Re: no anon conversations?
An Metet wrote:
> What technologies currently exist for receiving a/pseudonymous messages? With Mixmaster, sending mail, posting news, and even blog posting are possible. However, receiving replies securely or, better, holding a private conversation is difficult or impossible. Best bet seems to be to encrypt and spam somewhere very public? Ugly, ugly. No technological method, just a few "trust me" remailers. Other options?

Nyms or alt.anonymous.messages are both contenders. Speaking of the former, what nymservers are recommended these days?
no anon conversations?
What technologies currently exist for receiving a/pseudonymous messages? With Mixmaster, sending mail, posting news, and even blog posting are possible. However, receiving replies securely or, better, holding a private conversation is difficult or impossible. Best bet seems to be to encrypt and spam somewhere very public? Ugly, ugly. No technological method, just a few "trust me" remailers. Other options?
Re: no anon conversations?
On Fri, 2004-04-30 at 14:12, An Metet wrote:
> What technologies currently exist for receiving a/pseudonymous messages? With Mixmaster, sending mail, posting news, and even blog posting are possible. However, receiving replies securely or, better, holding a private conversation is difficult or impossible. Best bet seems to be to encrypt and spam somewhere very public? Ugly, ugly. No technological method, just a few "trust me" remailers. Other options?

Also, the Mixminion Type-III anonymous remailer, which is currently in development (www.mixminion.net), supports secure replies to anonymous messages. This technology is, however, still very much in alpha phases. Usable, but not secure. Worth looking at and following, but not useful for anonymity right now.

Joss
Re: no anon conversations?
On Fri, 2004-04-30 at 14:12, An Metet wrote:
> What technologies currently exist for receiving a/pseudonymous messages? With Mixmaster, sending mail, posting news, and even blog posting are possible. However, receiving replies securely or, better, holding a private conversation is difficult or impossible. Best bet seems to be to encrypt and spam somewhere very public? Ugly, ugly. No technological method, just a few "trust me" remailers. Other options?

A simple option is to use a free webmail account and access it via an anonymizing proxy. You can send mail that way too. The great advantage of this is that it does not brand you as an anonymous mail user and thereby call attention to your activities. You look like just another of the millions of people who use such services.

For anonymizing proxies, do a Google search on "anonymous web surfing". There are many more companies than anonymizer.com, although it is the oldest and probably the best. You can also begin experimenting with the onion routing network at http://www.freehaven.net/tor. This is like a free version of the old ZKS Freedom network, where you construct a path through a number of forwarding nodes. You could also combine these and use Tor to access anonymizer.com and go from there to hotmail.com, etc.

There's a new proposal out called the Pynchon Gate from Len Sassaman and Bram Cohen, http://www.freehaven.net/doc/pynchon-gate/. Sassaman is one of the main Mixmaster/Mixminion developers, and Cohen of course has revolutionized the P2P file sharing scene this past year with his BitTorrent. These guys have a pretty good pedigree for getting stuff done, and they claim to be in the process of implementing this new system.

The Pynchon Gate will use a crypto protocol called Private Information Retrieval to let people receive messages anonymously. The way PIR works, all the incoming messages for all users are stored in a big database which is replicated at several servers. Recipients connect to each server and download a packet of data, which is combined at the local machine to reconstruct one incoming message. However, the algorithm is such that each individual server learns nothing about which message is being fetched, protecting the receiver's anonymity.

Here's a simple example of how it would work. The method relies on two properties of XOR: XORing a value with itself yields zero, and the result of XORing a random value with a predetermined pattern is still a random value.

Suppose there are only two database servers, each holding 8 messages, where the messages are all split or padded to be a standard size:

  M1 M2 M3 M4 M5 M6 M7 M8

Suppose you want to fetch M4. Now you create a random 8-bit binary string:

  1 0 1 0 0 0 0 1

Make a copy of that string and XOR in the bit position of the message we want, in this case the 4th bit:

  1 0 1 1 0 0 0 1

Note that because of the 2nd property of XOR listed above, both bit strings are individually indistinguishable from random, and neither by itself gives any information about which bit was XOR'd. Send the first bit string to the first server and the 2nd bit string to the 2nd server. Each server XORs the messages corresponding to the 1 bits and returns the result, which will be the size of a single standard message:

  Server 1: M1 xor M3 xor M8
  Server 2: M1 xor M3 xor M4 xor M8

The recipient XORs these two messages together:

  (M1 xor M3 xor M8) xor (M1 xor M3 xor M4 xor M8)
  = (M1 xor M1) xor (M3 xor M3) xor (M8 xor M8) xor M4
  = M4

The result is the required message. Individually, each server saw a random bit string, and neither one by itself had any indication about which message was being fetched, hence the recipient's anonymity was protected. The same method can be generalized to larger numbers of servers, and that is the intention with the Pynchon Gate system.

The privacy threat with this approach is that if the servers combine their information, they can deduce which message the recipient was fetching, by XORing all their bit strings together. However, as long as even one server is honest and refuses to go along with this, the other servers can learn nothing about which message was being fetched. This security guarantee is similar to that of a remailer chain, where if they all colluded they could track user messages, but if at least one is honest then privacy is protected. Hence it is a good match for users who rely on remailers.

It's not yet clear that this method can be really practical, can scale to a reasonable number of users, resist flooding, and avoid leaking information in terms of how many requests a given user makes in a given period of time. These are serious practical issues that need to be solved. But they do have one really good idea, which is that the user-end software will be an agent that executes this protocol on a regular basis to fetch messages, then makes them available to the mail client by acting as a local POP server.
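The XOR protocol sketched in the post above, written out as an added example (this is not code from the post, nor from the Pynchon Gate project). It generalises the two-server walkthrough to any number of replicas: the client draws all but one query vector at random and derives the last so that the XOR of all of them is the unit vector for the wanted message, each replica XORs the selected blocks, and the client XORs the answers. The fixed block size, the sample inbox M1..M8 and the function names are all assumptions made for the example; colluding_index() shows what a full collusion of the servers recovers.

```python
"""Toy XOR-based multi-server PIR as sketched in the post above.

Added example, not Pynchon Gate code. Assumes every replica holds the same
list of fixed-size message blocks; the sample messages below are constructed.
"""
import secrets

BLOCK_SIZE = 16  # assumed fixed message size; real systems split/pad to it


def pad_messages(messages, size=BLOCK_SIZE):
    """Pad each message to `size` bytes so the XOR sums line up."""
    out = []
    for m in messages:
        if len(m) > size:
            raise ValueError("message longer than the block size; split it first")
        out.append(m + b"\x00" * (size - len(m)))
    return out


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def make_queries(n_messages, index, n_servers, rng=None):
    """One bit-vector per server.

    All but the last are uniformly random; the last is the XOR of the others
    with the target bit flipped, so the XOR of all n_servers vectors is the
    unit vector at `index`. Any n_servers-1 of them together are still random.
    """
    rng = rng or secrets.SystemRandom()
    queries = [[rng.getrandbits(1) for _ in range(n_messages)]
               for _ in range(n_servers - 1)]
    last = [0] * n_messages
    for q in queries:
        last = [a ^ b for a, b in zip(last, q)]
    last[index] ^= 1
    queries.append(last)
    return queries


def server_answer(database, query):
    """Server side: XOR every message whose query bit is 1. The answer is one
    block long no matter how many bits are set, so its size leaks nothing."""
    acc = bytes(len(database[0]))
    for msg, bit in zip(database, query):
        if bit:
            acc = xor_bytes(acc, msg)
    return acc


def reconstruct(answers):
    """Client side: XOR the answers. Every message selected an even number of
    times cancels; only the target, selected an odd number of times, survives."""
    acc = bytes(len(answers[0]))
    for a in answers:
        acc = xor_bytes(acc, a)
    return acc


def fetch(database, index, n_servers, rng=None):
    """Run the protocol against n_servers identical replicas of `database`."""
    queries = make_queries(len(database), index, n_servers, rng)
    # Each replica sees only its own query vector.
    answers = [server_answer(database, q) for q in queries]
    return reconstruct(answers)


def colluding_index(queries):
    """What a full collusion learns: the XOR of all query vectors is the unit
    vector at the fetched index. Returns None when the pooled vectors do not
    single out one bit; a proper subset of the vectors is uniformly random,
    so pooling it gives the colluders nothing better than a guess."""
    combined = [0] * len(queries[0])
    for q in queries:
        combined = [a ^ b for a, b in zip(combined, q)]
    ones = [i for i, b in enumerate(combined) if b]
    return ones[0] if len(ones) == 1 else None


# Constructed sample inbox: the post's M1..M8, padded to BLOCK_SIZE.
DEMO_DB = pad_messages([b"M%d: message %d" % (i, i) for i in range(1, 9)])


def demo_from_post():
    """Replay the post's worked example: fixed vectors for M4 with two servers."""
    q1 = [1, 0, 1, 0, 0, 0, 0, 1]   # M1, M3, M8
    q2 = [1, 0, 1, 1, 0, 0, 0, 1]   # same, with the M4 bit flipped
    answers = [server_answer(DEMO_DB, q1), server_answer(DEMO_DB, q2)]
    return reconstruct(answers) == DEMO_DB[3]


if __name__ == "__main__":
    assert demo_from_post()
    print(fetch(DEMO_DB, 3, 2))                    # M4 again, random vectors
    print(fetch(DEMO_DB, 5, 4))                    # M6 from four replicas
    print(colluding_index(make_queries(8, 5, 4)))  # 5: all four pooled queries
```

Note what the example does not address, matching the post's caveats: the query vector is as long as the inbox, every answer costs the server a pass over the whole database, and the number and timing of fetches a client makes are visible to each server even though the content of the query is not.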
Credentica (Re: Is there a Brands certificate reference implementation?)
Hello Steve,

> From: Steve Furlong [EMAIL PROTECTED]
> To: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Fwd: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Date: 25 Apr 2004 12:14:30 -0400
>
> Does anyone know of a reference implementation for Stefan Brands's digital certificate scheme? Alternatively, does anyone have an email address for Brands so I can ask him myself? (I haven't gotten anything back from ZKS's "contact us" address. But I don't know if Brands is still at ZKS.)

I am one of the lead developers of Credentica, which is Stefan Brands' latest venture after his amicable departure from ZKS quite some time ago. We are exclusively focused on the development of identity and access management technology based on Stefan's Digital Credential work.

Following our closing of investment from Nokia earlier this year, we started with the design and implementation of a Software Development Toolkit for Digital Credentials. We are exploring the idea of releasing parts of it under an open-source license, and intend to post updates here from time to time on our progress. More information will be available on our upcoming Web site, which should be up soon.

Meanwhile, if you are interested in getting a glimpse of what we are doing, check out Stefan's keynote materials at a recent NIST PKI workshop, which you can find here: http://middleware.internet2.edu/pki04/proceedings/

Kind regards,

Christian Paquin
Cryptographic Developer
Credentica
Fwd: [ISN] Mobile flaws expose executives to bugging
*Took* 'em long enough...

Cheers,
RAH

--- begin forwarded text

Date: Fri, 30 Apr 2004 02:30:16 -0500 (CDT)
From: InfoSec News [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [ISN] Mobile flaws expose executives to bugging
Reply-To: [EMAIL PROTECTED]
List-Id: InfoSec News isn.attrition.org
List-Unsubscribe: http://www.attrition.org/mailman/listinfo/isn, mailto:[EMAIL PROTECTED]
List-Archive: http://www.attrition.org/pipermail/isn
List-Post: mailto:[EMAIL PROTECTED]
List-Help: mailto:[EMAIL PROTECTED]
List-Subscribe: http://www.attrition.org/mailman/listinfo/isn, mailto:[EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

http://business.timesonline.co.uk/article/0,,8209-1092789,00.html

By Steve Boggan
April 30, 2004

EXECUTIVES at some of Britain's biggest companies are using mobile phones that can be secretly tracked and bugged, despite a series of Times investigations demonstrating gaping holes in handset security.

During tests at the offices of Shell, BP, HSBC and Goldman Sachs, The Times identified 95 phones potentially vulnerable to a new form of hacking known as "bluesnarfing". Under the process, which threatens mobile phones that use Bluetooth wireless technology, hackers can download text messages, phone lists and even remotely tamper with handsets to enable them to be used as listening devices.

Last week The Times identified 46 phones that could have been vulnerable to attack during a 12-minute test in the central lobby of the Palace of Westminster. During our latest experiment, we had the ability to access the phone of a Shell employee supplying aviation fuel to aircraft companies and bug the handsets of chauffeurs driving executives.

At the offices of Shell, a passive scan showed that 19 phones would have accepted an unauthorised Bluetooth connection. None was made, to avoid infringement of the Computer Misuse Act. Of these, 13 were Nokias and five were Ericssons. The Nokia 6310 and 6310i, the most popular business phones in the UK, and the Ericsson T610, one of the best-selling picture phones, have proved to be the most insecure.

Outside, a group of chauffeurs were waiting in seven identical and consecutively-numbered Volvos. An attack on any of their phones would have allowed us to set up a divert to a handset of our choice. We could then have instructed their phones to call us secretly, leaving a channel open through which we could have heard executives' conversations in the cars.

At BP's office in St James's Square, Westminster, we identified 24 potentially vulnerable phones, while at Goldman Sachs in Fleet Street the figure was 35 phones. We scanned in a smoking area outside the offices of HSBC in Canary Wharf during a ten-minute period. Seventeen potentially vulnerable phones were identified.

The latest cause for concern involving the Nokia 6310s and Sony Ericsson T610s involves secret tracking. Commercial companies offer phone tracking services to businesses and individuals who want to locate sales forces quickly. An SMS message is sent to the relevant mobile phone with an activation code. Once activated, the phone's location is shown on an internet website map. Bluesnarfing allows the activation code to be diverted to an attacker, so that an account is set up without the handset owner's knowledge. He or she could then be tracked, without their knowledge, 24 hours a day.

Nokia admits there are problems with its 6310s and 8910s but says it is working on a solution that will be available to users from this summer. Sony Ericsson says it has cured the text message and divert problems in new phones but phone lists, calendars and pictures can still be accessed. It promises a cure for that problem in the second half of the year.

Shell and BP said they never commented on security; Goldman Sachs was aware of the problem and had issued advice to staff; and HSBC said its technical staff were looking into the problem.

ISN mailing list
Sponsored by: OSVDB.org

--- end forwarded text

-- 
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: Lowering the Bar for Threats
An Metet writes:

> Eric Cordian quotes:
>
>> FBI Shill: Are we gonna exterminate the rat?
>> Hale: I'm going to fight within the law and, but, ... if you wish to, ah, do anything, yourself, you can.
>
> You're such a liar. I don't know why I even bother to respond to you. You left off the next few lines:
>
> "So that makes it clear," Hale added.
> "Consider it done," Evola said.
> "Good," Hale replied.
>
> And now you know... the rest of the story.

So the story is that the FBI Shill solicited murder, and Hale made the mistake of saying the equivalent of "um hmmm". I'm so unimpressed.

> I encourage anyone interested in the case to read the details online. By most accounts, jurors did a good job of seeing through Hale's obfuscations and careful attempts at plausible deniability.

Hale didn't initiate anything. It seems to me that one shouldn't be able to get convicted in a free country when someone working for the government comes to you with plans for a crime, just because you didn't denounce them loudly enough while being recorded.

To quote a favorite poster of mine in alt.abuse.recovery...

``Failure to Condemn'' is an age-old tactic--a dirty trick, actually--used to smear somebody by association when you can't actually get anything concrete on him. I know this one backwards and forwards; it's been used on me dozens of times.

The Sheeple have been well-trained to use the legal process to screw anyone with racist views. Juries in such trials have admitted afterwards that they were proud of imprisoning people because of their racist views, and awarding their property to do-gooders on flimsy evidence.

> Free speech is one thing. Soliciting murder is something else.

Yes. FBI Shills should stop doing that.

> But let's say you're right and the government cracks down on criticism. Which is easier, to get government to change, or to ignore the restrictions and continue to publish critical essays, protected by cryptographic anonymity?

Wars are won by superior weaponry, not by superior essays. What are you going to do, throw your pen at them, stamp your feet, and threaten to hold your breath until you turn blue?

As I've said many times, "What the world needs is a fifty dollar weapon that sinks aircraft carriers."

AmeriKKKa is founded on the principle that they are most easily governed who believe that they govern themselves. People need to learn that a voting choice between evil and slightly less evil does not a democracy make.

I look forward to proclaiming after the upcoming presidential election that "There are no civilians in AmeriKKKa."

-- 
Eric Michael Cordian 0+
O:.T:.O:. Mathematical Munitions Division
"Do What Thou Wilt Shall Be The Whole Of The Law"