Re: Trojan-modified Sendmail floating around - 8.12.6 - Since Sept. 28th or earlier.

2002-10-10 Thread Eric Murray

On Wed, Oct 09, 2002 at 11:01:21PM +0100, Ben Laurie wrote:
 Bill Stewart wrote:
  Somebody backdoored the source code for Sendmail on the official server.
  So if you recompile from scratch, your sendmail is 0wned.
  Another reason not to run mail systems as root
 
 In this case, as I understand it, it bites when you compile. 

Running 'configure' has always made me nervous.
It's a little difficult to read for exploit code.

 So, it's 
 another reason not to build them as root.

But "you're _supposed to_ run rpm -b as root!" -- someone
who should know better since I'd just spent an hour
explaining what to look for to see if his install
of sendmail had gotten him 0wned.

Sigh.


Eric
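The two precautions this thread keeps coming back to (check that the source you are about to build is the source the project published, and never run the build step itself as root) can be enforced before `./configure` ever runs. The following is an added example, not code from the thread or from the Sendmail project: a preflight check that compares the tarball's SHA-256 against a digest obtained out-of-band and refuses to proceed under uid 0. The tarball name, its contents and the expected digest in `demo()` are constructed for the example; the real published digest for any release has to come from the project's own signed announcement.

```python
import hashlib
import hmac
import os
import subprocess
import sys
import tempfile


def sha256_of_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so a large tarball is not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_matches(path: str, expected_hex: str) -> bool:
    """True only when the file's digest equals the digest the project published."""
    return hmac.compare_digest(sha256_of_file(path).lower(), expected_hex.lower())


def may_build_as(uid: int) -> bool:
    """configure/make run code from the tarball; refuse to do that with uid 0."""
    return uid != 0


def build_preflight(path: str, expected_hex: str, uid: int) -> list:
    """Return the reasons the build must not proceed; an empty list means go ahead."""
    problems = []
    if not may_build_as(uid):
        problems.append("refusing to build as root; build unprivileged, then install")
    if not os.path.isfile(path):
        problems.append(f"{path}: no such file")
    elif not digest_matches(path, expected_hex):
        problems.append(f"{path}: SHA-256 does not match the published digest")
    return problems


def run_build(path: str, expected_hex: str,
              build_cmd=("sh", "-c", "./configure && make")) -> bool:
    """Run the build only if every preflight check passes."""
    problems = build_preflight(path, expected_hex, os.geteuid())
    if problems:
        for p in problems:
            print("preflight:", p, file=sys.stderr)
        return False
    subprocess.run(build_cmd, check=True)
    return True


def demo() -> dict:
    """Exercise the preflight over a constructed tarball in a temp dir and return
    each verdict (hypothetical file and contents, not the real sendmail archive)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sendmail-8.12.6.tar.gz")  # constructed placeholder
        with open(path, "wb") as f:
            f.write(b"constructed tarball contents\n")
        published = sha256_of_file(path)  # stands in for the out-of-band digest
        return {
            "ok": build_preflight(path, published, uid=1000),
            "as_root": build_preflight(path, published, uid=0),
            "tampered": build_preflight(path, "0" * 64, uid=1000),
            "missing": build_preflight(path + ".missing", published, uid=1000),
        }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'build allowed' if not verdict else verdict}")
```

A digest check only proves the tarball matches what was published; if the distribution server was the thing compromised, the published digest on the same server may have been replaced as well, which is why the digest (or better, a detached signature) must come from a separate channel.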




Re: Echelon-like...

2002-10-10 Thread David Howe

 I assume everyone knows the little arrangement that Lotus
 reached with the NSA over its encrypted secure email?
 I'm new here, so do tell if I am wrong. Are you referring to the two
 levels of Encryption available in Bogus Notes?
More or less, yes. Lotus knew nobody would buy a 40 bit version of their
crypto, so there is a two-level encryption all right, but not along
those lines - in the export version, some of the session key is
encrypted using a PKI work reduction factor key in the message header;
this section of header is important, as Lotus gateways won't accept
messages that have had it disturbed. By decoding this block, the NSA
have the actual keysize they need to block reduced to the legal export
level of 40 bits; one government found this out *after* rolling it out
to all their billing and contract negotiation departments... Belgium or
Sweden, by memory. Lotus thought it would be OK if only the NSA (and
other US government orgs) could break the key, rather than letting
everyone have an equal chance (and indeed, letting their customers know
their crypto was still only 40 bit vs USA intel agencies).
Still, even the domestic version was only 64 bits, which is painfully
small even by the standards of the day. Certainly, even strong Lotus
could have been crackable by the NSA, who after all own their own fab
plant to make custom VLSI cracking chips.
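The arithmetic behind the post is easy to state (64 bits minus 24 escrowed bits leaves 40 to search) but the effect on an attacker is clearer when the search is actually run. The following is an added example, not code from the thread and not Lotus's design: a scaled-down model in which a 20-bit session key has its top 12 bits placed in a "work factor reduction" header field, so a full search still finishes in seconds. Two assumptions are made for brevity: the ciphertext is modelled as a hash commitment that candidate keys can be tested against, and the header field is shown as the escrow-key holder sees it after decryption (in the product the post describes, that field was encrypted to a government public key; nobody without that key learns anything from it). `work_factor` gives the same calculation for the real 64/24 figures.

```python
import hashlib

# Scaled-down parameters (the post's real figures are KEY_BITS=64, ESCROW_BITS=24).
KEY_BITS = 20
ESCROW_BITS = 12


def work_factor(key_bits: int, escrow_bits: int, holds_escrow_key: bool) -> int:
    """Worst-case number of candidate keys a brute-force attacker must try."""
    searched_bits = key_bits - escrow_bits if holds_escrow_key else key_bits
    return 1 << searched_bits


def seal(key: int) -> bytes:
    """Stand-in for ciphertext under the session key (assumption: a hash of the
    key is enough for an attacker to recognise the right candidate)."""
    return hashlib.sha256(key.to_bytes(4, "big")).digest()


def build_message(session_key: int):
    """Return (ciphertext, workfactor_field). The field carries the top ESCROW_BITS
    of the key; it is left in the clear here to model the escrow holder's view."""
    if not 0 <= session_key < (1 << KEY_BITS):
        raise ValueError("session key out of range")
    field = session_key >> (KEY_BITS - ESCROW_BITS)
    return seal(session_key), field


def brute_force(ciphertext: bytes, escrowed_bits=None):
    """Recover the session key by trial and return (key, trials).
    With the escrow field known, only the residual low bits are searched."""
    if escrowed_bits is None:
        residual_bits, prefix = KEY_BITS, 0          # outsider: whole key space
    else:
        residual_bits = KEY_BITS - ESCROW_BITS       # escrow holder: the remainder
        prefix = escrowed_bits << residual_bits
    for trials, low in enumerate(range(1 << residual_bits), start=1):
        candidate = prefix | low
        if seal(candidate) == ciphertext:
            return candidate, trials
    return None, 1 << residual_bits


if __name__ == "__main__":
    key = 0xABCDE                      # constructed 20-bit session key
    ciphertext, field = build_message(key)
    print("outsider:      ", brute_force(ciphertext))
    print("escrow holder: ", brute_force(ciphertext, field))
    print("real 64/24 bit work factors:",
          work_factor(64, 24, False), "vs", work_factor(64, 24, True))
```

The outsider finds the key after 703,711 trials (it sits at position 0xABCDE of a 2^20 space) while the holder of the escrow field needs 223; the ratio is 2^12, exactly the escrowed bits. The same ratio at the real parameters is 2^24, which is what turned a 64-bit product into a 40-bit one for a single privileged party.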




Re: Echelon-like...

2002-10-10 Thread Sunder

B

--Kaos-Keraunos-Kybernetos---
 + ^ + :NSA got $20Bil/year |Passwords are like underwear. You don't /|\
  \|/  :and didn't stop 9-11|share them, you don't hang them on your/\|/\
--*--:Instead of rewarding|monitor, or under your keyboard, you   \/|\/
  /|\  :their failures, we  |don't email them, or put them on a web  \|/
 + v + :should get refunds! |site, and you must change them very often.
[EMAIL PROTECTED] http://www.sunder.net 

On 10 Oct 2002, anonimo arancio wrote:

 This relates to an issue I've wanted to discuss with Cypherpunks for several years.
 Over the years, I've seen several commentators (including Timothy May) appear
 surprised when discussing the US's encryption export policies.
 The basic argument is that, if good encryption is available overseas or easily
 downloadable, it doesn't make sense to make export of it illegal.
 
 Is the above statement a) wrong, b) obvious, c) mentioned previously on the
 cypherpunks boards, or d) hey! We never thought of that?




Re: Echelon-like...

2002-10-10 Thread Tyler Durden

I assume everyone knows the little arrangement that lotus
reached with the NSA over its encrypted secure email?

I'm new here, so do tell if I am wrong. Are you referring to the two levels 
of Encryption available in Bogus Notes? (ie, the North American and the 
International, the International being legal for export.)
At one of my previous employers, we were told the (apocryphal?) story of 
some dude who got arrested on an airplane for having the more secure version 
of Notes on his laptop.



From: David Howe [EMAIL PROTECTED]
To: Email List: Cypherpunks [EMAIL PROTECTED]
Subject: Re: Echelon-like...
Date: Thu, 10 Oct 2002 18:38:36 +0100

On Wednesday, October 9, 2002, at 07:28  PM, anonimo arancio wrote:
  The basic argument is that, if good encryption is available overseas
  or easily downloadable, it doesn't make sense to make export of it
  illegal.
Nope. The biggest name in software right now is Microsoft, who wasn't
willing to face down the government on this. No export version of a
Microsoft product had decent crypto while the export regulations were in
force - and the situation is pretty poor even now. If Microsoft were
free to compete in this area (and Lotus, of Notes fame) then decent
security *built into* the operating system, the desktop document suite
or the email package - and life would get a lot, lot worse for the
spooks.  I assume everyone knows the little arrangement that Lotus
reached with the NSA over its encrypted secure email?








Re: Echelon-like...

2002-10-10 Thread David Howe

On Wednesday, October 9, 2002, at 07:28  PM, anonimo arancio wrote:
 The basic argument is that, if good encryption is available overseas
 or easily downloadable, it doesn't make sense to make export of it
 illegal.
Nope. The biggest name in software right now is Microsoft, who wasn't
willing to face down the government on this. No export version of a
Microsoft product had decent crypto while the export regulations were in
force - and the situation is pretty poor even now. If Microsoft were
free to compete in this area (and Lotus, of Notes fame) then decent
security *built into* the operating system, the desktop document suite
or the email package - and life would get a lot, lot worse for the
spooks.  I assume everyone knows the little arrangement that Lotus
reached with the NSA over its encrypted secure email?




Re: Echelon-like...

2002-10-10 Thread Eric Murray

On Thu, Oct 10, 2002 at 02:28:26AM -, anonimo arancio wrote:
[..]

 But I am wondering if Cypherpunks have mentioned the 'obvious'.
 
 The government knows exactly what it's doing. It wants to discourage the use of
 encryption by any means necessary, because of sheer numbers.
 Basically, the more messages that are encrypted, the more hardware (and therefore
 $$$) will be needed to decrypt them.
 Therefore, the only way they can stay ahead of the game is to keep the numbers as
 low as possible, so they can continue to outspend the problem.
 This is, from their perspective, a perfectly reasonable approach to decrypting large
 numbers of messages, a small fraction of which may contain interesting information.
 
 Is the above statement a) wrong, b) obvious, c) mentioned previously on the
 cypherpunks boards, or d) hey! We never thought of that?


B and C, extensively.

The US Government has pretty much given up on restricting crypto
exports.  There is just enough of a vestigial restriction there to
maintain the illusion that the government has a right to control crypto
exports.  If there was anything more, it would be challenged in court
and most likely get thrown out.  The government backed off on
previous challenges (Bernstein, Zimmerman) to avoid that.

Eric




Re: Echelon-like...

2002-10-10 Thread Major Variola (ret)

Not only is EM correct, but:
* many attacks are possible without worrying about keylength.  Got
Scarfo?
* NIST/NSA picked the lamest AES.  If I told you what lame meant, I'd
have to kill you.
* (Lack of) User motivation (related to man-machine issues) is still the
spooks' best friend.  As
well as legacy systems, and inadequately designed total systems.  Got
Redmond?

However, stego and decent opsec and cash and leo buffoonery still let
you coordinate the occasional urban skyline
reconstruction, poking holes in boats, etc.  Got Dead Drops?  Mr.
Hanssen?  Mr Ames?



At 08:09 AM 10/10/02 -0700, Eric Murray wrote:
On Thu, Oct 10, 2002 at 02:28:26AM -, anonimo arancio wrote:
 The government knows exactly what it's doing. It wants to discourage
 the use of encryption by any means necessary, because of sheer numbers.
 Basically, the more messages that are encrypted, the more hardware
 (and therefore $$$) will be needed to decrypt them.
 Therefore, the only way they can stay ahead of the game is to keep
 the numbers as low as possible, so they can continue to outspend the
 problem.
 This is, from their perspective, a perfectly reasonable approach to
 decrypting large numbers of messages, a small fraction of which may
 contain interesting information.
 
 Is the above statement a) wrong, b) obvious, c) mentioned previously
 on the cypherpunks boards, or d) hey! We never thought of that?


B and C, extensively.

The US Government has pretty much given up on restricting crypto
exports.  There is just enough of a vestigial restriction there to
maintain the illusion that the government has a right to control crypto
exports.  If there was anything more, it would be challenged in court
and most likely get thrown out.  The government backed off on
previous challenges (Bernstein, Zimmerman) to avoid that.

Eric




Re: Echelon-like...

2002-10-10 Thread Sarad AV

hi,

  The government knows exactly what it's doing. It
 wants to discourage the use of encryption by any
 means necessary, because of sheer numbers.

Doesn't govt intervention always increase the
numbers?

  Basically, the more messages that are encypted,
 the more hardware (and therefore $$$) will be needed
 to decrypt them.
  Therefore, the only way they can stay ahead of the
 game is to keep the numbers as low as possible, so
 they can continue to outspend the problem.

Why don't we have encrypted spams over the internet
rather than plain text spam? That's one way we can all
benefit from spam.

 


 The US Government has pretty much given up on
 restricting crypto
 exports. 

Why did that happen?


Regards Sarath.
