Re: [EMAIL PROTECTED]: [IP] more on U.S. passports to receive RFID implants start
Tyler Durden wrote:
> One thing to think about with respect to the RFID passports... Um, uh...surely once in a while the RFID tag is going to get corrupted or something...right? I'd bet it ends up happening all the time. In those cases they probably have to fall back upon the traditional passport usage and inspection. The only question is, what could (believably) damage the RFID? EMP?

Could be tuned, even, since the RFID is resonant at a known frequency. There's a standard for excitation field strength, so all one should need to do would be hit the chip with 50-100x the expected input. Unless the system is shunted with a zener or some such, you should be able to fry it pretty easily. Now put that chip-cooker in a trash can right by the main entrance to an airport and perform some public service.

-- 
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
It's just this little chromium switch, here. - TFT
Dspam-procmail-/dev/null-bliss
http://www.rant-central.com
Re: Surreptitious Tor Messages?
cyphrpunk wrote:
> On 10/3/05, Tyler Durden [EMAIL PROTECTED] wrote:
> > Can anyone suggest a tool for checking to see if my Tor client is performing any surreptitious signaling?
>
> The Tor protocol is complicated and most of the data is encrypted. You're not going to be able to see what's happening there.

<tinfoil_hat>
What about a trojan that phones home directly, then phones home when the Tor tunnel is set up, giving its owner a correlation between your True IP and Tor IP? Useful, in a black-hatted way?
</tinfoil_hat>
Re: [EMAIL PROTECTED]: Re: Wikipedia Tor]
Quoting Bill Stewart [EMAIL PROTECTED]:
> One way to build a pseudo-pseudonymous mechanism to hang off of Tor that would be easy for the Wikipedians to deal with would be to have a server that lets you connect to it using Tor, log in using some authentication protocol or other, then have it generate different outgoing addresses based on your ID. So user #37 gets to initiate connections from 10.0.0.37, user #258 gets to initiate connections from 10.0.1.2, etc.

The problem I see with this is that it continues to train Wikipedia to use IP addresses as credentials. That's a Bad Thing IMHO.
Re: [EMAIL PROTECTED]: Wikipedia Tor]
Quoting R.A. Hettinga [EMAIL PROTECTED]:
> At 8:43 AM -0700 9/27/05, James A. Donald wrote:
> > In the long run, reliable pseudonymity will prove more valuable than reliable anonymity.
>
> Amen. And, at the extreme end of the curve, perfect pseudonymity *is* perfect anonymity.
>
> Character. I wouldn't buy anything from a man with no character if he offered me all the bonds in Christendom. -- J. Pierpont Morgan, Testimony to Congress, 1913.
>
> Reputation is *everything* folks.

Damn good point. Now that I think of it, all the classic examples of anonymous publication were really pseudonymous. (Publius, et al)
Re: [EMAIL PROTECTED]: Re: Wikipedia Tor]
[yes, I know I'm preaching to the choir]

----- Forwarded message from Roger Dingledine [EMAIL PROTECTED] -----

> A potential for cooperation is the proposal below for authenticated access to Wikipedia through Tor. I will not speak to any particular design here, but if Wikipedia has a notion of clients trusted to post to Wikipedia, it should be possible to work with them to have an authentication server that controls access to Wikipedia through Tor.
>
> As I understand it, Jimmy is hoping that we will develop and maintain this notion. We would run both halves of the Tor network, and when they complain about a user, we would cut that user out of the authenticated side.

A non-good idea, as it goes against what Tor is all about. The problem to be overcome here really has nothing to do with Tor, as such.

> Wikipedia already needs this sort of thing because of AOL IPs -- they have similar characteristics to Tor, in that a single IP produces lots of behavior, some good some bad.

So Wikipedia understands that the transport layer isn't to blame, yet they persist in asking for changes in the Tor transport to address the problem of malicious users? *groan*

> (One might argue that it's hard for Wikipedia to change their perception and learn about any good Tor uses, firstly because good users will blend in and nobody will notice, and secondly because they've prevented them all from editing so there are no data points either way.)

That's not the perception they need to change. They need to realize that if an avenue for action without responsibility exists, someone will use it. Wikis get defaced all the time *without* AOL or Tor, because the philosophy allows anyone to edit. It is that philosophy that is in error, not the transport layers used by the vandals. Wiki, as someone mentioned to me in a private mail, is the SMTP of web publishing; it doesn't scale well in the presence of large concentrations of assholes.

> In summary, I'm not too unhappy with the status quo for now. Tor needs way more basic development / usability work still. In the absence of actual volunteers-who-code on the side of Tor _or_ Wikipedia to resolve the problem, I'm going to focus on continuing to make Tor better, so down the road maybe we'll be able to see better answers.

Roger gets it. The Wikipedians don't.
Re: [EMAIL PROTECTED]: Re: Hello directly from Jimbo at Wikipedia]
----- Forwarded message from cypherpunk [EMAIL PROTECTED] -----

> From: cypherpunk [EMAIL PROTECTED]
> Subject: Re: Hello directly from Jimbo at Wikipedia
>
> As an occasional Tor and Wikipedia user, let me add a couple of points. First, in case it is not obvious, the problem with the present system is that Tor users can no longer edit on Wikipedia. I have done so in the past, in what I like to think is a constructive manner, but cannot do so since this summer. I have valid although perhaps unpopular contributions to make, and not only is my freedom to express myself limited, the quality of the material on Wikipedia suffers due to the absence of my perspective. The status quo is not acceptable and we should work to find a solution.

Leaving aside the qualitative discussion, let's remember that the freedom to express oneself does not imply the obligation for any other party to listen.

> Looking at the proposals for authentication servers and such, I see a major issue which is not being addressed. That is, how does the web server distinguish authenticated Tor users from unauthenticated ones? If this is via a complicated protocol, there is no point as the servers won't use it.

The problem at hand does not require authenticated Tor users. It requires authenticated Wikipedia users.

> This does not necessarily mean building complex authentication protocols into the Tor network, and having two classes of traffic flowing around. It could be that this authenticated Tor is a separate network. It only lets users in who are authenticated, and owns a specific set of IP addresses which servers can whitelist. The regular Tor exit nodes can be blacklisted as they are now.

Tor is transport layer. Authentication for a specific service (such as Wikipedia) is the responsibility of that service and belongs in the session layer. An authenticated network and an anonymizing network are mutually exclusive.

> What does Wikipedia need? What is the minimum level of service they require? Presumably, it is similar to what they can get via ISPs, who also map many users to a fixed set of IP addresses. Wikipedia can complain to the ISP, and it will get back in some form to that user.

No, Wikipedia needs to realize that the IP address correlation they enjoy outside of Tor is a happy accident, and that they should stop treating IP addresses as user credentials. If they want credentials, they need to implement them.
Re: [EMAIL PROTECTED]: Re: [EMAIL PROTECTED]: Re: [EMAIL PROTECTED]: Re: Wikipedia Tor]]]
Quoting Alan Barrett [EMAIL PROTECTED]:
> ----- Forwarded message from Jimmy Wales [EMAIL PROTECTED] -----
> > We are not looking for a perfect solution. Yes, Wikis will be vandalized. We're prepared to deal with that, we do deal with that. But what I am seeking is some efforts to think usefully about how to helpfully reconcile our dual goals of openness and privacy.
>
> Wikipedia should allow Tor users to register Wikipedia nyms. Then they could block: Tor users trying to edit without a nym; Tor users trying to edit with a nym that has a bad reputation; and they could rate-limit Tor users trying to edit with a nym that has insufficient history to be classified as good or bad; while not blocking Tor users trying to edit with a nym that has a good reputation.

s/Tor/all/g

This is an excellent summation, except that there is no compelling reason to treat Tor-carried traffic differently than any other traffic. Credentialing and reputation tracking are good ideas, and should be applied universally.
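Barrett's four rules with the s/Tor/all/g applied, as an added worked example in Python (not code from the thread, from Wikipedia or from Tor). The thresholds, the sliding-window rate limit for unproven nyms and the decision strings are assumptions chosen for illustration; what the code demonstrates is that the decision depends only on the nym's reputation and edit history, and that the transport the request arrived over is deliberately never consulted.

```python
"""Edit-gating policy for the nym/reputation scheme discussed in the thread.

Added example, not code from the thread or from any project.  It applies the
four rules quoted above (no nym: block; bad nym: block; unproven nym:
rate-limit; good nym: allow) with the transport ignored on purpose.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional

# Hypothetical tuning knobs (assumptions, not values from the thread).
MIN_HISTORY = 10          # edits before a nym can be classified good or bad
BAD_SCORE = -3            # net score at or below this is a bad reputation
NEW_NYM_WINDOW_S = 3600   # rate-limit window (seconds) for unproven nyms
NEW_NYM_LIMIT = 3         # edits allowed per window for unproven nyms


@dataclass
class Nym:
    name: str
    score: int = 0                    # +1 per kept edit, -1 per reverted edit
    edits: int = 0                    # total history
    recent: Deque[float] = field(default_factory=deque)  # edit timestamps


class EditGate:
    def __init__(self) -> None:
        self.nyms: Dict[str, Nym] = {}

    def register(self, name: str) -> Nym:
        """Anyone may register a nym; registration alone earns no reputation."""
        return self.nyms.setdefault(name, Nym(name))

    def record_outcome(self, name: str, good: bool) -> None:
        """Feed reputation back: a kept edit scores +1, a reverted one -1."""
        nym = self.register(name)
        nym.edits += 1
        nym.score += 1 if good else -1

    def decide(self, nym_name: Optional[str], now: float,
               via_tor: bool = False) -> str:
        """Gate an edit request.  `via_tor` is accepted only to show that it
        is never consulted: the same rules apply to every transport."""
        if nym_name is None or nym_name not in self.nyms:
            return "block:no-nym"
        nym = self.nyms[nym_name]
        if nym.score <= BAD_SCORE:
            return "block:bad-reputation"
        if nym.edits < MIN_HISTORY:
            # Sliding-window rate limit for nyms with insufficient history.
            while nym.recent and now - nym.recent[0] >= NEW_NYM_WINDOW_S:
                nym.recent.popleft()
            if len(nym.recent) >= NEW_NYM_LIMIT:
                return "rate-limit"
            nym.recent.append(now)
            return "allow:unproven"
        return "allow:good"


def demo() -> List[str]:
    """Constructed scenario: a fresh nym, a vandal and a veteran."""
    gate = EditGate()
    gate.register("newbie")                          # no history yet
    for _ in range(12):
        gate.record_outcome("veteran", good=True)    # 12 kept edits
    for _ in range(4):
        gate.record_outcome("vandal", good=False)    # 4 reverts
    t = 1_000_000.0
    out = [gate.decide(None, t)]                             # anonymous
    out += [gate.decide("newbie", t + i, via_tor=True) for i in range(4)]
    out.append(gate.decide("newbie", t + NEW_NYM_WINDOW_S + 5))  # window reset
    out.append(gate.decide("vandal", t))
    out.append(gate.decide("veteran", t, via_tor=True))
    return out


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The fourth request from the unproven nym is rate-limited and the fifth, an hour later, is allowed again; the vandal is blocked and the veteran is allowed, and in every case the `via_tor` flag changes nothing, which is the whole of the s/Tor/all/g point.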
Re: [EMAIL PROTECTED]: Wikipedia Tor]
Quoting Eugen Leitl [EMAIL PROTECTED]:
> ----- Forwarded message from Arrakis Tor [EMAIL PROTECTED] -----
> > This is a conversation with Jimmy Wales regarding how we can get Wikipedia to let Tor get through.
> >
> > I completely fail to comprehend why Tor server operators consistently refuse to take responsibility for their crazed users.

On one hand, this shows a deep misunderstanding of Tor and its purposes. On the other, I remain disappointed in the number of vandals that take advantage of Tor and other anonymizing services. On the gripping hand, perhaps the Wiki philosophy is flawed.
Re: Gubmint Tests Passport RFID...
Quoting Tyler Durden [EMAIL PROTECTED]:
> And since one's passport essentially boils down to a chip, why not implant it under the skin?

You say that as though it hasn't been considered.

> As for the encryption issue, can someone explain to me why it even matters?

It doesn't, actually. There is no clear and compelling reason to make a passport remotely readable, considering that a Customs agent still has to visually review the document. And if the agent has to look at it, s/he can certainly run it through a contact-based reader in much the same way the current design's submerged magnetic strip is read.

> It would seem to me that any on-demand access to one's chip-stored info is only as secure as the encryption codes, which would have to be stored and which will eventually become public, no matter how much the government says, "Trust us...the access codes are secure."

http://wired-vig.wired.com/news/privacy/0,1848,67333,00.html?tw=wn_story_related

This story says the data will be encrypted, but the key will be printed on the passport itself in a machine-readable format. Once again, this requires manual handling of the passport, so there's *still* no advantage to RFID in the official use case.

> (ie, they want to be able to read your RFID without you having to perform any additional actions to release the information.)

Yup. Bruce Schneier nailed the real motivation almost a year ago:

http://www.schneier.com/blog/archives/2004/10/rfid_passports.html

Interestingly, even the on-document keying scheme doesn't address the fundamental problem. Nowhere is it said that the whole of the remotely readable data will be encrypted. If a GUID is left in the clear, the passport is readily usable as a taggant by anyone privy to the GUID-meatspace map. Without access to the map, the tag still identifies its carrier as a U.S. passport holder. Integrating this aspect into munitions is left as an exercise for the reader.

> The only way I see it making a difference is perhaps in the physical layer...encryption + shielding is probably a lot more secure than encryption without shielding, given an ID phisher wandering around an airport with a special purpose briefcase.

This isn't about phishing. That's just a bonus.
Re: Private Homes may be taken for public good
Quoting Tyler Durden [EMAIL PROTECTED]:
> How do you take out a bulldozer? (Remember, bulldozer operators can easily be replaced.)

RPG7 should do it. They're known to be able to take out a Bradley.
Re: Anonymous Site Registration
Justin wrote:
> On 2005-05-26T13:17:38-0400, Tyler Durden wrote:
> > OK, what's the best way to put up a website anonymously?
>
> Tor? It's not immune from traffic analysis, but it's nearly the best you can do to hide the server's location/isp from clients. i2p is another possibility. You can try, but good physical anonymity for commerce is difficult unless you construct a fake identity good enough that you can use it to open bank accounts... without leaving any compromising fingerprints that your bank can turn over to the authorities.

Assuming you want your own SLD name, yes. But if you can be satisfied with a third-level, there are a lot of domains at freedns.afraid.org that will let you tag on a subdomain with just a registration (and you can probably supply a @dodgeit.com address). Then just add a web forward pointing to the Tor gateway.
Re: WiFi Launcher?
Damian Gerow wrote:
> In theory, all you're doing is:
> - Finding an AP
> - Associating with the AP - this could mean just setting your SSID, it could mean cracking WEP keys, it could mean providing authentication...
> - Grabbing an address (DHCP)
>
> At this point, you're looking at around five seconds of work. Which, at the aforementioned 18kph, gives you another 15 seconds to send off any mail. If you run a local DNS server (faster), you'll save yourself a few seconds. The actual MTA transmission only takes a few seconds; that is, unless you're spamming, in which case it may take longer.

Why run a DNS server? Cache expiry would still require some lookups. Just pre-populate your hosts file before your transmission sortie.

I need to look into whether mixminion tolerates casual connections. ISTR incoming connections are checked against the local key cache, but I'm not sure if that includes the known address of the node.
Re: [IP] No expectation of privacy in public? In a pig's eye! (fwd from dave@farber.net)
Re: the embedded item:

> http://timesunion.com/AspStories/storyprint.asp?StoryID=322152
>
> Ruling gives cops leeway with GPS
> Decision allows use of vehicle tracking device without a warrant
> By BRENDAN LYONS, Staff writer
> First published: Tuesday, January 11, 2005
>
> In a decision that could dramatically affect criminal investigations nationwide, a federal judge has ruled police didn't need a warrant when they attached a satellite tracking device to the underbelly of a car being driven by a suspected Hells Angels operative.

Just out of curiosity, if the man doesn't need a warrant to place a surveillance device, shouldn't it be within your rights to tamper with, disable or remove such a device if you discover one? By extension, is there a business opportunity for bug-sweeping? Either a storefront or a properly equipped pickup truck with bright signage. (oh, yeah... I'm sure *that* would go over well with the Powers That Be)
Re: California Bans a Large-Caliber Gun, and the Battle Is On
Tyler Durden wrote:
> And come to think of it, Bowling for Columbine has the accidental effect of making it clear that Guns themselves are not the problem in the US.

What leads you to believe that was accidental?
Re: An interesting thread...Hacking Bluetooth
Tyler Durden wrote:
> There's some guy (German Guy) spouting some coherent-sounding conspiracy theories over here:
>
> http://www.godlikeproductions.com/bbs/message.php?page=23&topic=10&message=54181&mpage=1&showdate=12/18/04
>
> I wouldn't normally post something like this, but the guy's done a little bit of homework on a huge variety of topics, so it's really an excellent hoax, seen from a distance. Here's one thing giving me some doubts, though (but of course if this is true he may have just pulled it from Google somewhere):
>
> > Here's another myth: you cannot hack bluetooth from a distance of more than 40 metres. Not true. My technical partner Felix can crack it at over half a kilometre. Which is why he enjoys driving around so much in areas where we know British, American, Israeli or Russian ops are living or working. The great thing about many German cities is that most affordable residences are within metres of the street anyway.
>
> Any comments?

http://www.engadget.com/entry/3093445122266423/

I believe they went a bit over a kilometer at Defcon (against a knowing volunteer, so they say) from a hotel rooftop. The rest sounds perfectly plausible, as well. WEP is Swiss cheese, guys tell their girlfriends too much and girlfriends gossip amongst themselves. Nothing to see here. Move along.
Re: tangled context probe
R.W. (Bob) Erickson wrote:
> (curious thing about this spew, it keeps disappearing into the bit bucket,

Yawn. Roboposting this babble doesn't really increase its chances of getting read. I work through JY because I know there's uranium in that ore. But I'm about 2 posts away from ensconcing RWBE in my procmail file next to TM, choate and proffr.
Re: Timing Paranoia
Steve Thompson wrote:
> --- R.W. (Bob) Erickson [EMAIL PROTECTED] wrote:
> > Imagine a paranoia involving mysterious e-mail delays and the length of time it takes to categorize
>
> Imagine hordes of otherwise unemployable psychologists and cognitive psychologists deployed on mailing lists and Usenet, harassing the fuck out of `persons of interest'.

Imagine using observed timing to conclude that your agent provocateur operates from geostationary orbit.

R. W. may be annoying, but at least he's derivative.
Re: Declaration of Expulsion: A Modest Proposal
On Wed, 2004-11-03 at 23:30 -0500, R.A. Hettinga wrote:
> http://www.humaneventsonline.com/article.php?print=yes&id=5652
>
> HUMAN EVENTS ONLINE: The National Conservative Weekly Since 1944
>
> Declaration of Expulsion: A Modest Proposal
> It's Time to Reconfigure the United States

Chuckle-worthy, if not outright funny. Interestingly, I could see a liberal making exactly the same case, but without the ad hominem attacks.
Re: Declaration of Expulsion: A Modest Proposal
John Young wrote:
> A map of the expulsion civil war declaration:
>
> http://img.photobucket.com/albums/v331/ninjagurl/new_map.jpg

There seems to be an assumption that Alaska will be included in Jesusland. Whoever is advancing this theory clearly never lived in Alaska (or if they did, only lived in Anchorage, which isn't *really* Alaska).
Re: Why you keep losing to this idiot
On Wed, 2004-11-03 at 14:01 -0800, Eric Cordian wrote:
> I think this is the answer: Simplicity, simplicity, simplicity.

Isn't that what Democracy is all about? The 51% simpletons imposing their will on the 49% non-simpletons?

Proportional representation is our friend. Kornbluth was right.
Re: Financial identity is *dangerous*? (was re: Fake companies, real money)
Dave Howe wrote:
> Roy M. Silvernail wrote:
> > I'd thought it was so Microsoft could offer an emulation-based migration path to all the apps that would be broken by Longhorn. MS has since backed off on the new filesystem proposal that would have been the biggest source of breakage (if rumors of a single-rooted, more *nix-like filesystem turned out to be true).
>
> To be fair to MS, that is already here - you can mount NFS volumes as subfolders in 2K and above, just like unix. however, MS don't really seem to want to crow about that - just in case someone points out unix did this literally decades ago

I was thinking more of the rumor that Longhorn's filesystem would start at '/', removing the 'X:' and the concept of separate drives (like unix has done for decades :) ). When I first saw this discussed, the consensus was that it would break any application that expected to use 'X:\PATH'-style filenames or chdrive() (or whatever that lib call to change the default drive is). Someone suggested that MS might ship an emulator to handle translation (at some non-trivial cost in performance, else no one would have an incentive to refactor) until the vendors could rewrite their apps to use the new native filesystem.
Re: US Retardation of Free Markets (was Airport insanity)
On Tue, 2004-10-26 at 21:10 -0700, James A. Donald wrote:
> --
> James A. Donald:
> > Moral equivalence, the rationale of those who defend tyranny and slavery.
>
> Roy M. Silvernail
> > Moral superiority, the rationale of both sides of any given violent conflict. The winner gets to use the victory to proclaim the correctness of their interpretation.
>
> A claim that presupposes that the west is just as totalitarian as its enemies, that well known reality is not to be trusted, that newsmen and historians are servants of the vast capitalist conspiracy,

No claim in evidence. Just the observation that any justification for a violent conflict is necessarily subjective.
Re: US Retardation of Free Markets (was Airport insanity)
On Tue, 2004-10-26 at 14:19 -0700, James A. Donald wrote:
> Moral equivalence, the rationale of those who defend tyranny and slavery.

Moral superiority, the rationale of both sides of any given violent conflict. The winner gets to use the victory to proclaim the correctness of their interpretation. When the conflict is of a historic scale, the loser is often too dead to object.
Re: US Retardation of Free Markets (was Airport insanity)
On Tue, 2004-10-26 at 18:38 -0400, R.A. Hettinga wrote:
> At 6:23 PM -0400 10/26/04, Roy M. Silvernail wrote:
> > Moral superiority, the rationale of both sides of any given violent conflict. The winner gets to use the victory to proclaim the correctness of their interpretation. When the conflict is of a historic scale, the loser is often too dead to object.
>
> ...and your point is?

Oh, sorry... I thought we were stating and restating the very obvious.

> Same as it ever was,

Indeed.
Re: US Retardation of Free Markets (was Airport insanity)
On Sun, 2004-10-24 at 03:43 -0700, James A. Donald wrote:
> McVeigh did not target innocents. Bin Laden did target innocents.

I'm confused. Is Mr. Donald saying McVeigh did not surveil his target sufficiently to know that there was a day care center in the damage pattern? Or is he saying it only takes one non-innocent in a damage zone to justify an attack? (in which case, how is he privy to Bin Laden's attack plan, such that he can rule out any non-innocent targets) Or is the problem perhaps that any reasonable definition of terrorist must describe both McVeigh and Bin Laden?

Ends do not justify means. A reasonable man would argue that attacking an occupied building with highly destructive weapons is an act intended to incite terror, without needing to even consider the motive.
Re: How to fuck with airports - a 1 step guide for (Redmond) terrorists.
Sunder wrote:
> Q: How do you cause an 800-plane pile-up at a major airport?
> A: Replace working Unix systems with Microsoft Windows 2000!
>
> Details: http://www.techworld.com/opsys/news/index.cfm?NewsID=2275
>
> Got to love the spin...
>
> > The servers are timed to shut down after 49.7 days of use in order to prevent a data overload, a union official told the LA Times.

That would be 49.71026961805556 days, or (curiously enough) 4294967295 (0xFFFFFFFF) milliseconds. Known problem with Win95 ('cept they call Win95 a server).
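The 49.7-day figure worked through, as an added example in Python (not code from the thread or from the article it cites). It assumes the uptime counter in question is an unsigned 32-bit millisecond tick count, which is what the numbers above imply; no particular API is named in the thread. It goes one step past the arithmetic to show the classic failure mode of such a counter: an elapsed-time check written as plain subtraction breaks the moment the counter wraps, while modular subtraction keeps working until a second wrap.

```python
"""Unsigned 32-bit millisecond tick counter: wrap period and wrap-safe use.

Added example, not code from the thread.  Assumption: the counter is an
unsigned 32-bit count of milliseconds since boot.
"""

MASK32 = 0xFFFFFFFF                 # largest value a 32-bit counter can hold
MS_PER_DAY = 24 * 60 * 60 * 1000    # 86,400,000 ms


def max_tick_days() -> float:
    """Days until an unsigned 32-bit ms counter reaches its maximum value."""
    return MASK32 / MS_PER_DAY      # about 49.7103 days


def tick_after(start: int, elapsed_ms: int) -> int:
    """Advance a 32-bit tick counter, wrapping the way the real counter does."""
    return (start + elapsed_ms) & MASK32


def elapsed_naive(now: int, start: int) -> int:
    """Buggy: plain subtraction goes hugely negative once the counter wraps."""
    return now - start


def elapsed_wrapsafe(now: int, start: int) -> int:
    """Correct: modulo-2**32 subtraction yields the true elapsed time across a
    wrap, as long as fewer than 2**32 ms (about 49.7 days) have passed."""
    return (now - start) & MASK32


def timeout_expired(now: int, start: int, timeout_ms: int, wrapsafe: bool) -> bool:
    """A watchdog-style check.  The naive variant never fires right after a
    wrap, which is the sort of defect a scheduled reboot papers over."""
    elapsed = elapsed_wrapsafe(now, start) if wrapsafe else elapsed_naive(now, start)
    return elapsed >= timeout_ms


def demo() -> dict:
    """Constructed scenario: a 2 s timeout armed 1 s before the wrap."""
    start = MASK32 - 1000            # counter reads 4294966295, 1 s before wrap
    now = tick_after(start, 5000)    # 5 s later the counter has wrapped to 3999
    return {
        "days": max_tick_days(),
        "now": now,
        "naive": elapsed_naive(now, start),
        "wrapsafe": elapsed_wrapsafe(now, start),
        "naive_timeout": timeout_expired(now, start, 2000, wrapsafe=False),
        "wrapsafe_timeout": timeout_expired(now, start, 2000, wrapsafe=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The naive check reports a negative elapsed time and never expires; the wrap-safe check correctly reports 5000 ms and fires. The same `& MASK32` idiom is what makes unsigned arithmetic in C do the right thing, which is why tick comparisons should always be written as a difference rather than as a comparison of absolute values.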
Re: A nice little dose of pop conspiracy theory...
On Sat, 2004-09-11 at 10:34, Tyler Durden wrote:
> Actually, despite some of the fairly dubious "what about this!" points, there are some things that are a little unsettling. No way that's a Boeing 757, and it's not like they can just lose one (ie, there should have been one unaccounted for). And I was unaware of the possibility that the FBI had quickly confiscated tapes that would show the 'plane' more clearly. So for what it's worth...
>
> http://pixla.px.cz/pentagon.swf

Interesting stuff. The plane in the Pentagon camera shots is definitely no 757. Question is, where did the flight 77 equipment (the 757 that supposedly crashed into the Pentagon) finally end up?
Re: Remailers an unsolveable paradox?
Nomen Nescio wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Are remailers an unsolveable paradox?

Yes.

Adios, Lemuria. Hate to see you go, but I understand completely.
Re: Another John Young Sighting
On Mon, 2004-08-23 at 21:09, An Metet wrote:
> > John's an anarchist now! LMAO!
>
> This is a perfect example of media bias and manufacture of enemies. Collecting public material at one place *is* anarchism today. You may laugh but 74% (or whatever is the % who believes Saddam personally piloted all 9/11 planes) of americans will believe it. So Mr. Young is anarchist for all practical purposes and consequences. And you are all his associates.

Thanks for reminding me. I'd been putting off ordering my CD set.

OTGH, I'm noticing a fair number of self-described anarchists who say they'll vote Bush, but only because it will hasten the inevitable final breakdown.
Re: GPS, phones, toothing
On Sat, 2004-07-03 at 22:28, Major Variola (ret) wrote:
> The cool thing about 'toothing' is that the party you're arranging to mutually stimulate is within a finite physical range. An amusing unintended consequence.

Not so unintended if you ask me. The chief drawback of semi-anon methods of negotiating assignations is the lack of geographical data. Certain adult telephone chat services suffer from aggregating widely strewn patrons. A patron in Cincinnati may discover suddenly that the object of his/her pursuit is actually in Nashville, hardly a quick drive. I think toothing has grown popular *because* of the proximity limitations. One has a reasonable assurance that the object of pursuit is close enough to close escrow, as Lenny Nero would say.
Re: [IP] more on more on E-mail intercept ruling - good grief!! (fwd from dave@farber.net)
Sunder wrote:
> On Fri, 2 Jul 2004, Roy M. Silvernail wrote:
> > Call me cynical (no... go ahead), but if VOIP is found to have no 4th Amendment protection, Congress would first have to agree that this *is* a problem before they could fix it. Given the recent track record of legislators vs. privacy, I'm not at all confident Congress would recognize the flaw, much less legislate to extend 4th Amendment protection. After all, aren't more and more POTS long-distance calls being routed over IP? The only difference, really, is the point at which audio is fed to the codec. If the codec is in the central office, it's a voice call. If it's in the handset or local computer, it's VOIP. I think we can count on the Ashcroftians to eventually notice this and pounce upon the opportunity. And as for the SCOTUS, all they have to do is sit back on a strict interpretation and such intercepts aren't wiretaps at all.
>
> If VOIP gets no protection, then you'll see a lot of digital bugs in various spy shops again - and they'll all of a sudden be legal. I thought the Feds busted lots of people for selling bugging equipment, etc. because they're an invasion of privacy, etc.

Interesting counterpoint. Those busts were predicated on the violation of existing laws, where of course the feds get to break those laws with a good story and a judge's rubber sta.. er, I mean permission. So the question becomes how does the fed keep their ability to intercept legally unprotected commo and at the same time, keep Joe Beets from doing the same thing.

> Ditto for devices that intercept digital cellular phone conversations, spyware software that turns on the microphone in your computer and sends the bits out over the internet, ditto for tempest'ing equipment (But your honor, it's stored for 1/60th of a second in the phosphor! It's a storage medium!), etc.

The Tempest argument is a stretch, only because you're not actually recovering the information from the phosphor itself. But the Pandora argument is well taken.

> Hey, they can't have their cake and eat it too. It's either protected or it isn't.

Not that they won't try, though. Or that they wouldn't opt toward unprotecting everything if the opportunity presented itself.
Re: [IP] more on more on E-mail intercept ruling - good grief!! (fwd from dave@farber.net)
Eugen Leitl forwarded: The constitutional question is whether users have a reasonable expectation of privacy in VOIP phone calls. Since the 1960's, the Supreme Court has found a 4th Amendment protection for voice phone calls. Meanwhile, it has found no constitutional protection for stored records. In an article coming out shortly from the Michigan Law Review, I show why VOIP calls quite possibly will be found NOT to have constitutional protection under the 4th Amendment. It would then be up to Congress to fix this, or else have the Supreme Court change its doctrine to provide more protections against future wiretaps. Article at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=490623 . Call me cynical (no... go ahead), but if VOIP is found to have no 4th Amendment protection, Congress would first have to agree that this *is* a problem before they could fix it. Given the recent track record of legislators vs. privacy, I'm not at all confident Congress would recognize the flaw, much less legislate to extend 4th Amendment protection. After all, aren't more and more POTS long-distance calls being routed over IP? The only difference, really, is the point at which audio is fed to the codec. If the codec is in the central office, it's a voice call. If it's in the handset or local computer, it's VOIP. I think we can count on the Ashcroftians to eventually notice this and pounce upon the opportunity. And as for the SCOTUS, all they have to do is sit back on a strict interpretation and such intercepts aren't wiretaps at all. -- Roy M. Silvernail is [EMAIL PROTECTED], and you're not It's just this little chromium switch, here. - TFS SpamAssassin-procmail-/dev/null-bliss http://www.rant-central.com
Re: Shuffling to the sound of the Morlocks' dinner bell
On Sun, 2004-06-27 at 20:38, J.A. Terranson wrote: BTW - I just got back from F9/11: good movie, regardless of your stance on shrub. I just saw it, as well, and I have to agree with you. I find it interesting that (a) Although it is raking in money like crazy (my performance was close to 100% full, no passes are being accepted, etc.), (b) only a single theater within 50 miles of St. Louis, yes, you saw that right, a major city, has booked this show, and, (c) the movie plays only through tonight - a three day run. You close a movie that's making money? There are three theaters around Cincinnati running it, which considering the Republican slant of the state I found interesting. Don't know how long it's scheduled to play, though. I didn't see any final performance posters (and of course, moviefone.com doesn't show closing dates). -- Roy M. Silvernail is [EMAIL PROTECTED], and you're not Progress, like reality, is not optional. - R. A. Hettinga SpamAssassin-procmail-/dev/null-bliss http://www.rant-central.com
Re: [IP] When police ask your name, you must give it, Supreme Court says (fwd from dave@farber.net)
Morlock Elloi wrote: incriminating, and the State has a substantial interest in knowing who you are -- you may need medicating, or you may owe the government money, or Exactly ... and maybe you are on this consumer list: http://bmj.bmjjournals.com/cgi/content/full/328/7454/1458 Thanks for ruining my day! Now I'm going to go home and watch Equilibrium again. -- Roy M. Silvernail is [EMAIL PROTECTED], and you're not It's just this little chromium switch, here. - TFS SpamAssassin-procmail-/dev/null-bliss http://www.rant-central.com
Re: Reverse Scamming 419ers
On Fri, 2004-06-11 at 14:41, Eric Cordian wrote: Roy M. Silvernail wrote: Think of it as evolution in action. I think we've identified another applicant on the short list for Tim May's old job. :) But I didn't come right out and *say* they need killing. :) -- Roy M. Silvernail is [EMAIL PROTECTED], and you're not Never Forget: It's Only 1's and 0's! SpamAssassin-procmail-/dev/null-bliss http://www.rant-central.com
Re: (SOT) [Full-Disclosure] Possible First Crypto Virus Definitely Discovered! (fwd)
On Sat, 2004-06-12 at 10:13, Adam wrote: On Tue, 8 Jun 2004 12:25:36 -0500 (CDT) J.A. Terranson [EMAIL PROTECTED] wrote: Submitted primarily for its entertainment value, but with a crypto nexus. Yours J.A. Terranson Is this Bilano guy serious? Or is it pulling some inane prank? I vote prank. Looks like BIFF!!1! got hisself a EmCeeEssEE. -- Roy M. Silvernail is [EMAIL PROTECTED], and you're not Never Forget: It's Only 1's and 0's! SpamAssassin-procmail-/dev/null-bliss http://www.rant-central.com
Re: Reverse Scamming 419ers
Eric Cordian wrote: It's certainly unethical for Nigerians to try and make a living by bilking foreigners with elaborate schemes that promise vast riches in return for an advance fee. Granted. But Nigeria is a very poor country, with high unemployment, where people are forced by economic circumstances to do almost anything to try and feed their families. I see no reason to be proud of reverse-scamming a Nigerian out of $80 when it might be his entire family's food money for the month. The 419 scam has been going on for the best part of half a century. The advent of the net and email has only allowed it to spread farther and wider, while law enforcement has been unable to stem it significantly. If reverse-scamming some Nigerian fraudster out of the month's food budget incents him to seek out legal means of income, that's one less 419er. If a few of his friends drop their fraud careers after seeing one of them get taken, that's more ex-419ers. It seems to me the relationship between affluent Americans and poor Nigerians is an example of a dominant class/subordinate class structure, and in such a structure, the subordinate class has rights, and the dominant class has responsibilities. Including the responsibility to tacitly underwrite a massive, national-scale fraud campaign? Somehow, I don't think so. It is beneath the station of those with the power to define, describe, and profile the world to pick the pocket of some poor black man in Africa, while encouraging him to pose for funny pictures that will be laughed at on some comfortably well off white person's web site. But it's the proper station of that poor black African to attempt picking the pocket of any number of comfortably well-off white people? 419ers are criminals. They steal money by dint of deception. They break the social contract. I can't get too worked up about turning the tables on them. Think of it as evolution in action. -- Roy M. Silvernail is [EMAIL PROTECTED], and you're not Never Forget: It's Only 1's and 0's! SpamAssassin-procmail-/dev/null-bliss http://www.rant-central.com
Re: Satellite eavesdropping of 802.11b traffic
R. A. Hettinga wrote: At 12:35 PM -0400 5/27/04, John Kelsey wrote: Does anyone know whether the low-power nature of wireless LANs protects them from eavesdropping by satellite? It seems to me that you'd need a pretty big dish in orbit to get that kind of resolution. The Keyholes(?) are for microwaves, right? Where better to put the big dish than in orbit? Clarke-belt birds are separated by what, 10 km? So a 5 km dish would be feasible. -- Roy M. Silvernail is [EMAIL PROTECTED], and you're not http://www.rant-central.com is the new scytale Never Forget: It's Only 1's and 0's! SpamAssassin-procmail-/dev/null-bliss
Re: [IP] One Internet provider's view of FBI's CALEA wiretap push
On Thu, 2004-04-22 at 14:53, Major Variola (ret) wrote: I wonder how quickly one could incinerate a memory card in the field with high success rate? Destroy the data and the passphrases don't help. The first thing that popped into my mind is a USB key with a small cake of potassium permanganate affixed to the flash chip and a rupturable bladder filled with glycerin on top. In case of problem, squeeze to rupture the bladder and throw it somewhere. If outside and near weeds, it'll be very hard to find before the mixture does its exothermic thing. That mixture will ignite thermite... should be able to do a number on a flash chip pretty well. -- Roy M. Silvernail is [EMAIL PROTECTED], and you're not Never Forget: It's Only 1's and 0's! SpamAssassin-procmail-/dev/null-bliss http://www.rant-central.com
Re: U.S. in violation of Geneva convention?
On Tuesday 16 December 2003 21:01, [EMAIL PROTECTED] wrote: In a message dated 12/15/2003 9:44:03 PM Eastern Standard Time, [EMAIL PROTECTED] writes: There are specific clauses which refer to not publicly humiliating a prisoner. I'm surprised the Agitprop Division didn't show video of Saddam taking his first dump while in custody. Saddam is not a good guy. But this went beyond the pale. You're one-hundred percent correct. I saw that sack of shit Rumsfeld on a press conference this afternoon where he answered the specific question of does parading Saddam around violate the Geneva convention. His answer was that some things are more important, that it was necessary to show to the world that Saddam was in custody and he wasn't going to be back in power, etc. He added that Saddam is being treated humanely, and he takes offense to anyone who suggests otherwise. In other words, yes. Following in the footsteps of Richard Perle. I think in this case international law stood in the way of doing the right thing. (http://www.guardian.co.uk/Iraq/Story/0,2763,1089158,00.html) 'Scuse me whilst I go vomit.
Re: Anti-globalization
On Thursday 11 December 2003 22:00, Neil Johnson wrote: What I object to are corporations who utilize their power (money) to influence governments to make laws that benefit them at the expense of others. - The DMCA - Tariffs AND Free Trade Agreements - H1-B visas And now... tariffs for filming movies in Canada. Just heard that one on NPR today, and I nearly drove off the road. The plan is to raise the cost of filming in Canada so that there's no longer an economic advantage. Made me want to puke. Even Ayn Rand weaves this into Atlas Shrugged where the competitors of Rearden Steel get the government to try and force him to give them his formula for his high-strength steel because it's putting them out of business and unfair. I guess Canada is Rearden Pictures.
Re: Speaking of Reason
On Tuesday 09 December 2003 19:57, Eric Murray wrote: Ok, bye! plonk Eric (just to make it crystal clear, Tim's going in my _personal_ killfile) Shit, mine too. I really don't get what's happened to Tim. He used to be a great resource. Now he's even forgotten how to troll well. shrug
Re: People getting high == threat to homeland security
On Tue, Dec 02, 2003 at 12:23:29PM -0500, Declan McCullagh wrote: Query: What, nowadays, is *not* a threat to homeland security? Anything that advances the cause of repealing the Constitution. -- Roy M. Silvernail is [EMAIL PROTECTED], and you're not http://www.rant-central.com is the new scytale Never Forget: It's Only 1's and 0's! SpamAssassin-procmail-/dev/null-bliss
Re: e voting
On Friday 21 November 2003 12:19, Tim May wrote: On Nov 21, 2003, at 8:16 AM, Major Variola (ret.) wrote: Secretary of State Kevin Shelley is expected to announce today that as of 2006, all electronic voting machines in California must be able to produce a paper printout that voters can check to make sure their votes are properly recorded. http://www.latimes.com/news/local/la-me-shelley21nov21,1,847438.story?coll=la-headlines-california Without the ability to (untraceably, unlinkably, of course) verify that this vote is in the vote total, and that no votes other than those who actually voted, are in the vote total, this is all meaningless. Quite true. But given the fact that we don't have that ability *now*, what exactly is the difference? Other than streamlining and centralizing the present distributed corruption?
Freenet and DHCP
In looking over the Freenet FAQ (specifically the Firewall/NAT stuff), it looks like a static public IP address is assumed/needed. My DSL connection is DHCP, so my visible IP changes periodically. Even more fun, the visible IP isn't visible from my side. (I get a 10.x.x.x address from my DSL modem) I can do some sneaky stuff to recover the visible IP, but can Freenet work under these conditions?
Re: If you didn't pay for it, you've stolen it!
Steve Schear writes: Why not have each individual's PC which offered to lend do the accounting. This means their PC must be on-line whenever someone who didn't pay wants to listen, limiting the number of copies available, but it could be fully decentralized. You'd have to piggyback this on some P2P app. Otherwise, the lender would have to run an accessible server. That can be a trick if you're behind a NAT or your ISP takes exception to unsolicited incoming packets. Also, how do you handle check-in, or more importantly, lack of check-in? Timeout? Can you queue checkout requests? Interesting idea, but it sounds kind of cumbersome to roll out. -- Roy M. Silvernail is [EMAIL PROTECTED], and you're not http://www.rant-central.com is the new scytale Never Forget: It's Only 1's and 0's! SpamAssassin-procmail-/dev/null-bliss
Re: If you didn't pay for it, you've stolen it!
On Friday 24 October 2003 02:46, Steve Schear wrote: Why couldn't this be applied on-line to music. Under current fair use provisions readers and listeners who have purchased a work are allowed to lend it out freely. Surely the number of people who want to read or listen to a work are much smaller at any particular moment than the number of people who have ripped/downloaded a work (perhaps only 1 in 100 at most). If some mechanism could be made part of the P2P systems purchasers of the work could 'lend' it to others to read, view or hear when they are not using it. As long as the system gave some assurance to Hollywood that the works were not being enjoyed at any one moment by more people than had paid for the works then the spirit of a lending library would be maintained. Someone else must have thought up this idea, but I don't recall seeing it. Please inform me nicely if you have seen it proposed before. This sounds a lot like the SunnComm DRM system that got so much publicity recently. (the one that relies on Windows' CD Autorun feature) That system allows the user of a protected CD to make expiring copies of some tracks to share. The problem with the central premise, of course, is that without some Big (Brother) Central Server, there's just no way to track simultaneous usage, so there's no way to assure that the number of users = the number of owners. You can be sure that [MP|RI]AA will accept nothing less than perfect accounting. And if the system relies on my destroying my physical CDs to share the MP3 copies, forget it. The MP3s are backups for my CDs, but my CDs are also backups for the MP3 files. I've already re-ripped my whole collection once to change bitrates and unify tag information. When OGG hardware gets more widespread, there's at least one more ripping party in the offing. If that's what it takes to share, then I'll just remain a stingy bastard.
Re: If you didn't pay for it, you've stolen it!
Major Variola writes: What *is* a library? 1. A library is legal. A library needn't be licensed by any state entity. 2. Thus, I can declare my computer a library. The only requirement is that I own a license to what I lend, and that only 1 user exercise that license at a time. That is what a library is. Well stated. A legal assault on this mechanism is an assault on bricks and mortar libraries, ie the right to lend a book to an associate. Even if that associate xeroxes the book without our knowing it. Perhaps these features could be added to KaZaa. (Simply: when a file is uploaded from your disk, you move it from shared to not shared directory for a day. You also have some lameass clickthrough library-patron contract.) Gentlemen, start your lawyers. Indeed. I'd guess the [MP|RI]AA wouldn't like this at all. But your point is inescapable and I'd /really/ like to watch this court battle. -- Roy M. Silvernail is [EMAIL PROTECTED], and you're not http://www.rant-central.com is the new scytale Never Forget: It's Only 1's and 0's! SpamAssassin-procmail-/dev/null-bliss
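The lender-side accounting that the two messages above talk around (one user exercising a licence at a time, a timeout for borrowers who never check in, and a queue for waiting requests), as an added example that is not code from the original thread or from any P2P client. The scenario in demo() is constructed; the title name, borrower names and the one-hour loan period are assumptions. Note what the ledger can and cannot do: it keeps this lender honest about simultaneous use of its own copies, but it has no way to stop a borrower from keeping a copy, the "xeroxed book" case the message accepts as the price of lending.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict


@dataclass
class Title:
    copies_owned: int                                        # licences the lender actually holds
    loans: Dict[str, float] = field(default_factory=dict)    # borrower -> loan expiry time
    waitlist: Deque[str] = field(default_factory=deque)      # queued checkout requests, FIFO


class LendingLedger:
    """One-user-per-licence lending with a hard timeout for borrowers who never check in."""

    def __init__(self, loan_seconds: float):
        self.loan_seconds = loan_seconds
        self.titles: Dict[str, Title] = {}

    def add_title(self, title_id: str, copies: int) -> None:
        self.titles[title_id] = Title(copies)

    def _settle(self, t: Title, now: float) -> None:
        # Expire overdue loans (the lack-of-check-in case), then hand freed copies to the queue.
        for who, until in list(t.loans.items()):
            if until <= now:
                del t.loans[who]
        while t.waitlist and len(t.loans) < t.copies_owned:
            t.loans[t.waitlist.popleft()] = now + self.loan_seconds

    def checkout(self, title_id: str, borrower: str, now: float) -> bool:
        """True if the borrower holds a copy now; False if queued behind current holders."""
        t = self.titles[title_id]
        self._settle(t, now)
        if borrower in t.loans:
            return True
        if len(t.loans) < t.copies_owned:
            t.loans[borrower] = now + self.loan_seconds
            return True
        if borrower not in t.waitlist:
            t.waitlist.append(borrower)
        return False

    def checkin(self, title_id: str, borrower: str, now: float) -> None:
        t = self.titles[title_id]
        t.loans.pop(borrower, None)
        self._settle(t, now)

    def holders(self, title_id: str, now: float) -> set:
        t = self.titles[title_id]
        self._settle(t, now)
        assert len(t.loans) <= t.copies_owned   # the invariant the rights holders would demand
        return set(t.loans)


def demo() -> dict:
    """Constructed scenario: one copy, alice borrows and never checks in, bob waits his turn."""
    ledger = LendingLedger(loan_seconds=3600)          # assumed one-hour loan period
    ledger.add_title("album", copies=1)
    r = {}
    r["alice_gets_it"] = ledger.checkout("album", "alice", now=0)
    r["bob_denied"] = ledger.checkout("album", "bob", now=10)       # queued, not served
    r["holders_at_1000"] = ledger.holders("album", now=1000)
    r["holders_at_3700"] = ledger.holders("album", now=3700)         # alice timed out, bob promoted
    ledger.checkin("album", "bob", now=3800)
    r["holders_after_checkin"] = ledger.holders("album", now=3800)
    return r


if __name__ == "__main__":
    print(demo())
```

The timeout is what makes the scheme survive a borrower whose machine simply goes away; without it one silent client would pin a copy forever, and with a queue but no expiry the waitlist would never drain.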
Re: Software protection scheme may boost new game sales
On Saturday 11 October 2003 04:38, Steve Schear wrote: What the program does is make unauthorized copies of games slowly degrade, by exploiting the systems for error correction that computers use to cope with CD-ROMs or DVDs that have become scratched. Software protected by Fade contains fragments of subversive code designed to seem like scratches, which are then arranged on the disc in a pattern that will be used to prevent copying. The C-64 headbanger comes to the 21st century! Can parameter patches be far behind? Bruce Everiss of Codemasters says, The beauty of this is that the degrading copy becomes a sales promotion tool. People go out and buy an original version. Stupid fucking game! toss Next!
Re: Nuking USG: not just for cypherpunks anymore
On Saturday 11 October 2003 00:14, Major Variola (ret.) wrote: 'If I could just get a nuclear device inside Foggy Bottom, I think that's the answer', he said. --Pat Robertson, Republican presidential candidate Robertson was quoting columnist Joel Mowbray, who has written a book entitled Dangerous Diplomacy: How the State Department Threatens American Security. The threat was Mowbray's. Interesting that the State Department goes after Robertson rather than Mowbray. Could it have anything to do with the idea that few(er) people know who Mowbray is?
[cdr] Re: DC Security Geeks Talk: Analysis of an Electronic Voting System
On Thursday 25 September 2003 12:46, Major Variola (ret) wrote: Someone needs to inject a story about e-voting fraud into the popular imagination. Is Tom Clancy available? Maybe an anonymous, detailed, plausible, (but secretly fictional) blog describing how someone did this in their podunk county... then leak this to a news reporter.. Think http://aflightrisk.com/. Take advantage of a blog's temporal immediacy and pick an election somewhere. Then chronicle the fraud as it progresses. Failure to be *able* to assure that this *didn't* happen in that podunk county would make an important point. I believe you are correct.
[cdr] Re: Elngsih (was )
On Monday 22 September 2003 18:39, Thomas Shaddack wrote: Please write if you have questions, thoughts, comments, etc. Could be the l33t sp3ak next generation for the cases when the communication is monitored by automated tools for keywords. Could foil both alerting on keywords and keyword searching on intercepted and stored material (unless the keyword search would look also for all the possible permutations of the words). No, the channel is better than that. The true keywords aren't even in the message. Only some stego binary codes that are translated after recovery, so one need not even be as obvious as Pick up the 2 cases of beer at Simon's on the way home. Srue, it's obvoius if you try to sutff too much itno one cleratxet, but that would be a rookie mistake.
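The "stego binary codes" the reply alludes to, as an added example that is not code from the original message: each carrier word in the cover text carries one bit, 1 if its interior letters are shuffled and 0 if it is left alone, and the decoder recognizes a shuffled word by its first letter, last letter and sorted interior. The cover text is constructed and the word list is derived from it so the example runs offline; a real deployment would need a full dictionary (assumption). Words whose letters also spell a different dictionary word (form/from) are not used as carriers, because the decoder could not tell a shuffle of one from the other left intact, and a one-byte length prefix tells the decoder where the payload ends, since carriers after it read as zeros.

```python
import random
import re
from typing import Dict, List, Optional

# Constructed, lowercase cover text; the dictionary below is built from it (assumption).
COVER = ("pick up the two cases of beer at simons on the way home and tell your brother "
         "that reading scrambled words still makes sense because the mind does not read "
         "every letter by itself but the whole word at once which is why this channel works "
         "without any obvious keyword inside the text")
DICTIONARY = set(re.findall(r"[a-z]+", COVER))
TOKEN = re.compile(r"[a-z]+|[^a-z]+")       # letter runs and everything else, nothing dropped


def canon(word: str) -> str:
    """First letter, sorted interior, last letter: exactly what a shuffle preserves."""
    return word[0] + "".join(sorted(word[1:-1])) + word[-1]


_BY_CANON: Dict[str, List[str]] = {}
for _w in DICTIONARY:
    _BY_CANON.setdefault(canon(_w), []).append(_w)


def carrier_word(token: str) -> Optional[str]:
    """The dictionary word `token` is (or is a shuffle of) if it can carry one bit, else None.
    A carrier needs 4+ letters, two distinct interior letters (so a shuffle can differ from
    the original) and a letter multiset matching exactly one dictionary word."""
    if len(token) < 4 or not token.isalpha():
        return None
    matches = _BY_CANON.get(canon(token), [])
    if len(matches) != 1 or len(set(matches[0][1:-1])) < 2:
        return None
    return matches[0]


def _scramble(word: str, rng: random.Random) -> str:
    inner = list(word[1:-1])
    while True:
        rng.shuffle(inner)
        candidate = word[0] + "".join(inner) + word[-1]
        if candidate != word:           # guaranteed to terminate: two distinct interior letters
            return candidate


def _to_bits(data: bytes) -> List[int]:
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def embed(cover: str, message: bytes, seed: int = 0) -> str:
    """Bit 1 = shuffle the carrier's interior, bit 0 = leave it; a length byte leads."""
    if len(message) > 255:
        raise ValueError("message too long for the one-byte length prefix")
    bits = iter(_to_bits(bytes([len(message)]) + message))
    rng = random.Random(seed)
    out = []
    for tok in TOKEN.findall(cover):
        word = carrier_word(tok)
        if word is None:
            out.append(tok)
            continue
        if word != tok:
            raise ValueError(f"cover word {tok!r} already reads as a shuffle")
        bit = next(bits, 0)             # carriers past the end of the message stay intact
        out.append(_scramble(tok, rng) if bit else tok)
    if next(bits, None) is not None:
        raise ValueError("cover text has too few carrier words")
    return "".join(out)


def extract(stego: str) -> bytes:
    bits = []
    for tok in TOKEN.findall(stego):
        word = carrier_word(tok)
        if word is not None:
            bits.append(0 if tok == word else 1)
    if len(bits) < 8:
        raise ValueError("no length prefix recoverable")
    length = int("".join(map(str, bits[:8])), 2)
    payload = bits[8:8 + 8 * length]
    if len(payload) < 8 * length:
        raise ValueError("stego text truncated")
    return bytes(int("".join(map(str, payload[i:i + 8])), 2)
                 for i in range(0, len(payload), 8))


if __name__ == "__main__":
    s = embed(COVER, b"ok")
    print(s)
    print(extract(s))
```

Capacity is one bit per usable word, so a short cover carries only a few bytes, which is the "too much into one cleartext" rookie mistake the message warns about; the encoder refuses rather than silently truncating.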
[cdr] Re: The Register - eBay to Fees: come and get what you want (fwd)
On Saturday 20 September 2003 11:06, martin f krafft wrote: also sprach Jim Choate [EMAIL PROTECTED] [2003.09.20.1638 +0200]: http://www.theregister.co.uk/content/6/32936.html Don't want to open a can of worms here, but is cypherpunks secondary function to be Jim's link distribution list? I mean, we all know The Register and we all look around. slashdot You're new here, aren't you? /slashdot That can of worms has been opened many times before. Think of it as nature teaching you to learn about filter rules.
Re: CAPPS II -- The Latest Red Scare
On Tuesday 09 September 2003 16:47, Tyler Durden wrote: Stop expressing yourself and everything will be OK. Shut up, keep your head down and stay with the pack. All hail mediocrity!
Re: DoS of spam blackhole lists
On Monday 01 September 2003 05:03, Andrew Thomas wrote: The above is useful information. Specifically, the recognition of duplicate mail receipts is a concept that is new to me, though that would require that both email addresses would receive an equal amount of 'publicity' on newsgroups, mailing lists, etc in order that they are both acquired by a potential spammer. That 'publicity' may be easier to come by than you think. I migrated to my present domain from a much older one just 4 months ago. Now, a quick check of my spam folder shows that fully 5% of the received spam is directed to the new domain address. Considering that the old domain had a 7-year history, I'd say the harvest bots are working harder than one might otherwise think.
Re: spam blacklists and lne CDR
On Wednesday 27 August 2003 11:52, Eric Murray wrote: Hi. The last couple days I've gotten a lot of mail bounces from cpunks subscribers who are blocking lne.com because it's on the osirusoft spam blacklist. There is no way to get off this list; in fact the site appears to be down. Down, indeed. In fact, it's gone. http://slashdot.org/article.pl?sid=03/08/27/0214238&mode=nested&tid=111&tid=126 This caused me to have to polish my SpamAssassin rules a bit to remove the Osirusoft contribution to scoring. Gotta love email. Monday, I had to add an alternate port to my hosted mailserver to get around the new Fuse.net policy of blocking outbound port 25. I just hope they don't start blocking inbound 22. That would be bad.
Re: [cta@hcsin.net: Re: CNN: 'Explores Possibility that Power Outage is Related to Internet Worm']
On Friday 15 August 2003 22:29, Chris Kuethe wrote: On Fri, 15 Aug 2003, Harmon Seaver wrote: Somehow I have difficulty believing the these people could be so totally lame as to be running mission-critical stuff like this on windoze. Please say it isn't true. it's scary just how much mission-critical stuff runs on windows. i'll confess right now to being a unix zealot, so the thought of anything mission critical (beyond hotmail and freecell) on windows is scary. It's not just the reliance on Windows that's scary. It's the mindset of the industrial controls industry, where the concept of security is perceived as a hassle for the end customer, and therefore something to be avoided. 10 years ago, I was developing a data collection and reporting program for the aircraft industry. The project suffered from creeping featurism, and one of the desired features was adding dialup data exchange, so the collection apps could send their data to a central location via modem. When I asked how much security was wanted on the dialup port, I was told that none was necessary because no one would ever attack the system, and anyway, the data were not interesting to outside parties. 10 years ago, perhaps that was an understandable position, though certainly naive. (I still put in a minimal challenge/response layer, if only to discourage the C-64 kids with wardiallers) A few weeks ago, I sat in on a meeting to talk over design of a TCP/IP Ethernet interface for an existing control system. When I asked what security provisions were envisioned for this interface, I was told that the system was not intended for deployment on publicly routed network segments, so there was no need for any security protocol. i know of some fairly large installations running control systems for power generation on windows. these same sites then give the vendors access to the system via vpn across the internet. sure there are firewalls, but i don't have faith in the long-term maintenance of the vendor sites.
I've just returned from an extensive training seminar on OPC controls technology. The acronym stands for OLE for Process Control, and it's a Microsoft-centric technology built on top of DCOM. At the lower end, OPC would let you control a PLC from Excel. Given the compressed schedule of the course (normally three weeks, it was compressed to two for our class) and my previous experiences, I didn't try to discuss security at all. But I noticed no authentication layer at all. Apparently, the security Microsoft natively provides for controlling DCOM traffic is all that such an application has available. And as far as I can tell, that would be none. I suppose I do get a bit of entertainment from the looks on the engineers' faces when I bring up threat models and attack scenarios. Most of them are indifferent. Some are confused. Some are annoyed. And one or two have understood the threat, but told me that I shouldn't talk to corporate about such things because it would make the sales force nervous. The reactions of sales droids (and even management) have been either dismissive (there is no threat) or hostile (I'm the threat). The most entertaining episode was back when UPS was first deploying their DIAD electronic clipboard, and I asked what steps were being taken to protect the signature data in transit. (There was no protection at all; the signature data were retained in the clear and could be dumped by any device that knew the protocol. I believe this is still the case.) That eventually produced a regional manager who visited the small company where I was employed. He was visibly irritated that anyone would even ask about such things, and answered every threat scenario I presented with That would never happen! He stalked off in a huff after I asked him how he would feel if his digitized signature, obtained legitimately when he received a package, were to appear at the bottom of an incriminating document faxed to his general manager.
Ironically, several of my jobs have included IT duties along with my usual engineering tasks. Those same sales droids and engineers that scoffed at the need for security in their industrial controls applications came running to me frantically when their workstations became infected with SirCam or Klez. Security, as Schneier says, is a process. It's also a mindset, and I think one either has the mindset or he doesn't. And for those that don't have it, it is *very* difficult to impart.
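What a "minimal challenge/response layer" on a dialup data port buys over the no-security design the customer asked for, as an added example that is not the author's code and does not reproduce whatever he built: the central host issues a fresh random nonce per call, the collector answers with a keyed MAC over it, and a wardialer who taped one good call cannot replay it. HMAC-SHA256 and the shared key are assumptions for the example (neither is in the message); the cleartext-password port is there only as the contrast. Both sides of the exchange are shown, with the replay and wrong-key cases worked through.

```python
import hashlib
import hmac
import secrets

# Assumption for the example: every field collector shares one secret with the central host.
SHARED_KEY = b"example-collector-secret"


class DialupPort:
    """Central host side: issue a fresh random nonce per call and accept one answer to it."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = None      # nonce issued for the current call, if any
        self.used = set()        # nonces already answered, so a recording cannot be replayed

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def verify(self, nonce: bytes, answer: bytes) -> bool:
        if self.pending is None or nonce != self.pending or nonce in self.used:
            return False         # stale, replayed, or never-issued nonce
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, answer)
        self.used.add(nonce)
        self.pending = None      # one attempt per challenge; a wrong guess costs a redial
        return ok


def answer_challenge(key: bytes, nonce: bytes) -> bytes:
    """Collector side: prove possession of the key without ever sending it down the line."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class CleartextPasswordPort:
    """The contrast: a fixed password sent in the clear, only marginally better than nothing."""

    def __init__(self, password: bytes):
        self.password = password

    def verify(self, supplied: bytes) -> bool:
        return hmac.compare_digest(self.password, supplied)


def legitimate_session() -> bool:
    port = DialupPort(SHARED_KEY)
    nonce = port.challenge()
    return port.verify(nonce, answer_challenge(SHARED_KEY, nonce))


def replay_recorded_session() -> bool:
    """A wardialer who taped one good call presents the same (nonce, answer) pair later."""
    port = DialupPort(SHARED_KEY)
    nonce = port.challenge()
    answer = answer_challenge(SHARED_KEY, nonce)
    if not port.verify(nonce, answer):
        raise RuntimeError("the genuine call should have been accepted")
    port.challenge()                         # next call: a different nonce is issued
    return port.verify(nonce, answer)        # the taped pair is refused


def wrong_key_session() -> bool:
    port = DialupPort(SHARED_KEY)
    nonce = port.challenge()
    return port.verify(nonce, answer_challenge(b"guessed-key", nonce))


def replay_against_cleartext() -> bool:
    """Same recording attack against the password design: the tape is all the attacker needs."""
    port = CleartextPasswordPort(b"hunter2")
    recorded = b"hunter2"                    # what the modem line carried, verbatim
    return port.verify(recorded)


if __name__ == "__main__":
    print("legitimate:", legitimate_session())
    print("replay vs challenge/response:", replay_recorded_session())
    print("wrong key:", wrong_key_session())
    print("replay vs cleartext password:", replay_against_cleartext())
```

Two caveats a practitioner would add: the used-nonce set has to be bounded in a long-running host (expire challenges after a short window rather than remembering them forever), and challenge/response only authenticates the caller; the data that follow still travel in the clear unless a session key is derived and used to encrypt them.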
In the matter of Mr. Fuq
When I suggested a few weeks ago that someone would eventually argue for a constitutionally guaranteed right to be heard, members of the list both reminded me (quite correctly) that no such right does or can exist, and opined that because of the obvious fallacy of the claim, no one would make that argument. It would seem that Mencken [1] was correct, as well as Costello [2]. [1] http://www.bartleby.com/59/3/nooneeverwen.html [2] http://www.brainyquote.com/quotes/quotes/e/q108965.html
Tunneling through a hostile proxy?
This may have been discussed before, but a Google search has turned up lacking. Given internet access from a private intranet, through an HTTP proxy out of the user's control, is it possible to establish a secure tunnel to an outside server? I'd expect that ordinary SSL connections will secure user - proxy and proxy - server separately, with the proxy able to observe cleartext. Could an SSH connection be made under these conditions? Pointers appreciated, thanks. -- Roy M. Silvernail Proprietor, scytale.com [EMAIL PROTECTED]
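How a tunnel through an HTTP proxy actually works at the wire level, as an added example that is not part of the original message: the client sends a CONNECT request naming the target host and port, the proxy either refuses it or answers 200 and from then on relays bytes in both directions without interpreting them, so what the proxy can observe is the target name and port plus whatever the inner protocol puts on the wire (for SSH, the version banner followed by the encrypted stream). Client, a toy proxy and a stand-in "sshd" all run in-process over socketpairs so it works offline; the proxy's allow-list (443 only, a common corporate policy), the hostname ssh.example.net and the banner strings are assumptions. The refused case is the one a hostile proxy produces, and the usual workaround is to listen for SSH on 443.

```python
import re
import socket
import threading
from typing import Callable, List, Optional, Tuple

# Assumption: the proxy only permits CONNECT to port 443.
ALLOWED_PORTS = {443}


def build_connect_request(host: str, port: int) -> bytes:
    """The request that asks an HTTP proxy to open a raw tunnel (RFC 7231 section 4.3.6)."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode()


def read_http_head(sock: socket.socket) -> Tuple[bytes, bytes]:
    """Read through the blank line that ends an HTTP head; return (head, bytes after it)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed before the HTTP head was complete")
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head, rest


def open_tunnel(proxy: socket.socket, host: str, port: int) -> bytes:
    """Client side. Returns any inner-protocol bytes that arrived along with the proxy's reply."""
    proxy.sendall(build_connect_request(host, port))
    head, rest = read_http_head(proxy)
    status_line = head.split(b"\r\n", 1)[0]
    if status_line.split(b" ")[1] != b"200":
        raise PermissionError("proxy refused CONNECT: " + status_line.decode(errors="replace"))
    return rest


def toy_proxy(client: socket.socket, connect_upstream: Callable[[str, int], socket.socket],
              allowed_ports=ALLOWED_PORTS, log: Optional[List[Tuple[str, bytes]]] = None) -> None:
    """Proxy side. After the 200 it is a byte pipe: it can record what flows, not interpret it."""
    head, rest = read_http_head(client)
    m = re.match(rb"CONNECT ([A-Za-z0-9.-]+):(\d+) HTTP/1\.[01]\r\n", head + b"\r\n")
    if m is None:
        client.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n"); client.close(); return
    host, port = m.group(1).decode(), int(m.group(2))
    if port not in allowed_ports:
        client.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n"); client.close(); return
    upstream = connect_upstream(host, port)
    client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    if rest:
        upstream.sendall(rest)

    def pump(src, dst, tag):
        try:
            while True:
                data = src.recv(4096)
                if not data:
                    break
                if log is not None:
                    log.append((tag, data))     # the proxy's full view of the tunnel
                dst.sendall(data)
        except OSError:
            pass
        finally:
            try:
                dst.shutdown(socket.SHUT_WR)
            except OSError:
                pass

    t = threading.Thread(target=pump, args=(upstream, client, "server->client"))
    t.start()
    pump(client, upstream, "client->server")
    t.join()
    client.close(); upstream.close()


def toy_ssh_server(conn: socket.socket) -> None:
    """Stand-in for sshd: send a version banner, acknowledge the client's, hang up."""
    conn.sendall(b"SSH-2.0-ToyServer\r\n")
    banner = conn.recv(4096)
    conn.sendall(b"ACK:" + banner)
    conn.close()


def run_demo(port: int) -> dict:
    """Client, proxy and 'sshd' in one process over socketpairs; no network needed."""
    seen: List[Tuple[str, bytes]] = []
    client_end, proxy_end = socket.socketpair()

    def connect_upstream(host: str, port: int) -> socket.socket:
        a, b = socket.socketpair()
        threading.Thread(target=toy_ssh_server, args=(b,), daemon=True).start()
        return a

    threading.Thread(target=toy_proxy, args=(proxy_end, connect_upstream),
                     kwargs={"log": seen}, daemon=True).start()
    try:
        received = open_tunnel(client_end, "ssh.example.net", port)
    except PermissionError as e:
        client_end.close()
        return {"ok": False, "error": str(e)}
    client_end.sendall(b"SSH-2.0-ToyClient\r\n")
    while b"ACK:" not in received:
        chunk = client_end.recv(4096)
        if not chunk:
            break
        received += chunk
    client_end.close()
    return {"ok": True, "received": received, "proxy_saw": seen}


if __name__ == "__main__":
    print(run_demo(443))
    print(run_demo(22))
```

The proxy_saw list is the point of the exercise: the operator sees the CONNECT line and the SSH banners, and would see every byte of a plaintext protocol run through the same pipe, but has nothing to decrypt once the inner protocol's key exchange completes. A proxy that answers 403 to anything but 443, or that speaks HTTP only and refuses CONNECT entirely, is the hostile case; against the latter there is no CONNECT tunnel at all and the remaining options are protocol-over-HTTP encapsulations.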