qaeda prefers being 'fish in the sea' to standing out by use of crypto. Also, given the depth and breadth of conspiracies they believe in, it seems that they might see all us cryptographers as a massive deception technique to get them to use bad crypto. (And hey, they're almost right! We love that they use bad crypto.) There's other evidence for this. In particular, the laptops captured have been exploited very quickly, in one case by a Wall St Journal reporter. So rumors of steganography or advanced crypto techniques have a burden of proof on them. And see the link there to Ian Grigg's http://www.financialcryptography.com/mt/archives/000246.html
Re: Blinky Rides Again: RCMP suspect al-Qaida messages
On Sat, Dec 11, 2004 at 10:24:09PM +0100, Florian Weimer wrote: | * R. A. Hettinga quotes a news article: | | There have been numerous media reports in recent years that terrorist | groups, including al-Qaida, were using steganographic techniques. | | As far as I know, these news stories can be tracked back to a | particular USA Today story. There's also been a bunch of stories how | a covert channel in TCP could be used by terrorists to hide their | communication. There's very good evidence that Al Qaida does *not* use strong crypto. I blogged on this at http://www.emergentchaos.com/archives/000561.html is was the first time I'd given such a talk since 9/11. It wasn't useful after we'd made the decision to stop hemorrhaging money by shutting down the Freedom Network. (That was May or June of 2001.) So I did a fair bit of reading about Al Qaeda's use of crypto. One of the more interesting techniques I found was the 'draft message' method. (http://www.jihadwatch.org/archives/002871.php) It seems consistent that Al Qaeda prefers being 'fish in the sea' to standing out by use of crypto. Also, given the depth and breadth of conspiracies they believe in, it seems that they might see all us cryptographers as a massive deception technique to get them to use bad crypto. (And hey, they're almost right! We love that they use bad crypto.) There's other evidence for this. In particular, the laptops captured have been exploited very quickly, in one case by a Wall St Journal reporter. So rumors of steganography or advanced crypto techniques have a burden of proof on them. And see the link there to Ian Grigg's http://www.financialcryptography.com/mt/archives/000246.html
Re: Academics locked out by tight visa controls
On Mon, Sep 20, 2004 at 10:03:57AM -0400, John Kelsey wrote: | Academics locked out by tight visa controls | U.S. SECURITY BLOCKS FREE EXCHANGE OF IDEAS | By Bruce Schneier | | I guess I've been surprised this issue hasn't seen a lot more | discussion. It takes nothing more than to look at the names of the | people doing PhDs and postdocs in any technical field to figure out | that a lot of them are at least of Chinese, Indian, Arab, Iranian, | Russian, etc., ancestry. And only a little more time to find out that | a lot of them are not citizens, and have a lot of hassles with respect | to living and working here. What do you suppose happens to the US | lead in high-tech, when we *stop* drawing in some large fraction of | the smartest, hardest-working thousandth of a percent of mankind? Those people don't get a vote. The politicians in question will be dead and gone before the slope of the curve changes anything. Why *would* we discuss it? Adam the cynic.
Re: Academics locked out by tight visa controls
On Mon, Sep 20, 2004 at 10:03:57AM -0400, John Kelsey wrote: | Academics locked out by tight visa controls | U.S. SECURITY BLOCKS FREE EXCHANGE OF IDEAS | By Bruce Schneier | | I guess I've been surprised this issue hasn't seen a lot more | discussion. It takes nothing more than to look at the names of the | people doing PhDs and postdocs in any technical field to figure out | that a lot of them are at least of Chinese, Indian, Arab, Iranian, | Russian, etc., ancestry. And only a little more time to find out that | a lot of them are not citizens, and have a lot of hassles with respect | to living and working here. What do you suppose happens to the US | lead in high-tech, when we *stop* drawing in some large fraction of | the smartest, hardest-working thousandth of a percent of mankind? Those people don't get a vote. The politicians in question will be dead and gone before the slope of the curve changes anything. Why *would* we discuss it? Adam the cynic.
Re: Textual analysis
On Sun, Dec 14, 2003 at 10:36:02AM -0500, John Kelsey wrote: | Textual analysis correctly identified the author of _Primary Colors_, | though that was from a pretty small field of people with the right level of | inside knowledge. Does anyone know whether there have been real randomized | trials of any of the textual analysis software or techniques? E.g., is Not as far as I know, and I spent a bit of time reading through both Author Unknown, by Don Foster (who named Klien) and Analyzing for Authorship, by Jill Farringdon. Foster is an English professor, and reads the work under analysis, and then works by the potential authors. His technique would be described as intuitive, but the human brain has large power to make linkages. Analysing for Authorship, from the University of Wales press. Analyzing for Authorship really didn't strike me as better. It uses a technique called CUSUM, but the methodology and graphs (as I recall) vary from text to text, and neither I, nor Alice, who read the book for ZKS, wondering if we could build this stuff into a product, was very impressed by it. | It's not obvious to me how you'd change your writing style to defeat these | textual analysis schemes--would it really be as simple as changing the | average length of sentences and getting rid of the big words, or would | there still be ways to determine your identity from that text? I'm | thinking especially of long discussions of technical topics--if I wrote a | five page essay on what to look at when trying to cryptanalyze a new block | cipher, I think it would be hard to keep readers who knew me from having a | pretty good guess about the author, even if I tried changing terms, being | more mathematical and less conversational, etc. (Though this is more of a | problem with humans familiar with my writing style, rather than with | automated analysis.) So, the question boils down to economics. There's how much you need to communicate, how much someone is willing to spend to tag you, and how good their proof needs to be. I suspect that for most purposes, proof does not need to be very strong in relation to your need to communicate. That is, if Tricky Dick thinks you're Deep Throat, or Saddam thinks you're the guy who betrayed him, etc. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Textual analysis
On Sun, Dec 14, 2003 at 10:36:02AM -0500, John Kelsey wrote: | Textual analysis correctly identified the author of _Primary Colors_, | though that was from a pretty small field of people with the right level of | inside knowledge. Does anyone know whether there have been real randomized | trials of any of the textual analysis software or techniques? E.g., is Not as far as I know, and I spent a bit of time reading through both Author Unknown, by Don Foster (who named Klien) and Analyzing for Authorship, by Jill Farringdon. Foster is an English professor, and reads the work under analysis, and then works by the potential authors. His technique would be described as intuitive, but the human brain has large power to make linkages. Analysing for Authorship, from the University of Wales press. Analyzing for Authorship really didn't strike me as better. It uses a technique called CUSUM, but the methodology and graphs (as I recall) vary from text to text, and neither I, nor Alice, who read the book for ZKS, wondering if we could build this stuff into a product, was very impressed by it. | It's not obvious to me how you'd change your writing style to defeat these | textual analysis schemes--would it really be as simple as changing the | average length of sentences and getting rid of the big words, or would | there still be ways to determine your identity from that text? I'm | thinking especially of long discussions of technical topics--if I wrote a | five page essay on what to look at when trying to cryptanalyze a new block | cipher, I think it would be hard to keep readers who knew me from having a | pretty good guess about the author, even if I tried changing terms, being | more mathematical and less conversational, etc. (Though this is more of a | problem with humans familiar with my writing style, rather than with | automated analysis.) So, the question boils down to economics. There's how much you need to communicate, how much someone is willing to spend to tag you, and how good their proof needs to be. I suspect that for most purposes, proof does not need to be very strong in relation to your need to communicate. That is, if Tricky Dick thinks you're Deep Throat, or Saddam thinks you're the guy who betrayed him, etc. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Freedomphone
http://www.wired.com/news/technology/0,1282,61289,00.html?tw=wn_tophead_7 We allow everyone to check the security for themselves, because we're the only ones who publish the source code, said Rop Gonggrijp at Amsterdam-based NAH6. Gonggrijp, who helped develop the software, owns a stake in Germany's GSMK. Alas, the phones are 3500 Euro a pair. At that price it is targeting executives, lawyers and bankers who regularly swap market sensitive information on mergers and lawsuits, and for whom privacy is worth paying for. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Freedomphone
http://www.wired.com/news/technology/0,1282,61289,00.html?tw=wn_tophead_7 We allow everyone to check the security for themselves, because we're the only ones who publish the source code, said Rop Gonggrijp at Amsterdam-based NAH6. Gonggrijp, who helped develop the software, owns a stake in Germany's GSMK. Alas, the phones are 3500 Euro a pair. At that price it is targeting executives, lawyers and bankers who regularly swap market sensitive information on mergers and lawsuits, and for whom privacy is worth paying for. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
FBI, Lackawanna, and lack of informers
http://www.nytimes.com/2003/10/12/nyregion/12LACK.html?hp=pagewanted=printposition= A very long article on the FBI and the 6 fellows in upstate NY who travelled the world to hang out with religious nutballs. One of the most interesting things about the case is that the FBI did not catch these folks; they were turned in by someone having second thoughts. That fellow, who then turned informer, is in jail anyway. Bad informer management, but no one asked me. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Mexifornia Driver's License
On Mon, Sep 15, 2003 at 04:07:02PM -0700, Bill Stewart wrote: | Tim May wrote: | http://vikingphoenix.com/immigration/davis_sign_illegal.htm | | Does anybody remember 10+ years ago when a Driver's License | wasn't quite a National ID Card or a Citizenship Credential Yeah. The real problem with all these other uses is that they create a negative feedback loop: the more useful the card is, the more people are motivated to get involved in fradulent issue, and the more rationalizations there are for DMV employees to engage in it. So we spend more and more to secure the cards, and the only people who win are the hologram manufacturers. Unfortunately, the people actually relying on the cards don't realize this as fast as the users of the system. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Mexifornia Driver's License
On Mon, Sep 15, 2003 at 04:07:02PM -0700, Bill Stewart wrote: | Tim May wrote: | http://vikingphoenix.com/immigration/davis_sign_illegal.htm | | Does anybody remember 10+ years ago when a Driver's License | wasn't quite a National ID Card or a Citizenship Credential Yeah. The real problem with all these other uses is that they create a negative feedback loop: the more useful the card is, the more people are motivated to get involved in fradulent issue, and the more rationalizations there are for DMV employees to engage in it. So we spend more and more to secure the cards, and the only people who win are the hologram manufacturers. Unfortunately, the people actually relying on the cards don't realize this as fast as the users of the system. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Your papers please [what color is John Gilmore?]
First answer: He's in red, no green, argggh! Second answer: We've changed the name of the program to ITAR so his lawsuit goes back to square 1! That's the plan! Third answer: CAPPS was just a clever distraction, the real program remains classified. Please step over here. Adam On Tue, Sep 09, 2003 at 02:27:23PM -0700, Bill Stewart wrote: | What color is John? He's Tie-Dyed, of course... | | You were expecting a single category they knew what to do with? | | Major Variola (ret.) wrote: | Most people will be coded green and sail through. But up to 8 | percent of passengers who board the nation's 26,000 daily flights will | be coded yellow and will undergo additional screening at the | checkpoint, according to people familiar with the program. An estimated | 1 to 2 percent will be labeled red and will be prohibited from | boarding. These passengers also will face police questioning and may be | arrested. | | http://www.washingtonpost.com/ac2/wp-dyn/A45434-2003Sep8?language=printer -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Anyone Remember Zero Knowledge Systems?
On Wed, Sep 10, 2003 at 11:32:29AM -0400, R. A. Hettinga wrote: | http://www.cryptonomicon.net/modules.php?name=Newsfile=printsid=455 | | Cryptonomicon.Net - | | Anyone Remember Zero Knowledge Systems? | Date: Wednesday, September 10 @ 11:15:00 EDT | Topic: Commercial Operations / Services | Unfortunately, they never quite made a compelling enough argument | for mass adoption of their system and eventually morphed the company | into a manufacturer or more conventional privacy tools. Freedom still | exists as a product, thought it is aimed at web users, only runs on | Windows clients, and routes requests through proxy servers owned by | Zero Knowledge Systems. Freedom Websecure is a different protocol set from Freedom.net. Websecure runs on linux, see http://websecure4linux.sourceforge.net/ The Freedom.net code is available for non-commercial use, see http://slashdot.org/articles/02/02/16/0320238.shtml?tid=158 or the shmoo group cvs server, http://cvs.shmoo.com/view/projects/freedom-server/ The problem with running Napster over Freedom was bandwidth costs. Users may be more willing to pay today, given the clear risk of paying $10,000 or more in fines. I'm sure that ZKS would be happy to sell someone a commercial use license. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Your papers please [what color is John Gilmore?]
First answer: He's in red, no green, argggh! Second answer: We've changed the name of the program to ITAR so his lawsuit goes back to square 1! That's the plan! Third answer: CAPPS was just a clever distraction, the real program remains classified. Please step over here. Adam On Tue, Sep 09, 2003 at 02:27:23PM -0700, Bill Stewart wrote: | What color is John? He's Tie-Dyed, of course... | | You were expecting a single category they knew what to do with? | | Major Variola (ret.) wrote: | Most people will be coded green and sail through. But up to 8 | percent of passengers who board the nation's 26,000 daily flights will | be coded yellow and will undergo additional screening at the | checkpoint, according to people familiar with the program. An estimated | 1 to 2 percent will be labeled red and will be prohibited from | boarding. These passengers also will face police questioning and may be | arrested. | | http://www.washingtonpost.com/ac2/wp-dyn/A45434-2003Sep8?language=printer -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: JAP back doored
On Tue, Sep 02, 2003 at 12:47:34PM -0700, Steve Schear wrote: | http://www.heise.de/newsticker/data/jk-02.09.03-005/ | | German police have searched and seized the rooms (dorm?) of one of the JAP | developers. They were on the look for data that was logged throughout the | period when JAP had to log specific traffic. The JAP-people say that the | seizure was not conform with German law. They suggest that the police was | afraid that they wouldn't gain the right to use this data before a normal | court. So they stole it to make things clear. And since the JAP team did | cooperate with them the previous time they now have the logs to get seized. | | I'll bet the logs weren't encrypted. Fools. That's the cool bit about playing by the law; they can ignore it, ruin people's lives, and then get a month off with pay while their actions are investigated. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: JAP back doored
On Tue, Sep 02, 2003 at 12:47:34PM -0700, Steve Schear wrote: | http://www.heise.de/newsticker/data/jk-02.09.03-005/ | | German police have searched and seized the rooms (dorm?) of one of the JAP | developers. They were on the look for data that was logged throughout the | period when JAP had to log specific traffic. The JAP-people say that the | seizure was not conform with German law. They suggest that the police was | afraid that they wouldn't gain the right to use this data before a normal | court. So they stole it to make things clear. And since the JAP team did | cooperate with them the previous time they now have the logs to get seized. | | I'll bet the logs weren't encrypted. Fools. That's the cool bit about playing by the law; they can ignore it, ruin people's lives, and then get a month off with pay while their actions are investigated. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Is it time to kill the JAP backdoor cretins and their families?
On Mon, Aug 25, 2003 at 08:27:20PM -0700, Len Sassaman wrote: | However, even when setting aside the issue that our understanding of the | math involved may be flawed, JAP quickly becomes less appealing choice | once the other factors are considered. | | University / government funded research relies on grants for its | existence. This makes the operators beholden to the source of grant funds. | It also eliminates an economic incentive to put users first. | | Private companies offering privacy/anonymity services are faced with a | direct correlation between revenue and delivery of such services. Should a | company like Anonymizer violate its stated privacy policy and misrepresent | its level of security, as JAP did, the results would be devastating to the | viability of the company. The JAP group, on the other hand, is facing | nothing more than a little bad PR and the loss of some users. (Many of | those 30,000 probably are unaware of the silent compromise of JAP | security). Much as we'd like reputational issues to rule, I think your final parenthetical is important. I would be willing to bet that Lance *could* take FBI money to rat out users without it reaching the userbase. I'd also be willing to bet that Lance *wouldn't,* but that bet would obviously be smaller. So, to the question of, is a private company better than a research lab? Probably. But could a privacte company comprimise its users without imploding? Probably. The right system is probably something like Tarzan, running low-latency traffic inside the file trading cloud. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: domestic terrorism, fat lazy amerikans ducks
John, you write like a Republican speechwriter on a bad trip. On Tue, Aug 26, 2003 at 12:45:55PM -0700, John Young wrote: | Nonshit, Robert, Ray's an organ-eating anarchist not a | vapid tea-sip socialist. A while back Ray yanked a | capitalist apologist's lawyer's cold dead dried nut heart | from behind a Kevlar diamond-studded vest and lipped | and tongued it like a lady's freeze-dried private then | swallowed it whole, burping at the lawyer never missing a | syllable in a diatribe against outlaws, yodeling in Harvard | Law speak that cyber jesse james are the worst evil in | the marketplace for riggers of such places.
Re: Computer Voting Expert, Dr. Rebecca Mercuri, Ousted From Elections Conference
Well, if you can't win on the truth, win on the procedures. At least Dr. Mercuri is in fine company there, ranging all the way back to Socrates and Galileo. Little consolation, I know, as our democracy gets replaced by a kleptocracy, but what can you do? Maybe she should set up stealdemocracy.com, a new voting machine company. Sell machines that explicitly let you steal elections. Get some press. Adam On Wed, Aug 06, 2003 at 11:08:38AM -0400, R. A. Hettinga wrote: | Notice they did this to Chaum, too... | | Cheers, | RAH | | --- begin forwarded text | | | Status: U | To: johnmac's living room [EMAIL PROTECTED] | Cc: Dave Farber [EMAIL PROTECTED] | From: John F. McMullen [EMAIL PROTECTED] | Mailing-List: list [EMAIL PROTECTED]; contact [EMAIL PROTECTED] | Delivered-To: mailing list [EMAIL PROTECTED] | Date: Mon, 4 Aug 2003 23:31:49 -0400 (EDT) | Subject: [johnmacsgroup] Computer Voting Expert, Dr. Rebecca Mercuri, Ousted From Elections | Conference | | Computer Voting Expert Ousted From Elections Conference | | Lynn Landes | freelance journalist | www.EcoTalk.org | | Denver CO Aug 1 - Dr. Rebecca Mercuri, a leading expert in voting machine | security, had her conference credentials revoked by the president of the | International Association of Clerks, Records, Election Officials, and | Treasurers (IACREOT), Marianne Rickenbach. The annual IACREOT Conference | and Trade Show, which showcases election systems to elections officials, | is being held at the Adam's Mark Hotel in Denver all this week. | | Mercuri believes that her credentials were revoked because of her position | in favor of voter-verified paper ballots for computerized election | systems. I guess in a very troubling way it makes sense that an | organization like IACREOT, that supports paperless computerized voting | systems, which are secret by their very design, would not want computer | experts who disagree with that position at their meetings. | | Dr. Mercuri said that her credentials were approved for the first three | days of the conference. She attended meetings of other groups and visited | the exhibitors hall. But it was only on Thursday as she sat down to attend | her first meeting at the IACREOT that President Marianne Rickenbach took | Mercuri out of the room and told her that her credentials were being | revoked. Rickenbach said that Mercuri had not filled out the forms | correctly. Mercuri protested, but was refused reinstatement. | | David Chaum, the inventor of eCash and a member of Mercuri's | 'voter-verified paper ballot' group, had his credentials revoked on the | first day of the conference. On the second day his credentials were | partially restored. Chaum was allowed to visit the exhibitors hall, but | not attend the IACREOT meetings. | | Rickenbach was unavailable for comment as of this report. Mercuri can be | reached at the Adam's Mark Hotel through Saturday. | | --- | | | When you come to the fork in the road, take it - L.P. Berra | Always make new mistakes -- Esther Dyson | Be precise in the use of words and expect precision from others - |Pierre Abelard | Any sufficiently advanced technology is indistinguishable from magic |-- Arthur C. Clarke | Bobby Layne never lost a game. Time just ran out. -- Doak Walker | | John F. McMullen | [EMAIL PROTECTED] ICQ: 4368412 Fax: (603) 288-8440 [EMAIL PROTECTED] | http://www.westnet.com/~observer | NOYFB,P | | | | | | | Yahoo! Groups Sponsor -~-- | Buy Ink Cartridges or Refill Kits for Your HP, Epson, Canon or Lexmark | Printer at Myinks.com. Free s/h on orders $50 or more to the US Canada. http://www.c1tracking.com/l.asp?cid=5511 | http://us.click.yahoo.com/sO0ANB/LIdGAA/ySSFAA/XgSolB/TM | -~- | | To unsubscribe from this group, send an email to: | [EMAIL PROTECTED] | | | | Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/ | | --- end forwarded text | | | -- | - | R. A. Hettinga mailto: [EMAIL PROTECTED] | The Internet Bearer Underwriting Corporation http://www.ibuc.com/ | 44 Farquhar Street, Boston, MA 02131 USA | ... however it may deserve respect for its usefulness and antiquity, | [predicting the end of the world] has not been found agreeable to | experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Computer Voting Expert, Dr. Rebecca Mercuri, Ousted From Elections Conference
On Wed, Aug 06, 2003 at 01:49:26PM -0700, Steve Schear wrote: | At 11:54 2003-08-06 -0400, Adam Shostack wrote: | Well, if you can't win on the truth, win on the procedures. | | At least Dr. Mercuri is in fine company there, ranging all the way | back to Socrates and Galileo. Little consolation, I know, as our | democracy gets replaced by a kleptocracy, but what can you do? | | Maybe she should set up stealdemocracy.com, a new voting machine | company. Sell machines that explicitly let you steal elections. Get | some press. | | A better solution, already available to voters, is to request an absentee | voter form. If a substantial number of voters asked to vote this way it | would overwhelm the voting machinery and completely negate any cost savings | expected from the distrusted automated systems. Huh? Voters don't control the security of the voting system any more than we control the security of the credit rating/id theft system. And similarly, your choice to not play doesn't protect you. Tim's idea of using the voting system's security to accelerate the de-legitimization of the system is a fine one, although it has the risk that the statists will get awfully violent as we try to ignore them out of existance. I don't see how an absentee ballot is going to make anything any better. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: [Brinworld] Car's data recorder convicts driver
On Wed, Jun 18, 2003 at 12:58:56AM -0400, John Kelsey wrote: | At 06:29 AM 6/17/03 +0159, Anonymous wrote: | Adam Shostack wrote: | | PS: Bob Blakely once defined privacy as the right to lie and get away | with it, which fits into some of what many people mean by privacy. | | So privacy is only of value to the dishonest? I don't think so! | I post anonymously, but not to lie. | | | Fred, did you post that crap to cypherpunks? Are you a slacker, McFly? -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: [Brinworld] Car's data recorder convicts driver
On Tue, Jun 17, 2003 at 09:30:35PM -0700, Tim May wrote: | On Tuesday, June 17, 2003, at 03:48 PM, Thomas Shaddack wrote: | | Adam | | PS: Bob Blakely once defined privacy as the right to lie and get away | with it, which fits into some of what many people mean by privacy. | | Another possible definition is the right to tell the truth and get away | with it. | | But both definitions are rather about free speech than about privacy, | but | then we'd get to a fight over definitions which is in this context | better | to leave on the shoulders of people making encyclopedias. | | | Maybe I have a minor corollary to Somebody's Law: All debates about | privacy eventually degenerate into foolish and off-target debates about | the meaning of truth. | | It never makes sense to argue about a right to lie or a right to | tell the truth. One man's lie is another man's truth. And even | _asking_ for a true response is usually an overstepping, as it presumes | the asker knows what is true and what is not. Pilate said it all 2000 | years ago. I wasn't arguing, I was quipping. I find the many meanings of the word privacy to be fascinating. So when someone commented that the car's tattle-box is or isn't a privacy invasion, I thought I'd offer up a definition under which it is. Its a definition that lots of people use, as John points out. Perhaps better than 'right' would be 'ability,' 'The ability to lie and get away with it.' Adam -- 'No, honey, I was working late at the office.'
Re: [Brinworld] Car's data recorder convicts driver
On Wed, Jun 18, 2003 at 09:11:58AM -0700, Tim May wrote: | On Wednesday, June 18, 2003, at 05:17 AM, Adam Shostack wrote: | | I wasn't arguing, I was quipping. | | I find the many meanings of the word privacy to be fascinating. So | when someone commented that the car's tattle-box is or isn't a privacy | invasion, I thought I'd offer up a definition under which it is. | Its a definition that lots of people use, as John points out. | | Perhaps better than 'right' would be 'ability,' 'The ability to lie | and get away with it.' | | I wasn't picking on you or your points, that's for sure. In fact, I | barely noticed whose message I was replying to. Gives new meaning to anonymous postings. ;) | My point was a larger one, that nearly all such debates about privacy | eventually come round to issues of what have you got to hide? and | issues of truth and lies. | | This is why I like the Congresss shall make no law and shall not be | infringed absoluteness of the original Constitution. The language does | not natter about truthful speaking shall not be infringed. | | And this is why more recent legislation allowing government to regulate | commercial speech or to decide which speech is true and which is | false (as in advertising claims) is so corrosive to liberty. Indeed. The European data protection laws are fundamentally unamerican. Unfortunately, Congress has made laws, numbering each of us, and then tries to regulate the abuse of that (free, freely usable, legally enforced) numbering scheme. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Diners club switches to passwords
I just called Diner's Club, and was suprised to be asked for a password to (replace? supplement?) my mother's maiden name. Is this something that Citibank in general is doing? How long before this becomes a standard of due care? Also, I'm curious what the forgot-my-password recovery mechanisms will be... Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: An attack on paypal -- secure UI for browsers
On Sat, Jun 14, 2003 at 11:20:16AM -, a Microsoft employee wrote: | Adam Shostack writes: | | Actually, most of the features of Nogsuccob are features that I | want, like integrity protected, authenticated boot. The problem, | bundled with those features, is the ability of the system to attest to | its secure boot. This can be fixed by not letting the host know if | you've exported its host key or not, which makes it possible to run a | virtualized, trusted copy in your emulation environment. | | Nothing forces you to tell anyone else that you booted securely. At most | someone may offer to give you something in exchange for such a proof, | but you're not obligated to take them up on it. Well, sure. And no one forces me to run Microsoft office, either, except Microsoft's monoploy. And when the document format can phone home to prevent piracy or openoffice from running, no one will be 'obligating' me to pay monopoly rents to Microsoft. In the same way, no one forces me to have a drivers license. But its damned hard living life without one. | It's not clear what you're getting at about exporting the host key. | These systems (TCs) are generally designed to make that difficult or | impossible to accomplish. The security of the whole system is built on | that assumption. If you actually did manage to pull out the host key | then you could make it attest to any falsehood you wanted, although you | might get caught eventually. The security of the system to make attestations is built on that assumption. However, there are other values that a TBC can offer, like secure key storage or trusted boot of a known OS image, that I might like. My ability to attest to any falsehood is limited by the statements the key is expected to sign. How broad are those? I thought they were quite limited. | Trusted Computing lets people convincingly tell the truth about what | software they are running. This is seen as a horrific threat in certain | circles. It's easy to see why liars wouldn't like it. What does an | honest man have to lose? Interoperability. Fair use. Market Choice. Archives. Control over their own computers. Ability to decide when to patch. The ability to run purchased software.. ... privately. ... when there are bugs in the license code. ... when the license server or the network is unavailable. That's off the top of my head. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Microsoft, TCPA, your wallet and the real ending of the story.
On Sat, Jun 14, 2003 at 03:17:22PM -0400, Sunder wrote: | Indeed. | | If it's coming from Redmond, and as usual if it smells of evil, there is | an utterly simple solution in dealing with it: don't buy it. Don't buy | Microsoft software, don't buy motherboards that include TCPA capabilities. | When you're up for getting yourself a new PC, get a generic one without | such options, or if you insist, call the vendor and tell them you want a | box without evil-inside and without a Redmond OS pre-installed. Which CPU vendor will sell me a CPU without TCPA? And besides, I WANT a TCPA machine. I just don't want remote attestation, or keys that I can't back-up and relocate. | Buy a generic intel/amd machine without the Secure processor, or give | Steve Jobs some of your cash for a nice G4/G5 machine, or you can go to a IBM is starting to add TCPA to the powerpc line. And much as I enjoy my Mac, the DVD player still has this bug where fast-forward doesn't work sometimes. Really annoying when you need to yank a DVD for cleaning, and watch the previews 3 or 4 times. http://www-3.ibm.com/chips/products/powerpc/newsletter/mar2003/ppc_process_at_work.html Sparc may be an option if Sun stays in business, but again, I want a TCPA chip that I can control. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: An attack on paypal -- secure UI for browsers
A charming naivete. *Plonk* On Sat, Jun 14, 2003 at 04:29:23PM -0400, Sunder wrote: | Oh get over it. There are other formats. You ever heard of | XML? HTML? RTF? | | If the day comes where MS Office DRM only works with MS Office DRM, how | many people will switch to it? If your company is willing to switch to | it, then they'll give you a PC with it on it. If they don't, then they | can't expect you to interact with them via such formats and can't require | you to do so. | | You sound like someone's holding a gun to your head and requiring you to | have MS Office. | | Either way, you can ask them to export to other document formats which you | can read. Even now Office will export to HTML for example which is | readable by Mozilla and other browsers. | | Microsoft is not the DMV. You don't need to use their software. | | And no, I will never be part of your problem because the documents I will | create for non work use will be made with Open Office or will be plain | text, html, or xml files. | | If I'm required to use a DRM'ed Office for work, then fine, my company | owns those documents anyway and they can do whatever the fuck they like | with them either way. It doesn't matter to me at all -- it's their call, | it's their company, it's their documents. | | But, for personal use, I won't buy any upgrades or new Microsoft | software. End of story. | | Either way, how much a revolt do you think there will be if Microsoft | decides to lock down their tools (such as word) to the point where they | can no longer export to HTML, plain text, RTF should the author wish | it to do so and provides whatever passphrases or ID's needed to unlock | the document and export it out? | | Who would buy such a dog of a product? Do you think businesses are so | stupid that they'd put up with a product that jails them in? Get real | son, you're howling at the moon! | | On one hand you're bitching that you have to use Microsoft software on the | other you're complaining that I'm using it while I'm telling you I don't | want to and don't care to and won't upgrade to it. | | You want to make a difference? Go ahead, wipe every bit of Microsoft | wares off all your machines and burn the CD's you've installed them | from. Go all open source and show others the right way. At least I'd | have some respect for you for voting with your wallet and practicing what | you preach. | | Right now all you're doing is bitching that you're forced to buy and use | Microsoft Office. I say that's bullshit, and you know it. | | | --Kaos-Keraunos-Kybernetos--- | + ^ + :25Kliters anthrax, 38K liters botulinum toxin, 500 tons of /|\ | \|/ :sarin, mustard and VX gas, mobile bio-weapons labs, nukular /\|/\ | --*--:weapons.. Reasons for war on Iraq - GWB 2003-01-28 speech. \/|\/ | /|\ :Found to date: 0. Cost of war: $800,000,000,000 USD.\|/ | + v + : The look on Sadam's face - priceless! | [EMAIL PROTECTED] http://www.sunder.net | | On Sat, 14 Jun 2003, Adam Shostack wrote: | | Sure. And I'm glad you work with a small group of people who | understand that you don't read their documents. After many years of | refusal, I finally gave up. I work with lots of customers who expect | documents in MS formats, and look at you askance for giving them | anything else. You only get so many explanations before customers go | elsewhere, and I chose not to spend them on this. Similarly, I could | choose to speak to everyone I meet in, say, Russian. And some folks | would understand. Others would walk away. So, you can argue that | you're effectively required to speak English to do business in North | America. I would argue that you're similarly required to use MS | Office. | | | You'll be part of the problem when Nogsuccob is apon us, because the | documents you create won't be readable in OpenOffice, and Crossover | won't run. | | | Office Nogsuccob will only interoperate with itself. Companies will end | up deploying it to interact with other versions, not for any real | feature. | | You don't like the word force, I suggest quitting all use of .DOC, | .PPT, and .XLS formats. Please educate the world on how much better | the alternatives are. Me, I'll pay my $200 to not bother today, and | regret it tomorrow. | | And by the way, do you have a driver's license, or other state-issued | ID card? | -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: An attack on paypal -- secure UI for browsers
On Fri, Jun 13, 2003 at 11:04:42PM +0200, Thomas Shaddack wrote: | The problem (among others) is that this allows a virus to steal the | client cert. If it is protected by a password, the malware must hang | around long enough for the user to unlock the cert (perhaps because the | malware sent a spoofed email calling for the user to visit the site, | even the real site!). It can then read the user's keystrokes and acquire | the password. Now it has the cert and password and can impersonate the | user at will. | | The solution to this is Palladium (NGSCB). | | BAH! *shudders* | | All we need for this is an external cryptographic token - a smartcard with | a keypad, an USB device, a Bluetooth-enabled thingy. You plug it into the | machine, the server you connect to sends its certificate name and | challenge to the browser, which passes it unchanged to your token. The ... | get as low as few dollars, can easily interface with just about any OS | including PDAs, and doesn't require The Megacorp Whose Name Shouldn't Be | Spoken to take over your machine. Actually, most of the features of Nogsuccob are features that I want, like integrity protected, authenticated boot. The problem, bundled with those features, is the ability of the system to attest to its secure boot. This can be fixed by not letting the host know if you've exported its host key or not, which makes it possible to run a virtualized, trusted copy in your emulation environment. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: The Streisand imagecriminal lives 2-3 parcels away from me
On Tue, Jun 03, 2003 at 11:00:07AM -0400, Sunder wrote: | That's all nice and good, but why should it be on cypherpunks? Where's | the relevance to this list? Why is Ken, or his addres or helipad an | interest to the cypherpunks? Why is PGE's monopolistic's actions against | him relevant to the topics of this list? | | What's next? The Cypherpunk Equirer? We can hope they return. http://www.haven.boston.ma.us/~benji/wheels.html http://cypherpunks.venona.com/date/1997/03/msg00102.html -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: What shall we do with a bad government...
On Thu, Mar 20, 2003 at 10:57:12PM -0500, Tim Meehan wrote: | an okay economy but too many yuppies and climbers (and crappy pot). | Montreal is the best, but you're better off if you speak Freedom -- | and like hash. The local pharma retail business seems to be quite flexible in supplying regulars with whatever they demand. The trouble with being anonymous is that you're indistinguishable from a cop. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: What shall we do with a bad government...
On Thu, Mar 20, 2003 at 10:57:12PM -0500, Tim Meehan wrote: | an okay economy but too many yuppies and climbers (and crappy pot). | Montreal is the best, but you're better off if you speak Freedom -- | and like hash. The local pharma retail business seems to be quite flexible in supplying regulars with whatever they demand. The trouble with being anonymous is that you're indistinguishable from a cop. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Fatherland Security measures more important than Bennetton tags!
On Sat, Mar 15, 2003 at 08:47:15PM +, Michael Shields wrote: | In article [EMAIL PROTECTED], | Adam Shostack [EMAIL PROTECTED] wrote: | (New York just | announced the abolition of tokens, making all subway travel | linkable.) | | The last time I was in New York, you could buy a Metrocard for cash. | As far as I know, there are no plans to change this. Sure. But I said linkable, not traceable. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Fatherland Security measures more important than Bennetton tags!
On Sat, Mar 15, 2003 at 08:47:15PM +, Michael Shields wrote: | In article [EMAIL PROTECTED], | Adam Shostack [EMAIL PROTECTED] wrote: | (New York just | announced the abolition of tokens, making all subway travel | linkable.) | | The last time I was in New York, you could buy a Metrocard for cash. | As far as I know, there are no plans to change this. Sure. But I said linkable, not traceable. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Identification of users of payphones
On Fri, Mar 14, 2003 at 05:36:28PM +0100, Thomas Shaddack wrote: | Couple months ago, our local Telecom decided to switch over from | easy-to-emulate EPROM-based dumb smartcards (described at | http://www.phrack.com/show.php?p=48a=10 ) to Eurochip ones. Today seemed | a good day to learn more about them, so I sniffed around a bit (eg, | http://gsho.thur.de/phonecard/advanced_e.htm ) and stumbled over some data | that could have unpleasant implications. | | | In Europe, chip cards for paying in payphones are common. However, the | cards have serial numbers, usually assigned sequentially during the | manufacture. | | It is possible to keep track of the serial numbers vs shipments. The | phones may record (or even online-report (eg, for fraud prevention)) the | serial numbers of the cards used. Then it could be possible to list all | calls done from the same card, possibly indirectly identify the person who | made that call from a public payphone by matching their calling patterns. | It could be also possible to identify where and approximately when the | card was bought, putting more constraints to its owner's possible identity. | | I can't assess the real proportions of this threat, but it is another | thing to be aware of. Its possible, but expensive; this was done in the Tim MViegh trial; they linked all his calls, and then traced it to him. With computers, this gets easier and cheaper. Social network analysis is an obvious outgrowth of the traffic analysis NSA has been doing for 60 years. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Identification of users of payphones
On Fri, Mar 14, 2003 at 05:36:28PM +0100, Thomas Shaddack wrote: | Couple months ago, our local Telecom decided to switch over from | easy-to-emulate EPROM-based dumb smartcards (described at | http://www.phrack.com/show.php?p=48a=10 ) to Eurochip ones. Today seemed | a good day to learn more about them, so I sniffed around a bit (eg, | http://gsho.thur.de/phonecard/advanced_e.htm ) and stumbled over some data | that could have unpleasant implications. | | | In Europe, chip cards for paying in payphones are common. However, the | cards have serial numbers, usually assigned sequentially during the | manufacture. | | It is possible to keep track of the serial numbers vs shipments. The | phones may record (or even online-report (eg, for fraud prevention)) the | serial numbers of the cards used. Then it could be possible to list all | calls done from the same card, possibly indirectly identify the person who | made that call from a public payphone by matching their calling patterns. | It could be also possible to identify where and approximately when the | card was bought, putting more constraints to its owner's possible identity. | | I can't assess the real proportions of this threat, but it is another | thing to be aware of. Its possible, but expensive; this was done in the Tim MViegh trial; they linked all his calls, and then traced it to him. With computers, this gets easier and cheaper. Social network analysis is an obvious outgrowth of the traffic analysis NSA has been doing for 60 years. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Brinwear at Benetton.
On Fri, Mar 14, 2003 at 01:22:44PM -0500, Trei, Peter wrote: | You're not thinking this through. As the item goes through the door (in | either direction) the check is made Is this individual tag on this store's | 'unsold inventory' list?. If so, raise the alarm. The tags are not fungible; | they each have a unique number. When you purchase an item, it's tag | number is transfered from the 'unsold inventory' list to the 'Mike Rosing' | list, or, if no link to a name can be found, 'John Doe #2345'. | | As you walk up to the counter, the tag in your jockey shorts is read, | and you are greeted by name, even if you've never been in that store | before. People will find this spooky, and it will stop, but how much you've spent over the last year will still be whispered into the sales clerk's ear bug, along with advice the woman in the green jacket 12 feet from you spends an average of $1,000 per visit, go fawn on her. And remind her that the jacket is nearly a year old. Very last season. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Brinwear at Benetton.
On Thu, Mar 13, 2003 at 11:57:27AM -0500, Tyler Durden wrote: | If I build the mugger's little | helper, a PDA attachement that scans for real prada bags, then perhaps | the RFID tag will be removed at the counter after the first lawsuit. | | Nice! Possibly, it might not even be necessary for the Little Helper to | read the tag, only detect its presence. Counterfeit bags probably won't | have the tag, and if they do (and the copies are good enough), the mugger | won't care. We designed the Pickpocket's pal to detect large amounts of currency this way. It just helps you size up your victim, or at least size up their wad of cash. (There were some complications, because the tags do try not to chat at the same time, but hey, how well designed do you think a 10c item is?) Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Brinwear at Benetton.
On Thu, Mar 13, 2003 at 08:24:35AM -0800, Mike Rosing wrote: | On Thu, 13 Mar 2003, Adam Shostack wrote: | | On Thu, Mar 13, 2003 at 10:22:14AM -0500, Trei, Peter wrote: | The other motivator is liability. If I build the mugger's little | helper, a PDA attachement that scans for real prada bags, then perhaps | the RFID tag will be removed at the counter after the first lawsuit. | | I think economics would be a better argument. If the manufacturer | can recycle the tags for inventory control they can save a lot of money. | 10 cents per item isn't much, but at millions of items it becomes worth | while. Having the tag removed at the counter so they can be sent back to | the manufacturer along with returns and defects saves money, and that | argument carries more weight to someone trying to make a profit than | anything else. Having a counter clerk mess with a 10c embedded item is a loss. Longer lines, less throughput, etc. It may not matter at Prada, but it does at the grocery store. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Brinwear at Benetton.
On Thu, Mar 13, 2003 at 10:22:14AM -0500, Trei, Peter wrote: | Some research is being done in RSA Labs to produce more | privacy-enhanced protocols for RFIDs, but it's a long way from | publication, and its unclear what would motivate a tag manufacturer | to include them. The biggest motivators I can see are law and liability. If you can make the case to Europe's data protection commissioners that these tags will be linked to individual information, and can then be used to track people, then perhaps the tags will include privacy tech of some sort. (Although Ari presented at FC this year, and pointed out just how few gates there are to work with.) The other motivator is liability. If I build the mugger's little helper, a PDA attachement that scans for real prada bags, then perhaps the RFID tag will be removed at the counter after the first lawsuit. (Naturally, we'll sell the mugger's little helper as a tool for undercover counterfeit investigations. We can't help that the street finds its own uses for things.) Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Brinwear at Benetton.
On Thu, Mar 13, 2003 at 11:57:27AM -0500, Tyler Durden wrote: | If I build the mugger's little | helper, a PDA attachement that scans for real prada bags, then perhaps | the RFID tag will be removed at the counter after the first lawsuit. | | Nice! Possibly, it might not even be necessary for the Little Helper to | read the tag, only detect its presence. Counterfeit bags probably won't | have the tag, and if they do (and the copies are good enough), the mugger | won't care. We designed the Pickpocket's pal to detect large amounts of currency this way. It just helps you size up your victim, or at least size up their wad of cash. (There were some complications, because the tags do try not to chat at the same time, but hey, how well designed do you think a 10c item is?) Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Blacknet Delta CAPPS II Boycott?
I think the thing to do is to get RTmark or the YESmen or some other organization that's used to be sued involved. On Mon, Mar 10, 2003 at 09:52:04AM -0500, Tyler Durden wrote: | Just wondering... | | Would there be an easy blacknet way to offer those t-shirts that would be | un-shutdownable? | | Also, as an added (perhaps necessary) benefit, the ability to protect | (through anonymity) those that ran the site? | | Plus, another thought occurs to me. Is it possible, perhaps, via Blacknet | for the site operator to put up the site for a predefined time period, | during which it is impossible even for the site operator to take it down? | How would that work as a legal defense? (Sorry Delta. My site is on an | autonymous Server and even I can not shut it down until its expiration date | on 6/22/03. Indeed, I do not even know where the server or service provider | is.) | | -TD | | | | | | | | | | | | | | From: Bill Stewart [EMAIL PROTECTED] | To: [EMAIL PROTECTED] | Subject: CAPPS II pilot at San Jose - Delta to CAPPS II Boycotters: No | more Coffee Mugs | Date: Sun, 09 Mar 2003 22:42:40 -0800 | | Breaking news - The three airports in Delta's pilot project include San | Jose. | --- | | Last week Bill Scannell [EMAIL PROTECTED] announced the | BoycottDelta.org protest against Delta's collaboration with the CAPPS II | pass-law pilot project. Among other publicity activities, | BoycottDelta.org had T-shirt for sale on CafePress.com, | but Delta has filed a intellectual property complaint to stop them, | in spite of the Supreme Court's position that parody is protected, | and if you've seen the BoycottDelta.org logo, it's clearly just parody. | - | | | | Delta Shuts Down BoycottDelta Shop | | CAPPS II Collaborator Stops T-Shirt Sales, Continues Privacy Invasion | | Austin, TX (8 March 2003) -- BoycottDelta, an on-line website advocating a | total boycott of Delta Air Lines (NYSE: DAL) until the airline stops all | cooperation with a test of the CAPPS II program, had its on-line | 'BoycottDelta Action Tools' store closed down as a result of an | intellectual | property rights violation alleged and filed by Delta with the store's host, | CafePress.com . | | The store sold t-shirts, coffee mugs and stickers affixed with the | BoycottDelta logo, allowing activists to show their support for the | campaign. The BoycottDelta logo consists of an all-seeing eye within a red | and blue triangle. All BoycottDelta products were sold at cost. | | BoycottDelta founder Bill Scannell expressed astonishment with Delta's | move. | | Delta Air Lines has been deluged with thousands of emails and calls from | their customers over the past week complaining about their CAPPS II | testing, | and the best Delta can come up with is to say 'don't wear a t-shirt'? This | is corporate arrogance at its finest. | | Over 200,000 unique visitors have visited the BoycottDelta website since it | went live on the 3rd of March. | | Alternate sources of BoycottDelta protest tools are being identified. A | new | on-line store will be launched shortly. | | The Google cache of the store can be seen at: | | http://216.239.57.100/search?q=cache:HSkdQ1hc4coJ:www.cafeshops.com/boycottd | elta+boycottdelta+action+toolshl=enie=UTF-8 | | | _ | Protect your PC - get McAfee.com VirusScan Online | http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963 -- It is seldom that liberty of any kind is lost all at once. -Hume
Stupid security measures, a contest
Human rights watchdog Privacy International has launched a quest to find the World's Most Stupid Security Measure. http://www.theregister.co.uk/content/55/29279.html -- It is seldom that liberty of any kind is lost all at once. -Hume
Stupid security measures, a contest
Human rights watchdog Privacy International has launched a quest to find the World's Most Stupid Security Measure. http://www.theregister.co.uk/content/55/29279.html -- It is seldom that liberty of any kind is lost all at once. -Hume
P4 Docs?
WASHINGTON, Jan. 2 ? A 19-year-old University of Chicago student was arrested in Los Angeles today and charged with stealing trade secrets from DirecTV, the nation's leading satellite television provider http://www.nytimes.com/2003/01/03/technology/03PIRA.html According to prosecutors, Mr. Serebryany sent hundreds of digital documents to three satellite pirate Web sites in September and October. For my archive of cryptographic information , I'd like to get copies of these docs. Anyone been able to find them? Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
P4 Docs?
WASHINGTON, Jan. 2 ? A 19-year-old University of Chicago student was arrested in Los Angeles today and charged with stealing trade secrets from DirecTV, the nation's leading satellite television provider http://www.nytimes.com/2003/01/03/technology/03PIRA.html According to prosecutors, Mr. Serebryany sent hundreds of digital documents to three satellite pirate Web sites in September and October. For my archive of cryptographic information , I'd like to get copies of these docs. Anyone been able to find them? Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Privacy qua privacy (Was: Photographer Arrested For Taking Pictures...)
On Tue, Dec 31, 2002 at 01:21:52AM -0800, Bill Stewart wrote: | At 03:57 PM 12/19/2002 -0500, Adam Shostack wrote: | On Mon, Dec 16, 2002 at 04:56:12PM -0500, John Kelsey wrote: | | I think this would help, but I also think technology is driving a lot of | | this. You don't have to give a lot more information to stores today than | | you did twenty years ago for them to be much more able to track what you | | buy and when you buy it and how you pay, just because the available | | information technology is so much better. Surveilance cameras, DNA | | testing, identification by iris codes, electronic payment mechanisms that | | are much more convenient than cash most of the time, all these contribute | | to the loss of privacy in ways that are only partly subject to any kind | of | | government action (or inaction) or law. | | But you *do* have to provide a lot more information to your bank | than you used to, and to your mailbox company, and to the government-run | post-offices that can bully private mailbox companies around, | and to hotels, and to driver-safety-and-car-taxation enforcers, | and to airlines, because governments either require them to collect more, | or encourage them to collect more data, and to collect it in forms that | are easier to correlate than they have been in the past, What's information, Mr. Smith? If I walk in and say my name's John Doe, here's my cash, and there isn't any government ID, who can question me? | Yep. A lot of it, however, freeloads on the government certification | of identity. Without the legal threats, it would be much harder to | assemble the data. (Other things, like credit, also become much | harder. That may become less of an issue as id theft makes credit | visibly a two-edged sword. | | While some of it is freeloading on the identity certification, | much of it is done because it's so cheap to do so they might as well, | and it's cheap because of the government regulations | as well as because computation keeps getting radically cheaper. The cheap to do is freeloading. If you take all the government issued ID out of your wallet, how much of what's left has the same name on it? Rummaging through my wallet...a grocery card in the name of Hughes, a credit card with the name Shostack, and an expired membership card in the name Doe. If I pull out all three, the cost of doing it shoots way up, and I pay in cash. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Dossiers and Customer Courtesy Cards
On Tue, Dec 31, 2002 at 11:02:48AM -0800, Tim May wrote: | On Tuesday, December 31, 2002, at 09:49 AM, Kevin Elliott wrote: | | At 12:12 -0500 on 12/31/02, Adam Shostack wrote: | Rummaging through my wallet...a grocery card in the name of Hughes, a | credit card with the name Shostack, and an expired membership card in | the name Doe. | | Interesting point on grocery cards... Why do they have your name at | all? Every grocery card I've ever gotten they've said here's your | card and application, please fill out the application and mail it in. | I say thank you ma'am, walk out the door and toss the application | in the trash. Not exactly strong (or any) name linkage... | | * No store I have used has ever _checked_ that a name is valid...they | don't even care when my credit card or check says Timothy C. May but | my Customer Courtesy Card says J. Random Cypher, or Eric Hughes, or | Vlad the Impaler...or is just unattached to any name. And as you say below, checking that a name is valid is hard, except when you can free-load off the effort of the state to issue identities. Grocery stores don't bother, which was my point to Bill. Free-loading off the identity infrastructure of the state is a huge problem. Fair and Issac, Experian and the rest are parasites whose gossip/cross-referencing/credit scoring/libel is only possible because of the state's investment in identity cards. That problem is getting worse because none of that information is private, and many credentials, like drivers licenses, are very valuable in relation to how hard they are to get. And so identity theft, inability to get a mortgage, etc, will have to be balanced against al that cool credit that's made possible by the tracking system. In the end, it won't be worthwhile to many people to be finger and iris printed as part of their daily lives. Or maybe it will. Note that I'm not saying that they're easy to get: Thats irrelevant. Such things are more valuable to get then they are difficult, and will remain that way. Drivers licenses, trusted traveller cards, etc, will always be worth getting if you're a fraudster. Adam | * All in all, not a very interesting example of ID and tracking. Things | will get much more interesting, and worrisome, if there is ever a | national ID system (in the U.S.) and some kind of legislated | requirement (albeit unconstitutional!) that citizen-units must ID | themselves with valid ID for all purchases, or at least of certain | classes of purchases (beyond guns, for example). -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Privacy qua privacy (Was: Photographer Arrested For Taking Pictures...)
On Tue, Dec 31, 2002 at 09:49:28AM -0800, Kevin Elliott wrote: | At 12:12 -0500 on 12/31/02, Adam Shostack wrote: | Rummaging through my wallet...a grocery card in the name of Hughes, a | credit card with the name Shostack, and an expired membership card in | the name Doe. | | Interesting point on grocery cards... Why do they have your name at | all? Every grocery card I've ever gotten they've said here's your | card and application, please fill out the application and mail it | in. I say thank you ma'am, walk out the door and toss the | application in the trash. Not exactly strong (or any) name | linkage... Pollution. Cards without names can be purged, cards with names confuse them. Is that the same Mr. Hughes with Richard Nixon's SSN who seems to shop vegitarian in San Jose, but buys pork in large quantities in Oakland? And look, Mr. Clinton here lives at the same address... Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
[dave@farber.net: [IP] Do unto others ..]
- Forwarded message from Dave Farber [EMAIL PROTECTED] - Date: Tue, 31 Dec 2002 13:31:07 -0500 Subject: [IP] Do unto others .. From: Dave Farber [EMAIL PROTECTED] To: ip [EMAIL PROTECTED] X-Spam-Status: No, hits=-0.5 required=5.0 tests=TO_LOCALPART_EQ_REAL,AWL version=2.20 -- Forwarded Message From: [EMAIL PROTECTED] Date: Tue, 31 Dec 2002 12:34:19 -0600 To: [EMAIL PROTECTED] Subject: [USDemocrat] Digest Number 853 This one certainly deserves wider exposure. :-) Note in particular how shredding personal documents would have made little difference regarding the intrusiveness of this technique. The original article at wweek.com is a fascinating and worthwhile read! Begin Forwarded Message Date: 30 Dec 2002 09:48:23 - From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [USDemocrat] Digest Number 853 Message: 1 Date: Sun, 29 Dec 2002 05:57:08 -0600 From: Kelley Kramer [EMAIL PROTECTED] Subject: Privacy advocates strike back in Portland - Hilarious! Well its not really privacy advocates, just a couple small-time reporters .. This is too funny! Portland has had a big stink (no pun intended) going on about whether its legal for the police to go through your trash. The Police chief, Mayor and DA all came out in favor of it.. saying that once you put the can out on the street it is no longer private property. Well, well, well! Some reporters decided to go pick-up those three officials garbage and take a look at what was there. Then they published a detailed list of what they found! Needless to say, the officials position on garbage took a dramatic change when they got wind of what happened!! Check out the article on the link below. Click and read it, takes about 3 minutes, see them get a taste of their own medicine! ... hilarious! Thanks Kelley Kramer --- RUBBISH! Portland's top brass said it was OK to swipe your garbage--so we grabbed theirs. http://www.wweek.com/flatfiles/News3485.lasso (credit Interesting Times for this one http://interestingtimes.blogspot.com/2002_12_22_interestingtimes_archive.htm l#86563172 ) End Forwarded Message Gordon Peterson http://personal.terabites.com/ 1977-2002 Twenty-fifth anniversary year of Local Area Networking! Support the Anti-SPAM Amendment! Join at http://www.cauce.org/ 12/19/98: Partisan Republicans scornfully ignore the voters they represent. 12/09/00: the date the Republican Party took down democracy in America. -- End of Forwarded Message - You are subscribed as [EMAIL PROTECTED] To unsubscribe or update your address, click http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/ - End forwarded message - -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Privacy qua privacy (Was: Photographer Arrested For Taking Pictures...)
On Tue, Dec 31, 2002 at 09:49:28AM -0800, Kevin Elliott wrote: | At 12:12 -0500 on 12/31/02, Adam Shostack wrote: | Rummaging through my wallet...a grocery card in the name of Hughes, a | credit card with the name Shostack, and an expired membership card in | the name Doe. | | Interesting point on grocery cards... Why do they have your name at | all? Every grocery card I've ever gotten they've said here's your | card and application, please fill out the application and mail it | in. I say thank you ma'am, walk out the door and toss the | application in the trash. Not exactly strong (or any) name | linkage... Pollution. Cards without names can be purged, cards with names confuse them. Is that the same Mr. Hughes with Richard Nixon's SSN who seems to shop vegitarian in San Jose, but buys pork in large quantities in Oakland? And look, Mr. Clinton here lives at the same address... Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Privacy qua privacy (Was: Photographer Arrested For Taking Pictures...)
On Tue, Dec 31, 2002 at 01:21:52AM -0800, Bill Stewart wrote: | At 03:57 PM 12/19/2002 -0500, Adam Shostack wrote: | On Mon, Dec 16, 2002 at 04:56:12PM -0500, John Kelsey wrote: | | I think this would help, but I also think technology is driving a lot of | | this. You don't have to give a lot more information to stores today than | | you did twenty years ago for them to be much more able to track what you | | buy and when you buy it and how you pay, just because the available | | information technology is so much better. Surveilance cameras, DNA | | testing, identification by iris codes, electronic payment mechanisms that | | are much more convenient than cash most of the time, all these contribute | | to the loss of privacy in ways that are only partly subject to any kind | of | | government action (or inaction) or law. | | But you *do* have to provide a lot more information to your bank | than you used to, and to your mailbox company, and to the government-run | post-offices that can bully private mailbox companies around, | and to hotels, and to driver-safety-and-car-taxation enforcers, | and to airlines, because governments either require them to collect more, | or encourage them to collect more data, and to collect it in forms that | are easier to correlate than they have been in the past, What's information, Mr. Smith? If I walk in and say my name's John Doe, here's my cash, and there isn't any government ID, who can question me? | Yep. A lot of it, however, freeloads on the government certification | of identity. Without the legal threats, it would be much harder to | assemble the data. (Other things, like credit, also become much | harder. That may become less of an issue as id theft makes credit | visibly a two-edged sword. | | While some of it is freeloading on the identity certification, | much of it is done because it's so cheap to do so they might as well, | and it's cheap because of the government regulations | as well as because computation keeps getting radically cheaper. The cheap to do is freeloading. If you take all the government issued ID out of your wallet, how much of what's left has the same name on it? Rummaging through my wallet...a grocery card in the name of Hughes, a credit card with the name Shostack, and an expired membership card in the name Doe. If I pull out all three, the cost of doing it shoots way up, and I pay in cash. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Dossiers and Customer Courtesy Cards
On Tue, Dec 31, 2002 at 11:02:48AM -0800, Tim May wrote: | On Tuesday, December 31, 2002, at 09:49 AM, Kevin Elliott wrote: | | At 12:12 -0500 on 12/31/02, Adam Shostack wrote: | Rummaging through my wallet...a grocery card in the name of Hughes, a | credit card with the name Shostack, and an expired membership card in | the name Doe. | | Interesting point on grocery cards... Why do they have your name at | all? Every grocery card I've ever gotten they've said here's your | card and application, please fill out the application and mail it in. | I say thank you ma'am, walk out the door and toss the application | in the trash. Not exactly strong (or any) name linkage... | | * No store I have used has ever _checked_ that a name is valid...they | don't even care when my credit card or check says Timothy C. May but | my Customer Courtesy Card says J. Random Cypher, or Eric Hughes, or | Vlad the Impaler...or is just unattached to any name. And as you say below, checking that a name is valid is hard, except when you can free-load off the effort of the state to issue identities. Grocery stores don't bother, which was my point to Bill. Free-loading off the identity infrastructure of the state is a huge problem. Fair and Issac, Experian and the rest are parasites whose gossip/cross-referencing/credit scoring/libel is only possible because of the state's investment in identity cards. That problem is getting worse because none of that information is private, and many credentials, like drivers licenses, are very valuable in relation to how hard they are to get. And so identity theft, inability to get a mortgage, etc, will have to be balanced against al that cool credit that's made possible by the tracking system. In the end, it won't be worthwhile to many people to be finger and iris printed as part of their daily lives. Or maybe it will. Note that I'm not saying that they're easy to get: Thats irrelevant. Such things are more valuable to get then they are difficult, and will remain that way. Drivers licenses, trusted traveller cards, etc, will always be worth getting if you're a fraudster. Adam | * All in all, not a very interesting example of ID and tracking. Things | will get much more interesting, and worrisome, if there is ever a | national ID system (in the U.S.) and some kind of legislated | requirement (albeit unconstitutional!) that citizen-units must ID | themselves with valid ID for all purchases, or at least of certain | classes of purchases (beyond guns, for example). -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: How robust is SpeakFreely?
On Sat, Dec 21, 2002 at 07:40:34PM +0100, Thomas Shaddack wrote: | | http://www.speakfreely.org/ is a nice, open-source cross-platfor VoIP | software. Supports encryption by DES, Blowfish, and IDEA. | | Had anyone knowledgeable ever looked at its code? How secure this | implementation is? Is better to use Blowfish or IDEA? Where are the | potential holes there? Use Blowfish, you avoid worrying about if you have to worry about patent issues. There are probably buffer overflows, and other problems with the code. But its probably no worse than other VOIP code, and is clearly more secure than code which doesn't encrypt. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Constant Encrypted Stream
On Thu, Dec 19, 2002 at 10:10:25PM -0600, [EMAIL PROTECTED] wrote: | Nothing serious, just throwing a quick thought out... | | It has been mentioned that you should always use crypto. If you wait until | you actually have something private to send, then an adversary will know | exactly which message is important. Encrypting everything gives equal | suspicion to each message and nobody has the resources to attack all of your | mail. | | So, I was thinking that rather than just encrypt each message, why not just | keep a constant encrypted stream open? So, even when you are asleep, | computers at each node are bombarding each other with encrypted junk | files. Your noise to signal ratio would be phenomenal. | | The main problem to solve as I see it would be for legitimate recipients to | be able to determine when a message is real and not trash, without letting | an adversary know. And then there's economics. Someone has to pay for that noise to signal ratio. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: How robust is SpeakFreely?
On Sat, Dec 21, 2002 at 07:40:34PM +0100, Thomas Shaddack wrote: | | http://www.speakfreely.org/ is a nice, open-source cross-platfor VoIP | software. Supports encryption by DES, Blowfish, and IDEA. | | Had anyone knowledgeable ever looked at its code? How secure this | implementation is? Is better to use Blowfish or IDEA? Where are the | potential holes there? Use Blowfish, you avoid worrying about if you have to worry about patent issues. There are probably buffer overflows, and other problems with the code. But its probably no worse than other VOIP code, and is clearly more secure than code which doesn't encrypt. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Constant Encrypted Stream
On Thu, Dec 19, 2002 at 10:10:25PM -0600, [EMAIL PROTECTED] wrote: | Nothing serious, just throwing a quick thought out... | | It has been mentioned that you should always use crypto. If you wait until | you actually have something private to send, then an adversary will know | exactly which message is important. Encrypting everything gives equal | suspicion to each message and nobody has the resources to attack all of your | mail. | | So, I was thinking that rather than just encrypt each message, why not just | keep a constant encrypted stream open? So, even when you are asleep, | computers at each node are bombarding each other with encrypted junk | files. Your noise to signal ratio would be phenomenal. | | The main problem to solve as I see it would be for legitimate recipients to | be able to determine when a message is real and not trash, without letting | an adversary know. And then there's economics. Someone has to pay for that noise to signal ratio. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Privacy qua privacy (Was: Photographer Arrested For Taking Pictures...)
On Mon, Dec 16, 2002 at 04:56:12PM -0500, John Kelsey wrote: | At 12:53 PM 12/15/02 -0500, Adam Shostack wrote: | ... | I think that a law which re-affirmed the rights to be anonymous, to | call yourself what you will, to be left alone, to not carry or show ID | would transform the debate about privacy into terms in which the issue | could be solved. (At least as it affects private companies.) | Companies would be able to do what they want with your data as long as | you had a meaningful and non-coercive choice about handing it over. | | I think this would help, but I also think technology is driving a lot of | this. You don't have to give a lot more information to stores today than | you did twenty years ago for them to be much more able to track what you | buy and when you buy it and how you pay, just because the available | information technology is so much better. Surveilance cameras, DNA | testing, identification by iris codes, electronic payment mechanisms that | are much more convenient than cash most of the time, all these contribute | to the loss of privacy in ways that are only partly subject to any kind of | government action (or inaction) or law. | | The records are being created and kept by both government and private | entities. The question is whether to try to regulate their use (with huge | potential free-speech issues, and the possibility of companies being able | to, say, silence criticism of their products or services) or leave them | alone (with the certainty that databases will grow and continue to be | linked, creating pretty comprehensive profiles of almost everyone's | reading, musical, spending, and travel patterns, and with anyone who takes | serious measures to avoid being profiled having obvious gaps in their | profiles to indicate their wish for privacy in some area). Yep. A lot of it, however, freeloads on the government certification of identity. Without the legal threats, it would be much harder to assemble the data. (Other things, like credit, also become much harder. That may become less of an issue as id theft makes credit visibly a two-edged sword. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: BigBrotherWare
On Thu, Dec 19, 2002 at 10:54:57AM -0800, Tim May wrote: | (Much has been made of how the Microsoft- and Intel-backed security | regimes will be opt in or voluntary. This seems dubious. It is | precisely the non-volunteers who these companies, and Hollywood, and | the Nation States, will be most concerned about. So I would expect this | opt in approach to not be the full picture.) Aww, c'mon, Tim! It'll be as voluntary as Clipper was! Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Privacy qua privacy (Was: Photographer Arrested For Taking Pictures...)
On Mon, Dec 16, 2002 at 04:56:12PM -0500, John Kelsey wrote: | At 12:53 PM 12/15/02 -0500, Adam Shostack wrote: | ... | I think that a law which re-affirmed the rights to be anonymous, to | call yourself what you will, to be left alone, to not carry or show ID | would transform the debate about privacy into terms in which the issue | could be solved. (At least as it affects private companies.) | Companies would be able to do what they want with your data as long as | you had a meaningful and non-coercive choice about handing it over. | | I think this would help, but I also think technology is driving a lot of | this. You don't have to give a lot more information to stores today than | you did twenty years ago for them to be much more able to track what you | buy and when you buy it and how you pay, just because the available | information technology is so much better. Surveilance cameras, DNA | testing, identification by iris codes, electronic payment mechanisms that | are much more convenient than cash most of the time, all these contribute | to the loss of privacy in ways that are only partly subject to any kind of | government action (or inaction) or law. | | The records are being created and kept by both government and private | entities. The question is whether to try to regulate their use (with huge | potential free-speech issues, and the possibility of companies being able | to, say, silence criticism of their products or services) or leave them | alone (with the certainty that databases will grow and continue to be | linked, creating pretty comprehensive profiles of almost everyone's | reading, musical, spending, and travel patterns, and with anyone who takes | serious measures to avoid being profiled having obvious gaps in their | profiles to indicate their wish for privacy in some area). Yep. A lot of it, however, freeloads on the government certification of identity. Without the legal threats, it would be much harder to assemble the data. (Other things, like credit, also become much harder. That may become less of an issue as id theft makes credit visibly a two-edged sword. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Suspending the Constitution
On Wed, Dec 18, 2002 at 03:17:21PM -0800, Petro wrote: | On Sat, Dec 14, 2002 at 03:18:09PM -0800, Mike Rosing wrote: | On Sat, 14 Dec 2002, Tim May wrote: | Lincoln's notion that the Constitution is suspendable during a war, or | other emergency conditions, was disgraceful. Nothing in the | Constitution says that it is suspended when a President declares it to | be suspended. | Power is what power does. He got away with it, that's all that counts. | | Then the consitution is meaningless babble. The Volkh conspiracy blog had this Learned Hand quote recently: I often wonder whether we do not rest our hopes too much upon constitutions, upon laws and upon courts. These are false hopes; believe me, these are false hopes. Liberty lies in the hearts of men and women; when it dies there, no constitution, no law, no court can even do much to help it. While it lies there it needs no constitution, no law, no court to save it. The entirety is at http://www.criminaljustice.org/public.nsf/\ENews/2002e67?opendocument. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: [IP] Limits Sought on Wireless Internet Access (fwd)
On Tue, Dec 17, 2002 at 05:12:35PM -0800, Lucky Green wrote: | In other words, the new WaveLAN cards are shipping with a remote | off-switch held by minor government officials. Let's recap the | initiatives currently underway by both governments and major software | vendors: | | Remote disabling of your OS. | Remote disabling of your applications. | Remote disabling of your network connectivity. | Remote invalidation, if not downright alteration, of your digital | documents. | | I wonder what they'll announce next. Local disabling of your cynicism, in room 101. -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Suspending the Constitution
On Wed, Dec 18, 2002 at 03:17:21PM -0800, Petro wrote: | On Sat, Dec 14, 2002 at 03:18:09PM -0800, Mike Rosing wrote: | On Sat, 14 Dec 2002, Tim May wrote: | Lincoln's notion that the Constitution is suspendable during a war, or | other emergency conditions, was disgraceful. Nothing in the | Constitution says that it is suspended when a President declares it to | be suspended. | Power is what power does. He got away with it, that's all that counts. | | Then the consitution is meaningless babble. The Volkh conspiracy blog had this Learned Hand quote recently: I often wonder whether we do not rest our hopes too much upon constitutions, upon laws and upon courts. These are false hopes; believe me, these are false hopes. Liberty lies in the hearts of men and women; when it dies there, no constitution, no law, no court can even do much to help it. While it lies there it needs no constitution, no law, no court to save it. The entirety is at http://www.criminaljustice.org/public.nsf/\ENews/2002e67?opendocument. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Short story?
On Mon, Dec 16, 2002 at 03:03:29PM -0800, Petro wrote: | Permanently behind on my email: | | On Sat, Nov 23, 2002 at 03:22:41PM -0500, Adam Shostack wrote: | I'm trying to remember details (author, title) of a short story that I | read once. Its main feature, or the one that's standing out in my | mind, is the obsessive hacker who studies a target to figure out his | password, at which he only has one guess. The zinger is that the very | security concious target has selected that password as a booby trap, | and there's a second password which our hacker doesn't have. | Does this ring a bell for anyone? | | Yes--except that the password wasn't a booby trap, what the user did | was to aways enter a wrong password first, then the right password. | | In the story the password guesser was an adult in (IIRC) a 5 year | olds body, and his partner in this crime had his brain burned out by | certain Organized Crime individuals who were not happy with the | passports the password theft made possible. | | It was either in an anthology of William Gibsons work, or in an | anthology of cyberpunk stuff from the 80s or early 90s. | | Sorry I can't remember any more. Dogwalker, Orson Scott Card. But thanks! Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Short story?
On Mon, Dec 16, 2002 at 03:03:29PM -0800, Petro wrote: | Permanently behind on my email: | | On Sat, Nov 23, 2002 at 03:22:41PM -0500, Adam Shostack wrote: | I'm trying to remember details (author, title) of a short story that I | read once. Its main feature, or the one that's standing out in my | mind, is the obsessive hacker who studies a target to figure out his | password, at which he only has one guess. The zinger is that the very | security concious target has selected that password as a booby trap, | and there's a second password which our hacker doesn't have. | Does this ring a bell for anyone? | | Yes--except that the password wasn't a booby trap, what the user did | was to aways enter a wrong password first, then the right password. | | In the story the password guesser was an adult in (IIRC) a 5 year | olds body, and his partner in this crime had his brain burned out by | certain Organized Crime individuals who were not happy with the | passports the password theft made possible. | | It was either in an anthology of William Gibsons work, or in an | anthology of cyberpunk stuff from the 80s or early 90s. | | Sorry I can't remember any more. Dogwalker, Orson Scott Card. But thanks! Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Privacy qua privacy (Was: Photographer Arrested For Taking Pictures...)
On Sun, Dec 15, 2002 at 12:22:30PM -0500, Declan McCullagh wrote: | EPIC is in favor of using technologies to limit the information that | people disclose. It is in favor of limiting law enforcement [...] | But EPIC sharply diverges with some cypherpunks over the question of | what regulations should be imposed on private entities. It supports -- | may even be the most vocal supporter -- of laws telling you, in Tim's | words, you must forget someone's previous commercial interactions with | you past a certain date. It supports broad and intrusive regulations | aimed at companies' data collection and use practices. It would like | to establish a European-style (not exactly the same, perhaps, but | close) data protection regime in the U.S., despite all the free | speech problems we've seen with it in Europe: I think the issue of data protection vs privacy goes deeper than free speech. It falls back to Americans being willing to express their distrust than most Europeans. American privacy law derives from the 1st and 4th amendments: Congress shall make no law, be secure in their persons and papers... However, there is no modern American privacy law which talks about anonymity, the right to be left alone, or information self-determination (ironically, a German phrase.) Its all based on the assumption that privacy law is about fair information sharing, rather than American-style suspicion of information sharing. I think that a law which re-affirmed the rights to be anonymous, to call yourself what you will, to be left alone, to not carry or show ID would transform the debate about privacy into terms in which the issue could be solved. (At least as it affects private companies.) Companies would be able to do what they want with your data as long as you had a meaningful and non-coercive choice about handing it over. As you point out, this won't solve the issue of coercive government programs which require ID, or the creeping uses of that data as authorized by law. But the fundamental, underlying issue is that data protection law is un-American, and all the new that claim to protect privacy (GLB, HIPAA, DMCA) are really data protection laws. They contain an assumption that some level of data sharing is fair and necessary. Those levels are determined by back-room deal making between interest groups, and the public is rarely represented. (There's a lot of standard analysis of regulatory capture, public policy making a la Mancur Olsen, etc that applies here.) This causes everyone a lot more pain than is really needed. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Gilmore's response
On Fri, Dec 13, 2002 at 02:47:37PM -0800, Steve Schear wrote: | Dare you to do this with your Groucho glasses on :-) | | Oh, you saw me at RSA, eh? (Last year I guess it was, the RSA's staff | allowed me to be photo ID'd wearing them as long as I promised to wear them | on the show floor, which I did). I think I still have them. I'd be up for | it. In one of their books, Penn and Teller suggest gluing a small bit of red foam to an ID over your nose. Then as you hand over the ID, slip a clown nose on, and continue as if nothing had happened. -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Gilmore's response
On Fri, Dec 13, 2002 at 10:54:06AM -0800, Marshall Clow wrote: | At 1:38 PM -0500 12/13/02, Adam Shostack wrote: | PS: Current news in Canada includes the gun registry having undergone | a 12x cost overrun, and its not clear what will happen to it. A large | reason for the overruns have been people making mistakes in filling | out the complex forms, and thus slowing down implementation. | http://cbc.ca/stories/2002/12/12/guns011212 | | I think its time for me to go get a gun permit, and help the proces | along. | | Adam - | | The article that you linked to claims that the projected cost of the | gun registry was $2 million, and the actual cost was (so far) $680 million. | | That's a bit more than 12x :-) Yeah, that was a marketing claim as they put the program forward, as I recall. The original budgeted number was 85 million, and current projections are that it will cost upwards of a billion to complete. Of course, I could be totally off. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Gilmore's response
On Fri, Dec 13, 2002 at 02:47:37PM -0800, Steve Schear wrote: | Dare you to do this with your Groucho glasses on :-) | | Oh, you saw me at RSA, eh? (Last year I guess it was, the RSA's staff | allowed me to be photo ID'd wearing them as long as I promised to wear them | on the show floor, which I did). I think I still have them. I'd be up for | it. In one of their books, Penn and Teller suggest gluing a small bit of red foam to an ID over your nose. Then as you hand over the ID, slip a clown nose on, and continue as if nothing had happened. -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Extradition, Snatching, and the Danger of Traveling to Other Countries
On Fri, Dec 13, 2002 at 08:17:27AM -0800, Mike Rosing wrote: | All represive regiemes are short lived in a historical context. | Living thru them is hell. This one has already begun a rather | interesting hypocrisy - they say they support gun ownership, but | they have no problem with letting the courts say the opposite. | So far they are picking their targets small enough that the masses | aren't actually worried that they will be next. But to take total | control, they will have to scare the masses in a more effective way. | And it's unlikely that they will be able to scare them into | giving up weapons. And that's the point of an armed citizenry, | to overthrow represive regiems. | | When we can't vote, we can fight. So far the number of horror | stories is small. But when everyone has a personal friend or | relative that's been shot, abused, tortured or even just roughed | up - then they'll know they might be next. And they might vote to change | things. So from a purely machivellian perspective, the faster | they become more repressive and the more people they harm, | the faster things will change. | | We just have a few years of hell to go thru, that's all. Your comments remind me greatly of the Gulag Archipeligo, especially the bits about those crushed early after the revolution. -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Gilmore's response
On Fri, Dec 13, 2002 at 10:15:22AM -0800, Steve Schear wrote: | At 12:43 PM 12/13/2002 -0500, you wrote: | Gilmore's legal response to secret laws, etc. | | http://cryptome.org/gilmore-v-usa-god.htm | | I have a possible trip coming up soon. I intend to have my tickets | purchased by a third party and fly under an assumed name (maybe Tyler | Durden ;-) I will carry no ID on my person. Perhaps there is now a need to | have large numbers of refusnik travelers assume the same nom de avion | identity. Sort of like the Killroy in WW II. Let us know how it goes. Duncan would doubtless argue that there are already large numbers of travellers using assumed names, including migrant mexican workers, US government employees, terrorists, actors and actresses, etc. The immigration laws have done a good job of making it easy to get quality secondary id. The response of the apparatchiks is to increase the penalties until we're all cowed, like they did in the old war on drugs. Adam PS: Current news in Canada includes the gun registry having undergone a 12x cost overrun, and its not clear what will happen to it. A large reason for the overruns have been people making mistakes in filling out the complex forms, and thus slowing down implementation. http://cbc.ca/stories/2002/12/12/guns011212 I think its time for me to go get a gun permit, and help the proces along. -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Gilmore's response
On Fri, Dec 13, 2002 at 10:54:06AM -0800, Marshall Clow wrote: | At 1:38 PM -0500 12/13/02, Adam Shostack wrote: | PS: Current news in Canada includes the gun registry having undergone | a 12x cost overrun, and its not clear what will happen to it. A large | reason for the overruns have been people making mistakes in filling | out the complex forms, and thus slowing down implementation. | http://cbc.ca/stories/2002/12/12/guns011212 | | I think its time for me to go get a gun permit, and help the proces | along. | | Adam - | | The article that you linked to claims that the projected cost of the | gun registry was $2 million, and the actual cost was (so far) $680 million. | | That's a bit more than 12x :-) Yeah, that was a marketing claim as they put the program forward, as I recall. The original budgeted number was 85 million, and current projections are that it will cost upwards of a billion to complete. Of course, I could be totally off. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Short story?
I'm trying to remember details (author, title) of a short story that I read once. Its main feature, or the one that's standing out in my mind, is the obsessive hacker who studies a target to figure out his password, at which he only has one guess. The zinger is that the very security concious target has selected that password as a booby trap, and there's a second password which our hacker doesn't have. Does this ring a bell for anyone? Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Q: opportunistic email encryption
On Fri, Nov 22, 2002 at 09:23:57PM +0100, Eugen Leitl wrote: | Question: if you control the traffic layer you can easily disrupt | opportunistic encryption (STARTTLS Co) by killing public key exchange, | or even do a MITM. | | Is there any infrastructure in MTAs for public key caching, and admin | notification if things look fishy? (Fishy: a host which used to do PKI | with you suddenly says it can't, or its key differs from key you cached). | | (Okay, it's unlikely, but maybe people have been anticipating this). Not that we've found. I did a little experimenting with huge SSL session timeouts and high log levels, but saw nothing logged that indicated that someone who should have had a key didn't. While what you propose is useful enough that I spent time looking for it, lets not let the best become the enemey of the good. Needing to disrupt a network connection is a huge cost for an Eve who prefers to avoid detection. Not an unpayable one, but not to be ignored. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Torture done correctly is a terminal process
On Wed, Nov 20, 2002 at 04:30:42PM -0800, Tim May wrote: | On Wednesday, November 20, 2002, at 12:49 PM, dmolnar wrote: | | On Wed, 20 Nov 2002, Tyler Durden wrote: | | to have a big jpg of a hand with middle finger extended...) More than | this, | they will have unknowingly destroyed the real data. (Perhaps a 3rd | key is | needed that DOESN'T destroy the original data, just 'hides' it a la | Rubberhose.) | | The question I've seen asked about this is then -- how do you get them | to | stop beating you? If they know you might have some number of duress | keys, | one of which might undetectably hide the data, what stops them from | beating you until | | 1) you give them a key that shows them what they want to see | 2) you die | | Maybe this isn't that different from the ordinary unencrypted case, | where | if they don't find it on your HD they can accuse you of burying disks | in | the backyard or something. Or is the goal protecting the data and not | protecting your life? | | From my reading of tradecraft, as practiced by SAVAK, MOSSAD, GRU, | etc., there is rarely anything to be gained by letting the target of | torture survive. If he or she survives, she screams to the newspapers, | 60 Minutes, etc. There's also rarely anything to be gained from torture, as people will invent all sorts of crap to get out from physical pain. | The United States draws heavily on Israel for torture methods, as their | methods come from some of the best torturers the world has ever seen, | their teachers at Auschwitz and Berlin Central. The Russians, Americans and I believe others have moved from physical to psychological methods which have proven to work better than actual physical pain. I recall reading a story on Abdul Murad, the Al Qaeda member arrested in 1995 in the Philipines, where the way they finally got him to talk ws threatening him with being turned over to the Israelis. http://www.opinionjournal.com/editorial/feature.html?id=95001363 The Russians reputedly used sensory deprivation as a means of convincing western spies to talk. 24 to 48 hours in a tank broke nearly anyone. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Torture done correctly is a terminal process
On Wed, Nov 20, 2002 at 04:30:42PM -0800, Tim May wrote: | On Wednesday, November 20, 2002, at 12:49 PM, dmolnar wrote: | | On Wed, 20 Nov 2002, Tyler Durden wrote: | | to have a big jpg of a hand with middle finger extended...) More than | this, | they will have unknowingly destroyed the real data. (Perhaps a 3rd | key is | needed that DOESN'T destroy the original data, just 'hides' it a la | Rubberhose.) | | The question I've seen asked about this is then -- how do you get them | to | stop beating you? If they know you might have some number of duress | keys, | one of which might undetectably hide the data, what stops them from | beating you until | | 1) you give them a key that shows them what they want to see | 2) you die | | Maybe this isn't that different from the ordinary unencrypted case, | where | if they don't find it on your HD they can accuse you of burying disks | in | the backyard or something. Or is the goal protecting the data and not | protecting your life? | | From my reading of tradecraft, as practiced by SAVAK, MOSSAD, GRU, | etc., there is rarely anything to be gained by letting the target of | torture survive. If he or she survives, she screams to the newspapers, | 60 Minutes, etc. There's also rarely anything to be gained from torture, as people will invent all sorts of crap to get out from physical pain. | The United States draws heavily on Israel for torture methods, as their | methods come from some of the best torturers the world has ever seen, | their teachers at Auschwitz and Berlin Central. The Russians, Americans and I believe others have moved from physical to psychological methods which have proven to work better than actual physical pain. I recall reading a story on Abdul Murad, the Al Qaeda member arrested in 1995 in the Philipines, where the way they finally got him to talk ws threatening him with being turned over to the Israelis. http://www.opinionjournal.com/editorial/feature.html?id=95001363 The Russians reputedly used sensory deprivation as a means of convincing western spies to talk. 24 to 48 hours in a tank broke nearly anyone. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: (Being able to) sell votes
On Mon, Nov 18, 2002 at 07:02:40AM -0800, Mike Rosing wrote: | On Mon, 18 Nov 2002, Tyler Durden wrote: | | Me, I don't like the idea of people actualy selling votes, but I think I | like the idea of people BEING ABLE to sell their votes. | | But then votes are property, and property can be transfered, so | you could sell your vote from your will, and dead voters could | be very powerful :-) If I were Bill Gates, I'd like the idea too. Ross Perot demonstrated that you can buy your way into an election now. Maybe we should just admit that that's the case. Could it be worse than the unofficially sold elections and gerrymandered districts we have now? Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: (Being able to) sell votes
On Mon, Nov 18, 2002 at 07:02:40AM -0800, Mike Rosing wrote: | On Mon, 18 Nov 2002, Tyler Durden wrote: | | Me, I don't like the idea of people actualy selling votes, but I think I | like the idea of people BEING ABLE to sell their votes. | | But then votes are property, and property can be transfered, so | you could sell your vote from your will, and dead voters could | be very powerful :-) If I were Bill Gates, I'd like the idea too. Ross Perot demonstrated that you can buy your way into an election now. Maybe we should just admit that that's the case. Could it be worse than the unofficially sold elections and gerrymandered districts we have now? Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Workshop on HCI and Security at CHI2003
I think that the intersection of usability and security is of tremendous import, and wanted to share an under-advertised sort of workshop announcement: http://www.acm.org/sigchi/ The conference home page is http://www.chi2003.org/ The workshop page is http://www.iit.nrc.ca/~patricka/CHI_2003/HCISEC/workshop.html I thought that the workshop info would be accessible from the conference site, but that appears not to be the case (at least not yet). Feel free to forward the URL to anyone else you think might be interested. Since it's at CHI, I expect we'll get plenty of people from that community, but we also really want attendees from the security community as well. - Chris
Workshop on HCI and Security at CHI2003
I think that the intersection of usability and security is of tremendous import, and wanted to share an under-advertised sort of workshop announcement: http://www.acm.org/sigchi/ The conference home page is http://www.chi2003.org/ The workshop page is http://www.iit.nrc.ca/~patricka/CHI_2003/HCISEC/workshop.html I thought that the workshop info would be accessible from the conference site, but that appears not to be the case (at least not yet). Feel free to forward the URL to anyone else you think might be interested. Since it's at CHI, I expect we'll get plenty of people from that community, but we also really want attendees from the security community as well. - Chris
Re: Workshop on HCI and Security at CHI2003
Since posting, I got a better web page: http://www.iit.nrc.ca/~patricka/CHI2003/HCISEC/index.html Adam On Mon, Nov 11, 2002 at 09:54:51AM -0500, Adam Shostack wrote: | I think that the intersection of usability and security is of | tremendous import, and wanted to share an under-advertised sort of | workshop announcement: | | http://www.acm.org/sigchi/ | | The conference home page is | | http://www.chi2003.org/ | | The workshop page is | | http://www.iit.nrc.ca/~patricka/CHI_2003/HCISEC/workshop.html | | I thought that the workshop info would be accessible from the | conference site, but that appears not to be the case (at least not | yet). | | Feel free to forward the URL to anyone else you think might be | interested. Since it's at CHI, I expect we'll get plenty of people | from that community, but we also really want attendees from the | security community as well. | | - Chris | | - | The Cryptography Mailing List | Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED] -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Photos in transport plane of prisoners: Time for eJazeera?
On Sat, Nov 09, 2002 at 08:10:22PM -0800, Mike Rosing wrote: | As long as there are people in the military who are willing and able to | inform us on what they are *really* doing, we actually can feel pretty | comfortable with their missions. It's gonna take a full polilce state | to prevent the dissemination of this kind of info. A full police state can't prevent anything, it can just make some things less common. For example, samizdat in the USSR still got copied and passed around. Drug use is a problem in US prisons. Etc. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Photos in transport plane of prisoners: Time for eJazeera?
On Sat, Nov 09, 2002 at 08:10:22PM -0800, Mike Rosing wrote: | As long as there are people in the military who are willing and able to | inform us on what they are *really* doing, we actually can feel pretty | comfortable with their missions. It's gonna take a full polilce state | to prevent the dissemination of this kind of info. A full police state can't prevent anything, it can just make some things less common. For example, samizdat in the USSR still got copied and passed around. Drug use is a problem in US prisons. Etc. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: What email encryption is actually in use?
On Sun, Nov 03, 2002 at 11:23:36AM -0800, Tim May wrote: | I think most users, even casual ones, would accept this advice: | | Look, encrypted text is just a rearrangement of text. Compose your | message in whatever editor or word processor you want, apply the | encryption directly to that text, then paste in or otherwise send that | new text out. Expecting encryption to be closely tied in to to | ever-changing mailers, word processors, news readers, and multiple | iterations of OSes, is just too big a chore for developers to keep up | with. Most users think text comes in colors, and don't understand why documents produced by MS Word are different from text. This is inevitable as we shift towards a world of ubiquitous computing: The average user understands less and less. To put it another way, if most users could accept that advice, most of my business email would be encrypted after someone sent me an NDA. The person cares about confidentiality, but doesn't know how to achieve it, and doesn't understand why its not in their mailer. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: What email encryption is actually in use?
On Sun, Nov 03, 2002 at 11:23:36AM -0800, Tim May wrote: | I think most users, even casual ones, would accept this advice: | | Look, encrypted text is just a rearrangement of text. Compose your | message in whatever editor or word processor you want, apply the | encryption directly to that text, then paste in or otherwise send that | new text out. Expecting encryption to be closely tied in to to | ever-changing mailers, word processors, news readers, and multiple | iterations of OSes, is just too big a chore for developers to keep up | with. Most users think text comes in colors, and don't understand why documents produced by MS Word are different from text. This is inevitable as we shift towards a world of ubiquitous computing: The average user understands less and less. To put it another way, if most users could accept that advice, most of my business email would be encrypted after someone sent me an NDA. The person cares about confidentiality, but doesn't know how to achieve it, and doesn't understand why its not in their mailer. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Integrated crypto sounds useful, but it's fragile and ultimately a lose
On Sun, Nov 03, 2002 at 12:41:11PM -0800, Tim May wrote: | To expand on this point a bit, I suspect one of the main reasons people | who once used PGP stop using it, either privately or at corporations | (as we have heard folks here testify about), is because something | changes and things break. | | They upgrade their OS, they get a new release of a mailer, and things | break. And they don't have the time, energy, or inclination to track | down all of the little gotchas that may have cause things to break. I | know this happened to me several times over the years with various | versions of PGP, Eudora, and Mac OS 7, 8, and 9. These breaks have three causes: 1) changes in the PGP 'api,' 2) changes in the OS causing PGP to break, 3) changes in PGP causing it to not interoperate. My experience (mostly on unix) says that 1 and 3 are responsble for far more problems than 2. That is to say, PGP beaks because it isn't stable, not because the OS or apps aren't stable. PGP API changes used to be explainable by the need to do something else not previously thought of. Now it seems to be fashionable to make changes in minor versions (gpg 1.06 to 1.07 for example, changed a bunch of things, rather than holding them back to 1.2) PGP developers need to recognize this and make their APIs stable. Changes in PGP are of two forms: First is message encoding (PGP/Mime, x-application-pgp, what have you. Those seem to be fewer in number, although I still don't know if mutt's default encoding is right or not. The second was the penchant of PGP to add new algorithms for first patent and then speed reasons. Patent reasons are understandable, but the speed of PGP was never enough reason to add CAST and make it a default. So, almost all of these reasons are things that fall under the control of people doing development, who need to understand that their choices (new algorithms, new APIs, new message formats) are making it too much of a bother to get even half-decent message privacy. They don't have a lot to do with the mailers, newsreaders, or OS changes that are outside developers control. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: What email encryption is actually in use?
An interesting tidbit in the September Information Security Bulletin is the claim from MessageLabs that only .005% of the mail they saw in 2002 is encrypted, up from .003% in 2000. (MessageLabs is an outsourcing email anti-virus company.) At this thrilling rate of growth, it will be on the order of between 30 and 40 years before we see most email being encrypted. And about 10 years before we start to see any real hope of a fax effect. Lets be sure to consider that the PGP model is working. After all, thats faster than the adoption of the, ummm, well, I'm sure someone can take comfort from it. Maybe even someone other than the eavesdroppers. Now, it may be that they have a unusual sampling because only a nutcase company would send all its email through a 3rd party processor. But I don't believe that to be true. Most companies send their email unencrypted through a single ISP. Messagelabs only has it slightly easier when it comes to eavesdropping. Last month, about 5% of my email was sent PGP encrypted, about 2% STARTTLS encrypted, and about 25% SSH encrypted to people on the same mail server, where POP and IMAP only function via SSH. I'd be interested to hear how often email content is protected by any form of crypto, including IPsec, Starttls, ssh delivery, or PGP or SMIME. There's probably an interesting paper in going out and looking at this. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Confiscation of Anti-War Video
On Tue, Oct 29, 2002 at 07:13:52PM -0500, John Kelsey wrote: | Your list left out the obvious technique, which I think is more-or-less | used by El Al: Screen your passengers really well, probably using secret | databases, various kinds of racial profiling, etc. Routinely turn | passengers away, or make boarding the plane such an ordeal that they elect | not to fly anymore. (One of the many problems with this is that most | flights are within the US; make flying sufficiently nasty, and people will | take trains, busses, or their own cars. I think this is already happening | a great deal, which is one reason most airlines are doing so poorly.) What are you going to screen for? The Israelis have a relatively small set of populations who fly El Al or otherwise via Tel Aviv (Jews, Muslim and Christian Arabs, Christian holy land tourists, backpackers, businesspeople.) All attacks to date have fit a set of profiles. (Passengers, as far as I know, are rarely actually turned away, they're just submitted to more and more intense scrutiny. Which is ok because there are air marshalls on most flights. The US has more diversity in travellers, destinations, etc. Are you going to throw British citizens of Jamaican heritage on your list (Richard Reid)? What about hispanics (Jose Padilla)? Irish Americans (Tim McViegh)? Saudis? Maybe its easier to assemble a list of people who don't get searched extra hard (Mormons). But then you have the problem that you can't train and monitor enough people to do the deep screenings without a few bad apples getting through. Which means that bad guys will know about the screening techniques. (See the Carnival Booth paper.) I think a resiliant system requires people roughly as well armed as the hijackers might be in the way of a hijacking attempt. Air marshalls or otherwise. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Confiscation of Anti-War Video
On Wed, Oct 30, 2002 at 10:32:17AM -0500, Sunder wrote: | It's interesting to see how much stuff that was in the interest of | national security being declassified and available after 50 years. Lots | of cool stuff on the history channel lately. I wonder what evil will | surface fifty years from now on the history channel about the | present? (Assuming that we don't actually turn into a dictatorship of | course... grand assumption that.) You mean remain? There are multiple American citizens being held on nothing more than the order of the President. There are restrictions on free speech, free assembly, etc, etc. | It is seldom that liberty of any kind is lost all at once. | -Hume | | Except in the case of national security and terrorist acts? Hmmm, we used | to have the four horsemen of the apocalypse. I guess the horseman of | terror has become the meta-horseman. I stand by Hume. Such losses are indeed seldom. Little insidious losses are far more common. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: A non-political issue
On Wed, Oct 30, 2002 at 01:34:12AM +0100, Anonymous via the Cypherpunks Tonga Remailer wrote: | (possible duplicate message) | | What technology is available to create a 2048-bit RSA key pair so that: | | 1 - the randomness comes from quantum noise | | 2 - no one knows the secret part, | | 3 - The secret part is kept in the box and it is safe as long as the box is |physically secured (expense of securing the box is a don't care). | | 4 - box can do high-speed signing (say, 0.1 mS per signature) over some kind of |network interface | | 5 - you can reasonably convince certain people (that stand to lose a lot and have |huge resources) in 1, 2, 3 and 4. | | 6 - The operation budget is around $1m (maintenance not included). | | 7 - attacker's budget is around $100m | | 8 - the key must never be destroyed, so backup is essential. | | In other words, convincing translation of a crypto problem into physical security |problem. | | | It looks like the key gets created on the same box(es) on which it | is stored, which all interested parties inspected to any desireable | level. Once everyone is comfortable the button gets pressed to | create/distribute the key, and then you put goons with AKs around the | boxes and pray that no one fucked with the microprocessor ... this may | mean buying the components at random. Look at NCipher, and host in the Bunker. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Confiscation of Anti-War Video
On Mon, Oct 28, 2002 at 04:13:31PM -0500, Trei, Peter wrote: | Actually, the DoT has already ruled positively that one fuel cell from | Polyfuel | can be carried on board. They appear to have a cartridge for the methanol, | similar to a ink cartridge. It's a pity it's methanol - I want to be able to | tell | the stewardess Bring me a double Absolut! My laptop is running low! | Even if this company turns vaporware, others won't. The rules, Mr. Trei, are what we say the rules are. Now you will be taking hold of your ankles without further delay! (Changing the rules on a regular basis has some security value, as it makes it likely that plans will be ruined. But it has the cost that passengers can't plan..) But as anyone who has ever tried flying without ID knows, the rules are not rules, employees are not trained on them, and a little social engineering went a long way. PS: http://www.apfa.org/public/articles/News-Events/STUPID_RULES.HTML Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: Confiscation of Anti-War Video
On Mon, Oct 28, 2002 at 04:13:31PM -0500, Trei, Peter wrote: | Actually, the DoT has already ruled positively that one fuel cell from | Polyfuel | can be carried on board. They appear to have a cartridge for the methanol, | similar to a ink cartridge. It's a pity it's methanol - I want to be able to | tell | the stewardess Bring me a double Absolut! My laptop is running low! | Even if this company turns vaporware, others won't. The rules, Mr. Trei, are what we say the rules are. Now you will be taking hold of your ankles without further delay! (Changing the rules on a regular basis has some security value, as it makes it likely that plans will be ruined. But it has the cost that passengers can't plan..) But as anyone who has ever tried flying without ID knows, the rules are not rules, employees are not trained on them, and a little social engineering went a long way. PS: http://www.apfa.org/public/articles/News-Events/STUPID_RULES.HTML Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: internet radio - broadcast without incurring royalty fees
On Fri, Oct 25, 2002 at 02:37:32AM +0100, Adam Back wrote: | Seems to me this would pass current IP laws because it is like a radio | station which broadcast the name of a song and the user is expected to | insert the CD in his player and play along to keep up with the | commentary, only automated and with open APIs for the load and play | this CD track instructions so people can hook it up to whatever is | convenient to them. Sounds like it will sound like contributory infringement and 100k in legal costs to RIAA. Happy fun court is not amused. But I am. -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: internet radio - broadcast without incurring royalty fees
On Fri, Oct 25, 2002 at 02:37:32AM +0100, Adam Back wrote: | Seems to me this would pass current IP laws because it is like a radio | station which broadcast the name of a song and the user is expected to | insert the CD in his player and play along to keep up with the | commentary, only automated and with open APIs for the load and play | this CD track instructions so people can hook it up to whatever is | convenient to them. Sounds like it will sound like contributory infringement and 100k in legal costs to RIAA. Happy fun court is not amused. But I am. -- It is seldom that liberty of any kind is lost all at once. -Hume
QuizID
http://news.bbc.co.uk/2/hi/technology/2334491.stm and www.quizid.com A credit-card sized device, which could potentially be issued to thousands of citizens, is being heralded as a major breakthrough in the search for establishing secure identification on the internet. ... Users are issued with a card and a personal code, based on a set of colour keys on the card. Each time they wish to conduct a secure transaction, they punch in the colour code and a random number is generated. The card works in conjunction with the Quizid vault - a large collection of computers that can process 600 authentications per second. The system cost millions of pounds to develop. (Oooh! six hundred! Impressive! :) I don't see anything on their site about the technology, but I do question if 4 colored buttons, with a probable pin length of 4-6, is worth 10-70 pounds per year..For that price you can get securid cards, which aren't nearly as pretty, but that's nothing Ideo couldn't fix in a week. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: QuizID?
On Thu, Oct 17, 2002 at 02:39:55PM -0400, Rich Salz wrote: | Marc Branchaud wrote: | Any thoughts on this device? At first glance, it doesn't seem | particularly impressive... | | http://www.quizid.com/ | | Looks like hardware S/Key, doesn't it? | | If I could fool the user into entering a quizcode, then it seems like I | could get the device and the admin database out of sync and lock the | user out of the system. Aww, Rich, that trick never works! More seriously, most of the vendors will search forwards and back through the expected codes to make the attack less likely to work. (If authentication is centralized, searching backwards may not be a security risk.) I think the most interesting part of this is the unit looks cool, and its spun slightly differently than other tokens have been. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
QuizID
http://news.bbc.co.uk/2/hi/technology/2334491.stm and www.quizid.com A credit-card sized device, which could potentially be issued to thousands of citizens, is being heralded as a major breakthrough in the search for establishing secure identification on the internet. ... Users are issued with a card and a personal code, based on a set of colour keys on the card. Each time they wish to conduct a secure transaction, they punch in the colour code and a random number is generated. The card works in conjunction with the Quizid vault - a large collection of computers that can process 600 authentications per second. The system cost millions of pounds to develop. (Oooh! six hundred! Impressive! :) I don't see anything on their site about the technology, but I do question if 4 colored buttons, with a probable pin length of 4-6, is worth 10-70 pounds per year..For that price you can get securid cards, which aren't nearly as pretty, but that's nothing Ideo couldn't fix in a week. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Re: QuizID?
On Thu, Oct 17, 2002 at 02:39:55PM -0400, Rich Salz wrote: | Marc Branchaud wrote: | Any thoughts on this device? At first glance, it doesn't seem | particularly impressive... | | http://www.quizid.com/ | | Looks like hardware S/Key, doesn't it? | | If I could fool the user into entering a quizcode, then it seems like I | could get the device and the admin database out of sync and lock the | user out of the system. Aww, Rich, that trick never works! More seriously, most of the vendors will search forwards and back through the expected codes to make the attack less likely to work. (If authentication is centralized, searching backwards may not be a security risk.) I think the most interesting part of this is the unit looks cool, and its spun slightly differently than other tokens have been. Adam -- It is seldom that liberty of any kind is lost all at once. -Hume
Proofs of security
Has anyone done any research into how much better new cryptosystems with proofs of security do, as opposed to their unproven cousins? It seems that having a proof of security doesn't actually improve the odds that a system will survive attacks. But thats my intuition, not a proven fact. ;) Has anyone read a stack of papers and done some statistics? -- It is seldom that liberty of any kind is lost all at once. -Hume
