The court's uneasiness with the technical aspects of the case was evident in its description of the device under attack. "The pause button, when depressed," Justice John Paul Stevens solemnly found, "deactivates the recorder until it is released."

Someone has produced a survey of 8,081 SSL-enabled web servers on the Internet showing that 32% of them are either using 40-bit encryption, or expired certificates. Given that kind of rampant insecurity, it's not a wonder that the FTC blames the Internet (seemingly rightly so) for giant increases in identity fraud.

Read the full story over at ABCNews.

Note to self: When trying to hijack planes, don't start the transmission off with "Hey, Dudes...how's it hangin' ?"

While I'd like to link criminal tendencies to AOL usage, I think this is probably indicative of the greater trend of online-related crimes and law enforcement's familiarization with the technologies.

[Update] NAI has released hotfixes for its commercial (Windows 9x/NT/2000 and Mac OS) PGP for Personal Privacy software.

• PGP Personal Privacy 6.5.3 for Windows HotFix 1
• PGP Personal Privacy 6.5.2a for Macintosh HotFix 1

• Technical Follow-up by NSI
• A response containing some technical jabs/suggestions concerning the method in which the zone transfers are performed
• A note suggesting more truth/clarity in NSI's press releases

1. Assuming proper usage, will the Carnivore system provide investigators with all the information, and only the information, that it is designed and set to provide in accordance with a given court order?
2. Assuming proper usage, will use of the Carnivore system introduce new, material risks of operational or security impairment of an ISP's network?
3. Does use of the Carnivore system introduce new, material risks of the unauthorized acquisition, whether intentional or unintentional, of electronic communication information by (i) FBI personnel or (ii) persons other than FBI personnel?
4. Are the protections built into the Carnivore system, including both audit functions and operational procedures or practices, commensurate with the level of the risks, if any, identified in response to (3) above?

Read the executive summary, as well as the full RFP.

To aid in the coming battles, the government is asking corporations to share security information, is looking at sharing "sensitive" information with selected companies, futzing with the Freedom of Information Act to make it more attractive for companies and the government to share such info (danger, will robinson... danger), as well as dropping a few bucks on IT research in unprofitable areas (what would those be?).

No word on how they're planning to stop attacks on their own infrastructure though. Try as we might, nothing shmoo.com is likely to do will keep USAF sites from getting hacked. But at least it's a start.

According to a Libertarian Party press release "Banks would [be] required to develop customer profiles and report any 'unusual activity' such as large cash deposits or withdrawals to the government -- in effect turning every bank teller into an informer and everyone with a bank account into a criminal suspect."

The Liberterians are often a little melodramtic, but this bears looking into. Incedently U.S. banks would be affected since any of thier customers is potentially in league with Foreign Devil(TM) money launderers.

This case, and a couple other examples in the article, epitomize the best tactics corporations are taking to combat this kind of terrorism. As stated in the article, dealing with this kind of extortion is quite similar to ye olde "thug and mortar" kidnapping and extortion.

The odd thing is that few of said attacks are publicized, whatever the outcome. The Bloomberg incident ended well, and their tact was atypical in that they let everybody know what happened. Visa did the same, and may have lost customers. As long as customers react poorly to these invasions, even when they're handled properly, it won't be surprising that companies are less than forthcoming. In the end, the article rightfully makes the statement that keeping such attacks secret only reinforces some peoples' views that no one ever gets caught, or that no one else has survived them, or even that there's no strategy for handling them.

Read on...

Beyond the attempt to be one of the independent testing groups, the members (which include Mudge, Matt Blaze, Wietse Venema, David Wagner, and several other industry notables) have put together a good site that is, as it says, "a source of factual information and informed opinion about the FBI's Carnivore software. "

Read More...

It seems that Linux has gone mainstream, in terms of marketing. Think DefCon meets Madison Avenue. You pay $25 for an exhibit pass, if you don't have a complementary ticket. Even if you pay, you are forced to answer several excessively private questions before the admission shock troops will release your id badge. You walk onto the show floor, and it's a classic "mine is bigger than yours" arrangement of booths. A booth worker in a green lizard suit becons you into the SuSe booth. The noise level is deafening, not from music, or people chatting, but from a blizzard of barkers giving gratuitous lectures at 60 by 60 booths, to seated throngs of catatonic show attendees, presumably who are patiently sleeping through the presentation to get the free T-Shirt.

I start an organized search of the show floor, looking for the interesting exhibits. Usually this means going to the small, 10 by 10 booths, that are typically occupied by startups. There are very few of these, jammed against two edges of the floor. A woman wearing essentially nothing but a fishnet bathing suit and a skillfully printed array of Caldera logos stolls past, as I think about whether I should stare or not, the marketing flack in the standard logowear buttondown shirt next to her gives me a cold look. I wish they'd make up their mind if I should be ashamed of looking at the girl or be ashamed of thinking about ever purchasing the product.

Eventually I work my way across the floor. This is a surreal mix of arcane high geekdom and raw crass marketing. There are grey-bearded techies walking around in t-shirts and socks and sandals. There are kids, probably high-school age hackers, milling about with bags full of skillfully obtained free distribution CD's. There are young innocent looking mainstream professionals wandering around wearing these silly red devil horns that have been carpet bombed across the entire show floor by the BSD folks. Apparently that's not enough to get your attention, they also have the BSD red Demon, another booth worker in a gorilla suit, walking the floor accompanied by a woman in a skimpy red jumpsuit that almost contains her cleavage.

I try talking to some folks in one of the booths. They are booth workers, with the normal booth worker skills and faults (I _hate_ booth works who ignore me when I patiently stand and wait to ask a question.) They try to tell me theirs is the coolest O/S on the show floor, but instead of telling me how good the device driver documentation is (read the source, dude!) or how reliable it is on several different notebook configurations, they try to convince me that their lead amateur's undocumented ad hoc shell script-based packet insertion kludge is better than Red Hat. I point out I'm the customer and this is not impressing me, and they proudly point out they aren't trying to sell me anything as it's open source.

Oh well, Red Hat may suck, but the competion in the Unix/Linux/thingie-ix/*bsd*.* space isn't clearly better, regardless of the number of marketing suits or booth chickies they hire.

During the Fifth Annual Black and White Ball, a stunning man drifted by in a long skirt and shoes laced with glowing electro luminescent wire.

As GET requests show up in browser (histories) and web server logs (referrers) this seems most academically a insecure thing. Granted POST requests don't actually encrypt anything, but the information doesn't show up in the browser for any future user to see, nor in some other site's web logs when the user is done using the software.

With policies out there like this, who needs script kiddies.

I'd personally like to thank Mark Shuttleworth and Bruce Watermeyer of Thawte for putting the effort in to support PGP in the past.

Even though participants in this illicit pattern swapping only number in the hundreds (versus the millions that use Napster), the Needlework industry is so small that a movement such as this could destroy many companies. To quote the CNN story:

"This strikes at the heart of the needlepoint industry. The people who are doing this seem to have a hacker's mentality," said Jo Weiss, executive secretary of the International Needleart Retailers Guild.

For quite some time now - at least since I joined the Army in 1991 - the military has been collecting all sorts of biometrics from service members. Ostensibly for the identification of remains although I won't ever commit a violent crime and expect to get away with it.

Some of this information is from personal experience, and some can be found in Database Nation by Simson Garfinkel (ISBN: 1565926536). The Army has all ten of my fingerprints, a drop of dried blood, and a swab with skin cells floating in a vial of preservative.

For those of you who have served in the military and think its bad^TM that The Man has a sample of your DNA, you can request that they destroy it. More information can be found at the Armed Forces Repository website.

We've been trying to keep this under wraps for most of the year now, but The Evil Geniuses for a Better Tomorrow will be releasing a public beta of MojoNation. This is a brilliant distributed computing system that crosses Napster like filesharing with a network based RAID5 redundancy and a micropayment cost-recovery system. Be a part of the revolution and go get it now.

Notice: downloading is free, but... most documents require `paying` using IBM Micro Payments demo money

• Today was the first day that the Napster faction was face to face with the recording industry and artists. There are no reports of Lars beating Shawn Fanning (Napster founder) into a pulp in the parking lot... yet.
• Orrin Hatch (R-Utah), committee chair, played devil's advocate. He claimed that service providers such as Napster are taking advantage of the Digital Millenium Copyright Act. However, he also asked the RIAA president Hilary Rosen if making a copy of a CD onto analog tape to give you your spouse was "fair use" of the CD. She declined to answer.
• Orrin Hatch admitted to listening to Metallica... and liking it.

Q: How does anyone make money if everything can be pirated so fantastically well?

A: The archives of this list contain many discussions about how artists make money in a world without copyrights. It never ceases to amaze me that people who claim to be creative have such a pathetic lack of imagination for business models, blindly assuming that the standard old method of selling recordings is all there is. - Lee Daniel Crocker "All inventions or works of authorship original to me, herein and past, are placed irrevocably in the public domain, and may be used or modified for any purpose, without permission, attribution, or notification."--LDC

Half-ass Security Holes

Send us your ideas.

We've finally finished that unofficial xinetd tutorial we promised a while back. It's chock full of information useful for users of all platforms, and includes a section specifically for Mac OS X [Server]. It should have just about everything one would need to get up and running, including installation, configuration, day to day use, and other sundry things. Have a read and remember, comments are welcome.

Security for our customers has always been a top priority at Network Solutions.

The new stuff: Our fourth cipher returns to a difficulty more in keeping with the spirit of our contest. This one should be much easier than the last, while being incrementally more difficult than the first two. As with our other contests, a DVD (Contact) goes to the first person to break the cipher and give us the plain text. Now, get cracking!

In recent weeks in playing with my new DP4 install, I noticed that I could 'nidump passwd / > /tmp/estupido.txt' as a non-root equivalent user and get a properly formatted BSD passwd file, with the passwd hashes. I thought I had to be mistaken about this as it seems to be a major security problem; maybe the hashes are decoys or something. To this end, I created a couple test accounts, set their passwords to easily guessable values, and created the 'estupido' file. To my (not so much) surprise, crack cracked the easy test accounts in seconds. ...

As most would argue, allowing non-root users access to passwd hashes on a system is a "bad thing".

In England, for example, a teller discovered that change-of-address procedures for account holders were not audited by her bank--after all, what's so worrisome about a change of address?--so she simply changed the addresses of various account holders to that of her own when checks were due to be sent out, then changed them back. She operated this scam for 10 years before being caught.

UPDATE: We're back up. Just thought I'd point out that outages like that should be embraced. Since Shmoo has no banner ads, or sponsors of any type, we're lucky to be able to leach the QoS we've got now. Feel free to contribute if you want to help make Shmoo better. - pablos.

"InTether protects the content of files like .mp3, video, software or documents, allowing the sender of information to control the recipient's use, including printing, copying, forwarding and time of destruction. If hacking is attempted, the file self-destructs. Just like Mission Impossible. No other technology can do this."

Nifty sounding stuff I suppose. Unfortunately, it's not very new, at least as a concept. While I won't debate their patent rights, I'm sure their implementation is unique, I debate the quality of the very concepts behind the implementation.

Read on...

"As enterprises move mission-critical, high-value applications to the Internet, they are often forced to make trade-offs between security, privacy and end-user convenience," said Stratton Sclavos, president and chief executive officer of VeriSign. Sclavos said the new technology allows enterprises and end-users to bypass this hurdle.

In case you haven't noticed, most of my postings to shmoo.com are out of exasperation. This is just another example.

B1. What is a CERT advisory? What alerts does the CERT/CC send?

A CERT advisory is a document that provides a description of a serious security problem and its impact, along with instructions on how to obtain a patch or details of a workaround.

• CSS together with the web of laws and contracts around it also eliminate the individual's ability to make noninfringing copies of DVD images
• EFF is not spending years in court merely to exonerate one or two individuals, or to enable distribution of a limited software prototype. We are here to establish the principle that the anticircumvention provisions cannot be used to eliminate fair use broadly throughout society.
• While the industry has loudly over-stated any potential harm it might face resulting from digital technology, it quietly looks the other way without mentioning the unprecedented power technology provides to copyright holders to control access and use over creative expression.

What really makes a difference is the people. In every endeavor there are two kinds of people who can get involved. There is the kind of people you want to work with. You know them. They share your values and your views on software construction. They like lunch at the same place you do and they make your job as fun as it can be. When you are on a team with them, you feel like there is nothing you cannot do.

Then there are the ones who you would shoot if the president gave you a card good for one free murder. These evil beings suck your moral and cause the boss to make poor decisions based on their faulty, but insistent input. They are the albatross around the neck of your project.

Granted, these are polar opposites and most people fall in a continuum along the axis rather than at the extremes. However, the more people you can get from the good side and the fewer from the evil side the better.

The people from the good side have thoughts like these:

• If I spend another two weeks with this code Version 2.0 will be a breeze.
• I need to get with the other programmers on this project and think this through.
• Most meetings are a big waste of time.
• The testers found 3 bugs in my last section of code. time to re-write.

Evil people think this way:

• If I only spend a week with this code I will be rewarded for pumping out features.
• The other programmers on this project are not as smart as me. their input would be meaningless.
• I want to go to another meeting so I can prove I am smarter than the others.
• The testers are picking on me. That's not a bug a real user would ever encounter.

In a small startup, you recognize the evil people, route around them, and then fire them.

Microsoft has been a victim of it's own growth. It has a large number of people and quite a few of the evil ones snuck in while uncle Bill was not looking. It's all but impossible to fire a developer. The best you can do is shuffle them off to another group.

There are very few groups without some number of the evil people. Once two or three evil people get together they multiply their evil ways and tread all over the good. I personally think most of the things we think of as evil that Microsoft has done is due, in no small part, to this contingent of bad advisers and cowboy coders.

Microsoft's history of surging stock prices has made it so these people never want to leave, even if they are hated. Some of them even like being hated. (The computer industry is rife with people with strong and unusual personalities.)

The only good thing about these people is that they are rigorously self-centered. If they think the ship is sinking, they will desert like the rats that they are. It has already started to happen. A few more weeks of dropping or neutral stock performance will further weed out these losers.

In the short term Microsoft will perceive a labor shortage and may make the mistake of making it attractive for these folks to stay around. The people they really want to keep are not going to be scared off by a month or two of low stock prices.

In the end, if they can manage to let the jerks leave and not let them back when things improve, they will be left with a better balance of good to evil. Their products will improve and consumer/investor confidence will rise once again. It will, however, take months and years to show the fruits of this culling.

With any luck Microsoft's new tag line this summer will be:

MS has released a patch to Office 2000 that fixes a demonstrated hole in the Office Assistant discovered by the folks at @stake. The fault lies in an undocumented ActiveX control (read: eeevil) that allows malicious documents (local docs, spreadsheets, html docs, blah, blah, et al.) to use it to change numerous Office and IE settings, most notably the changing of macro security settings. Having stuck a nail through that prophelactic, we can only imagine what kinds of nasty diseases the malfeasant code could give us. There is a demo of the 'sploit at @stake.

You know, I just wish that they would admit that an email client that opens messages without your interaction was a bad idea.

You'll also find notes on the International Cybercrime Treaty, the damnable ILOVEYOU bug/virus/feature, trusted client software (an important part of several engineered obselesence/EOL/limited lifetime usage apps), and Microsoft's lame attempts at Kerberos standards obfuscation.

Happy reading.

Update: Never fear readers, it seems a good dooer has quelled the ego of our most fair and beloved pablos. We trust he shall take this in good stride.

• The Melissa virus caused in excess of $80MM in damage
• AMW intervied FBI Director Freeh *giggle* a _real_ meeting of the soundbites. Both sides tried to sound dramatic and apocalyptic, but it came out sounding vague and uninformative.
• Terrorists all over the world are storing their evil plans on the internet for all to see and duplicate
• They added the h4x0r's that helped mafiaboy in the Feb DDoS attacks to their Most Wanted List. Feel free to call them or visit their website if you overheard mafiaboy and pals in your favorite yahoo chatroom. NOTE: As of 10:45PM EDT, AMW's site is unreachable (as well as other sites in the Teleglobe network). Must be a DoS from all the folks sending in leads on where to stick it.

Third/final hint: Whilst digging around in the binary representation of the world of our message, think about ASCII and how it's represented at the binary level. And think about how many bits are in the regulation ASCII set, excluding any of the extended non-standard set.

Now get cracking.

The member of the long-lost southeastern shmoo sub-clan would like to thank the shmoo elders for inviting us to this site ;-)

The Seattle Times has an article that apparently attempts to educate users about the insecurity of their e-mail. Unfortunately, it's a lackluster attempt that fails to educate the user, and even leaves the user with the sense that everything is just fine, unless you're famous. The upshot is that your e-mail is safe with your ISP and eveywhere else because it takes too much to time to read everyone's email. And besides it's bad business, unless you're famous, then you have something to worry about, but can fix it, not by using PGP (or GPG, or any semi-standard solution), but by using some ginchy bit o' software from Cypost. Insert dumbfounded stare here. This is the "meat" of their article. These people can't be on the same plane of existence as the rest of us. In an article entitled "Internet security: Just how safe is your e-mail?", you'd think they'd actually have credible "experts", and some information that users would find useful. Perhaps they'd tell people about corporate e-mail problems and solutions? Encryption standards? The law, maybe? And to make things worse, they say it will be even less of a problem in the future, because there'll be even more e-mail, making it more difficult to browse. Whatever. With information like this spreading around to the general public, it's no wonder the average user doesn't realize the true insecurities of e-mail. Argghhh!

ZDNet has an article about another company proposing to make money from tracking everywhere users go and feeding the boiled down version of it to merchants. The company actually believes that a lot of people will willingly download their software (or free ISP's will require/bundle it), install it, and allow themselves to be tracked, cataloged, and spammed. Apparently, the software also allows the company to track all form submissions, but haven't decided whether they're going to implement that feature yet. Yeah, that's just what we need. Hook me up.

Ok, that was only two of them, and they weren't exactly short, but ...

Hint: While delving deeper into the base of the numbers that are broadcast, and the different way those same numbers may be represented, think strings of binary.

Pretty darn cool stuff all things considered. No word of when I'll be able to attach an add-on unit to my Palm though.

pablos: Sadly, these guys are not Brothers in Arms. Choice quote from their site - "The future will be brighter when the privacy paranoia fades."

Though this meeting to foster public discussion of a public problem was itself semi-newsworthy, the government did not unveil any new proposals. Jeffery Hunker, a White House advisor on threats to critical infrastructure, briefly outlined elements of the Clinton administration's National Plan for Information Systems Protection (http://cryptome.org/cybersec-plan.htm) -pointedly labeling it 'Version 1.0'.

One law enforcement official slipped out the back, exasperated at the number of policy wonks in the room. Hacker-turned-government advisor Mudge didn't show, but Gregor Freund of Zone Labs took his place as the technology expert on the panel.

Hunker stressed that though we have not yet seen instances of cyberterror, we should be concerned that China, Russia, and other countries are developing CNA (Computer Network Attack) capability, and that we need to take a proactive stance to protect critical infrastructure. Hunker and the other panelists discussed the need for public/private collaboration to secure the Internet, yet they emphasized that individual citizens must take responsibility to protect themselves.

Members from the audience proposed that government should have a federal 'sandbox' where hackers can legally play-after all, not all 15-year olds can afford a security lab. Hunker seemed interested.

More information on the Town Hall meeting from ZDNet.

Graham Cluely, senior technical consultant at anti-virus vendor Sophos, said the group [hackers] may find it hard to be accepted in the marketplace. He said: "They may find they need to act in a more corporate way."

"Who is going to buy software from someone who hides behind a pseudonym like 'Shrieking Radish' or 'Colostomy BagBoy' rather than a real name?" Cluely added.

While I don't agree with much of what Elias Levy says in this case, I give him the benifit of the doubt from his many years working with BugTraq (one of the earliest, and best respected, full disclosure security forums) that he's more questioning people's blind faith in OSS as as oftware development method, then then Open Source model its self.

To: BUGTRAQ@SECURITYFOCUS.COM
Subject: imapd4r1 v12.264
From: Michal Zalewski
Newest RH:

OK nimue IMAP4rev1 v12.264 server ready
1 login lcamtuf test
1 OK LOGIN completed
1 list "" AAAAAAAAAAAAAAAAAAAAAAAAAAA...[yes, a lot of 'A's ;]
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

*sigh*

Privledges seems to be dropped, but, anyway, it's nice way to get shell access to mail account, maybe grab some data from memory etc.

As was indicated, all privileges are dropped at that point. There is nothing that can be done by crashing imapd this way that can not also be done (much easier) by logging in to the UNIX shell.

This of course assumes that the user has a shell account on the server he's getting his mail from. I'd say that 90% of the time, this is not the case, judging from the work I've done at ISP's and talking with other geeks

All imapd security efforts have been focused on eliminating root-level security holes. ... There has not been an equivalent effort to eliminate all possible ways to induce imapd or the c-client library to crash when it is in a non-root state. I am not certain that the results would be worth the effort, particularly since there are alternatives, either one of which is sufficient to neutralize the problem:

If you have a "closed" system (which is the only type of system where this bug matters), a much better solution is to insert the following instruction in routine pw_login() in env_unix.c:
if (chroot (home ? home : ANONYMOUSHOME)) chroot ("/tmp");

Not every machine supports "jailed" processes. And of those that do, sometimes having local privs is enough to break out of the jail. chroot solves some problems in normal execution, but if a program can be exploited, a chroot'd jail may not be enough to stop the bad things from happening

Another important measure is to use StackGuard. I am very surprised at the implication that RedHat doesn't use StackGuard. Is that really true?

As many on bugtraq pointed out, the whole planet isn't run on Linux, so StackGaurd isn't always an option. Plus, it's best to fix the whole and not rely on the OS to catch your mistake

Some of these problems are somewhat understandable, as the ratings are created by humans, fallible as we are; however, given the great number of errors that exist, it is nearly unforgiveable for a company that claims "strict, objective criteria" and wants to make money off our privacy concerns, to blatantly mislead the public into thinking they're the "privacy standard". And more along those lines, how much do we trust a company who's entire business is based upon making money off our privacy, and who's trying sell a "wallet" and other services that are intimately related to how customers feel about the privacy of a site.

And then there's that insipid name...

According to this article on ZDNet some people think that the current laws getting ready to be passed regarding digital signatures might not be in the best interests of the consumer. Funnily enough the voice quoted is that of Zero Knowledge Systems who have recently patented a system for digital signatures which are capable of only releasing a portion of your credentials to a remote site.

Still I like what I've seen from ZKS so far and some good points are made.

Many of the cypherpunk usual suspects were off attending the Computers, Freedom, and Privacy Conference in Toronto. We hear that they held a meeting on Saturday at the Toronto City Hall--we imagine that we'll hear more from the cavorting conference-goers as they straggle home.

Articles on the Junger case: CNET & Wired

On another note, Cohn and the EFF may soon be launching BXA Watch, a community watchdog organization that will keep an eye on the Bureau of Export Administration. Cohn fears that the BXA might attempt to reintroduce stricter crypto export regulations. Stay tuned.

Article Stolen from Technocrat: According to this article (in German but Babelfish is your friend) the committee "citizen rights, internal affairs, and law" of the European parliament requires an end to anonymity on the Internet. In a report the committee also suggests that ISPs should be forced to enable the identification of email users and store connection data for up to 3 months.

The recommendations of the parliament are not binding however. The council for justice and internal affairs makes the final decision over the directive.

See also End of Anonymity (in German too) for a more in-depth article.

"Sources also suggest that the document was posted to a Usenet group, but was quickly deleted by a Ministry of Defence autobot, a software agent that autodeletes questionable Usenet postings from the servers of Usenet-enabled Internet service providers (ISPs) around the world."

Sounds like Scientologists. Oh yeah, Riccochet works great in the SeaTac airport.

I wanted to address the "key escrow" issue that you have raised regarding ZixMail.

The quote that you reference was from last July - when the escrow was required for "hard" encryption. That requirement was eliminated in December - and we do not keep an escrow of any kind.

I would like to invite you to come to Dallas and visit our data center. I will personally walk you through the system design, etc...

Let me know if you are interested in coming to Dallas.

Thanks

David Cook (CEO)
ZixIt Corporation

My efforts to contact ZixMail about this yesterday failed, and I apologize for the outdated information. Hopefully they're working on replies to our other advice:

• Open source their (crypto) code
• Embrace at least one of the existing standards for encrypted email (PGP &/or S/MIME).

• Given the lack of end to end protection (encryption, et al.) of data on the Internet as it stands today, there are plenty of opportunities for wiretapping external to any standard.
• Providing such backdoors, may be illegal in some privacy-conscious jurisdictions.
• Such things would greatly complicate protocols as backdoors, and backdoors to backdoors, would need to be created.
• The concept if foreign to their views on privacy (RFC1984).
• The wiretapping technologies would, in their minds, need to be documented fully, possibly negating the effects of the wiretapping or the usage of the protocol.

Good for them! Good for us.

Second, Is there a key escrow for ZixMail?

In order to obtain worldwide encryption export approval from the Commerce Department - for encryption that the National Security Agency cannot break - there is a requirement that a secure key escrow be established, normally with a "trusted third party". This escrow can be accessed only by court order from a federal court of competent jurisdiction.

CustomTracks has been approved to be its own "trusted third party". The escrowed keys, however, are encrypted by public key cryptography and can only be decrypted by a private key that is unknown to CustomTracks or ZixMail.

• Eliminate key escrow
• OpenSource their code
• Embrace at least one of the existing standards for encrypted email (PGP &/or S/MIME).

In the mean time they can start by leveling with their customers. I can find no mention of key escrow on the ZixMail site.

What with all this fun, what will the coming week bring?

Always having been one to be amused by the masses finding new ways to thumb their collective noses at authority figures I was intrigued. Distribute a client (in this case just an HTML file) to LOTS of people and then have them use this to take down an enemies server. They are even going to warn them that the attack is coming.

As fasincated as I am I must admit that my first thought was that if i was the victim I'd be covering my odds by harvesting as much information as I could from the maruaders to sell to someone. Surely information on people who hate you has to be worth money to someone. Got the email address of 10,000 people who hate genetically modified food, why not sell it to a health food chain.... or something.

More info here: Microsoft officials announced today a proposed acquisition of the National Security Agency. In a move to bolster their dominance in the growing privacy invasion market, Microsoft will rebrand the NSA as MSNSA and leverage its worldwide customer base to improve surveillance penetration. Microsoft claims it has already incorporated leading spy technology into all its products, and this is a logical progression, giving them access to key intellectual property, and all the other information in the world. NSA officials commented that "Microsoft has been a valuable partner for over 15 years, our union can eliminate the threat of privacy from Amercans once and for all."

#chmod 700 .profile

This is based on the Fair Credit Reporting Act, one of the few strong bits of legislation that consumers have going for them.

In layman's terms, ZKS now has the technology to deploy anonymous digital cash that rivals the Chaumian offline blinding protocol. Additionally, their "Minimum Disclosure Privacy" scheme overcomes vast privacy violations inherent in today's PKI models.

The Wall Street Journal will break the story today, Wired will probably have a piece by Declan McCullagh before long. Remember, you heard it first from Shmoo.

UPDATE by gdead: As usual, Pablos nails it. Here's the Wired article on this.

According to the report, "it would seem that the creation of Microsoft was largely supported, not least financially, by the NSA, and that IBM was made to accept the (Microsoft) MS-DOS operating system by the same administration."

It said that the Pentagon was Microsoft's biggest client in the world.

It's available at his web site in HTML, Postscript and plain text. [Note: the secure server certificate isn't signed by a known CA so you have to be using a browser capable of approving a custom certificate.]

Woohoo, CRL's from the sky.

There are all sorts of things that are unclear from the article, especially when it comes to backward compatibility with current digital devices, how the CRL's are actually applied, whether legitimate owners of devices with violated keys get screwed, and what kind of power this satellite network has, but I can already smell a DeCSS-like lawsuit on its way.

[Note: I'm not sure if this is a legit technical glictch or if something ill is in the works, but the pigdog.org site just disappeared and went back to the default ISP's page. Fortunately I had just put up a mirror and it is still available. - larry]

Developed by 7val, Location Poisoning is a new and especially abusive technology for user-tracking.

A new device (ed. not sure how new but i hadn't heard of it before) to track customers using DNS instead of cookies, so it's harder to circumvent. Unfortunately it somewhat abuses the way DNS and HTTP work and is considered by some to be a "Bad Thing[tm]".

Read more at http://www.lemuria.org/Software/unpoison/, including a way to circumvent it using a squid proxy.

Maybe a slightly glorified claim, but none the less and interesting counterpoint to recent claims that employing hackers as security experts is "like hiring an arsonist to be your fire marshal".

Read more at CNN.

While we will primarily focus upon Mac OS X Server, Mac OS X, and Darwin, we recognize the number of admins that are managing Mac OS 8.x/9.x computers. We will post any relevant info we find useful in this domain, especially when the revelations deal with the joining of the two worlds.

We have several projects forthcoming, and we welcome any suggestions for possible ports of security applications and services for Mac OS X Server. Subscribe to mso-announce for updates on our projects, announcements, and other happenings at MacSecurity.org.

We are also starting a new mailing list devoted to discussing Mac OS security problems, and solutions. Here again the intent is to focus on Apple's BSD-based operating systems, though all of Apple's operating systems are welcome for discussion. There has been little organized (or other) talk of security when it comes to Mac OS X Server. We hope this list will foster better communication throughout the user base, especially looking forward to the general release of Mac OS X (client) upon the traditional Mac OS population. We hope that everyone interested will subscribe.

For members of the macosx-admin and macosx-talk lists, we'll be hosting a searchable, continuously updated archives of the venerable Omnigroup lists.

Well, we hope this has whet your appetite. There will be more content forthcoming (not limited to software and ports, but including white papers and FAQ's on best practices and such) as we see what the public's needs are, and how we can best serve them. We encourage you to visit often and offer feedback on what you'd like to see from the group.

Thanks for your time, and happy browsing.

NOTE: We are currently looking for one or two individuals willing to test software and policies we develop from time to time. We unfortunately do not have the resources to test on all our target platforms, and so need a little help covering the other bases. Right now, we need a user(s) who has access to a machine running Darwin, and a machine running the Mac OS X DP/Beta's. Fortunately we think the software we port to MOSXS will run on both platforms, but can not know for sure since we cannot run either OS. Interested parties should drop a note to curator. Thanks again.

Doesn't that give you a warm glowy feeling of comfort? After all I'm sure they had their employees best interests at heart ...

And we think Echelon is bad.

Perhaps the Russians will spearhead widespread encryption of Internet traffic. Perhaps the Dumas will just mandate some sort of key escrow for everyone in that event. Who knows?

References to a project Echelon have been found for the first time in declassified National Security Agency documents, says the researcher who found them.

After combing through declassified National Security Agency documents, Jeffrey Richelson, a researcher for the National Security Archives, has concluded that Echelon -- the purported name of the alleged international project for intercepting all forms of electronic communication -- does exist.

Read more at Wired.

Animosity++;

While I have an urge to continue to mock Microsoft for this, I must give them credit for actually patching it, even though they may suffer the PR lash back. The biggest shame is that it is another operating system that needs to be patched out of the box.

Also, sorry for the DVD centric news lately, but we think this will prove to be very important stuff in the long run.

• Conflicts of interest with security advocacy by commercial security companies.
• A pointer to the Counterpane review of IPSec.
• A rap on Netscape's corporate head about their password encryption.
• Essay on block and stream ciphers.
• Responses to reader mail.

Happy reading.

While definitely a very good thing, the rules still seem awfully complicated and occasionally vague, thus still requiring lawyers. However, we entreat you to read the regs for yourselves.

Entrust has filed antitrust papers against Verisign who late last year announced their intention to purchase Thawte Consulting. The move follows a Virginia court's dismissal of Entrust's attempt to obtain a temporary restraining order against the takeover. Entrust, like several of us, are concerned that the combined companies will account for 99% of the certificate issuance market.

Pablos: This isn't as noble as it sounds. CDUniverse should have paid the hacker. It was their obligation to secure the data & they didn't do it. Now it is other merchants who will absorb the fraud associated with those 300,000 card numbers, not CDUniverse.

I can't imagine how this is going to be managed from a legal and political point of view. Foreign countries already get pretty hacked off when we send jets over their countries to go bomb the living daylights out of some dictator's people. Imagine what they're going to do when we start using some of their infrastructure, especially when you consider the often relatively small pipe to and from the countries in transit from the US to the target. Imagine if the Croats and the US get into some cyber-pissing match in the middle of war, thus hogging all or major portions of the bandwidth of the transit countries (or providers). Said countries (or providers) then rip down the circuits in question (or black hole them). Then what are the hackers on either side to do? Suppose MCI, AT&T or someother provider decides the US military is hogging to much bandwidth, or the Iraqis decide that attacking the US provider networks is the best way fight. The the providers then drop all of the US military traffic. What does the military do then? Require MCI or whoever to allow the traffic? At that point, the government is nationalizing the entire network between the US and the target country. Yeah, that'll go over well.

Another interesting point, while there was much hype surrounding "Y2K Virus" threats, i.e. those virii coded specifically to wreak havoc at the rollover, CERT has issued a statement as to their assessment of the actual threat of this happening. Original estimates were in the thousands, now *poof* apparently not many are expected. As someone who wasted quite a bit of time on this subject, I'm a bit miffed.:)

Round 2 begins January 14, 2000.

Consider this: Does Yahoo! have a contractual obligation to post its privacy policy in order to be a Truste member? Will Truste sue if Yahoo! complies with the restraining order? Shift-Colon-Q-Bang-halt.

For three months beginning in May, the auditors rummaged through high-level administrative and financial system computer files at the Pension Benefit Guaranty Corp. in Washington, their activities undetected. Full Text.

Given the importance of anonymity as a component of free speech, the cost of banning anonymous Internet speech would be enormous. It makes no sense to treat Internet speech differently from printed leaflets or books." - Executive Summary

The Bunker offers the ultimate in protection from a myriad of attacks, including crackers, terrorist attack, electro-magnetic pulse, electronic eavesdropping, HERF and Solar flares.

How afraid are we to find out what may be in those documents?

Any feedback on it is welcome.

• A recent lawsuit in Virginia by several ISP's, and a free speech organization, against the Virginian government for violation of Virginian free speech laws was thrown out... because they sued the wrong people.
• After receiving a ton of e-mail mocking a proposed depricatory cash carry tax, the Richmond Federal Reserve clarified it position on the topic, pointing out it was only a hypothetical statement, and no legislation has ever actually been sought.
• According to the IETF chairman the battle over implanting wiretaping capabilities in Internet standards may not be over.

"Echelon is perhaps the most powerful intelligence gathering network in the world," said Barry Steinhardt, Associate Director of the ACLU. "But it is still very much a black box, which apparently operates without the oversight of Congress or the courts."

"It appears that the U.S. government is once again spying on Americans' private communications," said Gregory T. Nojeim, a legislative counsel in the ACLU's Washington National Office. "Congress must determine if Echelon is as sweeping and intrusive as has been reported, and most importantly, it must ensure that Americans' conversations are not intercepted without a court order."

More at Independant News.

Apparently an MSNBC article broke the story, of all places. Quote from the story: "The virus can only run if Internet Explorer 5.0 with Windows Scripting Host is installed (standard in Windows 98 and Windows 2000 installations). If security settings for Internet Zone in IE5 are set to High, the worm will not be executed. It does not run on Windows NT." ZDNet also has a story about this "Bubbleboy" virus. McAfee weighs in too.

Of course, we stole this tidbit from Slashdot.

The New Scientist - SOFTWARE that allows a computer to receive radio signals could make spying on other computers all too simple, according to two scientists at the University of Cambridge. Such are the dangers that they are patenting countermeasures that computer manufacturers can take to foil any electronic eavesdroppers.

you can get openssh from via anonymous cvs:

mkdir openssh && cd openssh
CVSROOT=anoncvs@anoncvs.ca.openbsd.org:/cvs
CVS_RSH=/usr/bin/ssh
cvs get src/usr.bin/ssh

Why the DVD Hack Was a Cinch by Andy Patrizio

2:15 p.m. 2.Nov.1999 PST
The anonymous developers of the decryption program that removes DVD copy protection had an easy time doing it, thanks to a gaffe by a software developer and the surprising weakness of the encryption technology.

See also: DVD Piracy: It Can Be Done & Catch the buzz in Hollywood Tech