Domain: inet-one.com
Stories and comments across the archive that link to inet-one.com.
Comments · 21
-
Re:I have a very long term solution
Easily circumvented--at least in principle.
Tunnelling does not imply a direction in which a connection is initiated.
Take for example, SSH--port forwarding is possible both from the "server" and the "client" sides. All the client has to do is accept inbound connections across the SSH tunnel. This can even be configured so the "server" accepts incoming connections from third hosts, which are then forwarded to the client.
Taking this to its logical conclusion, what I could see is a virtual IP stack residing on top of some application; maybe a packet forwarding equivalent of FreeNet. Applying the principle that you can tunnel anything across anything else, even a single TCP port open anywhere would sort of negate all this silly talk of packet filtering.
Proxies aren't an issue either, as anyone who's ever used something like this can attest.
-
Re:FORTRAN lives
Mod parent +1 funny?
You really, really don't want to use floating point for currency values. Eventually the logarithmic nature of floating point data formats will cause your calculations to be just a penny or two off.
Much better to use a BCDish class or dedicated decimal type, depending on your programming language. Worst case, do all your calculations in the smallest unit possible, e.g. cents in the US.
-
Re:Brin went ballistic!
-
Brin went ballistic!
Robert Hettinga's review described the new techniques as a solution to "David Brin's world of ubiquitous surveillance". Someone forwarded the review to Brin and he went ballistic!
Read his response here. The last thing David Brin wants to see is "translucent databases". He wants more openness and transparency, not less.
-
Ian Goldberg isn't worried
One of the people to whom Lucky Green attributes the calculation that Bernstein's machine is practical is cryptographer Ian Goldberg. Ian is well known in the crypto community and has broken a number of publicly fielded cryptosystems.
However, in a follow-up post to the cypherpunks mailing list, Ian said that he did not agree with the calculations.
In fact he says that the physical properties of the factoring machine seem "implausible", and that there is no reason to believe that the result applies to "real" key lengths like 1024 bit keys.
-
The Original SSSCA
From a posting by Peter Trei on the Cypherpunks mailing list:
The Original SSSCA.
Statement of Yakval Enti, spokesman of the MPAA (Mnemonists, Praise-singers, and Anthemists Association) to His Highness Hammurabi, King of Sumeria:
Your Majesty: I wish to call your attention to a severe threat to the security of your kingdom, and the livelihoods of thousands of your subjects.
After Shamash sets and the people kick back after a long day of growing millet, they desire entertainment. Their favorite forms are stories, tales, and sagas, told by the members of the MPAA. Talented boys spend up to 12 years learning the tales by heart at the feet of the masters. Any evening MPAA members can be found in the taverns singing the old tales, praising the praiseworthy, and creating new tales from the old.
This system has worked well since the beginning of time - there were storytellers at your coronation, there were storytellers at your father's coronation, and there were storytellers in the caves of our ancestors.
This natural arrangement is now threatened from an unexpected direction - the scribes and accountants. The geeks' system of recording numbers and quantities has been perverted to freeze speech onto clay.
Understand the threat to our business model. At the moment, if someone wants to hear 'The Tale of the Ox, the Ass and the Sumerian', they find an MPAA member, pay him, and sit back to listen to the whole four hour saga. While anyone could recall and tell others the general outline, only MPAA members know every detail and can give the listener the whole story. If you want to hear it again, you pay again. Thousands of MPAA members rely on this fact for their livelihoods.
With the recent invention of "writing" the system is in danger of collapse. We've found that some scribes are actually "recording" entire sagas onto clay. Any scribe can "read" these out to people for free or for money, complete and word-for-word, without being a member of or paying the MPAA! A scribe who has obtained a set of tablets of a story can even read it an unlimited number of times, or (worst of all) make copies. This is starting to have an economic impact on our membership. Consider Rimat-Ninsun, whose masterwork "The Epic of Gilgamesh" took him three years to create, and who looked to it to put bread on his table into his old age, as he told it for money, or let others tell it under paid license after learning it from him. 'Gilgamesh' is now circulating on 12 clay tablets, and Rimat is starving. Who will bother to create new tales if they are just going to be written down?
"Writing" presents insidious dangers to your kingdom as well. It can be anonymous. Before writing, any message arrived with a person to speak it, who could be held accountable for their speech. With writing, it is impossible to tell what scribe "wrote" a message. Anonymous threats, kidnap notes, and untraceable sedition are now possible. Clearly "writing" carries with it far greater problems for our civilization than it does advantages.
However, scribes, accountants, and their skills are essential to business, contracts, laws, and the collection of taxes. We just need to make sure that they are controlled properly.
I therefore propose the Scribal Stylus Safety Control Act (SSSCA). This requires every scribe to have an MPAA approved, "literate" slave with him at all times, peering over his shoulder. If a scribe is seen to be "writing" something other than accounting information, for example a story (stories are the province of MPAA storytellers), or a message (which should have been given to a paid mnemonist for delivery), or anything seditious, then the slave will take away the scribe's stylus and call the authorities. I ask you to have this Act "written" into your Code of Law.
Is this difficult? Yes. Is it expensive? Yes. However, it is clear that without strict controls, widespread "writing" will not only destroy the entertainment industry, it will threaten civilisation itself!
(end satire)
----------------
The SSSCA threatens to return us to a Stone Age model of information use.
Disclaimer:
The above are strictly the personal opinions of myself, and I'd be astonished if my employer had any official position on the matter (so don't pretend otherwise).
Feel free to copy this document in its entirety, with proper attribution.
Peter Trei
-
Re:Not about login password
The easiest answer I can think of is "keyboard buffers", like you'll find in applications like Z-Term - a serial console for the Macintosh that supports X, Y and Z-term file transfers.
Disabling the Nagle algorithm in telnet clients is fairly common because the character you see on the screen is usually echoed to you by the server. Having to wait 200ms for the characters to appear on your screen in clumps would be very distracting.
Having a keyboard buffer means that you will no longer use the built-in scroll-back buffer of shells such as bash or zsh. If the keyboard buffer is implemented well, it should provide you with similar functionality. In a GUI environment, you have the added advantage of copy/paste. Ideally, all keyboard interaction would be handled by a local shell (CLI or GUI), with data only sent over the network when Enter is pressed.
A big advantage of keyboard buffers is that keystroke timing over the network becomes impossible (unless, of course, you're running the terminal application under the X11 Windows System over a network). Attackers would have to resort to measuring the length of your command lines or passwords, to try to guess what you're typing (great! we know that the root password on that host is 7 characters long!).
As far as typing analysis in general is concerned, there's a mention in The Code Book by Simon Singh. He talks about traffic analysis during World War II. The French Resistance was apparently able to track Panzer divisions by the location of their radio transmissions. They could uniquely identify the Panzer division by the "fist" (tapping characteristics) of the morse-code operator, even though they couldn't decrypt the actual message.
Using a keyboard buffer helps overcome congestion (in a friendlier way than the Nagle algorithm does), avoids people identifying you through biometrics, and especially prevents hostiles using biometrics to find out what you're typing in your SSH session.
Nagle Algorithm References:
- SearchNetworking Article (explicitly states why interactive sessions will disable Nagling)
- IBM RS-6000 Support describes the rules used by the Nagle algorithm to decide which data gets delayed by up to 200ms
- RFC 896 - Congestion Control in IP/TCP Internetworks
Traffic Analysis references:
- Traffic Analysis and Cover Traffic, a posting to Cypherpunks mailing list
- The Code Book (it's dead trees, follow the link to find ISBN to buy or borrow)
-
What about benevolent hacker tools and viruses?
Granted, there might not be a lot, but there are some. Would a virus like KOH which asks if you'd like to encrypt and protect your information be illegal? The encryption can be fairly robust even.
If American sites are liable in Australian courts what can be done about a site more informative than this one? Would my link of this site where one can choose to download KOH for their MSDOS 3.1 machine or one of the other less friendly viruses be a no no? Who gets the 10 years, me or CmdTaco? Is hyperbole the primary cause of a receding hair line?
But enough about viruses. What about trojans? Back Orifice has features similar to carbon copy and pcAnywhere. The primary difference being that the creators gave both the source and program away for free. Not to mention that it uses less resources, and can typically do more (for good or ill). Is it illegal because it doesn't cost $50 dollars and come in a non-returnable shrinkwrapped box? To say nothing of spyware.
Personally, I think the world could use a few more good viruses. I think a nice macro virus that effectively muted spam could be a wonderful gift to all those outlook express users.
-
Unconquered? Same planet, same people, doh.
Sounds like a neat idea if it works but..
Closed source network hardware + Promiscuity between security layers = Lower security
So this is the latest "unbreakable" huh? I'm sure nobody at the NSA, CIA, or KGB wants to know what's in those networks too. Cute.
How do you know this isn't just opening a big fat vpn tunnel right into your company so other people can look at your network? Cuts both ways.
Oh, check out www.invicta.com -- Looks like they haven't bothered to buy up their domain for a whole year. That's confidence I suppose.. Guess there's no site to have taken down.
Another story from a year ago here.
I haven't seen anything except untechnical fluff articles and only a couple over a year. The idea of a Russian guy calling his system Latin for "Unconquered" isn't slick, it's dumb. You just need someone at their physical location, something he should know about. What idiot will trust him to install the thing?
-
Re:Two questions..
So you are saying that her nasty libel was a punishment for him not talking? That sounds like blackmail.
Blackmail isn't a word that scares me, but I don't know if it applies in this case. "Punishment", however, very much does. If Hafner had said to Mitnick something along the lines of "How else is your side of the story going to appear in my book if you don't let me ask you a few questions?", then in some way that might be an unpleasant level of pressure, but nothing a reporter for Newsweek wouldn't be using in the daily course of business anyway. Many subjects don't want to be interviewed, especially when they know their cases are notorious and already overblown, and when the wife of the journalist who got your face on the front page of the New York Times as an FBI's Most Wanted Computer Hacker is there with a pen and a notebook, you already know the article/book being researched isn't going to laud your existence anyway. Mitnick, who was not exactly resplendent in monetary fortune, is not all that out of line to ask for compensation to tell his exclusive story to a couple of book authors who are going to rake in some bucks for splattering his name across the front of their primary-colored book on "Outlaws on the Computer Frontier". And Markoff/Hafner wouldn't be the first authors to not stay their hands in writing about their subject after they're turned down.
By the way, I'm not the first to delve into the intricacies of this debate. And I'm sure I won't be the last.
- Jason Scott
textfiles.com
-
spammers, trolls, flooders, script-kiddies
Part of the problem is that there are a lot more assholes who delight in destroying newsgroups and filling them up with garbage.
One of these characters is Gary Burnore. Some of you San Francisco Bay Area people might remember him as one who managed to piss off most of the ISPs around there and anyone heavily involved in database management. More of you might remember him as the one who harassed Jeff Burchell into shutting down the Huge Cajones anonymous remailer because someone fingered him for child molestation; a charge for which he was subsequently convicted. In revenge, he had his now wife impersonate a lawyer to get the nonexistent logs of Huge Cajones shortly after Helena Kobrin harassed Jeff to get the same nonexistent logs. Jeff shut the remailer because of this.
Gary violated probation by leaving California for Raleigh, NC where he offers network services primarily to trolls, flooders, spammers, and other vandals and shields them from complaints. He and his sycophants have been known to threaten lawsuits, make physical threats, launch denial of service attacks, and make up stories to get critics kicked off their ISPs.
Usenet is attracting many more psychopaths just like Gary. They don't care how many people they piss off, nor are they concerned about possible legal consequences or retaliations.
Desert Rat
-
I don't have much faith in the FBI's software!
After all, they have to ask convicted, admitted pedophile, Patrick Naughton inventor of Java (the language of choice for pedophiles), to write software for them.
Imagine the logic here! Pedophile Patrick was supposed to be some sort of software genius, yet he was tricked into talking to a Fed in an IRC chat room. How smart could he be?
-
Re:Paco Rabanne
Actually, most people thought that the earth flyby of the Cassini probe was the object of Nostradamus' prophecy.
-
Re:This is something NEW, folks
> So what this really is is something like Java on steroids
Gee, that's all we need! Another pedophile programming language for PERVERTS only good for writing applications like this!
--- Speaking only for myself,
-
napster + paypal = tipster
http://www.inet-one.com/cypherpunks/dir.2000.07.24-2000.07.30/msg00387.html
"if the ID3 spec was extended to store an unlimited amount of data encoded as XML, right inside the MP3 file, one of the many cool things you could store is a digital signature. Note that this does not mean that the files are encrypted. They simply have a digital signature appended onto the end of them which can only have been created by a certain private key. Given the corresponding public key, which you need anyway to validate the signature, you can now have cryptographically secure voluntary transactions with the person who signed the file."
is that not fucking cool or what? ideally, i'd like to see this built into the ogg vorbis codec (http://www.xiph.org/ogg/vorbis/ -- an open codec to make mp3 obsolete, baby) right from its inception. goddamn, we could actually yank the rug out from under the mpaa, the riaa, and all the other motherfuckers who are trying to achieve complete control over the means of distribution!
please, i beg of you, spread the memes! as a semi-serious musician, and a semi-serious cypherpunk who thinks that patterns can never be property (but that making music is a service), i think that the tipster protocol (or an fda-approved substitute ;) ) is exactly what the world needs with respect to the current "starving artists vs. record companies vs. incredible ease of distribution" digital music debate.
-
Unix Is Not Windows
Wow, it seems Miguel was more taken by Microsoft and COM/COM+/DCOM than was obvious from the last time he mentioned components on slashdot. Miguel is right that Unix would benefit from a component model but he needs to put things in historical context.
COM is descended from Object Linking and Embedding which was a way to have objects created in one application to be reusable by another. Basically MSFT's entire component revolution can be traced back to the "drag and drop an Excel spreadsheet into a Word document" problem. Everything that has occurred since then, COM+ (reusable components independent of language), DCOM (distributed reusable components) and now .NET (cross language inheritance of objects/components), can all be traced back to trying to solve that problem and variations thereof. The early implementations of COM were not some grand engineering effort to create a modular componentized system but sophisticated hacks to solve the drag N drop problem. This is not to say that MSFT's COM has not come a long way; after all, it has enabled them to create what has been described as the largest software engineering feat of all time. 35 million lines of code and counting.
Now on the other hand, Unix applications until very recently did not have the cross communication problem that Windows apps had. Everything is a file, if I want to communicate between applications I simply use a pipe. All files I could possibly want to edit can be viewed in Emacs. To put it simply there was no need for a reusable component model simply to share data between applications.
Now decades after Unix was invented (which predates Windows and COM by over a decade) maybe time has come for that paradigm to shift.
-
Re:This was predicted some time ago
PGP's real importance was that you _could_ use it, and you could get it easily, and everybody rubbed the government's face in the fact that the laws against crypto publishing directly violated the First Amendment, plus Phil had the guts to stand up to them publicly, with good lawyers backing him. This not only had excellent PR value, but got a lot of people interested in crypto. From a more practical standpoint, it was Netscape's decision to include SSL, even with wimpy crypto, that moved the public perception of crypto from "something only spies and paranoids and occasional political activists use" to "of course I use it, how else would I send my credit card number across the Internet without getting ripped off!" Even now most of the public doesn't send much encrypted email (even the cypherpunks don't send huge amounts of encrypted email), but everybody knows you can, and everybody knows you should always use encrypted form for your credit cards and other sensitive personal information, because otherwise Hakk3rZ will steal it, and that's a good start. (Sigh - if you can't get the public to use a term correctly, at least you should exploit the heck out of their misuse :-)
The real place that cryptography has been left out has been the Voice-over-IP telephony world. The de facto standard H.323 doesn't do it, though some of the newer protocols like SIP and MGCP provide hooks or full mechanisms for it, and most of the proprietary Internet telephony programs don't appear to support it either. This means that we're building an easily wiretapped infrastructure for international calls, and starting to build one for US domestic calls as well (and at least in the UK, wiretapping ISPs is easier legally than wiretapping telephones.) On the other hand, H.323 is somewhat of a lowest-common-denominator protocol, and the newer protocols will probably be adopted because of increased functionality; until then we'll need to get IP telephony services to adopt IPSEC.
IPSEC is still only marginally ready for prime time, but capabilities and compatibility of free and commercial implementations are improving, and there's substantial business demand pulling them. The automotive industry ANX network jumpstarted it, but the cost advantages of dial internet compared to running your own modem pools are one of the big drivers, and for some industries, the ability to use the internet instead of private frame or ATM networks for corporate traffic is also a big economic win, though that's more dependent on communication patterns.
I suspect end-to-end encryption for cellphones will be a small niche market for a long time, as opposed to encrypting the airlink from the phone to the cell site. What may change it is the obvious interconnection between voice over IP and cellphones merging into internet telephony to the cellphone. Cellphones already digitize and compress voice, which is one of the hard parts, but cellphones take a telephony-centered view of mobile connectivity which will take some work to merge with the still-evolving mobile IP technology. The obvious first level of integration is gateways between the cellphone carriers and the internet voice carriers, which makes it easy to still charge by the minute for cellphones. In countries that use handiphone service (mostly Asia - it's the "you can use the phone anywhere but we don't switch cells, so you can't move very far" dumb cheap technology), it wouldn't be too hard to integrate a handiphone base station with DSL so anybody could run their own microcell and get their cut of the cellphone charges, which has viral marketing possibilities that are harder to implement in a usable-while-moving true cellular system.
-
It's a Good basic introduction
The article hits many of the basic topics, though I'd like to see Diffie-Hellman Key Exchange mentioned, and some coverage of the Web Of Trust and other key-cert approaches.
The big thing it needs is pointers to other resources - things like pgp.com, counterpane.com and Bruce Schneier's Applied Cryptography book, the Cypherpunks Archive, Ron Rivest's pages, and of course digicrime.com.
-
New URL for this excellent summary
That URL is now out of date and the article has been archived here.
-
New URL
The post got moved out of "current". It's here now:
http://www.inet-one.com/cypherpunks/dir.1999.12.27-2000.01.02/msg00064.html
-
Re: Attacks on (2n){Crypto-system}
From what I've read, and further extrapolated, even-numbered layers of crypto (2DES, 6DES, 8-Blowfish, etc...) are (or may be) vulnerable to meet-in-the-middle attacks that take only a little more time than (N-1)Algorithm and maybe 2{Algorithm}. I don't know if this makes the risk terribly significant for [468..]DES/Blowfish since I'm not a crypto expert.
http://www.inet-one.com/cypherpunks/dir.95.10.25-95.10.31/msg00136.html has a little bit about MITM and 2DES.
The FreeS/WAN project has a more explicit explanation: http://www.xs4all.nl/~freeswan/freeswan_trees/freeswan-1.00/doc/glossary.html#meet on MITM attacks and what it entails.
-Paul