Seriously, I'm the author of Speex (the speech codec) and I'd be willing to help if someone wanted to design an open-source library to encrypt VoIP packets.
I'd suggest linking against a couple of common block ciphers -- perhaps 3DES, AES, and twofish.
Linking against twofish is trivial -- Niels Ferguson publishes an easy-to-use free twofish library in portable C. Twofish is unpatented, and the source code is uncopyrighted and license-free; it is free for all uses.
Another more generic option would be to link against the mcrypt GPL library.
This is a project I can't do only by myself because I lack the knowledge to use crypto stuff correctly (random stuff, padding, etc).
I think it would be nice to have such a library so that any VoIP application writer can easily integrate the crypto functionality.
Any good crypto library should handle the difficult crypto stuff for you, the interesting question is how does VoIP handle session keys?
I can't easily locate documentation on key exchange for the voice channel for VoIP call setup? All I see are a handful of papers on encryption on the SIP protocol.
Maybe statistical analysis can determine if a given image or other medium is possibly hiding information. But if that information is encrypted, doesn't it look like random data without the key?
Yes. One quick-and-dirty test of the strength of a cryptographic algorithm or hash function is that the output appears random, and a small change in the input results in a large change in the output.
If the steg'd data has obvious headers and block formatting, a weak algorithm could leave enough of a pattern in the output file to be detectable. And of course some applications of stego are used to embed cleartext data...
Without knowing the key or even the cipher used to encrypt it... how can it be shown to actually be information? "That's just random noise/corruption in my images your honor... I don't know what you're talking about"
Proponents of stego sometimes suggest its use in environments where even the suspicion of crypto is enough to risk persecution and/or prosecution.
The other "trick" to detecting stego is that "normal" JPG/BMP/WAV/MP3/AVI/MPEG files tend to not actually show a high degree of random noise -- the seemingly random data in the LSB tends to have a pattern imposed by the encoder used and the input device.
I'd guess that this problem is more of an issue on highly-processed information from clean sources. You wouldn't expect random noise on an MP3 file ripped off the latest pop album release, but it wouldn't be out of place on a .SHN "bootleg" recording of a TMBG live concert from a handheld DAT recorder...
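The detection idea in the comment above (an encoder leaves a pattern in the LSB, and embedded ciphertext flattens it) can be measured with a pairs-of-values chi-square score. This is an added example, not code from the thread; the cover data is constructed, and all function names and the 60% LSB bias are assumptions made for illustration.

```python
import random
from collections import Counter


def pair_chi_square(samples, min_pair_total=10):
    """Mean Pearson chi-square over the value pairs (2k, 2k+1) of 8-bit samples.

    Replacing LSBs with random-looking (e.g. encrypted) bits evens out the two
    counts in every pair, so the score falls to about 1. A cover whose encoder
    leaves a pattern in the LSB scores far higher.
    """
    hist = Counter(samples)
    total, pairs = 0.0, 0
    for even in range(0, 256, 2):
        n_even, n_odd = hist[even], hist[even + 1]
        n = n_even + n_odd
        if n < min_pair_total:  # too few samples in this pair to judge
            continue
        expected = n / 2
        total += ((n_even - expected) ** 2 + (n_odd - expected) ** 2) / expected
        pairs += 1
    return total / pairs if pairs else 0.0


def make_cover(n, rng):
    """Constructed cover: bell-shaped sample values from a hypothetical
    encoder that clears the LSB of 60% of samples (an assumed pattern)."""
    cover = []
    for _ in range(n):
        value = min(255, max(0, int(rng.gauss(128, 20))))
        if rng.random() < 0.6:
            value &= ~1
        cover.append(value)
    return cover


def embed_lsb(samples, bits):
    """Overwrite the LSB of the first len(bits) samples with the payload bits."""
    out = list(samples)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & ~1) | bit
    return out


def demo(seed=1, n=20000):
    """Return (cover_score, stego_score) for the constructed data."""
    rng = random.Random(seed)
    cover = make_cover(n, rng)
    payload = [rng.getrandbits(1) for _ in range(n)]  # stands in for ciphertext
    stego = embed_lsb(cover, payload)
    return pair_chi_square(cover), pair_chi_square(stego)


if __name__ == "__main__":
    cover_score, stego_score = demo()
    print(f"cover: {cover_score:.1f}  after embedding: {stego_score:.2f}")
```

A noisy source such as the handheld-recorder bootleg mentioned above would already score near 1 before any embedding, which is why the test says little about that kind of file.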
Wiretap abuse in California and Philadelphia. on Feds Want to Tap VoIP · Score: 4, Insightful
I'm sorry, troll? the above comment makes sense. I am glad that our government is able to get WARRANTS to tap phone lines. They can't get a warrant without probable cause, and if you're innocent, who cares?
That's assuming you trust your government to follow the rules. That's not always the case.
For example, I have heard from former PacBell CO technicians that the wiretap and pen trace rate in the Los Angeles area is staggeringly high -- in some offices, upwards of 10% of the circuits have some sort of "tap" installed (From a remote terminal, a tap looked the same as a simple trace device that only records the number dialed, not the voice traffic on the line).
You can expect to have a private phone call if you haven't done anything wrong. The possibility that someone will be listening is very very low (unless you've done something). But for the few times when somebody innocent makes a private phone call and it's tapped into, the chances that it will hurt them is even lower. If a cop knows you just had sex with your dog, who cares? you don't know the cop, i'm sure he doesn't know anybody you know, and nobody you ever come into contact with with know
Unless of course the reason there is a tap on your line is not to produce admissible criminal evidence, but because you (or the line) are a political activist, a nosy reporter, associated with an unpopular political organization, or just chose to support the wrong candidate in the last election...
Think how many guilty people have been caught due to wire tapping before they have been able to do more bad stuff. I'm probably hurting my karma here by supporting partial "fascism" (and yes, i'm glad they have to get a warrant. at least that keeps them from abusing their power), but I'd like people to look at negative vs. positive side effects of certain things, and wire tapping does a lot more positive.
If you want to know more about government abuse of wiretaps (and increase the likelihood of being the subject of a wiretap yourself), just do a little research into the past and present of communications intercepts and abuse by the public and private sector -- COINTELPRO, CALEA, RISSNET, MAGLOCLEN, IN-Q-TEL, Takefuji, DSC1000.
It's tough to get all of the parts cheaper than the price of a complete PC at Dell, particularly if you take advantage of the various discounts (free shipping, $100-$200 off, free RAM upgrades) from Dell.
Add in assembly and a warranty, and Dell is cheaper than buying parts.
Dell, Gateway and others have to pay for it to be assembled, shipped, marketed etc. In addition to that they must make enough to pay for the lights, executives, tech support, and all of the other bills they pay.
For a "good enough" consumer PC for my family, I prefer that they buy a PC from Dell, at about what I'd pay for the parts. They get warranty support from Dell, I get to keep the time I'd have spent assembling a machine from parts.
The mid-range Dell personal desktop machines are actually very good. While I've run into complications upgrading Gateway and Compaq machines, it's easy to add storage, drives, and cards to Dell. Just about anything except the motherboard and powersupply is standard and can be replaced.
This sort of thing is why progress will never be made against spam. The anti-spam camps are far too disjointed to do a thing and far too busy shooting down each others' proposals.
I don't think it's quite as bad as this.
I see two major camps of hardcore antispammers: the fanatic hobbyists for whom this is a personal crusade, and big business (Fortune 1000 and major ISPs) where it's strictly a business problem.
The fanatics may come up with some great ideas, but the corps are where real lasting progress against spam will be made -- all it takes is for one "AOL" class enterprise to implement a technical approach, and suddenly it's an Internet standard (e.g. reverse DNS lookups on SMTP sessions and rejecting on NXDOMAIN in "MAIL FROM").
For big business operating major SMTP receiving servers, the "spam problem" is not a question of politics or personal belief, it's strictly a business issue -- business email requires reliable delivery of messages the company wants to receive inbound, to their corporate mailboxes, or (for ISPs) in to their subscribers, as well as reliable outbound emails. Ignoring broadcast mailings, businesses and ISPs need reliable one-to-one mail in and out of their network. Spam disrupts this service.
Unlike the radical anti-spam fanatics, the corps and ISPs see a direct financial ROI from reducing the volume of bogus mail coming in to their network, and suffer real damages from either letting spam in (in resources consumed and user complaints) or blocking "good" email (in lost business, etc).
IMHO, the big ISPs and the big corps is where to look to for real lasting technical progress on the "spam problem". One potential drawback, corps define the "problem" differently than end-users.
There's a perfectly reasonable convention of prefixing adverts with [ADV] in the subject line so people who don't want to read them don't have to.
The problem with using the subject line is that our mail server still has to do 90% of the work of processing the mail before throwing it away.
We block approximately a quarter million inbound spam messages a day, not counting the millions of messages that we don't ever see because the source IP address is on RBL+, PDL, etc.
For server operators, a major criterion for the effectiveness (cost-effective, etc) of any anti-spam approach is the amount of resources (bandwidth, CPU, disk, hours of human effort) required.
By that standard, putting ADV on the subject line and telling users "just hit delete" is a failure.
OpenBSE 2.1 booting
spine found at default location
brain at spine 0x01 not configured
brainless at spine 0x02: ver 0.0a
nervebus at 0x01 at spine found
nervebus: fore legs attached
nervebus: hind legs attached
tail erect at spine
Personally, I'd never build my own, as it'd require a lot of precision drilling and tapping, and I'm just not set up for doing that sort of work in my shop.
I think your first mistake is believing anything you read in Applied Cryptography. It's a well-known fact that Bruce Schneier is regarded as a leftist kook in the cryptographic community. Trust me,
Trust you?
I got my PhD from UC Berkeley in cryptographic studies so I know what I'm talking about.
Sure, a guy who trolls under the handle "egg troll" has a PhD from UCB.
Although we must give him credit for writing PGP,
Philip R. Zimmermann is the creator of Pretty Good Privacy. Perhaps you are thinking of Blowfish?
Mr Schneier has since then used his name to promote all sorts of snake-oil get-rich-quick schemes,
Name one.
and is a blathering font of anti-government propaganda.
Tough to argue with that one, though many of his peers might suggest "blathering" and "propaganda" are a bit strong.
I'm sorry, Mr Schneier but had we not listened to your objections about such things as the Clipper chip installed in phones we may have learned about the 9/11 plot before it happened.
There is no evidence that 9/11 plot planning was discussed using encrypted phones, or launched using stego images on porn sites, or any of the other anti-crypto propaganda that appeared in the media following the attacks.
Bruce Schneier isn't always right, and he's often more than slightly alarmist, but he's a more reliable source than pseudonymous slashdot users from Berkeley.
For every message, I have to check and unpack the header, go out to some PK server, and validate the keys, before I decide to accept/reject? That introduces a big latency into SMTP.
I agree, doing the check in the message header itself doesn't make sense.
It would seem more reasonable to make the change in the SMTP protocol, allowing a remote server to authenticate itself as being a legitimate source for mail from a given domain at the start of a session, then send any number of messages during that connection with the allowed "From" address.
For a server that handles many domains, and can thus legitimately source many different from addresses, they would need to authenticate once per domain.
This wouldn't prevent spamming, but would prevent spoofing the sender address -- tons of spam shows spoofed something@yahoo.com sender addresses, so I can see why Yahoo would be interested in this idea.
Also, this doesn't do anything to stop 'legitimate email marketers'. There's a death penalty (blacklist) for a site or particular sender's key, but nothing to stop a spammer from changing keys and starting over.
Or will everyone have to get their own key pair? Who's going to validate them, and at what cost per key pair?
The way I read the article, sounds like every domain will have their own key pair, and will publish their public keys in their DNS zone for the domain.
As to stopping spammers, one idea that I like is to use PKI, where every domain has their own key pair, and each key can have multiple signatures attached. You could pay Verisign, Tucows, Comodo, or SpamCop to sign your key.
Hosts that accept mail can choose what signing authorities to accept. Yahoo might choose to accept all of the major Verisign-like SSL companies, where I might only accept mail from sites whose key is signed by either Spamcop or Theo de Raadt.
Just after the students come back all flushed with their grants (and no idea that once their board and lodgings are taken into account they have about 5.00 a week to spend on food) the most prevalent kind of ATM theft round here is also the simplest:
Knife in back, 'take out all your money or I'll kill you'.
A few people get stung with that every year... not a lot that can stop it either (cameras help, but they're not everywhere).
What could help is the "duress code".
Many office alarm systems have a feature where entering the disarm code backwards (1234 becomes 4321) will work like the real code, while also triggering a silent alarm, summoning the police.
Since colleges nearly always have an on-campus 24-hour security staff, it should be possible for help to arrive in time to catch the attacker, or at least to rush the victim to the hospital before she bleeds out.
Computer games don't affect kids; I mean if Pac-Man affected us as kids, we'd all be running around in darkened rooms, munching magic pills and listening to repetitive electronic music.
- Kristin Wilson, Nintendo, Inc., 1989.
While Kristin claims having originated this joke, so does Marcus Brigstocke, and others attribute the quote to Steven Poole.
It appears that this "joke" is actually only about three years old, google shows the sig file first appears on Usenet on December 12, 2000, attributed to 'anon' or 'unknown'.
Bruce missed out on a nice revenue stream when he released the binary for free, and really missed the boat when he (finally) followed through on the promise to release source.
I actually installed MSVC++ just to be able to easily create custom builds of pwsafe.exe.
Partly to set the defaults to enforce our own specific password strength policy...
The main reason, forcing a "slashed zero" font in PwFont.cpp.
To protect both the ISP and the innocent, they could implement a feature where after 20 mails in 10 minutes, mails would only be processed at the speed of, say, one mail per 30 seconds, and maybe slowing progressively after each 100 mails. When the mail pipe has been silent for a given amount of time, say ten minutes, the "mail slower" would be reset.
See Spam throttling for qmail. The software is written specifically for qmail, but could be ported to Milter. Supports configurable rates based on source IP address and network ranges, and aggregation of multiple sources within a subnet (VLSM).
By default, hosts exceeding permitted rates temporarily see answers to SMTP commands delayed. Mail gets through, but very slowly.
What happens when one ISP sends legit email to another ISP? It's very likely to have a sustained rate of 1 email per second. If you throttle the connection, email will take several days/weeks to arrive.
Clearly the default rate needs to be somewhat higher than 1 recipient/second, and some sort of whitelist for legitimate ISP mail gateways would be appropriate.
What I do is reformat the list of network blocks found on the PDL into the spamthrottle configuration file format.
For example, my mailserver is willing to accept no more than one message per second from the DSL dynamic /17 address block used by Ameritech to serve all dynamic DSL customers in downtown Chicago.
That works fine for the one or two DSL users who run their own mail servers and who need to send me mail, but stops bulk scan runs and dictionary attacks.
The same code can be used on an ISP "smarthost" to slow down relayed mail acceptance from their average end user.
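The throttling policy proposed in this thread (20 mails in 10 minutes, then one mail per 30 seconds, slower after each further 100, reset after 10 minutes of silence), combined with the per-network aggregation described in the reply, can be sketched as below. This is an added example and is not qmail-spamthrottle's code or configuration format; the class and method names, the linear slow-down step, and the 10.20.0.0/17 block are assumptions.

```python
import ipaddress
from collections import deque


class MailThrottle:
    """Tracks senders by network block and returns the delay (in seconds)
    to apply before answering the next SMTP command from that sender."""

    def __init__(self, networks=(), burst=20, window=600,
                 base_delay=30, step=100, idle_reset=600):
        # Address blocks whose hosts share one counter (e.g. a dynamic DSL pool).
        self.networks = [ipaddress.ip_network(n) for n in networks]
        self.burst = burst            # mails allowed per window at full speed
        self.window = window          # seconds (10 minutes)
        self.base_delay = base_delay  # seconds per mail once throttled
        self.step = step              # slow down further after each `step` mails
        self.idle_reset = idle_reset  # seconds of silence that clear the state
        self.state = {}

    def key_for(self, ip):
        """Aggregate hosts inside a listed block; track other hosts singly."""
        addr = ipaddress.ip_address(ip)
        for net in self.networks:
            if addr in net:
                return str(net)
        return str(addr)

    def delay_for(self, ip, now):
        """Record one mail from `ip` at time `now` and return its delay."""
        key = self.key_for(ip)
        st = self.state.get(key)
        if st is None or now - st["last_seen"] >= self.idle_reset:
            # First contact, or the pipe was silent long enough: start over.
            st = self.state[key] = {"recent": deque(), "slowed": 0,
                                    "last_seen": now}
        st["last_seen"] = now
        recent = st["recent"]
        recent.append(now)
        while now - recent[0] > self.window:
            recent.popleft()
        if st["slowed"] == 0 and len(recent) <= self.burst:
            return 0                  # still inside the allowed burst
        # Throttled: stays throttled until idle_reset seconds of silence.
        st["slowed"] += 1
        # Assumed reading of "slowing progressively": one more base_delay
        # for every `step` mails accepted while throttled.
        return self.base_delay * (1 + (st["slowed"] - 1) // self.step)


def simulate():
    """Two hosts in the same constructed /17 send 121 mails, one per second."""
    throttle = MailThrottle(["10.20.0.0/17"])
    hosts = ["10.20.1.5", "10.20.77.9"]
    return [throttle.delay_for(hosts[i % 2], i) for i in range(121)]


if __name__ == "__main__":
    delays = simulate()
    print(delays[19], delays[20], delays[120])
```

Mail is still accepted at every step; the returned delay only slows the answer, so a legitimate gateway needs a higher rate or its own entry rather than a block.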
Use tech to enforce rules, not punishment! on Real Security? · Score: 1
If I'm in charge of security (not just the IT portion of it) and management won't let me put in place a policy that spells out what will happen to employees that subvert the security implementation and back me up when I have to apply the policy's warning and penalty portions, then I'm out of there!
1 - Anyone caught writing their password down on anything will suffer punishment
2 - Anyone allowing anybody else to use their account/password will suffer punishment
3 - Anyone leaving their workstation logged in and not protected with the approved screensaver/password will suffer punishment
You could put in place these annoying and draconian policies, and try to enforce them through punishment, or you lobby management for the funds to integrate proximity cards into the staff's existing ID card system.
Five years ago I paid eighty dollars per machine and five dollars per card for a proximity system which would automatically lock and blank the screen on a workstation when the logged in user (actually, their proxcard) moved more than ten feet away. Unlocking when the user returned could be automatic, or require a password.
To keep people from leaving their card at their desk while they step away to get coffee or use the washroom, just make sure that the office is designed such that to get back in from the lunchroom and other facilities involves keycard operated doors, using that same keycard...
All that work, and they could have just installed
one of these on the DMZ and been done with it.
PGP.Com products are notoriously overpriced, but I bet North Korea could negotiate a nice discount on a 22,000,000 seat license with A.T.M. Networks Inc, the South Korean sales agent...
One hitch -- I tried completing the "free download" form with "N.Korea" as the country code, and got this popup:
'In accordance with current US Export restrictions, PGP 8.0 products may be downloaded by individuals throughout the world except those in the following countries: Cuba, Libya, Iran, Iraq, North Korea, Sudan, and Syria. If you are in one of these countries, you may not download PGP software'
Ah well, GPG doesn't have these petty restrictions!
I can't imagine people really trust PGP anymore. No longer open source, no longer affiliated with Phil Zimmermann... and his statement when he left was scary.
PGP is not "open source", but like Solaris, source code is published, anybody can download full source at no charge.
For those who don't know, Phil stated when he left that every PGP product released while he was there contained no hidden back doors. Knowing that companies like PGP were being pressured, it makes me think the creative differences were them wanting to build something in that he thought shouldn't be in.
Interesting claim. Care to document it?
It seems to me that if Zimmermann felt that way, he wouldn't be on the PGP.Com technical board, and he wouldn't be reselling their products on his web site.
To quote Phil Zimmermann, "There is no backdoor in PGP. Get a life."
I've always thought that a Java implementation of public key encryption would be useful.
For example, I'd like to be able to put up a page on my web site containing a Java applet with my embedded public key.
That way I could finally remove my grandmother's AOL account from the exception list, the last obstacle standing between me and my "all incoming mail must be either signed by somebody I trust or encrypted with my public key" procmail rule.
Requiring the sender to use their own CPU cycles to encrypt messages is a classic variation on the "micropayments" approach to reducing spam volumes...
Only one problem- Symantec, like every other commercial filtering software vendor, does not publish their list of blocked sites, does not make any particular political or religious slant of their filtering public, and will sue anybody who reverse-engineers their blocking list.
You know what, that's part of raising a child. I raise my kid with my beliefs and I filter what I want to filter. You don't get equal time. You do not get to enter my home and tell me what my kids should be exposed to.
But Symantec, Inc. does?
Don't you mean "subjective", not "unobjectiveness" ?
I agree, "It's a bit rediculus.".
Merriam-Webster:
Objective
. ..
3 a : expressing or dealing with facts or conditions as perceived without distortion by personal feelings, prejudices, or interpretations
Who is being denied this knowledge? No one. People who buy this software and activate the weapons filter don't want to see NRA propaganda. It's that simple. You're blowing smoke.
Keep in mind that children are a captive audience, and will still see all of the Handgun Control Inc. (Sarah Brady) propaganda, and all of the other anti-gun propaganda.
When only one side of the debate is being filtered out, when kids can get all of the "gun porn" they want online so long as they swallow it with a healthy-dose of "2nd amendment does apply to individuals" indoctrination, how can you not call that biased?
What happens when a kid goes to write a report on the Bill of Rights and all of the computers he has access to at school, at the library, and at home have this filter enabled?
After Columbine, they organized a rally in Denver.
This claim is such bullshit that it's almost silly.
The school shooting in Columbine, Colorado happened just before the NRA's annual meeting and convention was scheduled to take place in Denver, Colorado.
The meeting, like most such conventions, was scheduled several years in advance, and would have been all but impossible to move.
Unless of course the reason there is a tap on your line is not to produce admissible criminal evidence, but because you (or the line) are a political activist, a nosy reporter, associated with an unpopular political organization, or just chose to support the wrong candidate in the last election... If you want to know more about government abuse of wiretaps (and increase the likelihood of being the subject of a wiretap yourself), just do a little research into the past and present of communications intercepts and abuse by the public and private sector -- COINTELPRO, CALEA, RISSNET, MAGLOCLEN, IN-Q-TEL, Takefuji, DSC1000. Or just pick up a newspaper and read about the neverending stream of FBI bugging devices found in Philadelphia over the past three months...
Available for purchase at http://www.openbsd.org/tshirts.html#5
If space is an issue, you can use a "telco frame", basically a standalone pair of heavy-duty standard rails with a flat base for floor mounting.
OpenBSD ships with spamd.
I'll try not to duplicate my very recent detailed post on qmail-spamthrottle.
Basically, hosts/networks are tracked by messages/second, and rate-limited by slowing down response time to RCPT commands.
Works a treat against dictionary attacks.
Phil Zimmermann is on the "Technical Advisory Board", along with Bruce Schneier and others.
What statement are you referring to?
- Phil Zimmerman Profiled
- Philip Zimmermann's personal response to the ADK bug,
- 2003 Defcon interview
- Phil Zimmermann & Associates LLC
A satisfied PGP customer.
Thumbnail Post Galleries have been around for years, but this is one of the very few non-pornographic applications of the concept, ever.
The NRA couldn't cancel the annual meeting, they are required by law to hold the meeting every year. The NRA did cancel most of the other scheduled events.
Michael Moore's film presented the opening remarks in a false light.