[discuss] Tue, Dec 16: EFF-A CyberDawg (fwd)
-- Forwarded message --
Date: Mon, 1 Dec 2003 16:36:29 -0600
From: David Nunez [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [discuss] Tue, Dec 16: EFF-A CyberDawg

Tuesday! Tuesday! Tuesday! Get ready for chills, thrills and bone-crushing spills! More excitement and more mud than ever before! Hear the screaming crowd, hear the crushing of metal, and feel the adrenaline of the CyberDAWWG! That's right, it's time for CyberDAWG Madness! Tuesday! Tuesday! TUESDAY! Be there!

Please RSVP by sending email to [EMAIL PROTECTED]

EFF-Austin MegaEvent on Dec 16th, 2003
Opal Divine's in Austin (6th and Rio Grande)
* 6:00-8:00 - eVoting Dinner Discussion (serious discussion)
* 8:00-close - CyberDawg 2003 (wild party)

BuyYerOwnDinner for the eVoting Discussion... Light snacks served at Cyberdawg. Cash bar. Everyone showing up gets a free EFF bumper sticker and instigator badge! All new 2004 exclusive EFF-A T-shirts will be on sale. (http://www.eff-austin.org)

=
Calling all cyberhippies, geeks, artists, filmmakers, WiFi Superheroes, technovangelists, computer builders/programmers/networkers/users, robotic mad scientists and their cyborganic chimpanzee lab assistants, liberty-lovin' lawyers, techeductors, wonks, weirdos, walruses, open source hackers, octopodes, and friends of all of the above. Come one, come all, and bring 20 of your friends. This is NOT the event to miss. Please help us by forwarding along this invitation to your friends and fellow cybernauts.
=

EFF-Austin (http://www.eff-austin.org) proudly brings you the CyberDawg 2003 World Tour*** December 16th at Opal Divines in Austin, TX.

6:00-8:00 - eVoting Roundtable: Join Dan Wallach, Computer science professor and security expert from Rice University, for dinner and discussion on eVoting for the December edition of the EFF-Austin Policy Roundtable. Dan Wallach is a member of the team, organized by Avi Rubin of Johns Hopkins, which conducted a scathing analysis of the Diebold voting system earlier this year. Dan will discuss the threat model for electronic voting. What can go wrong with evoting systems, what was wrong with the market-leading Diebold system, and what can geek activists do about it?

8:00-close - CyberDawg: What happens when you bring smart, creative, and passionate minds together to do nothing but talk, laugh, and instigate? We're not sure. We think it'll be an earth-shattering event, though... The Singularity, even. What is EFF-Austin? Who's working behind the scenes? What is it up to these days? What madcap adventures are planned for 2004? Calendar of events? How can YOU get involved in the fray? These questions and more will be answered at the Cyberdawg. If nothing else, you'll be in the same room with movers, shakers, and instigators in the Austin Tech/Art/and Cyberliberties scene... That's gotta be worth something, right?

=
*** CyberDawg 2003 will not actually go on a world tour. Just Austin... For that matter, there probably won't be too many thrills, chills, and spills or the gnashing of metal or screaming fans, either. But it will be fun, nonetheless.

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: e voting (receipts, votebuying, brinworld)
Thomas Shaddack wrote: On Wed, 26 Nov 2003, Neil Johnson wrote: Democracy is two wolves and a lamb voting on what to have for lunch. Liberty is a well-armed lamb contesting the vote! -- Ben Franklin And if they are all armed ? They all starve. Lambs can eat grass, which is usually unarmed. It is not. Grass is stuffed full of all sorts of complicated chemicals that can cause confusion to creatures that chomp it. Not to mention nassty little silica crystals. Lambs can eat grass because they are toughened and honed grass-killers, fitted by millions of years of evolution to survive everything the grass can throw at them. And even then they only cope with some kinds of grass. When a cat eats grass it gets sick. It doesn't take much intelligence to sneak up on a leaf, but it takes one hell of a digestive system to eat it. Us mammals are downstream of a 200-million-year evolutionary race between ourselves and green plants - they evolve a new poison, we evolve to tolerate it. Then we put it in hot drinks. Why else do so many plant compounds have such powerful drug effects on animals? At the time of writing there is no winner in sight. It isn't impossible to imagine one side winning in the end though. The plants really did beat the bacteria way back in the Palaeozoic - wood is about the only living tissue that bacteria can't eat. Which is why there is so much coal around. Fungi got the better of them later. Democracy tries to get the majority of participants through to the next round of the game. Natural selection kills nearly everybody, nearly all the time. Which is why it is so effective. But, given the choice, I'll take democracy. Trust me, I'm a botanist.
Re: Silly Linux Kernel Bug
At 01:09 AM 12/2/03 -0800, Eric Cordian wrote: As reported today on Slashdot, in linux kernels prior to 2.4.23, it is possible to map the kernel into user space with brk(), since apparently no one ever bothered to check that the argument passed was in the lower 3 gig of the address space. Question from a BSDer: Was this bug in the NSA's secure version?
People getting high == threat to homeland security
Query: What, nowadays, is *not* a threat to homeland security? 1. Airport drug bust heightens debate over non-federal forces By Chris Strohm A recent drug bust at Kennedy International Airport shows that the use of workers from private companies in sensitive security jobs poses a substantial risk, federal airport screeners argued Monday. Government agents arrested 20 baggage and cargo handlers at Kennedy last Tuesday and charged them with slipping tens of millions of dollars worth of cocaine and marijuana past security checkpoints during the last decade. Authorities said the workers were employed by American Airlines, Delta Airlines, United Airlines and five smaller companies: Globe Ground North American, Evergreen Eagle, Hudson General, Swissport USA and Flying Foods. The operation represented a potential threat to homeland security, said Michael Garcia, acting head of the Bureau of Immigration and Customs Enforcement. Full story: http://www.govexec.com/dailyfed/1203/120103c1.htm
25x faster RFIDs
Infineon has just released new RFID silicon with 25x the speed. Available in quantities starting 2004. It's 13.56 MHz (Phase Jitter Modulation, 8 channels), and can read up to 500 tags/s (limit hitherto 30 tags/s). No idea about the package size or the reading range. Use a dekrautizer of your choice: http://golem.de/0312/28756.html -- Eugen* Leitl http://leitl.org __ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE http://moleculardevices.org http://nanomachines.net
Re: Silly Linux Kernel Bug
Eric Cordian wrote: An interesting occurrence, because it demonstrates that massive numbers of open source participants auditing the code aren't sufficient to ferret out every giant coding blunder. I've heard that argument before (last time I heard it was a problem with a PGP implementation) and I never understand what people are trying to prove when they say it. Are you saying that the Open Source model isn't as good as proprietary we'll-fix-it-if-we-feel-like-it models? Are you saying that Open Source isn't the promised land like you were... um, promised? Are you saying that Open Source model shouldn't be used for anything that concerns security? I honestly don't know what you're getting at. So Open Source is not a perfect solution. In its defense: - you had the opportunity to hire a team of 50 to examine the code - the solution was made known to you - you can reject this solution and write your own if you prefer none of which would have been true if this were proprietary code. There are so many good things about this model - it seems silly to argue that Open Source doesn't live up to the unrealistic hype that the guys on Slashdot promised you. - Eric Tully
Re: [johnmacsgroup] Diebold query for the Group
[cc'd to cryptography (where clues reside...), and to cypherpunks (yeah, I know, don't feed the animals :-))] At 8:32 PM -0800 12/1/03, Donald L. Luskin wrote: I see that Krugman's column today is about Diebold and his voting machines. I recall that this discussion group had a thread going about that several weeks ago that seemed quite involved, but I never read it. Would someone be so kind as to remind me what that was all about? Thanks! Coming from someone whose primary interest is (still?...) financial cryptography these days, and internet bearer financial cryptography in particular, the answer here is a simple -- if you will -- paradox: --- You cannot have a perfectly secret electronic vote unless everybody can sell their votes. --- The most anonymous protocols for electronic voting are the same protocols that were invented for electronic bearer transactions like anonymous digital cash, bearer bonds/stock, etc. You're given a unique, anonymous, blinded, non-forgeable glop of bits, which you produce in exchange for a single operation of the voting protocol at the time of your vote. The problem is, you can sell said glop of bits -- for, say, another glop of bits representing a requisite amount of cash in the fiat, or commodity-backed, currency of your choice. Thus, more important, and to turn the above paradox on its head, the *only* way you can prevent the sale of that glop of bits is with some form of direct observation of the voter, complete with is-a-person identity schemes and/or other forms of virtual state-sponsored proctology. As an anarchocapitalist, of course, selling votes is fine by me. Monopolies on force are evil anyway, so selling my franchise for a mess o' pottage doesn't carry nearly the moral suasion that it used to. Moore's law and the internet can't price force-monopoly out of business fast enough, if you ask me. 
But, for your average demopublican (okay, I vote congenitally Republican, somebody stop me, I know it only encourages them -- but then again I go to church, too, silly atavist me...) selling votes is the highest sacrilege against the State there is. Something on the order of eating the wafer before the wine, or vice-versa, or whatever. For anarchocapitalists, selling your vote (aka equity), is something you're *supposed* to be able to do, something you're *honor-bound* to do, borrowing votes, if necessary, and selling them *short*... Cheers, RAH Whose last Financial Cryptography conference, in the Caymans in 2001, was spent pointing out that the previous stolen election was not a *financial* problem, 4 hours of the best and brightest's vociferous disputation through lunch to the contrary. Camels, fleas, and princes exist everywhere. -- Persian proverb The direct use of physical force is so poor a solution to the problem of limited resources that it is commonly employed only by small children and great nations. -- David Friedman, _The_Machinery_of_Freedom_ No matter who you vote for, the government gets elected. --Lizard, fronting an old chestnut, he says When I was your age we didn't have Tim May! We had to be paranoid on our own! And we were grateful! --Alan Olsen -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
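RAH's argument above is that the most anonymous voting protocols are the bearer-cash protocols, so the "glop of bits" a voter is issued is a bearer object that whoever holds it can spend. The following is an added example, not code from the post or from any voting system: a textbook RSA blind signature (Chaum's construction) with the registrar as signer and a tally that accepts tokens without asking who presents them. Everything concrete in it is an assumption for illustration: the toy 40-bit modulus built from the primes 1000003 and 1000033, the fixed blinding factor 424242 where a real voter would draw a random one, the (nonce, choice) token encoding, and the party and function names.

```c
/* Added example, not code from the post: an RSA blind-signature voting
 * token, the "blinded, non-forgeable glop of bits" spent once at the poll.
 * Assumed for illustration: a toy 40-bit modulus from two small primes,
 * a fixed blinding factor where a real voter would draw a random one,
 * a (nonce, choice) token encoding, and the party names. */
#include <stdint.h>
#include <stdio.h>

typedef uint64_t u64;
struct rsa_key { u64 n, e, d; };              /* d never leaves the registrar */

/* (a * b) mod n by shift-and-add, so no 128-bit type is needed (n < 2^63). */
static u64 mulmod(u64 a, u64 b, u64 n)
{
    u64 r = 0;
    for (a %= n, b %= n; b; b >>= 1) {
        if (b & 1) { r += a; if (r >= n) r -= n; }
        a <<= 1; if (a >= n) a -= n;
    }
    return r;
}

static u64 powmod(u64 b, u64 e, u64 n)
{
    u64 r = 1;
    for (b %= n; e; e >>= 1) {
        if (e & 1) r = mulmod(r, b, n);
        b = mulmod(b, b, n);
    }
    return r;
}

/* a^-1 mod n by extended Euclid; returns 0 when gcd(a, n) != 1. */
static u64 invmod(u64 a, u64 n)
{
    int64_t t = 0, nt = 1, r = (int64_t)n, nr = (int64_t)(a % n);
    while (nr) {
        int64_t q = r / nr, tmp;
        tmp = t - q * nt; t = nt; nt = tmp;
        tmp = r - q * nr; r = nr; nr = tmp;
    }
    return r != 1 ? 0 : (u64)(t < 0 ? t + (int64_t)n : t);
}

/* Toy registrar key: p = 1000003, q = 1000033 (both prime), e = 65537. */
static struct rsa_key toy_keygen(void)
{
    const u64 p = 1000003, q = 1000033;
    struct rsa_key k = { p * q, 65537, 0 };
    k.d = invmod(k.e, (p - 1) * (q - 1));
    return k;
}

/* Token = voter's secret nonce plus a 2-bit choice; it must stay < n. */
static u64 make_token(uint32_t nonce, unsigned choice) { return ((u64)nonce << 2) | (choice & 3); }

/* Voter: hide m behind r^e before the registrar sees it. */
static u64 blind(u64 m, u64 r, const struct rsa_key *k) { return mulmod(m, powmod(r, k->e, k->n), k->n); }

/* Registrar: check eligibility (not modelled), sign blindly, log only the blinded value. */
static u64 registrar_sign(u64 blinded, const struct rsa_key *k) { return powmod(blinded, k->d, k->n); }

/* Voter: strip r; what remains is an ordinary RSA signature on m. */
static u64 unblind(u64 sb, u64 r, const struct rsa_key *k) { return mulmod(sb, invmod(r, k->n), k->n); }

static int verify(u64 m, u64 s, const struct rsa_key *k) { return powmod(s, k->e, k->n) == m; }

#define MAX_BALLOTS 16
struct tally { u64 spent[MAX_BALLOTS]; int count; int votes[4]; };

/* The tally asks for no identity: any holder of a valid, unspent (m, s) is
 * counted, once. That is what makes the token sellable. */
static int cast_ballot(struct tally *t, u64 m, u64 s, const struct rsa_key *k)
{
    if (!verify(m, s, k) || t->count >= MAX_BALLOTS) return 0;
    for (int i = 0; i < t->count; i++)
        if (t->spent[i] == m) return 0;
    t->spent[t->count++] = m;
    t->votes[m & 3]++;
    return 1;
}

int main(void)
{
    struct rsa_key k = toy_keygen();
    u64 r = 424242;                        /* constructed; below p, so coprime to n */
    u64 m = make_token(0x1F3A9C5Bu, 2);    /* constructed nonce, choice 2 */
    u64 b = blind(m, r, &k), sb = registrar_sign(b, &k), s = unblind(sb, r, &k);
    struct tally t = {0};
    int by_buyer = cast_ballot(&t, m, s, &k);   /* voter sold (m, s); buyer spends it */
    int by_voter = cast_ballot(&t, m, s, &k);   /* the seller's own try is refused */
    printf("registrar logged %llu, tally saw %llu, verify=%d\n",
           (unsigned long long)b, (unsigned long long)m, verify(m, s, &k));
    printf("buyer's cast=%d seller's cast=%d votes[2]=%d\n", by_buyer, by_voter, t.votes[2]);
    return 0;
}
```

The registrar's log pairs a voter with the blinded value b; the tally sees only (m, s), which cannot be matched back to b, and cast_ballot never asks who is holding the pair. That is the paradox in the post: the unlinkability that keeps the ballot secret is the same property that stops the authority from telling whether the person spending the token is the person it was issued to, which is why the only countermeasure left is observing the voter at the moment of voting.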
Re: People getting high == threat to homeland security
On Tue, Dec 02, 2003 at 12:23:29PM -0500, Declan McCullagh wrote: Query: What, nowadays, is *not* a threat to homeland security? Anything that advances the cause of repealing the Constitution. -- Roy M. Silvernail is [EMAIL PROTECTED], and you're not http://www.rant-central.com is the new scytale Never Forget: It's Only 1's and 0's! SpamAssassin-procmail-/dev/null-bliss
Silly Linux Kernel Bug
As reported today on Slashdot, in linux kernels prior to 2.4.23, it is possible to map the kernel into user space with brk(), since apparently no one ever bothered to check that the argument passed was in the lower 3 gig of the address space. This is almost as funny as early linux kernels in which the LDT was user writable. In any case, the patch is to stick the following check in do_brk() in /mm/mmap.c:

    if ((addr + len) > TASK_SIZE || (addr + len) < addr)
        return -EINVAL;

This is of course a serious bug, since anyone on a vulnerable machine has access to kernel memory by writing a terse no-brainer C program, of which I will not give an example, because enough people on the Internet hate me already. :) An interesting occurrence, because it demonstrates that massive numbers of open source participants auditing the code aren't sufficient to ferret out every giant coding blunder. -- Eric Michael Cordian 0+ O:.T:.O:. Mathematical Munitions Division Do What Thou Wilt Shall Be The Whole Of The Law
Re: Silly Linux Kernel Bug
On Tue, Dec 02, 2003 at 01:09:31AM -0800, Eric Cordian wrote: An interesting occurrence, because it demonstrates that massive numbers of open source participants auditing the code aren't sufficient to ferret out every giant coding blunder. I don't know that I'd call it auditing exactly; to my knowledge, no audit as such has been undertaken with the kernel. That said, evidently, a pair of the many eyes did ferret this one out, about 9 weeks ago: http://linux.bkbits.net:8080/linux-2.4/diffs/mm/[EMAIL PROTECTED]@1.1148.2.2 Unfortunately, he did not see it as critical enough to throw out security alerts and make a new release right then, so anyone with untrusted local users was completely unprotected. Including Debian, apparently. Regards, petard
Re: Silly Linux Kernel Bug
At 1:09 AM -0800 12/2/03, Eric Cordian wrote: As reported today on Slashdot, in linux kernels prior to 2.4.23, it is possible to map the kernel into user space with brk(), since apparently no one ever bothered to check that the argument passed was in the lower 3 gig of the address space. Rule 1: When you audit code for security, be sure there is a complete check of all input parameters. Make at least one pass through the code where this is the only check you make. As can be seen by multiple problems of this type, it's easy to forget. Cheers - Bill

Bill Frantz        | There's nothing so clear as a  | Periwinkle
(408)356-8506      | vague idea you haven't written | 16345 Englewood Ave
www.pwpconsult.com | down yet. -- Dean Tribble      | Los Gatos, CA 95032
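The check Eric quotes and Bill's rule about validating every input parameter, as an added example that is not code from the thread or from the kernel: it models the do_brk() range test on the 32-bit x86 layout the thread describes. Assumed for illustration: TASK_SIZE = 0xC0000000 (the 3 GiB user / 1 GiB kernel split), uint32_t standing in for the i386 unsigned long, a handful of constructed requests, and the function names. The point it makes that the quoted one-liner does not spell out is why the second clause exists: with unsigned 32-bit arithmetic a large len wraps addr + len to a small value below addr, so a check against TASK_SIZE alone would pass a region that runs from addr up through the top of the address space.

```c
/* Added example (not from the thread or the kernel): the do_brk() range
 * check quoted above, modelled on a 32-bit x86 address space.
 * Assumptions: TASK_SIZE = 0xC0000000 (3 GiB user / 1 GiB kernel split),
 * uint32_t in place of the i386 unsigned long, illustrative names. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define TASK_SIZE 0xC0000000u  /* first address that belongs to the kernel */

/* Pre-2.4.23 behaviour: the end of the new region is just addr + len,
 * and in 32-bit unsigned arithmetic that wraps silently. */
static uint32_t brk_end_unchecked(uint32_t addr, uint32_t len)
{
    return addr + len;
}

/* The 2.4.23 check: reject an end inside kernel space, and reject an
 * addr + len that wrapped (end < addr). Returns 0 or -EINVAL. */
static int brk_range_check(uint32_t addr, uint32_t len)
{
    uint32_t end = addr + len;
    if (end > TASK_SIZE || end < addr)
        return -EINVAL;
    return 0;
}

/* The same check with only the TASK_SIZE clause, kept here to show what
 * the wraparound clause buys; not something to use. */
static int brk_range_check_bound_only(uint32_t addr, uint32_t len)
{
    uint32_t end = addr + len;
    if (end > TASK_SIZE)
        return -EINVAL;
    return 0;
}

/* Does [addr, addr + len) reach kernel addresses? A wrapped end counts,
 * because the region would run up through 0xFFFFFFFF before wrapping. */
static int touches_kernel(uint32_t addr, uint32_t len)
{
    uint32_t end = brk_end_unchecked(addr, len);
    return end > TASK_SIZE || end < addr;
}

int main(void)
{
    /* Constructed requests: ordinary heap growth, one crossing the
     * 3 GiB boundary, and one whose end wraps past 4 GiB. */
    static const struct { uint32_t addr, len; const char *what; } req[] = {
        { 0x08050000u, 0x00100000u, "ordinary heap growth" },
        { 0xBFF00000u, 0x00200000u, "crosses TASK_SIZE" },
        { 0xFFFFF000u, 0x00002000u, "wraps past 4 GiB" },
    };
    for (size_t i = 0; i < sizeof req / sizeof req[0]; i++) {
        printf("%-22s addr=%08x len=%08x end=%08x kernel=%d fixed=%d bound-only=%d\n",
               req[i].what, (unsigned)req[i].addr, (unsigned)req[i].len,
               (unsigned)brk_end_unchecked(req[i].addr, req[i].len),
               touches_kernel(req[i].addr, req[i].len),
               brk_range_check(req[i].addr, req[i].len),
               brk_range_check_bound_only(req[i].addr, req[i].len));
    }
    return 0;
}
```

Running it shows the third request ending at 0x00001000 after the wrap: brk_range_check_bound_only accepts it while brk_range_check refuses it. This is the kind of case Bill's "one pass looking only at parameter checks" is meant to catch: the bound is present, but the arithmetic that produces the bounded value has its own failure mode.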
Re: Silly Linux Kernel Bug
Eric Tully writes: I've heard that argument before (last time I heard it was a problem with a PGP implementation) and I never understand what people are trying to prove when they say it. Let me simplify. I found it startling that a Redmond-level bug was in a mature open-source project, the result of many years of hard work and evolution, deemed Ready for the Enterprise. This isn't a slap at Open Source. It's just mild bemusement. Are you saying that the Open Source model isn't as good as proprietary we'll-fix-it-if-we-feel-like-it models? Are you saying that Open Source isn't the promised land like you were... um, promised? Are you saying that Open Source model shouldn't be used for anything that concerns security? I honestly don't know what you're getting at. Well, let's see. I think Open Source is better than the Closed Source proprietary It's not a bug, it's a feature model. I've never been promised anything by Open Source, so it's certainly not the second thing.. While I wouldn't say Open Source should not be used for secure code, there seems to be a bit of overconfidence in this area, particularly in the lack of realization that Open Source clones of rock solid pieces of software like PGP and SSH are probably exploitable and buggy when they are first released. But all in all, I think Open Source is an excellent idea, as long as one does not have unrealistic expectations. I wouldn't use Open Source to run an artificial heart, but for most of the things it is used for, it is probably quite satisfactory. So Open Source is not a perfect solution. In its defense: - you had the opportunity to hire a team of 50 to examine the code - the solution was made known to you - you can reject this solution and write your own if you prefer none of which would have been true if this were proprietary code. Quite true. 
There are so many good things about this model - it seems silly to argue that Open Source doesn't live up to the unrealistic hype that the guys on Slashdot promised you. I have not been promised anything by the guys on Slashdot. I simply found the error amusing. Let's not get our blood pressure in an uproar simply because virtually every Linux system in the world was just discovered to have a user readable/writable kernel. It will be fixed, and life will move on. This is a dumb coding error. Not a referendum in the eyes of God on the worthiness of the Open Source movement. Chill. -- Eric Michael Cordian 0+ O:.T:.O:. Mathematical Munitions Division Do What Thou Wilt Shall Be The Whole Of The Law
Japan police arrest two Winny/Freenet users
http://asia.cnet.com/newstech/security/printfriendly.htm?AT=39159923-39001150t-3905c Japan police arrest two P2P users By Staff, CNETAsia 3/12/2003 URL: http://asia.cnet.com/newstech/security/0,39001150,39159923,00.htm A Japanese peer-to-peer (P2P) file-sharing network which claimed to keep user identities untraceable has failed to work--two users in Japan have been arrested. The developer of the P2P software has also had his home searched by police, according to a report in the Mainichi Daily. There are around a quarter of a million users of the supposedly anonymous file-trading network, called Winny, which rides on the more well-known Freenet network. Such networks differ from other file trading software such as Kazaa in that they claim to be able to hide the Internet Protocol (IP) addresses of users. It is not known how the police managed to track down the two users, or why criminal action is being taken against them. In other countries, P2P users have been hit with civil lawsuits instead. The creator of Freenet, Ian Clarke, has cast doubt on whether Winny uses Freenet's full identity-cloaking features or its cryptography, according to a report in New Scientist. Freenet is an open-source project and is most prominent of a growing number of projects aimed at giving people the ability to communicate online without being tapped, traced or monitored. The software marks an attempt to create a network that exists as a parallel Internet, where content of any kind can be uploaded and downloaded without any way to track who created a given site. Unlike other peer systems, Freenet has a built-in method of pushing content between different computers, so that a given file can migrate around the network between different people's hard drives until it is stored near regions where it is most often used. The arrested are two men, aged 41 and 19, said the Mainichi Daily report. 
Among other charges, the older man is accused of sharing the Hollywood movie A Beautiful Mind while the teenager is being held for making the game Super Mario Advance available online. Several companies, including game maker Nintendo, are pressing charges against the pair. This is the first known case of legal action being taken on users on anonymous file-sharing networks. In Korea and Taiwan, lawsuits have been filed against users of P2P networks. A copyright body in Taiwan is suing three users of file sharing networks while in Korea, recording companies are threatening to do the same. In both countries, creators of file sharing software have been brought to court, but defendants are arguing they are not responsible for what people choose to share. Both cases involve homegrown P2P networks sharing local-language music. In Taiwan, the International Federation of the Phonographic Industry (IFPI) has sued three P2P users who are said to have shared files on the locally-popular Kuro and Ezpeer networks. Unlike internationally popular networks such as Kazaa, both Taiwanese services are fee-based. The Recording Industry Association of Korea (RIAK) is said to be mulling suing end users of free-use P2P software Soribada. Soribada's 4.5 million users have lost the recording industry millions in revenue, claimed the RIAK. The makers of the software have been slapped with a US$16,300 fine, despite claiming that they are not responsible for the actions of its users. In the U.S., the Recording Industry Association of America (RIAA) has targeted hundreds of P2P users for legal action. There is some evidence that the controversial RIAA lawsuits against ordinary computer users are making a dent in the file-swapping world. According to Web analysis firm Nielsen/NetRatings, weekly usage of the Kazaa software in the United States plummeted from a high of 7 million people in early June to just 3.2 million people in late October. -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: e voting (receipts, votebuying, brinworld)
On Tue, Dec 02, 2003 at 04:06:43PM +, ken wrote: Thomas Shaddack wrote: On Wed, 26 Nov 2003, Neil Johnson wrote: Democracy is two wolves and a lamb voting on what to have for lunch. Liberty is a well-armed lamb contesting the vote! -- Ben Franklin And if they are all armed ? They all starve. Lambs can eat grass, which is usually unarmed. It is not. Grass is stuffed full of all sorts of complicated chemicals that can cause confusion to creatures that chomp it. Not to mention nassty little silica crystals. Lambs can eat grass because they are toughened and honed grass-killers, fitted by millions of years of evolution to survive everything the grass can throw at them. And even then they only cope with some kinds of grass. When a cat eats grass it gets sick. Right, in fact if sheep (and sometimes cattle) eat Phalaris sp., for instance, they get the staggers, depending on the time of year and other environmental conditions, and also upon the alkaloid makeup of the particular cultivar. Phalaris, of course, contains fairly large amounts of tryptamines, like dimethyltryptamine (DMT), as do many other plants. And thank the Goddess for that -- but sheep don't like it. Or maybe they do, and just aren't saying.