The point is that they're deliberately kept underfunded and underpowered, thus any decisions they make will by nature be essentially, "Did the lawyers dot their T's and cross their I's?"
That's all they're paid to do, that's the only infrastructure they can put together.
An advisory committee is, sadly, a PR move. Their corruption runs pretty deep; their own head stated quite plainly he'd patent a legal argument if he could get away with it. It's not corruption in the personal sense; they're just an agency with a subverted mission and a gigantic loophole. The best the agency could do would be reject every single Net related patent--and watch themselves get taken over by a new administration.
Patents are an extraordinarily powerful tool of control, and quite a few law schools are churning out people who are more than capable of taking advantage of that. Don't expect a Citizen Action Committee to be able to do too much to change this, unfortunately.
It's an excellent gesture, though, and ESR is a great pick.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
Or--here's a neat one--the author of a piece of code, perhaps a whole source file, who adds it to a project under the GPL and then, a week later, at work, decides to include it in a closed-source, commercial project there. Can code be un-GPLed?
This is wrong, wrong, wrong.
An author can reuse code all they want. They can license the code into the GPL common pool, and then turn around and do whatever they like with it--make their own secret derivations without deriving the source, most obviously.
This actually starts to get a bit sticky when core developers take patches from the outside world on GPL terms and then, since they're the copyright owner, incorporate those into closed source releases. But it's generally accepted that primary authors who do the initial work of coding the app, as well as all the request handling and patch integration, do have the legitimate right (as long as the patches are not too extensive) to relicense privately. Aladdin, with Ghostscript, does this commonly to give printer manufacturers customized PostScript capabilities.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
To believe that no one has ever held the "source" for humans and other living things is akin to believing that you could find an intricate piece of machinery (a watch, for example) lying on the ground that had somehow assembled itself and was designed by no one.
Whoa there, McCarthy. I'm not saying there's no God, or Allah, or Yehova, or anything else of that nature. I just prefer not to limit that guiding force to any single moment of creation, saying that It (the correct pronoun doesn't exist) needed to have all time and all thought forged at once.
What could be more interesting to a Creator than a universe he did not Create? Think about that. Think about how cool self-optimizing code is to us hackers. Look at the talk of genetic algorithms. Are you saying we can pull off stuff our own creator can't?
Actually, that'd be really interesting wouldn't it...
(I actually wouldn't have replied to this, but I've been having an inordinate amount of fun reading the online comic strip Acid Reflux, which really should be read from the beginning but has a pretty good summary right about here...call me a blasphemer if you like; I just love the concept behind this strip!)
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
First off, this lawsuit goes back to 1994, long before popup ads could be turned off.
Secondly, the ability to turn the ads off isn't particularly simple to find (remember, this is a service that built its success on knowing exactly how to make things simple to find; anything that wasn't simple within AOL was made intentionally not simple).
Finally, and this is important, the ads would come back on their own. In security, we make things a pain in the ass when we want to convince the users to use a more secure alternative (i.e. ssh-agent and RSA keys vs. passwords at every prompt). For AOL, it's "Watch the ads, and you won't have to keep turning them off."
They'll settle out of court; they really don't want their advertising dirty laundry getting aired. Remember, this is the company that got UCITA in their state before anyone else.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
AOL is really a useless ISP. Basically it's like comparing Barney and Friends or Teletubbies to say Hamlet.
AOL merged with Time Warner owns your Cable Modem connection. AOL stopped fighting for others to be able to share that connection just as soon as Time Warner agreed to merge with it and make Steve Case its new public figurehead. AOL is the first major company to be covered by UCITA.
You forget just how popular Barney and Teletubbies are in comparison to Hamlet.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
Everybody reading this message knows somebody affected directly by UCITA, because almost all of us know somebody who uses America Online.
That's right, AOL is covered by the laws and institutions of the State of Virginia.
So if anything about UCITA scares you, somebody you know is being threatened, even if they live next door.
You're their friends. You're their family. You're the one they go to to keep them safe from the black hats of the world.
Black Hats learned long ago--social engineering is more effective than almost any hack. Legal engineering, my friends, is an order of magnitude worse. Welcome to UCITA, and the new breed of Cracker.
Want to protect your friends? Do something to fight Virginia.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
These things are an absolute nightmare for any politician, and here's why:
There's a standing expectation of a shakeout throughout e-commerce. Nobody knows when it'll happen, but companies are being valued less than the cash they have in the bank. Yeouch.
Any politician who applies the tax before the crash will get blamed for that crash, and will see his career disappear with the stock value. Any politician who applies the tax after the crash will find himself kicking an industry when they're down, and blamed if it doesn't get back up again.
The only thing that might work is if an e-commerce tax is used to pay for an Internet Bailout. I actually see that as the most likely exit strategy for a lot of institutional investors--Be There For The Bailout.
Could be wrong, though.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
Just took a course in Law And Society. Interesting class, actually. Taught by, of all things, an IP Lawyer. (Yes, I actually screwed up and exposed my opinion of his profession. I've never been so profusely embarrassed ;-)
One of the books we studied was The Process Is The Punishment. One of its central tenets is, when you get down to it, the bureaucracy isn't accidental or undesired. It's part of the process of criminal law, meant to break down and assault those caught in its maw.
The lines that Katz complains about aren't just there accidentally. They enforce discipline, respect, and fear. Fear of a wasted day, fear of an inexplicable fine, fear of a missing sheet of paper.
If you never had to wait in line, maybe you'd never realize there was a government out there who could do much, much worse to you if you didn't pay your taxes.
Think of DMV as the PR branch for the IRS. ;-)
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
mdpopescu--
If you've got a cogent point to add, please, do so. I don't hold the monopoly on clues; I expect to fuck up pretty harshly in my life. It's part of crypto; you fuck up.
This was billed as a means of encryption; it fails miserably in that regard. Key material is retrieved over a network, or is compromised when it is submitted to a network. Methodologies of dealing with files greater than 128kb aren't even mentioned. Recipes end up causing a single block to be the non-innocent one. No block that is innocent really is functionally that.
And so on! Really, I'd love a better response. Crypto's what I do, and I wrote the previous rant on not *too* much sleep. You've gotta admit, Madore's system just isn't very good crypto, but if I missed the reasons why it isn't, I'm all ears.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
The obfuscation isn't actually in the .DOC format; it's in the fact that Word itself reads the statements contained within the .DOC format in confusing and illogical ways.
Yet, this readability has been maintained from Office 95 thru Office 97 to Office 2000. (Let's not even talk about Word for Mac!)
This just isn't possible unless Microsoft has internal conformance specifications that they follow from revision to revision.
We know the specs exist because it literally would have been impossible for Microsoft to have functioned without them.
98% of Word documents don't use any advanced Word features. In fact, 98% of Word documents should be saved in RTF format, and lose nothing of value in the translation. With these specifications, the #1 thing companies could do would be to implement a DOC->RTF filter *at the mail gateway* and be done with 98% of Macro Virii.
Will it happen? Nah. The Word Monopoly is just too critical to Microsoft's success. It really is.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
Can't imagine why. It's like, couple words out of Shannon saying a system can be provably uncrackable, as long as it's far too annoying to actually use, and people convert that to:
Let's just make it not annoying to use.
Problem is, the security comes from that annoyance, and degrades ungracefully: Very, very ungracefully. As in, the moment one pad gets compromised, or even reused, boom. Game over. You're done.
Compound that by having key material retrieved by the encryptor over a network (as this system depends on), and you're even more done. Let's analyze what's going on here a bit.
All cryptosystems are essentially engines for extracting the secrecy from a set of data. Secrecy is something even more intangible than the raw data that itself is secret; a very large quantity of information can be stored and transferred, but a secret can only be transferred if that data can be understood. Cryptography essentially works by allowing the comprehensibility of data--though not the data itself--to be extracted and simplified down to some other piece of data.
Now, often that data can be much, much smaller. Broadbridge Media, for instance, takes direct advantage of this for reasonably secure mass data distribution of music videos on CDs--some large ciphertext gets mass distributed on CDs or DVDs, while a small, personalized transaction over the Internet allows an individual to retrieve the key which decrypts the ciphertext into plaintext. The mass data is moved, but remains incomprehensible until a relatively tiny amount of key material is transmitted to the destination host.
Madore's system is somewhat similar; he still has a chunk of extracted secrecy composed of a "recipe of pads" which, when XOR'ed together, reveal the plaintext. This recipe can be as small as literally two pads; an innocent "complete works of Shakespeare" page and some extension thereof.
First problem? Madore gets his pad indexes from the first couple of bytes of whatever pad he's come across. PGP has survived reasonably well with a 2^32 complexity attack against its public keyspace indexes (it's called the DEADBEEF attack); Madore's system however is likely to find collisions in everyday use.
It never ceases to amaze cryptographers that, for all the functionality of the fixed-output, one way hash (password storage, small indexes to arbitrarily sized inputs), people don't use them. There really aren't that many flat out solved problems in all of crypto, this is one of them. IF YOU'RE NOT STORING YOUR PASSWORDS AS EITHER MD5 OR SHA-1 HASHES, YOU'RE WAITING TO GET HACKED. *sigh*
Anyway, beyond that small chunk of data which gives the recipe of which block to use, there's also the censorworthy-but-XOR-obfuscated block which will supposedly diffuse itself throughout the network. Whereas Broadbridge got its incomprehensible data out the door on CDs, Madore's system invokes the distributed nature of many, many XORable keyblocks to hide which block on the network is the actual censor-worthy block.
But how many blocks do I need to use for a recipe? Suppose I have 200 random blocks to choose from, and I download one block of random key material. Wait. Let's say I'm really paranoid, and I generate my own random block to XOR against, and upload it to a server. OK. So I've gotten my single block to XOR against, I do so, and I upload my data-containing block to the padservers.
I've already lost.
Whether I downloaded my keyblock from the network, or uploaded it to the network, anybody sniffing my network traffic will see the exact block I used to encrypt against. They'll either watch it leaving the keyserver or going back in.
Worse, let's assume there was no sniffer--just 201 random blocks, any two of which can be XORed together to reach plaintext. The complexity isn't one of fifty billion, it's 201*201, or a good 40,401 operations. Use of two pads isn't particularly specified...but then, use of this as a viable encryption system isn't particularly specified either. You can tell, by this line:
"Your first task is to locate an announcement stating that the data you want are recoverable by XORing such a set of pads."
Oh, that's all.
"Go find your key."
Obviously, with no special complexity applied to locating your key, there's nothing that separates You As Reader from You As Censor. And, since whoever determines a key used *once* for secret information determines it for all time...boom.
But, let's be fair. Madore's goal mainly seems to be able to give websites the capability to host information they can't recognize. Freenet did this; Madore doesn't actually even come close. Among other things, the system isn't particularly fault tolerant. Good secret sharing systems allow m-of-n functionality, i.e. retrieval of any m number of shares from n total (like 3-of-5) reveals the data. This system? Any block is missing--and there doesn't need to be more than two--and your data is gone. Loss of a single pad archive is likely to cause some data to disappear forever. Ouch.
Honestly, I'm putting too much energy into this. Madore writes the following:
The pads, of course, are just named by their 16-hex-digit names (thus, strictly speaking, the announcement makes it possible to recover the first eight characters of the data; but that should not be a problem).
Any cryptosystem which leaks information about the plaintext in the key material never should have left the drawing boards. I congratulate Madore on noticing this, of many flaws in his design, but this really is Bad Crypto. It's timely, and it's useful, and it'll hopefully prevent people from falling for other Pad scams by sheer nature of the /. reaction, but it's still Bad Crypto.
*Sigh* At least he wasn't trying to sell us anything.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
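The two-pad recipe criticized in the comment above, as an added illustration; this is not code from Madore's system or from the comment's author. The 64-byte block size, the in-memory pad store, the printable-text check and every function name are assumptions made for the demo. It shows the name leak, the pair search (20,100 unordered pairs, inside the 201*201 bound the comment gives), and the loss of data when one pad goes missing.

```python
import itertools
import secrets

BLOCK = 64  # assumed block size for this demo, not a figure from the page


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def name_of(block: bytes) -> str:
    """Pad name as quoted in the comment: 16 hex digits = first 8 bytes."""
    return block[:8].hex()


def publish(store: dict, plaintext: bytes) -> list:
    """Two-pad recipe: one fresh random pad plus (plaintext XOR pad)."""
    data = plaintext.ljust(BLOCK, b" ")[:BLOCK]
    pad = secrets.token_bytes(BLOCK)
    hidden = xor(data, pad)
    for blk in (pad, hidden):
        store[name_of(blk)] = blk
    return [name_of(pad), name_of(hidden)]  # the public "announcement"


def recover(store: dict, recipe: list):
    """Intended reader: XOR every named pad; None if any pad is gone."""
    out = bytes(BLOCK)
    for name in recipe:
        if name not in store:
            return None  # no m-of-n redundancy: one lost pad loses the data
        out = xor(out, store[name])
    return out


def leak_from_names(recipe: list) -> bytes:
    """XOR of the pad names alone yields the first 8 plaintext bytes."""
    out = bytes(8)
    for name in recipe:
        out = xor(out, bytes.fromhex(name))
    return out


def looks_like_text(buf: bytes) -> bool:
    return all(32 <= c < 127 for c in buf)


def pair_search(store: dict):
    """Reader-as-censor with no recipe: try every unordered pair of blocks."""
    trials = 0
    for a, b in itertools.combinations(store.values(), 2):
        trials += 1
        candidate = xor(a, b)
        if looks_like_text(candidate):
            return candidate, trials
    return None, trials


def demo() -> dict:
    store = {}
    for _ in range(199):  # constructed decoy pads; 201 blocks once published
        blk = secrets.token_bytes(BLOCK)
        store[name_of(blk)] = blk
    secret = b"CONSTRUCTED SAMPLE: meet at the usual place"
    recipe = publish(store, secret)
    plaintext = secret.ljust(BLOCK, b" ")
    recovered = recover(store, recipe)
    leak = leak_from_names(recipe)
    found, trials = pair_search(store)
    del store[recipe[0]]  # simulate one pad archive disappearing
    return {
        "plaintext": plaintext,
        "recovered": recovered,
        "leak": leak,
        "found": found,
        "trials": trials,
        "after_loss": recover(store, recipe),
    }


if __name__ == "__main__":
    result = demo()
    print("leak from names:", result["leak"])
    print("pair search trials:", result["trials"])
    print("after losing one pad:", result["after_loss"])
```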
You've got security clearance. This clearance is dependent upon those associated with you giving valid impressions of your character.
You've got somebody intentionally poisoning said impressions of your character. This makes it more difficult for a background checker to determine whether a negative statement about you from *anyone* derives from a valid observation or an intentionally falsified statement. Meanwhile, you're still in a situation where you're directly involved with improving the national security of this country.
You could be trustworthy, but since the feds would be left unable to verify you as such, you'd lose your clearance. Since this loss was unwarranted, national security's been harmed.
You could be untrustworthy, but since the feds have been left unable to believe statements made by your peers, you'd keep your clearance. Since this retention of privileges was unwarranted, national security's been harmed.
Now obviously, they're more likely to make more mistakes towards the former than the latter. But each unjustified strippage ends up reducing their power and their ability to do their jobs. You want to tell me that these guys would never go ballistic on some asshole spreading rumors trying to get laid? People like that provide camouflage for those who genuinely do arouse suspicion in those around them.
Ever wonder why the Secret Service responds so quickly to threats against the President's life? It's because the empty threats themselves mask the importance of the valid ones. It's simple signal to noise.
Of course, government generally tries not to be too intrusive, but these guys make their living being intrusive. If somebody's spreading counterintelligence to get laid, I'd assume he'd get notified of just Why You Don't Do That.
Last I checked, government folk didn't take kindly to somebody running spoof operations on them.
A couple Men In Black showing up on the doorstep of somebody directly, intentionally, and maliciously threatening the validity of their very precious data sources (a.k.a. the average citizenry) has a way of instilling newfound respect for the social values of honesty in such an individual, wouldn't ya think?
That said, though, I can recall hearing nothing but cheers on /. the last time a M$ internal memo got leaked...
Microsoft is the kind of company that would ship a remotely controllable testicle vice with every Windows CD and make you agree to wear it as a condition of your EULA if they figured they could get away with it.
Someone else uses your serial number? *Squoosh*
About all they've been able to get away with thus far is just refusing to ship installation routines with their operating systems anymore. Install Linux? Want to go back? *Squooosh* goes your data, imaged to oblivion.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
And...? The subscription model doesn't? Hell, the DVD-Audio model doesn't?
Isn't it ironic that everyone wants the CD dead? Techies want compressed digital audio, industry wants your ossicles to be trade secreted.
And yet, I can't imagine anything else that could have killed the CD...
Record industry may be unwilling to support this transition (gut their bottom line)
And...? An existing oligopoly might be afraid of making less money?
Record stores (Tower Records) obsoleted.
This is incriminating? Boy. CD Now is screwed.
Of all the things to call incriminating, these sure don't qualify. Transitioning an entire industry into a new level of technology which lowers margins for some players and entirely eliminates others...last I checked, we did have some kind of public policy which advocated competition. This is starting to reflect the ugliest aspects of the Microsoft trial.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
Nobody disputes the author's right to redistribution under whatever terms he wants, as often as he wants.... but he cannot revoke his initial GPL on his code.
No, he cannot revoke the original GPL.
He can, however, incorporate it into a private codebase without any concerns, particularly without infecting the rest of the codebase.
--Dan
This is absolutely hilarious, for all the most subtle of reasons! :-)
Bravo!!!
--Dan
Want to see something interesting?
Go to this page within the Entrez browser of Genbank. Click Begin Download...and watch:
And so on, so forth, for 33Mb worth...Chromosome 22.
It's a bit dump, folks, with two bits per character. That's it. cat /dev/sequencer | gendump. (Yeah, yeah, abuse of unix commands. Too simple to resist.) Of course, what made this so ungodly difficult was getting the sequences straight--vast amounts of data, no headers, and a flaky character mode device. Not simple to get this data; they essentially needed to repeatedly run the data through the analyzer and look for patterns which constantly repeated to determine how everything lined up within the chromosome.
We don't know what any of it does, of course. We have ideas, implemented using the crudest of methods. The last time I tried to figure out what a piece of code did by commenting it out, I actually felt pretty good about myself--that's what genetics researchers do, and it is what they're wanting to patent, right or wrong.
We've got the bits. Now we've got to figure out what they do. The entire field of computational biology has been created to decode this mess...I'm truly looking forward to seeing open source genome analysis tools come out of this.
Open Source analysis of a system within which Source has never existed. That should be interesting.
Entertaining tidbit: The CEO of Celera will likely have his own genome sequenced and released publicly. Contrary to popular belief, this has nothing to do with the Human Genome Project's threat that "your ass is mine." (Kidding ;-)
Yours Truly,
Did you know that Virginia is home to the world's largest naval base--and the Pentagon!?
I bet the Pentagon is a huge fan of Self-Help.
--Dan
There was a bit of a head-to-head between the two memory patches; which one is in the test?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Kaa--
Makes sense--means that you can't buy anything cheaper simply from going out of state.
Thanks for the info.
--Dan
(Warning: I am not an accountant.)
Now wait a second.
Sales Tax is levied against the state of sale, not the state of purchase. If your company has legal presence in Pennsylvania, and purchases something in Pennsylvania, you're obviously liable for Sales Tax.
However, if your company has legal presence in Pennsylvania, and you're purchasing something from Illinois, then the right to apply Sales Tax to that purchase falls to Illinois, not Pennsylvania. (Of course, if you've got legal presence in Illinois as well, they're going to make you pay.)
If Pennsylvania is attempting to tax a sale that did not occur within their jurisdiction, they're likely violating interstate commerce laws. At minimum, you might be able to argue away the penalties on the basis that you couldn't reasonably have been expected to interpret the tax code in the same way as the auditor. Most likely, you should retain a genuine taxation attorney and ask his or her advice. It's likely to be less than the cost of your painful tax bill.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Just took a course in Law And Society. Interesting class, actually. Taught by, of all things, an IP Lawyer. (Yes, I actually screwed up and exposed my opinion of his profession. I've never been so profusely embarrassed ;-)
One of the books we studied was The Process Is The Punishment. One of its central tenets is, when you get down to it, the bureaucracy isn't accidental or undesired. It's part of the process of criminal law, meant to break down and assault those caught in its maw.
The lines that Katz complains about aren't just there accidentally. They enforce discipline, respect, and fear. Fear of a wasted day, fear of an inexplicable fine, fear of a missing sheet of paper.
If you never had to wait in line, maybe you'd never realize there was a government out there who could do much, much worse to you if you didn't pay your taxes.
Think of DMV as the PR branch for the IRS.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Hartwell--
There are two components here:
Information Hiding, via Encryption.
Secret Sharing, via Split Chunks and Recipes.
As an encryption system, this fails. Madore admits this. But it's still an encryption system in one very classical sense: You have one block which is equal to ciphertext.
Not two, not three, not m of n.
One.
And it's one block, which never changes. One block, which can be easily identified. One block, which is dependent upon network retrieved keying material.
There are far, far better ways of doing steganography, secret sharing, and cryptography as a whole. That's my point.
--Dan
The legacy code issue would be logical except for its surprising portability to alternate platforms, i.e. Macintosh.
--dan
mdpopescu--
If you've got a cogent point to add, please, do so. I don't hold the monopoly on clues; I expect to fuck up pretty harshly in my life. It's part of crypto; you fuck up.
This was billed as a means of encryption; it fails miserably in that regard. Key material is retrieved over a network, or is compromised when it is submitted to a network. Methodologies of dealing with files greater than 128kb aren't even mentioned. Recipes end up causing a single block to be the non-innocent one. No block that is innocent really is functionally that.
And so on! Really, I'd love a better response. Crypto's what I do, and I wrote the previous rant on not *too* much sleep. You've gotta admit, Madore's system just isn't very good crypto, but if I missed the reasons why it isn't, I'm all ears.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
You know, I've been thinking about this.
The obfuscation isn't actually in the .DOC format; it's in the fact that Word itself reads the statements contained within the .DOC format in confusing and illogical ways.
Yet, this readability has been maintained from Office 95 thru Office 97 to Office 2000. (Let's not even talk about Word for Mac!)
This just isn't possible unless Microsoft has internal conformance specifications that they follow from revision to revision.
We know the specs exist because it literally would have been impossible for Microsoft to have functioned without them.
98% of Word documents don't use any advanced Word features. In fact, 98% of Word documents should be saved in RTF format, and lose nothing of value in the translation. With these specifications, the #1 thing companies could do would be to implement a DOC->RTF filter *at the mail gateway* and be done with 98% of Macro Virii.
Will it happen? Nah. The Word Monopoly is just too critical to Microsoft's success. It really is.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
*Sigh*
Everybody loves the One Time Pad.
Can't imagine why. It's like, couple words out of Shannon saying a system can be provably uncrackable, as long as it's far too annoying to actually use, and people convert that to:
Let's just make it not annoying to use.
Problem is, the security comes from that annoyance, and degrades ungracefully: Very, very ungracefully. As in, the moment one pad gets compromised, or even reused, boom. Game over. You're done.
Compound that by having key material retrieved by the encryptor over a network(as this system depends on), and you're even more done. Let's analyze what's going on here a bit.
All cryptosystems are essentially engines for extracting the secrecy from a set of data. Secrecy is something even more intangible than the raw data that itself is secret; a very large quantity of information can be stored and transferred, but a secret can only be transferred if that data can be understood. Cryptography essentially works by allowing the comprehensibility of data--though not the data itself--to be extracted and simplified down to some other piece of data.
Now, often that data can be much, much smaller. Broadbridge Media, for instance, takes direct advantage of this for reasonably secure mass data distribution of music videos on CDs--some large ciphertext gets mass distributed on CDs or DVDs, while a small, personalized transaction over the Internet allows an individual to retrieve the key which decrypts the ciphertext into plaintext. The mass data is moved, but remains incomprehensible until a relatively tiny amount of key material is transmitted to the destination host.
Madore's system is somewhat similar; he still has a chunk of extracted secrecy composed of a "recipe of pads" which, when XOR'ed together, reveal the plaintext. This recipe can be as small as literally two pads; an innocent "complete works of Shakespeare" page and some extension thereof.
First problem? Madore gets his pad indexes from the first couple of bytes of whatever pad he's come across. PGP has survived reasonably well with a 2^32 complexity attack against its public keyspace indexes(it's called the DEADBEEF attack); Madore's system however is likely to find collisions in everyday use.
It never ceases to amaze cryptographers that, for all the functionality of the fixed-output, one way hash(password storage, small indexes to arbitrarily sized inputs), people don't use them. There really aren't that many flat out solved problems in all of crypto, this is one of them. IF YOU'RE NOT STORING YOUR PASSWORDS AS EITHER MD5 OR SHA-1 HASHES, YOU'RE WAITING TO GET HACKED. *sigh*
Anyway, beyond that small chunk of data which gives the recipe of which block to use, there's also the censorworthy-but-XOR-obfuscated block which will supposedly diffuse itself throughout the network. Whereas Broadbridge got its incomprehensible data out the door on CDs, Madore's system invokes the distributed nature of many, many XORable keyblocks to hide which block on the network is the actual censor-worthy block.
But how many blocks do I need to use for a recipe? Suppose I have 200 random blocks to choose from, and I download one block of random key material. Wait. Let's say I'm really paranoid, and I generate my own random block to XOR against, and upload it to a server. OK. So I've gotten my single block to XOR against, I do so, and I upload my data-containing block to the padservers.
I've already lost.
Whether I downloaded my keyblock from the network, or uploaded it to the network, anybody sniffing my network traffic will see the exact block I used to encrypt against. They'll either watch it leaving the keyserver or going back in.
Worse, let's assume there was no sniffer--just 201 random blocks, any two of which can be XORed together to reach plaintext. The complexity isn't one of fifty billion, it's 201*201, or a good 40,401 operations. Use of two pads isn't particularly specified...but then, use of this as a viable encryption system isn't particularly specified either. You can tell, by this line:
"Your first task is to locate an announcement stating that the data you want are recoverable by XORing such a set of pads."
Oh, that's all.
"Go find your key."
Obviously, with no special complexity applied to locating your key, there's nothing that separates You As Reader from You As Censor. And, since whoever determines a key used *once* for secret information determines it for all time...boom.
But, let's be fair. Madore's goal mainly seems to be able to give websites the capability to host information they can't recognize. Freenet did this; Madore doesn't actually even come close. Among other things, the system isn't particularly fault tolerant. Good secret sharing systems allow m-of-n functionality, i.e. retrieval of any m number of shares from n total(like 3-of-5) reveals the data. This system? Any block is missing--and there doesn't need to be more than two--and your data is gone. Loss of a single pad archive is likely to cause some data to disappear forever. Ouch.
Honestly, I'm putting too much energy into this. Madore writes the following:
The pads, of course, are just named by their 16-hex-digit names (thus, strictly speaking, the announcement makes it possible to recover the first eight characters of the data; but that should not be a problem).
Any cryptosystem which leaks information about the plaintext in the key material never should have left the drawing boards. I congratulate Madore on noticing this, of many flaws in his design, but this really is Bad Crypto. It's timely, and it's useful, and it'll hopefully prevent people from falling for other Pad scams by sheer nature of the /. reaction, but it's still Bad Crypto.
*Sigh* At least he wasn't trying to sell us anything.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
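The pair search and the pad-name leak described in the comment above, as an added example that is not part of the original post or of Madore's software. The 64-byte block size, the constructed plaintext and the printable-ASCII test are assumptions made for the illustration, and pad names are taken to be the first 8 bytes of each block, as the quoted "16-hex-digit names" passage implies.

```python
import os
from itertools import combinations

BLOCK = 64  # assumed block size for this demo only
SAMPLE = b"censor-worthy document body, constructed sample"  # constructed plaintext

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pad_name(block):
    # Assumption: a pad's 16-hex-digit name is its first 8 bytes.
    return block[:8].hex()

def publish(plaintext, pool):
    """Two-pad recipe: random pad plus (plaintext XOR pad), both stored in the pool."""
    pad = os.urandom(BLOCK)
    data_block = xor(plaintext.ljust(BLOCK, b" "), pad)
    pool.extend([pad, data_block])
    return [pad_name(pad), pad_name(data_block)]  # the public "announcement"

def looks_like_text(block):
    return all(32 <= c < 127 for c in block)

def pair_search(pool):
    """What reader and censor alike can do without the announcement:
    XOR every unordered pair and keep the results that read as text."""
    tried, hits = 0, []
    for a, b in combinations(pool, 2):
        tried += 1
        candidate = xor(a, b)
        if looks_like_text(candidate):
            hits.append(candidate)
    return tried, hits

def leaked_prefix(recipe):
    """XOR of the pad names alone gives the first 8 plaintext bytes."""
    out = bytes(8)
    for name in recipe:
        out = xor(out, bytes.fromhex(name))
    return out

def demo():
    pool = [os.urandom(BLOCK) for _ in range(199)]  # unrelated random pads
    recipe = publish(SAMPLE, pool)                  # pool now holds 201 blocks
    tried, hits = pair_search(pool)
    return len(pool), tried, hits, leaked_prefix(recipe)

if __name__ == "__main__":
    size, tried, hits, prefix = demo()
    print(size, "blocks,", tried, "pairs tried")
    print("recovered:", hits)
    print("leaked from names only:", prefix)
```

Counting unordered pairs of distinct blocks gives 20,100 trials, inside the 201*201 bound quoted in the comment; either way the search finishes in well under a second.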
DD--
You've got security clearance. This clearance is dependent upon those associated with you giving valid impressions of your character.
You've got somebody intentionally poisoning said impressions of your character. This makes it more difficult for a background checker to determine whether a negative statement about you from *anyone* derives from a valid observation or an intentionally falsified statement. Meanwhile, you're still in a situation where you're directly involved with improving the national security of this country.
You could be trustworthy, but since the feds would be left unable to verify you as such, you'd lose your clearance. Since this loss was unwarranted, national security's been harmed.
You could be untrustworthy, but since the feds have been left unable to believe statements made by your peers, you'd keep your clearance. Since this retention of privileges was unwarranted, national security's been harmed.
Now obviously, they're more likely to make more mistakes towards the former than the latter. But each unjustified strippage ends up reducing their power and their ability to do their jobs. You want to tell me that these guys would never go ballistic on some asshole spreading rumors trying to get laid? People like that provide camouflage for those who genuinely do arouse suspicion in those around them.
Ever wonder why the Secret Service responds so quickly to threats against the President's life? It's because the empty threats themselves mask the importance of the valid ones. It's simple signal to noise.
Of course, government generally tries not to be too intrusive, but these guys make their living being intrusive. If somebody's spreading counterintelligence to get laid, I'd assume he'd get notified of just Why You Don't Do That.
--Dan
DD--
Last I checked, government folk didn't take kindly to somebody running spoof operations on them.
A couple Men In Black showing up on the doorstep of somebody directly, intentionally, and maliciously threatening the validity of their very precious data sources(a.k.a. the average citizenry) has a way of instilling newfound respect for the social values of honesty in such an individual, wouldn't ya think?
--Dan
That said, though, I can recall hearing nothing but cheers on /. the last time a M$ internal memo got leaked...
Microsoft is the kind of company that would ship a remotely controllable testicle vice with every Windows CD and make you agree to wear it as a condition of your EULA if they figured they could get away with it.
Someone else uses your serial number? *Squoosh*
About all they've been able to get away with thus far is just refusing to ship installation routines with their operating systems anymore. Install Linux? Want to go back? *Squooosh* goes your data, imaged to oblivion.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Shut up, Dan. You're way off base.
If you've got a reason to say so, do. If I'm wrong, I'll admit it.
You're obviously seeing this in a much different light than I am. I'd be interested in hearing what you have to say.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Napster brings about death of the CD
And...? The subscription model doesn't? Hell, the DVD-Audio model doesn't?
Isn't it ironic that everyone wants the CD dead? Techies want compressed digital audio, industry wants your ossicles to be trade secreted.
And yet, I can't imagine anything else that could have killed the CD...
Record industry may be unwilling to support this transition (gut their bottom line)
And...? An existing oligopoly might be afraid of making less money?
Record stores (Tower Records) obsoleted.
This is incriminating? Boy. CD Now is screwed.
Of all the things to call incriminating, these sure don't qualify. Transitioning an entire industry into a new level of technology which lowers margins for some players and entirely eliminates others...last I checked, we did have some kind of public policy which advocated competition. This is starting to reflect the ugliest aspects of the Microsoft trial.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com