From Q.G.Campbell@newcastle.ac.uk Fri, 1 Jun 2001 12:33:45 +0100 Date: Fri, 1 Jun 2001 12:33:45 +0100 From: Q G Campbell Q.G.Campbell@newcastle.ac.uk Subject: FW: Gibson stops 13-year-old DOS `terrorist,' but says W2K and XP will fail and fall The URL http://grc.com/dos/grcdos.htm is recommended as an interesting and detailed analysis of a DDoS attack that was made recently on the Gibson Research Corporation router. The URL offer a lot more besides including a strongly argued case that DDoS and a new MS operating system may prevent the growth of a stable Internet economy. Although his story is not directly crypto related [and thus do not read any further!], the concerns that Steve Gibson raises about the inclusion of full Unix-like socket functionality into Windows XP, and about the possible consequences for a stable Internet economy, are relevant to threads appearing on this list.=20 Steve Gibson also makes reference to the use of "spy-bots" and "zombie-bots" as useful tools for hacking/DoS, etc, and provides some useful insights into the motives and methods of people involved in these activities. While it is arguable whether the experience he describes amounts to "terrorism", from ones own experience it is not difficult to recognise some truths in (for example): "From my dialog with "Wicked" [one of the poeple involved in the DDoS], I saw that these repeated attacks were "fun" for him. He was like a child pulling the legs off a spider to see what it would do, watching it flail and attempt to get away from its tormentor. And, as we have seen, he experiences absolutely no remorse and has no regard for any damage being done as a consequence. He believes that he can not and will not be caught. Hiding behind the anonymity created by the Internet's trusting technology, he exhibits no social conscience."=20 Gibson then goes onto say: "I hope it is becoming clear to everyone reading this, that we can not have a stable Internet economy while 13 year-old children are free to deny arbitrary Internet services with impunity."=20 This poses an interesting question for the Home Secretary to consider. What is potentially more damaging to the growth of an Internet based economy: Paedophiles targeting 13-year-old children on the Internet OR 13-year-old-children hackers targeting the Internet? Quentin From nexus@patrol.i-way.co.uk Fri, 1 Jun 2001 12:49:42 +0100 Date: Fri, 1 Jun 2001 12:49:42 +0100 From: Nexus nexus@patrol.i-way.co.uk Subject: Gibson stops 13-year-old DOS `terrorist,' but says W2K and XP will fail and fall Or a 13 year olds usings worms that target computers that have suspected paedo-files on their drives... http://www.newsbytes.com/news/01/166164.html http://www.symantec.com/avcenter/venc/data/vbs.noped.a@mm.html Cheers, JJ ----- Original Message ----- From: "Q G Campbell" To: Sent: Friday, June 01, 2001 12:33 PM Subject: FW: Gibson stops 13-year-old DOS `terrorist,' but says W2K and XP will fail and fall [snip] > This poses an interesting question for the Home Secretary to consider. > What is potentially more damaging to the growth of an Internet based > economy: Paedophiles targeting 13-year-old children on the Internet OR > 13-year-old-children hackers targeting the Internet? > > > Quentin > > From anthony.naggs@atrial.com Fri, 1 Jun 2001 14:02:59 +0100 Date: Fri, 1 Jun 2001 14:02:59 +0100 From: anthony.naggs@atrial.com anthony.naggs@atrial.com Subject: US endorses FBI hacking of foreign computers (?) http://www.theregister.co.uk/content/6/19360.html Apparently the FBI invited some Russian hackers to the USA to demonstrate their hacking skills. When the Russians accessed their home computers, to get tools, the FBI recorded the login information - which they then used to 'inspect' the overseas computers for 'evidence' of other hacking activities. A US judge seems to think this is just dandy, but it seems dodgy to me on several counts. The usual question in any kind of sting is how much the FBI acted as an agent provocateur. The FBI's unauthorised access to the computers is as bad as the alleged hackers doing something similar - worse in that the FBI should be setting an example in follow the relevant rules. (In this case getting a Russian warrant.) The law should apply to everyone equally! Also one has to be suspicious of the evidence of any remote access like this, as there is no opportunity for the data to be copied or preserved in a trusted way - so that the content of the hard disk at the time of seizure is preserved and available for a defence expert to examine. Cheers, Tony From nexus@patrol.i-way.co.uk Fri, 1 Jun 2001 14:41:07 +0100 Date: Fri, 1 Jun 2001 14:41:07 +0100 From: Nexus nexus@patrol.i-way.co.uk Subject: [Spy News] MI5 builds new centre to read e-mails on the net (fwd) I wasn't aware that political ideals were nation-centric ? So some of us brits are communists, some are facist, some are Monster Raving Loony and some like me are apolitical. Goverments will always want to try and know everything about everyone, we all know this. Then again, some people send multiple duplicate emails from Florida International University.... *shrug* ----- Original Message ----- From: "Markku Saarelainen" To: ; Sent: Thursday, May 31, 2001 8:32 PM Subject: Re: [Spy News] MI5 builds new centre to read e-mails on the net (fwd) > > Yes .. Brits are known to be communists ... I had a penpal in the U.K., when I grew up. I used to exchange my letters regularly. I mailed my letters in sealed envelops. I hope they did not break my privacy rights and opened these my "little boy" envelops before these letters reached my penpal. Nowadays, these Brits are trying to control everything. What communists they are. > > MI is very actively involved in the commercial and business intelligence. > > > Join 18 million Eudora users by signing up for a free Eudora Web-Mail account at http://www.eudoramail.com > > From oml@eloka.demon.co.uk Fri, 1 Jun 2001 15:57:40 +0100 Date: Fri, 1 Jun 2001 15:57:40 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: US endorses FBI hacking of foreign computers (?) > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of > anthony.naggs@atrial.com > Sent: 01 June 2001 14:03 > To: ukcrypto@chiark.greenend.org.uk > Subject: US endorses FBI hacking of foreign computers (?) > > > http://www.theregister.co.uk/content/6/19360.html > > Apparently the FBI invited some Russian hackers to the USA to > demonstrate their hacking skills. When the Russians accessed > their home computers, to get tools, the FBI recorded the login > information - which they then used to 'inspect' the overseas > computers for 'evidence' of other hacking activities. > > A US judge seems to think this is just dandy, but it seems dodgy > to me on several counts. > > The usual question in any kind of sting is how much the FBI acted > as an agent provocateur. > > The FBI's unauthorised access to the computers is as bad as the > alleged hackers doing something similar - worse in that the FBI > should be setting an example in follow the relevant rules. (In this > case getting a Russian warrant.) The law should apply to everyone > equally! > > Also one has to be suspicious of the evidence of any remote > access like this, as there is no opportunity for the data to be > copied or preserved in a trusted way - so that the content of the > hard disk at the time of seizure is preserved and available for a > defence expert to examine. You touch a sensitive area, i.e.. the pursuit of lawful ends by unlawful means. In truth this has a long history, the roots of which are in warfare itself. As the 'battle' against crime has come (at the police's urging) more and more to be perceived as a 'war', so the historic sanction by states of seriously criminal acts at the instruments of war slips onto the shoulders of those engaged properly only in policing. Perhaps by no coincidence, what was once termed 'war' between states has this last 50 years been almost always (in the West) termed as a 'police action. Thus, befuddling important issues by the manipulation of language, we arrive at a point where (in this fair land): 1. The courts will accept as good evidence material which itself was unlawfully obtained. 2. Unfair acts and even unlawful acts in pursuit of evidence become a commonplace. As with much else, this is not 'oppressive' in the sense that these tactics are forced on an unwilling public. Rather, the public mainly welcome them and would have the police venture further and faster than they are generally prepared to go. I.e. the policy in this area is at the training rather than at the leading edge of what the public will accept and the courts will bless. You may remember the instance a few years' back where 6 set up a bank in the Turks & Caicos, where it proceeded to trail its coat for 'dirty' business? Sho nuff, when some millions of drugs money had been deposited, the customers were nabbed and the funds confiscated by a grateful UKG. Right or wrong? You tell me. All I know is that the man in the street thought it a pretty neat trick. Owen From ben@algroup.co.uk Fri, 01 Jun 2001 16:25:36 +0100 Date: Fri, 01 Jun 2001 16:25:36 +0100 From: Ben Laurie ben@algroup.co.uk Subject: US endorses FBI hacking of foreign computers (?) anthony.naggs@atrial.com wrote: > > http://www.theregister.co.uk/content/6/19360.html > > Apparently the FBI invited some Russian hackers to the USA to > demonstrate their hacking skills. When the Russians accessed > their home computers, to get tools, the FBI recorded the login > information - which they then used to 'inspect' the overseas > computers for 'evidence' of other hacking activities. Pretty dim hackers, then! Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff From Q.G.Campbell@newcastle.ac.uk Fri, 1 Jun 2001 16:26:57 +0100 Date: Fri, 1 Jun 2001 16:26:57 +0100 From: Q G Campbell Q.G.Campbell@newcastle.ac.uk Subject: US endorses FBI hacking of foreign computers (?) [snip] > As with much else, this is not 'oppressive' in the sense that=20 > these tactics are forced on an unwilling public. Rather, the=20 > public mainly welcome them and would have the police venture=20 > further and faster than they are generally prepared to go. Really? Oppressive tactics ARE forced on an unwilling public. Pace armed and trigger happy Police who can seemingly shoot anyone without penalty in law. So the public welcome the shooting dead by the Police of an unarmed naked man because an incompetent Police Force (Sussex) sent incompetent armed officers to the wrong address? This was another case where the court held that no individual Police officer was criminally responsible. Whether by incompetence or willfullness LEAs appear to be getting away with murder, in all senses of that word. Right or wrong? You tell me. All I know is that the familly of the man in the street wouldn't think it a pretty neat trick if he was the victim. Quentin From donald@ramsbottom.co.uk Fri, 01 Jun 2001 16:35:15 +0100 Date: Fri, 01 Jun 2001 16:35:15 +0100 From: Donald ramsbottom donald@ramsbottom.co.uk Subject: US endorses FBI hacking of foreign computers (?) At 02:02 PM 6/1/01 +0100, you wrote: > http://www.theregister.co.uk/content/6/19360.html > >Apparently the FBI invited some Russian hackers to the USA to >demonstrate their hacking skills. When the Russians accessed >their home computers, to get tools, the FBI recorded the login >information - which they then used to 'inspect' the overseas >computers for 'evidence' of other hacking activities. > >A US judge seems to think this is just dandy, but it seems dodgy >to me on several counts. SNIPS This story surfaced several weeks ago when the "bust" first "went down". As I said then (and will repeat for those that missed it), it is in the FBI's job description to spy on "foreign nationals" (foreign being none US citizens) in the US and to gather intelligence on them or their associates. They were just doing their job, like it or not. If they had done it to US citizens in the US, without proper authority, they would have been in breach of local (i.e. US) law. So far as "spying" on Russian computers is concerned in Russia, I think you will find the FBI is just the tip of the Iceberg ;) I am not passing a moral judgement just observing the law as I perceive it to be within a given jurisdiction. Again as I said some weeks ago, if I am wrong no doubt someone will point it out. Donald Ramsbottom BA LLb (Hons) PGdip Ramsbottom & Co Solicitors Internet and Global Encryption Law Specialists & General UK Law Matters 5 Seagrove Avenue Hayling Island Hampshire UK Tel (44) 023 9246 5931 Fax (44) 023 9246 8349 Regulated by the Law Society in the conduct of Investment business Service by Fax or Email NOT accepted From nexus@patrol.i-way.co.uk Fri, 1 Jun 2001 16:45:41 +0100 Date: Fri, 1 Jun 2001 16:45:41 +0100 From: Nexus nexus@patrol.i-way.co.uk Subject: US endorses FBI hacking of foreign computers (?) Indeed, very much against what I consider to be a fundamental rule of computer security: Anything that you do not own and did not build yourself is always unrusted and should be considered totally hostile. Access my stuff from someone elses system ? Yeah, right. Of course now that the US has OK'd this activity, will we now see a national goverment global hackfest ? Anyone for a game of "capture the flag" for real ? ;-) JJ ----- Original Message ----- From: "Ben Laurie" To: Sent: Friday, June 01, 2001 4:25 PM Subject: Re: US endorses FBI hacking of foreign computers (?) [snip] > Pretty dim hackers, then! > > Cheers, > > Ben. > > -- > http://www.apache-ssl.org/ben.html > > "There is no limit to what a man can do or how far he can go if he > doesn't mind who gets the credit." - Robert Woodruff > > From jya@pipeline.com Fri, 01 Jun 2001 11:38:17 -0700 Date: Fri, 01 Jun 2001 11:38:17 -0700 From: John Young jya@pipeline.com Subject: US endorses FBI hacking of foreign computers (?) Owen wrote: >Right or wrong? You tell me. All I know is that the man in the street >thought it a pretty neat trick. Indeed, as do most citizens of the Echelon cartel believe it to be hunky-dory. And why the EP believes it best to beg inclusion in Echelon protectitive custody than to resist it. What is not clear in the upbeat promise of illegal action in the national interest is what are its limits, and how can one know when what the programs actually do and by what means are ever so carefully secreted. A few days ago a US official warned of the need for controlling criminal behavior by officials of law enforcement, justice and national security. Yes, yes and yes. Not stated by the official is who shall watch the super-moral investigators, judges and spies happily reporting malfeasance by everyone except themselves. Certainly not the public who are ever encouraged to love neat tricks by trusted homeboys. From daw@mozart.cs.berkeley.edu 1 Jun 2001 21:30:11 GMT Date: 1 Jun 2001 21:30:11 GMT From: David Wagner daw@mozart.cs.berkeley.edu Subject: FW: Gibson stops 13-year-old DOS `terrorist,' but says W2K and XP will fail and fall Q G Campbell wrote: >The URL offer a lot more besides >including a strongly argued case that DDoS and a new MS operating system >may prevent the growth of a stable Internet economy. That part was pretty hard for me to take seriously. It is already possible to send spoofed packets; you don't need a new MS OS for that. From acr@als.co.uk Fri, 1 Jun 2001 23:04:23 +0100 Date: Fri, 1 Jun 2001 23:04:23 +0100 From: Alan Ramsbottom acr@als.co.uk Subject: FW: Gibson stops 13-year-old DOS `terrorist,' but says W2K and XP will fail and fall From: "David Wagner" > That part was pretty hard for me to take seriously. It is > already possible to send spoofed packets; you don't need a > new MS OS for that. Exactly and I suspect Gibson also knows his "impossible" claim is nonsense having simultaneously promised us the Spoofarino[tm] utility. -Alan- From jei@cc.hut.fi Sat, 2 Jun 2001 00:45:21 +0300 (EET DST) Date: Sat, 2 Jun 2001 00:45:21 +0300 (EET DST) From: Jei jei@cc.hut.fi Subject: [Spy News] ECHELON: Call to come clean on 'spying system' (fwd) ---------- Forwarded message ---------- Date: Fri, 1 Jun 2001 14:42:27 +0200 From: Mario Profaca Reply-To: spynews@yahoogroups.com To: "[Spy News]" Subject: [Spy News] ECHELON: Call to come clean on 'spying system' Call to come clean on 'spying system' http://www.thisisthenortheast.co.uk/the_north_east/richmond/news/NEWS5.html by Nick Morrison EURO MP David Bowe has called on the Government to lift the lid on a secret spying system following a critical report. The Yorkshire and Humber MEP said the report by a special European Parliament committee underlined his concerns over the Echelon network, which includes the Menwith Hill listening base near Harrogate. The report highlighted concerns that Echelon is largely being used to eavesdrop on private and commercial communications, including telephone conversations. Mr Bowe said: "Concerns I have had about the potential misuse of Menwith Hill for commercial espionage have been reinforced by what the committee has found. "There is a very important role for Menwith Hill in terms of collecting information about terrorist threats and organised crime, but we really do need stricter controls." The European Parliament committee said the UK, as the only EU country involved in Echelon, could be in breach of the European Convention on Human Rights over the right to privacy. It warned that the only way for individuals and companies to protect their communications was to start encrypting all e-mails and faxes. Their report came after a year-long investigation, but has been dogged by the refusal of the UK and US governments to cooperate with the inquiry, or even to admit Echelon exists. The committee claimed their evidence proved that Echelon did exist and was used to listen to private and business communications. Mr Bowe said: "Local people deserve far more information and we need a proper system of scrutiny over how these bases operate and the implications for local communities." --- FYI: This mail sent by Mario Profaca is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.255 / Virus Database: 128 - Release Date: 17. 05. 01 ============================================== SPY NEWS is OSINT newsletter and discussion list associated to Mario's Cyberspace Station http://mprofaca.cro.net/mainmenu.html ============================================== *** NOTICE: In accordance with Title 17 U.S.C. Section 107, this material is distributed without profit to SPYNEWS eGroup members who have expressed a prior interest in receiving the included information for non-profit research and educational purposes only. For more information go to: http://www.law.cornell.edu/uscode/17/107.shtml ---------------------------------------------- To subscribe SPYNEWS send a blank message: mailto:spynews-subscribe@yahoogroups.com To change your subscription mode to Daily Digest (one message a day) send a blank message: mailto:spynews-digest@yahoogroups.com To unsubscribe SPYNEWS send a blank message: mailto:spynews-unsubscribe@yahoogroups.com Mario Profaca, independent journalist, SPY NEWS eGroup list owner, editor & moderator, is a member of of the Committee of Concerned Journalists, an initiative administered through the offices of the Project for Excellence in Journalism in Washington, D.C. mailto:mprofaca@jagor.srce.hr SPY NEWS home page: http://groups.yahoo.com/group/spynews Spy books, handbooks and manuals: http://mprofaca.cro.net/spybooks.html ============================================= Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/ From jei@cc.hut.fi Fri, 1 Jun 2001 15:05:38 +0300 (EET DST) Date: Fri, 1 Jun 2001 15:05:38 +0300 (EET DST) From: Jei jei@cc.hut.fi Subject: [Spy News] Duncan Campbell: Germany, UK breaching human rights with NSA spy link-up (fwd) ---------- Forwarded message ---------- Date: Thu, 31 May 2001 19:39:07 +0200 From: Mario Profaca Reply-To: spynews@yahoogroups.com To: IntelForum , "[Spy News]" Subject: [Spy News] Duncan Campbell: Germany, UK breaching human rights with NSA spy link-up Germany, UK breaching human rights with NSA spy link-up http://www.heise.de/tp/english/inhalt/te/7753/1.html Duncan Campbell 27.05.2001 Echelon system identified as "legislation-free zone" Composite Signals Organisation Station Morwenstow, run by Britain's GCHQ, was the first station built to intercept civil commercial satellite communications as part of the ECHELON system http://www.heise.de/tp/english/inhalt/te/7753/7753_3.jpg Echelon committee vice-chairman Neil MacCormick (Scotland) wants to see legal changes to protect private communications; meanwhile "people should treat their e-mails like seaside postcards" that anyone else can read. http://www.heise.de/tp/english/inhalt/te/7753/7753_2.jpg The job of the US Department of Commerce's Advocay Center is to "aggressively support U.S. bidders in global competitions where advocacy is in the national interest". http://www.heise.de/tp/english/inhalt/te/7753/7753_1.jpg In a major report to be published this week, the Echelon committee of the European Parliament has found that the conduct of electronic surveillance activities by US intelligence breaches the European Convention of Human Rights even when conducted, allegedly, for law enforcement purposes. It concludes that if the British and German governments fail to prevent the improper use of surveillance stations sited on their territory to intercept private and commercial communications, they may be in breach both of community law and of human rights treaties. Two drafts of the proposed EP report, prepared by rapporteur and MEP Gerhard Schmidt, were leaked earlier this month. The form and wording of the committee's final report is due to be settled by the full committee in a meeting in Brussels on Tuesday 29 May. Comparison of the two drafts shows that the committee was waiting to question American government and trade officials about their use of economic intelligence before making its final comments. But, two weeks ago, the American government decided to snub them after members had already arrived in Washington, abruptly cancelling a series of planned meetings. The declared policy of the US government, as explained last year by former CIA director James Woolsey, is to use the U.S. intelligence system spy on European companies in order to gather evidence of bribery and unfair trade practices. Woolsey said "Yes, my continental European friends, we have spied on you. And it's true that we use computers to sort through data by using keywords". "We have spied on you because you bribe", he wrote in the Wall Street Journal. US economic intelligence policies in support of business and trade were exposed four months ago in a detailed new report to the Echelon committee. That report on "COMINT impact on international trade" is published here exclusively for the first time today. The report traces in detail how U.S. intelligence gathering priorities shifted dramatically after the end of the Cold War, with the result that "about 40 percent of the requirements" of U.S. intelligence collection became "economic, either in part or in whole". The new priorities for economic intelligence were approved by the first President Bush in a document called NSD-67 (National Security Directive 67), issued by the White House on 20 March 1992. By using the CIA and NSA to spy on foreign rivals of American companies, the declared U.S. objective was to "level the playing field" in foreign trade. After the new policies came into force, the incoming Clinton administration set up a new Trade Promotion co-ordinating committee, with direct intelligence inputs from the CIA and direct links to U.S. business through a new "Advocacy Center". Intelligence from NSA and CIA was supplied to the U.S. government department of Commerce through an "Office of Intelligence Liasion", which was equipped to handle intercepted communications such as those supplied by the Echelon network. According to documents provided to the Echelon Committee and now published here, the CIA team in the Commerce Department proposed gathering information on "primary competitors" of American business in a major Asian market. One document shows that, of 16 U.S. government officials attending a meeting on winning contracts in Indonesia, 5 were from the CIA (see Annexe 2-3). Two of the NSA's largest electronic intelligence stations are located at Bad Aibling, Bavaria and Menwith Hill, in England. Both stations intercept satellite communications and use surveillance satellites to collect communications from the ground, anywhere in the western hemisphere. The U.S. congress was recently told that, as a result of "levelling the playing field", American companies gained $145 billion worth of business during the 1990s, after intelligence agencies claimed to have detected and defeated bribery or unfair conduct by foreign competitors. Many such contracts were listed in dossiers of cases publicised during the 1990s. According to reports of "success stories" published by the Advocacy Center, European countries have lost out massively. France lost nearly $17 billion dollars worth of trade, and Germany $4 billion out of a total of about $40 billion. Sweden lost $386 million worth of business, the Netherlands $184 million. Not all "successes" necessarily involved allegations of bribery, but many did. Despite the huge number of cases in which it claims to have detected bribery, the U.S. government has never published any evidence to substantiate its claims. Nor has it instigated any prosecutions. Equally hard to substantiate has been evidence in specific cases where secret interception activities are alleged to have affected a major contract. All of the specific accounts of European business losses, such as the lost of an $8 billion Airbus contract in 1994, were published by the American press, at a time when the Clinton administration wanted to publicise that it was doing its best for business. The clear motive was to tell the Americans that their government and intelligence agencies were now helping with the economy. But when Europe became concerned about the Echelon system, such stories stopped appearing in the U.S. media, and information dried up. Many MEPs suspect that the American claim only to use their secret listening systems, including the Echelon network, to prevent bribery are a smoke screen to cover straightforward spying for business and trade purposes. The report on "COMINT impact on international trade" sets out, with many detailed sources, the case that from 1992 to date Europe is likely to have sustained significant employment and financial loss as a result of the U.S. government policy of "levelling the playing field". The report does not address whether the U.S. position that such interventions were and are justified by corrupt and or unfair behaviour by foreign competitors or governments are reasonable or, in fact, are true. But it is not necessary to show that intelligence information has been given directly to U.S. corporations for major economic damage to be assessed to have occurred. The boundaries of such estimates could lie between $13 billion and $145 billion. The only certain observation is that the exact figure will never be known. Although failing to find new reports of European business losses beyond those appearing in the American media in 1994-1996, the Echelon committee has found that even if it were proven that bribery was involved, this does not make NSA activities of this kind legal in Europe. The draft report points out that: "The American authorities have repeatedly tried to justify the interception of telecommunications by accusing the European authorities of corruption and taking bribes. It should be pointed out to the Americans that all EU Member States have properly functioning criminal justice systems. If there is evidence that crimes have been committed, the USA must leave the task of law enforcement to the host countries. If there is no such evidence, surveillance must be regarded as unproportional, a violation of human rights and thus inadmissible." Just a week ago, former CIA director Woolsey repeated his claims of European bribery at a meeting in New York. In the context of any such activities conducted at NSA's British and German stations, this now appears to be an admission of unlawful conduct. According to the draft report, "under the terms of the ECHR, interference in the exercise of the right to privacy must be proportional and, in addition, the least invasive methods must be chosen. As far as European citizens are concerned, an operation constituting interference carried out by a European intelligence service must be regarded as less serious than one conducted by an American intelligence service". Not least, this is because European citizens or companies could only get legal redress for such misconduct in national courts, not American courts. "Operations constituting interference must therefore be carried out, as far as possible, by the German or UK authorities, particularly when investigations are being conducted for law enforcement." The draft committee report concludes that "there would seem to be good reason ... to call on Germany and the United Kingdom to take their obligations under the ECHR seriously and to make the authorisation of further intelligence activities by the NSA on their territory contingent on compliance with the ECHR". The IC2001 papers Four new studies on "Interception Capabilities - Impact and Exploitation" were commissioned by the Temporary Committee on the Echelon Interception System of the European Parliament in December 2000. The new studies update and extend the previous EP report, "Interception Capabilities 2000", which was prepared in 1999. They cover the use of communications intelligence (COMINT) for economic purposes, legal and human rights issues, and recent political and technological developments. Among the key topics covered are the documentary and factual evidence for the existence of the COMSAT (communications satellite) intercept system known as "ECHELON". These studies were presented to the Echelon Committee at its Brussels meeting on 22 and 23 January 2001. The fourth study, on new political and technical developments, was presented only in the form of a slideshow. These studies are published with permission from the secretariat of the Echelon Committee. ECHELON and its role in COMINT IC2001, paper 1 http://www.heise.de/tp/deutsch/special/ech/7747/1.html This paper summarises the evidence for the existence of ECHELON as a global interception system. It records official admissions about the secret UKUSA agreement that links English-speaking signals intelligence organisations. The paper also provides detailed answers to questions put by the Committee. It points out that very few media reports have provided original new information about Echelon, and that many press reports have enlarged on the nature of the interception systems and their capabilities, without evidence. COMINT impact on international trade IC2001, paper 2 http://www.heise.de/tp/deutsch/special/ech/7752/1.html Paper 2 sets out, with detailed sources, the case that from 1992 to date Europe is likely to have sustained significant employment and financial loss as a result of the U.S. government policy of "levelling the playing field", introduced in 1991. It also refers to: Annexe 2-1 http://www.heise.de/tp/deutsch/special/ech/7743/1.html Background papers about the U.S. Trade Promotion Co-ordinating Committee (TPCC) and the Advocacy Center, including statements of purpose Annexe 2-2 http://www.heise.de/tp/deutsch/special/ech/7744/1.html A questionaire for U.S. companies to answer in order to determine whether or not they are deemed "American" and thus qualify for official assistance. The questionnaire is also on the internet. http://www.ita.doc.gov/td/advocacy/question.htm Annexe 2-3 http://www.heise.de/tp/deutsch/special/ech/7749/1.html Documents revealing the CIA's role in U.S. trade promotion, obtained under the Freedom of Information Act. Annexe 2-4 U.S. trade "Success stories" affecting Europe - financial and geographical analysis (Editors note: Online version of Annexe 2-4 will follow soon) Many of the stories can be viewed online For example, this report http://www.ita.doc.gov/td/advocacy/Enronin1.htm concerns the controversial power plant at Dabhol, India. COMINT, privacy and human rights IC2001, paper 3 http://www.heise.de/tp/deutsch/special/ech/7748/1.html This paper reveals that Britain undertakes to protect the rights of Americans, Canadians and Australians against interception that would not comply with their own domestic law, while offering no protection of any kind to other Europeans. This and other background papers provided to the Echelon committee have prompted them to observe that "possible threats to privacy and to businesses posed by a system of the ECHELON type arise not only from the fact that is a particularly powerful monitoring system, but also that it operates in a largely legislation-free area." Other Reports The committee were also given copies of three key articles about US intelligence and economic activity: "Why We Spy on Our Allies", http://cryptome.org/echelon-cia2.htm by James Woolsey, former director of the CIA, Wall Street Journal, 17 March 2000. "It's true that we use computers to sort through data by using keywords. Have you stopped to ask yourselves what we're looking for?" "U.S. spying pays off for business" by Bob Windrem, NBC News Online, 15 April 2000 Originally published at MSNBC http://www.msnbc.com/news/394993.asp This link is broken, but an alternative copy is here http://www.dei.uc.pt/majordomo/sociedade/msg01132.html and on other sites. "U.S. companies have benefited when U.S. intelligence redirected its Cold War assets towards economic intelligence." " U.S. steps up commercial spying http://www.msnbc.com/news/403435.asp - Washington gives companies an advantage in information", by Bob Windrem, NBC News Online, 7 May 2000. Again, the link has recently been broken, but an alternative copy is at www.gn.apc.org/cndyorks/caab/articles/spying.htm. "Documents, all published during the Clinton administration, appear to confirm reports that America's electronic eavesdropping apparatus was involved in commercial espionage." --- FYI: This mail sent by Mario Profaca is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.255 / Virus Database: 128 - Release Date: 17. 05. 01 ============================================== SPY NEWS is OSINT newsletter and discussion list associated to Mario's Cyberspace Station http://mprofaca.cro.net/mainmenu.html ============================================== *** NOTICE: In accordance with Title 17 U.S.C. Section 107, this material is distributed without profit to SPYNEWS eGroup members who have expressed a prior interest in receiving the included information for non-profit research and educational purposes only. For more information go to: http://www.law.cornell.edu/uscode/17/107.shtml ---------------------------------------------- To subscribe SPYNEWS send a blank message: mailto:spynews-subscribe@yahoogroups.com To change your subscription mode to Daily Digest (one message a day) send a blank message: mailto:spynews-digest@yahoogroups.com To unsubscribe SPYNEWS send a blank message: mailto:spynews-unsubscribe@yahoogroups.com Mario Profaca, independent journalist, SPY NEWS eGroup list owner, editor & moderator, is a member of of the Committee of Concerned Journalists, an initiative administered through the offices of the Project for Excellence in Journalism in Washington, D.C. mailto:mprofaca@jagor.srce.hr SPY NEWS home page: http://groups.yahoo.com/group/spynews Spy books, handbooks and manuals: http://mprofaca.cro.net/spybooks.html ============================================= Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/ From octobersdad@reporters.net Fri, 1 Jun 2001 13:56:07 +0100 Date: Fri, 1 Jun 2001 13:56:07 +0100 From: T Bruce Tober octobersdad@reporters.net Subject: RIP Echelon? Naaaa, but... -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 And the latest news is that security experts are warning against getting too heavily dependent on encryption because it means you have to open email to see what's in it which could result in viruses being spread more easily and undetected till it's too late. and with regard the RIP bill, even Patricia Hewett MP the minister in charge of ecommerce says RIP is unworkable unless... and the tories vow to revoke it if it becomes law (which I thought it had already). For details see - -- | Bruce Tober, , | *.* *.* *.* *.* | Birmingham, UK, EU +44-780-374-8255 (Mobile) +44-1562-638-704 (Landline) | -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBOxeQ50lMGg3Z3q20EQLLXwCg0wyANUHZW8S2qd9xmv7mM+c1HXEAoOXN Vu2w7y/HlJo0nzURxxK26hGe =OoRV -----END PGP SIGNATURE----- From Donald.McIntosh@accaglobal.com Fri, 1 Jun 2001 16:25:58 +0100 Date: Fri, 1 Jun 2001 16:25:58 +0100 From: McIntosh Donald Donald.McIntosh@accaglobal.com Subject: crypto cards I've been bench testing one of these cryptographic accelerator cards, manufactured by a company I shall refrain from naming in case any of the more paranoid readers of this list mistake me for a plant. I was a bit sceptical about how effective it would be at increasing the number of SSL connections our webservers can handle. Given that they are pretty expensive, the card has been dipped in resin to comply with some FIPS regulations, and you can buy a "fast" or "very fast" card, I was tempted to think all this pointed to an expensive gimmick more than an effective solution. However we upped our SSL connections per second from around 30 to about 180, which is pretty good. The card can do more than that but our on-board CPU couldn't cope with any more, even thought it was handing off much of the processing. I was just curious to know what experiences anyone else had with these accelerators and if people found them to be effective. Donald. From jonc@lacunae.org Sat, 2 Jun 2001 12:23:04 +0100 Date: Sat, 2 Jun 2001 12:23:04 +0100 From: Jonathan Care jonc@lacunae.org Subject: crypto cards > I've been bench testing one of these cryptographic accelerator cards, > manufactured by a company I shall refrain from naming in case any of the > more paranoid readers of this list mistake me for a plant. You are an azelea, and I claim my five pounds. > > I was a bit sceptical about how effective it would be at increasing the > number of SSL connections our webservers can handle. Given that they are > pretty expensive, the card has been dipped in resin to comply > with some FIPS > regulations, and you can buy a "fast" or "very fast" card, I was > tempted to > think all this pointed to an expensive gimmick more than an effective > solution. No, the crypto accelerator cards really do work. Some are better than others, and some are designed to work closely with a particular OS, and therefore tend to have a better performance with that OS. > > However we upped our SSL connections per second from around 30 to > about 180, > which is pretty good. The card can do more than that but our on-board CPU > couldn't cope with any more, even thought it was handing off much of the > processing. What hardware, OS, web server were you using? > > I was just curious to know what experiences anyone else had with these > accelerators and if people found them to be effective. Yes. With kind regards, Jonathan Care Tel/Fax: +44 7092 016192 From akm@92tr.freeserve.co.uk Sat, 2 Jun 2001 14:19:33 +0100 Date: Sat, 2 Jun 2001 14:19:33 +0100 From: Adrian Midgley akm@92tr.freeserve.co.uk Subject: RIP Echelon? Naaaa, but... From: T Bruce Tober >And the latest news is that security experts are warning against getting >too heavily dependent on encryption because it means you have to open >email to see what's in it which could result in viruses being spread >more easily and undetected till it's too late. I favour encryption on the network segment, between the border of one practice and the border of the next, for medical email. For that reason, and because of my threat model. -- Midgley, A From akm@92tr.freeserve.co.uk Sat, 2 Jun 2001 14:42:42 +0100 Date: Sat, 2 Jun 2001 14:42:42 +0100 From: Adrian Midgley akm@92tr.freeserve.co.uk Subject: Gibson stops 13-year-old DOS `terrorist,' but says W2K and XP will fail and fall From: Q G Campbell >The URL http://grc.com/dos/grcdos.htm is recommended as an interesting >and detailed analysis of a DDoS attack that was made recently Still under attack? keeps timing out here, now. From nexus@patrol.i-way.co.uk Sat, 2 Jun 2001 18:19:01 +0100 Date: Sat, 2 Jun 2001 18:19:01 +0100 From: Nexus nexus@patrol.i-way.co.uk Subject: crypto cards There's me thinking that was to stop people rummaging through EEPROM's and throwing a logic analyser on it, just to see what makes it tick, or to check if there are any ummm.... undocumented 'features'... JJ ----- Original Message ----- From: "McIntosh Donald" To: Sent: Friday, June 01, 2001 4:25 PM Subject: crypto cards [snip] > pretty expensive, the card has been dipped in resin to comply with some FIPS > regulations, and you can buy a "fast" or "very fast" card, I was tempted to [snip] From phantomink@powersurfr.com Sun, 3 Jun 2001 06:02:15 -0700 Date: Sun, 3 Jun 2001 06:02:15 -0700 From: Phantom Ink phantomink@powersurfr.com Subject: [Spy News] ECHELON: Call to come clean on 'spying system' (fwd) Forward from Phantomink ----- Original Message ----- From: "Jei" To: Sent: Friday, June 01, 2001 2:45 PM Subject: [Spy News] ECHELON: Call to come clean on 'spying system' (fwd) > > > ---------- Forwarded message ---------- > Date: Fri, 1 Jun 2001 14:42:27 +0200 > From: Mario Profaca > Reply-To: spynews@yahoogroups.com > To: "[Spy News]" > Subject: [Spy News] ECHELON: Call to come clean on 'spying system' > > Call to come clean on 'spying system' > http://www.thisisthenortheast.co.uk/the_north_east/richmond/news/NEWS5.html > > by Nick Morrison > > EURO MP David Bowe has called on the Government to lift the lid on a secret > spying system following a critical report. > > The Yorkshire and Humber MEP said the report by a special European > Parliament committee underlined his concerns over the Echelon network, which > includes the Menwith Hill listening base near Harrogate. > > The report highlighted concerns that Echelon is largely being used to > eavesdrop on private and commercial communications, including telephone > conversations. > > Mr Bowe said: "Concerns I have had about the potential misuse of Menwith > Hill for commercial espionage have been reinforced by what the committee has > found. > > "There is a very important role for Menwith Hill in terms of collecting > information about terrorist threats and organised crime, but we really do > need stricter controls." > > The European Parliament committee said the UK, as the only EU country > involved in Echelon, could be in breach of the European Convention on Human > Rights over the right to privacy. > > It warned that the only way for individuals and companies to protect their > communications was to start encrypting all e-mails and faxes. > > Their report came after a year-long investigation, but has been dogged by > the refusal of the UK and US governments to cooperate with the inquiry, or > even to admit Echelon exists. > > The committee claimed their evidence proved that Echelon did exist and was > used to listen to private and business communications. > > Mr Bowe said: "Local people deserve far more information and we need a > proper system of scrutiny over how these bases operate and the implications > for local communities." > > > --- > FYI: This mail sent by Mario Profaca is certified Virus Free. > Checked by AVG anti-virus system (http://www.grisoft.com). > Version: 6.0.255 / Virus Database: 128 - Release Date: 17. 05. 01 > > > ============================================== > SPY NEWS is OSINT newsletter > and discussion list associated to > Mario's Cyberspace Station > http://mprofaca.cro.net/mainmenu.html > ============================================== > *** NOTICE: In accordance with Title 17 U.S.C. > Section 107, this material is distributed > without profit to SPYNEWS eGroup members > who have expressed a prior interest in receiving > the included information for non-profit research > and educational purposes only. > > For more information go to: > http://www.law.cornell.edu/uscode/17/107.shtml > > ---------------------------------------------- > To subscribe SPYNEWS send a blank message: > mailto:spynews-subscribe@yahoogroups.com > > To change your subscription mode to Daily Digest > (one message a day) send a blank message: > mailto:spynews-digest@yahoogroups.com > > To unsubscribe SPYNEWS send a blank message: > mailto:spynews-unsubscribe@yahoogroups.com > > Mario Profaca, independent journalist, > SPY NEWS eGroup list owner, editor > & moderator, is a member of of the > Committee of Concerned Journalists, > an initiative administered through > the offices of the Project for > Excellence in Journalism in Washington, D.C. > mailto:mprofaca@jagor.srce.hr > > SPY NEWS home page: > http://groups.yahoo.com/group/spynews > > Spy books, handbooks and manuals: > http://mprofaca.cro.net/spybooks.html > ============================================= > > > Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/ > > > > > > From owenfb@easynet.co.uk Sun, 3 Jun 2001 21:59:28 +0100 Date: Sun, 3 Jun 2001 21:59:28 +0100 From: Owen Blacker owenfb@easynet.co.uk Subject: "Disable Word 2002 features that may store hidden information" http://office.microsoft.com/assistance/2002/articles/wdDisableFeatureStoreHiddenInf.aspx Also http://office.microsoft.com/assistance/2002/articles/oDigSigsEnableRvknChck.aspx and http://search.office.microsoft.com/assistance/tasks.aspx?s=emlSecurity O x ----- Owen Blacker Senior Internet Software Developer / Information Security Consultant See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys Sig 0x00036874 | d39f b776 fa20 c125 b0e2 aa6d 555e 4126 0003 6874 ----- Opinions are mine. My employer and their clients can get their own! From donald@ramsbottom.co.uk Mon, 04 Jun 2001 07:14:38 +0100 Date: Mon, 04 Jun 2001 07:14:38 +0100 From: Donald ramsbottom donald@ramsbottom.co.uk Subject: Secretary of State for Trade and Industry v Crane and Another Below is a cas from today's Times Law report. It deals with the right to ilence and self incrimination in civil procedings and the interaction with criminal proceedings. As ever ignore if you do not like law. Secretary of State for Trade and Industry v Crane and Another Before Mr Justice Ferris Judgment April 11, 2001 Subject to statute preventing statements made in directors' disqualification proceedings being received in evidence in subsequent criminal proceedings, there was nothing in either the general law or in the fair trial requirement in the European Convention on Human Rights which made it objectionable for a prosecuting authority to obtain helpful ideas from what was said in other proceedings concerning the same subject matter. Mr Justice Ferris in a reserved judgment in the Chancery Division, on appeal by the Secretary of State for Trade and Industry, discharged the order of Mr Registrar Simmonds, dated November 15, 2000, staying the secretary of state's disqualification proceedings against Mr Kevin Crane and Ms Shirley Ann Burton, pending the outcome of possible criminal proceedings against them. Mr Philip Jones and Mr Gregory Banner for the secretary of state; Mr Paul Girolami as amicus curiae; the defendants did not appear and were not represented. MR JUSTICE FERRIS said that there was no principle of law that a claimant in civil proceedings was to be debarred from pursuing that action in the normal way merely because doing so might lead to the defendant having to disclose what his defence might be. The so-called right of silence afforded to a person facing a criminal charge, in contrast to the privilege against self-incrimination, did not extend to give a defendant as a matter of right the same protection in contemporaneous civil proceedings: see Jefferson Ltd v Bhetcha ((1979) 1 WLR 898, 904-5). Nevertheless, the court which was competent to control the civil proceedings had a jurisdiction to stay the proceedings if it appeared that justice so required, having regard to any concurrent proceedings: see R v Panel on Takeovers and Mergers, Ex parte Fayed ((1992) BCC 524, 531). In exercising that discretion the court should not lose sight of the fact that the judge in the criminal proceedings had extensive powers of his own to control those proceedings, for example, by staying proceedings as an abuse of process or excluding evidence by operation of section 78 of the Police and Criminal Evidence Act 1984 if it would be unfair to admit that evidence: see Attorney-General's Reference (No 3 of 1999) ((2001) 2 WLR 56, 64). Since the responsibility for doing justice in criminal proceedings lay primarily with the criminal court, the civil court, while striving to prevent a manifest risk of injustice, should not go out of its way to anticipate the existence of the mere possibility of injustice. The secretary of state had a public duty to apply for the disqualification of unfit directors and could not allow disqualification proceedings to be held up indefinitely by other proceedings over which he had no control: see In re Rex Williams Leisure plc ((1994) Ch 350). It could hardly be the case that the more deserving an individual was of disqualification the more he would be in a position to say that he was entitled to a stay merely because he was worried about his right to silence: see Jibrail v Secretary of State for Trade and Industry, per Mr Justice Jacob (unreported, November 20, 1997). Since a defendant in disqualification proceedings must, if he wished to rely on any evidence, file an affidavit prior to the close of the secretary of state's case under the old law, there was a real possibility that as a result of those proceedings, evidence would be available to the Crown, to which it would not otherwise be entitled. By contrast the new section 20 of the Company Directors Disqualification Act 1986, substituted by section 59 of and Schedule 3 to the Youth Justice and Criminal Evidence Act 1999, provides: "(2) ... in criminal proceedings in which any person is charged with an offence to which this subsection applies - (a) no evidence relating to the statement may be adduced; and (b) no question relating to it may be asked by or on behalf of the prosecution, unless evidence relating to it is adduced, or a question relating to it is asked, in the proceedings on behalf of that person." None of the grounds upon which the registrar had granted a stay had any real substance. They did not indicate that the trial of the disqualification proceedings would be unfair. Any anxiety about unfairness had to relate to the criminal proceedings. Section 20(2) of the 1986 Act would prevent statements made in the disqualification proceedings being received in evidence in the subsequent criminal proceedings. There was nothing in either the general law or in article 6 of the Convention on Human Rights which made it objectionable for a prosecuting authority to obtain helpful ideas from what was said in other proceedings concerning the same subject matter: see R v Hertfordshire County Council, Ex parte Green Environmental Services Ltd ((2000) 2 WLR 373). While the stay was granted in exercise of the registrar's discretion, the failure of the registrar to take into account the amended section 20(2) left it open for the court to substitute its view for that of the registrar. The appeal should be allowed and the stay discharged. Donald Ramsbottom BA LLb (Hons) PGdip Ramsbottom & Co Solicitors Internet and Global Encryption Law Specialists & General UK Law Matters 5 Seagrove Avenue Hayling Island Hampshire UK Tel (44) 023 9246 5931 Fax (44) 023 9246 8349 Regulated by the Law Society in the conduct of Investment business Service by Fax or Email NOT accepted From Q.G.Campbell@newcastle.ac.uk Mon, 4 Jun 2001 07:37:36 +0100 Date: Mon, 4 Jun 2001 07:37:36 +0100 From: Q G Campbell Q.G.Campbell@newcastle.ac.uk Subject: Gibson stops 13-year-old DOS `terrorist,' but says W2K and XP will fail and fall > -----Original Message----- > From: Adrian Midgley [mailto:akm@92tr.freeserve.co.uk]=20 > Sent: 02 June 2001 14:43 > To: ukcrypto@chiark.greenend.org.uk > Subject: Re: Gibson stops 13-year-old DOS `terrorist,' but=20 > says W2K and XP will fail and fall >=20 >=20 > From: Q G Campbell >=20 > >The URL http://grc.com/dos/grcdos.htm is recommended as an > interesting > >and detailed analysis of a DDoS attack that was made recently >=20 > Still under attack? > keeps timing out here, now. It was OK last week and it is OK this morning. Quentin From Q.G.Campbell@newcastle.ac.uk Mon, 4 Jun 2001 08:07:02 +0100 Date: Mon, 4 Jun 2001 08:07:02 +0100 From: Q G Campbell Q.G.Campbell@newcastle.ac.uk Subject: Gibson stops 13-year-old DOS `terrorist,' but says W2K and XP will fail and fall > -----Original Message----- > From: David Wagner [mailto:daw@mozart.cs.berkeley.edu] > Sent: 01 June 2001 22:30 > To: ukcrypto@chiark.greenend.org.uk > Subject: Re: Gibson stops 13-year-old DOS `terrorist,' but=20 > says W2K and XP will fail and fall >=20 >=20 > Q G Campbell wrote: > >The URL offer a lot more besides > >including a strongly argued case that DDoS and a new MS operating > >system may prevent the growth of a stable Internet economy. >=20 > That part was pretty hard for me to take seriously. It is > already possible to send spoofed packets; you don't need a=20 > new MS OS for that. It may be POSSIBLE but the issue at the heart of Gibson's case seems to be whether this is EASY to do with remotely installed generic code loaded onto a PC running a current MS O/S. There is some dispute about this among my collegaues at least. Our PC specialists say that since you can write directly to the ethernet card on a PC then you can send spoofed packets; you do not need a new O/S to do this. This is an assertion but none of them have tried it. On the other hand the sockets interface of the various implementations of Unix does make writing such code much easier. I have done it in Perl and C on a Sun box and am currently reviewing someone elses C-code that does a similar job in Linux.=20 The vulnerabilities of TCP/IP and the way it can be exploited are well documented. What strikes me from reading the URL posted by Steve Gibson is why we do not see more of the damaging type of DDoS activity he describes. All the means and tools are there. What seems to be lacking is the intent. How much longer will that last? When will anti-captitalist protesters realise that they can wreak huge amounts of mayhem on banks, businesses and government from the comfort and security of a cyber caf=E9 or their own homes? Perhaps it is a good thing that they appear to enjoy a punch-up more than they enjoy playing with a keyboard. Crypto certainly does not help here and it remains to be seen whether legislation like the Terrorism Act 2000 or the Computer Misuse Act 1990 offers any really effective assistance against such people. Never mind the paedophiles and pushers targeting kids; what about anti-capitalist "terrorists" offering sweets and DDoS tools to 13-year-olds so that they can make a game of disrupting e-commerce and e-business. Quentin From nexus@patrol.i-way.co.uk Mon, 4 Jun 2001 08:41:56 +0100 Date: Mon, 4 Jun 2001 08:41:56 +0100 From: Nexus nexus@patrol.i-way.co.uk Subject: Gibson stops 13-year-old DOS `terrorist,' but says W2K and XP will fail and fall ----- Original Message ----- From: "Q G Campbell" To: Sent: Monday, June 04, 2001 8:07 AM Subject: RE: Gibson stops 13-year-old DOS `terrorist,' but says W2K and XP will fail and fall [snip] > Our PC specialists say that since you can write directly to the ethernet > card on a PC then you can send spoofed packets; you do not need a new > O/S to do this. This is an assertion but none of them have tried it. Yup, no problem there - you can also use low level packet drivers to do the same. But as you said, it's not easy. > The vulnerabilities of TCP/IP and the way it can be exploited are well > documented. What strikes me from reading the URL posted by Steve Gibson > is why we do not see more of the damaging type of DDoS activity he > describes. All the means and tools are there. What seems to be lacking > is the intent. I would say that it is more prevalent that it appears - a lot of DDoS attacks are the k1dd13s fighting amonst themselves as an extention of IRC 'bot wars' - I am sure that there exist an awful lot of companies that would not notice of recognise a DDoS attack and would just blame "that bloody ISP again" And that is discounting all the companies that have a policy _never_ to report attacks or breaches. > How much longer will that last? When will anti-captitalist protesters > realise that they can wreak huge amounts of mayhem on banks, businesses > and government from the comfort and security of a cyber café or their > own homes? Perhaps it is a good thing that they appear to enjoy a > punch-up more than they enjoy playing with a keyboard. They have already done it, there was a web server based one as well AFAIR > Crypto certainly does not help here and it remains to be seen whether > legislation like the Terrorism Act 2000 or the Computer Misuse Act 1990 > offers any really effective assistance against such people. Nor really - unless you are the US of course and therefore not subject to minor complications like borders ;-) > Never mind the paedophiles and pushers targeting kids; what about > anti-capitalist "terrorists" offering sweets and DDoS tools to > 13-year-olds so that they can make a game of disrupting e-commerce and > e-business. Hmmm.... past tense would probably be better there.... ;-) Cheers, JJ From k.brown@ccs.bbk.ac.uk Mon, 04 Jun 2001 10:40:01 +0100 Date: Mon, 04 Jun 2001 10:40:01 +0100 From: Ken Brown k.brown@ccs.bbk.ac.uk Subject: Gibson stops 13-year-old DOS `terrorist,' but says W2K and XP will fail andfall Q G Campbell wrote: > > That part was pretty hard for me to take seriously. It is > > already possible to send spoofed packets; you don't need a > > new MS OS for that. > > It may be POSSIBLE but the issue at the heart of Gibson's case seems to > be whether this is EASY to do with remotely installed generic code > loaded onto a PC running a current MS O/S. There is some dispute about > this among my collegaues at least. I think Gibson exaggerates, but there is something in it. As you point out there is a big difference between someone who knows about network protocols, device drivers and the management of ethernet cards being able to write IP spoofing software (which is the situation on DOS-based machines) and someone who knows about socket-programming being able to do it (which is, I assume, the situation on Unix & recent NT/2000). In the second situation you can write software that ought to work through the existing IP connection rather than in spite of it. [...] > Crypto certainly does not help here and it remains to be seen whether > legislation like the Terrorism Act 2000 or the Computer Misuse Act 1990 > offers any really effective assistance against such people. Legislation is neither here nor there. The means to prevent these attacks are technical, and (perhaps unfortunately) mostly in the hands of the ISP. (Of course we can protect our own computers against ddos pretty easily, but that won't stop the connections to the Net being swamped). In the long run though the attacks will go away when computers are harder to subvert - the attack cluster of course, not the target. Cryptography does help here, and firewalls help more, but the number one problem remains the stupid way mailers run programs that turn up in the mail. Ken From Donald.McIntosh@accaglobal.com Mon, 4 Jun 2001 09:39:52 +0100 Date: Mon, 4 Jun 2001 09:39:52 +0100 From: McIntosh Donald Donald.McIntosh@accaglobal.com Subject: crypto cards Oh dear... you couldn't resist the obvious joke. :) We are using the card on a Netra T1 AC200 with one 500 MHz processor, with the crypto card in the only PCI slot. We are using Apache version 1.3.14 on Solaris 8 with the crypto hand-off stuff installed into the source. The CPU usage on the Netra hits 100% with the card only running at 60% or so. I think we need to go for the "fast" card instead of the "very fast" card we are using. It's a bit too pacey for a our wee Netra. Cheers, Donald.- > -----Original Message----- > From: Jonathan Care > Sent: Saturday, June 02, 2001 12:23 PM > To: ukcrypto@chiark.greenend.org.uk > Subject: RE: crypto cards > > > I've been bench testing one of these cryptographic accelerator cards, > > manufactured by a company I shall refrain from naming in case any of the > > more paranoid readers of this list mistake me for a plant. > > You are an azelea, and I claim my five pounds. > > > > > I was a bit sceptical about how effective it would be at increasing the > > number of SSL connections our webservers can handle. Given that they > are > > pretty expensive, the card has been dipped in resin to comply > > with some FIPS > > regulations, and you can buy a "fast" or "very fast" card, I was > > tempted to > > think all this pointed to an expensive gimmick more than an effective > > solution. > > No, the crypto accelerator cards really do work. Some are better than > others, and some are designed to work closely with a particular OS, and > therefore tend to have a better performance with that OS. > > > > > However we upped our SSL connections per second from around 30 to > > about 180, > > which is pretty good. The card can do more than that but our on-board > CPU > > couldn't cope with any more, even thought it was handing off much of the > > processing. > > What hardware, OS, web server were you using? > > > > > I was just curious to know what experiences anyone else had with these > > accelerators and if people found them to be effective. > > Yes. > > With kind regards, > Jonathan Care > Tel/Fax: +44 7092 016192 > > > From owen.blacker@wheel.co.uk Mon, 4 Jun 2001 10:49:48 +0100 Date: Mon, 4 Jun 2001 10:49:48 +0100 From: Owen Blacker owen.blacker@wheel.co.uk Subject: Wired: The Case Against Privacy -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > The Case Against Privacy > By Declan McCullagh > 3:00 a.m. June 2, 2001 PDT > > > WASHINGTON -- Scott McNealy once vexed privacy activists by claiming that > "you have zero privacy anyway -- get over it." > > Now the Sun Microsystems CEO is saying that "absolute privacy is a > disaster waiting to happen." > > In an opinion article published in The Washington Post > > [I'll post it shortly -- Owen] this week, McNealy said it would be "a > mistake" to dismiss the benefits of sharing information, citing medical > records that should be forwarded to your doctor and vehicle location > information after an accident. > > Predicts McNealy: "Someday soon you could find yourself in a strange city > and your Web-enabled wireless phone will be able to recommend a nearby > restaurant based on your fondness for French, Italian or Mexican cuisine > -- and then make your reservation for you. It could even recommend a > movie based on what you liked and didn't like in the past." > > His essay is designed to persuade legislators to think twice about > enacting broad laws that could cost US firms > tens of billions > of dollars in compliance costs and drive struggling companies out of > business. > > McNealy has a point: When consumers are shopping for something, they have > the option to take their business to companies that are sufficiently > privacy-protective -- that is, if they even care. > > Editor's note: We are replacing the regularly-scheduled pro-privacy > diatribe with an anti-privacy plea. We regret any distress this may cause > to regular readers. Our regularly-scheduled paranoia will return next > week. Thank you. > > *** > > Spies on us: John Alejandro King's first mistake was developing a sense > of humor while working at the CIA. > > His second mistake was writing a book of hideously bad poetry poking fun > at his colleagues. Part of it is online at covertcomic.com > . > > King says the CIA finds his self-described "book" tasteless and claims > that his job has been repeatedly imperiled by his out-of-office jokes. > > This isn't the first time that King has had a run-in with the spy > bureaucracy. The New York Daily News reported in 1999 > sp> that the CIA was hardly amused at his website, which features > unflattering descriptions of other spooks. > > Some of his better tales -- the bulk of his writing is not worth the time > -- include the FBI official who believes he's the son of Jesus Christ, > the military intelligence operative who runs a lucrative porn ring and > the female CIA agent who keeps a harem of male sex slaves. > > *** > > Children's privacy: A California state appeals court said this week > that > children's privacy should trump the right to a free press. > > In the course of covering a story about adult coaches who sexually abused > youngsters, Sports Illustrated and HBO ran photographs of a little league > team in California. The team's manager had pled guilty to molesting five > children in the league. > > Members of the team -- 10 players and coaches -- sued the media outlets' > parent company, AOL-Time Warner, on the usual grounds of invasion of > privacy and emotional harm. > > AOL-Time Warner said in response that this was a SLAPP suit > , meaning one designed to inhibit > free speech. The trial court disagreed with the media conglomerate, and > now the appeals court has too, so the case continues. > > The appeals court said that a 1989 Supreme Court case, Florida Star vs > BJF > 24>, does not apply since the people in the photographs were minors. In > that decision, the high court said newspapers could publish a rape > victim's name that was legally obtained from a police report. > > *** > > Sex spam ban: Proposed sex spam rules go too far, says the Center for > Democracy and Technology . > > In a policy post this week > , CDT said that so-called > anti-spam laws in Congress threaten free speech and won't even work that > well. > > The House Judiciary committee last week approved a bill > that promises a > fine and a one-year prison term to anyone who e-mails an advertisement > relating to sex without including a special advisory, which would be > drafted by the attorney general. > > Says CDT: "Such a provision creates the threat of forced speech and > stigmatizes potentially beneficial and lawful, though adult, speech. It > also gives the Justice Department broad discretion to determine what is > acceptable bulk mail and what is not." > > *** > > Next week: The Electronic Privacy Information Center is organizing a > briefing at the National Press Club on Monday. The topic is "Emerging > Issues in Cyberspace Law," including jurisdiction and privacy.... > America's Future Foundation is hosting an intellectual property debate on > Thursday.... Tim Muris, currently a professor at George Mason University, > starts his new job as chairman of the Federal Trade Commission. He did > not respond to requests for an interview.... And Congress returns from > the Memorial Day recess. > > Copyright © 1994-2001 Wired Digital Inc. All rights reserved. > - ----- Owen Blacker Senior Software Developer / InfoSec Consultant Wheel: Clerkenwell See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys Sig 0x00036874 | d39f b776 fa20 c125 b0e2 aa6d 555e 4126 0003 6874 -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! iQA/AwUBOxtZP1VeQSYAA2h0EQKE+ACfd/SkkTTmWDpDZjdAxJDfDdTzsa4An28Y GPuBa08qvkDDvqLRKasu3MDr =TSZ/ -----END PGP SIGNATURE----- _____________________________________________________________________ This message has been checked for all known viruses by UUNET delivered through the MessageLabs Virus Control Centre. For further information visit http://www.uk.uu.net/products/security/virus/ From owen.blacker@wheel.co.uk Mon, 4 Jun 2001 10:50:48 +0100 Date: Mon, 4 Jun 2001 10:50:48 +0100 From: Owen Blacker owen.blacker@wheel.co.uk Subject: Scott McNealy: The Case Against Absolute Privacy =20 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://washingtonpost.com/ac2/wp-dyn/A89273-2001May28?language=3Dprinter= The Case Against Absolute Privacy=20 By Scott McNealy Tuesday, May 29, 2001; Page A15=20 Any company that doesn't properly safeguard people's personal = information will suffer the same fate as a bank that doesn't safeguard people's = money. It will go out of business. But privacy is not always desirable -- and absolute privacy is a disaster waiting to happen. Take medical records. If you're in an accident, do you want an = ambulance driver to be able to access your medical records online? I think you = do. Do you want everybody to? No. Properly administered, the online environment offers more privacy protections, not fewer. Online, you can encrypt things and provide conditional access. You can know where your files are and who's looking = at them through audit trails. Try that with a paper file. I know medical records are a hot button for a lot of people, and I = agree they need to be protected. But it would be a mistake to lose sight of = the real benefits of sharing information about ourselves. One of the chief benefits, to use a more routine example, is personalized service. In exchange for a little information, you can get an online experience = that's more in tune with your interests and needs. I have agreed to let my car company, for instance, track my every move through GPS satellites. Some people might consider that an invasion of privacy, but I find it = comforting to know that, should my air bag deploy, they know where I am and can = send help. I'm convinced that we've barely scratched the surface on this one. = Someday soon you could find yourself in a strange city and your Web-enabled wireless phone will be able to recommend a nearby restaurant based on = your fondness for French, Italian or Mexican cuisine -- and then make your reservation for you. It could even recommend a movie based on what you liked and didn't like in the past -- and, by the way, it's playing = three blocks away, starts in half an hour and only a few tickets are left, so would you like to purchase one now with your credit card? Those are just two examples of how specific needs will be met in = specific circumstances -- many more are possible. The point is, for that level = of service, most people would gladly reveal their personal preferences, as long as they feel certain the information won't be misused. On the Internet, even more than in other areas of our lives, trust is the real currency. Squander what you have and you'll find out how hard it can be = to get more. So far the industry has done a pretty good job of regulating itself. = Most companies now post formal privacy policies on their Web sites and allow visitors to have a say in how information about them is used. That just makes good business sense, but I recognize that it took some prodding from the watchdogs in the media. The media could also start rewarding companies who have learned how to offer both consumer = protection and personalized service. Maybe some enterprising magazine will start publishing an annual list of the companies with the best policies and practices. The Privacy 500, perhaps. The writer is chief executive of Sun Microsystems Inc. =A9 2001 The Washington Post Company=20 - ----- Owen Blacker Senior Software Developer / InfoSec Consultant Wheel: Clerkenwell See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys Sig 0x00036874 | d39f b776 fa20 c125 b0e2 aa6d 555e 4126 0003 6874 -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! iQA/AwUBOxtZelVeQSYAA2h0EQI8KQCfXyXqPr695rmEjbTqqCUzuXWkcxMAnjPd Ul9kEdiTqdh8KrvQ52njXZl5 =3D7sPO -----END PGP SIGNATURE----- _____________________________________________________________________ This message has been checked for all known viruses by UUNET delivered through the MessageLabs Virus Control Centre. For further information visit http://www.uk.uu.net/products/security/virus/ From nexus@patrol.i-way.co.uk Mon, 4 Jun 2001 11:24:01 +0100 Date: Mon, 4 Jun 2001 11:24:01 +0100 From: Nexus nexus@patrol.i-way.co.uk Subject: Getting DIRT on people... Hmm.. so then, Codex Data Systems are trumpeting their new Trojan program, but it's for feds and spooks only, so we are safe from abuse then. *cough* *ahem* Document posted to Cryptome http://cryptome.org/dirty-secrets2.htm Codex Data Systems http://www.codexdatasystems.com/menu.html The Register with some handy tips ;-) http://www.theregister.co.uk/content/6/19404.html The resident cycnics will note the terrorist and child porn references as justification in the heavily PR guffed document. Cheers, JJ From roland@linx.net Mon, 4 Jun 2001 12:54:17 +0100 Date: Mon, 4 Jun 2001 12:54:17 +0100 From: Roland Perry roland@linx.net Subject: Scott McNealy: The Case Against Absolute Privacy In message <55ED5FD3B4D2D41193E60002A5090BCDC33387@clerkenwell.pres.co>, Owen Blacker writes >I have agreed to let my car >company, for instance, track my every move through GPS satellites. Ah, those mythical GPS satellites with a back channel again. -- Roland Perry From Q.G.Campbell@newcastle.ac.uk Mon, 4 Jun 2001 13:18:09 +0100 Date: Mon, 4 Jun 2001 13:18:09 +0100 From: Q G Campbell Q.G.Campbell@newcastle.ac.uk Subject: Gibson stops 13-year-old DOS `terrorist,' but says W2K and XP will fail andfall > -----Original Message----- > From: Ken Brown [mailto:k.brown@ccs.bbk.ac.uk]=20 > Sent: 04 June 2001 10:40 > To: ukcrypto@chiark.greenend.org.uk > Subject: Re: Gibson stops 13-year-old DOS `terrorist,' but=20 > says W2K and XP will fail andfall >=20 > [Quentin Campbell said] > > Crypto certainly does not help here and it remains to be seen whether=20 > > legislation like the Terrorism Act 2000 or the Computer Misuse Act=20 > > 1990 offers any really effective assistance against such people. >=20 > Legislation is neither here nor there. The means to prevent=20 > these attacks are technical, and (perhaps unfortunately)=20 > mostly in the hands of the ISP. (Of course we can protect our=20 > own computers against ddos pretty easily, but that won't stop=20 > the connections to the Net being swamped). >=20 > In the long run though the attacks will go away when=20 > computers are harder to subvert - the attack cluster of=20 > course, not the target. Cryptography does help here, and=20 > firewalls help more, but the number one problem remains the=20 > stupid way mailers run programs that turn up in the mail.=20 Ken You brought this thread back on track with your assertion that cryptography DOES help here. I thought that I would add a recent posting to David Farber's list about Steve Gibson's story. It lends support to your view and is right on topic for this list. Applogies to those who have already seen it: >This is a great story, and instructive. But the one problem I have >is with Steve's simplistic analysis that Windows XP and Windows=20 >2000 are major increases in vulnerability *because* they allow=20 >spoofed IP datagrams to be *sent*. > >Linux and other machines routinely allow such things. And for a >(pretty good) reason that applies also to Windows machines - if a=20 >machine is to act as a router, it *must* be able to generate a=20 >source IP address different than its own. Linux, Windows XP and=20 >Windows 2000 machines do act as routers - the NAT gateway and RRAS=20 >facilities are low cost, software only routers that are good values=20 >for those who have PCs available to run them. > >The real problem causing today's DDOS attacks is that these systems >(Windows and Linux) are so vulnerable to Trojans and other attacks=20 >that allow the distributed deployment of agents/Zombies. The fix=20 >has been obvious for 20 years - good strong crypto-based end-to-end=20 >security, certificates, and sandboxing of downloaded applications=20 >that you want to try but don't fully trust. We have the law=20 >enforcement community to thank for blocking end-to-end security and=20 >authentication, and we have the OS designers to blame for not=20 >developing good sandboxing virtual machine capabilities (since the=20 >hardware has supported VMs for a long time). (and Outlook's own=20 >sandboxing options are insufficient). Quentin From I.Brown@cs.ucl.ac.uk Mon, 04 Jun 2001 13:47:22 +0100 Date: Mon, 04 Jun 2001 13:47:22 +0100 From: Ian BROWN I.Brown@cs.ucl.ac.uk Subject: Gibson stops 13-year-old DOS `terrorist,' but says W2K and XP will fail andfall >the number one problem remains the stupid way mailers run programs that turn up >in the mail. As we've discussed before, it's almost unbelievable that most mailers execute attachments or their readers with the full privileges of their user. I wonder if Microsoft is finally about to change this: Windows XP beta 2 has a feature to run (any) program with the option "Protect my computer and data from unauthorized program activity" (shift-right-click "Run as"). I haven't seen any details of exactly what is happening there, but hopefully it will run apps with minimal read access and zero write access and be the default in Win mailers in future... -- "While it clearly is appropriate for the government to take steps to protect its technological infrastructure and its computers from attack, we must not allow fear of those threats to blind us to the need to balance the competing interests of privacy, cost, law enforcement, and national security." --Rep. Bob Barr From Ian.Johnson@uwe.ac.uk Mon, 04 Jun 2001 13:52:10 +0100 Date: Mon, 04 Jun 2001 13:52:10 +0100 From: Ian Johnson Ian.Johnson@uwe.ac.uk Subject: Gibson stops 13-year-old DOS `terrorist,' but says W2K and XP will fail and fall Q G Campbell wrote: > How much longer will that last? When will anti-captitalist protesters > realise that they can wreak huge amounts of mayhem on banks, businesses > and government from the comfort and security of a cyber café or their > own homes? Perhaps it is a good thing that they appear to enjoy a > punch-up more than they enjoy playing with a keyboard. The real answer I suspect is lack of broadband (in the UK). I noted that ntl (my local cable modem offerer) had made it into Steve Gibson's chart. I suspect that when we see a large number of unpatched, unmanaged insecure home computers in obvious places, trouble will really start. > Crypto certainly does not help here and it remains to be seen whether > legislation like the Terrorism Act 2000 or the Computer Misuse Act 1990 > offers any really effective assistance against such people. Crypto's role I would suggest is knowing whats in your box, and what has changed - tripwire for win98? If you have a perp who is old enough to answer, the Acts give powers to deal with it *after the event* Regards, Ian -- Ian Johnson Tel : +44 117 965 6261 x3167 Faculty of CSM, UWE Bristol Email: irj@acm.org Frenchay Campus, Bristol. BS16 1QY. UK. From oml@eloka.demon.co.uk Mon, 4 Jun 2001 13:51:41 +0100 Date: Mon, 4 Jun 2001 13:51:41 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: US endorses FBI hacking of foreign computers (?) > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of John Young > Sent: 01 June 2001 19:38 > To: ukcrypto@chiark.greenend.org.uk > Subject: RE: US endorses FBI hacking of foreign computers (?) > > > Owen wrote: > > > >Right or wrong? You tell me. All I know is that the man in the street > >thought it a pretty neat trick. > > Indeed, as do most citizens of the Echelon cartel believe it to be > hunky-dory. And why the EP believes it best to beg inclusion in > Echelon protectitive custody than to resist it. > > What is not clear in the upbeat promise of illegal action in the > national interest is what are its limits, and how can one know when > what the programs actually do and by what means are ever so > carefully secreted. > > A few days ago a US official warned of the need for controlling > criminal behavior by officials of law enforcement, justice and > national security. Yes, yes and yes. Not stated by the official > is who shall watch the super-moral investigators, judges and > spies happily reporting malfeasance by everyone except > themselves. Certainly not the public who are ever encouraged > to love neat tricks by trusted homeboys. To re-iterate what has been snipped away: The essence of warfare does and always has required the commission of acts which, unless sanctioned by the state are most seriously criminal. In the last hundred years or so, state sanction has in many cases been replaced by international treaties, recognising the commission of such acts as lawful when committed as an act of war. This has never been a carte blanche for criminal behaviour, certain acts only being legitimised (the primary one being to kill) and the circumstances where legitimisation shall apply are clearly defined. Others such are rape and torture have never been legitimised - at least in international recognition. Now, the question is the extent to which the people are prepared to see the tools and methods of warfare adopted for the policing of society? By observation, most if not all of these tools and methods have come to be accepted by the public and by the courts both as proper to policing (though the US courts seem to have taken a more rigorous moral stance that our own). If this trend disturbs you, that is good. So it should. A state should never use or suffer to be used the tools and methods of warfare against its own people unless it admits it has become but one of the contending parties in a civil war. With very few exceptions, this is simply not the position and therefore such methods ought not to be used. The pity is that that the majority of the people are entirely apathetic over this and other such matters. We presently have a General Election campaign in progress here. Such issues register ) on the electoral Richter scale. Owen From owen.blacker@wheel.co.uk Mon, 4 Jun 2001 14:28:48 +0100 Date: Mon, 4 Jun 2001 14:28:48 +0100 From: Owen Blacker owen.blacker@wheel.co.uk Subject: Secretary of State for Trade and Industry v Crane and Another -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Sorry to sound stupid, but what does this actually read? I'm usually relatively good at divining at least the gist of these legal reports, but this one just went straight past me. Could someone of better legal reading summarise what happened? :o) > -----Original Message----- > From: Donald ramsbottom [mailto:donald@ramsbottom.co.uk] > Sent: Monday, June 04, 2001 7:15 AM > To: ukcrypto@chiark.greenend.org.uk > Subject: Secretary of State for Trade and Industry v Crane and Another > > > Below is a cas from today's Times Law report. It deals with > the right to > ilence and self incrimination in civil procedings and the > interaction with > criminal proceedings. As ever ignore if you do not like law. > > > Secretary of State for Trade and Industry v Crane and Another > > > Before Mr Justice Ferris > Judgment April 11, 2001 > [deletia] -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! iQA/AwUBOxuMi1VeQSYAA2h0EQJAywCg36KnwxoSHyCOsgbwfWNBHarC0SEAoP6P 47rZ0mvnBvPWIG5cOpOGsw+3 =7x4p -----END PGP SIGNATURE----- _____________________________________________________________________ This message has been checked for all known viruses by UUNET delivered through the MessageLabs Virus Control Centre. For further information visit http://www.uk.uu.net/products/security/virus/ From k.brown@ccs.bbk.ac.uk Mon, 04 Jun 2001 14:46:06 +0100 Date: Mon, 04 Jun 2001 14:46:06 +0100 From: Ken Brown k.brown@ccs.bbk.ac.uk Subject: Gibson stops 13-year-old DOS `terrorist,' but says W2K and XP will failandfall MS were certainly working towards this in w2000 with the reduction of the default rights and permissions given to a normal user, and by recommending that people log in as a user rather than an administrator most of the time. It hasn't worked well yet of course, because vast numbers of applications (including Microsoft's own) just don't work right unless you run as a "power user" (like adding spellings to the Word spellchecker); and because a default user still has enough privilege to do damage (like redefining screens or filling every last bit of a disk). Separation of powers is (sometimes) enforceable in organisations with IT staff of course but I don't see many home users doing it. I spent about an hour fiddling with user privileges to get my daughter's version of "The Sims" running on w2000 without her having to log on as an administrator. I doubt if very many home users will have other the knowledge or the desire to bother. What it needs is for the browser & mailer to run as a minimally privileged user by *default* even when the human is logged on as administrator or equivalent (which I image most wXP users will be). If it is just an option few people will notice. Ian BROWN wrote: > > >the number one problem remains the stupid way mailers run programs that turn up > >in the mail. > > As we've discussed before, it's almost unbelievable that most mailers execute > attachments or their readers with the full privileges of their user. I wonder > if Microsoft is finally about to change this: Windows XP beta 2 has a feature > to run (any) program with the option "Protect my computer and data from > unauthorized program activity" (shift-right-click "Run as"). > > I haven't seen any details of exactly what is happening there, but hopefully > it will run apps with minimal read access and zero write access and be the default in Win mailers in future... > -- > "While it clearly is appropriate for the government to take steps to protect its technological infrastructure and its computers from attack, we must not allow fear of those threats to blind us to the need to balance the competing interests of privacy, cost, law enforcement, and national security." --Rep. Bob Barr From owen.blacker@wheel.co.uk Mon, 4 Jun 2001 15:02:37 +0100 Date: Mon, 4 Jun 2001 15:02:37 +0100 From: Owen Blacker owen.blacker@wheel.co.uk Subject: Gibson stops 13-year-old ... -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Quentin Campbell said: > > > > The real problem causing today's DDOS attacks is that these systems > > (Windows and Linux) are so vulnerable to Trojans and other attacks that > > allow the distributed deployment of agents/Zombies. The fix has been > > obvious for 20 years - good strong crypto-based end-to-end security, > > certificates, and sandboxing of downloaded applications that you want > > to try but don't fully trust. We have the law enforcement community to > > thank for blocking end-to-end security and authentication, and we have > > the OS designers to blame for not developing good sandboxing virtual > > machine capabilities (since the hardware has supported VMs for a long > > time). (and Outlook's own sandboxing options are insufficient). To be fair to Microsoft (no, really :o) I'd say that Outlook's sandboxing options aren't insufficient. You can configure Outlook 2000 and all version of Outlook Express I've seen[1] such that they sandbox adequately (or, rather, that they disable potentially dangerous scripts) with regard attachments and inline scripts[2]. The problem is, imho, that these settings are not the defaults and that most users don't understand that running executables forwarded from a friend is stupid, no matter how trustworthy they consider the friend to be. (I have, just before sending, received Ken Brown's mail about logging on with Administrative privileges and he's right -- even I am logged on as a member of the Administrators group currently, because it's very inconvenient not to be. But that's a separate issue, I feel...) Whilst some of the blame definitely lies in Redmond[3], I definitely feel that some of it really isn't their fault. True, a lot of it wouldn't be a problem at all had Microsoft's developers / architects made different calls a few years back, notably with regard Windows Script Host. It is worth bearing in mind, however, that it's always very easy to underestimate the power of users' stupidity. :o) O x [1] Sorry, I've never paid attention to OE version numbers, so I can't be more specific. [2] By which I mean the contents of entities in HTML mail. [3] Proposals: set High security in Outlook and in OE by default and make the default action of "Windows Script Host" scripts be to "Edit in Notepad", for example. - ----- Owen Blacker Senior Software Developer / InfoSec Consultant Wheel: Clerkenwell See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys Sig 0x00036874 | d39f b776 fa20 c125 b0e2 aa6d 555e 4126 0003 6874 -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! iQA/AwUBOxuUd1VeQSYAA2h0EQK/7wCcCvWIkeileOGLC6VekJ3peO/nTGkAn1v1 lhBethHJycDTa4biEDQQ61RV =V/CP -----END PGP SIGNATURE----- _____________________________________________________________________ This message has been checked for all known viruses by UUNET delivered through the MessageLabs Virus Control Centre. For further information visit http://www.uk.uu.net/products/security/virus/ From nexus@patrol.i-way.co.uk Mon, 4 Jun 2001 15:11:16 +0100 Date: Mon, 4 Jun 2001 15:11:16 +0100 From: Nexus nexus@patrol.i-way.co.uk Subject: Gibson stops 13-year-old DOS `terrorist,' but says W2K and XP will failandfall It's not as cut and dried as that IMHO since most trojans and the like will mimic legit user activity. Can you imagine a home user unable to browse the internet, or send email or install any software at all without special procedures and the like ? That would kill the OS sales dead. If you want to trojan a corporate enviroment then obviously escalation of privs is a good thing, but to turn some poor sap's home windows box into a DDoS agent, then who cares ? Running in the context of the current user is fine for that. Cheers, JJ ----- Original Message ----- From: "Ken Brown" To: Sent: Monday, June 04, 2001 2:46 PM Subject: Re: Gibson stops 13-year-old DOS `terrorist,' but says W2K and XP will failandfall [snip] > MS were certainly working towards this in w2000 with the reduction of > the default rights and permissions given to a normal user, and by > recommending that people log in as a user rather than an administrator > most of the time. [snip] From I.Brown@cs.ucl.ac.uk Mon, 04 Jun 2001 15:13:04 +0100 Date: Mon, 04 Jun 2001 15:13:04 +0100 From: Ian BROWN I.Brown@cs.ucl.ac.uk Subject: Gibson stops 13-year-old DOS `terrorist,' but says W2K and XP will failandfall >Can you imagine a home user unable to browse >the internet, or send email or install any software at all without special >procedures and the like ? You don't need to do that; just make sure that programs that run from e-mail or Web pages can't write to C:\WINDOWS, for example. -- "While it clearly is appropriate for the government to take steps to protect its technological infrastructure and its computers from attack, we must not allow fear of those threats to blind us to the need to balance the competing interests of privacy, cost, law enforcement, and national security." --Rep. Bob Barr From nexus@patrol.i-way.co.uk Mon, 4 Jun 2001 15:17:02 +0100 Date: Mon, 4 Jun 2001 15:17:02 +0100 From: Nexus nexus@patrol.i-way.co.uk Subject: Disable Windows Scripting Host (Was Gibson etc etc) For greater control of WSH I can recommend: http://www.symantec.com/avcenter/noscript.exe If nothing breaks after disabling it, guess you didn't need it ;-) Cheers, JJ ----- Original Message ----- From: "Owen Blacker" To: Sent: Monday, June 04, 2001 3:02 PM Subject: RE: Gibson stops 13-year-old ... [snip] > [3] Proposals: set High security in Outlook and in OE by default and > make the default action of "Windows Script Host" scripts be to > "Edit in Notepad", for example. > - ----- > Owen Blacker > Senior Software Developer / InfoSec Consultant Wheel: Clerkenwell > See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys > Sig 0x00036874 | d39f b776 fa20 c125 b0e2 aa6d 555e 4126 0003 6874 From nexus@patrol.i-way.co.uk Mon, 4 Jun 2001 15:32:49 +0100 Date: Mon, 4 Jun 2001 15:32:49 +0100 From: Nexus nexus@patrol.i-way.co.uk Subject: Gibson stops 13-year-old DOS etc And ? Better add the registry to that, as well as the users start menu and documents area. And the address book, favourites, .lnk files and so on ad infinitum ad driftus offthreadus ;-) Simply adding filesystem ACL's and the like will help to "raise the bar" as the US folks love to say, but it won't stop a lot of things. Also note the number of exploits recently using non executable files as well - media player, outlook vcards and the like. What do you trust ? If you are on this list, then only yourself... perhaps... Maybe there should be some form of test that you have to pass before being allowed to connect to the internet ;-) Cheers, JJ ----- Original Message ----- From: "Ian BROWN" To: Sent: Monday, June 04, 2001 3:13 PM Subject: Re: Gibson stops 13-year-old DOS `terrorist,' but says W2K and XP will failandfall > >Can you imagine a home user unable to browse > >the internet, or send email or install any software at all without special > >procedures and the like ? > > You don't need to do that; just make sure that programs that run from e-mail or Web > pages can't write to C:\WINDOWS, for example. > -- > "While it clearly is appropriate for the government to take steps to protect its technological infrastructure and its computers from attack, we must not allow fear of those threats to blind us to the need to balance the competing interests of privacy, cost, law enforcement, and national security." --Rep. Bob Barr > > > > From owen.blacker@wheel.co.uk Mon, 4 Jun 2001 15:32:57 +0100 Date: Mon, 4 Jun 2001 15:32:57 +0100 From: Owen Blacker owen.blacker@wheel.co.uk Subject: Disable Windows Scripting Host -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 But I'm a developer. I know I need it. :o) www.symantec.com/avcenter/venc/data/win.script.hosting.html gives more info about the executable you mention, by the way. For anyone else who thought "I wonder which way they disable things?" and "Do they disable all of them?" and so on, it renames the file association classes for any class that has either Wscript.exe or Cscript.exe in its Shell\Open\Command or Shell\Open2\Command registry keys. As a toggle too, so you can run it again and choose to re-enable WSH. O x > -----Original Message----- > From: Nexus [mailto:nexus@patrol.i-way.co.uk] > Sent: Monday, June 04, 2001 3:17 PM > To: ukcrypto@chiark.greenend.org.uk > Subject: Disable Windows Scripting Host (Was Gibson etc etc) > > > For greater control of WSH I can recommend: > http://www.symantec.com/avcenter/noscript.exe > > If nothing breaks after disabling it, guess you didn't need it ;-) > > Cheers, > JJ > > ----- Original Message ----- > From: "Owen Blacker" > To: > Sent: Monday, June 04, 2001 3:02 PM > Subject: RE: Gibson stops 13-year-old ... > [snip] > > > > [3] Proposals: set High security in Outlook and in OE by > default and > > make the default action of "Windows Script Host" scripts be to > > "Edit in Notepad", for example. > > - ----- > > Owen Blacker > > Senior Software Developer / InfoSec Consultant Wheel: Clerkenwell > > See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys > > Sig 0x00036874 | d39f b776 fa20 c125 b0e2 aa6d 555e 4126 0003 6874 > > > > > > _____________________________________________________________________ > This message has been checked for all known viruses by UUNET > delivered > through the MessageLabs Virus Control Centre. For further > information visit > http://www.uk.uu.net/products/security/virus/ > -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! iQA/AwUBOxubk1VeQSYAA2h0EQKk1gCfWds/IxOeqDin8X4HOdKqEjSJC5wAoPHM s2o0c+4WPmgVW9ARwFYl7PQ0 =N8Zf -----END PGP SIGNATURE----- _____________________________________________________________________ This message has been checked for all known viruses by UUNET delivered through the MessageLabs Virus Control Centre. For further information visit http://www.uk.uu.net/products/security/virus/ From I.Brown@cs.ucl.ac.uk Mon, 04 Jun 2001 15:34:55 +0100 Date: Mon, 04 Jun 2001 15:34:55 +0100 From: Ian BROWN I.Brown@cs.ucl.ac.uk Subject: Gibson stops 13-year-old DOS etc Obviously, the restrictions you need are far far wider than the one example I gave to avoid boring people. -- "While it clearly is appropriate for the government to take steps to protect its technological infrastructure and its computers from attack, we must not allow fear of those threats to blind us to the need to balance the competing interests of privacy, cost, law enforcement, and national security." --Rep. Bob Barr From owen.blacker@wheel.co.uk Mon, 4 Jun 2001 17:11:17 +0100 Date: Mon, 4 Jun 2001 17:11:17 +0100 From: Owen Blacker owen.blacker@wheel.co.uk Subject: Wired: MS Monopolizes UK Govt Site -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Warning -- Read the text before trying to access the govt site. It will cause Mozilla on Windows to use as much CPU as it can get. Where they say IE 5,1, they actually mean IE 5,01, I think. http://www.wired.com/news/print/0,1294,44186,00.html > MS Monopolizes UK Gov't Site > By Michelle Delio > 2:00 a.m. June 1, 2001 PDT > > > Britain's first step in the country's grand plan to move all > government-related services onto the Internet has resulted in a virtual > lockout for users who do not run Microsoft software. > > The British Government Gateway site , > developed by Microsoft, will eventually be the main access point to 200 > central government and nearly 500 local government institutions. > > But only those who are using Microsoft Internet Explorer 5.1 can access > all of the site's services at the present time, a situation that some > said is proof that Microsoft cannot play well with others. > > Microsoft denies the allegation that it has created a Microsoft-only > site. > > Barry Goffe, group manager of Microsoft's .NET enterprise solutions > group, said that the access problems are due to security protocols that > had been selected by the government long before Microsoft became involved > in the project. > > Critics also claim that Microsoft technology also locks out other > developers' protocols and applications, and said that the British > government is now irrevocably bound to using only Microsoft products. > > Scott McNealy, chairman of Sun Microsystems, said the Brits were bound to > find out what being a drug addict is like. According to McNealy, using > one Microsoft product always leads to the need for other and more > Microsoft products. > > "The first hit of heroin is always free.... Microsoft is integrated -- > it's not integratable," McNealy said in a meeting with government > officials, according to the British publication Government Computing. > > "McNealy's statements are utterly ridiculous," said Microsoft's Goffe. > > "Many people like to accuse Microsoft of using non-standard standards, > but in reality XML, which the Gateway site implements, is an accepted > standard that allows different applications and operating platforms to > communicate with each other," Goffe said. > > XML -- Extensible Markup Language -- is a vendor-neutral programming > protocol that is not a proprietary development of any company. It has > been fully supported by the World Wide Web Consortium (W3C), an > organization that has approved Web development standards since 1998, > according to Andrew Antipass of British technical support firm TecServ. > > Goffe said that Microsoft had been brought into the project when another > vendor dropped out after seven months of negotiations, leaving the > British government scrambling to find a way to fulfill its promise to > have selected government services online by the end of 2001. > > Microsoft developers managed to get the three selected departments online > in just under four months. > > The company also developed an XML-based architecture that would allow 800 > separate departments running "virtually every operating system in > existence and their 13,000 different pieces of software," to communicate > with each other and with U.K. citizens and businesses, a feat that Goffe > said required "many all-nighters." > > Goffe also noted that XML's ability to integrate all of these various > applications proves that "XML and .NET is not a closed standard, despite > Scott McNealy's ravings." > > Sun did not reply to requests for comment. > > The Gateway site does restrict access to users running certain browsers > or operating systems. > > "Mac users can enter the Gateway site but cannot do anything useful. > Windows users running any version of Mozilla or Opera are barred from > entry. Anybody else, including those running Linux or Unix of any flavor, > is not welcome. They are told that they are running an unsupported > browser," according to an investigative article in the June issue of the > British publication LinuxUser. > > But Goffe said this problem isn't one of Microsoft's development work. > The problem lies with the digital certificate system used on the Gateway > site. > > Digital certificates are a protocol intended to secure the electronic > transmission of information. Goffe said that the British government > decided which certificates they would use long before they began working > with Microsoft, and the certificates only function with the latest > versions of IE and Netscape. > > "The government developers are in an unenviable position here. They can > choose security that will allow everyone full access, or they can choose > tools that make the site highly secure, and take the chance that some > users may not be able to access it," Goffe said. > > "Equifax certificates can currently only be used with Internet Explorer > (IE) 5.01 or later, they do not work on any version of the Netscape > browser. ChamberSign certificates can be used with both Netscape > Navigator and Internet Explorer, except they are not currently supported > on version 6 of the Netscape browser," according to the Gateway site's > documentation. > > The government-developers' statement on the site said "other browsers do > not give proper support for SSL and digital certificates." > > But the LinuxUser article > demolished the > veracity of that statement with a detailed explanation of how to provide > strong security using other browsers and older versions of IE. > > Kierstan McDonald, press officer for the UK's Cabinet Office > , an agency that coordinates > government services, said election ministers and officials would be > unavailable for interviews. This is due to the forthcoming elections in > Britain -- pre-election guidelines restrict their ability to speak to the > press. > > Government officials had previously told British tech site VNUnet that > the site was launched with limited access capacities in order to get it > online as soon as possible. > > Officials promised that more digital certificates would be added so users > could navigate and use the Gateway via different combinations of Web > browsers and computer systems, a process that was expected to take a year > or more. > > The government has also been working with open-source and free-software > advocates to help correct the accessibility issues on the Gateway site, > said Jason KitCat, co-coordinator of the FREE e-democracy project, an > organization advocating the use of free software in government services > and processes. > > KitCat said government officials have been very willing to work with the > FREE e-democracy project . > > "They were delighted to be able to hear voices like mine who could offer > them non-commercial alternatives to Microsoft, and EDS and Sema > (outsourcing firms that design technical solutions)." > > Copyright © 1994-2001 Wired Digital Inc. All rights reserved. > - ----- Owen Blacker Senior Software Developer / InfoSec Consultant Wheel: Clerkenwell See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys Sig 0x00036874 | d39f b776 fa20 c125 b0e2 aa6d 555e 4126 0003 6874 -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! iQA/AwUBOxuyn1VeQSYAA2h0EQI7FgCdHYwazkoL1GNXAOWLpT0BEfs0A3IAoM+a +oEghhkfy5ybET9O9bUm15iK =NIlU -----END PGP SIGNATURE----- _____________________________________________________________________ This message has been checked for all known viruses by UUNET delivered through the MessageLabs Virus Control Centre. For further information visit http://www.uk.uu.net/products/security/virus/ From David_Biggins@usermgmt.com Mon, 4 Jun 2001 17:21:01 +0100 Date: Mon, 4 Jun 2001 17:21:01 +0100 From: David_Biggins@usermgmt.com David_Biggins@usermgmt.com Subject: Gibson stops 13-year-old DOS `terrorist,' but says W2K and X P will fail and fall I have come across a suggestion that there may be an activeX scripting object on XP that exposes raw sockets to simple VBScripts, as so = beloved of so many trojan script authors. If true, would this would perhaps account for Gibson's concerns? ## dave ## > -----Original Message----- > From: Q G Campbell [mailto:Q.G.Campbell@newcastle.ac.uk] > Sent: Monday, June 04, 2001 08:07 > To: ukcrypto@chiark.greenend.org.uk > Subject: RE: Gibson stops 13-year-old DOS `terrorist,' but=20 > says W2K and > XP will fail and fall > Importance: Low >=20 >=20 > > -----Original Message----- > > From: David Wagner [mailto:daw@mozart.cs.berkeley.edu] > > Sent: 01 June 2001 22:30 > > To: ukcrypto@chiark.greenend.org.uk > > Subject: Re: Gibson stops 13-year-old DOS `terrorist,' but=20 > > says W2K and XP will fail and fall > >=20 > >=20 > > Q G Campbell wrote: > > >The URL offer a lot more besides > > >including a strongly argued case that DDoS and a new MS operating > > >system may prevent the growth of a stable Internet economy. > >=20 > > That part was pretty hard for me to take seriously. It is > > already possible to send spoofed packets; you don't need a=20 > > new MS OS for that. >=20 > It may be POSSIBLE but the issue at the heart of Gibson's=20 > case seems to > be whether this is EASY to do with remotely installed generic code > loaded onto a PC running a current MS O/S. There is some dispute = about > this among my collegaues at least. >=20 > Our PC specialists say that since you can write directly to=20 > the ethernet > card on a PC then you can send spoofed packets; you do not need a new > O/S to do this. This is an assertion but none of them have tried it. >=20 > On the other hand the sockets interface of the various = implementations > of Unix does make writing such code much easier. I have done=20 > it in Perl > and C on a Sun box and am currently reviewing someone elses=20 > C-code that > does a similar job in Linux.=20 >=20 > The vulnerabilities of TCP/IP and the way it can be exploited are = well > documented. What strikes me from reading the URL posted by=20 > Steve Gibson > is why we do not see more of the damaging type of DDoS activity he > describes. All the means and tools are there. What seems to be = lacking > is the intent. >=20 > How much longer will that last? When will anti-captitalist protesters > realise that they can wreak huge amounts of mayhem on banks,=20 > businesses > and government from the comfort and security of a cyber caf=E9 or = their > own homes? Perhaps it is a good thing that they appear to enjoy a > punch-up more than they enjoy playing with a keyboard. >=20 > Crypto certainly does not help here and it remains to be seen whether > legislation like the Terrorism Act 2000 or the Computer=20 > Misuse Act 1990 > offers any really effective assistance against such people. >=20 > Never mind the paedophiles and pushers targeting kids; what about > anti-capitalist "terrorists" offering sweets and DDoS tools to > 13-year-olds so that they can make a game of disrupting e-commerce = and > e-business. >=20 > Quentin >=20 >=20 From james@cloud9.co.uk Mon, 4 Jun 2001 15:05:04 +0100 Date: Mon, 4 Jun 2001 15:05:04 +0100 From: James Fidell james@cloud9.co.uk Subject: Gibson stops 13-year-old DOS `terrorist,' but says W2K and XP will fail and fall Quoting Ian Johnson (Ian.Johnson@uwe.ac.uk): > Q G Campbell wrote: > > > How much longer will that last? When will anti-captitalist protesters > > realise that they can wreak huge amounts of mayhem on banks, businesses > > and government from the comfort and security of a cyber café or their > > own homes? Perhaps it is a good thing that they appear to enjoy a > > punch-up more than they enjoy playing with a keyboard. > > The real answer I suspect is lack of broadband (in the UK). I noted > that ntl (my local cable modem offerer) had made it into Steve Gibson's > chart. > I suspect that when we see a large number of unpatched, unmanaged > insecure home computers in obvious places, trouble will really start. I don't think that matters. UK ISPs (and others) are already having to deal with DoS attacks initiated by people from the UK. Once you find a single machine with reasonable bandwidth anywhere in the world that can be compromised, you could do the rest with the poorest of modem connections. James From alecm@coyote.uk.sun.com Mon, 04 Jun 2001 18:28:39 +0100 Date: Mon, 04 Jun 2001 18:28:39 +0100 From: Alec Muffett alecm@coyote.uk.sun.com Subject: Scott McNealy: The Case Against Absolute Privacy >Ah, those mythical GPS satellites with a back channel again. "back channel" = mobile phone that is also tied to the engine management system, which phones the dealer and books services for you, passes support feedback to them (eg: "fanbelt wearing out, order another one in before customer comes in for service", "customer habitually overrevs engine", etc). The system is called (IIRC) "OnStar"[1] and terrifies the hell out of me, from a personal-privacy point of view. God forbid that you should ever do anything remotely naughty, or that the data sent-back includes traffic speed, or anything that can be subpoenaed. See, for instance: http://207.37.252.232/olds/archive/99olds/onstar/99olds_2.htm So, Owen, yes. A GPS and Engine-Management system with a backchannel. - alec -- [opinions and statements cited herein are personal and may not be factual] alec muffett - random numbers: 17159 54 - alec.muffett @ uk.sun.com hard to love, hard to argue with, easy to hear from 5 miles away From jonc@lacunae.org Mon, 4 Jun 2001 20:30:28 +0100 Date: Mon, 4 Jun 2001 20:30:28 +0100 From: Jonathan Care jonc@lacunae.org Subject: Scott McNealy: The Case Against Absolute Privacy Roland wrote: > > In message <55ED5FD3B4D2D41193E60002A5090BCDC33387@clerkenwell.pres.co>, > Owen Blacker writes > >I have agreed to let my car > >company, for instance, track my every move through GPS satellites. > > Ah, those mythical GPS satellites with a back channel again. The General Motors OnStar system uses a wireless channel for data transmission from the automobile. In Europe this is GSM, with GPRS where available. In America, it is either Mobitex, or CDPD. The initial purpose of OnStar is to allow the car to alert a central monitoring point as to certain occurrences. For example failure of ABS during POST, airbag warnings, power steering, time for service, etc etc. It uses a series of WAP messages, and contains a GPS receiver to allow the onboard navigation computer to recommend a local servicing centre. I do not know of an independent audit that has verified the existence or otherwise of a "Law Enforcement Access Field", to borrow some Clipper terminology. There are already several companies that provide explicit vehicle tracking and remote immobilisation services, which have a confirmed link to law enforcement as part of the architecture. GPS on board is a great convenience - while in Palo Alto recently, I drove a car with the Magellan system installed from Hertz. It made life a lot easier, rather than driving down the 101 and working everything out from first principles (or even its relationship to Hyatt Rickeys), to have a moving map, and a set of directions given to one while driving along was a great convenience. It has been observed before that people are usually willing to forgo privacy if they are presented with an attractive benefit in return. I suspect that the convenience of interactive maps, driver advice, and recommended service dealers will prove enough of a carrot for many people to accept this particular saddle. With kind regards, Jonathan Care CISSP Tel/Fax: +44 7092 016192 Lacunae Systems - Cryptography, Privacy, Security, Technical & Change Management From roland@linx.net Mon, 4 Jun 2001 22:01:27 +0100 Date: Mon, 4 Jun 2001 22:01:27 +0100 From: Roland Perry roland@linx.net Subject: Scott McNealy: The Case Against Absolute Privacy In message , Jonathan Care writes >> >I have agreed to let my car >> >company, for instance, track my every move through GPS satellites. >> >> Ah, those mythical GPS satellites with a back channel again. > >The General Motors OnStar system uses a wireless channel for data >transmission from the automobile. Indeed, and I'm not sure you've not missed the point. Those "every moves" are clearly tracked through a terrestrial wireless system, not "through a satellite". -- Roland Perry From donald@ramsbottom.co.uk Tue, 05 Jun 2001 06:49:08 +0100 Date: Tue, 05 Jun 2001 06:49:08 +0100 From: Donald ramsbottom donald@ramsbottom.co.uk Subject: Re post I sent the post below yesterday but I have not seen it turn up. Apologies if everyone has it but me! Below is a case from today's Times Law report. It deals with the right to silence and self incrimination in civil proceedings and the interaction with criminal proceedings. As ever ignore if you do not like law. Secretary of State for Trade and Industry v Crane and Another Before Mr Justice Ferris Judgment April 11, 2001 Subject to statute preventing statements made in directors' disqualification proceedings being received in evidence in subsequent criminal proceedings, there was nothing in either the general law or in the fair trial requirement in the European Convention on Human Rights which made it objectionable for a prosecuting authority to obtain helpful ideas from what was said in other proceedings concerning the same subject matter. Mr Justice Ferris in a reserved judgment in the Chancery Division, on appeal by the Secretary of State for Trade and Industry, discharged the order of Mr Registrar Simmonds, dated November 15, 2000, staying the secretary of state's disqualification proceedings against Mr Kevin Crane and Ms Shirley Ann Burton, pending the outcome of possible criminal proceedings against them. Mr Philip Jones and Mr Gregory Banner for the secretary of state; Mr Paul Girolami as amicus curiae; the defendants did not appear and were not represented. MR JUSTICE FERRIS said that there was no principle of law that a claimant in civil proceedings was to be debarred from pursuing that action in the normal way merely because doing so might lead to the defendant having to disclose what his defence might be. The so-called right of silence afforded to a person facing a criminal charge, in contrast to the privilege against self-incrimination, did not extend to give a defendant as a matter of right the same protection in contemporaneous civil proceedings: see Jefferson Ltd v Bhetcha ((1979) 1 WLR 898, 904-5). Nevertheless, the court which was competent to control the civil proceedings had a jurisdiction to stay the proceedings if it appeared that justice so required, having regard to any concurrent proceedings: see R v Panel on Takeovers and Mergers, Ex parte Fayed ((1992) BCC 524, 531). In exercising that discretion the court should not lose sight of the fact that the judge in the criminal proceedings had extensive powers of his own to control those proceedings, for example, by staying proceedings as an abuse of process or excluding evidence by operation of section 78 of the Police and Criminal Evidence Act 1984 if it would be unfair to admit that evidence: see Attorney-General's Reference (No 3 of 1999) ((2001) 2 WLR 56, 64). Since the responsibility for doing justice in criminal proceedings lay primarily with the criminal court, the civil court, while striving to prevent a manifest risk of injustice, should not go out of its way to anticipate the existence of the mere possibility of injustice. The secretary of state had a public duty to apply for the disqualification of unfit directors and could not allow disqualification proceedings to be held up indefinitely by other proceedings over which he had no control: see In re Rex Williams Leisure plc ((1994) Ch 350). It could hardly be the case that the more deserving an individual was of disqualification the more he would be in a position to say that he was entitled to a stay merely because he was worried about his right to silence: see Jibrail v Secretary of State for Trade and Industry, per Mr Justice Jacob (unreported, November 20, 1997). Since a defendant in disqualification proceedings must, if he wished to rely on any evidence, file an affidavit prior to the close of the secretary of state's case under the old law, there was a real possibility that as a result of those proceedings, evidence would be available to the Crown, to which it would not otherwise be entitled. By contrast the new section 20 of the Company Directors Disqualification Act 1986, substituted by section 59 of and Schedule 3 to the Youth Justice and Criminal Evidence Act 1999, provides: "(2) ... in criminal proceedings in which any person is charged with an offence to which this subsection applies - (a) no evidence relating to the statement may be adduced; and (b) no question relating to it may be asked by or on behalf of the prosecution, unless evidence relating to it is adduced, or a question relating to it is asked, in the proceedings on behalf of that person." None of the grounds upon which the registrar had granted a stay had any real substance. They did not indicate that the trial of the disqualification proceedings would be unfair. Any anxiety about unfairness had to relate to the criminal proceedings. Section 20(2) of the 1986 Act would prevent statements made in the disqualification proceedings being received in evidence in the subsequent criminal proceedings. There was nothing in either the general law or in article 6 of the Convention on Human Rights which made it objectionable for a prosecuting authority to obtain helpful ideas from what was said in other proceedings concerning the same subject matter: see R v Hertfordshire County Council, Ex parte Green Environmental Services Ltd ((2000) 2 WLR 373). While the stay was granted in exercise of the registrar's discretion, the failure of the registrar to take into account the amended section 20(2) left it open for the court to substitute its view for that of the registrar. The appeal should be allowed and the stay discharged. Donald Ramsbottom BA LLb (Hons) PGdip Ramsbottom & Co Solicitors Internet and Global Encryption Law Specialists & General UK Law Matters 5 Seagrove Avenue Hayling Island Hampshire UK Tel (44) 023 9246 5931 Fax (44) 023 9246 8349 Regulated by the Law Society in the conduct of Investment business Service by Fax or Email NOT accepted From jonc@lacunae.org Tue, 5 Jun 2001 09:39:43 +0100 Date: Tue, 5 Jun 2001 09:39:43 +0100 From: Jonathan Care jonc@lacunae.org Subject: Scott McNealy: The Case Against Absolute Privacy > > In message , Jonathan > Care writes > >> >I have agreed to let my car > >> >company, for instance, track my every move through GPS satellites. > >> > >> Ah, those mythical GPS satellites with a back channel again. > > > >The General Motors OnStar system uses a wireless channel for data > >transmission from the automobile. > > Indeed, and I'm not sure you've not missed the point. Those "every > moves" are clearly tracked through a terrestrial wireless system, not > "through a satellite". My apologies, the fine details of your point had escaped me. I assumed that the issue was whether a wireless back-channel existed or not, not whether McNealy had got the technical details correct in a press release drafted by his marketing and PR staff. Building on Roland's point, I don't know the details of the authentication and authorisation model from OnStar, and it occurs to me that there are distinct possibilities for spoofing the central station, spoofing another vehicle ID, sending fake messages out to receive free parts under warranty that are then sold at a car boot sale - quite possible in collusion with an unscrupulous dealer. This raises interesting questions if OnStar is used by third-party agencies. If Insurance Agencies use the data for actuarial purposes, spoofing messages such as "Customer overrevs car" and "High wear on brake pads" from another vehicle may indicate not only reckless driving, but also a high level of stress on the part of the driver. More serious concerns exist when considering access to OnStar by a law enforcement agency. With kind regards, Jonathan Care Tel/Fax: +44 7092 016192 From Sergei.Lewis@arm.com Tue, 5 Jun 2001 09:33:24 +0100 Date: Tue, 5 Jun 2001 09:33:24 +0100 From: Sergei.Lewis@arm.com Sergei.Lewis@arm.com Subject: Gibson stops 13-year-old DOS `terrorist,' but says W2K and X P will fail and fall On 06/04/2001 05:21:01 PM ukcrypto-admin wrote: >I have come across a suggestion that there may be an activeX scripting >object on XP that exposes raw sockets to simple VBScripts, as so beloved >of so many trojan script authors. > >If true, would this would perhaps account for Gibson's concerns? ..and if there isn't, it sure won't be long before some l33t h4x0r writes one ^^;; -- Sergei Lewis From steve@greenend.org.uk Tue, 5 Jun 2001 12:35:47 +0100 Date: Tue, 5 Jun 2001 12:35:47 +0100 From: Stephen Early steve@greenend.org.uk Subject: Administrivia (was Re: Re post) On Tuesday, 5 Jun 2001, Donald ramsbottom wrote: > I sent the post below yesterday but I have not seen it turn > up. Apologies if everyone has it but me! Please don't do that! UKcrypto is hosted on a reliably-administered machine. In the normal course of events, messages sent to and through this machine should never just 'go missing'. If a message sent to chiark does not reach its intended destination and does not result in the message originator receiving a bounce message then there is a misconfiguration somewhere, which I would like to know about so that I can try to get it fixed. Re-sending the message in the hope that it will 'work the second time' is not the correct thing to do: it will usually either result in the message being received twice (as in this case) or not at all, and does not help with diagnosing the underlying problem. If there a fault with chiark then it will be fixed quickly. If it is a fault outside chiark (for example with the message originator's ISP) then the response depends on the third party; I'll try to get them to fix their problem, but unfortunately many ISPs do not appear to be interested in providing a reliable service. Stephen Early UKcrypto mailing list administrator From G.Price@ccsr.cam.ac.uk Tue, 05 Jun 2001 10:38:43 +0100 Date: Tue, 05 Jun 2001 10:38:43 +0100 From: Geraint Price G.Price@ccsr.cam.ac.uk Subject: Scott McNealy: The Case Against Absolute Privacy > The system is called (IIRC) "OnStar"[1] and terrifies the hell out of > me, from a personal-privacy point of view. God forbid that you should > ever do anything remotely naughty, or that the data sent-back includes > traffic speed, or anything that can be subpoenaed. Unfortunately I think this is likely to be the case... I remember speaking to someone from within the motor industry a while back, and their opinion was quite clear on the matter. With engine management systems storing more and more data to help a garage sort out a problem when you take your car in for a service, then it would only be a matter of time before both (a) the police and (b) the insurance companies would want access to the information. The police would obviously love to get their hands on the information to see which driver was genuinely doing 30 before the crash, and the insurance companies would also like to for the same reason. In that sense the old carrot and stick approach will come out again, with `ABC motor insurance Ltd' offering cheaper insurance for those people with a comprehensive engine management data collection system on board. Thus in an accident, they can off load the insurance cost to you if you are deemed to have been doing something naughty. Geraint From jtjm@xenoclast.org Tue, 5 Jun 2001 17:01:27 +0100 (BST) Date: Tue, 5 Jun 2001 17:01:27 +0100 (BST) From: Julian T. J. Midgley jtjm@xenoclast.org Subject: Scott McNealy: The Case Against Absolute Privacy On Tue, 5 Jun 2001, Geraint Price wrote: > > > The system is called (IIRC) "OnStar"[1] and terrifies the hell out of > > me, from a personal-privacy point of view. God forbid that you should > > ever do anything remotely naughty, or that the data sent-back includes > > traffic speed, or anything that can be subpoenaed. > > Unfortunately I think this is likely to be the case... I remember speaking to > someone from within the motor industry a while back, and their opinion was > quite clear on the matter. With engine management systems storing more and > more data to help a garage sort out a problem when you take your car in for a > service, then it would only be a matter of time before both (a) the police and > (b) the insurance companies would want access to the information. The police > would obviously love to get their hands on the information to see which driver > was genuinely doing 30 before the crash, and the insurance companies would > also like to for the same reason. In that sense the old carrot and stick > approach will come out again, with `ABC motor insurance Ltd' offering cheaper > insurance for those people with a comprehensive engine management data > collection system on board. Thus in an accident, they can off load the > insurance cost to you if you are deemed to have been doing something naughty. However, I am not certain that a record of the speed of the car over time is useful for servicing purposes (the critical data being wear and stress information for parts, etc. - as far as the engine is concerned, it's the revs that count, not the speed of the vehicle). Given that, then there's little sense in including this data amongst that logged by an engine management/servicing system. In fact, it behoves a manufacturer not to log such data, since by so doing they may encourage a potential customer to purchase a competitor's product instead. I don't dispute that the insurance companies and police might be interested in the data, but if neither the drivers nor the car manufacturers have any desire to buy/sell cars that log it, the only way they'll get access to it is through legislation mandating its gathering. Julian -- Julian T. J. Midgley http://www.xenoclast.org Cambridge, England. PGP Key ID: 0xBCC7863F From adam@homeport.org Tue, 5 Jun 2001 13:48:39 -0400 Date: Tue, 5 Jun 2001 13:48:39 -0400 From: Adam Shostack adam@homeport.org Subject: Scott McNealy: The Case Against Absolute Privacy On Tue, Jun 05, 2001 at 05:01:27PM +0100, Julian T. J. Midgley wrote: | However, I am not certain that a record of the speed of the car over time | is useful for servicing purposes (the critical data being wear and stress | information for parts, etc. - as far as the engine is concerned, it's the | revs that count, not the speed of the vehicle). Given that, then there's | little sense in including this data amongst that logged by an engine | management/servicing system. In fact, it behoves a manufacturer not to | log such data, since by so doing they may encourage a potential customer | to purchase a competitor's product instead. I think that a stronger argument is that they may be in violation of laws such as the EU data protection directive, by creating a data gathering system which is secret, non-consunsual, perhaps not in the best interests of the data subject, etc. | I don't dispute that the insurance companies and police might be | interested in the data, but if neither the drivers nor the car | manufacturers have any desire to buy/sell cars that log it, the only way | they'll get access to it is through legislation mandating its gathering. The auto makers are including such systems today, because they believe that they have an interest in gathering the data. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From donald@ramsbottom.co.uk Wed, 06 Jun 2001 07:18:24 +0100 Date: Wed, 06 Jun 2001 07:18:24 +0100 From: Donald ramsbottom donald@ramsbottom.co.uk Subject: Mobiles and Infections Now this will probably sound pretty dumb to all you Techmarines, but I am a user and worse than that IAL! With the labour party spamming the text message airwaves with 5 million messages, and with WAP phones downloading new ringtones and getting email etc, does the A5/** crypto on the phones protect the text and WAP traffic, or is it unprotected, or does it have seperate crypto? Is there any equivilent of a firewall or any protection on a WAP phone from virii or Trojans etc? Will the next scourge be a ringtone with a Worm payload inside, if so what are the consequences and has anybody done anything about it. This line of query is a by product of the now Debunked DIRT Trojan, Sorry to be so ignorant, but horrible scenarios keep washing unbidden, on the dark shores of my mind. Donald Ramsbottom BA LLb (Hons) PGdip Ramsbottom & Co Solicitors Internet and Global Encryption Law Specialists & General UK Law Matters 5 Seagrove Avenue Hayling Island Hampshire UK Tel (44) 023 9246 5931 Fax (44) 023 9246 8349 Regulated by the Law Society in the conduct of Investment business Service by Fax or Email NOT accepted From akm@92tr.freeserve.co.uk Tue, 5 Jun 2001 23:11:43 +0100 Date: Tue, 5 Jun 2001 23:11:43 +0100 From: Adrian Midgley akm@92tr.freeserve.co.uk Subject: Wired: MS Monopolizes UK Govt Site I am distinctly pissed off at Opera being blocked... From owen.blacker@wheel.co.uk Wed, 6 Jun 2001 10:09:27 +0100 Date: Wed, 6 Jun 2001 10:09:27 +0100 From: Owen Blacker owen.blacker@wheel.co.uk Subject: London Metro: EMI Web deal will let users burn CDs -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Finally, someone in the music industry has worked out that digital media aren't intrinsically evil and that there ~are~ ways of maintaining revenue from digital transfers of music. :o) | Internet users will soon be able to burn music legally from artists such | as Robbie Williams and The Beatles on to blank CDs. | | The move will be possible after a deal announced yesterday between music | publisher EMI and Roxio, which publishes Toast software. [sic, I assume | they mean Toaster] | | Users will have to get their downloads authorised before being able to | make a copy and artists will be properly compensated. | | The move is being viewed as a way for EMI top cut production costs. | | The future of digital distribution could cut out the need to get CDs into | shops, but EMI has admitted it will not make much money from the project | at first. | | The move is also an attempt to protect itself from unauthorised | reproduction of material via file sharing websites such as Napster. No | decision has yet been made on how much downloads will cost. | | [ends] Retyped from London Metro, 2001-06-06, page 9 col 2. - -- Owen Blacker Senior Software Developer / InfoSec Consultant Wheel: Clerkenwell See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys Sig 0x00036874 | d39f b776 fa20 c125 b0e2 aa6d 555e 4126 0003 6874 -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! iQA/AwUBOx3yqlVeQSYAA2h0EQI5CQCdHQKbC4B5dXZkMmDQhJjXtjxfQYsAniFA 5SWpEKSFWktW+h7jsWtQhVpk =zvKj -----END PGP SIGNATURE----- _____________________________________________________________________ This message has been checked for all known viruses by UUNET delivered through the MessageLabs Virus Control Centre. For further information visit http://www.uk.uu.net/products/security/virus/ From owen.blacker@wheel.co.uk Wed, 6 Jun 2001 10:09:28 +0100 Date: Wed, 6 Jun 2001 10:09:28 +0100 From: Owen Blacker owen.blacker@wheel.co.uk Subject: London Metro: Mobile dials into top-level security -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This looks like it's been directly retyped from a press release but, fwiw: | A new mobile phone is promising military-grade privacy for its users. | | The TopSec handset is intended for executives who need to discuss | confidential business matters on the move. The GBP 2 000 device is the | first consumer phone with such a high level of encryption, according to | security experts. | | Stefan Boettinger, of manufacturer Rohde & Schwarz, said : "They're aimed | at companies who want to be sure they're not being spied on by | competitors." | | The TopSec is based on a conventional handset manufactured by Siemens and | also works as a normal mobile phone. For encrypted calls, both parties | need to have a TopSec handset. | | An encryption box for landlines will be available in September. | | Meanwhile, mobile phones are being sold from vending machines in a | British consumer trial. | | Buyers will be able to insert money or a credit card into a machine and | choose a new handset, costing about GB 60. | | [ends] Retyped from London Metro, 2001-06-06, page 9 col 5. - -- Owen Blacker Senior Software Developer / InfoSec Consultant Wheel: Clerkenwell See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys Sig 0x00036874 | d39f b776 fa20 c125 b0e2 aa6d 555e 4126 0003 6874 -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! iQA/AwUBOx3xNlVeQSYAA2h0EQJYHwCglEut0SxsILnu+UOBBEqLz4E5G7AAnjIa VyDTpVjWZTHgrL6qz8zNqI1q =t0La -----END PGP SIGNATURE----- _____________________________________________________________________ This message has been checked for all known viruses by UUNET delivered through the MessageLabs Virus Control Centre. For further information visit http://www.uk.uu.net/products/security/virus/ From owen.blacker@wheel.co.uk Wed, 6 Jun 2001 10:14:02 +0100 Date: Wed, 6 Jun 2001 10:14:02 +0100 From: Owen Blacker owen.blacker@wheel.co.uk Subject: Silicon.com: US embraces secure mobile technology it cannot use -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > HEADLINE: US embraces secure mobile technology it cannot use > PUBLISHED: 5:31pm on Tuesday 5th June 2001 > CHANNEL: Geeks with gadgets > AUTHOR: Ron Coates > SERVICE: http://www.silicon.com > > TEXT OF STORY FOLLOWS: > > US customers buy $3,000 phone that will not work. It's a lot > of money for a novelty door stop or paperweight -- though you > could have some GSM bookends for $6,000... > > A German company has launched a military-grade secure mobile > in the US -- the one country where it will not yet work, > according to reports. > > Rohde & Schwarz, a telecom and testing equipment maker from > Munich gained the rights to the phone, and other encryption > technology, when it took over a division of Siemens at the > beginning of May. > > It now says it has sold a few hundred of the modified S35i > Siemens mobile to private and government customers, as well > as 1,500 fixed line models to the German military. Prices of > $3,000 per handset have been quoted. > > The TopSec phone uses a combination of 1,024-bit encryption > for authentication and 128-bit encryption for data transfer. > But it operates only on GSM standard networks, which makes it > unusable in the US. > > Officials in the parent company could not comment on the US launch. > > > STORY ENDS > > For more information on silicon.com go to http://www.silicon.com. > > silicon.com - the who, what, when, where and why of ebusiness -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! iQA/AwUBOx3z11VeQSYAA2h0EQJq/wCgq2Vp49kxKPLcVjmQl5q/nntYkosAoIME ASONiQwDVjZ0xXWxjLIg3NsG =xjyi -----END PGP SIGNATURE----- _____________________________________________________________________ This message has been checked for all known viruses by UUNET delivered through the MessageLabs Virus Control Centre. For further information visit http://www.uk.uu.net/products/security/virus/ From bdm@fenrir.org.uk Wed, 06 Jun 2001 10:16:34 +0100 Date: Wed, 06 Jun 2001 10:16:34 +0100 From: Brian Morrison bdm@fenrir.org.uk Subject: London Metro: Mobile dials into top-level security On Wed, 6 Jun 2001 10:09:28 +0100, Owen Blacker wrote: >| >| Stefan Boettinger, of manufacturer Rohde & Schwarz, said : "They're aimed >| at companies who want to be sure they're not being spied on by >| competitors." >| I don't see how this can help anything other than the off air monitoring case, there is no provision to pass encrypted voice traffic out of the GSM network into the PSTN, unless you were to do it as a data call perhaps. Anyone know any more? -- Brian Morrison bdm@fenrir.demon.co.uk do you know how far this has gone? just how damaged have I become? 'Even Deeper' by Nine Inch Nails From lists@benzo8.org Wed, 06 Jun 2001 10:18:59 +0100 Date: Wed, 06 Jun 2001 10:18:59 +0100 From: John Sullivan lists@benzo8.org Subject: London Metro: EMI Web deal will let users burn CDs At 10:09 AM 06/06/2001, you wrote: >| The move will be possible after a deal announced yesterday between music >| publisher EMI and Roxio, which publishes Toast software. [sic, I assume >| they mean Toaster] Er, no - they mean Toast. (http://www.roxio.com/en/products/toast/index.html) A toaster is something for turning bread into burnt bread. Or for locking scan frequencies in order to transfer video from one standard to another. John... -- www.sporadica.co.uk - "...a willful squandering of 'Net resources..." - Newsweak From owen.blacker@wheel.co.uk Wed, 6 Jun 2001 10:29:34 +0100 Date: Wed, 6 Jun 2001 10:29:34 +0100 From: Owen Blacker owen.blacker@wheel.co.uk Subject: Silicon.com Leader: Napster: A loud enough wake up call for media giants? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > HEADLINE: Napster: A loud enough wake up call for media giants? > PUBLISHED: 6:00pm on Tuesday 5th June 2001 > CHANNEL: New media marketing > AUTHOR: editorial@silicon.com > SERVICE: http://www.silicon.com > > TEXT OF STORY FOLLOWS: > > They're getting the message... s-l-o-w-l-y > > Napster looks close to a deal that could save its bacon and > EMI intends to develop a platform for legalising the burning > of CDs from digital music on the net. > > Good news for music fans, but too late to raise the > collective pulse rate. > > While the big five labels are dabbling with digital music > platform ventures to supplement retail sales, they have still > missed the point. > > The digital music genie has been out of the bottle and > granting wishes for some time. While record labels flap > around protecting margins on album sales, they refuse to > accept the stark truth: protection of copyright online isn't > the big issue. Millions of people simply won't consume music > in a pre-Napster fashion anymore. Labels' business models > have to change, and change radically. > > No-one downloads albums from Napster. Most people use Napster > right now for a quick hit, but quality mostly isn't good > enough to bother burning tracks on a CD. > > People will pay -- maybe on a subscription basis -- for a > quality download service, but they won't pay much, and the > services had better be good. Charge too much and services > won't get used or they'll just get cracked. > > In the meantime, services such as those based on Gnutella > will continue to lure potential users away and, unlike > Napster, prove hard to shut down. > > No business favours widespread copyright abuse, which is > exactly why record companies must take the lead now, before > surfers get hooked on commercial content for free. > > It's tempting to accuse labels of fiddling while Rome burns, > but an even harsher metaphor may be required, involving > rabbits and juggernaut headlights. Let's just say their pace > of progress has been painfully slow. > > For related news, see: > Napster accepts its corporate destiny > http://www.silicon.com/a44862 > EMI invests to protect digital downloads > http://www.silicon.com/a44876 > Greedy stars ate my Napster > http://www.silicon.com/a44230 > > > STORY ENDS > > For more information on silicon.com go to http://www.silicon.com. > > silicon.com - the who, what, when, where and why of ebusiness -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! iQA/AwUBOx33elVeQSYAA2h0EQL19gCgrS7KmtrRa3P2UboLNn7WmZH7tB8AniJH TrLcSbiJA1craNA23l+wWVQc =Fz81 -----END PGP SIGNATURE----- _____________________________________________________________________ This message has been checked for all known viruses by UUNET delivered through the MessageLabs Virus Control Centre. For further information visit http://www.uk.uu.net/products/security/virus/ From owen.blacker@wheel.co.uk Wed, 6 Jun 2001 10:27:49 +0100 Date: Wed, 6 Jun 2001 10:27:49 +0100 From: Owen Blacker owen.blacker@wheel.co.uk Subject: Wired: Say Ahh, Then Remain Silent -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 | Say Ahh, Then Remain Silent | By Jeffrey Benner | 2:00 a.m. June 5, 2001 PDT | | | Cops may someday be searching private medical records in search of | criminals, according to some medical privacy experts who cite increasing | automation of medical records combined with broad exemptions for law | enforcement in new medical privacy regulations. | | "I'm very concerned about the possibility of medical records becoming a | vast law enforcement database," said Ronald Weich, a legislative | consultant to the ACLU. "It's only a matter of time before the police see | how convenient it would be to search medical records to find suspects." | | Sweeping new federal rules designed to protect the privacy of medical | information became official April 14, and hospitals have two years to | comply with the new standards. | | Privacy advocates generally applauded the new rules as a victory for | patients' rights to privacy and control over their medical records. | | But there remains what appears to be a broad loophole in the regulations | for state and federal law enforcement | officials. | | The regulations state that the only thing police or other law enforcement | agents need to do to obtain medical records is assert their request for | the records is necessary and relevant to specific investigations. | | The rules don't require permission from a judge, or even notification to | the patient that medical records have been turned over to the police. | | "Any cop can walk into any hospital, wave a badge and get records," said | a former congressional staffer named Bob Gellman, who has been involved | in drafting medical privacy legislation for over 20 years. | | "We're in a position where your doctor may have to give you a Miranda | warning," he | said. | | While there are currently no plans to keep any kind of centralized | database of medical records, the government already has access to | millions of Medicare records. Gellman worries this database could be | abused under loopholes for law enforcement and for the Inspector General | at the department of Health and Human Services (HHS) | , the agency that wrote the rules. | | "You could have an automated search on a daily basis to look for | extraneous crimes," Gellman said. | | Opponents of the exemption point out that police would have a harder time | finding out what movies a person rented than what an individual tells a | doctor in confidence. (Under a law commonly known as the Bork Bill | , cops must get a warrant to see video rental records. The law | was passed in 1988 after muckrakers found out what movies ill-fated | Supreme Court nominee Robert Bork had been renting at Blockbuster.) | | Although the exemption hasn't gotten much public attention, the Clinton | administration was aware of the potential for abuse. On Dec. 20, 2000, | the same day the final text of the rule was published, Clinton signed an | executive order | | designed to protect patients from undue probing from law enforcement. | | The order makes it difficult for federal officials to use evidence | discovered during a fraud investigation involving a doctor or hospital | against a patient. In the course of policing the health care system for | fraud -- like overcharging of Medicare -- federal authorities access | thousands of medical records. | | "This executive order is pretty strong stuff," said Peter Swire, who | served as Clinton's top adviser on privacy policy. "States should | consider adopting similar protections." | | The order is an important protection against law enforcement using its | "oversight" role of the health care system as a back door for access to | records in order to investigate patients, Swire said. "Without the | executive order, the broad oversight power in the rule could result in | fishing expeditions," he said. | | In her official comment on the privacy regulation submitted before it | became final, former Attorney General Janet Reno argued that the | Department of Justice needed broad authority to access records in order | to be able to fight fraud, protect public safety and enforce the law. | | Gellman and Weich acknowledge that the executive order did offer some | protection not provided in the privacy rule. But neither felt it solved | the problem. | | "The executive order is significant," Gellman said. "It's not the | greatest order in the world, but (Clinton) deserves a lot of credit for | it." | | He pointed out that the order only applies to federal -- not state -- | officials, and that it did not totally prohibit the use of evidence found | against patients, but just placed limits on it. | | The ACLU, the Electronic Frontier Foundation and the Health Privacy | Project all fought to have the rule require cops to get a court order in | order to access medical records, and argued patients should be notified | of the request in order to have an opportunity to fight the subpoena. The | American Hospital Association, often on the opposite side of issues from | privacy advocates, supports stricter limits on law enforcement access to | records as well. | | Defenders of the rule, including the HHS, point out that it does not | allow police to do anything they can't do already. Aside from a law that | protects drug addicts in rehab from being turned over to the police, | there are no federal laws limiting police access to medical records. | | But Gellman doesn't agree. He thinks the law could work in favor of the | police, because now hospitals or doctors handing over records won't be | worried about getting sued. | | "Right now, there's a lot of uncertainty about cops getting records, and | there could be civil liability for violating confidentiality," Gellman | said. "This law clarifies the situation. It really does make a difference | by clarifying the law, and it does so totally in favor of the cops." | | As for the most troubling scenarios, the Fourth Amendment clauses on | unreasonable search and seizure still offer patients some protection. In | March, the Supreme Court ruled that a pregnant woman turned over to the | police in Charleston, South Carolina, after testing positive for cocaine, | had had her Fourth Amendment rights violated. | | | Copyright © 1994-2001 Wired Digital Inc. All rights reserved. | - -- Owen Blacker Senior Software Developer / InfoSec Consultant Wheel: Clerkenwell See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys Sig 0x00036874 | d39f b776 fa20 c125 b0e2 aa6d 555e 4126 0003 6874 -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! iQA/AwUBOx33ElVeQSYAA2h0EQJC8QCfdXxhhJNg4QH2ngTC64kt+fXvF2oAoMqs W+OleQOVmYN2L+q4Q6CIBiiv =q8Av -----END PGP SIGNATURE----- _____________________________________________________________________ This message has been checked for all known viruses by UUNET delivered through the MessageLabs Virus Control Centre. For further information visit http://www.uk.uu.net/products/security/virus/ From alumpot@cwcom.net Wed, 06 Jun 2001 05:39:05 -0500 Date: Wed, 06 Jun 2001 05:39:05 -0500 From: Kat K alumpot@cwcom.net Subject: Mobiles and infections Donald Ramsbottom wrote: >is there any equivilent of a firewall or any protection on a WAP phone from virii or Trojans etc? Although I cannot give info on WAP (which I do use occasionally), I have used a PDA with a mobile and am currently using Omnisky (with a springboard module with modem and sim card) as a beta tester and they have this paper on the security that they use: http://www.omnisky.co.uk/products/security.html Found this too, F-Secure Anti-Virus for palm: http://pda.tucows.com/palm/preview/169395.html And I believe PGP is available for palm OS PDA's too. Thanks - Kat -- Sent wirelessly using OmniSky From owen.blacker@wheel.co.uk Wed, 6 Jun 2001 10:52:41 +0100 Date: Wed, 6 Jun 2001 10:52:41 +0100 From: Owen Blacker owen.blacker@wheel.co.uk Subject: London Metro: EMI Web deal will let users burn CDs -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 John Sullivan, correcting me: > > | The move will be possible after a deal announced yesterday between > | music publisher EMI and Roxio, which publishes Toast software. [sic, I > | assume they mean Toaster] > > Er, no - they mean Toast. > (http://www.roxio.com/en/products/toast/index.html) A toaster is > something for turning bread into burnt bread. Or for locking scan > frequencies in order to transfer video from one standard to another. I stand corrected. I'm sure I know of a CD-ROM burning app called Toaster, but it is (as ever) entirely conceivable that I'm making that up. :o) Having skim read the first page of a Google search, it would appear there is a ROM-burning app called toaster but I'll be honest -- it's not what I was thinking of. Evidently I was making it up, my apologies... O x - -- Owen Blacker Senior Software Developer / InfoSec Consultant Wheel: Clerkenwell See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys Sig 0x00036874 | d39f b776 fa20 c125 b0e2 aa6d 555e 4126 0003 6874 -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! iQA/AwUBOx385lVeQSYAA2h0EQInAACfXMbLNEqzlaVmwLEWTg5SVO7d6M0AoKk7 VNDN1uapAk5U+CSG00RnNbXu =LUCY -----END PGP SIGNATURE----- _____________________________________________________________________ This message has been checked for all known viruses by UUNET delivered through the MessageLabs Virus Control Centre. For further information visit http://www.uk.uu.net/products/security/virus/ From alumpot@cwcom.net Wed, 06 Jun 2001 05:52:44 -0500 Date: Wed, 06 Jun 2001 05:52:44 -0500 From: Kat K alumpot@cwcom.net Subject: Mobiles and infections Donald Ramsbottom wrote: >is there any equivilent of a firewall or any protection on a WAP phone from virii or Trojans etc? Although I cannot give info on WAP (which I do use occasionally), I have used a PDA with a mobile and am currently using Omnisky (with a springboard module with modem and sim card) as a beta tester and they have this paper on the security that they use: http://www.omnisky.co.uk/products/security.html Found this too, F-Secure Anti-Virus for palm: http://pda.tucows.com/palm/preview/169395.html And I believe PGP is available for palm OS PDA's too. Thanks - Kat -- Sent wirelessly using OmniSky From DHowe@Hawkswing.demon.co.uk Wed, 6 Jun 2001 10:54:51 +0100 Date: Wed, 6 Jun 2001 10:54:51 +0100 From: David Howe DHowe@Hawkswing.demon.co.uk Subject: Mobiles and Infections > Is there any equivilent of a firewall or any protection on a WAP phone from > virii or Trojans etc? No. > Will the next scourge be a ringtone with a Worm > payload inside, yes. the next generation of web enabled phones will have scripting support, and will be liable to the same sorts of viruses as you might expect (a obvious first one will be one that force-redials you to an alternate WAP gateway phone number, but on a "premium rate" line they can collect from) > if so what are the consequences and has anybody done > anything about it. There are ongoing discussions, but unfortunately the new phones will not be advanced enough to run full-blown software like a firewall, but *will* be advanced enough to support the worms (go figure). Manufacturers are having difficulty seeing virus security as an issue though (and yes, I think MS does have an interest in one of the proposed schemes) From octobersdad@reporters.net Wed, 6 Jun 2001 11:04:12 +0100 Date: Wed, 6 Jun 2001 11:04:12 +0100 From: T Bruce Tober octobersdad@reporters.net Subject: London Metro: Mobile dials into top-level security -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In message <55ED5FD3B4D2D41193E60002A5090BCDC333E6@clerkenwell.pres.co>, Owen Blacker writes >This looks like it's been directly retyped from a press release but, fwiw: > >| A new mobile phone is promising military-grade privacy for its users. >| >| The TopSec handset is intended for executives who need to discuss >| confidential business matters on the move. The GBP 2 000 device is the >| first consumer phone with such a high level of encryption, according to >| security experts. This isn't the first such. I wrote about the Sectra secure phones both in 1999 and 2000 - -- | Bruce Tober, , | *.* *.* *.* *.* | Birmingham, UK, EU +44-780-374-8255 (Mobile) +44-1562-638-704 (Landline) | -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBOx4AHElMGg3Z3q20EQI/4QCfYmrYa9yqRsyyzxFH6SpNvAQKw4AAnRYH ZzP5PlaVktPCWJVcEXK2fwfv =5bme -----END PGP SIGNATURE----- From octobersdad@reporters.net Wed, 6 Jun 2001 10:58:51 +0100 Date: Wed, 6 Jun 2001 10:58:51 +0100 From: T Bruce Tober octobersdad@reporters.net Subject: Wired: MS Monopolizes UK Govt Site -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In message <00f701c0ee0c$81f0bcf0$d400000a@jupiter.92tr.freeserve.co.uk> , Adrian Midgley writes >I am distinctly pissed off at Opera being blocked... Considering how total rubbish Opera is at this point (v5.11 and even 5.02), I almost can't blame them. It's constantly crashing my system so a hard reboot is needed. I've had to switch default back to Netscape. argh. > > > > - -- | Bruce Tober, , | *.* *.* *.* *.* | Birmingham, UK, EU +44-780-374-8255 (Mobile) +44-1562-638-704 (Landline) | -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBOx3+20lMGg3Z3q20EQKSZwCeJMC9LZ8QeHjGO62NWU695t4Pzt0AoOl9 dmy0PSZaq2gm/R0uIkdn8dbu =eMun -----END PGP SIGNATURE----- From David_Biggins@usermgmt.com Wed, 6 Jun 2001 12:01:00 +0100 Date: Wed, 6 Jun 2001 12:01:00 +0100 From: David_Biggins@usermgmt.com David_Biggins@usermgmt.com Subject: Wired: Say Ahh, Then Remain Silent I have been warning for some time that provisions of the Health & Social Services Bill make such things inevitable in the UK - indeed worse. ## dave ## > -----Original Message----- > From: Owen Blacker [mailto:owen.blacker@wheel.co.uk] > Sent: Wednesday, June 06, 2001 10:28 > To: UK Crypto list (E-mail) > Subject: Wired: Say Ahh, Then Remain Silent > > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > | Say Ahh, Then Remain Silent > | By Jeffrey Benner > | 2:00 a.m. June 5, 2001 PDT > | > | > | Cops may someday be searching private medical records in search of > | criminals, according to some medical privacy experts who > cite increasing > | automation of medical records combined with broad exemptions for law > | enforcement in new medical privacy regulations. > | > | "I'm very concerned about the possibility of medical > records becoming a > | vast law enforcement database," said Ronald Weich, a legislative > | consultant to the ACLU. "It's only a matter of time before > the police see > | how convenient it would be to search medical records to > find suspects." > | > | Sweeping new federal rules designed to protect the privacy > of medical > | information became official April 14, and hospitals have > two years to > | comply with the new standards. > | > | Privacy advocates generally applauded the new rules as a victory for > | patients' rights to privacy and control over their medical > records. > | > | But there remains what appears to be a broad loophole in > the regulations > | for state and federal law > enforcement > | officials. > | > | The regulations state that the only thing police or other > law enforcement > | agents need to do to obtain medical records is assert their > request for > | the records is necessary and relevant to specific investigations. > | > | The rules don't require permission from a judge, or even > notification to > | the patient that medical records have been turned over to > the police. > | > | "Any cop can walk into any hospital, wave a badge and get > records," said > | a former congressional staffer named Bob Gellman, who has > been involved > | in drafting medical privacy legislation for over 20 years. > | > | "We're in a position where your doctor may have to give you > a Miranda > | > > warning," he > | said. > | > | While there are currently no plans to keep any kind of centralized > | database of medical records, the government already has access to > | millions of Medicare records. Gellman worries this database could be > | abused under loopholes for law enforcement and for the > Inspector General > | at the department of Health and Human Services (HHS) > | , the agency that wrote the rules. > | > | "You could have an automated search on a daily basis to look for > | extraneous crimes," Gellman said. > | > | Opponents of the exemption point out that police would have > a harder time > | finding out what movies a person rented than what an > individual tells a > | doctor in confidence. (Under a law commonly known as the Bork Bill > | > hacks/videop > | rv.html>, cops must get a warrant to see video rental > records. The law > | was passed in 1988 after muckrakers found out what movies ill-fated > | Supreme Court nominee Robert Bork had been renting at > Blockbuster.) > | > | Although the exemption hasn't gotten much public attention, > the Clinton > | administration was aware of the potential for abuse. On > Dec. 20, 2000, > | the same day the final text of the rule was published, > Clinton signed an > | executive order > | > | designed to protect patients from undue probing from law > enforcement. > | > | The order makes it difficult for federal officials to use evidence > | discovered during a fraud investigation involving a doctor > or hospital > | against a patient. In the course of policing the health > care system for > | fraud -- like overcharging of Medicare -- federal authorities access > | thousands of medical records. > | > | "This executive order is pretty strong stuff," said Peter Swire, who > | served as Clinton's top adviser on privacy policy. "States should > | consider adopting similar protections." > | > | The order is an important protection against law > enforcement using its > | "oversight" role of the health care system as a back door > for access to > | records in order to investigate patients, Swire said. "Without the > | executive order, the broad oversight power in the rule > could result in > | fishing expeditions," he said. > | > | In her official comment on the privacy regulation submitted > before it > | became final, former Attorney General Janet Reno argued that the > | Department of Justice needed broad authority to access > records in order > | to be able to fight fraud, protect public safety and > enforce the law. > | > | Gellman and Weich acknowledge that the executive order did > offer some > | protection not provided in the privacy rule. But neither > felt it solved > | the problem. > | > | "The executive order is significant," Gellman said. "It's not the > | greatest order in the world, but (Clinton) deserves a lot > of credit for > | it." > | > | He pointed out that the order only applies to federal -- > not state -- > | officials, and that it did not totally prohibit the use of > evidence found > | against patients, but just placed limits on it. > | > | The ACLU, the Electronic Frontier Foundation and the Health Privacy > | Project all fought to have the rule require cops to get a > court order in > | order to access medical records, and argued patients should > be notified > | of the request in order to have an opportunity to fight the > subpoena. The > | American Hospital Association, often on the opposite side > of issues from > | privacy advocates, supports stricter limits on law > enforcement access to > | records as well. > | > | Defenders of the rule, including the HHS, point out that it does not > | allow police to do anything they can't do already. Aside > from a law that > | protects drug addicts in rehab from being turned over to the police, > | there are no federal laws limiting police access to medical > records. > | > | But Gellman doesn't agree. He thinks the law could work in > favor of the > | police, because now hospitals or doctors handing over > records won't be > | worried about getting sued. > | > | "Right now, there's a lot of uncertainty about cops getting > records, and > | there could be civil liability for violating > confidentiality," Gellman > | said. "This law clarifies the situation. It really does > make a difference > | by clarifying the law, and it does so totally in favor of > the cops." > | > | As for the most troubling scenarios, the Fourth Amendment clauses on > | unreasonable search and seizure still offer patients some > protection. In > | March, the Supreme Court ruled that a pregnant woman turned > over to the > | police in Charleston, South Carolina, after testing > positive for cocaine, > | had had her Fourth Amendment rights violated. > | > | > | Copyright © 1994-2001 Wired Digital Inc. All rights reserved. > | > > - -- > Owen Blacker > Senior Software Developer / InfoSec Consultant Wheel: Clerkenwell > See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys > Sig 0x00036874 | d39f b776 fa20 c125 b0e2 aa6d 555e 4126 0003 6874 > > -----BEGIN PGP SIGNATURE----- > Version: PGP 7.0.4 > Comment: Due to RIP, pls check for revocation before using this key! > > iQA/AwUBOx33ElVeQSYAA2h0EQJC8QCfdXxhhJNg4QH2ngTC64kt+fXvF2oAoMqs > W+OleQOVmYN2L+q4Q6CIBiiv > =q8Av > -----END PGP SIGNATURE----- > > _____________________________________________________________________ > This message has been checked for all known viruses by UUNET > delivered > through the MessageLabs Virus Control Centre. For further > information visit > http://www.uk.uu.net/products/security/virus/ > > From DHowe@Hawkswing.demon.co.uk Wed, 6 Jun 2001 12:49:10 +0100 Date: Wed, 6 Jun 2001 12:49:10 +0100 From: David Howe DHowe@Hawkswing.demon.co.uk Subject: Wired: Say Ahh, Then Remain Silent > I have been warning for some time that provisions of the Health & Social > Services Bill make such things inevitable in the UK - indeed worse. Indeed - the big fear was always that personalized information would be sold, but that blanket trawling for "criminal" data in the medical records. I am told doctors often turn a blind eye to traces of marijuana in the test results of (for example) chronic pain suffers, and many welcome the decrease in prescription (famous name, expensive) painkillers their drugs budget must support this seems to bring. However, if a blood test were to lead to a police raid a few days later, how many conditions easily treatable in the early stages would be burdening the NHS a few years down the line due to refusals to take blood tests in case the results are used against you? not only by the police, but insurance companies, employers, the media and of course drug pushers would *love* details of recovering heroin addicts, and I have not high hopes that they can be kept away from the data if a RIPA style authorization was all that was required for full access. From nbohm@ernest.net Wed, 06 Jun 2001 12:51:41 +0100 Date: Wed, 06 Jun 2001 12:51:41 +0100 From: Nicholas Bohm nbohm@ernest.net Subject: PGP anniversary I got the following from a US list, dated 5th June .............................................................................. Today marks the 10th anniversary of the release of PGP 1.0. It was on this day in 1991 that I sent the first release of PGP to a couple of my friends for uploading to the Internet. First, I sent it to Allan Hoeltje, who posted it to Peacenet, an ISP that specialized in grassroots political organizations, mainly in the peace movement. Peacenet was accessible to political activists all over the world. Then, I uploaded it to Kelly Goen, who proceeded to upload it to a Usenet newsgroup that specialized in distributing source code. At my request, he marked the Usenet posting as "US only". Kelly also uploaded it to many BBS systems around the country. I don't recall if the postings to the Internet began on June 5th or 6th. It may be surprising to some that back in 1991, I did not yet know enough about Usenet newsgroups to realize that a "US only" tag was merely an advisory tag that had little real effect on how Usenet propagated newsgroup postings. I thought it actually controlled how Usenet routed the posting. But back then, I had no clue how to post anything on a newsgroup, and didn't even have a clear idea what a newsgroup was. It was a hard road to get to the release of PGP. I missed five mortgage payments developing the software in the first half of 1991. To add to the stress, a week before PGP's first release, I discovered the existence of another email encryption standard called Privacy Enhanced Mail (PEM), which was backed by several big companies, as well as RSA Data Security. I didn't like PEM's design, for several reasons. PEM used 56-bit DES to encrypt messages, which I did not regards as strong cryptography. Also, PEM absolutely required every message to be signed, and revealed the signature outside the encryption envelope, so that the message did not have to be decrypted to reveal who signed it. Nonetheless, I was distressed to learn of the existence of PEM only one week before PGP's release. How could I be so out of touch to fail to notice something as important as PEM? I guess I just had my head down too long, writing code. I fully expected PEM to crush PGP, and even briefly considered not releasing PGP, since it might be futile in the face of PEM and its powerful backers. But I decided to press ahead, since I had come this far already, and besides, I knew that my design was better aligned with protecting the privacy of users. After releasing PGP, I immediately diverted my attention back to consulting work, to try to get caught up on my mortgage payments. I thought I could just release PGP 1.0 for MSDOS, and leave it alone for awhile, and let people play with it. I thought I could get back to it later, at my leisure. Little did I realize what a feeding frenzy PGP would set off. Apparently, there was a lot of pent-up demand for a tool like this. Volunteers from around the world were clamoring to help me port it to other platforms, add enhancements, and generally promote it. I did have to go back to work on paying gigs, but PGP continued to demand my time, pulled along by public enthusiasm. I assembled a team of volunteer engineers from around the world. They ported PGP to almost every platform (except for the Mac, which turned out to be harder). They translated PGP into foreign languages. And I started designing the PGP trust model, which I did not have time to finish in the first release. Fifteen months later, in September 1992, we released PGP 2.0, for MSDOS, several flavors of Unix, Commodore Amiga, Atari, and maybe a few other platforms, and in about ten foreign languages. PGP 2.0 had the now-famous PGP trust model, essentially in its present form. It was shortly after PGP 2.0's release that US Customs took an interest in the case. Little did they realize that they would help propel PGP's popularity, helping to ignite a controversy that would eventually lead to the demise of the US export restrictions on strong cryptography. Today, PGP remains just about the only way anyone encrypts their email. And now there are a dozen companies developing products that use the OpenPGP standard, all members of the OpenPGP Alliance, at http://www.openpgp.org. What a decade it has been. - -Philip Zimmermann 5 June 2001 Burlingame, California http://www.philzimmermann.com From David_Biggins@usermgmt.com Wed, 6 Jun 2001 13:10:33 +0100 Date: Wed, 6 Jun 2001 13:10:33 +0100 From: David_Biggins@usermgmt.com David_Biggins@usermgmt.com Subject: Wired: Say Ahh, Then Remain Silent > -----Original Message----- > From: David Howe [mailto:DHowe@Hawkswing.demon.co.uk] > Sent: Wednesday, June 06, 2001 12:49 > To: ukcrypto@chiark.greenend.org.uk > Subject: Re: Wired: Say Ahh, Then Remain Silent > > I > have not high hopes that they can be kept away from the data > if a RIPA style > authorization was all that was required for full access. > As the legislation is framed, and given IANAL, it looks to me as if the SOS could release the data directly to the PNC if he chose ("the public interest"), meaning that the police would be able to check it with no SPECIFIC authorisation at all! From DHowe@Hawkswing.demon.co.uk Wed, 6 Jun 2001 13:49:26 +0100 Date: Wed, 6 Jun 2001 13:49:26 +0100 From: David Howe DHowe@Hawkswing.demon.co.uk Subject: Wired: Say Ahh, Then Remain Silent > As the legislation is framed, and given IANAL, it looks to me as if > the SOS could release the data directly to the PNC if he chose ("the > public interest"), meaning that the police would be able to check it > with no SPECIFIC authorisation at all! Indeed - but I would give good odds that the SOS would require SOME paperwork - just to cover his own backside when (for example) the Sun gets a full list of school teachers who have requested an Aids test in the last five years "Children at AIDS risk shocker!! exclusive!!" From David_Biggins@usermgmt.com Wed, 6 Jun 2001 14:04:43 +0100 Date: Wed, 6 Jun 2001 14:04:43 +0100 From: David_Biggins@usermgmt.com David_Biggins@usermgmt.com Subject: Wired: Say Ahh, Then Remain Silent Doubt it - we're referring to the SOS for HEALTH here in framing the regs. He could quite easily duck such subsequent accidents as "faulty procedures/failure of communication between Health Dept and Police/Someone Else's Problem". ## dave ## > -----Original Message----- > From: David Howe [mailto:DHowe@Hawkswing.demon.co.uk] > Sent: Wednesday, June 06, 2001 01:49 > To: ukcrypto@chiark.greenend.org.uk > Subject: Re: Wired: Say Ahh, Then Remain Silent > > > > As the legislation is framed, and given IANAL, it looks > to me as if > > the SOS could release the data directly to the PNC if he > chose ("the > > public interest"), meaning that the police would be able > to check it > > with no SPECIFIC authorisation at all! > Indeed - but I would give good odds that the SOS would require SOME > paperwork - just to cover his own backside when (for example) > the Sun gets a > full list of school teachers who have requested an Aids test > in the last > five years "Children at AIDS risk shocker!! exclusive!!" > > > From DHowe@Hawkswing.demon.co.uk Wed, 6 Jun 2001 14:28:29 +0100 Date: Wed, 6 Jun 2001 14:28:29 +0100 From: David Howe DHowe@Hawkswing.demon.co.uk Subject: Wired: Say Ahh, Then Remain Silent > Doubt it - we're referring to the SOS for HEALTH here in framing the > regs. > He could quite easily duck such subsequent accidents as "faulty > procedures/failure of communication between Health Dept and > Police/Someone Else's Problem". Yep. But what odds would you give that he (or at least his officials who are more likely to be offered up as scapegoats) will try to cover their butts by paperwork? From D.M.Steer@lse.ac.uk 06 Jun 2001 12:55:28 +0100 Date: 06 Jun 2001 12:55:28 +0100 From: Damian Steer D.M.Steer@lse.ac.uk Subject: Protest to Highlight Keith Henson case in London Sat 9/6/01 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Apologies for this shameless plug. I guess some of you will be interested, given the 'unhappy' relationship between Scientology and the internet. Details of protest and case follow. Please feel free to come along and support Keith - and to meet and chat ;-) Damian Steer _details_ On Saturday 9th June, at 1pm, a protest will take place outside the Canadian High Commission in Grosvenor Square, London, to highlight the case of Keith Henson. (details of protest follow below) Keith Henson is a campaigner against the Church of Scientology, a controversial religion which has used agressive tactics to silence critics - including internet-based criticism. Since 1996 Henson has been on of their targets. This has recently resulted in the following situation: (Taken from ) "On 26 Apr 2001, Keith Henson was convicted of "interfering with a religion", a misdemeanor under California law, for picketing outside Scientology's heavily-armed, razor-wire enclosed base outside Hemet, CA [USA]" "At trial, the judge threw out all Henson's witnesses, disallowed any testimony about his reasons for picketing the cult, and allowed the prosecution to present excerpts from Henson's Internet postings out of context; the Scientology witnesses also committed perjury which Henson was unable to rebut." In mid-May Henson went to Canada to see a fellow critic and picket there. He was away for his sentencing on 16th May, since he said his lawyer had said that it would be postponed for various reasons. Unfortunately it did go ahead and a 'no-bail' warrant was put out for him - apparently unusual for a misdemeanor charge. Keith was applying for asylum in Canada but was arrested for failing to declare that he was a fugitive on entering the country (although is is debatable whether he was at the time). He is currently in a maximum security jail in Canada. (also from the above web page) "Henson is seeking political refugee status in Canada in order to force the US government to look into the criminal conspiracy between the Hemet District Attorney's office and the Scientlogy cult to deprive him of his civil rights." Links: ( might be more up-to-date due to technical problems) (general information about Scientology) | | Selfridges ______________| |______________________ ______________ _______________________Oxford Street o | | o Marble Arch | | Bond Street Tube Tube o| |<-North Audley Street Marlborough| | Head Pub | | | | _| |_ Grosvenor Square (site of Canadian High Commission) Meet: Marlborough Head, 24 North Audley Street, London. 12 noon, Saturday 9th June Protest: Canadian High Commission, Grosvenor Square, London. 1-4pm. - -- Key fingerprint = 30F0 FB16 DA72 D8F2 DA3D B3D4 0322 C207 E993 B729 rw-rw-rw- the permissions of the Beast -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.5 (GNU/Linux) Comment: Processed by Mailcrypt 3.5.5 and Gnu Privacy Guard iD8DBQE7HhotAyLCB+mTtykRAkKZAJ4kJxgFc8zlP1UDqcamleSTcXz+8ACdFhde QOdoYVRenmwYQYIO/M8n6X0= =iOZD -----END PGP SIGNATURE----- From Pete.Chown@skygate.co.uk Wed, 6 Jun 2001 14:42:49 +0100 Date: Wed, 6 Jun 2001 14:42:49 +0100 From: Pete Chown Pete.Chown@skygate.co.uk Subject: Wired: MS Monopolizes UK Govt Site Adrian Midgley wrote: > I am distinctly pissed off at Opera being blocked... That ukonline site is complete rubbish; open.gov.uk was far and away better. I wasn't blocked but I just got this: | General Error | | The page you requested is not valid. Please try again or go back to | the Home Page. Of course it was the home page I was trying to get to, so being advised to go back there isn't a lot of help. For some reason the thing that is supposed to take you back to the home page isn't a link. Neither is the "Report a problem" one but that's probably lucky for them. -- Pete From David_Biggins@usermgmt.com Wed, 6 Jun 2001 15:20:16 +0100 Date: Wed, 6 Jun 2001 15:20:16 +0100 From: David_Biggins@usermgmt.com David_Biggins@usermgmt.com Subject: Wired: Say Ahh, Then Remain Silent Dunno - depends whether the "plausible deniability" of not doing so is more attractive... > -----Original Message----- > From: David Howe [mailto:DHowe@Hawkswing.demon.co.uk] > Sent: Wednesday, June 06, 2001 02:28 > To: ukcrypto@chiark.greenend.org.uk > Subject: Re: Wired: Say Ahh, Then Remain Silent > > > > Doubt it - we're referring to the SOS for HEALTH here in framing the > > regs. > > He could quite easily duck such subsequent accidents as "faulty > > procedures/failure of communication between Health Dept and > > Police/Someone Else's Problem". > Yep. But what odds would you give that he (or at least his > officials who are > more likely to be offered up as scapegoats) will try to cover > their butts by > paperwork? From owen.blacker@wheel.co.uk Wed, 6 Jun 2001 15:50:32 +0100 Date: Wed, 6 Jun 2001 15:50:32 +0100 From: Owen Blacker owen.blacker@wheel.co.uk Subject: FW: London Metro: Mobile dials into top-level security -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Forwarded unedited (except by PGP :o) > -----Original Message----- > From: anthony.naggs@atrial.com [mailto:anthony.naggs@atrial.com] > Sent: Wednesday, June 06, 2001 3:41 PM > To: Owen Blacker > Subject: Re: London Metro: Mobile dials into top-level security > > > Hi Owen > > For some reason I haven't been able to fathom (1) my postings to > UKcrypto keep bouncing and (2) I am getting more posting to my > home Demon account han I am here. Please feel free to forward to > the list ... > > On 6 Jun 2001, at 10:09, Owen Blacker wrote: > > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > This looks like it's been directly retyped from a press release but, > > fwiw: > > > > | A new mobile phone is promising military-grade privacy for its users. > > | > > | > > | The TopSec handset is intended for executives who need to discuss > > | confidential business matters on the move. The GBP 2 000 device is > > | the first consumer phone with such a high level of encryption, > > | according to security experts. > > The Silicon.com version of the story you posted claims that GSM > doesn't work in the USA, which ist exactly rue. GSM 1900 has > fairly reasonable coverage, though I think they US refer to this > system as "PCS". > > The Siemens S35i mentioned in the Metro article is only a dual > band, 900 & 1800 Mhz, system but the similar triple band S40 > works with the GSM 1900 / PCS network. Maybe R&S have a S40 > based version too? > > Cheers, Tony -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! iQA/AwUBOx5CtVVeQSYAA2h0EQKuvgCg/VggNJI+eWCxqus/7WQcFcxNBAQAoNG8 9Oa9/SnPFEzl2pKlDywARbZu =HoXW -----END PGP SIGNATURE----- _____________________________________________________________________ This message has been checked for all known viruses by UUNET delivered through the MessageLabs Virus Control Centre. For further information visit http://www.uk.uu.net/products/security/virus/ From pete@dmed.demon.co.uk Wed, 06 Jun 2001 15:46:42 +0100 Date: Wed, 06 Jun 2001 15:46:42 +0100 From: Pete Mitchell pete@dmed.demon.co.uk Subject: Wired: Say Ahh, Then Remain Silent David_Biggins@usermgmt.com wrote: > > > -----Original Message----- > > From: David Howe [mailto:DHowe@Hawkswing.demon.co.uk] > > Sent: Wednesday, June 06, 2001 12:49 > > To: ukcrypto@chiark.greenend.org.uk > > Subject: Re: Wired: Say Ahh, Then Remain Silent > > > > I > > have not high hopes that they can be kept away from the data > > if a RIPA style > > authorization was all that was required for full access. > > > > As the legislation is framed, and given IANAL, it looks to me as if > the SOS could release the data directly to the PNC if he chose ("the > public interest"), meaning that the police would be able to check it > with no SPECIFIC authorisation at all! Agreed, the legislation (H&SC Act 2001 Section 60) is fearsome: except that it makes little sense in the form on which it appears on the hmso website http://www.hmso.gov.uk/acts.htm Subsection (3) sets out restrictions to the kind of regulations that the SoS can make under subsection (3). However subsection (3) itself does not provide for the making of any regulations. I think they really meant subsections 1 and 2. Meanwhile subsection 6 refers to provisions made under subsection 4(c). There *is* no subsection 4(c). Or have the HMSO put up an old and uncorrected version on their website? -- pete mitchell From peter.fairbrother@ntlworld.com Thu, 07 Jun 2001 01:34:59 +0100 Date: Thu, 07 Jun 2001 01:34:59 +0100 From: Peter Fairbrother peter.fairbrother@ntlworld.com Subject: Wired: Say Ahh, Then Remain Silent > Pete Mitchell at pete@dmed.demon.co.uk wrote: > Subsection (3) sets out restrictions to the kind of regulations that the > SoS can make under subsection (3). However subsection (3) itself does > not provide for the making of any regulations. I think they really meant > subsections 1 and 2. > > Meanwhile subsection 6 refers to provisions made under subsection 4(c). > There *is* no subsection 4(c). > > Or have the HMSO put up an old and uncorrected version on their website? > > -- pete mitchell Went looking. It's a humoungous 5.9 Meg pdf. WTF? Didn't bother checking it out. It is said to appear "as originally passed by the UK Parliament". It doesn't say which Hole. I thought the official text of Acts was the text signed by the Queen, and that Bills become Acts at that point. Or is that when Acts become Law? Or am I totally wrong? BTW, Don't forget to vote! Hmmm. What if they held an election and nobody came? Nah, I bet Blair votes for himself. On TV. They shouldn't let people do that. -- Peter From pete@dmed.demon.co.uk Thu, 07 Jun 2001 07:10:52 +0100 Date: Thu, 07 Jun 2001 07:10:52 +0100 From: Pete Mitchell pete@dmed.demon.co.uk Subject: Wired: Say Ahh, Then Remain Silent Peter Fairbrother wrote: > > > Pete Mitchell at pete@dmed.demon.co.uk wrote: > > > Subsection (3) sets out restrictions to the kind of regulations that the > > SoS can make under subsection (3). However subsection (3) itself does > > not provide for the making of any regulations. I think they really meant > > subsections 1 and 2. > > > > Meanwhile subsection 6 refers to provisions made under subsection 4(c). > > There *is* no subsection 4(c). > > > > Or have the HMSO put up an old and uncorrected version on their website? > > > > -- pete mitchell > > Went looking. It's a humoungous 5.9 Meg pdf. WTF? Didn't bother checking it > out. > I know. I have complained to them that it's not up in HTML. I suppose we should think ourselves lucky that it's not in Microsoft PowerPoint format. I would paste it up here, but unfortunately for some reason my Acrobat Reader doesn't let you clipboard from this particular document. -- pete mitchell From akm@92tr.freeserve.co.uk Thu, 7 Jun 2001 01:46:58 +0100 Date: Thu, 7 Jun 2001 01:46:58 +0100 From: Adrian Midgley akm@92tr.freeserve.co.uk Subject: Wired: Say Ahh, Then Remain Silent From: David_Biggins@usermgmt.com >I have been warning for some time that provisions of the Health & Social >Services Bill make such things inevitable in the UK - indeed worse. Only while the NHS endures. 86% of GPs are not confident that it _should_ now. So, one benefit to patients of the post-deluge health service will be that the SoS doesn't own or have access to their subsequent GP records under that bill. Perhaps he'll take it under RIPA. -- Midgley, A From akm@92tr.freeserve.co.uk Thu, 7 Jun 2001 01:38:00 +0100 Date: Thu, 7 Jun 2001 01:38:00 +0100 From: Adrian Midgley akm@92tr.freeserve.co.uk Subject: Wired: MS Monopolizes UK Govt Site From: T Bruce Tober >Considering how total rubbish Opera is at this point (v5.11 and even >5.02), I almost can't blame them. It's constantly crashing my system so >a hard reboot is needed. Odd. Not my experience on NT or on Linux or on W95. O5 has crashed a few times - not many - but never harmed the OS. Your machine is probably subtly broken. On topic, Opera implements TLS rather than just SSL and claims to be advanced in security thereby. I like some of the cookie handling features but don't use them, IYSWIM, but does anyone have any thoughts on its crypto aspects? From owen.blacker@wheel.co.uk Thu, 7 Jun 2001 09:52:35 +0100 Date: Thu, 7 Jun 2001 09:52:35 +0100 From: Owen Blacker owen.blacker@wheel.co.uk Subject: : Silicon.com: Europe brings the Net police one cyberstep closer -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > HEADLINE: Europe brings the Net police one cyberstep closer > PUBLISHED: 1:15pm on Wednesday 6th June 2001 > CHANNEL: ISPs > AUTHOR: Suzanna Kerridge > STORY: http://www.silicon.com/a44895 > > TEXT OF STORY FOLLOWS: > > Hang on to your emails, the spooks are angling for evidence... > > The Council of Europe has released the 27th and final version > of its highly controversial cybercrime treaty. > > The treaty, dismissed in the past as unworkable by many > leading IT figures, sets out legislation to crack down on > internet crime, fraud and child pornography, and gives > greater powers to law enforcement agencies to patrol the internet. > > Mike Pullen, leading EU lawyer at London law firm DLA, said: > "In the UK, a lot of the laws already apply in some form [to > the Internet] but a lot of prosecutions are prevented from > getting a conviction because the traditional law does not go > far enough in terms of computer related fraud." > > Madeleine Abas, the lawyer famous for defending MI6 internet > names publisher Richard Thomlinson, agreed. "It is difficult, > if not impossible, to secure a conviction because the > criminal is one step ahead by committing the act through > technical means," she claimed. > > Under the treaty, law enforcement agencies will be able to > place 90-day preservation orders on ISPs to retain data for > inspection during criminal proceedings. > > Furthermore, confidentiality clauses will prevent the service > provider from disclosing the existence of a preservation > order as it might impede a criminal investigation. > > The Council of Europe represents 43 European countries. The > US State Department and the Department of Justice were both > involved in the drafting of the treaty. > > Pullen disputed allegations that the treaty will damage the > European ecommerce market, claiming it is led by the need for > law enforcement. > > "There is nothing draconian about this treaty," he said. "A > lot of the offences mentioned are probably already > established in law but lawyers have difficulty proving them. > This legislation closes a lot of loopholes by setting a > common standard." > > The Council of Europe will now pass the convention on to its > member countries, offering the recommendations for formal adoption. > > If you have an opinion on this, or any other story on > silicon.com, why not share it with other users by posting a > reader comment in the forum below. > > For related news, see: > Fighting Fraud: How far we've come (Part II) > http://www.silicon.com/a44225 > Fighting Fraud: How far we've come (Part I) > http://www.silicon.com/a44177 > 'Shunned' industry scuppers European cybercrime treaty > http://www.silicon.com/a43678 > > > STORY ENDS > > For more information on silicon.com go to http://www.silicon.com. > > silicon.com - the who, what, when, where and why of ebusiness -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! iQA+AwUBOx9AUVVeQSYAA2h0EQLyuQCY7DczTptDSWRGw+Fm9ZHGNe/LEQCeKRcu 8azrvm4WZOHFtxFudPa4NiE= =TSEQ -----END PGP SIGNATURE----- _____________________________________________________________________ This message has been checked for all known viruses by UUNET delivered through the MessageLabs Virus Control Centre. For further information visit http://www.uk.uu.net/products/security/virus/ From owen.blacker@wheel.co.uk Thu, 7 Jun 2001 10:13:37 +0100 Date: Thu, 7 Jun 2001 10:13:37 +0100 From: Owen Blacker owen.blacker@wheel.co.uk Subject: Wired: Code-Breakers go to Court -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://www.wired.com/news/mp3/0,1285,44344,00.html | Code-Breakers Go to Court | By Declan McCullagh | 10:25 a.m. June 6, 2001 PDT | | | WASHINGTON -- After a team of academics who broke a music-watermarking | scheme bowed to legal threats from the recording industry and chose not | to publish their research in April, they vowed to "fight another day, in | another way." | | On Wednesday, Ed Felten of Princeton University and seven other | researchers took their fight to a New Jersey federal court in a lawsuit | asking that they be | permitted to disclose their work at a security conference this summer. | | Joining them is the Usenix Association , a | 26-year-old professional organization that has accepted Felten's paper | for its 10th security symposium in | Washington during the week of Aug. 13. The Electronic Frontier Foundation | of San Francisco is representing the researchers | and Usenix. | | In the first legal challenge to the Digital Millennium Copyright Act's | criminal sections | , | Usenix is asking the court to block the Justice Department from | prosecuting the conference organizers for allowing the paper to be | presented. For certain "commercial" activities, the law promises fines of | up to $500,000 and a prison term of five years. | | "Studying digital access technologies and publishing the research for our | colleagues are both fundamental to the progress of science and academic | freedom," said Felten , an | associate professor of computer science. "The recording industry's | interpretation of the DMCA would make scientific progress on this | important topic illegal." | | "It became evident that litigation was the only step we could take," | Felten said during a conference call Wednesday afternoon. | | This case pits academics and civil libertarians against the recording | industry, which believes that without the DMCA, piracy will thrive | online, recording artists will no longer be compensated for their work | and America's economy will eventually suffer. EFF currently is fighting | eight movie studios in another suit challenging the DMCA that is | currently before the Second Circuit Court of Appeals. | | "When scientists are intimidated from publishing their work, there is a | clear First Amendment problem," says EFF legal director Cindy Cohn. "We | have long argued that unless properly limited, the anti-distribution | provisions of the DMCA would interfere with science. Now they plainly | have." | | The lawsuit, filed Wednesday, names the Recording Industry Association of | America , the Secure Digital Music Initiative | Foundation , Attorney General John Ashcroft and | watermarking company Verance as defendants. | | In April, the industry groups told Felten and his co-authors that the | planned publication of their work at the Information Hiding Workshop | violated the DMCA, and after a remarkable amount of confusion, the | researchers abandoned their plans to discuss their successful attempts to | remove Verance's watermark from a digital music file. | | After the conference was over, however, SDMI said | it "does not -- nor did it ever -- | intend to bring any legal action" against Felten. RIAA stressed at the | time that its member companies are strong believers in free speech. | | That's not good enough, says EFF's Cohn. She said EFF decided not to | enter into negotiations with the industry groups to obtain a promise of | no lawsuits since her clients don't want to be in a position of obtaining | approval from corporations before they publish research. | | "They need to pledge to stop interfering with the scientific process," | Cohn said. We're not going to play a game -- it's not appropriate for | scientists to have to ask the industry before they publish each paper." | | Last year, SDMI organized a | challenge to the cryptologic community offering a prize up to $10,000 to | anyone who "can remove the watermark or defeat the other technology on | our proposed copyright protection system." | | Felten and his colleagues, including Bede Liu, Scott Craver and Dan | Wallach, wrote a paper describing their attack on the watermarks. | | They're asking for declaratory judgment | , which allows a court to weigh | in on concrete disputes where constitutional rights are at stake that | have not yet led to a lawsuit. | | One plaintiff, Min Wu, is asking for a declaratory judgment that would | allow her to publish her complete thesis, titled "Multimedia Data | Hiding." Currently her thesis | is online, | but it's missing Chapter 10, which describes her work on the SDMI | contest. | | The DMCA makes it illegal to distribute any technology that "is primarily | designed or produced for the purpose of circumventing a technological | measure" and also prohibits the "the intentional removal or alteration of | copyright management information" such as watermarks. | | Copyright © 1994-2001 Wired Digital Inc. All rights reserved. | | | [ends] - -- Owen Blacker Senior Software Developer / InfoSec Consultant Wheel: Clerkenwell See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys Sig 0x00036874 | d39f b776 fa20 c125 b0e2 aa6d 555e 4126 0003 6874 -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! iQA/AwUBOx9FPlVeQSYAA2h0EQLMbACfeo/XQRgqtBfmsODGpbSjKHiER94AnjDu 2FD12BufFXOvXtG2kaHJ6uvh =mp3x -----END PGP SIGNATURE----- _____________________________________________________________________ This message has been checked for all known viruses by UUNET delivered through the MessageLabs Virus Control Centre. For further information visit http://www.uk.uu.net/products/security/virus/ From peter.fairbrother@ntlworld.com Thu, 07 Jun 2001 11:13:20 +0100 Date: Thu, 07 Jun 2001 11:13:20 +0100 From: Peter Fairbrother peter.fairbrother@ntlworld.com Subject: Wired: Say Ahh, Then Remain Silent > Pete Mitchell at pete@dmed.demon.co.uk wrote: >> Peter Fairbrother wrote: >>> Pete Mitchell at pete@dmed.demon.co.uk wrote: >>> Or have the HMSO put up an old and uncorrected version on their website? >>> >> Went looking. It's a humoungous 5.9 Meg pdf. WTF? Didn't bother checking it >> out. > > I know. I have complained to them that it's not up in HTML. HTML smahchtml. I have a pdf of the Private Security Industry Bill, it's 34 pages long and 300k. A guide to Parliament, 16 pages, 44k. Is this Act 670, or even 2150, pages long? Or is it just computer illiterates in HMSO? > I suppose we should think ourselves lucky that it's not in Microsoft > PowerPoint format. > > I would paste it up here, but unfortunately for some reason my Acrobat > Reader doesn't let you clipboard from this particular document. That's because it's in a (lousy, illegible) graphics format. It's pictures of pages rather than formatted text (pdf's can be either). I wonder why? Any modern format used for printing would have been generated from computer text. Or, the (texty) pdf version of the Bill used by Parliament should be correct, except for amendments. Perhaps, for some arcane reason, HMSO still typecut Acts by hand, print them on a dwindling supply of paper secretly made in 1746 from Spanish Armada wreckage calendered with Cromwell's bones, in ink made from oak galls, ground newt, stale pig urine, the cut-off raven feathers from the Tower, and a drop of the Queen's blood, with a dead rat for flavour, and they don't actually _have_ a computer text version. HMSO say that the definitive form of the Act is the printed version. Me, I thought it was the version the Queen signed. Any lawyers on the list know? HMSO don't seem to have heard of OCR. Should be easy enough, they only use one set of fonts and one form. Gimme for 'ware and half a day's pay, I'd set up a system the work experience girl could use. -- Peter From I.Brown@cs.ucl.ac.uk Thu, 07 Jun 2001 11:14:21 +0100 Date: Thu, 07 Jun 2001 11:14:21 +0100 From: Ian BROWN I.Brown@cs.ucl.ac.uk Subject: Wired: Say Ahh, Then Remain Silent >So, one benefit to patients of the post-deluge health service will be >that the SoS doesn't own or have access to their subsequent GP records >under that bill. Unfortunately, private medicine is no refuge from the H&SCB -- it gives the govt. powers over that too :( Otherwise the dear medical researchers might have the validity of their statistics compromised (much more important than the validity of the doctor-patient relationship). -- "The media has characterized `1A vs. privacy' as a novel issue. The press gave birth to the latter in the pursuit of the former." --Aimee E. Farr From nbohm@ernest.net Thu, 07 Jun 2001 12:27:51 +0100 Date: Thu, 07 Jun 2001 12:27:51 +0100 From: Nicholas Bohm nbohm@ernest.net Subject: Wired: Say Ahh, Then Remain Silent At 11:13 07/06/2001 +0100, Peter Fairbrother wrote: >> Pete Mitchell at pete@dmed.demon.co.uk wrote: >>> Peter Fairbrother wrote: >>>> Pete Mitchell at pete@dmed.demon.co.uk wrote: > >>>> Or have the HMSO put up an old and uncorrected version on their website? >>>> >>> Went looking. It's a humoungous 5.9 Meg pdf. WTF? Didn't bother checking it >>> out. >> >> I know. I have complained to them that it's not up in HTML. > >HTML smahchtml. I have a pdf of the Private Security Industry Bill, it's 34 >pages long and 300k. A guide to Parliament, 16 pages, 44k. Is this Act 670, >or even 2150, pages long? Or is it just computer illiterates in HMSO? > >> I suppose we should think ourselves lucky that it's not in Microsoft >> PowerPoint format. >> >> I would paste it up here, but unfortunately for some reason my Acrobat >> Reader doesn't let you clipboard from this particular document. > >That's because it's in a (lousy, illegible) graphics format. It's pictures >of pages rather than formatted text (pdf's can be either). I wonder why? Any >modern format used for printing would have been generated from computer >text. Or, the (texty) pdf version of the Bill used by Parliament should be >correct, except for amendments. During a Bill's progress, amendments are tabled by reference to page and line numbers, which means they are not intelligible to someone reading an ordinary html version. Why the pdf version has to be of a graphic image to achieve this purpose I don't know. Presumably the final version is first available in the same format, and later converted to html. [snip] >HMSO say that the definitive form of the Act is the printed version. Me, I >thought it was the version the Queen signed. Any lawyers on the list know? The Queen doesn't personally sign Bills these days (nor for a long time): her assent is signified by Commissioners on her behalf. I think they just nod when the title of the Bill is announced to them as having passed both Houses. It is from that moment an Act, having been "made" by the Queen in Parliament. It comes into force in accordance with whatever provisions it contains for its coming into force (often different bits on different days according to statutory instruments). If silent it comes into force by default after the expiry of a period, I think one month, from being made. The definitive text is the one contained in what is called the Queen's Printer's copy, and issued by the now privatised former HMSO. Following the ECA, thought is being given to the use of electronic records in evidence, and no doubt to the interesting question of whose key should authenticate Acts of Parliament. See details at http://www.e-envoy.gov.uk/publications/guidelines/ecomms/table.htm In particular: Documentary Evidence Acts 1868 to 1895 Proposed to amend the current provision that the official version of legislation is that printed under the authority of the Queen’s Printer, so as to make the Official Legislation website version acceptable. Statutory Instruments Act 1946 and associated Regulations Proposed to amend provisions about the admissibility in evidence of printed issue lists, and also how Departments transmit SIs to HMSO after being made. Currently they have to be sent with signed certificates but electronic alternatives to this procedure are being considered. Regards Nicholas Salkyns, Great Canfield, Takeley, Bishop’s Stortford CM22 6SX, UK Phone 01279 871272 (+44 1279 871272) Fax 01279 870215 (+44 1279 870215) Mobile 07715 419728 (+44 7715 419728) PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07 PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF From ben@algroup.co.uk Thu, 07 Jun 2001 16:20:01 +0100 Date: Thu, 07 Jun 2001 16:20:01 +0100 From: Ben Laurie ben@algroup.co.uk Subject: Wired: MS Monopolizes UK Govt Site Adrian Midgley wrote: > On topic, Opera implements TLS rather than just SSL and claims to be > advanced in security thereby. Compared to what? Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff From benmeg@benmeg.com Thu, 07 Jun 2001 16:34:28 +0100 Date: Thu, 07 Jun 2001 16:34:28 +0100 From: Ben Meghreblian benmeg@benmeg.com Subject: Wired: Code-Breakers go to Court >| The DMCA makes it illegal to distribute any technology that "is primarily >| designed or produced for the purpose of circumventing a technological >| measure" and also prohibits the "the intentional removal or alteration of >| copyright management information" such as watermarks. >| Slightly OT, but one exception to this rule is that of dongles, as stated here: http://cryptome.org/dmca102700.txt I expect you guys heard about this at the time, but it's interesting to note that quite a few companies have now sprung up, offering this, now legal, 'service'. Cheers, Ben http://benmeg.com Home 020 8892 8744 PGP: 5950 6447 2FB2 3314 F57D 82B2 7EF8 B51A 2DE5 5E08 This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. From oml@eloka.demon.co.uk Thu, 7 Jun 2001 18:07:06 +0100 Date: Thu, 7 Jun 2001 18:07:06 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: Silent Runner I took a presentation today on a network investigation and traffic trawling system called 'Silent Runner'. This is claimed several orders better than Carnivore. If it lives up to the demonstration, this is unlikely to be an exaggeration. Since investigative tools of this type have little bearing on crypto (except to identify groups who communicate in cipher), I'd welcome off list any comment or opinion from those who have any firsthand experience of or information on this system. Owen > > From akm@92tr.freeserve.co.uk Thu, 7 Jun 2001 21:29:55 +0100 Date: Thu, 7 Jun 2001 21:29:55 +0100 From: Adrian Midgley akm@92tr.freeserve.co.uk Subject: Wired: MS Monopolizes UK Govt Site From: Ben Laurie >> On topic, Opera implements TLS rather than just SSL and claims to be >> advanced in security thereby. > >Compared to what? Wet string and tin cans? IE and Netscape I suppose. The main claim that Opera have always made is that they stick to the standards more closely than the bigger two. From ben@algroup.co.uk Fri, 08 Jun 2001 11:11:04 +0100 Date: Fri, 08 Jun 2001 11:11:04 +0100 From: Ben Laurie ben@algroup.co.uk Subject: Wired: MS Monopolizes UK Govt Site Adrian Midgley wrote: > > From: Ben Laurie > >> On topic, Opera implements TLS rather than just SSL and claims to > be > >> advanced in security thereby. > > > >Compared to what? > > Wet string and tin cans? > IE and Netscape I suppose. The main claim that Opera have always made > is that they stick to the standards more closely than the bigger two. I confess I don't know whether TLS is implemented by Netscape/IE - but given that the TLS effort was started by those two companies, it would surprise me if not. Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff From kelm@secorvo.de Fri, 8 Jun 2001 10:45:28 +0200 Date: Fri, 8 Jun 2001 10:45:28 +0200 From: Stefan Kelm kelm@secorvo.de Subject: (Fwd) Communication from the Commission on "Network and Information Security" The Europen Commission started to work on a European Policy for IT security. A first draft is available at: http://europa.eu.int/eur-lex/en/com/cnc/cnc_month2001_06_en.html http://europa.eu.int/eur-lex/en/com/cnc/2001/com2001_0298en01.pdf Cheers, Stefan. ------- Forwarded message follows ------- From: claude boulle [mailto:c.boulle@FRLV.BULL.FR] Sent: Wednesday, June 06, 2001 21:21 To: EESSI@LIST.ETSI.FR Subject: Communication from the Commission on "Network and Information Security" Date : 06/06/01 Message reference : CB 01/ 363 Dear Colleagues, For your information you will find attached copy of the Communication from the Commission titled "Network and Information Security: proposal for a European Policy Approach". This communication was announced by Anne Lehouck during the last ad-hoc SG. Useful link : "Commission boosts security on the Internet" Best regards --------------------------------------------------------------------- | Claude Boulle | Tel : +33 1 3966 6676 | | Groupe Bull - European Affairs | Fax : +33 1 3966 6336 | | | Mobile : +33 6 8024 1237 | | 68, route de Versailles - 78434 Louveciennes CEDEX - FRANCE | | E-mail c.boulle@frlv.bull.fr | --------------------------------------------------------------------- ------- End of forwarded message ------- ------------------------------------------------------- Dipl.-Inform. Stefan Kelm Security Consultant Secorvo Security Consulting GmbH Albert-Nestler-Strasse 9, D-76131 Karlsruhe Tel. +49 721 6105-461, Fax +49 721 6105-455 E-Mail kelm@secorvo.de, http://www.secorvo.de ------------------------------------------------------- PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B From phil@headstar.com Fri, 8 Jun 2001 16:51:06 +0100 Date: Fri, 8 Jun 2001 16:51:06 +0100 From: Phil Cain phil@headstar.com Subject: MoD STRIKES PRETTY GOOD DEAL >From the E-Government Bulletin. To subscribe send a blank email to egovbulletin-subscribe@headstar.com MoD STRIKES PRETTY GOOD DEAL By Phil Cain phil@headstar.com The UK's Ministry of Defence is "highly likely" to adopt 'Pretty Good Privacy' (PGP) email encryption for sending documents to external organisations securely over the Internet, E-Government Bulletin has learned. 'PGP HMG', as the system is known, is a customised version of PGP Security, a product developed by Network Associates (http://www.nai.com) based on an algorithm put into the public domain 10 years ago by Phillip Zimmerman. PGP became hugely popular and gained controversy when it was temporarily banned for export by the US military. "We are not talking about James Bond stuff here," said Ray Lepore of the software's UK distributor Connect Open Systems (http://www.cos.uk.com), explaining the system will be used only to send only 'restricted' items, the lowest security classification. The software became the first to gain official endorsement as a way to transmit restricted documents when it was approved in May by the Communications-Electronics Security Group (CE-SG) of the UK security services (http://www.cesg.gov.uk). Other government departments said to be thinking of taking up the software are the Scottish Health Service, the NHS and the Inland Revenue. Lepore said the adoption of PGP would result in a better and more secure flow of information between government departments and outside agencies. He added that it would also be cheaper than fax and traditional mail, the methods currently approved for restricted communications. From alastair@calliope.demon.co.uk Fri, 8 Jun 2001 21:22:20 +0100 Date: Fri, 8 Jun 2001 21:22:20 +0100 From: alastair alastair@calliope.demon.co.uk Subject: Wired: MS Monopolizes UK Govt Site On Fri, Jun 08, 2001 at 11:11:04AM +0100, Ben Laurie wrote: > > I confess I don't know whether TLS is implemented by Netscape/IE - but > given that the TLS effort was started by those two companies, it would > surprise me if not. Can't speak for IE or Netscape, but it seems to be in Mozilla now - at least there's a checkbox for 'enable TLS' in the security settings (alongside a substantial number of ciphers). Cheers, -- Alastair | alastair@calliope.demon.co.uk | http://www.calliope.demon.co.uk | PGP Key : A9DE69F8 ------------------------------------------------------------------- From nexus@patrol.i-way.co.uk Sat, 9 Jun 2001 01:01:50 +0100 Date: Sat, 9 Jun 2001 01:01:50 +0100 From: Nexus nexus@patrol.i-way.co.uk Subject: Wired: MS Monopolizes UK Govt Site In IE 5.5 there is support for TLS 1.0 but it is not enabled by default. Tools->Internet Options->Advanced in the security bit if you need to enable it. Netscape 6 also has TLS support from Tasks->Privacy & Security->Security Manager->Advanced->Modules->Options->Enable TLS. I think this is enabled by default. Nowt like buried configs ;-) Cheers, JJ ----- Original Message ----- From: "alastair" To: Sent: Friday, June 08, 2001 9:22 PM Subject: Re: Wired: MS Monopolizes UK Govt Site > On Fri, Jun 08, 2001 at 11:11:04AM +0100, Ben Laurie wrote: > > > > I confess I don't know whether TLS is implemented by Netscape/IE - but > > given that the TLS effort was started by those two companies, it would > > surprise me if not. > > Can't speak for IE or Netscape, but it seems to be in Mozilla now - at > least there's a checkbox for 'enable TLS' in the security settings > (alongside a substantial number of ciphers). > > Cheers, > > -- > Alastair | > alastair@calliope.demon.co.uk | > http://www.calliope.demon.co.uk | PGP Key : A9DE69F8 > ------------------------------------------------------------------- > > From danny@spesh.com Fri, 8 Jun 2001 14:12:01 -0700 Date: Fri, 8 Jun 2001 14:12:01 -0700 From: Danny O'Brien danny@spesh.com Subject: Protest to Highlight Keith Henson case in London Sat 9/6/01 --A6N2fC+uXW/VQSAv Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Wed, Jun 06, 2001 at 12:55:28PM +0100, Damian Steer wrote: > Apologies for this shameless plug. I guess some of you will be > interested, given the 'unhappy' relationship between Scientology and > the internet. Details of protest and case follow. Please feel free to > come along and support Keith - and to meet and chat ;-) > > Damian Steer I've just received this note from Karin Spaink . As she says, better change it from a protest to a celebration... d. --A6N2fC+uXW/VQSAv Content-Type: message/rfc822 Content-Disposition: inline Return-path: Date: Fri, 8 Jun 2001 22:27:10 +0200 From: Karin Spaink X-Mailer: The Bat! (v1.52) Personal Reply-To: Karin Spaink Organization: Marcab Inc. X-Priority: 2 (High) Message-ID: <831653875276.20010608222710@xs4all.nl> To: Hippies CC: "Danny O'Brien" Subject: Re: NTK now, 2001-06-08 (fwd) In-Reply-To: <200106081947.UAA05785@internation.co.uk> References: <200106081947.UAA05785@internation.co.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Keith was released a few hours ago. His application for refugeer status has been accepted. Decidiing about it will take at least two years, and meanwhile he can stay in Canada. A press release will be out within the hour; check http://www.operatingthetan.com/ for news and updates In other words: call off the demo, or turn it into a thank-you festival. Danny - whoever you are - will yopu please forward my message to this ntknow list? --A6N2fC+uXW/VQSAv-- From peter.fairbrother@ntlworld.com Sat, 09 Jun 2001 03:56:52 +0100 Date: Sat, 09 Jun 2001 03:56:52 +0100 From: Peter Fairbrother peter.fairbrother@ntlworld.com Subject: Privacy in voting I went to vote yesterday (okay the polling station is part of the cheap beer place) anyway the procedure puzzled me a bit. There were two "ballot issuer" people, I gave my card to the pretty one, she looked my name up, presumably in a very local Electoral Register, asked me to state my name aloud, and then told her colleague a three digit number, which had been printed next to my name in the Electoral Register. He wrote it down on a counterfoil to the ballot paper, which had a five digit serial number printed on it. The ballot paper had the same serial number printed on it's back. I was under the impression that ballots were anonymous, however it would be easy to trace my ballot paper from these numbers. I presume there are (human) precautions to prevent that happening, but I wasn't terribly reassured by being chased out of there by a Policeman for making a nuisance of myself by asking about them. BTW, new MP's always thank the Police for their role in the election process. Just what is it? Keeping order? I hope it's not transporting ballot boxes. What happens to the counterfoils? The ballots, after counting? Anyone know? Can they be linked together? I presume it is to detect election fraud. Why must you use a pencil, not a pen? Do electronic voting systems do this too (to get us nearly back on track)? -- Peter From akm@92tr.freeserve.co.uk Sat, 9 Jun 2001 11:40:44 +0100 Date: Sat, 9 Jun 2001 11:40:44 +0100 From: Adrian Midgley akm@92tr.freeserve.co.uk Subject: Privacy in voting http://www.parliament.the-stationery-office.co.uk/pa/cm199798/cmselect /cmhaff/768/8060208.htm TUESDAY 2 JUNE 1998 PROFESSOR ROBERT BLACKBURN AND DR DAVID BUTLER 120. Because the ballot papers are franked, they have all got numbers. (Dr Butler) You cannot look at the ballot papers except under the conditions of a scrutiny. 121. So where do the ballot papers go? (Dr Butler) They used to be in the Victoria Tower. They have to be kept for a year and a day after the election. 122. Those who might wish to look at ballot papers are only located a hundred yards down the Embankment. (Dr Butler) You are not allowed to look at ballot papers except under judicial order of scrutiny, I think I am right. (Professor Blackburn) In law. Mr Winnick: Is there any evidence of abuse? Chairman 123. I just want to stick with this point for a moment, Professor Blackburn. Do you agree that the state could discover this in limited circumstances like Northern Ireland or if the Communists were doing rather well in a particular area as they did in the past, or if for example a racist candidate was doing very well in a particular area? (Professor Blackburn) What we are talking about here is there has never been a secret ballot in this country in the sense that when you are given a ballot paper by the electoral official your electoral registration number is put down on the counterfoil. That means it is conceivable to match the two up and to find out exactly how you voted. At the count of course votes for each individual party are put in a neat pile. There are all the people who voted for this party and there are all the people who voted for that party. After the count they are taken away and kept for year at Hayes in Middlesex and housed there. The information is there. It is illegal to do that matching of course, except under a court order. 124. But it could in theory be done? (Professor Blackburn) Well, yes, and of course there have been public claims made that it has been done. 125. When? (Professor Blackburn) It may or may not have ever happened. But there is a public perception that it could. If people feel inhibited about how they exercise their vote because they think that it might be discovered how they voted and used against them at some point in the future then that is clearly a breach of a secret ballot. That electoral officials at the polling station quite blatantly take down a voter's personal registration number and put it on the counterfoil they retain is quite extraordinary to most people and rather creepy. Just a few weeks ago in The Guardian of 9 May there was a complaint about it in a letter to the editor: "Having recently become a British citizen, I voted this week for the first time. I was shocked to discover that my polling number was written on the counterfoil of my ballot. Since each ballot paper is numbered, this allows my vote to be identified. I had always believed the Secret Ballot Act provided precisely what it says—secrecy". That letter reminded me to dig out some of the correspondence I had read on the same matter in the newspapers around the time of the 1992 General Election. There were then several complaints, one of which was from James Rusbridger who claimed in a letter to The Independent on 16 April, though without offering any evidence, that: "Over the years, it has been customary for Special Branch to be given access to the ballot papers of extreme candidates (Sinn Fein, Communists, National Front), and these voters' names are then passed to M15 for inclusion on their files of subversives." From k.brown@ccs.bbk.ac.uk Sat, 09 Jun 2001 11:46:14 +0100 Date: Sat, 09 Jun 2001 11:46:14 +0100 From: Ken Brown k.brown@ccs.bbk.ac.uk Subject: Privacy in voting I think we've been through this before in great detail! The short answer is - yes, they can trace your vote, and no they (almost certainly) don't. The papers are stored. Voters are traced when there is strong suspicion of fraud. There is some evidence, by its very nature anecdotal, that some central government agencies extracted the names of people who voted for far-left parties in the 1950s and 1960s. And if anyone told me that no-one has ever tried to find the names and addresses of Sinn Fein voters I wouldn't believe them. (Though I don't know if N. Ireland uses the same system as England - I would have thought that anonymity was more important there than anywhere, there have been places and times where voting for the "wrong" party would have got you killed). I have no idea if anyone is looking at votes for political reasons these days. I would suspect not because there is a chance of someone letting the cat out of the bag and that would be very, very The thanking the police bit is part of the ritual. Our elections, which by-and-large are fair are run by tradition. What keeps them both fair, and efficient, and cheap, is the local co-operation between the various parties, the local council workers, and the police. The polling stations and the counts are often surprisingly friendly places. If there was serious non-co-operation it would all break down. The people who make the laws claim - falsely in my opinion - that the only alternative to the present system would be identity cards, which would be far, far worse. As long as they hold that view I think we are stuck with what we've got Ken Brown Peter Fairbrother wrote: > > I went to vote yesterday (okay the polling station is part of the cheap beer > place) anyway the procedure puzzled me a bit. > > There were two "ballot issuer" people, I gave my card to the pretty one, she > looked my name up, presumably in a very local Electoral Register, asked me > to state my name aloud, and then told her colleague a three digit number, > which had been printed next to my name in the Electoral Register. He wrote > it down on a counterfoil to the ballot paper, which had a five digit serial > number printed on it. The ballot paper had the same serial number printed on > it's back. > > I was under the impression that ballots were anonymous, however it would be > easy to trace my ballot paper from these numbers. I presume there are > (human) precautions to prevent that happening, but I wasn't terribly > reassured by being chased out of there by a Policeman for making a nuisance > of myself by asking about them. > > BTW, new MP's always thank the Police for their role in the election > process. Just what is it? Keeping order? I hope it's not transporting ballot > boxes. > > What happens to the counterfoils? The ballots, after counting? Anyone know? > Can they be linked together? I presume it is to detect election fraud. Why > must you use a pencil, not a pen? > > Do electronic voting systems do this too (to get us nearly back on track)? > > -- Peter From Nick.Barnes@pobox.com Sat, 09 Jun 2001 10:02:40 +0100 Date: Sat, 09 Jun 2001 10:02:40 +0100 From: Nick Barnes Nick.Barnes@pobox.com Subject: Privacy in voting At 2001-06-09 02:56:52+0000, Peter Fairbrother writes: > I went to vote yesterday (okay the polling station is part of the cheap beer > place) anyway the procedure puzzled me a bit. > > There were two "ballot issuer" people, I gave my card to the pretty one, she > looked my name up, presumably in a very local Electoral Register, asked me > to state my name aloud, and then told her colleague a three digit number, > which had been printed next to my name in the Electoral Register. He wrote > it down on a counterfoil to the ballot paper, which had a five digit serial > number printed on it. The ballot paper had the same serial number printed on > it's back. > > I was under the impression that ballots were anonymous, Some ballots are anonymous. UK elections are not. It's a common misconception. There are long-standing rumours that the powers-that-be have used and maybe still use this paper trail to identify voters for various extremist parties (primarily Communists). See, for instance, (starting near the bottom, and going onto the following pages). > BTW, new MP's always thank the Police for their role in the election > process. Just what is it? Keeping order? I hope it's not > transporting ballot boxes. Who would you suggest has the responsibility for transporting ballot boxes? On whose payroll should these people be? Maybe they should be volunteers (!). > What happens to the counterfoils? The ballots, after counting? Anyone know? Yes, it is well known. They are stored securely (!) for a year and a day. Nick B From richard@highwayman.com Sat, 9 Jun 2001 11:50:00 +0100 Date: Sat, 9 Jun 2001 11:50:00 +0100 From: Richard Clayton richard@highwayman.com Subject: Privacy in voting -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In article , Peter Fairbrother writes >I went to vote yesterday (okay the polling station is part of the cheap beer >place) anyway the procedure puzzled me a bit. your description is of what I've seen for many years >There were two "ballot issuer" people, I gave my card to the pretty one, she >looked my name up, presumably in a very local Electoral Register, it will cover a few streets ... often a single polling station will have several pairs of people - each covering a separate area in my polling station there were three people, because I also received a ballot paper for a council election as well >asked me >to state my name aloud, if you pretended to be someone else, then at this point you committed an offence (of course you might have been a proxy ... that's not a complication I've ever been involved in) >and then told her colleague a three digit number, >which had been printed next to my name in the Electoral Register. and indeed this number was on the polling card you may have received a few weeks ago >He wrote >it down on a counterfoil to the ballot paper, which had a five digit serial >number printed on it. The ballot paper had the same serial number printed on >it's back. this allows them to be matched up >I was under the impression that ballots were anonymous, however it would be >easy to trace my ballot paper from these numbers. yes, that's exactly the point if there was a subsequent dispute ... for example, someone voted by pretending to be you - then it would be possible to locate the fraudulent vote and remove it from the ballot in practice, if there was a dispute then you would be allowed to vote but your "second" vote would go into a separate envelope rather than the ballot box - if the final tally was not close then they might not go to the effort (on the night, anyway) of locating the fraudulent ballot paper in any case - once the count is complete the counterfoils and ballot papers are sent to different storage places - and eventually destroyed. >I presume there are >(human) precautions to prevent that happening, but I wasn't terribly >reassured by being chased out of there by a Policeman for making a nuisance >of myself by asking about them. There have been stories of MI5 putting the two bits of information together to determine who voted for extremist candidates. However, no widespread abuse has come to light -- and the numbering system makes "stuffing" of ballot boxes a waste of time [it is easy to detect which votes are forged and you don't need to rerun the vote in that particular area] - so it should be considered to have some positive use. >BTW, new MP's always thank the Police for their role in the election >process. Just what is it? Keeping order? you will see a police presence at many polling stations - my experience is of seeing a lot more "bobbies on the beat" on such days >I hope it's not transporting ballot >boxes. It often is - though I noted that white van man was doing the honours in Sunderland. I think you should look at the paperwork that accompanies ballot boxes before assessing whether the transporter has a reasonable chance of committing any fraud >What happens to the counterfoils? The ballots, after counting? Anyone know? >Can they be linked together? I presume it is to detect election fraud. Why >must you use a pencil, not a pen? Pencil marks will not fade away before the small hours >Do electronic voting systems do this too (to get us nearly back on track)? As usual when considering questions of security, the first thing you need to do is to consider the threat model. In the UK, the main threat has not been considered to be breach of anonymity - but assorted tricks to add extra votes to the boxes; or unfair or improper influence of voters [which is why the party workers who record who voted sit outside in the rain; and why there are no party posters very close to the polling station .... though at least these days you get the party affiliation on the ballot paper so you don't have to remember your favourite candidates name as you enter the building!] That said - the first thing you should look at with electronic (or indeed postal) voting systems is how you prevent abuses such as stuffing the ballot or improper influence on voters (or indeed voters "selling" their votes). About the last thing you'll need to consider is the crypto :) - -- richard richard.clayton @ h i g h w a y m a n . com "Assembly of Japanese bicycle require great peace of mind" quoted in ZAMM -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBOyH/WBfnRQV/feRLEQLeaACg3h6AtRLl3KetvOQCb55BK3SuFEwAoOnz rTxTY0a9rrGGO+uSd4mB6LbQ =WodG -----END PGP SIGNATURE----- From donald@ramsbottom.co.uk Sat, 09 Jun 2001 13:58:22 +0100 Date: Sat, 09 Jun 2001 13:58:22 +0100 From: Donald ramsbottom donald@ramsbottom.co.uk Subject: Delays leave clearing house open to attack >From CW 360, regarding BACS security and PKI http%3A//www.cw360.com/article%26rd%3D%26i%3D%26ard%3D102723 Donald Ramsbottom BA LLb (Hons) PGdip Ramsbottom & Co Solicitors Internet and Global Encryption Law Specialists & General UK Law Matters 5 Seagrove Avenue Hayling Island Hampshire UK Tel (44) 023 9246 5931 Fax (44) 023 9246 8349 Regulated by the Law Society in the conduct of Investment business Service by Fax or Email NOT accepted From donald@ramsbottom.co.uk Sat, 09 Jun 2001 14:30:57 +0100 Date: Sat, 09 Jun 2001 14:30:57 +0100 From: Donald ramsbottom donald@ramsbottom.co.uk Subject: Dutch Stuff More on the Dutch proposals: http://cryptome.org/nl-tap-specs.htm & http://cryptome.org/nl-tap2.htm Donald Ramsbottom BA LLb (Hons) PGdip Ramsbottom & Co Solicitors Internet and Global Encryption Law Specialists & General UK Law Matters 5 Seagrove Avenue Hayling Island Hampshire UK Tel (44) 023 9246 5931 Fax (44) 023 9246 8349 Regulated by the Law Society in the conduct of Investment business Service by Fax or Email NOT accepted From nexus@patrol.i-way.co.uk Sat, 9 Jun 2001 17:06:45 +0100 Date: Sat, 9 Jun 2001 17:06:45 +0100 From: Nexus nexus@patrol.i-way.co.uk Subject: Delays leave clearing house open to attack For those of you that find that URL totally stuffs up your browser (IE5.5 me) try: http://www.cw360.com/article%26rd%3D%26i%3D%26ard%3D102723 No idea why they percent encode the URL like that - could be that godawful bladerunner monstrosity ? JJ ----- Original Message ----- From: "Donald ramsbottom" To: Sent: Saturday, June 09, 2001 1:58 PM Subject: Delays leave clearing house open to attack > > >From CW 360, regarding BACS security and PKI > > > > http%3A//www.cw360.com/article%26rd%3D%26i%3D%26ard%3D102723 > > > Donald Ramsbottom BA LLb (Hons) PGdip > Ramsbottom & Co Solicitors > Internet and Global Encryption Law Specialists & General UK Law Matters > 5 Seagrove Avenue Hayling Island Hampshire UK > Tel (44) 023 9246 5931 Fax (44) 023 9246 8349 > Regulated by the Law Society in the conduct of Investment business > Service by Fax or Email NOT accepted > > From roger.hird@argonet.co.uk Sat, 09 Jun 2001 17:48:27 +0100 Date: Sat, 09 Jun 2001 17:48:27 +0100 From: Roger Hird roger.hird@argonet.co.uk Subject: Privacy in voting On 09 Jun, Peter Fairbrother wrote: > I went to vote yesterday (okay the polling station is part of the cheap > beer place) anyway the procedure puzzled me a bit. Etc, etc, (much reproduced below). I was tempted to do a spoof response about the army of undercover government operatives who, since 1872, have worked to undermine the secrecy of the ballot, sifting through increasingly large numbers of ballot papers, as the franchise widened during the later 19th and early 20th century, creating a vast database of voting histories, providing the Government with detailed reports, the paper overload problems solved only by the adoption of punched card techniques and then early computers etc etc. There might have been interesting diversions on the magnitude of this continuing secret operation, the many secret locations where it was carried out, the incredible secrecy whereby over the whole period not one hint of the operation leaked. But I decided that the Internet being the Internet and UK Crypto being UK crypto it might be taken seriously - so I've decided to be serious instead. > There were two "ballot issuer" people, I gave my card to the pretty one, > she looked my name up, presumably in a very local Electoral Register, > asked me to state my name aloud, and then told her colleague a three > digit number, which had been printed next to my name in the Electoral > Register. He wrote it down on a counterfoil to the ballot paper, which > had a five digit serial number printed on it. The ballot paper had the > same serial number printed on it's back. > I was under the impression that ballots were anonymous, however it would > be easy to trace my ballot paper from these numbers. I presume there are > (human) precautions to prevent that happening, but I wasn't terribly > reassured by being chased out of there by a Policeman for making a > nuisance of myself by asking about them. The system IS DESIGNED to allow ballot papers to be linked to individual voters, in case of subsequent dispute. Two points: (i) The "Secret Ballot" was not introduced to protect individual voters from the state - noone thought that was necessary in 872 and I doubt if many do now - it was introduced, as part of 19th century electoral reform, to stop voters being afraid that their landlords or employers - or anyone who thought they had bought the voter's vote - might actually find out how they voted. (ii) Throughout the 19th and early 20th century direct corruption of voters and many forms of illegal electoral fraud were a continuing feature of elections. In 1865 after the General Election there were legal challenges to the results in 65 seats. The "Secret Ballot" was one mechanism to limit certain forms of corruption. The recording of the voter's identity on the ballot paper through the medium of the electoral register number, is another mechanism, designed to help the courts when results are disputed. See "Corrupt and Illegal Practices", L M Helmore, Library of Political Studies, RKP, 1967. > BTW, new MP's always thank the Police for their role in the election > process. Just what is it? Keeping order? I hope it's not transporting > ballot boxes. Who would you trust to transport ballot boxes, then? > What happens to the counterfoils? The ballots, after counting? Anyone > know? Can they be linked together? I presume it is to detect election > fraud. Why must you use a pencil, not a pen? They are sealed and sent to the House of Commons where they are kept under the authority of the Speaker and released to the Courts if petitions are presented querying the results of an election in a constituency. -- Roger Hird roger.hird@argonet.co.uk http://www.argonet.co.uk/users/roger.hird Running Voyager 2.07 and RISCOS 4.02 on an Acorn StrongARM RiscPC From pgut001@cs.auckland.ac.nz Sun, 10 Jun 2001 23:40:54 (NZST) Date: Sun, 10 Jun 2001 23:40:54 (NZST) From: Peter Gutmann pgut001@cs.auckland.ac.nz Subject: Wired: MS Monopolizes UK Govt Site alastair writes: On Fri, Jun 08, 2001 at 11:11:04AM +0100, Ben Laurie wrote: >>I confess I don't know whether TLS is implemented by Netscape/IE - but >>given that the TLS effort was started by those two companies, it would >>surprise me if not. > >Can't speak for IE or Netscape, but it seems to be in Mozilla now - at least >there's a checkbox for 'enable TLS' in the security settings (alongside a >substantial number of ciphers). It's been in both for a long time, and in most servers as well (try connecting to your favourite secure site with SSLv2 and v3 disabled). Peter. From jon+ukcrypto@unequivocal.co.uk Sun, 10 Jun 2001 13:09:12 +0100 Date: Sun, 10 Jun 2001 13:09:12 +0100 From: Jon Ribbens jon+ukcrypto@unequivocal.co.uk Subject: Wired: Say Ahh, Then Remain Silent Nicholas Bohm wrote: > If silent it comes into force by default after the expiry of a period, > I think one month, from being made. If it doesn't specify it comes into force from the *beginning* of the day on which Royal Assent is given, which introduces an interesting small amount of retrospectiveness. From nbohm@ernest.net Sun, 10 Jun 2001 14:59:55 +0100 Date: Sun, 10 Jun 2001 14:59:55 +0100 From: Nicholas Bohm nbohm@ernest.net Subject: Wired: Say Ahh, Then Remain Silent At 13:09 10/06/2001 +0100, Jon Ribbens wrote: >Nicholas Bohm wrote: >> If silent it comes into force by default after the expiry of a period, >> I think one month, from being made. > >If it doesn't specify it comes into force from the *beginning* of the >day on which Royal Assent is given, which introduces an interesting >small amount of retrospectiveness. Quite right; as provided in section 4(b) of the Interpretation Act 1978, which I'd forgotten about. Regards Nicholas Salkyns, Great Canfield, Takeley, Bishop’s Stortford CM22 6SX, UK Phone 01279 871272 (+44 1279 871272) Fax 01279 870215 (+44 1279 870215) Mobile 07715 419728 (+44 7715 419728) PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07 PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF From richard_12345@hotmail.com Sun, 10 Jun 2001 15:43:59 +0100 Date: Sun, 10 Jun 2001 15:43:59 +0100 From: Richard P richard_12345@hotmail.com Subject: Privacy in voting I'd say the problem of improper influence is fairly insurmountable. At least with a ballot you aren't *allowed* to show anyone how you voted. Any system where votes get cast away from a polling booth introduces the problem of family, friends, local hoodlums or whoever influencing how people vote. Apparently there have been accusations of this with the new simpler system of postal voting. -- Richard >That said - the first thing you should look at with electronic (or >indeed postal) voting systems is how you prevent abuses such as stuffing >the ballot or improper influence on voters (or indeed voters "selling" >their votes). > >About the last thing you'll need to consider is the crypto :) > >- -- _________________________________________________________________________ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com. From owenfb@easynet.co.uk Sun, 10 Jun 2001 22:00:15 +0100 Date: Sun, 10 Jun 2001 22:00:15 +0100 From: Owen Blacker owenfb@easynet.co.uk Subject: Privacy in voting -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > > BTW, new MP's always thank the Police for their role in the > > election process. Just what is it? Keeping order? I hope it's not > > transporting ballot boxes. > > Who would you trust to transport ballot boxes, then? To be honest, I'd consider myself an overly paranoid person and I have what is probably far more than a healthy mistrust of the State and its vestiges (that's what growing up under Maggie and reading too many dystopia novels does for you :o) I can't think of anyone more appropriate than the Police to transport ballots. Apart from anything else, we're voting for who we want to represent our views in the discussion fora of the State. Surely it's only natural that employees of the State should handle it all? The boxes are sealed from when they are first used until they get to the count, so I don't really think that (even were we to assume that the Police wanted to corrupt a ballot, which even ~I~ think is overkill on the paranoia :o) there is any real risk to democracy there. There are ~plenty~ of other ways in which elections can be tampered with, not least all those ways in which Electoral Fraud has been made so much easier with the new postal vote system. I don't think coppers (bent or otherwise) transporting sealed ballot boxes is a realistic point at which to worry... :o) And I think your spoof response might have proved everso amusing, Roger *GRIN* O x - ----- Owen Blacker Senior Internet Software Developer / Information Security Consultant See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys Sig 0x00036874 | d39f b776 fa20 c125 b0e2 aa6d 555e 4126 0003 6874 - ----- Opinions are mine. My employer and their clients can get their own! -----BEGIN PGP SIGNATURE----- Version: PGP 7.0 iQA/AwUBOyPfylVeQSYAA2h0EQJfSwCg/ISApCSNs535/n6000o81TnUrYAAoO7l VQgWz/NNCVzm0rBN7IOig0zp =26E0 -----END PGP SIGNATURE----- From donald@ramsbottom.co.uk Mon, 11 Jun 2001 06:44:29 +0100 Date: Mon, 11 Jun 2001 06:44:29 +0100 From: Donald ramsbottom donald@ramsbottom.co.uk Subject: BARLOW v (1) BOC LTD >From Lawtel. More on evidence and the legality of certain types of evidence in civil proceedings. I wonder what the Swiss authorities would make of the use of such info. As ever ignore if you do not like law. FREDERICK EDWARD BARLOW (2) DAVID WILLIAM BARLOW v (1) BOC LTD (2) EDWARDS HIGH VACUUM INTERNATIONAL LTD (2001) Court: CA (Mummery LJ, Kay LJ) 8/6/2001 Subject: CIVIL PROCEDURE - CRIMINAL PROCEDURE - EVIDENCE Descriptors: INFORMATION OBTAINED IN CRIMINAL PROCEEDINGS : INVESTIGATION AND PROSECUTION OF CRIME : USE IN CIVIL PROCEEDINGS : DISCLOSURE ORDERS : FREEZING ORDERS : UNLAWFULLY OBTAINED EVIDENCE : ADMISSIBILITY : S.3(7) CRIMINAL JUSTICE (INTERNATIONAL COOPERATION) ACT 1990 Summary: Information obtained from a prosecuting authority which had acquired the information as a result of letters of request under the provisions of Criminal Justice (International Cooperation) Act 1990 could be used in civil proceedings where relevant despite the provisions of s.3(7) of the Act. Text: Defendants' appeal against an order made by Grigson J on 15 February 2001 continuing, after an inter partes hearing until trial, freezing and disclosure orders made on a without notice application to Henriques J on 7 February. The issue on appeal was what use could properly be made in civil proceedings of information which had been obtained under the Criminal Justice (International Cooperation) Act 1990 , and particularly the effect of s.3(7) of the Act. In this action the claimants alleged fraudulent misrepresentation against the defendants, one of whom was later charged with criminal offences. Information relevant to the criminal proceedings was obtained under the Act by the police by means of letters of request to the Swiss authorities. The prosecuting authority supplied the claimants' solicitor with the information that there were three Swiss bank accounts directly or indirectly under the defendants' control which were not disclosed by them in accordance with a judge's order. It was assumed that the letters of request were confined to information and documents relating to the investigation and prosecution of crime. The police had not sought the consent of the Swiss authorities in relation to the use of the material in civil proceedings. HELD: (1) The critical question was whether there was any valid legal objection to the claimants tendering this cogent and highly relevant evidence to the court in civil proceedings brought for the protection of their legitimate interests, or to the court admitting and acting on such evidence. (2) There was no general principle of common law or of European Convention law that unlawfully obtained evidence was inadmissible, though it might be excluded in certain circumstances in the exercise of judicial discretion R v B (HM Attorney-General's Reference No.3 of 1999) (2001) 2 WLR 56. This was an a fortiori case as it was not suggested that the information was obtained by unlawful means from the claimants' solicitor. Apart from s.3(7) of the Act, there was no bar on the use and admissibility of the evidence in these proceedings. (3) As s.3 of the Act was not directed at obtaining evidence for use in civil proceedings, there was no reason why there should be any prohibition of its use in such proceedings. The width of the prohibition in s.3(7) of the 1990 Act was implicitly restricted to the use of information by the prosecuting authority or the defendant in criminal investigations and proceedings. Appeal dismissed. Donald Ramsbottom BA LLb (Hons) PGdip Ramsbottom & Co Solicitors Internet and Global Encryption Law Specialists & General UK Law Matters 5 Seagrove Avenue Hayling Island Hampshire UK Tel (44) 023 9246 5931 Fax (44) 023 9246 8349 Regulated by the Law Society in the conduct of Investment business Service by Fax or Email NOT accepted From donald@ramsbottom.co.uk Mon, 11 Jun 2001 07:19:49 +0100 Date: Mon, 11 Jun 2001 07:19:49 +0100 From: Donald ramsbottom donald@ramsbottom.co.uk Subject: Mag's guide to contempt proceedings For those of you who wonder what the Magistrates Courts can do by way of contempt for refusal to give evidence, below is the latest "practice direction" (guidance from the Judiciary to the Beak). It's law so don't read if not interested. Practice Direction (Magistrates' courts: Contempt) Directions as to the way in which justices should exercise their powers to deal with contempt in the face of the court or a refusal to give evidence would take effect immediately. Justices should cease to exercise their power to bind persons over to be of good behaviour in respect to their conduct in court. Lord Woolf, Lord Chief Justice, sitting in the Queen's Bench Division, so stated in a practice direction issued on June 5, 2001. General 1 Magistrates' courts had power to detain someone, whether a defendant or another person present in court, who wilfully insulted or interrupted proceedings under section 12 of the Contempt of Court Act 1981 until the court rose. In any such case, the court could order any officer of the court, or any constable, to take the offender into custody and detain him until the rising of the court; and the court could, if it thought fit, commit the offender to custody for a specified period not exceeding one month or impose on him a fine not exceeding level 4 on the standard scale, or both. That power could be used to stop disruption of their proceedings. Detention was until the person could be conveniently dealt with without disruption of the proceedings. Prior to the court using the power, the offender should be warned to desist or face the prospect of being detained. 2 Magistrates' courts also had the power to commit to custody any person attending or brought before a magistrates' court who refused without just cause to be sworn or give evidence under section 97(4) of the Magistrates' Courts Act 1980 until the expiration of such period not exceeding one month as might be specified in the warrant or until he sooner gave evidence or produced the document or thing or impose on him a fine not exceeding level 4 on the standard scale or both. 3 In the exercise of any of those powers, as soon as practical, and in any event prior to an offender being proceeded against, an offender should be told the conduct which was alleged to constitute his offending in clear terms. When making an order under section 12, the justices should state their findings of fact as to the contempt. 4 Exceptional situations required exceptional treatment. While the practice direction dealt with the generality of situations, there would be a minority of situations where the application of the practice direction would not be consistent with achieving justice in the special circumstances of the particular case. Where that was the situation, the compliance with the practice direction should be modified so far as was necessary so as to accord with the interests of justice. 5 The power to bind persons over to be of good behaviour in respect to their conduct in court should cease to be exercised. Contempt consisting of wilfully insulting or interrupting proceedings 6 In the case of someone who wilfully insulted or interrupted proceedings, if an offender expressed a willingness to apologise for his misconduct, he or she should be brought back before the court at the earliest convenient moment in order to make the apology and to give undertakings to the court to refrain from further misbehaviour. 7 In the majority of cases, an apology and promise as to future conduct should be sufficient for justices to order an offender's release. However, there were likely to be certain cases where the nature and seriousness of the misconduct required the justices to consider using their powers under section 12(2) of the Contempt of Court Act 1981 to either fine or order the offender's committal to custody. Where an offender was detained for contempt of court 8 Anyone detained under either of those provisions in paragraphs 1 or 2 above, should be seen by the duty solicitor or another legal representative and be represented in proceedings if they so wished. Legal aid should generally be granted to cover representation. The offender must be afforded adequate time and facilities in order to prepare his case. The matter should be resolved the same day if at all possible. 9 The offender should be brought back before the court before the justices concluded their daily business. The justices should ensure that he understood the nature of the proceedings, including his opportunity to apologise or give evidence and the alternative of them exercising their powers. 10 Having heard from the offender's solicitor the justices should decide whether to take further action. Sentencing of an offender who admitted being in contempt 11 If an offence of contempt was admitted, the justices should consider whether they were able to proceed on the day or whether to adjourn to allow further reflection. The matter should be dealt with on the same day if at all possible. If the justices were of the view to adjourn they should generally grant the offender bail unless one or more of the exceptions to the right to bail in the Bail Act 1976 were made out. 12 When they came to sentence the offender where the offence had been admitted, the justices should first ask the offender if he had any objection to them dealing with the matter. If there was any objection to the justices dealing with the matter, a differently constituted panel should hear the proceedings. If the offender's conduct was directed to the magistrates, it would not be appropriate for the same bench to deal with the matter. If the offender's conduct was not directed to the magistrates, it might be in order for the same bench to deal with the matter. 13 The justices should consider whether an order for the offender's discharge was appropriate, taking into account any time spent on remand, whether the offence was admitted and the nature and seriousness of the contempt. Any period of committal should be for the shortest period of time commensurate with the interests of preserving good order in the administration of justice. Trial of the issue where the contempt was not admitted 14 Where the contempt was not admitted the justices' powers were limited to making arrangements for a trial to take place. They should not at that stage make findings against the offender. 15 In the case of a contested contempt, the trial should take place at the earliest opportunity and should be before a bench of justices other than those justices before whom the alleged contempt took place. If trial of the issue could take place on the day such arrangements should be made taking into account the offender's rights under article 6 of the Convention for the Protection of Human Rights and Fundamental Freedoms, as scheduled to the Human Rights Act 1998. If the trial could not take place that day, the justices should again bail the offender unless there were grounds under the Bail Act 1976 to remand him in custody. 16 The offender was entitled to call and examine witnesses where evidence was relevant. If the offender was found by the court to have committed contempt the court should again consider first whether an order for his discharge from custody was sufficient to bring proceedings to an end. The justices should also allow the offender a further opportunity to apologise for his contempt or to make representations. If the justices were of the view that they must exercise their powers to commit to custody under section 12(2) of the 1981 Act, they must take into account any time spent on remand and the nature and seriousness of the contempt. Any period of committal should be for the shortest period of time commensurate with the interests of preserving good order in the administration of justice. Donald Ramsbottom BA LLb (Hons) PGdip Ramsbottom & Co Solicitors Internet and Global Encryption Law Specialists & General UK Law Matters 5 Seagrove Avenue Hayling Island Hampshire UK Tel (44) 023 9246 5931 Fax (44) 023 9246 8349 Regulated by the Law Society in the conduct of Investment business Service by Fax or Email NOT accepted From donald@ramsbottom.co.uk Mon, 11 Jun 2001 07:28:10 +0100 Date: Mon, 11 Jun 2001 07:28:10 +0100 From: Donald ramsbottom donald@ramsbottom.co.uk Subject: Regina v Kansal More Law!, this from today's Times Law reort, don't read if law bores you. It deals with HRA, appeals and evidence under article 6 (much to the disgruntlement of the Appeal judges). Regina v Kansal Before Lord Justice Rose, Mr Justice Rougier and Mr Justice McCombe Judgment May 24, 2001 The sooner the ambit of the discretion of the Criminal Cases Review Commission to refer to the Court of Appeal a conviction, whenever the trial had taken place, was addressed the better. Once such a reference had been made, the Court of Appeal had no option, however old the case, but to declare the conviction unsafe if that was the result either of the admission of evidence obtained in breach of article 6 of the European Convention on Human Rights, or of a change in the common law, deemed on judgment to be retrospective. The Court of Appeal, Criminal Division, so held in allowing an appeal, on a reference by the commission under section 9 of the Criminal Appeal Act 1995, by Yash Pal Kansal against his conviction on February 18, 1992, at Snaresbrook Crown Court (Judge Rucker and a jury) on counts 1 and 2 of obtaining property by deception, contrary to section 15(1) of the Theft Act 1968; and, being a bankrupt, of count 4, of removing property contrary to section 354(2) of the Insolvency Act 1986 and on count 5 of failing to account for property contrary to section 354(3) of that 1986, for which he was sentenced to a total of 15 months imprisonment. Mr Ivan Krolick and Miss Anita Geser for the appellant; Mr John McGuinness, QC, for the Crown. LORD JUSTICE ROSE, delivering the reserved judgment of the court, said that ground 1 of the grounds of appeal challenged the convictions on counts 1 and 2 in the light of R v Preddy ((1996) AC 815) and ground 11 challenged the judge's ruling admitting the transcript of the examination of the appellant at the bankruptcy proceedings, in the light of the decision of the European Court of Human Rights in Saunders v United Kingdom (Case 43/1994/490/572) (The Times December 18, 1996; (1996) 23 EHRR 313). There was a point of considerable importance in relation to the treatment by the Court of Appeal of such references. It was this: in view of the long established practice of the Court of Appeal (see, for example: Lord Justice Lane in R v Mitchell ((1977) 65 Cr App R 185, 189); Lord Bingham Lord Chief Justice, in R v Campbell ((1997) 1 Cr App R 199, 206F) and Lord Woolf, Lord Chief Justice, in R v Benjafield (The Times December 28, 2000)) not to reopen convictions because of a change in the law since trial, was it appropriate in the light of sections 9 and 13 of the Criminal Appeal Act 1995 for the commission to refer, and for the Court of Appeal on a reference to consider the safety of a conviction on such a ground? The point was at the heart of the present case because the principal reasons for the reference and grounds of appeal were the decisions of House of Lords in Preddy and of the Human Rights Court in Saunders, both some years after the trial. Changes in the law could arise by virtue of Acts of Parliament, developments in the common law and, following the coming into force of the Human Rights Act 1998 on October 2, 2000, decisions of the European Court of Human Rights. In the ordinary way, changes by Acts of Parliament were not retrospective, but changes in the common law were. The retrospectivity or otherwise of the Human Rights Act had attracted divergent judicial views. In this appeal, their Lordships had not had the advantage of hearing any submissions on behalf of the commission as to how they might properly choose to exercise their discretion. It would, in their Lordships' judgment, be helpful if, at an early date, it proved possible for the Court of Appeal to hear representations on behalf of the commission as to the proper ambit of their discretion. Meanwhile, they expressed the very firm hope that, in exercising the discretion under section 9 and the judgment conferred by section 13(1)(a), the commission might think it right to take into account the Court of Appeal's practice in refusing leave because of a change in the law just as, in the light of R v Criminal Cases Review Commission, Ex parte Pearson ((1999) 3 All ER 498), they took the court's practice into account when assessing the possibility of fresh evidence being received. As a matter of statutory construction, it appeared to their Lordships that the consequences of the absence from the Criminal Appeal Act 1995 of any time limit for references by the commission and the presence of the retrospectivity provision of section 22(4) of the 1998 Act, as interpreted by the majority in R v DPP, Ex parte Kebilene ((2000) 2 AC 326) were twofold: (i) the commission, subject to the proper exercise of the discretion conferred by section 9 of the Criminal Appeal Act 1995, could refer to the Court of Appeal a conviction following a trial whenever it took place; (ii) the Court of Appeal, once such a reference had been made, had no option, however old the case, but to declare the conviction unsafe if that was the result either of the admission of evidence in breach of article 6 or of a change in the common law, which was deemed always to have been that which it was authoritatively declared to be, as, for example, by reason of R v Preddy. Their Lordships reached that conclusion with no enthusiasm whatever. Leaving aside colourful historical examples such as Sir Thomas More, Guy Fawkes and Charles I, all of whom would have benefited from Convention rights; until the Criminal Evidence Act 1898, no defendants was permitted to give evidence on his own behalf. That was a clear breach of article 6. For over 20 years, the Court of Appeal had adopted a pragmatic approach, confirmed by successive Lord Chief Justices, whereby a refusal to extend time to apply for leave to appeal had filtered out those seeking to take advantage of a change in the law since they were convicted. That, in their Lordships' judgment, reflected the public interest that there be finality in litigation and it was an approach which had helped the court to concentrate its limited resources on determining more meritorious appeals arising from more recent convictions. Subject to the outcome of further consideration of the proper ambit of the commission's discretion to refer cases, their Lordships, having not in the instant appeal had the advantage of hearing any submissions on behalf of the commission as to how they might properly choose to exercise that discretion, it appeared that Parliament, consciously or unconsciously, had completely emasculated that approach. If so, the consequential prospective work-load for the commission and for the Court of Appeal was alarming. If that was what Parliament intended, so be it. If not, the sooner the matter was addressed, by Parliament or by the House of Lords on appeal, the better. The appellant's convictions on all four counts were quashed on the sole ground that the answers he was obliged to give in his examination by the Official Receiver were, as the law now stood, wrongly admitted before the jury. Donald Ramsbottom BA LLb (Hons) PGdip Ramsbottom & Co Solicitors Internet and Global Encryption Law Specialists & General UK Law Matters 5 Seagrove Avenue Hayling Island Hampshire UK Tel (44) 023 9246 5931 Fax (44) 023 9246 8349 Regulated by the Law Society in the conduct of Investment business Service by Fax or Email NOT accepted From owen.blacker@wheel.co.uk Mon, 11 Jun 2001 10:34:01 +0100 Date: Mon, 11 Jun 2001 10:34:01 +0100 From: Owen Blacker owen.blacker@wheel.co.uk Subject: Silicon.com: Nokia flaw leaves your personal details online -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > HEADLINE: Nokia flaw leaves your personal details online > PUBLISHED: 12:37pm on Friday 8th June 2001 > CHANNEL: Ebusiness security > AUTHOR: editorial@silicon.com > SERVICE: http://www.silicon.com > > TEXT OF STORY FOLLOWS: > > The mighty Finn not mighty enough to guard your data... > > Nokia has admitted that private customer information was left > exposed online to be freely seen by others. > > The mobile phone giant blamed the popularity of its new > "dirty bath water" advertisement for leaving it in hot water. > > One customer new to Nokia told silicon.com he was shocked to > see another 'Club Nokia' member's name, email address, phone > number, SIM card ID number, phone identification number and > password when he signed up yesterday. > > "There's a serious security flaw at Club Nokia," he said. "I > was trying to register for club membership when a page came > up with someone else's details." > He hadn't seen the credit card details of the other user, but > was still sufficiently concerned to phone the helpline. > > Reporting the fault, he was shocked to be told by the > helpdesk operator that she had another member on the other > line reporting the same thing. This other complainant had > seen the details of another member living in Portugal. > > A Nokia spokesman claimed that while there had been reports > of other problems with the site from new sign-ups there had > only been "two or three" complaints of the serious nature > experienced by these two users. > > Mark Squires, senior manager communications at Nokia, said: > "We'll hold our hands up to this one. We've had an > advertising campaign running this week that has caused an > unprecedented number of people to sign up with Club Nokia. > > "During the peak, a bug emerged. As more than one person > tried to register at the same time the system gave out the > same Club Nokia membership number to more than one person. > > "The bug had started to occur on Wednesday, but was resolved > on Thursday," he added. > > The problem was compounded by a promotion for users of the > new Nokia 3330 handset. > > By Andy Favell > > For related news, see: > Nokia puts Java on 100 million mobiles > http://www.silicon.com/a44892 > The royal bank of Nokia > http://www.silicon.com/a43744 > To be or Nokia to be? > http://www.silicon.com/a43738 > > > STORY ENDS > > For more information on silicon.com go to http://www.silicon.com. > > silicon.com - the who, what, when, where and why of ebusiness -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! iQA/AwUBOySQBFVeQSYAA2h0EQJRCQCgmAvtf1RDryEZxya1ZcGgTVxXzqsAn2Jj LL0T30e/H1nna3PdkZ9dZryD =RXuA -----END PGP SIGNATURE----- _____________________________________________________________________ This message has been checked for all known viruses by UUNET delivered through the MessageLabs Virus Control Centre. For further information visit http://www.uk.uu.net/products/security/virus/ From Pete.Chown@skygate.co.uk Mon, 11 Jun 2001 13:54:23 +0100 Date: Mon, 11 Jun 2001 13:54:23 +0100 From: Pete Chown Pete.Chown@skygate.co.uk Subject: Delays leave clearing house open to attack Donald Ramsbottom wrote: > From CW 360, regarding BACS security and PKI It's one thing if BACS' security isn't up to the job, but sprinkling a bit of crypto on it won't fix it. Saying that BACS needs to implement PKI in order to be secure is putting the cart before the horse. -- Pete From donald@ramsbottom.co.uk Mon, 11 Jun 2001 14:46:47 +0100 Date: Mon, 11 Jun 2001 14:46:47 +0100 From: Donald ramsbottom donald@ramsbottom.co.uk Subject: Delays leave clearing house open to attack Pete, I couldn't agree more. I Just thought it was interesting that they should throw out PKI as a "solution". At 01:54 PM 6/11/01 +0100, you wrote: >Donald Ramsbottom wrote: > >> From CW 360, regarding BACS security and PKI > >It's one thing if BACS' security isn't up to the job, but sprinkling a >bit of crypto on it won't fix it. Saying that BACS needs to implement >PKI in order to be secure is putting the cart before the horse. > >-- >Pete > > > Donald Ramsbottom BA LLb (Hons) PGdip Ramsbottom & Co Solicitors Internet and Global Encryption Law Specialists & General UK Law Matters 5 Seagrove Avenue Hayling Island Hampshire UK Tel (44) 023 9246 5931 Fax (44) 023 9246 8349 Regulated by the Law Society in the conduct of Investment business Service by Fax or Email NOT accepted From johndoe2@mail.anonymizer.com Mon, 11 Jun 2001 06:11:00 -0500 Date: Mon, 11 Jun 2001 06:11:00 -0500 From: John Doe Number Two johndoe2@mail.anonymizer.com Subject: 'The Independent': Top Firms Retreat Into Bunker An interesting piece about Ben Laurie's The Bunker (http://www.thebunker.net). http://news.independent.co.uk/digital/update/story.jsp?story=77374 "Insert the usual disclaimer here." Key ID: 0x8EF048F5 4093 Bit DH/DSS Fingerprint: CC8F 8D2C E1A3 6555 7438 B456 D00E A83C 8EF0 48F5 From pete@dmed.demon.co.uk Mon, 11 Jun 2001 18:07:34 +0100 Date: Mon, 11 Jun 2001 18:07:34 +0100 From: Pete Mitchell pete@dmed.demon.co.uk Subject: Wired: MS Monopolizes UK Govt Site This is what I get. > > > Unsupported Browser > > > > You cannot access the Government Gateway at the moment. This is because you are either using an old version of > a browser, or the browser you are using does not have the correct settings. Read this page to find out which > browsers are supported and which settings to use. > > Supported Browsers > > We have made the Government Gateway compatible with as many browsers as possible, on both PCs and Macintoshes. > However, because we need to maintain maximum security on this web site, we cannot support older versions of browsers. > To use the Government Gateway, you must have: > > a PC, with Windows 95 or later, or Windows NT 4.0 or later with Microsoft Internet Explorer version 4.01 or later or > Netscape Navigator version 4.08 or later > OR an Apple Macintosh with Mac OS version 7.5 or later with Microsoft Internet Explorer version 5.0 or later or > Netscape Navigator version 4.xx or later > a working Internet connection > the 128-bit security add-in, for your version of the browser > > Please note that you cannot currently use Netscape 6 to access the Government Gateway, due to issues with the > support for digital certificates in this new version. > > You can find out which version of the browser version you are currently using, by clicking on Help, then About…, in the > menu bar of your browser. The name and version number of your browser is displayed. > > Browser Settings > > To use the Government Gateway, you must also have the following options enabled in your browser: > > Your browser must be set to accept cookies > Java must be enabled > Javascript must be enabled > > To check your settings: > > Internet Explorer > > 1.From the menu bar, click on Tools, then Internet Options. > 2.In the window that appears, click on the Security tab. Click on the Internet zone and check that the security level is > set to Medium > > Netscape Navigator > > 1.From the menu bar, click on Edit, then Preferences. > 2.In the window that appears, click on Advanced in the left-hand pane. The settings are displayed. It really is unbelievable. I have got used to NHS departments putting stuff up in Word, which is bad enough, but this! How dare they claim they are making it compatible with as many browsers as possible, while displaying a message like this? How many other websites - let alone govt websites that are supposed to be addressing thew whole population - give you a message of this kind? Why do they need maximun security on a public website? Why must we accept cookies? Why must we run Javascript? Is there any sign of an answer to any of these questions yet? -- Pete Mitchell From jeremy.barker@btinternet.com Mon, 11 Jun 2001 18:56:56 +0100 Date: Mon, 11 Jun 2001 18:56:56 +0100 From: Jeremy Barker jeremy.barker@btinternet.com Subject: London Metro: Mobile dials into top-level security Brian Morrison wrote: > On Wed, 6 Jun 2001 10:09:28 +0100, Owen Blacker wrote: > > >| > >| Stefan Boettinger, of manufacturer Rohde & Schwarz, said : "They're aimed > >| at companies who want to be sure they're not being spied on by > >| competitors." > >| > > I don't see how this can help anything other than the off air > monitoring case, there is no provision to pass encrypted voice traffic > out of the GSM network into the PSTN, unless you were to do it as a > data call perhaps. > > Anyone know any more? I think I saw somewhere (can't remember where) that in crypto mode it only interworks with a similar phone or a special ISDN landline telephone. I think it's reasonable to assume that the call is handled as a data call - it's very hard to see how it could work otherwise. jb From graham@barnowl.demon.co.uk 11 Jun 2001 19:40:24 +0000 Date: 11 Jun 2001 19:40:24 +0000 From: Graham Murray graham@barnowl.demon.co.uk Subject: Wired: MS Monopolizes UK Govt Site Pete Mitchell writes: > Why do they need maximun security on a public website? Why must we > accept cookies? Why must we run Javascript? Also, their site certificate uses RSA/MD5. Would they not get more security using DSA/SHA1? From owen.blacker@wheel.co.uk Tue, 12 Jun 2001 09:40:38 +0100 Date: Tue, 12 Jun 2001 09:40:38 +0100 From: Owen Blacker owen.blacker@wheel.co.uk Subject: Wired: MS Monopolizes UK Govt Site =20 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Pete Mitchell quoth: > > It really is unbelievable. I have got used to NHS departments putting > stuff up in Word, which is bad enough, but this! How dare they claim = they > are making it compatible with as many browsers as possible, while > displaying a message like this? How many other websites - let alone = govt > websites that are supposed to be addressing the whole population - = give > you a message of this kind? =20 >=20 > Why do they need maximum security on a public website? Why must we = accept > cookies? Why must we run Javascript? =20 >=20 > Is there any sign of an answer to any of these questions yet? Whilst I agree with you in principle -- the government's websites = should be as inclusive as possible -- to be fair to the developers of the site, = it is often impractical to support every browser running on every platform. OK, whilst this is less the case when you can just curtail your = =E6sthetic enthusiasm and sacrifice eyecandy for inclusivity, it is quite an = important point [to people who develop websites, like me; consider that a = declaration of interest *GRIN*] Most of the websites I have developed professionally have only ever supported the big browsers. Quite a few of those refuse admission to = users using other browsers. Frankly, it is usually not worth our time as developers (and thus our clients' money) to make sure that absolutely everything should be able = to get in to absolutely every part of every site. Whilst I would have = flamed myself for saying this four years ago, as someone who now does this = kind of work professionally, it really is difficult enough supporting half a = dozen minor versions of two browsers on, say, two operating systems (for the = sake of argument, let's say we're only supporting IE 4+ or Netscape 4.06+ running on either 32-bit Windows or MacOS (System 8.x or 9.x)). As the overwhelming majority of users (to ~all~ of our clients' sites, afaiaa) use IE 5.x running on Windows 98 or Windows ME (with a few = Windows NT users, who are presumably surfing from work), it just isn't cost-efficient to support Conqueror running on RedHat / KDE or Netscape = 6 on a Mac, for example. In principle, I agree with you, ~particularly~ for a site that doesn't necessarily need =E6sthetic whistles and bells, but, in practice, I = don't think I -- or any agency I know much about -- would have done anything different, in those regards, at least. The main places where I think we are right to criticise the Government Gateway is (a) they are wrongly claiming to be inclusive -- I think = they should just not claim that, (b) they are very unclear about why users = are being excluded and make no attempt to justify this exclusion (but I = don't feel that justification is necessarily useful) and (c) they don't make = it clear when, if ever, specific classes of excluded users will be allowed = in. They have handled the users' expectations rather badly, as one of my colleagues would doubtless say. If anyone wants to flame my views, feel free to do so off-list, as I'm definitely pushing us off-topic, but I just wanted to explain what I = see as a relatively common practice, at least amongst sites I have seen or = worked upon. (And yes, I know that this means implicitly that I'm helping Microsoft's evil monopoly, don't bother flaming me about that, cos it'd = be dull :o) Just my two penneth... O x - --=20 Owen Blacker Senior Software Developer / InfoSec Consultant Wheel: Clerkenwell See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys Sig 0x00036874 | d39f b776 fa20 c125 b0e2 aa6d 555e 4126 0003 6874 - --=20 Opinions are mine. My employer and their clients can get their own! -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! iQA/AwUBOyXVAlVeQSYAA2h0EQK5+ACeJ91RqpaHxEMyMtmRrPdtp7fNQUwAoKDY 32xS8Az13FgxUK5/fb/iPyXX =3DdzYu -----END PGP SIGNATURE----- _____________________________________________________________________ This message has been checked for all known viruses by UUNET delivered through the MessageLabs Virus Control Centre. For further information visit http://www.uk.uu.net/products/security/virus/ From owen.blacker@wheel.co.uk Tue, 12 Jun 2001 09:43:19 +0100 Date: Tue, 12 Jun 2001 09:43:19 +0100 From: Owen Blacker owen.blacker@wheel.co.uk Subject: London Metro: Mobile dials into top-level security -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > > I don't see how this can help anything other than the off air > > monitoring case, there is no provision to pass encrypted voice traffic > > out of the GSM network into the PSTN, unless you were to do it as a > > data call perhaps. > > > > Anyone know any more? > > I think I saw somewhere (can't remember where) that in crypto mode it > only interworks with a similar phone or a special ISDN landline > telephone. I think it's reasonable to assume that the call is handled as > a data call - it's very hard to see how it could work otherwise. The original article mentioned something about "For encrypted calls, both parties need to have a TopSec handset". O x - -- Owen Blacker Senior Software Developer / InfoSec Consultant Wheel: Clerkenwell See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys Sig 0x00036874 | d39f b776 fa20 c125 b0e2 aa6d 555e 4126 0003 6874 -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! iQA/AwUBOyXVpFVeQSYAA2h0EQKL/wCeNTs4O7S7OOcZD84gWimAcGmyd6IAnjrW 92B675i3JVwF0ktjh2IBeVTf =s77l -----END PGP SIGNATURE----- _____________________________________________________________________ This message has been checked for all known viruses by UUNET delivered through the MessageLabs Virus Control Centre. For further information visit http://www.uk.uu.net/products/security/virus/ From owen.blacker@wheel.co.uk Tue, 12 Jun 2001 10:14:20 +0100 Date: Tue, 12 Jun 2001 10:14:20 +0100 From: Owen Blacker owen.blacker@wheel.co.uk Subject: Wired: Farewell Free Downloads -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Not necessarily on-topic for UK Crypto, but it evoked memories of a lot of the issues that were criticised in the report about the gagged SDMI challenge . http://www.wired.com/news/mp3/0,1285,44412,00.html | Farewell Free Downloads | By Brad King | 2:00 a.m. June 11, 2001 PDT | | | An audible sigh of relief can be heard from the folks at Napster. | | With major label deals that will keep its trademark access to popular | music intact and new technologies that limit the number of songs | available on the service, Napster is slowly but decidedly morphing into a | commercially viable enterprise. | | Of course, the consumer experience is going to be radically different | than it was a year ago, as filtering technologies and tracking software | prevent users from getting to all the music they want. | | In the old days -- according to the company's own count -- somewhere in | the neighborhood of 70 million users downloaded the Napster application | because the network allowed users on-demand access to any music they | wanted -- for free. | | But the company's new subscription service set to launch this summer is | founded on a different principle: keeping free music away from consumers. | And, of course, making them pay for it. While the changing consumer | experience has hurt Napster traffic and use, the shift in the business | model is no longer up to the Napster team. As part of its ongoing | litigation with the recording industry, the company has been legally | forced to develop a filtering system that controls what music is being | traded on its network. | | On Thursday, Napster teamed up with Loudeye, an encoding and digital | infrastructure company, to help bolster its filtering technology designed | to keep copyrighted music off the company's file-trading network. | | The Loudeye deal gives the Napster technology team access to over two | million encoded music files from the major labels, according to a Napster | spokeswoman. With the help of software-maker Relatable, Napster has now | created a filtering technology that can digitally fingerprint music. | | The fingerprints allow the company to keep copyrighted music off its | file-trading network by comparing music on its system against a list of | copyrighted music that can't be legally traded. | | The company also has access to a song database from Gracenote that allows | the company to filter out misspelled song titles. | | The results of the filtering process have been quite dramatic. | | The service had 840,000 simultaneous users in May, down from its high of | 1.5 million just three months before, according to Internet research firm | Webnoize. Those users were sharing 21 songs on average, off 90 percent | from the 220 songs users were making available in February. In other | words, getting an unauthorized song onto the Napster system is now much | harder. | | Despite the reduced traffic and withering consumer experience, this is | all good news for Napster. See, the company can't begin to launch its | subscription service until it proves to the recording industry that the | file-trading network can be controlled. | | "The Napster brand name is still on users' PCs and laptops, and those | users are continuing to use the service," said senior Webnoize analyst | Matt Bailey. "The drop in usage will continue, though, and if they can't | launch their service soon, the brand might diminish in the eyes of the | consumer. | | "Of course, this filtering technology is giving the company some | credibility. If there were obvious leaks in the filtering, they would | have a hard time selling the service to MusicNet or any other music | service." | | MusicNet -- a joint subscription service owned by digital media company | RealNetworks along with three major labels: EMI, Warner Music and BMG -- | agreed to license content to Napster on the condition its filtering and | tracking technologies get upgraded. | | Once consumers have downloaded music using Napster -- or any of the | myriad other file-trading applications -- they have the ability to burn | that music onto a CD, something the recording industry fears could eat | into its CD sales market. | | Recently, technology companies have also been working overtime to ensure | that once music gets to consumers' PCs, there will be some control as | well. | | Major music label EMI recently signed a deal with software company Roxio | to develop a secure, CD-burning technology that would only allow certain | music files to be transferred to a CD. | | Without that protection, users could download music files from their | subscription services, then indiscriminately burn the music onto any | blank CD for free. | | "There has to be a core technology that accomplishes what the labels need | and it needs to be deployed where consumers are," said Brad Duea, Roxio's | vice president of business development. | | "One way that we look at being deployed is putting this within a | subscription service, a premium subscription service that would allow | users to download specific files that come with burning capabilities." | | Copyright © 1994-2001 Wired Digital Inc. All rights reserved. | - -- Owen Blacker Senior Software Developer / InfoSec Consultant Wheel: Clerkenwell See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys Sig 0x00036874 | d39f b776 fa20 c125 b0e2 aa6d 555e 4126 0003 6874 -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! iQA/AwUBOyXc6VVeQSYAA2h0EQLWPQCePGYytks/B+siu9W/zeDJ1yweKO0AniGB 383d/9YQq+F4RbrDXNbqAHH+ =Gw+f -----END PGP SIGNATURE----- _____________________________________________________________________ This message has been checked for all known viruses by UUNET delivered through the MessageLabs Virus Control Centre. For further information visit http://www.uk.uu.net/products/security/virus/ From owen.blacker@wheel.co.uk Tue, 12 Jun 2001 11:14:44 +0100 Date: Tue, 12 Jun 2001 11:14:44 +0100 From: Owen Blacker owen.blacker@wheel.co.uk Subject: Silicon.com: Blair appoints new e-minister -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > HEADLINE: Blair appoints new e-minister > PUBLISHED: 9:25am on Tuesday 12th June 2001 > CHANNEL: Power brokers > AUTHOR: Sally Watson > STORY: http://www.silicon.com/a45003 > > TEXT OF STORY FOLLOWS: > > Douglas Alexander steps into Hewitt's shoes > > Douglas Alexander, MP for Paisley South, has replaced > Patricia Hewitt as e-minister following Tony Blair's weekend > reshuffle. > > Alexander was named minister for ecommerce and > competitiveness late last night, although it's not clear yet > how the portfolio will differ from that of his predecessor > Patricia Hewitt, who was responsible for ecommerce, small > businesses and the textiles industry. > > The appointment comes three days after Hewitt was promoted to > secretary of state for trade and industry. > > The move will disappoint some industry chiefs who were keen > for Hewitt to keep her responsibility for ecommerce, despite > her promotion. > > Philip Flaxton, chief executive of high-tech lobby group > InterForum, praised Hewitt's knowledge of the subject. "She's > very well briefed, and pays more than just lip service to the > industry," he said. > > Flaxton is now prepared to face another raft of industry > briefings with the new e-minister. > > John Higgins, director general of the CSSA, will also have > mixed feelings about Alexander's appointment, having backed > Hewitt to keep the ecommerce portfolio. > > Higgins is confident that despite her increased > responsibility Hewitt will still remain a champion of the > high-tech market. "I'm confident from knowing her that she > will concentrate on those parts of UK industry that will make > it more competitive and productive," he said. > > Glasgow-born Alexander won the Paisley South seat in a > by-election in 1997. The 33-year-old MP was part of a > backbench revolt against Jack Straw's amendments to the > Freedom of Information Bill in 1999. > > For related news, see: > Cabinet reshuffles, IT gains > http://www.silicon.com/a44999 > Ecommerce brief up for grabs as e-minister gets DTI job > http://www.silicon.com/a44994 > Election special: IT fights for Cabinet seat > http://www.silicon.com/a44881 > > > STORY ENDS > > For more information on silicon.com go to http://www.silicon.com. > > silicon.com - the who, what, when, where and why of ebusiness -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! iQA/AwUBOyXrEFVeQSYAA2h0EQJjagCfSoIyZwPqpBi5pCHSpvHB2dvkxGYAoPVE 1bIL8XoG6ycq+lkT/G9rIkoM =iYQB -----END PGP SIGNATURE----- _____________________________________________________________________ This message has been checked for all known viruses by UUNET delivered through the MessageLabs Virus Control Centre. For further information visit http://www.uk.uu.net/products/security/virus/ From DHowe@Hawkswing.demon.co.uk Tue, 12 Jun 2001 11:25:50 +0100 Date: Tue, 12 Jun 2001 11:25:50 +0100 From: David Howe DHowe@Hawkswing.demon.co.uk Subject: London Metro: Mobile dials into top-level security > > > I don't see how this can help anything other than the off air > > > monitoring case, there is no provision to pass encrypted voice traffic > > > out of the GSM network into the PSTN, unless you were to do it as a > > > data call perhaps. > > > Anyone know any more? > > I think I saw somewhere (can't remember where) that in crypto mode it > > only interworks with a similar phone or a special ISDN landline > > telephone. I think it's reasonable to assume that the call is handled as > > a data call - it's very hard to see how it could work otherwise. Hmm. could there be a software version for your pc/modem/soundcard setup (PGPfone equiv?) From Pete.Chown@skygate.co.uk Tue, 12 Jun 2001 11:43:53 +0100 Date: Tue, 12 Jun 2001 11:43:53 +0100 From: Pete Chown Pete.Chown@skygate.co.uk Subject: Wired: MS Monopolizes UK Govt Site Graham Murray wrote: > Also, their [ukonline's] site certificate uses RSA/MD5. Would they > not get more security using DSA/SHA1? No, interestingly, because systems are only as secure as their weakest link. If you have a way of producing MD4, MD2 or DES/MDC-2 preimages with the characteristics you want, you have broken the web PKI. Because web browsers will accept weaker certificates, you don't gain anything by using a stronger one yourself. -- Pete From grenouf@well.com Mon, 11 Jun 2001 22:11:42 +0200 Date: Mon, 11 Jun 2001 22:11:42 +0200 From: Greg Renouf grenouf@well.com Subject: 'The Independent': Top Firms Retreat Into Bunker I love this quote: "The fear is that servers, the ---small electronic boxes--- through which customer traffic and business transactions on the web are channelled, could be physically vulnerable to theft, damage or sabotage." Wouldn't it be great if people who were writing about technology actually knew something about it? They should be ashamed.... -GSR ----- Original Message ----- From: "John Doe Number Two" To: "ukcrypto chiark.greenend.org.uk" Sent: Monday, June 11, 2001 1:11 PM Subject: 'The Independent': Top Firms Retreat Into Bunker > An interesting piece about Ben Laurie's The Bunker > (http://www.thebunker.net). > > http://news.independent.co.uk/digital/update/story.jsp?story=77374 > > > > "Insert the usual disclaimer here." > > Key ID: 0x8EF048F5 > 4093 Bit DH/DSS > Fingerprint: CC8F 8D2C E1A3 6555 7438 B456 D00E A83C 8EF0 48F5 > > > > > From brg@gladman.plus.com Tue, 12 Jun 2001 12:27:52 +0100 Date: Tue, 12 Jun 2001 12:27:52 +0100 From: Brian Gladman brg@gladman.plus.com Subject: Wired: MS Monopolizes UK Govt Site From: "Pete Chown" To: Sent: Tuesday, June 12, 2001 11:43 AM Subject: Re: Wired: MS Monopolizes UK Govt Site > Graham Murray wrote: > > > Also, their [ukonline's] site certificate uses RSA/MD5. Would they > > not get more security using DSA/SHA1? > > No, interestingly, because systems are only as secure as their weakest > link. If you have a way of producing MD4, MD2 or DES/MDC-2 preimages > with the characteristics you want, you have broken the web PKI. > > Because web browsers will accept weaker certificates, you don't gain > anything by using a stronger one yourself. I guess I am being thick here but I don't understand this. If a public key is signed using two different methods, one weak and one strong, but I accept only the strong method, in what way does the existence of a weak signature reduce my security in accessing the site? I can see that those who accept the weak signature can be duped into going to a bogus site but I don't see how I can be duped in this way provided I use the stronger signature. Brian From pleyland@microsoft.com Tue, 12 Jun 2001 04:58:28 -0700 Date: Tue, 12 Jun 2001 04:58:28 -0700 From: Paul Leyland pleyland@microsoft.com Subject: 'The Independent': Top Firms Retreat Into Bunker Hmm, which of "small", "electronic" and "boxes" do you disagree with? "Electronic" is perhaps the easiest to justify. Pneumatic, hydraulic and mechanical computers went out of fashion a long time ago. "Boxes" perhaps is the most misleading to a reader unfamiliar with the jargon. When IT professionals use the term "Unix box", "Windows box" and the like they refer not to the relatively inert casing but the active components within. Perhaps the metaphor "The Whitehouse" used when referring to the president of the United States and/or his staff might be a sufficiently close analogy. "Small" is perhaps the one most likely to be wrong in many cases. Some servers are indeed physically very large. In defence of the author, though, I must point out that there has been a great movement towards rather small rack-mount servers in recent years. Quite a lot these days are only an inch or two thick. Paul > -----Original Message----- > From: Greg Renouf [mailto:grenouf@well.com]=20 > Sent: 11 June 2001 21:12 > To: ukcrypto@chiark.greenend.org.uk > Cc: newseditor@independent.co.uk > Subject: Re: 'The Independent': Top Firms Retreat Into Bunker >=20 >=20 > I love this quote: >=20 > "The fear is that servers, the ---small electronic boxes---=20 > through which > customer traffic and business transactions on the web are=20 > channelled, could > be physically vulnerable to theft, damage or sabotage." >=20 > Wouldn't it be great if people who were writing about=20 > technology actually > knew something about it? They should be ashamed.... >=20 > -GSR >=20 >=20 >=20 > ----- Original Message ----- > From: "John Doe Number Two" > To: "ukcrypto chiark.greenend.org.uk"=20 > > Sent: Monday, June 11, 2001 1:11 PM > Subject: 'The Independent': Top Firms Retreat Into Bunker >=20 >=20 > > An interesting piece about Ben Laurie's The Bunker > > (http://www.thebunker.net). > > > > http://news.independent.co.uk/digital/update/story.jsp?story=3D77374 > > > > > > > > "Insert the usual disclaimer here." > > > > Key ID: 0x8EF048F5 > > 4093 Bit DH/DSS > > Fingerprint: CC8F 8D2C E1A3 6555 7438 B456 D00E A83C 8EF0 48F5 > > > > > > > > > > >=20 >=20 >=20 >=20 >=20 From Pete.Chown@skygate.co.uk Tue, 12 Jun 2001 13:41:57 +0100 Date: Tue, 12 Jun 2001 13:41:57 +0100 From: Pete Chown Pete.Chown@skygate.co.uk Subject: Wired: MS Monopolizes UK Govt Site Brian Gladman wrote: > From: "Pete Chown" > > ... systems are only as secure as their weakest link. If you have > > a way of producing MD4, MD2 or DES/MDC-2 preimages with the > > characteristics you want, you have broken the web PKI. > > > > Because web browsers will accept weaker certificates, you don't gain > > anything by using a stronger one yourself. > If a public key is signed using two different methods, one weak and one > strong, but I accept only the strong method, in what way does the existence > of a weak signature reduce my security in accessing the site? It doesn't. But imagine a site X which has a certificate using SHA-1 as the digest algorithm. Now say someone has broken MD4 and uses the break to forge a certificate for X. This certificate will say that MD4 is the digest algorithm. The public key part of the signature will be borrowed from a genuine certificate, which may use MD4 or something else. You haven't defended against this attack by using SHA-1 yourself, except in the restricted sense that you won't have to get a new certificate now people are (presumably) stopping using MD4. The only way the impact of an MD4 break can be eliminated is by updating the browsers (which is equivalent to you only accepting the strong method in your example). Site operators themselves can do nothing. (You probably realised this and thought I was saying something more interesting, but I wasn't! :-) ) -- Pete From brg@gladman.plus.com Tue, 12 Jun 2001 14:22:05 +0100 Date: Tue, 12 Jun 2001 14:22:05 +0100 From: Brian Gladman brg@gladman.plus.com Subject: Wired: MS Monopolizes UK Govt Site From: "Pete Chown" To: Sent: Tuesday, June 12, 2001 1:41 PM Subject: Re: Wired: MS Monopolizes UK Govt Site > Brian Gladman wrote: > > > From: "Pete Chown" > > > > ... systems are only as secure as their weakest link. If you have > > > a way of producing MD4, MD2 or DES/MDC-2 preimages with the > > > characteristics you want, you have broken the web PKI. > > > > > > Because web browsers will accept weaker certificates, you don't gain > > > anything by using a stronger one yourself. > > > If a public key is signed using two different methods, one weak and one > > strong, but I accept only the strong method, in what way does the existence > > of a weak signature reduce my security in accessing the site? > > It doesn't. But imagine a site X which has a certificate using SHA-1 > as the digest algorithm. Now say someone has broken MD4 and uses the > break to forge a certificate for X. This certificate will say that > MD4 is the digest algorithm. The public key part of the signature > will be borrowed from a genuine certificate, which may use MD4 or > something else. > > You haven't defended against this attack by using SHA-1 yourself, > except in the restricted sense that you won't have to get a new > certificate now people are (presumably) stopping using MD4. The only > way the impact of an MD4 break can be eliminated is by updating the > browsers (which is equivalent to you only accepting the strong method > in your example). Site operators themselves can do nothing. > > (You probably realised this and thought I was saying something more > interesting, but I wasn't! :-) ) Thanks Pete, As you say, I thought that you might have more than this in mind. I assume that the issue you are raising is one of the extent of the control which clients and servers can exert over certificate use? Brian From Pete.Chown@skygate.co.uk Tue, 12 Jun 2001 15:22:19 +0100 Date: Tue, 12 Jun 2001 15:22:19 +0100 From: Pete Chown Pete.Chown@skygate.co.uk Subject: Wired: MS Monopolizes UK Govt Site Brian Gladman wrote: > As you say, I thought that you might have more than this in mind. :-) I haven't got more than this in mind. > I assume that the issue you are raising is one of the extent of the control > which clients and servers can exert over certificate use? Yes exactly. I think the answer is that only the party relying on a certificate can have control... Any server controls could be operated by a bogus server as well as a legitimate one. "I am microsoft.com and MD4 certs are now acceptable from this domain. To prove I am allowed to exercise this control, here is my (MD4) cert..." BTW, there was something I wanted to ask you -- I will ask on the list because it is probably of interest to others too. In Ross Anderson's book you are quoted as saying that military use of tamper resistance is far in advance of civilian use. Are you able to amplify on that at all? In particular, are you saying that military products are more resistant to tampering, or that tamper resistant products are exploited more fully? -- Pete From matthew@idrach.com Tue, 12 Jun 2001 15:29:12 +0100 Date: Tue, 12 Jun 2001 15:29:12 +0100 From: Matthew Pemble matthew@idrach.com Subject: EFCE 2001 Any one else going to this? -- Matthew Pemble Eur Ing CEng MIEE MBCS AIMgt Technical Director Idrach Ltd Tel: + 44 (0) 7050 128620 Fax: + 44 (0) 1324 610367 Email: matthew@idrach.com Web: www.idrach.com From brg@gladman.plus.com Tue, 12 Jun 2001 16:13:30 +0100 Date: Tue, 12 Jun 2001 16:13:30 +0100 From: Brian Gladman brg@gladman.plus.com Subject: Wired: MS Monopolizes UK Govt Site From: "Pete Chown" To: Sent: Tuesday, June 12, 2001 3:22 PM Subject: Re: Wired: MS Monopolizes UK Govt Site > Brian Gladman wrote: > > > As you say, I thought that you might have more than this in mind. > > :-) I haven't got more than this in mind. > > > I assume that the issue you are raising is one of the extent of the control > > which clients and servers can exert over certificate use? > > Yes exactly. I think the answer is that only the party relying on a > certificate can have control... Any server controls could be operated > by a bogus server as well as a legitimate one. "I am microsoft.com > and MD4 certs are now acceptable from this domain. To prove I am > allowed to exercise this control, here is my (MD4) cert..." A server might, however, say "only certificates of 'type X' are issued for this site" where 'type X' is strong. But I agree that this would be a procedural rather than a technical control mechanism. > BTW, there was something I wanted to ask you -- I will ask on the list > because it is probably of interest to others too. In Ross Anderson's > book you are quoted as saying that military use of tamper resistance > is far in advance of civilian use. Are you able to amplify on that at > all? In particular, are you saying that military products are more > resistant to tampering, or that tamper resistant products are > exploited more fully? In basic terms I simply meant that military cryptographic systems have had to include tamper resistance for many years in response to real threats posed by enemies who can deploy sophisticated ways of overcoming such techniques. It is hence not surprising that the methods used are some way ahead of what we see commercially. This is also true for another reason because the designers of military cryptographic systems that might be subject to physical attack can consider the use of techniques that would almost certainly be too risky in commercial situations. For example, detonating an explosive charge mounted on a crypto when under threat is an approach that I assume would not be likely to be acceptable in most commercial situations. More generally I doubt that there is now any significant military/government lead in terms of crypto algorithm performance but there is still a significant lead in terms of implementation techniques that can provide implementations that are capable of approaching the strength of the algorithms in use. The real name of the game now is in 'systems assurance' and here commercial systems are some way behind because this is extremely expensive when done properly and is judged not to be cost effective by most non-government customers. Brian From jeremysj@pobox.com Tue, 12 Jun 2001 12:14:10 +0100 Date: Tue, 12 Jun 2001 12:14:10 +0100 From: Jeremy Scott-Joynt jeremysj@pobox.com Subject: Wired: MS Monopolizes UK Govt Site I have to declare an interest here. I'm a long-time user of Macs over PCs, and will stay that way as long as i can. and I'll freely admit that biases me against HMG's move here. On the flipside, though, we are talking about a government project. And for the government to demand that all use not only a single vendor's products, but also the newest versions thereof, is daft. For one simple reason. what happens to the projects out there equipping the less rich in our society with perhaps less than full-spec machines to give them an 'in' to the wired world? Like, I suspect, many people on this list, I've given old machines to people before now rather than sell them, so that they can get some kind of access. Admittedly mine have been Macs, but the principle remains. So what this MS-sponsored botch job does is disenfranchise anyone with an old, creaky machine that they can't possibly afford to upgrade, or one that their employer has -- in all good faith -- made available when it became obsolete for up-to-the-minute office purposes. Alternatively, consider a village 10 or 12 miles from the nearst large town. the village library can't possibly afford whizbang kit but at least has some kind of machine or two sitting on a desk, via which access to government services would be available for those with no computer of their own, and for whom access to even local government offices, let alone jobcentres or benefit/revenue agencies, is an unreliable bus ride away. they'll be left out of the picture on current thinking. someone want to tell me how this squares with policy on social exclusion? I understand Owen's point from a designer's perspective. But this project can't be run from a designer's perspective: the aim of any project like this has to be the maximum access for the maximum number of people. and regardless of my own ire about having my own favourite platform shut out, that's the most important point about why giving MS the farm like this is a huge political, as well as technical, error. best to all, Jeremy ______________________ Jeremy Scott-Joynt Correspondent, AFX News t +44 (0)20 7422 4897 f +44 (0)870 130 8924 m +44 (0)797 325 7380 e jeremysj@pobox.com ----- Original Message ----- From: "Owen Blacker" To: Sent: Tuesday, June 12, 2001 9:40 AM Subject: RE: Wired: MS Monopolizes UK Govt Site -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Pete Mitchell quoth: > > It really is unbelievable. I have got used to NHS departments putting > stuff up in Word, which is bad enough, but this! How dare they claim they > are making it compatible with as many browsers as possible, while > displaying a message like this? How many other websites - let alone govt > websites that are supposed to be addressing the whole population - give > you a message of this kind? > > Why do they need maximum security on a public website? Why must we accept > cookies? Why must we run Javascript? > > Is there any sign of an answer to any of these questions yet? Whilst I agree with you in principle -- the government's websites should be as inclusive as possible -- to be fair to the developers of the site, it is often impractical to support every browser running on every platform. OK, whilst this is less the case when you can just curtail your ćsthetic enthusiasm and sacrifice eyecandy for inclusivity, it is quite an important point [to people who develop websites, like me; consider that a declaration of interest *GRIN*] Most of the websites I have developed professionally have only ever supported the big browsers. Quite a few of those refuse admission to users using other browsers. Frankly, it is usually not worth our time as developers (and thus our clients' money) to make sure that absolutely everything should be able to get in to absolutely every part of every site. Whilst I would have flamed myself for saying this four years ago, as someone who now does this kind of work professionally, it really is difficult enough supporting half a dozen minor versions of two browsers on, say, two operating systems (for the sake of argument, let's say we're only supporting IE 4+ or Netscape 4.06+ running on either 32-bit Windows or MacOS (System 8.x or 9.x)). As the overwhelming majority of users (to ~all~ of our clients' sites, afaiaa) use IE 5.x running on Windows 98 or Windows ME (with a few Windows NT users, who are presumably surfing from work), it just isn't cost-efficient to support Conqueror running on RedHat / KDE or Netscape 6 on a Mac, for example. In principle, I agree with you, ~particularly~ for a site that doesn't necessarily need ćsthetic whistles and bells, but, in practice, I don't think I -- or any agency I know much about -- would have done anything different, in those regards, at least. The main places where I think we are right to criticise the Government Gateway is (a) they are wrongly claiming to be inclusive -- I think they should just not claim that, (b) they are very unclear about why users are being excluded and make no attempt to justify this exclusion (but I don't feel that justification is necessarily useful) and (c) they don't make it clear when, if ever, specific classes of excluded users will be allowed in. They have handled the users' expectations rather badly, as one of my colleagues would doubtless say. If anyone wants to flame my views, feel free to do so off-list, as I'm definitely pushing us off-topic, but I just wanted to explain what I see as a relatively common practice, at least amongst sites I have seen or worked upon. (And yes, I know that this means implicitly that I'm helping Microsoft's evil monopoly, don't bother flaming me about that, cos it'd be dull :o) Just my two penneth... O x - -- Owen Blacker Senior Software Developer / InfoSec Consultant Wheel: Clerkenwell See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys Sig 0x00036874 | d39f b776 fa20 c125 b0e2 aa6d 555e 4126 0003 6874 - -- Opinions are mine. My employer and their clients can get their own! -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! iQA/AwUBOyXVAlVeQSYAA2h0EQK5+ACeJ91RqpaHxEMyMtmRrPdtp7fNQUwAoKDY 32xS8Az13FgxUK5/fb/iPyXX =dzYu -----END PGP SIGNATURE----- _____________________________________________________________________ This message has been checked for all known viruses by UUNET delivered through the MessageLabs Virus Control Centre. For further information visit http://www.uk.uu.net/products/security/virus/ From alastair@calliope.demon.co.uk Tue, 12 Jun 2001 21:39:05 +0100 Date: Tue, 12 Jun 2001 21:39:05 +0100 From: alastair alastair@calliope.demon.co.uk Subject: Wired: MS Monopolizes UK Govt Site On Tue, Jun 12, 2001 at 09:40:38AM +0100, Owen Blacker wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Pete Mitchell quoth: > > > > It really is unbelievable. I have got used to NHS departments putting > > stuff up in Word, which is bad enough, but this! How dare they claim they > > are making it compatible with as many browsers as possible, while > > displaying a message like this? How many other websites - let alone govt > > websites that are supposed to be addressing the whole population - give > > you a message of this kind? > > > > Why do they need maximum security on a public website? Why must we accept > > cookies? Why must we run Javascript? > > > > Is there any sign of an answer to any of these questions yet? > > Whilst I agree with you in principle -- the government's websites should be > as inclusive as possible -- to be fair to the developers of the site, it is > often impractical to support every browser running on every platform. Owen, I have to respectfully and completely disagree. I believe it is practical and possible to create web sites/pages that can be used from any browser on any platform, including a text based browser such as Lynx. I think you are letting these people (and yourself I'm afraid) off the hook too easily. I think this is true as long as the page has textual information to impart but I would make an exception for sites that are more art or entertainment orientated. I am of the impression that the government has decided to use Microsoft as a main supplier for much of their IT infrastructure. I might even be correct in thinking that MS built this government portal. I posit that the 'developers' of this site have the skill and knowledge to create a web site that works in all (or most) browsers. After all, Microsoft's own main web site seems to work happily in every browser I've used - even Lynx. By a strange coincidence this evening, I had also just read JWZ on this type of braindamage ; http://www.jwz.org/gruntle/design.html And finally, ofcourse, this is a government portal, for god's sake! So much for the great universality of the web and HTML. The early promise has been well and truly betrayed. This web site is supposedly there to enable the public to easily access government information. It's a farce. As Pete asks, "Why do they need maximum security on a public website?". Why do they need it just to access the main page? What's all this garbage about a 'digital certificate' mismatch? To access the home page?? So ... to be fair to the developers of this site - they've screwed up and have to fix it ASAP. Welcome to the UK. A leader in e-commerce. Cheers, -- Alastair | alastair@calliope.demon.co.uk | http://www.calliope.demon.co.uk | PGP Key : A9DE69F8 ------------------------------------------------------------------- From akm@92tr.freeserve.co.uk Wed, 13 Jun 2001 01:58:13 +0100 Date: Wed, 13 Jun 2001 01:58:13 +0100 From: Adrian Midgley akm@92tr.freeserve.co.uk Subject: Wired: MS Monopolizes UK Govt Site From: Owen Blacker "Most of the websites I have developed professionally have only ever supported the big browsers. Quite a few of those refuse admission to users using other browsers." Weird behaviour IMHO, refusing. "it really is difficult enough supporting half a dozen minor versions of two browsers on, say, two operating systems" hence the W3C standards. Support those, and as discussed in www.alistapart.com you support all browsers...now and in the future. Do you think that a proportion of users of a gov gateway might be using a web-TV set top box to get access from their home over thier cable connection in the near future - MS have managed to block them out. But coming back onto Crypto topic... It is a commonplace at least here that open code is more secure or more trustworthy than secret code. Now the only common browser that are open source are the Mozilla ones, and we see that they do not handle certificates in a way which satisfies MS... Extending this a little, perhaps if the security part of the gateway is seen to work with several browsers we might feel more confident that there is not a conspiracy to foist a breakable encryption implementation on us than if there is only one browser that can work with it? What do governments do when they realise they have had their name attached to a set of lies? Just reflect that it makes a change, or do they take appropriate notice? -- Midgley From Graeme.Burnett@acm.org Tue, 12 Jun 2001 18:54:21 +0100 Date: Tue, 12 Jun 2001 18:54:21 +0100 From: Graeme Burnett Graeme.Burnett@acm.org Subject: EFCE 2001 Sure http://www.efce.net for registration and accommodation. Graeme Burnett Director Security Engineering UBS Warburg +(44) 20 7568 2806 Matthew Pemble wrote: > Any one else going to this? > > -- > Matthew Pemble > Eur Ing CEng MIEE MBCS AIMgt > > Technical Director > Idrach Ltd > > Tel: + 44 (0) 7050 128620 > Fax: + 44 (0) 1324 610367 > > Email: matthew@idrach.com > Web: www.idrach.com From donald@ramsbottom.co.uk Wed, 13 Jun 2001 07:03:44 +0100 Date: Wed, 13 Jun 2001 07:03:44 +0100 From: Donald ramsbottom donald@ramsbottom.co.uk Subject: Cryptobox This looks interesting: http://cryptobox.sourceforge.net/new/index.html Thanks to JY at Cryptome. It could be snake oil, but the tone of the site does not appear to suggest this. Donald Ramsbottom BA LLb (Hons) PGdip Ramsbottom & Co Solicitors Internet and Global Encryption Law Specialists & General UK Law Matters 5 Seagrove Avenue Hayling Island Hampshire UK Tel (44) 023 9246 5931 Fax (44) 023 9246 8349 Regulated by the Law Society in the conduct of Investment business Service by Fax or Email NOT accepted From donald@ramsbottom.co.uk Wed, 13 Jun 2001 07:36:44 +0100 Date: Wed, 13 Jun 2001 07:36:44 +0100 From: Donald ramsbottom donald@ramsbottom.co.uk Subject: Kuddus v Chief Constable of Leicestershire Constabulary This case deals with damages for misfeasance in public office, in effect the redress/compensation an individual has for oppresive use of the state or public machinery against an individual. It is from today's Times Law report. As ever ignore if you do not like law. Kuddus v Chief Constable of Leicestershire Constabulary Before Lord Slynn of Hadley, Lord Mackay of Clashfern, Lord Nicholls of Birkenhead, Lord Hutton and Lord Scott of Foscote Speeches June 7, 2001 The fact that misfeasance in public office was not a tort for which exemplary damages had been awarded before 1964 did not preclude the plaintiff's claim for exemplary damages based on the defendant chief constable's vicarious liability for oppressive, arbitrary or unconstitutional action by a police constable. The House of Lords allowed an appeal by the plaintiff, Omar Kuddus, from the majority decision of the Court of Appeal (Lord Justice Beldam and Sir Christopher Staughton, Lord Justice Auld dissenting) (The Times March 16, 2000) dismissing his appeal from the order of Mr Recorder Stephen Waine at Leicester County Court who, on November 26, 1998, had struck out his claim for exemplary damages for the misfeasance in office of a police constable who had forged his signature to a statement purporting to withdraw a complaint about the theft from his home of goods worth some =A36,000. Mr David Harris, QC and Mr Nicholas George for the plaintiff; Mr Guy Mansfield, QC, Mr Simon Freeland and Miss Georgina Kent for the chief constable. LORD SLYNN said that the issues of law raised could have been more satisfactorily dealt with after the facts had been found. The chief constable admitted the forgery and that it amounted to misfeasance in public office. He accepted that the plaintiff had a viable claim for aggravated damages but contended that exemplary damages were not recoverable. The parties agreed that an award of exemplary damages might be made in appropriate cases even though, being punitive in nature, it was inconsistent with the principle that damages were intended to be= compensatory. As the law now stood, that agreement was well founded: see Rookes v Barnard ((1964) AC 1129). Lord Devlin there (at pp1225-1226) had said that exemplary damages were available in three categories of case: the first being oppressive, arbitrary or unconstitutional action by the servants of the government. It seemed to his Lordship that there was nothing in Lord Devlin's analysis that required that a claim should also constitute a cause of action that had before 1964 been accepted as grounding a claim for exemplary damages, as had been held in AB v South West Water Services Ltd ((1993) QB 507) in reliance on Broome v Cassell and Co Ltd ((1972) AC 1027). Having considered the speeches in Broome 's case, his Lordship did not consider that the House was bound by a clear or unequivocal decision therein to hold that the power to award exemplary damages was so limited. Nor did he consider that it should be. In any event, like Lord Justice Auld, he did not think that the courts should be required to undertake a trawl of the authorities to decipher whether awards of damages for misfeasance prior to 1964 might have included an award for exemplary damages. That would be all the more difficult given that the distinction between exemplary and aggravated damages had not been clearly articulated before Rookes v Barnard . To adopt such a rigid rule limited the future development of the law, even within Lord Devlin's restrictive categories, in a way contrary to the normal practice of the courts. It was also to be borne in mind that the Law Commission in its report Aggravated, Exemplary and Restitutional Damages ((1997, LC No 247 paragraph 5.49) had recommended that the availability of punitive damages be extended for most torts, rejecting the rationally indefensible position which the common law reached in deciding claims on the basis of the existence or absence of pre-1964 precedents. It would not be right in the present case to consider reopening the whole question as to whether exemplary damages should be available at all. The House had clearly refused in Rookes v Barnard and Broome's case to abolish the rule that they were in some cases available. As to whether it was arguable that they could be awarded in the present case for the tort of misfeasance in public office, it seemed to his Lordship from Lord Devlin's speech in Rookes v Barnard that it was the features of the behaviour rather than the cause of action that had to be looked at to decide whether the facts fell into his first category. For the purpose of the defendant's strike-out application it was accepted that they did so fall. The claim for exemplary damages should not have been struck out on the basis argued before the House. The question whether in principle the chief constable could be vicariously liable had not been argued and his Lordship did not think it right to discuss or rule on it. LORD MACKAY, concurring, said that the mere fact that the tort sued on was that of misfeasance in public office did not determine whether it carried the power to award exemplary damages. That issue was determined by whether the factual situation was covered by either of Lord Devlin's formulations. His Lordship had found the consideration of the measure of exemplary damages in vicarious liability cases somewhat perplexing. While the defendant's means might be important in considering an award against him personally, where the case was one of vicarious liability it was somewhat difficult to accept that the relevant means were those of the defendant rather than the wrongdoer. Since the point had not been argued his Lordship expressed no concluded view on it. LORD NICHOLLS, concurring, said that exemplary damages were a controversial topic and had been for many years. If exemplary damages were to continue as a remedial tool, as recommended by the Law Commission, the difficult question arose of the circumstances in which they should be available. In Rookes v Barnard Lord Devlin had drawn a distinction between oppressive acts by government officials and similar acts by companies or individuals. He had considered that exemplary damages should not be available in the case of non-governmental oppression or bullying. His Lordship doubted the soundness of that distinction today. National and international companies could exercise enormous power. So did some individuals. LORD HUTTON, concurring, said that, as the point had not been argued, he expressed no concluded opinion as to whether exemplary damages should continue to be awarded in England, but a number of cases decided in Northern Ireland during the past 30 years of terrorist violence supported Lord Devlin's opinion in Rookes v Barnard that in certain cases exemplary damages served a valuable purpose in restraining the arbitrary and outrageous use of executive power and vindicating the strength of the law: see, for example Lavery v Ministry of Defence ((1984) NI 99) and Pettigrew v Northern Ireland Office ((1990) NI 179). Moreover, in some circumstances where a group of soldiers or police officers committed some outrageous act in the course of a confused and violent confrontation it might be very difficult to identify the individual wrongdoer so that criminal proceedings might be brought against him to punish and deter such conduct, whereas an award of exemplary damages to mark the court's condemnation of the conduct could be made against the Minister of Defence or the chief constable under the principle of vicarious liability. LORD SCOTT, concurring, said that the function of an award of damages was to compensate the claimant. An award of exemplary damages, the intention of which was not compensation but punishment, was an anomaly, as Lord Devlin had recognised in Rookes v Barnard. The continuing need for exemplary damages to control, deter and punish acts falling within Lord Devlin's first category was not obvious. Developments in the law since Lord Diplock's remarks in Broome's case (at pp1129-1130), had transformed the ability of the ordinary citizen to obtain redress. Oppressive, arbitrary and unconstitutional acts by members of the executive could be remedied through civil proceedings in the High Court. His Lordship would be receptive to a submission that exemplary damages should no longer be available, but that submission had not been made on the present appeal. The objection to exemplary damages awards in vicarious liability cases seemed to his Lordship to be fundamental. The defendant should not be liable to pay exemplary damages unless he had committed punishable= behaviour. There was no room for an award against an individual whose alleged liability was vicarious only and who had not done anything that constituted punishable behaviour. However, the point had not been dealt with in the courts below and not addressed by counsel before their Lordships. His Lordship's views should therefore be regarded as provisional. Donald Ramsbottom BA LLb (Hons) PGdip Ramsbottom & Co Solicitors Internet and Global Encryption Law Specialists & General UK Law Matters 5 Seagrove Avenue Hayling Island Hampshire UK Tel (44) 023 9246 5931 Fax (44) 023 9246 8349 Regulated by the Law Society in the conduct of Investment business Service by Fax or Email NOT accepted From roland@linx.net Wed, 13 Jun 2001 08:51:23 +0100 Date: Wed, 13 Jun 2001 08:51:23 +0100 From: Roland Perry roland@linx.net Subject: 'The Independent': Top Firms Retreat Into Bunker In message , Paul Leyland writes >I must point out that there has been a great movement towards >rather small rack-mount servers in recent years. Quite a lot these days >are only an inch or two thick. And quite a lot get stolen (Suns mainly). -- Roland Perry From roland@linx.net Wed, 13 Jun 2001 08:48:27 +0100 Date: Wed, 13 Jun 2001 08:48:27 +0100 From: Roland Perry roland@linx.net Subject: Wired: MS Monopolizes UK Govt Site In message <00e201c0f330$da542020$2789a8c0@39.afxlondon>, Jeremy Scott-Joynt writes >On the flipside, though, we are talking about a government project. And for >the government to demand that all use not only a single vendor's products, >but also the newest versions thereof, is daft. I used to work for a company designing set-top boxes to access the Internet. You know, the set-top boxes that everyone predicts will "by two years time" form the majority of internet access in the home. Well, I started that project three years ago... Anyway, it became painfully obvious that the last browser you'd be able to run on such a set-top box was MS Explorer, as they simply don't have enough horsepower, storage, or something to work the excessively fiddly user interface (one suggested cop-out is to always run in Kiosk mode, but I don't think that's acheivable). So perhaps folks in Govt should revisit the issue - or perhaps two years time will continue not to arrive. While on this subject, does anyone have a handheld or palmtop with WinCE, and does that browser work with the Govt Gateway? -- Roland Perry From ben@algroup.co.uk Wed, 13 Jun 2001 09:29:34 +0100 Date: Wed, 13 Jun 2001 09:29:34 +0100 From: Ben Laurie ben@algroup.co.uk Subject: Wired: MS Monopolizes UK Govt Site Adrian Midgley wrote: > > From: Owen Blacker > > "Most of the websites I have developed professionally have only ever > supported the big browsers. Quite a few of those refuse admission to > users using other browsers." > > Weird behaviour IMHO, refusing. And shamefully crap, to say the least. Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff From davidh@spidacom.co.uk Wed, 13 Jun 2001 09:29:01 +0100 Date: Wed, 13 Jun 2001 09:29:01 +0100 From: davidh@spidacom.co.uk davidh@spidacom.co.uk Subject: Wired: MS Monopolizes UK Govt Site On 12 Jun 01, at 21:39, alastair wrote: > including a text based browser such as Lynx. Upon which a number of text to speech systems are based. Some people may believe that keeping the blind out of the web is a good idea, some may just be ignorant of the issues. However, it will be somewhat embarassing for a government that claims to be inclusive if it emerges that the blind are discriminated against in its main offering. Any real web site developer should be aware of the work done in this area by the RNIB. There are comprehansive guidelines on the subject. -- David Hansen | davidh@spidacom.co.uk | PGP email preferred Edinburgh | CI$ number 100024,3247 | key number F566DA0E If I revoke this key, the only circumstance in which I will not be prepared to explain my reasons for doing so will be when UK government authorities have stipulated that providing such an explanation would be unlawful. See RIP Act 2000. From pete@dmed.demon.co.uk Wed, 13 Jun 2001 09:57:17 +0100 Date: Wed, 13 Jun 2001 09:57:17 +0100 From: Pete Mitchell pete@dmed.demon.co.uk Subject: Wired: MS Monopolizes UK Govt Site alastair wrote: > web site that works in all (or most) browsers. After all, Microsoft's own > main web site seems to work happily in every browser I've used - even > Lynx. > No longer quite true. The other day I went to MS's download site looking for a serial port driver, and discovered I can't use the site because it requires an Active-X browser. I don't believe, btw, that the govt website designers know or care how to design an open website. Few designers do. They just assume that the whole world works with top-of-the-range machines, with huge displays, all running the latest M$ OS and browser, because that is what they see around them in their own offices. Here Microsoft appears to have encouraged this misconception. As you would expect. Anyway, back to my serious question: Can anyone explain what they meant by saying this website needs "maximum security", and what that requires? I can understand that they don't want people breaking in and defacing it, but why does that mean that everybody has to use Explorer? And isn't the consensus on this list that Javascript and high security are very uneasy bedfellows? -- Pete Mitchell From kieran@snaz.com Wed, 13 Jun 2001 10:43:30 +0100 Date: Wed, 13 Jun 2001 10:43:30 +0100 From: Kieran Barry kieran@snaz.com Subject: Wired: MS Monopolizes UK Govt Site > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of alastair > > On Tue, Jun 12, 2001 at 09:40:38AM +0100, Owen Blacker wrote: > > > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > Pete Mitchell quoth: > > > > > > It really is unbelievable. I have got used to NHS > > > departments putting > > > stuff up in Word, which is bad enough, but this! How > > > dare they claim they > > > are making it compatible with as many browsers as > > > possible, while > > > displaying a message like this? How many other > > > websites - let alone govt > > > websites that are supposed to be addressing the whole > > > population - give you a message of this kind? > > > > > > Why do they need maximum security on a public website? > > > Why must we accept cookies? Why must we run Javascript? > > > > > > Is there any sign of an answer to any of these questions yet? > > > > Whilst I agree with you in principle -- the government's > > websites should be as inclusive as possible -- to be fair > > to the developers of the site, it is > > often impractical to support every browser running on > > every platform. > > Owen, > > I have to respectfully and completely disagree. I believe it is > practical and possible to create web sites/pages that can > be used from any browser on any platform, including a text > based browser such as Lynx. I think you are letting these > people (and yourself I'm afraid) off the hook too easily. I > think this is true as long as the page has textual information > to impart but I would make an exception for sites > that are more art or entertainment orientated. While it may be deplorable, it is standard operating procedure in the web design industry. Let's let Owen off the hook here. He's not responsible for the whole industry. The services offered by the site currently are: Electronic VAT Return (for VAT-registered businesses) MAFF IACS Area Aid Application (for farmers, and agents who complete MAFF forms on behalf of farmers) PAYE Internet Services (for employers and their agents) At least the VAT-related ones are sensitive, and a PKI is appropriate. (I would imagine that the others are pretty sensitive too...) So, should they allow people to move through the site right up to the point where they submit their docs and then say "Sorry, tough bananas"? Regarding use by lynx, we find on the site:

Which Government Services are available online?

So at least some of the site would be difficult to use with lynx because of use of pop-up boxes. But what of Earth brings the designers to use this? The whole site is a disaster. While you can access it without cookies, if you turn off javascript, (with IE) it drops you to the unsupported browser page. Regards Kieran From matthew@idrach.com Wed, 13 Jun 2001 11:07:16 +0100 Date: Wed, 13 Jun 2001 11:07:16 +0100 From: Matthew Pemble matthew@idrach.com Subject: Wired: MS Monopolizes UK Govt Site Pete Mitchell wrote: > > I don't believe, btw, that the govt website designers know or care how > to design an open website. Few designers do. They just assume that the > whole world works with top-of-the-range machines, with huge displays, > all running the latest M$ OS and browser, because that is what they see > around them in their own offices. Here Microsoft appears to have > encouraged this misconception. As you would expect. > Eerm, isn't the whole point that the Gateway site designers were Microsoft employees (or sub-contractors)? I don't expect "encouragement" was employed, more on the lines of direct instruction. -- Matthew Pemble Eur Ing CEng MIEE MBCS AIMgt Technical Director Idrach Ltd Tel: + 44 (0) 7050 128620 Fax: + 44 (0) 1324 610367 Email: matthew@idrach.com Web: www.idrach.com From R.Corrigan@open.ac.uk Wed, 13 Jun 2001 11:13:43 +0100 Date: Wed, 13 Jun 2001 11:13:43 +0100 From: R.Corrigan@open.ac.uk R.Corrigan@open.ac.uk Subject: Wired: MS Monopolizes UK Govt Site The Observer's take on how it happened: http://www.observer.co.uk/business/story/0,6903,504363,00.html and the response of Alan Mather (programme manager of the gateway) to the various criticisms: http://www.kablenet.com/newkable.nsf/Frontpage/C81D7FF6AC39A47A80256A6500472 34E?OpenDocument Ray Corrigan From roland@linx.net Wed, 13 Jun 2001 11:41:01 +0100 Date: Wed, 13 Jun 2001 11:41:01 +0100 From: Roland Perry roland@linx.net Subject: Wired: MS Monopolizes UK Govt Site In message <3B272AED.72F4@dmed.demon.co.uk>, Pete Mitchell writes >Can anyone explain what they meant >by saying this website needs "maximum security" They don't want somebody else filing a forgery of your tax return. Or telling their notification system that you've moved house, when you haven't. This "appears" to require some kind of authentication system, although it's not clear to me that the Fat Lady is likely to sing any time soon. -- Roland Perry | tel: +44 1733 207705 | roland@linx.org Director of Public Policy | fax: +44 1733 207729 | http://www.linx.net London Internet Exchange | mbl: +44 7050 604080 | /contact/roland From roland@linx.net Wed, 13 Jun 2001 11:42:56 +0100 Date: Wed, 13 Jun 2001 11:42:56 +0100 From: Roland Perry roland@linx.net Subject: Wired: MS Monopolizes UK Govt Site In message , Kieran Barry writes >So, should they allow people to move through the site right up to the >point where they Enter a section where they might be invited to... >submit their docs and then say "Sorry, tough >bananas"? That's fair enough, at this stage. But *everyone* should be able to get that far. -- Roland Perry | tel: +44 1733 207705 | roland@linx.org Director of Public Policy | fax: +44 1733 207729 | http://www.linx.net London Internet Exchange | mbl: +44 7050 604080 | /contact/roland From roland@linx.net Wed, 13 Jun 2001 11:43:33 +0100 Date: Wed, 13 Jun 2001 11:43:33 +0100 From: Roland Perry roland@linx.net Subject: Wired: MS Monopolizes UK Govt Site In message <20010613082826.4507E9C@liszt-02.ednet.co.uk>, davidh@spidacom.co.uk writes >However, it will be >somewhat embarassing for a government that claims to be inclusive >if it emerges that the blind are discriminated against in its main >offering. It might even be unlawful. -- Roland Perry | tel: +44 1733 207705 | roland@linx.org Director of Public Policy | fax: +44 1733 207729 | http://www.linx.net London Internet Exchange | mbl: +44 7050 604080 | /contact/roland From Pete.Chown@skygate.co.uk Wed, 13 Jun 2001 12:47:21 +0100 Date: Wed, 13 Jun 2001 12:47:21 +0100 From: Pete Chown Pete.Chown@skygate.co.uk Subject: Wired: MS Monopolizes UK Govt Site Alastair wrote: > I have to respectfully and completely disagree. I believe it is > practical and possible to create web sites/pages that can be used from > any browser on any platform, including a text based browser such as > Lynx. Have a look at our site, http://www.skygate.co.uk/ in a few browsers. It isn't perfect in Lynx but it is usable. It took a lot of effort to get it working that way. Netscape 4 was the biggest hassle; Lynx was easy compared to that! What's a pity is that the old open.gov.uk was pretty browser- independent. For some reason it was felt necessary to replace it with this new site which quite frankly is crap, whatever browser you are using. -- Pete From richard@highwayman.com Wed, 13 Jun 2001 12:55:39 +0100 Date: Wed, 13 Jun 2001 12:55:39 +0100 From: Richard Clayton richard@highwayman.com Subject: Wired: MS Monopolizes UK Govt Site -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In article , Roland Perry writes >In message <3B272AED.72F4@dmed.demon.co.uk>, Pete Mitchell > writes >>Can anyone explain what they meant >>by saying this website needs "maximum security" > >They don't want somebody else filing a forgery of your tax return. Only because they'd have to make a decision later on as to which of two returns was valid. After all, it would, in time, become clear that this had happened. I'd be upset if someone else could see my return - but that's NOT the problem you're describing. One should note that in the paper based world it is trivial to submit a return in someone else's name ...and with the shameful lack of authentication at pillar boxes and the lack of record keeping when people buy stamps, the miscreant is unlikely to be apprehended [but keep your DNA away from the sticky bits of the stamp and envelope!] so why does the online world have to be perfect when the offline world is getting along just fine without such perfection ? So what IS the reason for demanding more authentication in the online world ? Part of the answer, I suppose, is that a script kiddie would be able to submit millions of tax returns.... but some simple stats gathering (and inspection of the connecting IP address) would prevent all but the most subtle of such DoS attacks. However that sort of script detector is hard to think about (though probably not hard to do) so the government dumps the risk onto the individual ("keep this ID safe, lest someone else use it") and thinks that by this inconvenience they have solved the problem ((and surprise, surprise, almost no-one is using the online tax return system)). > Or >telling their notification system that you've moved house, when you >haven't. So you expect them to save money by not employing the basic security mechanisms that are essential when running this sort of application [eg send a non-forwardable indicator to the old address]?? This list, passim, has discussed how such systems are not always infallible; but they can work well. >This "appears" to require some kind of authentication system, an authentication system might assist - but it should never be the end of the story. If the system designers get the idea that the authentication system is infallible then they'll dispense with the other checks and balances -- which will cause problems sooner or later. Perhaps it would be best to build the system without authentication first (and therefore continue with the fraud and forgery systems that exist in the paper world). Then add the authentication at the end as an optional extra that acts as an extra barrier rather than being (as seems almost too likely) the only barrier to be cleared. - -- richard @ highwayman . com "Nothing seems the same Still you never see the change from day to day And no-one notices the customs slip away" -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBOydUuxfnRQV/feRLEQLjgQCgwBf8AgfPvn/JG/2PzZK44tRrwPcAni3j fvTVG4fXtsB+bvV0dFxb25Fv =EAIE -----END PGP SIGNATURE----- From roland@linx.net Wed, 13 Jun 2001 13:53:00 +0100 Date: Wed, 13 Jun 2001 13:53:00 +0100 From: Roland Perry roland@linx.net Subject: Wired: MS Monopolizes UK Govt Site In message , Richard Clayton writes >In article , Roland Perry > writes > >>In message <3B272AED.72F4@dmed.demon.co.uk>, Pete Mitchell >> writes >>>Can anyone explain what they meant >>>by saying this website needs "maximum security" >> >>They don't want somebody else filing a forgery of your tax return. > >Only because they'd have to make a decision later on as to which of two >returns was valid. Only if a suitable repudiation system is in place. >After all, it would, in time, become clear that this >had happened. > >I'd be upset if someone else could see my return Freedom of Information doesn't go that far then ;-) >- but that's NOT the >problem you're describing. > >One should note that in the paper based world it is trivial to submit a >return in someone else's name Not really, a normal Tax Return is a form with several vital personal details printed on it by the Tax Office. It would be an interesting exercise to forge one (for example, how do you get a blank one to overprint?) >so why does the online world have to be perfect when the offline world >is getting along just fine without such perfection ? Perhaps because it's easier to forge the documents? >So what IS the reason for demanding more authentication in the online >world ? Some of this is laziness and a lack of incentive to introduce a proper repudiation system into electronic transactions. If I write to someone and say my address has changed, then they have some physical evidence to examine, not least of which might be a conventional signature. >> Or >>telling their notification system that you've moved house, when you >>haven't. > >So you expect them to save money by not employing the basic security >mechanisms that are essential when running this sort of application [eg >send a non-forwardable indicator to the old address]?? Sadly, yes. Very very few organisations (even Government ones) do this. I know, I've moved quite often in the last ten years :-(( The only such advice I remember getting is from the Post Office (sorry, Consignia) when redirecting my mail. Even then they have a broken threat model. They refuse to redirect for more than 2 years. I have several annual mailings which if I forget to redirect at source could easily become material useful as identity theft if delivered at Consignia's insistence to the original address. -- Roland Perry | tel: +44 1733 207705 | roland@linx.org Director of Public Policy | fax: +44 1733 207729 | http://www.linx.net London Internet Exchange | mbl: +44 7050 604080 | /contact/roland From jth@st-andrews.ac.uk Wed, 13 Jun 2001 12:39:34 +0100 (BST) Date: Wed, 13 Jun 2001 12:39:34 +0100 (BST) From: John Henderson jth@st-andrews.ac.uk Subject: Scott McNealy: The Case Against Absolute Privacy On Tue, 5 Jun 2001, Jonathan Care wrote: > This raises interesting questions if OnStar is used by third-party agencies. > If Insurance Agencies use the data for actuarial purposes, spoofing messages > such as "Customer overrevs car" and "High wear on brake pads" from another > vehicle may indicate not only reckless driving, but also a high level of > stress on the part of the driver. More serious concerns exist when > considering access to OnStar by a law enforcement agency. Your concerns are well-founded, as this recent item taken from the RISKS Forum digest confirms. Date: Thu, 7 Jun 2001 08:44:52 -0400 From: "Chris Norloff" Subject: Computer reports unreported wreck You just can't outrun a satellite. A Merced, California, man took his fully equipped 2001 SUV out onto some nearby country roads, navigating swiftly and confidently with the optional OnStar Global Positioning System. When he got into an accident, he decided to run for it. But the guidance system had already notified OnStar headquarters of the accident, specifying where it had happened and giving a complete description of his vehicle to the California Highway Patrol. The officers followed a trail of coolant about a mile into an orchard, where they found and arrested the driver. [Source: *Road & Track* magazine, July 2001; PGN-ed] ---------------------------------------------------------------- John Henderson, IT Services, University of St Andrews, Tel : 01334-462761 John Honey Building, North Haugh, Fax : 01334-462759 St Andrews, Fife KY16 9SX, Scotland Email: jth@st-andrews.ac.uk ---------------------------------------------------------------- From richard@highwayman.com Wed, 13 Jun 2001 14:57:08 +0100 Date: Wed, 13 Jun 2001 14:57:08 +0100 From: Richard Clayton richard@highwayman.com Subject: Wired: MS Monopolizes UK Govt Site -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In article , Roland Perry writes >In message , Richard Clayton > writes >>One should note that in the paper based world it is trivial to submit a >>return in someone else's name > >Not really, a normal Tax Return is a form with several vital personal >details printed on it by the Tax Office. It would be an interesting >exercise to forge one (for example, how do you get a blank one to >overprint?) http://www.inlandrevenue.gov.uk/pdfs/2000_01/tax_return/SA100.pdf So all you need now is a real world address and an NI number. Neither are a very significant challenge. >>so why does the online world have to be perfect when the offline world >>is getting along just fine without such perfection ? > >Perhaps because it's easier to forge the documents? see above (also, most commercial tax return software will print the tax return as a whole). This idea of the difficulty of forgery seems to underpin various organisations wish to see requests "on headed notepaper". Clearly they have not (at any time in the past 10 years) considered the abilities of laser or bubble-jet printers. The same soggy thinking fails to consider the method by which forms and master copies of documents are produced in the first place! >>So what IS the reason for demanding more authentication in the online >>world ? > >Some of this is laziness and a lack of incentive to introduce a proper >repudiation system into electronic transactions. If I write to someone >and say my address has changed, then they have some physical evidence to >examine, not least of which might be a conventional signature. which they may or may not have a copy of... and may or may not bother to dig out and check. In practice you can now change your address by telephone with almost any organisation (some seem better at doing it that way than by letter). All you need for that (now that address databases are so widespread) is a postcode and a corresponding house number. Of course, using a database means that consistency checks within the address are no longer being carried out; but that's another story... I wonder if the concern about the electronic world is fear of the unknown by systems designers compounded by their inability to find anyone in the organization who understands their current security model. - -- richard @ highwayman . com "Nothing seems the same Still you never see the change from day to day And no-one notices the customs slip away" -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBOydxNBfnRQV/feRLEQKXCACg7e9/WFJOZyJ1YJ5Nf/cNeeNh31IAoL5N MVvy5RanOAWxLmWiFczk6ixn =w1bP -----END PGP SIGNATURE----- From roland@linx.net Wed, 13 Jun 2001 15:39:45 +0100 Date: Wed, 13 Jun 2001 15:39:45 +0100 From: Roland Perry roland@linx.net Subject: Wired: MS Monopolizes UK Govt Site In message , Richard Clayton writes >>how do you get a blank one to >>overprint?) > >http://www.inlandrevenue.gov.uk/pdfs/2000_01/tax_return/SA100.pdf That's not a blank form, it's an electronic version of a blank form which you could print out. It's rather different to the "real" blank form with "real" Inland Revenue preprinting on it. >(also, most commercial tax return software will print the tax >return as a whole). These should have stricter safeguards, but snail mailing them with real signatures is a start. > This idea of the difficulty of forgery seems to underpin various > organisations wish to see requests "on headed notepaper". Clearly > they have not (at any time in the past 10 years) considered the > abilities of laser or bubble-jet printers. The same soggy thinking > fails to consider the method by which forms and master copies of > documents are produced in the first place! Staplers that can authentically turn A3 into A4 booklets are still quite rare... >I wonder if the concern about the electronic world is fear of the >unknown by systems designers compounded by their inability to find >anyone in the organization who understands their current security model. Is it wrong for Government to have a higher security requirement than commerce? After all, having to sort out someone opting you out of SERPS several years ago without your knowledge is a bit more serious than Amazon delivering a book to somewhere wrong at the CC company's risk. -- Roland Perry | tel: +44 1733 207705 | roland@linx.org Director of Public Policy | fax: +44 1733 207729 | http://www.linx.net London Internet Exchange | mbl: +44 7050 604080 | /contact/roland From donald@ramsbottom.co.uk Wed, 13 Jun 2001 16:45:39 +0100 Date: Wed, 13 Jun 2001 16:45:39 +0100 From: Donald ramsbottom donald@ramsbottom.co.uk Subject: Wired: MS Monopolizes UK Govt Site At 11:43 AM 6/13/01 +0100, you wrote: >In message <20010613082826.4507E9C@liszt-02.ednet.co.uk>, >davidh@spidacom.co.uk writes >>However, it will be >>somewhat embarassing for a government that claims to be inclusive >>if it emerges that the blind are discriminated against in its main >>offering. > >It might even be unlawful. >-- > Roland Perry | tel: +44 1733 207705 | roland@linx.org Even worse, the new Home Secretary, who must have ultimate responsibility is blind! Now there is a story for the media hounds on this list....... The Blind disenfranchise the Blind........ I know it was not Blunkett that initiated it ( that was ultimately Sejackus, [now at foreign affairs]), but he should remedy not only this error, but all of them, and tell Microsoft they will not get paid until they do. Perhaps the recenty appointed eminister (http://www.cw360asp.com/eb/eb.asp?b=91&a=102923&i=256108 ) should get onto it! Donald Ramsbottom BA LLb (Hons) PGdip Ramsbottom & Co Solicitors Internet and Global Encryption Law Specialists & General UK Law Matters 5 Seagrove Avenue Hayling Island Hampshire UK Tel (44) 023 9246 5931 Fax (44) 023 9246 8349 Regulated by the Law Society in the conduct of Investment business Service by Fax or Email NOT accepted From Nigel.Metheringham@VData.co.uk 13 Jun 2001 13:19:04 +0100 Date: 13 Jun 2001 13:19:04 +0100 From: Nigel Metheringham Nigel.Metheringham@VData.co.uk Subject: Wired: MS Monopolizes UK Govt Site On 13 Jun 2001 12:55:39 +0100, Richard Clayton wrote: > ...and with the shameful lack of authentication at pillar boxes > and the lack of record keeping when people buy stamps, the > miscreant is unlikely to be apprehended [but keep your DNA away > from the sticky bits of the stamp and envelope!] Fortunately (!) the new self-adhesive stamps mean you aren't tempted to lick the stamp so reducing the likely level of DNA trace. Nigel. From davidh@spidacom.co.uk Wed, 13 Jun 2001 18:12:44 +0100 Date: Wed, 13 Jun 2001 18:12:44 +0100 From: davidh@spidacom.co.uk davidh@spidacom.co.uk Subject: Wired: MS Monopolizes UK Govt Site On 13 Jun 01, at 11:43, Roland Perry wrote: > >However, it will be > >somewhat embarassing for a government that claims to be inclusive if > >it emerges that the blind are discriminated against in its main > >offering. > > It might even be unlawful. Unfortunately, probably not Roland. Those who listen to "In touch" on Radio 4 will be familiar with the steady trickle of smug government officials trying to defend the indefensible and the lack of action against them. In recent months the census mob and the Home Office bunch have been exposed. Action against these characters, zero. Anyway, if something is unlawful the government soon changes the law, as those who remember that well known and extensive criminal Howard will recall. -- David Hansen | davidh@spidacom.co.uk | PGP email preferred Edinburgh | CI$ number 100024,3247 | key number F566DA0E If I revoke this key, the only circumstance in which I will not be prepared to explain my reasons for doing so will be when UK government authorities have stipulated that providing such an explanation would be unlawful. See RIP Act 2000. From roland@linx.net Wed, 13 Jun 2001 20:41:06 +0100 Date: Wed, 13 Jun 2001 20:41:06 +0100 From: Roland Perry roland@linx.net Subject: Wired: MS Monopolizes UK Govt Site In message <20010613171303.C80F4400C@liszt-01.ednet.co.uk>, davidh@spidacom.co.uk writes >> It might even be unlawful. > >Unfortunately, probably not Roland. Oh goody. I look forward to when they stop painting trains like Tonka Toys, then. -- Roland Perry From alastair@calliope.demon.co.uk Wed, 13 Jun 2001 23:11:58 +0100 Date: Wed, 13 Jun 2001 23:11:58 +0100 From: alastair alastair@calliope.demon.co.uk Subject: Wired: MS Monopolizes UK Govt Site On Wed, Jun 13, 2001 at 09:57:17AM +0100, Pete Mitchell wrote: > > Anyway, back to my serious question: Can anyone explain what they meant > by saying this website needs "maximum security", and what that requires? I think that's the wrong question. I can understand the requirement for 'maximum' security on a web site such as this, assuming some decent level of security in any transactions I might want to perform through it. Somewhere on it anyway. The question I would ask is "can anyone explain why they require 'maximum' security on their home page"? Where 'maximum' security means, for me, no access at all. Completely half-baked and almost certainly very expensive as well. Maybe we should look forward to an NAO inquiry a few years hence into the usual waste of our money on fancy IT schemes (in this case to a 'monopolist' as well). Oh well - let's see what transpires. That's me done on the subject (I think). Cheers, -- Alastair | alastair@calliope.demon.co.uk | http://www.calliope.demon.co.uk | PGP Key : A9DE69F8 ------------------------------------------------------------------- From akm@92tr.freeserve.co.uk Wed, 13 Jun 2001 23:41:51 +0100 Date: Wed, 13 Jun 2001 23:41:51 +0100 From: Adrian Midgley akm@92tr.freeserve.co.uk Subject: Wired: MS Monopolizes UK Govt Site From: Roland Perry >While on this subject, does anyone have a handheld or palmtop with >WinCE, and does that browser work with the Govt Gateway? Yes, and it does not. This is CE2 I think on an HP Journada. From jonc@lacunae.org Thu, 14 Jun 2001 00:06:27 +0100 Date: Thu, 14 Jun 2001 00:06:27 +0100 From: Jonathan Care jonc@lacunae.org Subject: (no subject) Dear All, I have a query for the big brains on this group. I am involved in a project that needs to be able to talk to banking credit card systems - Mastercard, Visa, Amex, and also debit cards such as Switch in the UK. My system needs to interface into the bank payment system, and present credit cards, gain authorisations, and make a transaction (payment/refund) as a normal EPOS terminal would. This system will not be internet connected, although the possibility of an IPSEC VPN for connectivity between parties exists. I would prefer to become a payment service provider directly, rather than rely on n third parties. Has anyone done some work in this area, and would be willing to either send me a white paper, or point me in the right direction of some good resources? I'd be happy to get some input off-line, and summarise back to the list for general information. Thanks in advance. With kind regards, Jonathan Care CISSP Tel/Fax: +44 7092 016192 From davidh@spidacom.co.uk Thu, 14 Jun 2001 07:11:06 +0100 Date: Thu, 14 Jun 2001 07:11:06 +0100 From: davidh@spidacom.co.uk davidh@spidacom.co.uk Subject: Wired: MS Monopolizes UK Govt Site On 13 Jun 01, at 13:53, Roland Perry wrote: > Not really, a normal Tax Return is a form with several vital personal > details printed on it by the Tax Office. One of the computer systems that I maintain is that of a firm of accountants. This prints out tax returns on plain A4 copier paper via a Laserjet 6 printer, these are then put in the post and sent off to the Inland Revenue, which accepts them. It would be easy for most computer literate people to forge one of these tax returns, given access to a sample. Customers include a few MSPs, MPs and the odd fairly famous person, none of whom would enjoy the publicity of a forgery. They used to be involved in the electronic lodgement system, but this was so stupid and time wasting that they reverted to paper, which is faster. The only check on internal forgeries is the honesty of those who operate the system and myself. I could send in hundreds of forged tax returns, but I don't even know the names of the famous people who are their customers and I have never even thought of looking them up. -- David Hansen | davidh@spidacom.co.uk | PGP email preferred Edinburgh | CI$ number 100024,3247 | key number F566DA0E If I revoke this key, the only circumstance in which I will not be prepared to explain my reasons for doing so will be when UK government authorities have stipulated that providing such an explanation would be unlawful. See RIP Act 2000. From kieran@snaz.com Thu, 14 Jun 2001 09:49:42 +0100 Date: Thu, 14 Jun 2001 09:49:42 +0100 From: Kieran Barry kieran@snaz.com Subject: Wired: MS Monopolizes UK Govt Site From: ukcrypto-admin@chiark.greenend.org.uk on Behalf Of alastair > > On Wed, Jun 13, 2001 at 09:57:17AM +0100, Pete Mitchell wrote: > > > > Anyway, back to my serious question: Can anyone explain > > what they meant by saying this website needs "maximum security", > > and what that requires? > > I think that's the wrong question. I can understand the requirement > for 'maximum' security on a web site such as this, assuming some > decent level of security in any transactions I might want to > perform through it. Somewhere on it anyway. The question I > would ask is "can anyone explain why they require 'maximum' > security on their home page"? Where 'maximum' security means, > for me, no access at all. Completely half-baked and almost > certainly very expensive as well. Maybe we should look forward > to an NAO inquiry a few years hence into the usual waste of > our money on fancy IT schemes (in this case to a 'monopolist' as well). > Actually, on the subject of questions.... An article defending the site was posted a couple of days ago. In it, it was claimed that the site used open standards. Well, they could claim that, being as TCP/IP is used... What I have started thinking about is formulating a question which: 1. requires a yes or no answer, 2. is understandable to the layman, 3. asks whether the gateway uses any non-standardised technology. My understanding is that the IETF standards require two working sample implementations before they accept a standard. If we could require the use of something that open, it would also be useful. The idea, of course, is that any evasion would be difficult. Then we need to feed it to a tame MP. Does anyone know the Kidderminster MP? He seems like a man of principle... Regards Kieran From k.brown@ccs.bbk.ac.uk Thu, 14 Jun 2001 10:00:45 +0100 Date: Thu, 14 Jun 2001 10:00:45 +0100 From: Ken Brown k.brown@ccs.bbk.ac.uk Subject: Wired: MS Monopolizes UK Govt Site Roland Perry wrote: > >One should note that in the paper based world it is trivial to submit a > >return in someone else's name > > Not really, a normal Tax Return is a form with several vital personal > details printed on it by the Tax Office. > It would be an interesting > exercise to forge one (for example, how do you get a blank one to > overprint?) I'm pretty sure mine doesn't have vital personal details on it. Even if it did you could phone them up & ask for a copy because you have lost/damaged yours. And say you have moved. You need to know (certainly) the name & date of birth of the taxpayer and (I strongly suspect) their employer details if they are in PAYE. You don't need to know NI number or any details of the tax office dealing with that person. I know this because I did lose a form and I did phone up and I had moved and I don't know my NI number. And now all I have to do is fill it in before they deduct another 100 pounds :-( Ken Brown (who used to write software for the Inland Revenue but that was a long time ago) From k.brown@ccs.bbk.ac.uk Thu, 14 Jun 2001 10:03:35 +0100 Date: Thu, 14 Jun 2001 10:03:35 +0100 From: Ken Brown k.brown@ccs.bbk.ac.uk Subject: Wired: MS Monopolizes UK Govt Site Kieran Barry wrote: > What I have started thinking about is formulating a question which: > 1. requires a yes or no answer, > 2. is understandable to the layman, > 3. asks whether the gateway uses any non-standardised technology. > > My understanding is that the IETF standards require two working sample > implementations before they accept a standard. If we could require > the use of something that open, it would also be useful. > > The idea, of course, is that any evasion would be difficult. > > Then we need to feed it to a tame MP. > > Does anyone know the Kidderminster MP? He seems like a man of > principle... Just ask the Home Secretary when he last used the site. From richard@highwayman.com Thu, 14 Jun 2001 11:18:24 +0100 Date: Thu, 14 Jun 2001 11:18:24 +0100 From: Richard Clayton richard@highwayman.com Subject: Wired: MS Monopolizes UK Govt Site -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In article , Roland Perry writes >In message , Richard Clayton > writes > >>>how do you get a blank one to >>>overprint?) >> >>http://www.inlandrevenue.gov.uk/pdfs/2000_01/tax_return/SA100.pdf > >That's not a blank form, it's an electronic version of a blank form >which you could print out. It's rather different to the "real" blank >form with "real" Inland Revenue preprinting on it. Indeed - but the Inland Revenue don't care whether the details on the first page were printed by them or written by you (or a forger pretending to be you). I've used these "blank" forms for the past four years and they work just fine - nary a quibble. The key point is that there is nothing special in the paper world that prevents you submitting a forgery that is not also present in the electronic world (the need to determine an NI number, the need to make employment appear to overlap with the previous year, a valid street address etc). Yes for the paper copy you will need to "sign" it ... (unless you pretend to be an accountant or executor). But they don't have a copy of your signature (except on last year's form) and will not be experts in signature verification anyway. I really don't see this as a high hurdle. It's not as if you have to sign it in front of them! >>I wonder if the concern about the electronic world is fear of the >>unknown by systems designers compounded by their inability to find >>anyone in the organization who understands their current security model. > >Is it wrong for Government to have a higher security requirement than >commerce? After all, having to sort out someone opting you out of SERPS >several years ago without your knowledge is a bit more serious than >Amazon delivering a book to somewhere wrong at the CC company's risk. The Government is a well-funded organisation with a large bureaucracy. As such, they are in a position to spend the time to unpick an event like your SERPS one and to underwrite any transfer of funds that is then required.... yes, it costs - but they amortise that over the whole of their tax base. Amazon are a much smaller organisation and may not have (originally!) budgeted for the costs involved in unpicking errors - so they might, on this argument, be expected to require more authentication before taking action. The presence of the credit card company in the transaction should not blind you to the fact that the risk is Amazon's (the merchant) because as soon as an item is disputed the credit card company will retrieve their money! Now of course Amazon require LESS identification than the Government does. They don't require any pre-registration before you use their system. I don't think this difference is because of the "serious" nature of Government transactions -- I suggest again, it's because their system designers don't understand how their current systems deal with threat - and they've been seduced by the technology vendors into believing that "electronic signatures" are an "electronic replacement for a signature". - -- richard @ highwayman . com "Nothing seems the same Still you never see the change from day to day And no-one notices the customs slip away" -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBOyiPcBfnRQV/feRLEQJ8fQCeLVk1/1cNeSEkPXDpauMFCk4Iq6QAoNAe dptPRF750p4yVyqKPV0lPZwB =bYDZ -----END PGP SIGNATURE----- From Q.G.Campbell@newcastle.ac.uk Thu, 14 Jun 2001 13:31:49 +0100 Date: Thu, 14 Jun 2001 13:31:49 +0100 From: Q G Campbell Q.G.Campbell@newcastle.ac.uk Subject: Illegal prime numbers I forward the following messages and URLs to this list as an interesting and relevant curiosity that many of you will enjoy. I do so on the spurious grounds that one URL make reference to the word "steganography" and all are related to legal issues previously discussed on this list! They might even provide an outline mathematical proof to show that the politicians who passed the DCMA are asses! :-) Probably best to start with the URL at the bottom and work upwards... Quentin -- PHONE: +44 191 222 8209 Computing Service, University of Newcastle FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU. ------------------------------------------------------------------------ "Any opinions expressed above are mine. The University can get its own." =20 > -----Original Message----- > From: C Gerrard [mailto:C.Gerrard@newcastle.ac.uk] > Sent: 14 June 2001 12:32 > To: ucs-all@ncl.ac.uk > Subject: RE: Converting Pi to binary: DON'T DO IT! >=20 >=20 > I'd love to argue this one with the lawyers :-) >=20 > Pi existed (in all possible number bases) long before humans. > Indeed all numbers already exist and therefore so do all=20 > possible (non-random) digital representations (eg text,=20 > digitised pictures, computer programs > etc) >=20 > Thus a finite digital representation of *anything* is already > pre-dated by some number! Indeed there may be some digit=20 > sequences which can represent all possible finite digital=20 > representations.=20 >=20 > It would be bizzare to consider that all claims for > patent/trademark protection of digital representations are=20 > disallowed simply because some "number" already existed, but=20 > it's even more bizzare to claim you can't talk about a number=20 > because someone has registered some patent/trademark on that=20 > same digital representation. >=20 > No-one "owns" bits. >=20 > The present notion of copyright etc. is going to collapse in > the onslaught of digitisation, they are intrinsically=20 > incompatible, and we need to think of a more sensible=20 > conceptual basis on which to found intellectual/ business=20 > rights protection - I've no idea what that might be. >=20 > Clive >=20 >=20 > > -----Original Message----- > > From: Denis Russell [mailto:Denis.Russell@ncl.ac.uk] > > Sent: 14 June 2001 12:02 > > To: ucs-all@ncl.ac.uk > > Subject: Converting Pi to binary: DON'T DO IT! > >=20 > >=20 > > The original article in RISKS is is at: > >=20 > > http://catless.ncl.ac.uk/Risks/21.42.html#subj5 > >=20 > > "Do NOT calculate Pi in binary....If you compute it, you will be=20 > > guilty of:..." > >=20 > > followed by a whole series of crimes. I thought it an amusing=20 > > theoretical exercise. Apparently not. It seems there may be at least > > one illegal prime number. (Actually I suspect there may be many -=20 > > you just scan binary versions of all sorts of items to look for ones > > that are prime.) > >=20 > > Be afraid... > >=20 > > > > > >------------------------------ > > > > > >Date: Mon, 12 Jun 2001 12:17:11 -0700 (PDT) > > >From: "Peter G. Neumann" > > >Subject: And you thought Keith Lynch was kidding! (Re: RISKS-21.42) > > > > > > http://www.utm.edu/research/primes/curios/48565...29443.html > > > > > >One of the strangest consequences of the DMCA is that it would seem > > >to outlaw possession of certain integers. The above URL gives the=20 > > >decimal form of a prime number whose HEX form just happens to be=20 > > >the gzip-ed C source code for DeCSS (which breaks the DVD Movie=20 > > >encryption -- see RISKS-21.37). This observation is due to Phil=20 > > >Carmody. > > > > > > [Thanks to Mark Brader for the Subject: line!] > > > > > >------------------------------ > > > =20 From paulfordh@uk.ibm.com Thu, 14 Jun 2001 10:59:44 +0100 Date: Thu, 14 Jun 2001 10:59:44 +0100 From: paulfordh@uk.ibm.com paulfordh@uk.ibm.com Subject: Wired: MS Monopolizes UK Govt Site I think we are getting to the nub of the issue here. Kieran Barry wrote: >My understanding is that the IETF standards require two working sample >implementations before they accept a standard. If we could require >the use of something that open, it would also be useful. Whilst this may be true, most new protocols move so fast that they are well deployed, accepted and interoperable before getting close to Standards Track. (just look at the whole PCT vs SSL vs TLS issue.) If you want to be picky, SSL is a proprietary Netscape protocol that they then published, TLS is the one true way for standards advocates. Should the site stop using SSL ? I think the issue can probably be easily explained by reference to the Observer article we were pointed at yesterday. (http://www.observer.co.uk/business/story/0,6903,504363,00.html) A) "and charged him with using the internet to link UK citizens to their government." and B) "to create a technical solution by January 2001 that would meet requirements." Now, if A) is the requirement then B) is satisfied with the 'solution' we have today. It is my experience from being involved in many design discussions that non-technical people have a very hard time differentiating between - The Internet - Protocols - Standard Protocols - Client Implementations - Interoperable Implementations And who can blame them, especially when the Standards process is (necessarily) so slow. Where HMG were remiss, IMHO, is that they (probably) never specified to their supplier what the client platform options must be. Either that, or they got railroaded by MS into accepting an 'initial' deployment that only works with IE (stupid, but expedient). Of course they might have been very naive and actually agreed that MS was the one true way - I guess they talked to some quite persuasive people. Cheers, Paul (my views only - not my employers) From donald@ramsbottom.co.uk Thu, 14 Jun 2001 15:54:28 +0100 Date: Thu, 14 Jun 2001 15:54:28 +0100 From: Donald ramsbottom donald@ramsbottom.co.uk Subject: Illegal prime numbers Great! I love this stuff even if Ido not fully understand, I do comprehend a little. The trouble is the Judges are by and large no techies ( that is why they are lawyers and not technocrats), so while the technical argument may be sound; (I'll leave others to discuss that), the chances of the argument being accepted, is I'm afraid, very remote. Having said all of that, I'd love to give the argument a go, and I hope the defendants in the various MPAA actions lawyers have a look to expose the DMCA for what it is a load of twaddle. Donald Ramsbottom BA LLb (Hons) PGdip Ramsbottom & Co Solicitors Internet and Global Encryption Law Specialists & General UK Law Matters 5 Seagrove Avenue Hayling Island Hampshire UK Tel (44) 023 9246 5931 Fax (44) 023 9246 8349 Regulated by the Law Society in the conduct of Investment business Service by Fax or Email NOT accepted From owen.blacker@wheel.co.uk Thu, 14 Jun 2001 16:42:24 +0100 Date: Thu, 14 Jun 2001 16:42:24 +0100 From: Owen Blacker owen.blacker@wheel.co.uk Subject: Wired: MS Monopolizes UK Govt Site (OT) =20 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ~Very~ briefly. I wrote: > > > > Whilst I agree with you in principle -- the government's > > > websites should be as inclusive as possible -- to be fair > > > to the developers of the site, it is > > > often impractical to support every browser running on > > > every platform. In reply, alastair wrote: > > I have to respectfully and completely disagree. I believe it is > > practical and possible to create web sites/pages that can > > be used from any browser on any platform, including a text > > based browser such as Lynx. I think you are letting these > > people (and yourself I'm afraid) off the hook too easily. I > > think this is true as long as the page has textual information > > to impart but I would make an exception for sites > > that are more art or entertainment orientated. And, in my defence, Kieran Barry wrote: > While it may be deplorable, it is standard operating procedure in > the web design industry. Let's let Owen off the hook here. He's > not responsible for the whole industry. Separately, Adrian Midgley wrote: > "it really is difficult enough supporting half a dozen minor versions > of two browsers on, say, two operating systems" >=20 > hence the W3C standards. Support those, and as discussed in > www.alistapart.com you support all browsers...now and in the future. I'm very aware that this is (a) drastically off-topic and (b) rather = out of date, as I've been away from my email for 36 hours, so I will be very brief. I'm not gonna justify my comments here, as they're off topic. If = anyone really wants me to justify them, mail me off list. Whilst I think the situation where several browsers used by a minute fraction of the visiting public (yes, I have statistics to justify that statement :o) are excluded is less than ideal, I really ~do~ think = that it is a pragmatic, realistic and sensible commercial decision not to = support them. It is almost certainly standard practice across the industry and I = honestly believe that anyone who thinks that it is realistic for it not to be is more than a little na=EFve (and that's not meant as a personal attack = on anyone, promise :o) Whilst there are indeed beautiful standards from those nice guys at the = W3 Consortium, anyone who thinks that all those pretty bells and whistles = so liked by clients and designers can successfully be implemented whist conforming to all the standards has obviously never tried to do so, as = a glance at the discussion fora at www.alistapart.com will show you. That said, I also think that this entire line of conversation is = completely irrelevant, as I don't think that is why the Govt Gateway site sucks. = The problem is that the Government took bad advice from a company with a = vested interest and a history of abusing their market position but forgot to = look for that pinch of salt to take with it. Then, they claimed the reason = why Joe Public couldn't access the site using Their Favorite Browser(tm) = was because of the crypto, which was obviously bollocks. I'm not saying don't bitch about it, I'm just saying bitch about the = right thing (and, by the way, you're wrong in how you're bitching about it originally). If that doesn't make any sense -- or if you still disagree -- mail me = off list and I'm more than happy to justify my position. Or just realise = that it's really healthy for people to disagree on stuff and let it lie. = But please don't leave this on list, cos I'm sure we must be boring a lot = of people with much better things to do now... *GRIN* OK, that was less brief than I meant. Sorry an' all. :o) All the best, O x - --=20 Owen Blacker Senior Software Developer / InfoSec Consultant Wheel: Clerkenwell See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys Sig 0x00036874 | d39f b776 fa20 c125 b0e2 aa6d 555e 4126 0003 6874 - --=20 Opinions are mine. My employer and their clients can get their own! -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! iQA/AwUBOyja01VeQSYAA2h0EQILpACeMp4I16m1zkz094E5ltj/BOwrgAYAnjAb 3z9/Mlmj2ErevzRhUM0WY+Ks =3DYqtt -----END PGP SIGNATURE----- _____________________________________________________________________ This message has been checked for all known viruses by UUNET delivered through the MessageLabs Virus Control Centre. For further information visit http://www.uk.uu.net/products/security/virus/ From chl@clw.cs.man.ac.uk Thu, 14 Jun 2001 20:20:49 +0100 (BST) Date: Thu, 14 Jun 2001 20:20:49 +0100 (BST) From: Charles Lindsey chl@clw.cs.man.ac.uk Subject: Wired: MS Monopolizes UK Govt Site (OT) On Thu, 14 Jun 2001 16:42:24 +0100 Owen Blacker said... > Whilst I think the situation where several browsers used by a minute > fraction of the visiting public (yes, I have statistics to justify that > statement :o) are excluded is less than ideal, I really ~do~ think that it > is a pragmatic, realistic and sensible commercial decision not to support > them. Yes, but: A. The government is not supposed to be maing "commercial" decisions, and B. The proper thing to do is to say that the site requires the following protocols: HTML version X JavaScript Java TLS whatever else (even some proprietary protocols) It could even mention that browsers X, Y and Z did or did not support those protocols. But, whatever it claimed to support, it should support correctly, according to the specification of those protocols, and it should interoperate with ANY browser the implemented them correctly. Charles H. Lindsey ---------At Home, doing my own thing------------------------ Tel: +44 161 436 6131 Fax: +44 161 436 6133 Web: http://www.cs.man.ac.uk/~chl Email: chl@clw.cs.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K. PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5 From roland@linx.net Fri, 15 Jun 2001 06:59:30 +0100 Date: Fri, 15 Jun 2001 06:59:30 +0100 From: Roland Perry roland@linx.net Subject: Wired: MS Monopolizes UK Govt Site (OT) In message <200106141920.UAA01918@clw.cs.man.ac.uk>, Charles Lindsey writes >B. The proper thing to do is to say that the site requires the following >protocols: > HTML version X > JavaScript > Java > TLS > whatever else (even some proprietary protocols) >It could even mention that browsers X, Y and Z did or did not support >those protocols. I've seen this statement from them: " The Gateway interoperates with any system that can work with GovTalk compliant XML. So far the Gateway interfaces with a variety of front-ends based on platforms ranging from UNIX variants to Microsoft platforms. The Gateway Registration and Enrolment pages, a small part of the overall functionality of the Gateway, already supports the two most popular browsers - Netscape and Internet Explorer - and work is beginning on providing extended browser support on a wider variety of operating systems. Specifically for the Registration and Enrolment pages, you can register for user ID and password transactions with either Netscape or Internet Explorer running on a Macintosh with MacOS or a PC running Windows. You can register for digital certificate transactions using a PC running Netscape or Internet Explorer (Chambersign) or a PC running Internet Explorer (Equifax). We are well aware that we need to do more to support a wider platform set when using certificates and are working hard to do that - it's not an easy problem to solve. There has been much publicity recently around the openness or otherwise of the Gateway. This world-leading initiative is in its earliest stages. However I can assure you that the Office of the e-Envoy is fervently committed to open accessible systems for all - in line with our own e-Government Interoperability Framework (e-GIF) which mandates the use of open international standards across the UK public sector." Sounds like a cue for people to get involved in: -- Roland Perry From owen.blacker@wheel.co.uk Fri, 15 Jun 2001 10:06:45 +0100 Date: Fri, 15 Jun 2001 10:06:45 +0100 From: Owen Blacker owen.blacker@wheel.co.uk Subject: Wired: MS Monopolizes UK Govt Site (OT) =20 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Charles Lindsey, quoting me: >=20 > > Whilst I think the situation where several browsers used by a = minute > > fraction of the visiting public (yes, I have statistics to justify = that > > statement :o) are excluded is less than ideal, I really ~do~ think > > that it is a pragmatic, realistic and sensible commercial decision = not > > to support them. >=20 > Yes, but: >=20 > A. The government is not supposed to be making "commercial" = decisions, > and =20 But surely that's a politicised opinion? Personally, I'd much rather = the government made pragmatic decisions about the use of our tax money, so = that it can spend more of it elsewhere, where it will benefit people in real need (NHS / Education / whatever), rather than just satisfying the = whims of the techno=E9lite (within which I would include myself and everyone = else on this list :o) > B. The proper thing to do is to say that the site requires the = following > protocols: > HTML version X > JavaScript > Java > TLS > whatever else (even some proprietary protocols) > It could even mention that browsers X, Y and Z did or did not support > those protocols. >=20 > But, whatever it claimed to support, it should support correctly, > according to the specification of those protocols, and it should > interoperate with ANY browser the implemented them correctly. That's exactly the point I was trying (rather unsuccessfully) to make. = =20 :o) And they should be realistic about which protocols they should choose, = so that they don't choose shit-hot proprietary protocols that would lock = out too high a proportion of potential users, imho. This is where they = failed; this is where we are right, imho, to complain at that failure. O x - --=20 Owen Blacker Senior Software Developer / InfoSec Consultant Wheel: Clerkenwell See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys Sig 0x00036874 | d39f b776 fa20 c125 b0e2 aa6d 555e 4126 0003 6874 - --=20 Opinions are mine. My employer and their clients can get their own! -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! iQA/AwUBOynPmlVeQSYAA2h0EQKMBQCgnTDJ5BiW8+tWdt4aUmoTaXrdU84AoO+a xfVK+KDOtD3Bmf9s00ZdhLtu =3DT+J1 -----END PGP SIGNATURE----- _____________________________________________________________________ This message has been checked for all known viruses by UUNET delivered through the MessageLabs Virus Control Centre. For further information visit http://www.uk.uu.net/products/security/virus/ From jtjm@xenoclast.org Fri, 15 Jun 2001 10:56:07 +0100 (BST) Date: Fri, 15 Jun 2001 10:56:07 +0100 (BST) From: Julian T. J. Midgley jtjm@xenoclast.org Subject: Wired: MS Monopolizes UK Govt Site (OT) > Whilst I think the situation where several browsers used by a minute > fraction of the visiting public (yes, I have statistics to justify that > statement :o) are excluded is less than ideal, I really ~do~ think that = it > is a pragmatic, realistic and sensible commercial decision not to support > them. > > It is almost certainly standard practice across the industry and I honest= ly > believe that anyone who thinks that it is realistic for it not to be is > more than a little na=EFve I am afraid that that claim is absolute nonsense. Speaking as someone working as consultant in this industry, I can say with absolute certainty that it is not standard practice within the industry. My desktop machine runs Linux with Netscape 4.77 (currently). I can count on the fingers of one hand the number of sites I have not been able to view with this combination this year. Amazon works fine, Barclays online banking works fine (as did Lloyds till I changed banks) all the major news sites work without problems, as does any ecommerce site I've wanted to have dealings with. Microsoft, Sun, IBM, HP, Intel, all have perfectly working sites (although there a few bits of Microsoft's that are dodgy). Aside from the government site, I can't remember another site that I actually cared about (apart from tin pot homepages designed by ignoramuses) that told me I was trying to use an unsupported browser. It really is not very difficult to design a web site that will work satisfactorily with the majority of browsers on the majority of platforms; and there is no excuse for the government's position. The fact that > 90% of the useful web sites work quite happily across most platforms and browsers is evidence of this, and refutes absolutely the claim that it is "standard practice across the industry" only to support less than a handful of browsers. Standard practice for the company's own website, for example, is to ensure that it can accessed from all the following: =091. Windows (IE and Netscape) 2. Unices (Netscape) 3. Mac (IE and Netscape) =09*and*, as far as possible, Lynx and other text mode browsers. Achieving this is not particularly difficult, and a side effect of doing so is that most other browsers will have a good chance of rendering the site correctly. And I am unable to think of a customer whose website cannot be accessed using Netscape on Linux (I work for Zeus Technology, which sells web server software...). I haven't yet heard an adequate explanation for the designers of the government site choosing to use technologies that were not yet widely supported, when perfectly acceptable widespread alternatives exist. The requirement for "security" is an inadequate reason; existing technologies are quite secure enough for the government's purposes, and have the advantage of having been scrutinised for rather longer than Microsoft's recent innovations. Julian --=20 Julian T. J. Midgley=09=09=09http://www.xenoclast.org Cambridge, England. PGP Key ID: 0xBCC7863F From owen.blacker@wheel.co.uk Fri, 15 Jun 2001 11:29:46 +0100 Date: Fri, 15 Jun 2001 11:29:46 +0100 From: Owen Blacker owen.blacker@wheel.co.uk Subject: Wired: MS Monopolizes UK Govt Site (OT) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 OK, this is off topic. PLEASE STOP REPLYING TO THE LIST! :o) - From what I can tell, we are both misunderstanding each other but, essentially, agree on the basics. If you want to discuss this further, mail me off list, as this discussion is wholly irrelevant, both to crypto and to criticism of the Govt Gateway :o) O x > -----Original Message----- > From: Julian T. J. Midgley [mailto:jtjm@xenoclast.org] > Sent: Friday, June 15, 2001 10:56 AM > To: 'ukcrypto@chiark.greenend.org.uk' > Subject: RE: Wired: MS Monopolizes UK Govt Site (OT) > > > This message uses a character set that is not supported by > the Internet Service. To view the original message content, > open the attached message. If the text doesn't display > correctly, save the attachment to disk, and then open it > using a viewer that can display the original character set. > -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! iQA/AwUBOynjD1VeQSYAA2h0EQKlDgCZAc/sBaeeSYQzcGhE3v6CiKLgxH4An2lb nSEH/sbG8AS4MlcfB28frczR =TCO4 -----END PGP SIGNATURE----- _____________________________________________________________________ This message has been checked for all known viruses by UUNET delivered through the MessageLabs Virus Control Centre. For further information visit http://www.uk.uu.net/products/security/virus/ From rrw@semiramis.org.uk Thu, 14 Jun 2001 13:47:34 +0100 Date: Thu, 14 Jun 2001 13:47:34 +0100 From: rrw rrw@semiramis.org.uk Subject: Illegal prime numbers On Thursday 14 June 2001, Q G Campbell wrote: >I forward the following messages and URLs to this list as an interesting >and relevant curiosity that many of you will enjoy. > >I do so on the spurious grounds that one URL make reference to the word >"steganography" and all are related to legal issues previously discussed >on this list! > >They might even provide an outline mathematical proof to show that the >politicians who passed the DCMA are asses! :-) The correct way to solve this problem (he says, veering even further off-topic) is to decide that it isn't the number whose copying violates IPR, but the knowledge it represents: if you distribute a number with the knowledge that this is a CSS decoder, you'd be liable. If you distribute it without that knowledge, it's fine - what we're trying to protect is the expression or mechanism behind the number, not the bits themselves. There's even a precedent for this - there's a patent case in which it was established that you can only practice an invention if, in some sense, you know you're doing so. If you don't know you're practicing an invention, you're not practicing it. I'm rather more worried about the increasing capacity of legislatures to restrict technology (and encryption gets very badly hit by this) in the interest of protecting rights. It may not be the business of the law to allow injustice just because the wronged didn't have adequate defence, but it's equally not its business to protect the willfully negligent from the consequences of their own stupidity - especially when the result of that protection is to leave the protected in a monopoly position from which they fully intend to profit unfairly. [snip] Richard. From Q.G.Campbell@newcastle.ac.uk Fri, 15 Jun 2001 12:15:54 +0100 Date: Fri, 15 Jun 2001 12:15:54 +0100 From: Q G Campbell Q.G.Campbell@newcastle.ac.uk Subject: Illegal prime numbers > -----Original Message----- > From: rrw [mailto:rrw@semiramis.org.uk]=20 > Sent: 14 June 2001 13:48 > To: ukcrypto@chiark.greenend.org.uk > Subject: Re: Illegal prime numbers >=20 >=20 > On Thursday 14 June 2001, Q G Campbell=20 > wrote: >=20 > >I forward the following messages and URLs to this list as an=20 > >interesting and relevant curiosity that many of you will enjoy. > > > >I do so on the spurious grounds that one URL make reference=20 > to the word=20 > >"steganography" and all are related to legal issues previously=20 > >discussed on this list! > > > >They might even provide an outline mathematical proof to=20 > show that the > >politicians who passed the DCMA are asses! :-) >=20 > The correct way to solve this problem (he says, veering even further > off-topic) is to decide that it isn't the number whose=20 > copying violates IPR, but the knowledge it represents: if=20 > you distribute a number with the knowledge that this is a=20 > CSS decoder, you'd be liable. If you distribute it without=20 > that knowledge, it's fine - what we're trying to protect is=20 > the expression or mechanism behind the number, not the bits=20 > themselves. Richard I don't think my original posting, nor your response, is veering off-topic for this list. The issues involved seemed to me to be at the heart of steganography and to many of the discussions this list has had about the legal and practical aspects of avoiding the impact of RIPA on our use of cryptography. The relative lack of response so far probably indicates that the posting remains an interesting curiosity but adds nothing new to those earlier discussions. Quentin From ybanrab@hotmail.com Fri, 15 Jun 2001 12:58:39 +0100 Date: Fri, 15 Jun 2001 12:58:39 +0100 From: Barnaby Prendergast ybanrab@hotmail.com Subject: Illegal prime numbers >From: "Q G Campbell" >Reply-To: ukcrypto@chiark.greenend.org.uk >To: >Subject: Illegal prime numbers >Date: Thu, 14 Jun 2001 13:31:49 +0100 > [snip]> >They might even provide an outline mathematical proof to show that the >politicians who passed the DCMA are asses! :-) > I think this type proof leads to mathematicians proving black is white and getting run over on zebra crossings, if I recollect Douglas Adams' words of wisdom correctly... :) B _________________________________________________________________________ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com. From norman@astro.gla.ac.uk Fri, 15 Jun 2001 11:08:56 +0100 (BST) Date: Fri, 15 Jun 2001 11:08:56 +0100 (BST) From: Norman Gray norman@astro.gla.ac.uk Subject: Wired: MS Monopolizes UK Govt Site (OT) Greetings, I know this is off-topic, I know, but I can't let this pass. I'll keep it brutally short, by generalising recklessly, and there is a ukcrypto hook at the end. On Thu, 14 Jun 2001, Owen Blacker said: > [...] anyone who thinks that all those pretty bells and whistles > so liked by clients and designers can successfully be implemented whist > conforming to all the standards has obviously never tried to do so As others have said, this may well be perfectly true. However, Owen missed out a third important constituency, that of the poor sods who have to attempt to use the final web pages. The situation will never get better, because designers' clients will always want a whizz-bang website (because it gives them a warm glow to have the `state of the art' site the designers say they are providing), and the designers will always want to produce that website (because it's probably both more fun, and easier, to do that, and because it looks better on a CV than `Designed a plain but functional website for...'). For similar reasons, software houses will generally prefer to add whizz-bang features, rather than implementing boring ones correctly. [ My canned rant about market-forces is regrettably snipped here ] This morning, Charles Lindsay said: > B. The proper thing to do is to say that the site requires the following > protocols: > HTML version X > JavaScript > Java > TLS > whatever else (even some proprietary protocols) and the gateway.gov.uk piss-off page does say something like this: > * Your browser must be set to accept cookies > * Java must be enabled > * Javascript must be enabled ...but I betcha I wouldn't need any of that in order to benefit from the security, but solely to worship at the altar of the designers' vanity. As with may other issues on ukcrypto, what we have here is yet another example of `It's For Security' being trotted out as a knock-down argument, to evade criticism of a variety of design misfeatures. All the best, Norman -- --------------------------------------------------------------------------- Norman Gray http://www.astro.gla.ac.uk/users/norman/ Physics and Astronomy, University of Glasgow, UK norman@astro.gla.ac.uk From adam@homeport.org Fri, 15 Jun 2001 10:11:20 -0400 Date: Fri, 15 Jun 2001 10:11:20 -0400 From: Adam Shostack adam@homeport.org Subject: Wired: MS Monopolizes UK Govt Site On Thu, Jun 14, 2001 at 10:59:44AM +0100, paulfordh@uk.ibm.com wrote: | Kieran Barry wrote: | >My understanding is that the IETF standards require two working sample | >implementations before they accept a standard. If we could require | >the use of something that open, it would also be useful. | | Whilst this may be true, most new protocols move so fast that they are | well deployed, accepted and interoperable before getting close to | Standards Track. (just look at the whole PCT vs SSL vs TLS issue.) If | you want to be picky, SSL is a proprietary Netscape protocol that they | then published, TLS is the one true way for standards advocates. Should | the site stop using SSL ? If Microsoft's claim, which is that they wanted to ensure the highest standard of security, is accurate, then yes. TLS offers slightly more security than SSL 3, and if the site only supports TLS then the roll-back attacks are not feasable. The usual reason for not having TLS only sites is compatability, but Microsoft has been willing to force people to use certain browsers, so that should not apply. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From akm@92tr.freeserve.co.uk Sat, 16 Jun 2001 00:59:42 +0100 Date: Sat, 16 Jun 2001 00:59:42 +0100 From: Adrian Midgley akm@92tr.freeserve.co.uk Subject: Wired: MS Monopolizes UK Govt Site From: Adam Shostack >TLS offers slightly more >security than SSL 3, and if the site only supports TLS then the >roll-back attacks are not feasable. And Opera of course, the browser which I approached the site with, offers TLS. From chl@clw.cs.man.ac.uk Fri, 15 Jun 2001 20:53:54 +0100 (BST) Date: Fri, 15 Jun 2001 20:53:54 +0100 (BST) From: Charles Lindsey chl@clw.cs.man.ac.uk Subject: Wired: MS Monopolizes UK Govt Site (OT) On Fri, 15 Jun 2001 06:59:30 +0100 Roland Perry said... > I've seen this statement from them: > > " The Gateway interoperates with any system that can work with > GovTalk compliant XML. So far the Gateway interfaces with a > variety of front-ends based on platforms ranging from UNIX > variants to Microsoft platforms. Rest snipped. Wow! That's the most sensible statement I've seen from a Government source in a long time. But neatly hidden away where noone would find it :-( . Charles H. Lindsey ---------At Home, doing my own thing------------------------ Tel: +44 161 436 6131 Fax: +44 161 436 6133 Web: http://www.cs.man.ac.uk/~chl Email: chl@clw.cs.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K. PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5 From ukcrypto@lists.colondot.net Fri, 15 Jun 2001 15:14:03 +0100 Date: Fri, 15 Jun 2001 15:14:03 +0100 From: Matthew Byng-Maddick ukcrypto@lists.colondot.net Subject: Wired: MS Monopolizes UK Govt Site (OT) On Fri, Jun 15, 2001 at 11:08:56AM +0100, Norman Gray wrote: > This morning, Charles Lindsay said: > > B. The proper thing to do is to say that the site requires the following > > protocols: > > HTML version X > > JavaScript > > Java > > TLS > > whatever else (even some proprietary protocols) > and the gateway.gov.uk piss-off page does say something like this: > > * Your browser must be set to accept cookies > > * Java must be enabled > > * Javascript must be enabled > ...but I betcha I wouldn't need any of that in order to benefit from > the security, but solely to worship at the altar of the designers' vanity. You are wrong in this. Part of the "security" is not implemented at TLS level, (which is silly), but the client certificate is (from the pdf for which I can't remember the URL): "Used to sign an XML object". The way of doing this is that the Java applet (somehow) requests said XML object from the https connection, and is signed, (which obviously allows it to evade any controls that the sandbox tries to put there...) using a key that it gets from the local machine and the particular "PKI" software. There is no mention of how they've made this secure from potential replay or MITM attacks. In the case of SSL/TLS, this is obvious (you use the DH session key), but an object passed at an upper layer? well.... > As with may other issues on ukcrypto, what we have here is yet another > example of `It's For Security' being trotted out as a knock-down > argument, to evade criticism of a variety of design misfeatures. As above the Java is: "for security" however, the benefits of the provided security are unclear. And there is a definite vendor lock-in for the "PKI" software involved (aka basic key management s/w). MBM From ben@algroup.co.uk Sat, 16 Jun 2001 13:57:00 +0100 Date: Sat, 16 Jun 2001 13:57:00 +0100 From: Ben Laurie ben@algroup.co.uk Subject: Wired: MS Monopolizes UK Govt Site (OT) Matthew Byng-Maddick wrote: > There is no mention of how they've made this secure from potential replay > or MITM attacks. In the case of SSL/TLS, this is obvious (you use the DH > session key), but an object passed at an upper layer? well.... DH session key? If only! Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff From dfawcus@cisco.com Sun, 17 Jun 2001 02:23:11 +0100 Date: Sun, 17 Jun 2001 02:23:11 +0100 From: Derek Fawcus dfawcus@cisco.com Subject: Illegal prime numbers On Thu, Jun 14, 2001 at 03:54:28PM +0100, Donald ramsbottom wrote: > > Having said all of that, I'd love to give the argument a go, and I hope the > defendants in the various MPAA actions lawyers have a look to expose the > DMCA for what it is a load of twaddle. I'd certainly agree with the view that the DMCA is a load of twaddle. Unfortunatly it looks like we're going to be burdened by the same load of twaddle courtesy of the EU copyright directive. DF From roland@linx.net Sun, 17 Jun 2001 11:37:12 +0100 Date: Sun, 17 Jun 2001 11:37:12 +0100 From: Roland Perry roland@linx.net Subject: Illegal prime numbers In message <20010617022311.A20458@edi-view1.cisco.com>, Derek Fawcus writes >On Thu, Jun 14, 2001 at 03:54:28PM +0100, Donald ramsbottom wrote: >> >> Having said all of that, I'd love to give the argument a go, and I hope the >> defendants in the various MPAA actions lawyers have a look to expose the >> DMCA for what it is a load of twaddle. > >I'd certainly agree with the view that the DMCA is a load of twaddle. > >Unfortunatly it looks like we're going to be burdened by the same load >of twaddle courtesy of the EU copyright directive. In what way? A proper framework has traditionally been seen to be better than a mish mash of random excursions with little redress from vexatious complainants and the ISP forced to act as judge and jury. To get back on topic, watermarking digital intellectual property might be a start when trying to establish the basis of a complaint. -- Roland Perry | tel: +44 1733 207705 | roland@linx.org Director of Public Policy | fax: +44 1733 207729 | http://www.linx.net London Internet Exchange | mbl: +44 7050 604080 | /contact/roland From ben@algroup.co.uk Sun, 17 Jun 2001 11:47:23 +0100 Date: Sun, 17 Jun 2001 11:47:23 +0100 From: Ben Laurie ben@algroup.co.uk Subject: Illegal prime numbers Roland Perry wrote: > > In message <20010617022311.A20458@edi-view1.cisco.com>, Derek Fawcus > writes > >On Thu, Jun 14, 2001 at 03:54:28PM +0100, Donald ramsbottom wrote: > >> > >> Having said all of that, I'd love to give the argument a go, and I hope the > >> defendants in the various MPAA actions lawyers have a look to expose the > >> DMCA for what it is a load of twaddle. > > > >I'd certainly agree with the view that the DMCA is a load of twaddle. > > > >Unfortunatly it looks like we're going to be burdened by the same load > >of twaddle courtesy of the EU copyright directive. > > In what way? A proper framework has traditionally been seen to be better > than a mish mash of random excursions with little redress from vexatious > complainants and the ISP forced to act as judge and jury. > > To get back on topic, watermarking digital intellectual property might > be a start when trying to establish the basis of a complaint. Apart from the minor problem that it doesn't work, you mean? Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff From roland@linx.net Sun, 17 Jun 2001 13:53:17 +0100 Date: Sun, 17 Jun 2001 13:53:17 +0100 From: Roland Perry roland@linx.net Subject: Illegal prime numbers In message <3B2C8ABB.6F099D4E@algroup.co.uk>, Ben Laurie writes >> To get back on topic, watermarking digital intellectual property might >> be a start when trying to establish the basis of a complaint. > >Apart from the minor problem that it doesn't work, you mean? In what way: Too easy to remove? Too many false positives?? -- Roland Perry | tel: +44 1733 207705 | roland@linx.org Director of Public Policy | fax: +44 1733 207729 | http://www.linx.net London Internet Exchange | mbl: +44 7050 604080 | /contact/roland From ben@algroup.co.uk Sun, 17 Jun 2001 13:56:58 +0100 Date: Sun, 17 Jun 2001 13:56:58 +0100 From: Ben Laurie ben@algroup.co.uk Subject: Illegal prime numbers Roland Perry wrote: > > In message <3B2C8ABB.6F099D4E@algroup.co.uk>, Ben Laurie > writes > >> To get back on topic, watermarking digital intellectual property might > >> be a start when trying to establish the basis of a complaint. > > > >Apart from the minor problem that it doesn't work, you mean? > > In what way: Too easy to remove? Too many false positives?? Too easy to remove. Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff From peter.fairbrother@ntlworld.com Sun, 17 Jun 2001 14:30:04 +0100 Date: Sun, 17 Jun 2001 14:30:04 +0100 From: Peter Fairbrother peter.fairbrother@ntlworld.com Subject: Illegal prime numbers > Ben Laurie at ben@algroup.co.uk wrote: > Roland Perry wrote: >> >> In message <3B2C8ABB.6F099D4E@algroup.co.uk>, Ben Laurie >> writes >>>> To get back on topic, watermarking digital intellectual property might >>>> be a start when trying to establish the basis of a complaint. >>> >>> Apart from the minor problem that it doesn't work, you mean? >> >> In what way: Too easy to remove? Too many false positives?? > > Too easy to remove. It's a silly idea anyway. If you've got some Opium and the man from Yves St Laurent comes to examine it, he knows if it's real. If you've got a Beatles song, well it's obviously copyright. I don't see how having a watermark on it tells you anything new. -- Peter From ben@algroup.co.uk Sun, 17 Jun 2001 15:17:33 +0100 Date: Sun, 17 Jun 2001 15:17:33 +0100 From: Ben Laurie ben@algroup.co.uk Subject: Illegal prime numbers Peter Fairbrother wrote: > > > Ben Laurie at ben@algroup.co.uk wrote: > > > Roland Perry wrote: > >> > >> In message <3B2C8ABB.6F099D4E@algroup.co.uk>, Ben Laurie > >> writes > >>>> To get back on topic, watermarking digital intellectual property might > >>>> be a start when trying to establish the basis of a complaint. > >>> > >>> Apart from the minor problem that it doesn't work, you mean? > >> > >> In what way: Too easy to remove? Too many false positives?? > > > > Too easy to remove. > > It's a silly idea anyway. If you've got some Opium and the man from Yves St > Laurent comes to examine it, he knows if it's real. If you've got a Beatles > song, well it's obviously copyright. I don't see how having a watermark on > it tells you anything new. It tells you who ripped it off. Of course, when you get a bootlegged videotape or CD, you don't know, so why do people want a new capability for digital stuff? Control freaks, the lot of 'em. Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff From richard@highwayman.com Sun, 17 Jun 2001 15:55:49 +0100 Date: Sun, 17 Jun 2001 15:55:49 +0100 From: Richard Clayton richard@highwayman.com Subject: Illegal prime numbers -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In article <3B2CBBFD.4DBBB451@algroup.co.uk>, Ben Laurie writes >Peter Fairbrother wrote: >> It's a silly idea anyway. If you've got some Opium and the man from Yves St >> Laurent comes to examine it, he knows if it's real. If you've got a Beatles >> song, well it's obviously copyright. I don't see how having a watermark on >> it tells you anything new. It allows a robot to wander the web and peek at the MP3 and know that it's "Let it Be"... so that a mail can be sent to the correct people (who will fire enough "take down" notices that it will not "be" very much longer...) Otherwise, some lucky person gets to listen to all the music and use their skill and judgement to guess if its the original recording or a soundalike band (with permission, perhaps, to record it). ie although it may look like a technology for convincing juries, it's more likely to be a technology for convincing spider software >It tells you who ripped it off. Sometimes people do suggest watermarking schemes that will indicate whose copy was "ripped off" (the jargon for this is a "traitor tracing scheme"). There are even fancy systems that will show if several traitors co-operated in an attempt to expunge the mark... ... however, they are unlikely to work in open environments, since if it is your copy that was plastered all over the web you will just blame the thieves who broke in a week last Thursday and stole your machine (or set-top box or smart-card or whatever). >Of course, when you get a bootlegged >videotape or CD, you don't know, so why do people want a new capability >for digital stuff? Like other recent topics of discussion... because the salesman told them how wonderfully it would work :-) Actually, I suspect that for a while there will be some successes in tracking digital material by watermark. Though the marks are indeed easy to remove (by a suitably complex distortion of the picture) most people will not bother until the number of prosecutions rises. So there may be a short-term win for the "rights holders". >Control freaks, the lot of 'em. they're protecting their existing business model - -- richard richard.clayton @ h i g h w a y m a n . com "Assembly of Japanese bicycle require great peace of mind" quoted in ZAMM -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBOyzE9RfnRQV/feRLEQItcgCeJZu8R/CXW1xsJPwy8iRya6Jw2ogAnRyM RuL06I0uy38ALkOch5eFYU5i =MIzH -----END PGP SIGNATURE----- From roland@linx.net Sun, 17 Jun 2001 16:21:51 +0100 Date: Sun, 17 Jun 2001 16:21:51 +0100 From: Roland Perry roland@linx.net Subject: Illegal prime numbers In message , Peter Fairbrother writes >If you've got a Beatles >song, well it's obviously copyright. I don't see how having a watermark on >it tells you anything new. It it's being sung by someone else, they may have some copyright too. If it's a photo, the ownership is much less obvious. -- Roland Perry | tel: +44 1733 207705 | roland@linx.org Director of Public Policy | fax: +44 1733 207729 | http://www.linx.net London Internet Exchange | mbl: +44 7050 604080 | /contact/roland From ben@algroup.co.uk Sun, 17 Jun 2001 17:56:23 +0100 Date: Sun, 17 Jun 2001 17:56:23 +0100 From: Ben Laurie ben@algroup.co.uk Subject: Illegal prime numbers Richard Clayton wrote: > >Control freaks, the lot of 'em. > > they're protecting their existing business model You mean the one that works by being able to identify copies of CDs, videotapes and so forth? Hmmm ... obviously a piece of technology that passed me by! This reminds me of the music biz's failed attempts to impose a levy on blank tapes - they're not protecting their existing business model at all, but hoping to exploit a new one. I presume they're particularly keen given the tedious squeeze the artists are putting on their profit margins, and also the real danger that the artists might wake up and cut them out of the business model altogether! Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff From owen.blacker@wheel.co.uk Mon, 18 Jun 2001 09:32:43 +0100 Date: Mon, 18 Jun 2001 09:32:43 +0100 From: Owen Blacker owen.blacker@wheel.co.uk Subject: Watermarking (Was RE: Illegal prime numbers) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > > > To get back on topic, watermarking digital intellectual property > > > might be a start when trying to establish the basis of a complaint. > > > > Apart from the minor problem that it doesn't work, you mean? > > In what way: Too easy to remove? Too many false positives?? The report by Craver, McGregor et alii (2001) about their successful SDMI challenge went into some detail about how they found watermarking to be relatively easy to remove (which was the purposes of Challenges A, B, C and F in the SDMI challenge). The challenge ignored the idea of false positives, as that would (presumably) be considered a lesser concern -- the way the SDMI stuff works is by having a 'secure player' that will only accept watermarked tracks, whereas you can always just use a different player. OK, typing that has just caused me to realise that my assumptions are backwards, however the facts above are the right way round, cos I've had a copy of the document in front of me. Well, it ~is~ a Monday morning :o) O x - -- Owen Blacker Senior Software Developer / InfoSec Consultant Wheel: Clerkenwell See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys Sig 0x00036874 | d39f b776 fa20 c125 b0e2 aa6d 555e 4126 0003 6874 -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! iQA/AwUBOy28HVVeQSYAA2h0EQKkBACeJXrM5MhYl406XlLi+vPtIHJgM1AAnRQv ja9y5IZb4yOeUSEt6oQbxVh9 =9lcb -----END PGP SIGNATURE----- _____________________________________________________________________ This message has been checked for all known viruses by UUNET delivered through the MessageLabs Virus Control Centre. For further information visit http://www.uk.uu.net/products/security/virus/ From owen.blacker@wheel.co.uk Mon, 18 Jun 2001 09:53:12 +0100 Date: Mon, 18 Jun 2001 09:53:12 +0100 From: Owen Blacker owen.blacker@wheel.co.uk Subject: Silicon.com: Cyber terrorism and a ship full of IT directors =20 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > HEADLINE: John Lamb's Week: Cyber terrorism and a ship full=20 > of IT directors > PUBLISHED: 5:25pm on Friday 15th June 2001 > CHANNEL: CIO > AUTHOR: John Lamb > SERVICE: http://www.silicon.com >=20 > TEXT OF STORY FOLLOWS: >=20 > If we can get Steven Seagal, we've got a film... >=20 > Is the security of nation-states threatened by the=20 > information revolution? The Global Forum for Law Enforcement=20 > and National Security (LENS) certainly thinks it might be.=20 > This group of political, military and business interests will=20 > be sitting down in Edinburgh on Tuesday and Wednesday to work=20 > out ways of defeating so-called cyber warriors out to attack=20 > national information infrastructures. >=20 > Speakers from among the good and the great include Lord=20 > Robertson of Port Ellen, Secretary General of NATO, William=20 > Webster, former Director of the FBI and CIA, and Jurgen=20 > Storbeck, Director of Europol. Former Lib Dem leader and=20 > special forces operative Paddy Ashdown will be chairing the=20 > discussion. The Forum's president is none other than Mikhail=20 > Gorbachev. >=20 > Apart from looking at the need to counter espionage and the=20 > theft of intellectual property -- while of course upholding=20 > personal privacy -- delegates will also consider to what=20 > extent the internet is destabilising nation states by=20 > allowing people to by-pass existing structures. >=20 > If all this sounds suspiciously like a skit from Monty Python=20 > or the Cambridge Footlights Review then you won't be=20 > surprised to learn that the next big event in Edinburgh is=20 > the Festival Fringe famed for its satirical comedy shows. >=20 > If international computer crime policy is a little heavy=20 > going for you, also on Tuesday PeopleSoft will be flaunting=20 > its latest customer relationship management software in=20 > London. The launch of PeopleSoft 8 CRM will be trumpeted by=20 > presentations from experts in the business of building=20 > customer loyalty including Frederick Reichheld of Bain &=20 > Company and Dr Wolfgang Martin of the META Group. >=20 > Despite some recent questions about the extent to which=20 > businesses have benefited from the current craze for CRM=20 > concepts and products, these luminaries will explain how to=20 > build customer loyalty using more collaborative CRM software.=20 > Oil company Shell will be talking about its experience. >=20 > The application of Bayesian probability theory to a range of=20 > pattern recognition problems continues apace. On Wednesday,=20 > Mike Alford of software company Alaric will be talking about=20 > how his company's new Fractals product is being used by=20 > financial companies to combat credit card fraud by allowing=20 > them to spot unusual patterns of behaviour quickly.=20 >=20 > Credit and debit card fraud costs big money. UK fraud figures=20 > for 2000 from the Association of Payment Clearing Services=20 > (APACS) revealed total losses at =A3292m, compared to =A3135m in=20 > 1998, meaning the problem has more than doubled in just two years. >=20 > Also on Wednesday, terrorists have the opportunity of wiping=20 > out the cream of UK IT management at a stroke by disposing of=20 > the MV Aurora as it sets sail from Southampton with over 550=20 > executives on board. The IT Directors' Forum -- which is=20 > being covered by silicon.com's camera-wielding news marines=20 > -- is the UK's largest get together of IT users. >=20 > Delegates will be listening to speakers who include Andy Kyte=20 > of Gartner, Graham Whitehead of BT and Martha Bennett of=20 > eBusiness Connect. They will also be taking part in problem=20 > solving exercises. >=20 > For those left on dry land, Craig Barrett, Intel CEO, makes a=20 > rare trip to London. The tough talking chip boss will be=20 > squaring up to gravel voiced Radio 4 newsman John Humphrys in=20 > a studio at London's South Bank. >=20 > It is unlikely that Barrett, who earlier this year was one of=20 > the first people to decry the prospects of third generation=20 > wireless technology, will be put through the mangle over=20 > 64-bit Itanium processing or how he is going to beat the=20 > current downturn in the semiconductor business. But then=20 > that's not what PR is about. >=20 >=20 > STORY ENDS >=20 > For more information on silicon.com go to http://www.silicon.com. >=20 > silicon.com - the who, what, when, where and why of ebusiness -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 Comment: Due to RIP, pls check for revocation before using this key! iQA/AwUBOy3A6VVeQSYAA2h0EQJHMgCeLsAVBogl5q1M5fr6jg2psro8MakAoM1n JYuZoDFdu9tTNkxbMRVwKlkp =3DsV8H -----END PGP SIGNATURE----- _____________________________________________________________________ This message has been checked for all known viruses by UUNET delivered through the MessageLabs Virus Control Centre. For further information visit http://www.uk.uu.net/products/security/virus/ From donald@ramsbottom.co.uk Mon, 18 Jun 2001 11:33:14 +0100 Date: Mon, 18 Jun 2001 11:33:14 +0100 From: Donald ramsbottom donald@ramsbottom.co.uk Subject: Watermarking (Was RE: Illegal prime numbers) What all of the Companies concerned (and in the main we are talking record companies at present) with their digital watermarks is that the in their quest to stamp out the "evil" of pirated copies by you and me, that the product actually suffers as the watermarking is actually audible on any half decent HiFi setup. So not only is the watermarking by-passable it actually degrades the product, when they are trying to sell us new formats from the various DVD audios and HDFC (or something similar) and at least two other acronyms I can't remember, on the basis they are giving us better quality. Good plan! I am afraid I have no truck with record company claims, they have dusted off the old arguments about cassettes and brought it "up to date" by stating copies do not degrade as they are digital, which is true(ish), but the people who make money (as opposed to just copying for a friend or car etc) already have a decent master copy, (or even if they do not they do not use copies to copy), they have industrial manufacturing processes. While I am against mass piracy, I do object to having to buy the same piece of IP lord(any) knows how many times on/in differing formats (records, 8Tracks, Cassette, CD, Minidisc, etc). I buy the right to listen, and they are trying to dictate the manner and form in which I listen, which is not on. The SDMI challengees know the "product" does not work, but have been "restricted" from publishing (despite recent noises from the Challengors that they may publish) which was a lot of silliness in the first place, as the crypto used, was and still is relying on secrecy rather than being open source and open to scrutiny. Why they want to do all of this with proprietary code when they have the DeCSS debacle still in place is beyond me, but once a control freak always a control freak. Donald Ramsbottom BA LLb (Hons) PGdip Ramsbottom & Co Solicitors Internet and Global Encryption Law Specialists & General UK Law Matters 5 Seagrove Avenue Hayling Island Hampshire UK Tel (44) 023 9246 5931 Fax (44) 023 9246 8349 Regulated by the Law Society in the conduct of Investment business Service by Fax or Email NOT accepted From Ross.Anderson@cl.cam.ac.uk Tue, 19 Jun 2001 09:36:27 +0100 Date: Tue, 19 Jun 2001 09:36:27 +0100 From: Ross Anderson Ross.Anderson@cl.cam.ac.uk Subject: Proposed abolition of data protection controls on public sector data This is simply outrageous. Compared with this, key escrow just doesn't matter. Why should the state bother with the keys, when they can just legislate themselves the plaintext? Ross ******** Whitehall plans new checks on citizens By Rachel Sylvester WHITEHALL departments will be able to share information about people's tax records, benefit entitlements and family history under proposals by Tony Blair's personal think tank. The change could lead to a person's benefit application being cross-checked with his or her medical record, passport details being handed to the Inland Revenue, or driving licence details compared with information on the electoral roll - although the specific areas affected have not yet been agreed. A report by the performance and innovation unit, to be published next month, says that the exchange of information could reduce fraud and other crime and speed up the delivery of Government services by cutting red tape. The Government is planning to introduce catch-all legislation to enable ministers to instruct their officials to cross-check data without having to put a separate Bill through Parliament. That proposal, which has been approved by ministers, will almost certainly mean rewriting the Data Protection Act, which safeguards the privacy of information. At present, the Government has to introduce a Bill every time one department wants to exchange a new type of data with another. Under the proposed scheme, ministers would be able to push changes through much more quickly, using secondary legislation. A senior Government source said: "At the moment the presumption is that data given to one department are not compared with information given to another. We want to reverse that so that the presumption is that they can be." The report from the performance and innovation unit, based in the Cabinet Office, says the current arrangements for data matching are "haphazard" and "piecemeal" because each department has its own rules. The unit's proposals were attacked last night by one of the Government's advisers on the subject. John Wadham, the director of Liberty, said: "We are forced to give our personal details to the Government, but this information still belongs to us. Now the Government is seeking powers to take greater control of this personal information. "Decisions to violate the principles of data protection and human rights are wrong however they are made. But to allow such important decisions to be made by ministers in secondary legislation and rubber-stamped by Parliament can never be justified." There are also fears that people may find themselves being investigated because information held by one department, then passed to another, is wrong. A Government insider admitted that the amount of inaccurate data held on Whitehall files was "the next BSE waiting to happen". To try to allay public concern, the report will emphasise the importance of privacy. An officer will be appointed to every department to control the quality and use of private information. People will be reminded that they can request to see any data held about them to check that they are accurate. But a proposal to give everybody a "unique identifier" to access Government services online has been dropped because of fears that it would be seen as a prototype ID card. Although the unit was in favour of the idea in principle, it decided that problems such as the potential for "identity theft" outweighed the benefits. The Data Sharing and Privacy Bill will be introduced as early as possible. Ministers are aware of the importance of winning over public opinion. A government project in Canada, which involved compiling a database of information about individuals, was scrapped last year after a public backlash amid accusations that it had been undertaken without people's consent. From kelm@secorvo.de Tue, 19 Jun 2001 13:15:36 +0200 Date: Tue, 19 Jun 2001 13:15:36 +0200 From: Stefan Kelm kelm@secorvo.de Subject: [Fwd] data transfers to non-EU countries http://europa.eu.int/comm/internal_market/en/dataprot/news/clauses2.htm Data protection: Commission approves standart contractual clauses for data transfers to non-EU countries The European Commission has adopted a Decision setting out standard contractual clauses ensuring adequate safeguards for personal data transferred from the EU to countries outside the Union. The Decision obliges Member States to recognise that companies or organisations using such standard clauses in contracts concerning personal data transfers to countries outside the EU are offering "adequate protection" to the data. The EU=92s data protection Directive (95/46/EC) requires all personal data transferred to countries outside the Union to benefit from "adequate protection". Use of these standard contractual clauses will be voluntary but will offer companies and organisations a straightforward means of complying with their obligation to ensure "adequate protection" for personal data transferred to countries outside the EU which have not been recognised by the Commission as providing adequate protection for such data. So far, only Switzerland, Hungary and the US =91Safe Harbor=92 arrangement have been recognised as providing adequate protection (see IP/00/865). [...] ------------------------------------------------------- Dipl.-Inform. Stefan Kelm Security Consultant Secorvo Security Consulting GmbH Albert-Nestler-Strasse 9, D-76131 Karlsruhe Tel. +49 721 6105-461, Fax +49 721 6105-455 E-Mail kelm@secorvo.de, http://www.secorvo.de ------------------------------------------------------- PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B From mctylr@privacy.nb.ca Tue, 19 Jun 2001 07:14:53 -0300 (ADT) Date: Tue, 19 Jun 2001 07:14:53 -0300 (ADT) From: M Taylor mctylr@privacy.nb.ca Subject: Black market in 'everlasting' Tube tickets unearthed Black market in 'everlasting' Tube tickets unearthed A black market in tube tickets with an infinite expiry date has appeared in London. The fraudulent Travelcards can be used indefinitely and current magnetic strip technology does not recognise they are fakes. The Evening Standard newspaper says a reporter bought one of the bogus passes for Ł80 in a Notting Hill pub which should have expired in 1999, but which still works. ... A spokesman said: "At the moment it is not cost-effective to make any more software updates, although we think eventually number sequences such as the one on your card will be trapped." LU is confident the introduction of credit card-sized smartcards will reduce ticket fraud. The smartcards rely on microchips which have been resistant to fraud in Washington and Chicago underground systems. They're scheduled for general use by autumn 2002. Also in: -------------------------- Interesting because they claim it doesn't make sense to do a software upgrade to fix the problem, yet they are losing real money due to it. Wonder how many other "security" problems are deemed not economical to fix, in software. From donald@ramsbottom.co.uk Tue, 19 Jun 2001 15:23:55 +0100 Date: Tue, 19 Jun 2001 15:23:55 +0100 From: Donald ramsbottom donald@ramsbottom.co.uk Subject: Proposed abolition of data protection controls on public sector data At 09:36 AM 6/19/01 +0100, you wrote: >This is simply outrageous. Compared with this, key escrow just doesn't >matter. Why should the state bother with the keys, when they can just >legislate themselves the plaintext? > >Ross > >******** > > SNIPS Look who is behind it again, the wonderful PIU, those very people who hatched RIPA now want all your data in one place, great stuff. They are also the people who commissioned "project Trawler" as I recall whereby the LEAs reported to them (the PIU) and they then used Trawler as a raison d'etre for RIPA. I wonder whether Grimerwormtongue Campbell is on it (the PIU)? We might as well all buy our clothes from the Emperors tailors for all the privacy we will have left from state intrusion into our lives. When will they realize they were elected to Govern, not rule. All the more reason to ensure we protect what vestiges of privacy we have by the use of all tools at our disposal including crypto. Donald Ramsbottom BA LLb (Hons) PGdip Ramsbottom & Co Solicitors Internet and Global Encryption Law Specialists & General UK Law Matters 5 Seagrove Avenue Hayling Island Hampshire UK Tel (44) 023 9246 5931 Fax (44) 023 9246 8349 Regulated by the Law Society in the conduct of Investment business Service by Fax or Email NOT accepted From dparkins@alien.bt.co.uk Tue, 19 Jun 2001 16:58:39 +0100 Date: Tue, 19 Jun 2001 16:58:39 +0100 From: David Parkinson dparkins@alien.bt.co.uk Subject: Black market in 'everlasting' Tube tickets unearthed At 07:14 AM 19-06-01 -0300, M Taylor quoted: >Black market in 'everlasting' Tube tickets unearthed > > >A black market in tube tickets with an infinite expiry date has appeared >in London. Unless this is something new it is old news. I seem to recall seeing something on this a few years ago, but I can't track down the reference. >The fraudulent Travelcards can be used indefinitely and current magnetic >strip technology does not recognise they are fakes. The known problem is that the date field wraps around in some way so that old cards become valid again. >The Evening Standard newspaper says a reporter bought one of the bogus >passes for Ł80 in a Notting Hill pub which should have expired in 1999, >but which still works. It is a new fraud if that sentence is correct, but maybe the more accurate wording is "..but which now works again". From the article quoted: >While they were advanced at the time, the limitations of magnetic strips >mean that some date sequences held on the ticket come around again. >When this happens the ticket starts working again. LU is aware of the >problem and has updated the computer software in tickets machines, the >last update being in January 2000. Although they admit that "one or two >number sequences have evaded them." M Taylor wrote: >Interesting because they claim it doesn't make sense to do a software >upgrade to fix the problem, yet they are losing real money due to it. >Wonder how many other "security" problems are deemed not economical to >fix, in software. I guess as they moving to a smartcard based system in 2002 somebody has done their sums and worked out "software upgrade costs" > "fraud losses" in the interim. A simple enough equation, the difficulty being in estimating the "fraud losses" element. David From pkicrypto2k@hotmail.com Tue, 19 Jun 2001 20:14:33 -0000 Date: Tue, 19 Jun 2001 20:14:33 -0000 From: crypto listdump pkicrypto2k@hotmail.com Subject: Silent Runner Owen, can you please send me full details of this? Including the company & URL if you have it. Many thanks >Subject: RE: Silent Runner >Date: Thu, 7 Jun 2001 18:07:06 +0100 > > > >I took a presentation today on a network investigation and traffic trawling >system called 'Silent Runner'. This is claimed several orders better than >Carnivore. If it lives up to the demonstration, this is unlikely to be an >exaggeration. Since investigative tools of this type have little bearing on >crypto (except to identify groups who communicate in cipher), I'd welcome >off list any comment or opinion from those who have any firsthand >experience >of or information on this system. > >Owen > > > > > > > _________________________________________________________________________ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com. From jya@pipeline.com Tue, 19 Jun 2001 19:47:13 -0700 Date: Tue, 19 Jun 2001 19:47:13 -0700 From: John Young jya@pipeline.com Subject: Silent Runner SilentRunner by Raytheon has a Web site: http://www.silentrunner.com/ The nasty product got a fair amount of press attention in the summer of 2000. Quote the Web site's news blurbs: It is possible that SilentRunnerTM could be less intrusive than current surveillance methods, most of which involve reading a lot of e-mail that contain keywords. THE WALL STREET JOURNAL June 14, 2000 BOSTON (AP) - Beware, corporate snitches loose with company secrets - your boss may have a new tool to track what you do with your computer. Lexington-based defense contractor Raytheon Co. (NYSE:RTNa - news) claims its "SilentRunnerTM" software is the vanguard of network monitoring. Rather than rely solely on searches for suspicious keywords, the program uses algorithms to analyze communications patterns. Then it turns its analysis into 3-D pictures. By looking at the pictures, monitors can follow traffic patterns and detect "backdoors" or other anomalies that may mean sensitive data is at risk. ASSOCIATED PRESS June 16, 2000 The technology can track and analyze every move from e-mail to Web browsing to file transfers involving as many as 1,444 protocols, or communications standards, said John Suit, one of the three inventors. REUTERS June 14, 2000 Raytheon's latest effort to go commercial following the end of the Cold War is security software called SilentRunnerTM, which helps businesses detect nefarious communications by employees. The software uses algorithms rather than keywords to sift through email for employees plotting fraud, insider trading, corporate espionage or anything else detrimental to companies' health. TELEKOM NET June 14, 2000 ARLINGTON RAYTHEON, a top US defence contractor, rolled out a software tool yesterday it said is designed to spot and report the 70 per cent or so of cyber-threats said to come from inside computer networks. Dubbed SilentRunnerTM, the high-end product uses complex algorithms, or logical steps, to sniff out such corporate headaches as proprietary-data theft, fraud and commercial espionage even as they are occurring. REUTERS June 16, 2000 From hcorn@cix.co.uk Tue, 19 Jun 2001 15:52:44 +0100 Date: Tue, 19 Jun 2001 15:52:44 +0100 From: Peter Sommer hcorn@cix.co.uk Subject: Proposed abolition of data protection controls on public sector data At 15:23 19/06/01 +0100, Donald Ramsbottom wrote: >Look who is behind it again, the wonderful PIU, those very people who >hatched RIPA now want all your data in one place, great stuff. > >They are also the people who commissioned "project Trawler" as I recall >whereby the LEAs reported to them (the PIU) and they then used Trawler as a >raison d'etre for RIPA. No: RIPA was not hatched by the PIU but was born from a Home Office consultative document on the reform of IoCA - to which was added the crypto part of the E-Commerce legislation. PIU produced a report which tried to make peace between Home Office interests and those of the DTI. Project Trawler was commissioned by the National Criminal Intelligence Agency (NCIS) |-> Peter Sommer ------------------------------------>| |-> hcorn@cix.co.uk P.M.Sommer@lse.ac.uk ------------>| |-> Academic URL: http://csrc.lse.ac.uk//Sommer.htm ->| |-> Commercial URL: http://www.virtualcity.co.uk----->| From lists@benzo8.org Wed, 20 Jun 2001 07:55:50 +0100 Date: Wed, 20 Jun 2001 07:55:50 +0100 From: John Sullivan lists@benzo8.org Subject: Silent Runner At 03:47 AM 20/06/2001, you wrote: >SilentRunner by Raytheon has a Web site: > http://www.silentrunner.com/ It also has an exploit with which you can crash it, should your boss be using it on your work network (version specific): http://www.securiteam.com/exploits/5SP0W0A3PO.html John... -- www.sporadica.co.uk - "...a willful squandering of 'Net resources..." - Newsweak From kelm@secorvo.de Wed, 20 Jun 2001 10:11:08 +0200 Date: Wed, 20 Jun 2001 10:11:08 +0200 From: Stefan Kelm kelm@secorvo.de Subject: [Fwd] Privacy Issues in the Use of PKI... http://www.privacy.gov.au/rfc/index.html#4 Invitation to comment on the Consultation Paper: Privacy Issues in the Use of Public Key Infrastructure for Individuals and Possible Guidelines for Handling Privacy Issues in the Use of PKI for Individuals by Commonwealth agencies (15/6/2001) (Please note: comments required by 27 July 2001) The federal Government has developed a Public Key Infrastructure (PKI) known as Gatekeeper to facilitate the take up of online delivery of government services in Australia. PKI is a technology and trust framework, which involves the use of digital signature certificates for assuring the identity of certificate holders and the integrity of the online messages they exchange. [...] ------------------------------------------------------- Dipl.-Inform. Stefan Kelm Security Consultant Secorvo Security Consulting GmbH Albert-Nestler-Strasse 9, D-76131 Karlsruhe Tel. +49 721 6105-461, Fax +49 721 6105-455 E-Mail kelm@secorvo.de, http://www.secorvo.de ------------------------------------------------------- PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B From nbohm@ernest.net Wed, 20 Jun 2001 10:19:43 +0100 Date: Wed, 20 Jun 2001 10:19:43 +0100 From: Nicholas Bohm nbohm@ernest.net Subject: Proposed abolition of data protection controls on public sector data At 15:52 19/06/2001 +0100, Peter Sommer wrote: >At 15:23 19/06/01 +0100, Donald Ramsbottom wrote: >>Look who is behind it again, the wonderful PIU, those very people who >>hatched RIPA now want all your data in one place, great stuff. >> >>They are also the people who commissioned "project Trawler" as I recall >>whereby the LEAs reported to them (the PIU) and they then used Trawler as a >>raison d'etre for RIPA. > > >No: RIPA was not hatched by the PIU but was born from a Home Office >consultative document on the reform of IoCA - to which was added the crypto >part of the E-Commerce legislation. PIU produced a report which tried to >make peace between Home Office interests and those of the DTI. But this was, I think, the first place where the notorious "reverse burden of proof" suggestion first surfaced. Regards Nicholas Salkyns, Great Canfield, Takeley, Bishop’s Stortford CM22 6SX, UK Phone 01279 871272 (+44 1279 871272) Fax 01279 870215 (+44 1279 870215) Mobile 07715 419728 (+44 7715 419728) PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07 PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF From anthony.naggs@atrial.com Wed, 20 Jun 2001 13:45:42 +0100 Date: Wed, 20 Jun 2001 13:45:42 +0100 From: anthony.naggs@atrial.com anthony.naggs@atrial.com Subject: Black market in 'everlasting' Tube tickets unearthed On 19 Jun 2001, at 16:58, David Parkinson wrote: > At 07:14 AM 19-06-01 -0300, M Taylor quoted: > >Black market in 'everlasting' Tube tickets unearthed > > > > > >A black market in tube tickets with an infinite expiry date has appeare= d > >in London. > > Unless this is something new it is old news. I seem to recall seeing > something on this a few years ago, but I can't track down the reference. Risks Digest 20.48 has a short piece, referring to an article by Dick Murray in the London Evening Standard of July 9th 1999. > >The fraudulent Travelcards can be used indefinitely and current magneti= c > >strip technology does not recognise they are fakes. > > The known problem is that the date field wraps around in some way so tha= t > old cards become valid again. > > >The Evening Standard newspaper says a reporter bought one of the bogus > >passes for =A380 in a Notting Hill pub which should have expired in 199= 9, > >but which still works. Well one thing has changed since the 1999 story, which quoted a price of =A350. > It is a new fraud if that sentence is correct, but maybe the more accura= te > wording is "..but which now works again". > > From the article quoted: > >While they were advanced at the time, the limitations of magnetic stri= ps > >mean that some date sequences held on the ticket come around again. > >When this happens the ticket starts working again. LU is aware of the > >problem and has updated the computer software in tickets machines, the > >last update being in January 2000. Although they admit that "one or tw= o > >number sequences have evaded them." > > M Taylor wrote: > >Interesting because they claim it doesn't make sense to do a software > >upgrade to fix the problem, yet they are losing real money due to it. > >Wonder how many other "security" problems are deemed not economical to > >fix, in software. > > I guess as they moving to a smartcard based system in 2002 somebody has > done their sums and worked out "software upgrade costs" > "fraud losses" > in the interim. A simple enough equation, the difficulty being in > estimating the "fraud losses" element. Probably much of the cost in co-ordinating deployment of the updated software to ticket gates, ticket vending machines, railway company ticketing terminals, as well as all the little corner shop ticket terminals. All of which must happen without upsetting holders of valid tickets. Cheers, Tony From kieran@snaz.com Wed, 20 Jun 2001 14:44:46 +0100 Date: Wed, 20 Jun 2001 14:44:46 +0100 From: Kieran Barry kieran@snaz.com Subject: Watermarking (Was RE: Illegal prime numbers) > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Donald > ramsbottom > > The SDMI challengees know the "product" does not work, but have been > "restricted" from publishing (despite recent noises from > the Challengors > that they may publish) which was a lot of silliness in the > first place, as > the crypto used, was and still is relying on secrecy rather > than being open > source and open to scrutiny. Why they want to do all of this with > proprietary code when they have the DeCSS debacle still in > place is beyond > me, but once a control freak always a control freak. > The SDMI, IMO, is a charade to ensure that anyone circumventing the watermark can be prosecuted under the DMCA. It is possible to argue that playing such music (after removing the watermark) is an offence. And from the record companies POV, the DeCSS was a resounding success. They have a view that they want to completely control the supply of music. The technology they choose is only needed to ensure the additional protection given by DMCA. Regards Kieran From jonc@lacunae.org Wed, 20 Jun 2001 15:03:24 +0100 Date: Wed, 20 Jun 2001 15:03:24 +0100 From: Jonathan Care jonc@lacunae.org Subject: GPS driver systems and privacy Some time ago, I contributed to a thread in regarding the issues behind GPS systems and secrecy. This article from The Register (http://www.theregister.co.uk/content/2/19831.html) seems to illustrate a real case of a driver being monitored by a GPS system "complete with back channel". I'd be interested to know any more technical details on this case. GPS used to spy on rental drivers By John Leyden Posted: 20/06/2001 at 11:53 GMT A driver is suing a car hire firm, which charged him $450 for allegedly speeding in a van fitted with a hi-tech device for spying on drivers. According to the New Haven Advocate, James Turner is taking Acme Rent-A-Car to court over penalties levied on him for "going at speeds in excess of 90 mph on three separate occasions." The van was fitted with a system based on GPS (Global Positioning System) satellite technology whose primary purpose was to monitor drivers rather than help them with navigation. Acme uses technology from wireless application service provider AirIQ called OnBoard which "keeps track of where the vehicle is, what direction it is going, what speed it is travelling". OnBoard, which uses an on-board computer with integrated GPS (Global Positioning System) and wireless transceiver, can even be used to disable a vehicle or lock its doors with the "point and click of a mouse". In the case of Turner, the technology reportedly recorded him speeding while he made a journey through seven states last October. Tuner had been a regular customer of Acme and didn't notice the small print in his rental agreement, which said, "vehicles in excess of posted speed limit will be charged $150 fee per occurrence". Acme levied the "fines" on Turner though his debit card had nothing to do with any police action. It has defended its business practices and will contest Turner's claims when they come to court. Six other claims have also been filed against Acme. Quite apart from whether the technology proves someone is speeding and whether due process of law was followed by Acme we reckon that the car hire firm has scored an own goal when it comes to customer management. However you feel about speeding, would you be happy hiring a car knowing that the car hire firm can spy on you? This is a use of technology that deserves to be left in the lay-by. ® With kind regards, Jonathan Care CISSP Tel/Fax: +44 7092 016192 Lacunae Systems - Cryptography, Privacy, Security, Technical & Change Management From donald@ramsbottom.co.uk Wed, 20 Jun 2001 15:46:00 +0100 Date: Wed, 20 Jun 2001 15:46:00 +0100 From: Donald ramsbottom donald@ramsbottom.co.uk Subject: Proposed abolition of data protection controls on public sector data >No: RIPA was not hatched by the PIU but was born from a Home Office >consultative document on the reform of IoCA - to which was added the crypto >part of the E-Commerce legislation. PIU produced a report which tried to >make peace between Home Office interests and those of the DTI. Project >Trawler was commissioned by the National Criminal Intelligence Agency (NCIS) > > > > >|-> Peter Sommer ------------------------------------>| I am not sure I agree with this statement, but am not going to argue it. I made a quip from memory..................................I am not going to .........................memory............................................. ..... meeeeeeeeeeeeemory...... Ergh, Alzheimers flash forward! Donald Ramsbottom BA LLb (Hons) PGdip Ramsbottom & Co Solicitors Internet and Global Encryption Law Specialists & General UK Law Matters 5 Seagrove Avenue Hayling Island Hampshire UK Tel (44) 023 9246 5931 Fax (44) 023 9246 8349 Regulated by the Law Society in the conduct of Investment business Service by Fax or Email NOT accepted From donald@ramsbottom.co.uk Wed, 20 Jun 2001 15:49:49 +0100 Date: Wed, 20 Jun 2001 15:49:49 +0100 From: Donald ramsbottom donald@ramsbottom.co.uk Subject: Watermarking (Was RE: Illegal prime numbers) SNIP >The SDMI, IMO, is a charade to ensure that anyone circumventing >the watermark can be prosecuted under the DMCA. It is possible >to argue that playing such music (after removing the watermark) >is an offence. > >And from the record companies POV, the DeCSS was a resounding >success. They have a view that they want to completely control >the supply of music. The technology they choose is only needed >to ensure the additional protection given by DMCA. > >Regards > >Kieran Good point, never thought of that. Damnbly cunning these ......errr record company executives. Donald Ramsbottom BA LLb (Hons) PGdip Ramsbottom & Co Solicitors Internet and Global Encryption Law Specialists & General UK Law Matters 5 Seagrove Avenue Hayling Island Hampshire UK Tel (44) 023 9246 5931 Fax (44) 023 9246 8349 Regulated by the Law Society in the conduct of Investment business Service by Fax or Email NOT accepted From Nick.Barnes@pobox.com Wed, 20 Jun 2001 15:12:04 +0100 Date: Wed, 20 Jun 2001 15:12:04 +0100 From: Nick Barnes Nick.Barnes@pobox.com Subject: GPS driver systems and privacy At 2001-06-20 14:03:24+0000, "Jonathan Care" writes: > Some time ago, I contributed to a thread in regarding the issues behind GPS > systems and secrecy. This article from The Register > (http://www.theregister.co.uk/content/2/19831.html) seems to illustrate a > real case of a driver being monitored by a GPS system "complete with back > channel". > > I'd be interested to know any more technical details on this case. www.airiq.com has more details on the system. Basically their unit combines (a) a GPS unit, (b) a cellphone unit, and (c) control over the car's engine, locks, and other components. Even disregarding the 'big brother' aspects, the possibilities for abuse are remarkable. How long before 13-year-olds are "0wn1ng" cars? Nick B > GPS used to spy on rental drivers > By John Leyden > Posted: 20/06/2001 at 11:53 GMT > > > A driver is suing a car hire firm, which charged him $450 for allegedly > speeding in a van fitted with a hi-tech device for spying on drivers. > > According to the New Haven Advocate, James Turner is taking Acme Rent-A-Car > to court over penalties levied on him for "going at speeds in excess of 90 > mph on three separate occasions." > > The van was fitted with a system based on GPS (Global Positioning System) > satellite technology whose primary purpose was to monitor drivers rather > than help them with navigation. > > Acme uses technology from wireless application service provider AirIQ called > OnBoard which "keeps track of where the vehicle is, what direction it is > going, what speed it is travelling". > > OnBoard, which uses an on-board computer with integrated GPS (Global > Positioning System) and wireless transceiver, can even be used to disable a > vehicle or lock its doors with the "point and click of a mouse". > > In the case of Turner, the technology reportedly recorded him speeding while > he made a journey through seven states last October. > > Tuner had been a regular customer of Acme and didn't notice the small print > in his rental agreement, which said, "vehicles in excess of posted speed > limit will be charged $150 fee per occurrence". > > Acme levied the "fines" on Turner though his debit card had nothing to do > with any police action. It has defended its business practices and will > contest Turner's claims when they come to court. Six other claims have also > been filed against Acme. > > Quite apart from whether the technology proves someone is speeding and > whether due process of law was followed by Acme we reckon that the car hire > firm has scored an own goal when it comes to customer management. > > However you feel about speeding, would you be happy hiring a car knowing > that the car hire firm can spy on you? This is a use of technology that > deserves to be left in the lay-by. ® > > > With kind regards, > Jonathan Care CISSP > Tel/Fax: +44 7092 016192 > Lacunae Systems - Cryptography, Privacy, > Security, Technical & Change Management > > > > > From roland@linx.net Wed, 20 Jun 2001 17:32:04 +0100 Date: Wed, 20 Jun 2001 17:32:04 +0100 From: Roland Perry roland@linx.net Subject: GPS driver systems and privacy In message , Jonathan Care writes >a driver being monitored by a GPS system "complete with back >channel". Yes, the back channel here will be terrestrial wireless. What it won't be is VSAT. Of course, it would be much simpler just to log the speeds into a black box [1] and decode it after the vehicle is returned. The 'fine' appears to have been retrospective, rather than waiting for him on his return. [1] My 99 quid pocket GPS receiver logs "max speed attained". -- Roland Perry | tel: +44 1733 207705 | roland@linx.org Director of Public Policy | fax: +44 1733 207729 | http://www.linx.net London Internet Exchange | mbl: +44 7050 604080 | /contact/roland From richard@highwayman.com Wed, 20 Jun 2001 17:40:59 +0100 Date: Wed, 20 Jun 2001 17:40:59 +0100 From: Richard Clayton richard@highwayman.com Subject: UNIRAS Briefing - No 95/01 - UNIRAS - Hoax Email -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Vaguely on topic! .... (BTW: it isn't yet on the website [nor is #94]... so maybe the briefing is itself a hoax ? the copy I received was not PGP signed, so I keep an open mind) - -----Original message----- Subject: UNIRAS Briefing - No 95/01 - UNIRAS - Hoax Email From: uniras@niscc.gov.uk - ---------------------------------------------------------------------------- - - UNIRAS (UK Govt CERT) Electronic Briefing Notice - No. E95/01 dated 20.06.01 UNIRAS Briefings are also available from our website at www.uniras.gov.uk - ---------------------------------------------------------------------------- - - Title ===== Hoax Email spam Detail ====== The Home Office and UNIRAS are aware that an email message is in circulation purporting to notify recipients that they have committed a spurious offence of "Internet Perversion" in apparent contravention of the Regulation of Investigatory Powers Act, referring recipients to a non-existent website for further details. This is a hoax and has no connection whatsoever to the Regulation of Investigatory Powers Act or any other piece of legislation. Anyone receiving this spammed message can safely delete and ignore it. - ---------------------------------------------------------------------------- - - For additional information or assistance, please contact the UNIRAS HELP Desk by telephone or Not Protectively Marked information may be sent via EMail to: uniras@niscc.gov.uk Tel: 020 7821 1330 Ext 4511 Fax: 020 7821 1686 Technical queries can also be addressed to: uniras@cesg.gov.uk Tel: 020 7821 1330 Ext 4542 or Tel: GTN 1366 5065 UNIRAS material is also available from our website at www.uniras.gov.uk - ---------------------------------------------------------------------------- - - UNIRAS wishes to acknowledge the contributions of the Home Office for the information contained in this briefing. - ---------------------------------------------------------------------------- - - Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by UNIRAS. The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. UNIRAS shall also accept no responsibility for any errors or omissions contained within this briefing notice. In particular, UNIRAS shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this notice. UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large. - ---------------------------------------------------------------------------- - - - -----End of original message from UNIRAS----- - -- richard Richard Clayton "Where the people who kindly endured my odd questions asked if I came very far" Jackson Browne 1971 -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBOzDSGxfnRQV/feRLEQJ/tACfRoB4BCx0dtwI9cLwxm3e19vYEqkAoL0b DxQaBwCNwygkVEmF0QKqdFYP =+Cki -----END PGP SIGNATURE----- From oml@eloka.demon.co.uk Thu, 21 Jun 2001 14:07:50 +0100 Date: Thu, 21 Jun 2001 14:07:50 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: Silent Runner > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of John Young > Sent: 20 June 2001 03:47 > To: ukcrypto@chiark.greenend.org.uk > Subject: RE: Silent Runner > > > SilentRunner by Raytheon has a Web site: > > http://www.silentrunner.com/ > > The nasty product got a fair amount of press attention > in the summer of 2000. Quote the Web site's news blurbs: (snip) Yes, the web site is not too informative about this remarkable tool. In sum: 1. The presence on a network of the platform running it is claimed to be undetectable (it has no IP stack). 2. The product is underpinned by 50 patents, all alleged as owned by the NSA. 3. It records all traffic and can perform both traffic analysis and keyword search (any language/character set). 4. It can read and sort graphical images transmitted with a high degree of certainty (e.g. It can sort images of Britney Spears in various costume and poses from those of any other blonde female. 5. Its traffic analysis capabilities include the certain detection and identification of: a. Groups communicating in cipher (capability against stego not probable). b. Individuals concerning themselves with company information outside of their job remit. c. Communication of material not relevant to the employment of the sender. d. Hacking, actual and attempted. The question is, what's in it for Uncle Sam to be turning loose such a powerful product with, seemingly, only the most trivial of controls? Interestingly, there is opinion that its use by companies in the UK would be in contravention of RIPA unless the said company has expressly forbidden all use of its network for the purpose of private communication. Owen From nexus@patrol.i-way.co.uk Thu, 21 Jun 2001 14:36:47 +0100 Date: Thu, 21 Jun 2001 14:36:47 +0100 From: Nexus nexus@patrol.i-way.co.uk Subject: Silent Runner ----- Original Message ----- From: "Owen Lewis" To: Sent: Thursday, June 21, 2001 2:07 PM Subject: RE: Silent Runner [snip] > Yes, the web site is not too informative about this remarkable tool. In sum: > > 1. The presence on a network of the platform running it is claimed to be > undetectable (it has no IP stack). As do existing Intrusion Detection Systems, no big deal. > 2. The product is underpinned by 50 patents, all alleged as owned by the > NSA. Which means bugger all, apart from a rather nifty way to dodge any technical questions ;-) > 3. It records all traffic and can perform both traffic analysis and keyword > search (any language/character set). Nothing new yet... > 4. It can read and sort graphical images transmitted with a high degree of > certainty (e.g. It can sort images of Britney Spears in various costume and > poses from those of any other blonde female. This is would like to see (the sorting algo, not Britters) > Interestingly, there is opinion that its use by companies in the UK would be > in contravention of RIPA unless the said company has expressly forbidden all > use of its network for the purpose of private communication. And the EU Privacy rulings as well ? Cheers, JJ From jtjm@xenoclast.org Thu, 21 Jun 2001 14:44:34 +0100 (BST) Date: Thu, 21 Jun 2001 14:44:34 +0100 (BST) From: Julian T. J. Midgley jtjm@xenoclast.org Subject: Silent Runner On Thu, 21 Jun 2001, Nexus wrote: > ----- Original Message ----- > From: "Owen Lewis" > > > 2. The product is underpinned by 50 patents, all alleged as owned by the > > NSA. > > Which means bugger all, apart from a rather nifty way to dodge any technical > questions ;-) Surely not - if they're patented then the technical details must be in the public domain, by definition. It also appears to have a snazzy 3D data analysis tool - unfortunately the screenshots on the website whet the appetite, but don't show much detail. Julian -- Julian T. J. Midgley http://www.xenoclast.org Cambridge, England. PGP Key ID: 0xBCC7863F From DHowe@Hawkswing.demon.co.uk Thu, 21 Jun 2001 14:59:32 +0100 Date: Thu, 21 Jun 2001 14:59:32 +0100 From: David Howe DHowe@Hawkswing.demon.co.uk Subject: Silent Runner > > 2. The product is underpinned by 50 patents, all alleged as owned by the > > NSA. > Which means bugger all, apart from a rather nifty way to dodge any technical > questions ;-) Nope, obvious question should be "which patents" - as patents are a matter of public record (that is the whole point - you get your monopoly in return for revealing the secret) they have nothing to gain by hiding them (and IIRC, they *have* to put the patent number somewhere in the documentation to claim patent protection - could be my memory playing up again though) > > 4. It can read and sort graphical images transmitted with a high degree of > > certainty (e.g. It can sort images of Britney Spears in various costume > > and poses from those of any other blonde female. > This is would like to see (the sorting algo, not Britters) Like to see both TBH - but regardless; I can imagine that face recognition software is in there somewhere (and IIRC the NSA does have two or three patents in that area) but why bother? what advantage is there in grouping photographs by probable person for a corporate sniffer? or have they somehow managed to distinguish porn from art (which presumably gives us an AI computer with a working knowledge of the art world) From mctylr@privacy.nb.ca Thu, 21 Jun 2001 11:33:17 -0300 (ADT) Date: Thu, 21 Jun 2001 11:33:17 -0300 (ADT) From: M Taylor mctylr@privacy.nb.ca Subject: Silent Runner On Thu, 21 Jun 2001, Julian T. J. Midgley wrote: > > ----- Original Message ----- > > From: "Owen Lewis" > > > > > 2. The product is underpinned by 50 patents, all alleged as owned by the > > > NSA. > > > > Surely not - if they're patented then the technical details must be in the > public domain, by definition. So they licensed these technologies from the NSA? In the USA the NSA, as well other members of DoD can protect patents, or something to that effect. I don't know the details but some mention is made in Crypto by Steven Levy about early cryptographic patents (Lucifer, or DEA/DES I think). Perhaps a 'secrecy order'. -M Taylor From oml@eloka.demon.co.uk Thu, 21 Jun 2001 18:15:05 +0100 Date: Thu, 21 Jun 2001 18:15:05 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: Silent Runner > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of David Howe > Sent: 21 June 2001 15:00 > To: ukcrypto@chiark.greenend.org.uk > Subject: Re: Silent Runner > > > 4. It can read and sort graphical images transmitted with a > high degree > of > > > certainty (e.g. It can sort images of Britney Spears in > various costume > > > and poses from those of any other blonde female. > > This is would like to see (the sorting algo, not Britters) > Like to see both TBH - but regardless; I can imagine that face recognition > software is in there somewhere (and IIRC the NSA does have two or three > patents in that area) but why bother? what advantage is there in grouping > photographs by probable person for a corporate sniffer? or have > they somehow > managed to distinguish porn from art (which presumably gives us an AI > computer with a working knowledge of the art world) The BS demo was simply to be innocuous. The program can sort with a high degree of specificity who communicates/receives images of a given type. This is said not to be any form of graphical comparison but done directly on the compressed code in the graphics files. I had hopes that some here might have had some 'hands-on with this tool. If any have, their staying stumm :-( Owen From oml@eloka.demon.co.uk Thu, 21 Jun 2001 21:16:41 +0100 Date: Thu, 21 Jun 2001 21:16:41 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: Silent Runner > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of M Taylor > Sent: 21 June 2001 15:33 > To: ukcrypto@chiark.greenend.org.uk > Subject: Re: Silent Runner > > > On Thu, 21 Jun 2001, Julian T. J. Midgley wrote: > > > > ----- Original Message ----- > > > From: "Owen Lewis" > > > > > > > 2. The product is underpinned by 50 patents, all alleged as > owned by the > > > > NSA. > > > > > > > Surely not - if they're patented then the technical details > must be in the > > public domain, by definition. > > So they licensed these technologies from the NSA? > > In the USA the NSA, as well other members of DoD can protect patents, or > something to that effect. I don't know the details but some mention is > made in Crypto by Steven Levy about early cryptographic patents (Lucifer, > or DEA/DES I think). Perhaps a 'secrecy order'. Perhaps you are thinking of something different. There are, I think two points: 1. Every patent application must be first filed with the national patent office of the applicant. All applications are screened for matters affecting national security. Where there is concern that the subject material of an application has a material effect on national security, the state has a finite period of time in which to react and prevent both the publication of the material or further work on it. This can lead to some pretty weasel worded applications (or so one is told). 2. A patentee may not refuse the use of his invention to the state, which may use it as of right (but for which use it makes appropriate financial compensation). Owen From jeremy.barker@btinternet.com Fri, 22 Jun 2001 00:24:43 +0100 Date: Fri, 22 Jun 2001 00:24:43 +0100 From: Jeremy Barker jeremy.barker@btinternet.com Subject: Silent Runner David Howe wrote: > > > 2. The product is underpinned by 50 patents, all alleged as owned by the > > > NSA. > > Which means bugger all, apart from a rather nifty way to dodge any > technical > > questions ;-) > Nope, obvious question should be "which patents" - as patents are a matter > of public record (that is the whole point - you get your monopoly in return > for revealing the secret) they have nothing to gain by hiding them (and > IIRC, they *have* to put the patent number somewhere in the documentation to > claim patent protection - could be my memory playing up again though) There's no legal need to even disclose that equipment is patented or incorporates patented technology to obtain the benefit of patent protection. Neither is there any need to show the number of any patent - if there was many cars would come with a patents handbook probably as large as the owner's handbook. The only time that disclosing the existence of a patent is undoubtedly helpful is if - as in this case - it can be used for marketing purposes. jb From DHowe@Hawkswing.demon.co.uk Fri, 22 Jun 2001 10:51:17 +0100 Date: Fri, 22 Jun 2001 10:51:17 +0100 From: David Howe DHowe@Hawkswing.demon.co.uk Subject: Silent Runner > There's no legal need to even disclose that equipment is patented or > incorporates patented technology to obtain the benefit of patent protection. > Neither is there any need to show the number of any patent - if there was many > cars would come with a patents handbook probably as large as the owner's > handbook. The only time that disclosing the existence of a patent is undoubtedly > helpful is if - as in this case - it can be used for marketing purposes. ok, thanks - I *did* mark the comment as a doubtful one - it is one of those things you get told by a collegue about the american legal system that sound plausable, but you never quite know for sure :) From k.brown@ccs.bbk.ac.uk Fri, 22 Jun 2001 11:42:24 +0100 Date: Fri, 22 Jun 2001 11:42:24 +0100 From: Ken Brown k.brown@ccs.bbk.ac.uk Subject: Silent Runner Jeremy Barker wrote: [...] > Neither is there any need to show the number of any patent - if there was many > cars would come with a patents handbook probably as large as the owner's > handbook. As large as the owner more like - if not as large as the car. There must be some hundreds, if not thousands, of patents involved in just the computers in the control systems of a modern car. As for the car itself & the materials it is made of - I bet just about every tiny little piece of the motor is slightly different from the next manufacturer's tiny little piece and has been thoroughly worked over by lawyers. (I never did understand machines with moving parts, but I get the impression that they are made of a great many Tiny Little Pieces which go wrong and require much money, and occasional blows with blunt objects, to fix. Software is much simpler - it does what you tell it, all you need to do is find the magic words. No unpleasant bending.) Ken Brown From donald@ramsbottom.co.uk Fri, 22 Jun 2001 11:51:27 +0100 Date: Fri, 22 Jun 2001 11:51:27 +0100 From: Donald ramsbottom donald@ramsbottom.co.uk Subject: Silent Runner SNIP >(I never did understand machines with moving parts, but I get the >impression that they are made of a great many Tiny Little Pieces which >go wrong and require much money, and occasional blows with blunt >objects, to fix. Software is much simpler - it does what you tell it, >all you need to do is find the magic words. No unpleasant bending.) > >Ken Brown > But finding the right spell book can be a long and ardous quest :) Donald Ramsbottom BA LLb (Hons) PGdip Ramsbottom & Co Solicitors Internet and Global Encryption Law Specialists & General UK Law Matters 5 Seagrove Avenue Hayling Island Hampshire UK Tel (44) 023 9246 5931 Fax (44) 023 9246 8349 Regulated by the Law Society in the conduct of Investment business Service by Fax or Email NOT accepted From jya@pipeline.com Sat, 23 Jun 2001 12:26:17 -0700 Date: Sat, 23 Jun 2001 12:26:17 -0700 From: John Young jya@pipeline.com Subject: NSA Snooping US Crypto Data Debate on whether the NSA spies domestically on US persons appears to be "yes" according to USSID 18, dated July 23, 1993, which was obtained by the National Security Archive a while back, for which we offer an HTML: http://cryptome.org/nsa-ussid18.htm Parts previously redacted concerning domestic surveillance are now revealed, among them these provisions for acquiring and retaining indefinitely domestically acquired encipherments: [Quote] (2) Domestic communications reasonably believed to contain technical data base information may be retained for a period sufficient to allow a thorough exploitation and to permit access to data that are, or are reasonably believed likely to become, relevant to a current or future foreign intelligence requirement. Sufficient duration may vary with the nature of the exploitation. (S-CCO) a. In the context of a cryptanalytic effort, maintenance of technical data bases requires retention of all communications that are enciphered or reasonably believed to contain secret meaning, and sufficient duration may consist of any period of time during which encrypted material is subject to, or of use in, cryptanalysis. (S-CCO) b. In the case of communications that are not enciphered or otherwise thought to contain secret meaning, sufficient duration is one year unless the Deputy Director for Operations, NSA, determines in writing that retention for a longer period is required to respond to authorized foreign intelligence or counterintelligence requirements. (S-CCO) [End quote] Again, these sections were censored in versions of USSID 18 previously made public, a 1980 version here: http://cryptome.org/nsa-ussid18-80.htm While the quoted material is a small part of the 52-page document, variations on it are repeated more than once, and seems to be the one exception to the requirement to avoid domestic interceptions and to destroy any that are inadvertently acquired. The classification (S-CCO) is not explained but some think it perhaps indicates material limited to the UK/USA agreement and/or the Echelon partners. A better answer is welcomed. From phantomink@powersurfr.com Sat, 23 Jun 2001 22:34:14 -0700 Date: Sat, 23 Jun 2001 22:34:14 -0700 From: Phantom Ink phantomink@powersurfr.com Subject: NSA Snooping US Crypto Data ----- Original Message ----- From: "John Young" To: Sent: Saturday, June 23, 2001 12:26 PM Subject: NSA Snooping US Crypto Data > Debate on whether the NSA spies domestically on US > persons appears to be "yes" according to USSID 18, dated > July 23, 1993, which was obtained by the National Security > Archive a while back, for which we offer an HTML: > > http://cryptome.org/nsa-ussid18.htm > > Parts previously redacted concerning domestic surveillance > are now revealed, among them these provisions for acquiring > and retaining indefinitely domestically acquired encipherments: > > [Quote] > > (2) Domestic communications reasonably believed to > contain technical data base information may be retained > for a period sufficient to allow a thorough exploitation and > to permit access to data that are, or are reasonably believed > likely to become, relevant to a current or future foreign > intelligence requirement. Sufficient duration may vary > with the nature of the exploitation. (S-CCO) > > a. In the context of a cryptanalytic effort, maintenance of > technical data bases requires retention of all communications > that are enciphered or reasonably believed to contain secret > meaning, and sufficient duration may consist of any period of > time during which encrypted material is subject to, or of use > in, cryptanalysis. (S-CCO) > > b. In the case of communications that are not enciphered or > otherwise thought to contain secret meaning, sufficient duration > is one year unless the Deputy Director for Operations, NSA, > determines in writing that retention for a longer period is > required to respond to authorized foreign intelligence or > counterintelligence requirements. (S-CCO) > > [End quote] > > Again, these sections were censored in versions of USSID 18 > previously made public, a 1980 version here: > > http://cryptome.org/nsa-ussid18-80.htm > > While the quoted material is a small part of the 52-page > document, variations on it are repeated more than > once, and seems to be the one exception to the > requirement to avoid domestic interceptions and > to destroy any that are inadvertently acquired. > > The classification (S-CCO) is not explained but some > think it perhaps indicates material limited to the UK/USA > agreement and/or the Echelon partners. A better answer > is welcomed. > > > > From David_Biggins@usermgmt.com Sun, 24 Jun 2001 19:37:26 +0100 Date: Sun, 24 Jun 2001 19:37:26 +0100 From: David_Biggins@usermgmt.com David_Biggins@usermgmt.com Subject: US confirms that warrants are needed for data snooping. " The US Supreme Court ruled that nosy cops and Feds must obtain a warrant to carry out remote surveillance of a suspect's house by means of radiation detection apparatus, according to a five/four decision issued Tuesday. " http://www.theregister.co.uk/content/8/19655.html Dare we hope that the UK will similarly defend our safeguards? ## dave ## From oml@eloka.demon.co.uk Mon, 25 Jun 2001 09:32:14 +0100 Date: Mon, 25 Jun 2001 09:32:14 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: US confirms that warrants are needed for data snooping. > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of > David_Biggins@usermgmt.com > Sent: 24 June 2001 19:37 > To: ukcrypto@chiark.greenend.org.uk > Subject: US confirms that warrants are needed for data snooping. > > > " The US Supreme Court ruled that nosy cops and Feds must obtain a > warrant to carry out remote surveillance of a suspect's house by means > of radiation detection apparatus, according to a five/four decision > issued Tuesday. " > > > > http://www.theregister.co.uk/content/8/19655.html > > > Dare we hope that the UK will similarly defend our safeguards? Don't hold your breath. Just think of all the TV licensing authority personnel you'd have put out of work. Besides, 'radiation detection' includes the use of standard radio receivers and Geiger counters. Methinks perhaps the USSS has been misreported. Owen From james@cloud9.co.uk Mon, 25 Jun 2001 09:40:07 +0100 Date: Mon, 25 Jun 2001 09:40:07 +0100 From: James Fidell james@cloud9.co.uk Subject: US confirms that warrants are needed for data snooping. Quoting Owen Lewis (oml@eloka.demon.co.uk): > Besides, 'radiation detection' includes the use of standard radio receivers > and Geiger counters. And eyes? :) James From I.Brown@cs.ucl.ac.uk Mon, 25 Jun 2001 11:02:33 +0100 Date: Mon, 25 Jun 2001 11:02:33 +0100 From: Ian BROWN I.Brown@cs.ucl.ac.uk Subject: US confirms that warrants are needed for data snooping. >Besides, 'radiation detection' includes the use of standard radio receivers >and Geiger counters. Methinks perhaps the USSS has been misreported. The Supreme Court ruled that use of surveillance equipment *not in general use by the public* against a home required a warrant. -- "The media has characterized `1A vs. privacy' as a novel issue. The press gave birth to the latter in the pursuit of the former." --Aimee E. Farr From cb@fipr.org Mon, 25 Jun 2001 11:39:28 +0100 Date: Mon, 25 Jun 2001 11:39:28 +0100 From: Caspar Bowden cb@fipr.org Subject: US confirms that warrants are needed for data snooping. >>David_Biggins@usermgmt.com >>" The US Supreme Court ruled that nosy cops and Feds must obtain a >>warrant to carry out remote surveillance of a suspect's house by means >>of radiation detection apparatus, according to a five/four decision >[mailto:ukcrypto-admin@chiark.greenend.org.uk] On Behalf Of Owen Lewis >Don't hold your breath. Just think of all the TV licensing >authority personnel you'd have put out of work. RIP deals with TV license fee enforcement as a specific case http://www.hmso.gov.uk/si/si2001/20011057.htm >Besides, 'radiation detection' includes the use of standard >radio receivers and Geiger counters. Methinks perhaps the USSS >has been misreported. Relevant (but perhaps OT ukcrypto) cross-post from Politech below -----Original Message----- From: owner-politech@politechbot.com [mailto:owner-politech@politechbot.com] On Behalf Of Declan McCullagh Sent: 23 June 2001 20:11 To: politech@politechbot.com Subject: FC: Response to WSJ on Jeffrey Rosen's op-ed on Kyllo decision --- Background: http://www.politechbot.com/cgi-bin/politech.cgi?name=kyllo --- Date: Tue, 19 Jun 2001 16:11:29 -0400 From: "Phil Corwin" To: declan@well.com Subject: FW: Comment re: Jeffrey Rosen's Op-Ed on the Kyllo Decision (Privacy and Technology) Declan: Thought you might find this letter I sent to the WSJ yesterdau to be of some interest. Hope all is well. Best, Philip -----Original Message----- From: Phil Corwin [mailto:pcorwin@butera-andrews.com] Sent: Monday, June 18, 2001 12:53 PM To: 'editors@interactive.wsj.com' Subject: Comment re: Jeffrey Rosen's Op-Ed on the Kyllo Decision (Privacy and Technology) Jeffrey Rosen (A Victory for Privacy, June 18) is correct that Justice Scalia's majority opinion in the Kyllo case "is only the latest illustration of how privacy is an issue about which liberal and conservative justices can increasingly agree", as well as in his observation that "as invasive technologies become more commonplace, the court may have to decide that there are certain invasions no citizen in a civilized society should endure". The Court's decision, while welcome, unfortunately contains the seeds of its own destruction as a meaningful bulwark against technological erosion of privacy protections. That is due to its limitation to technologies incorporated in "a device that is not in general public use". Under this standard, as sophisticated technologies with the ability to surreptitiously invade privacy become widely utilized, Constitutional privacy protection contracts. In other words, the more such protection is needed, the less it is available. Applied to the facts of the Kyllo case, citizens may lose Constitutional protection against a future "search" conducted by a thermal imaging device if such devices have enjoyed broad adoption by the public. In fact, thermal imagery is already being offered as an automotive night vision enhancement, and in night vision goggles. Should these and similar uses achieve substantial market penetration sufficient to satisfy a future Court's subjective determination of "general public use" the same scenario could yield an opposite decision. The general public use standard raises even greater concerns when applied to protecting the information stored on the hard drives of home computers as we contemplate a future of constant broadband connection and broad use of peer-to-peer technologies. Napster, whatever its status under copyright law, demonstrated mass public acceptance of the notion that one's own computer can be a server providing content to others, and vice versa. But readily obtainable hacker programs make it possible to search another person's hard drive for sensitive financial, medical, and other information as well as for MP3 music files. Neither the "general public use" standard of the Kyllo decision or the "reasonable expectation" standard of the earlier Katz case may be sufficient to assure Constitutional prohibition of unauthorized hard drive searches. The limited statutory protections of current Federal law, in the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act, also fall short. So, while the Kyllo decision is a welcome stopgap, much work remains to be done by jurists and legislators of all political stripes if the privacy of information stored on computers is to remain secure against unreasonable searches in the twenty-first century. Sincerely, Philip S. Corwin Partner Butera & Andrews 1301 Pennsylvania Ave., NW Suite 500 Washington, DC 20004 202-347-6875 (voice)/-6876 (fax) ------------------------------------------------------------------------ - POLITECH -- Declan McCullagh's politics and technology mailing list You may redistribute this message freely if you include this notice. To subscribe, visit http://www.politechbot.com/info/subscribe.html This message is archived at http://www.politechbot.com/ ------------------------------------------------------------------------ - From donald@ramsbottom.co.uk Mon, 25 Jun 2001 11:43:48 +0100 Date: Mon, 25 Jun 2001 11:43:48 +0100 From: Donald ramsbottom donald@ramsbottom.co.uk Subject: US confirms that warrants are needed for data snooping. At 09:40 AM 6/25/01 +0100, you wrote: >Quoting Owen Lewis (oml@eloka.demon.co.uk): > >> Besides, 'radiation detection' includes the use of standard radio receivers >> and Geiger counters. > >And eyes? :) > >James No they can use eyes any other tech which is in "public use" (eg cameras). They can't use narrow beam high gain mic's or thermal imaging, or other "Tempest" like tech etc. Donald Ramsbottom BA LLb (Hons) PGdip Ramsbottom & Co Solicitors Internet and Global Encryption Law Specialists & General UK Law Matters 5 Seagrove Avenue Hayling Island Hampshire UK Tel (44) 023 9246 5931 Fax (44) 023 9246 8349 Regulated by the Law Society in the conduct of Investment business Service by Fax or Email NOT accepted From jya@pipeline.com Mon, 25 Jun 2001 07:30:29 -0700 Date: Mon, 25 Jun 2001 07:30:29 -0700 From: John Young jya@pipeline.com Subject: US confirms that warrants are needed for data snooping. Ian Brown wrote: >The Supreme Court ruled that use of surveillance equipment >*not in general use by the public* against a home required a >warrant. We are preparing a list of such equipment and welcome suggestions, and/or leads to locate and identify such equipment. NSA broadly defines its surveillance tools as "electronic, optical and mechanical." The Department of Defense extends that to include "physical" to cover human direct surveillance. But none of these are described specifically. Peter Wright, for one, in Spycatcher, lightly described a most interesting range of technologies deployed for counterintelligence, in particular "acoustic" means not precisely described. And he and others portray a technology for remotely "illuminating" objects within a secure facility to acquire interior signals that are believed to be otherwise protected. The US also uses classified technology whose code names are "NONSTOP" and "HIJACK." Rather these may indicate types of counterinterception methods. Presumably (like cryptology) these stand-off technologies will come into law enforcement use, then dual-use investigative and security, then select government-corporate, say for finance and telecommunications, and finally to the general public, they will also be subject to court challenge as with cryptology and, lately, thermal imaging. Optical and acoustical means are no doubt supplemented with means based on the other three or more senses. Extra-sensory perception has received an intriguing amount of attention by US and Russian intelligence agencies, according to open sources. Though "extra-sensory" is likely to be a cover phrase. Final note: in our pursuit of Freedom of Information data from NSA on Tempest technology, we are whispered that we are not asking the right questions, suggesting that there are other names or other outgrowths of Tempest that precludes our obtaining more enlightening information about the full electromagnetic spectrum -- and beyond?. From jtjm@xenoclast.org Mon, 25 Jun 2001 12:42:29 +0100 (BST) Date: Mon, 25 Jun 2001 12:42:29 +0100 (BST) From: Julian T. J. Midgley jtjm@xenoclast.org Subject: US confirms that warrants are needed for data snooping. On Mon, 25 Jun 2001, John Young wrote: > Ian Brown wrote: > > >The Supreme Court ruled that use of surveillance equipment > >*not in general use by the public* against a home required a > >warrant. > > We are preparing a list of such equipment and welcome > suggestions, and/or leads to locate and identify such > equipment. > > NSA broadly defines its surveillance tools as "electronic, > optical and mechanical." The Department of Defense > extends that to include "physical" to cover human > direct surveillance. But none of these are described > specifically. > > Peter Wright, for one, in Spycatcher, lightly described > a most interesting range of technologies deployed > for counterintelligence, in particular "acoustic" means > not precisely described. And he and others portray > a technology for remotely "illuminating" objects within > a secure facility to acquire interior signals that are > believed to be otherwise protected. The Russians were masters at this particular game; they perfected a method of eavesdropping based around illuminating a resonant cavity within the target room with microwaves. Sounds waves hitting the resonant cavity changed its properties slightly, effectively modulating the microwaves. In one case, the resonant cavity was concealed within a wooden replica of the Great Seal of the United States which was presented to the US Amassador in Moscow (who proceeded to keep it hung above his desk for several years before the cavity was discovered). See Ross Anderson's "Security Engineering" for a little more on this. Julian -- Julian T. J. Midgley http://www.xenoclast.org Cambridge, England. PGP Key ID: 0xBCC7863F From oml@eloka.demon.co.uk Mon, 25 Jun 2001 15:02:43 +0100 Date: Mon, 25 Jun 2001 15:02:43 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: US confirms that warrants are needed for data snooping. > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of James Fidell > Sent: 25 June 2001 09:40 > To: ukcrypto@chiark.greenend.org.uk > Subject: Re: US confirms that warrants are needed for data snooping. > > > Quoting Owen Lewis (oml@eloka.demon.co.uk): > > > Besides, 'radiation detection' includes the use of standard > radio receivers > > and Geiger counters. > > And eyes? :) Well spotted! What sharp ones you have :-) Owen From oml@eloka.demon.co.uk Mon, 25 Jun 2001 15:02:43 +0100 Date: Mon, 25 Jun 2001 15:02:43 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: US confirms that warrants are needed for data snooping. > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Caspar Bowden > Sent: 25 June 2001 11:39 > To: ukcrypto@chiark.greenend.org.uk > Subject: RE: US confirms that warrants are needed for data snooping. > > > >>David_Biggins@usermgmt.com > >>" The US Supreme Court ruled that nosy cops and Feds must obtain a > >>warrant to carry out remote surveillance of a suspect's house by means > > >>of radiation detection apparatus, according to a five/four decision > > >[mailto:ukcrypto-admin@chiark.greenend.org.uk] On Behalf Of Owen Lewis > >Don't hold your breath. Just think of all the TV licensing > >authority personnel you'd have put out of work. > > RIP deals with TV license fee enforcement as a specific case > http://www.hmso.gov.uk/si/si2001/20011057.htm > > >Besides, 'radiation detection' includes the use of standard > >radio receivers and Geiger counters. Methinks perhaps the USSS > >has been misreported. > > Relevant (but perhaps OT ukcrypto) cross-post from Politech below The relevance is slight, for sure, but it surely does no harm to inform members of this list as to electronic means of obtaining information against which the use of crypto is no defence. > > -----Original Message----- > From: Phil Corwin [mailto:pcorwin@butera-andrews.com] > Sent: Monday, June 18, 2001 12:53 PM > To: 'editors@interactive.wsj.com' > Subject: Comment re: Jeffrey Rosen's Op-Ed on the Kyllo Decision > (Privacy > and Technology) Much snipped from this interesting opinion. > Jeffrey Rosen (A Victory for Privacy, June 18) is correct that Justice > Scalia's majority opinion in the Kyllo case "is only the latest > illustration of how privacy is an issue about which liberal and > conservative justices can increasingly agree", as well as in his > observation that "as invasive technologies become more commonplace, the > court may have to decide that there are certain invasions no citizen in > a civilized society should endure". Mmmm... Sounds good, but truth is I can see no way of sensibly demarcating what is acceptable and is therefore to be lawful from what is deemed unacceptable and therefore unlawful. Any attempt to do so that is based on type of technology must be constantly re-interpreted - perhaps annually - as technology and its applications advance and proliferate. One sees a bean-feast for the lawyers but no satisfactory law or other protection of the individual in view. > > The Court's decision, while welcome, unfortunately contains the seeds of > its own destruction as a meaningful bulwark against technological > erosion of privacy protections. Very true. Now, the US SC justices are most surely no fools. Therefore, what can lead them to such a conclusion? Ignorance of the technology? Possibly, but is seems very unlikely for such astute and powerful people, with great resources at their beck and call. If there is no ignorance then by what means is it proposes to distinguish the use of one device from another and to what good end? That is due to its limitation to > technologies incorporated in "a device that is not in general public > use". Under this standard, as sophisticated technologies with the > ability to surreptitiously invade privacy become widely utilized, > Constitutional privacy protection contracts. In other words, the more > such protection is needed, the less it is available. > > Applied to the facts of the Kyllo case, citizens may lose Constitutional > protection against a future "search" conducted by a thermal imaging > device if such devices have enjoyed broad adoption by the public. In > fact, thermal imagery is already being offered as an automotive night > vision enhancement, and in night vision goggles. Should these and > similar uses achieve substantial market penetration sufficient to > satisfy a future Court's subjective determination of "general public > use" the same scenario could yield an opposite decision. Even this analysis does not bring out the full measure of futility. Consider the following: - A covert eavesdropping device using wireless technology, such as has been used for many years. The courts, throughout the US, EU and elsewhere accept evidence so obtained as routine. - The same covert eavesdropping capability but technologically enhanced, so that it has a very low probability of detection, should a party choose to check for the presence of a listening device. Here an ability to detect and therefore to defeat the purpose of the surveillance may be denied to the subject, but there is no greater 'invasion' of his privacy. - The same but associated with a miniature camera capable of operating in low light conditions. Again, these are now becoming a commonplace. I hear that some have been sold to the World Wildlife Fund for game park wardens to wear, concealed, in their hats! - As above but with the optics enhanced to provide imaging in the infra-red spectrum rather than in the visible spectrum. An infra-red receiver constitutes an invasion of privacy whilst a visible light one does not? I'd like to be in the court where that point was argued. Surely, the essential condition, which applies with equal force to both options, is whether or not the target had reason to believe that he was unobserved and unheard. The means of looking and listening must be immaterial. Once the principle is accepted that a person's activity may be recorded without his consent then the rest is mainly mechanics. I think it is way too late to claim that there is any right or freedom from recording without consent and therefore this (divided) ruling will gradually be dismantled as one of fine feeling but little clarity of thought. Perhaps it was objection to the lack of clarity of thought far more than disagreement as to sentiment that so nearly caused the ruling never to have been uttered. > The general public use standard raises even greater concerns when > applied to protecting the information stored on the hard drives of home > computers as we contemplate a future of constant broadband connection > and broad use of peer-to-peer technologies. Napster, whatever its status > under copyright law, demonstrated mass public acceptance of the notion > that one's own computer can be a server providing content to others, and > vice versa. But readily obtainable hacker programs make it possible to > search another person's hard drive for sensitive financial, medical, and > other information as well as for MP3 music files. Neither the "general > public use" standard of the Kyllo decision or the "reasonable > expectation" standard of the earlier Katz case may be sufficient to > assure Constitutional prohibition of unauthorized hard drive searches. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Surely the problem is not so much one of 'unauthorised' searches but of searches authorised other than by court order or other special warrant? The problem here is that information stored on magnetic media can be so quickly and thoroughly destroyed. Thus, seizure, if not the actual search must of necessity be unannounced. Again, it seems to me that the courts have for quite some time been alive to concerns as to the destruction of ephemeral evidence and have been prepared to lend their weight to such seizures, even in matters of civil dispute. Ob Crypto: Two computers are seized for search of the information they contain. In one the information is enciphered and in the other it is not. The information on both is of equal relevance and importance to the investigation. Where, in logic, would be the argument that a search of the one should be effected but that a search of the other could be thwarted without risk of further and serious penalty? It seems to me we risk compounding muddle with muddle. The essential issue must surely be whether an individual has an absolute right to thwart a search of whatever information he holds and in whatever form he holds it. The decision that no such absolute right exists is about as old as our framework of law itself. However, once that defence has been disposed of, then it is surely open season (provided only that such searches shall all be sanctioned in law)? I do not like where this leads any more that the USSC seems to but, as we slide down the slippery chute we so blithely entered into long ago, there seems little point in grasping at slim branches of technology as they whisk past us before they disappear forever. Rather, the sad truth is that there is no way we can get back to where we once were; to when mankind was young and knew nothing of duties to Lord - even less of any duty to State - and law lay only in the strength of one's arm and the quickness of one's wits. Does salvation lie ahead by changing our very nature, so that we may come to accommodate without distress the increasingly inhuman conditions we demand of each other? Or is there, after all, some halfway house, where the legislature and the courts shall be curbed absolutely in their unslakeable thirst to know whatever there is to know about whatever they choose to concern themselves? Maybe there is. It might be nice to think so. But, again, I shan't be holding my breath. Owen From cb@fipr.org Mon, 25 Jun 2001 15:13:41 +0100 Date: Mon, 25 Jun 2001 15:13:41 +0100 From: Caspar Bowden cb@fipr.org Subject: Times 25/6/2001: "CBI attacks EU Net 'log' plans" http://www.thetimes.co.uk/article/0,,5-2001213193,00.html CBI attacks EU Net 'log' plans BY LEA PATERSON PLANS by Brussels to force Internet service providers (ISPs), such as BT and AOL, to store detailed logs of their customers' Web activities have been condemned by the Confederation of British Industry (CBI) as "a retrograde step" that could compromise privacy and damage e-commerce. The CBI will today give warning that planned amendments to the telecommunications data protection directive - likely to be approved on Wednesday - risk undermining trust and confidence in e-commerce and could ultimately reduce investment in the Web. Under proposals to be discussed in Brussels, ISPs will be obliged to keep records of the websites that their customers visit, log the time spent on the Net and retain details of e-mail recipients. Nigel Hickson, the head of e-business at the CBI, urged Douglas Alexander, Minister for E-commerce, to vote against the proposals. Mr Hickson said: "To impose a blanket requirement on operators would be costly and would call into question trust in e-commerce." He added: "We believe this will discourage investment in e-commerce in the EU." The EU's Telecommunications Council convenes to discuss the planned amendment on Wednesday. From Ross.Anderson@cl.cam.ac.uk Mon, 25 Jun 2001 15:22:44 +0100 Date: Mon, 25 Jun 2001 15:22:44 +0100 From: Ross Anderson Ross.Anderson@cl.cam.ac.uk Subject: US confirms that warrants are needed for data snooping. > The US also uses classified technology whose code > names are "NONSTOP" and "HIJACK." Rather these > may indicate types of counterinterception methods. NONSTOP and HIJACK are desscribed in my book, chapter 15: http://www.cl.cam.ac.uk/~rja14/book.html There's also stuff on monitoring using hostilely provoked emissions (`TEAPOT'). That's what you may have meant with illuminating a room; e.g. you flood it with microwaves and see what bounces back. You can also send in a Tempest virus that infects a PC and persuades it to transmit the PGP secret key, whether by flashing the screen in Morse code or by something even more geeky. But the sort of technical surveillance devices that you can buy for a few tens or hundreds of pounds - radio mikes, GSM phones hidden in mains adapters, all that sort of stuff - are likely to remain much more threatening to the privacy of the typical individual than this gee-whiz stuff. So the test of whether the equipment is in common use doesn't buy us much. The most dangerous stuff already is Ross From oml@eloka.demon.co.uk Mon, 25 Jun 2001 16:37:58 +0100 Date: Mon, 25 Jun 2001 16:37:58 +0100 From: Owen Lewis oml@eloka.demon.co.uk Subject: US confirms that warrants are needed for data snooping. > -----Original Message----- > From: ukcrypto-admin@chiark.greenend.org.uk > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Donald > ramsbottom > Sent: 25 June 2001 11:44 > To: ukcrypto@chiark.greenend.org.uk > Subject: Re: US confirms that warrants are needed for data snooping. > > > At 09:40 AM 6/25/01 +0100, you wrote: > >Quoting Owen Lewis (oml@eloka.demon.co.uk): > > > >> Besides, 'radiation detection' includes the use of standard > radio receivers > >> and Geiger counters. > > > >And eyes? :) > > > >James > > They can't use narrow beam high gain mic's..... How so? I build my first (from a recipe in 'Popular Electronics', a US mass circulation periodical)when I was 14 year old. With it, and on a windless day, I could take a conversation at about 400 yards. Modern devices of this type are used quite regularly by 'twitchers'and also by reporters in the field. Besides,they may look good in the movies but are not particularly useful for covert audio surveillance against humans. As for laser mics..... > ....or thermal imaging, How so? Simply put, one focuses radiation in the infrared part of the E-M spectrum rather than some other. What is so special or so horrid? IR imaging is at least 55 years old (Wehrmacht Panthers were equipped with IR sights, some 20 years before the first NATO tank was so equipped). IR imaging is in common industrial/commercial use (and also by my cat). > ....or other "Tempest" like tech etc. The lawyers will have to do a *lot* better than this to get it to stick. What feature of the so-called 'Tempest like tech, represents a cruel and unusual method of surveillance or is even unique to it? What one has is a radio receiver that, like the one in your living room, will tune to certain signals and reject reception of others. Some of the radio frequencies of these signals lie in the standard public broadcast bands. For example IBM Thinkpad 380 portable computers (to which I am partial)with TFT screens (reputed by some not to emit) actually emit quite nicely at long wave as well as at several other frequencies. There are inertial mics that demonstrate beautifully the reproduction of a conversation taking place the other side of 24 inches of hewn granite. The technology is not cruel and unusual and it is only a little removed from that of glass tumbler. It cannot be done on a basis of technological discrimination, Donald, though it will provide many lawyers with much income should we try. The question, surely, should be whether and in what circumstances, covert surveillance is to be sanctioned and not one of the size or power of some lens or other amplifying technology? If you would argue for the latter, would your position be absolute or to be varied according to circumstance? >From whatever angle one comes at such a position, it still seems a mare's nest. As some one once said, "Ask first, what is this thing in itself?". I believe that in the matter under discussion we are in danger of neglecting this fine principle. Owen From jya@pipeline.com Mon, 25 Jun 2001 14:02:03 -0700 Date: Mon, 25 Jun 2001 14:02:03 -0700 From: John Young jya@pipeline.com Subject: US confirms that warrants are needed for data snooping. Owen Lewis is right to emphasize that wizard surveillance technology is abroad the land, seas and sky. The US Supreme Court decision applies only to protection of the home, not all the non-home places that remain wide-open to foul snooping. There will surely be permutations concerning the burgeoning home-office facility, the home-attached garage, the workshop, the studio, the stable, the barn, the far-distant reaches of Bill Gates electronic sanctuary, as the definition of "home" is assaulted and diminished. Still, this is not a slam-dunk non-issue just because invasive technology is rampant, no matter who uses it to rundown copyright violators, TV thieves, wayward mates, ex-officials advising the once-enemy via consultancies. What interests this target is what and where are the defensive technologies, laws, regs and spin physicians available to combat the uncontrolled abuse of national security-derived transgressives. Ross's book is the bellweather for these defenses, one hopes, to counter the gadzillions of evil-doers peddling the offensives and deftly apologizing for them not least by arguing nonsense that there is not much to be done but to enjoy submissiveness. What can be done is to broaden the knowledge base of the offensive technologies, raise public awareness, identify if not invent defensive technologies and strategies, and to perhaps futilely goad legislators to do the right thing to protect citizens from their governments and the industries arming the invaders as if the good old days will last forever for select beneficiaries. Note that the wealthy certainly are arming themselves against government snoops, and demanding release of nat-sec technologies that are being dribbled out to favored banking and telecomm companies and, most essentially, to tax collectors and waiverers. From daw@mozart.cs.berkeley.edu 26 Jun 2001 00:21:35 GMT Date: 26 Jun 2001 00:21:35 GMT From: David Wagner daw@mozart.cs.berkeley.edu Subject: US confirms that warrants are needed for data snooping. John Young wrote: >The US also uses classified technology whose code >names are "NONSTOP" and "HIJACK." Rather these >may indicate types of counterinterception methods. In a paper on side channel cryptanalysis by John Kelsey, Bruce Schneier, Chris Hall, and I, we speculated on possible meanings of NONSTOP and HIJACK. In particular, our guess was that NONSTOP refers to RED/BLACK crosstalk, and that HIJACK refers to cases where crypto hardware is radiated by a nearby RF source (e.g., a cellphone), causing the return signal to be modulated with sensitive data from the crypto box. See http://cryptome.unicast.org/cryptome022401/nonstop-hijack.htm for more information. From daw@mozart.cs.berkeley.edu 26 Jun 2001 00:50:07 GMT Date: 26 Jun 2001 00:50:07 GMT From: David Wagner daw@mozart.cs.berkeley.edu Subject: US confirms that warrants are needed for data snooping. David Wagner wrote: >In a paper on side channel cryptanalysis by John Kelsey, Bruce Schneier, >Chris Hall, and I, we speculated on possible meanings of NONSTOP and >HIJACK. In particular, our guess was that NONSTOP refers to RED/BLACK >crosstalk, and that HIJACK refers to cases where crypto hardware >is radiated by a nearby RF source (e.g., a cellphone), causing the >return signal to be modulated with sensitive data from the crypto box. >See http://cryptome.unicast.org/cryptome022401/nonstop-hijack.htm for >more information. I forgot to say that the above comments relied heavily on conversations with Ross Anderson and Markus Kuhn, and they should be credited prominently. Also, I reversed HIJACK and NONSTOP above (gack!). Sorry about the omissions and errors. From donald@ramsbottom.co.uk Tue, 26 Jun 2001 07:07:38 +0100 Date: Tue, 26 Jun 2001 07:07:38 +0100 From: Donald ramsbottom donald@ramsbottom.co.uk Subject: US confirms that warrants are needed for data snooping. Owen, SNIPS >> They can't use narrow beam high gain mic's..... > >How so? I build my first (from a recipe in 'Popular Electronics', a US mass >circulation periodical)when I was 14 year old. With it, and on a windless >day, I could take a conversation at about 400 yards. Modern devices of this >type are used quite regularly by 'twitchers'and also by reporters in the >field. Besides,they may look good in the movies but are not particularly >useful for covert audio surveillance against humans. As for laser mics..... The problem is the entire readership of "popular Electronics" and "Bird weekly" (or whatever) are not a signifincant enough sample of the population. I may be wrong and am open to correction, but suspect the supreme court means things you can buy from Comet or Currys (or their US equivilents) rather than a specialist component built at home. So off the shelf laser mics in the highstreet are not a good seller, wheras the latest MP3 player is. > >> ....or thermal imaging, > >How so? Simply put, one focuses radiation in the infrared part of the E-M >spectrum rather than some other. What is so special or so horrid? IR imaging >is at least 55 years old (Wehrmacht Panthers were equipped with IR sights, >some 20 years before the first NATO tank was so equipped). IR imaging is in >common industrial/commercial use (and also by my cat). I bow to your superior technical knowledge in these matters, and agree the best tank of WW2 in later variants had IR (can't remember off hand whether it was passive or a search light, it also had anexcellent way of making it own "windows of opportunity" a long barrelled L75 Gun!) and IR is in common use even in homes with burglar alarms triggered by passive IR detectors. The point is although you can go to the High street and by a PIR, you cannot then use it to see through walls (well not most of us anyhow). > >> ....or other "Tempest" like tech etc. > >The lawyers will have to do a *lot* better than this to get it to stick. >What feature of the so-called 'Tempest like tech, represents a cruel and >unusual method of surveillance or is even unique to it? What one has is a >radio receiver that, like the one in your living room, will tune to certain >signals and reject reception of others. Some of the radio frequencies of >these signals lie in the standard public broadcast bands. For example IBM >Thinkpad 380 portable computers (to which I am partial)with TFT screens >(reputed by some not to emit) actually emit quite nicely at long wave as >well as at several other frequencies. The sureveillance does not have to be cruel or even unusual, it just has to be that to use any of the tech referred to you either get a warrant, or use something which Jo Public can buy "off the shelf" from a local HIFI store. > >There are inertial mics that demonstrate beautifully the reproduction of a >conversation taking place the other side of 24 inches of hewn granite. The >technology is not cruel and unusual and it is only a little removed from >that of glass tumbler. >It cannot be done on a basis of technological discrimination, Donald, though >it will provide many lawyers with much income should we try. > >The question, surely, should be whether and in what circumstances, covert >surveillance is to be sanctioned and not one of the size or power of some >lens or other amplifying technology? If you would argue for the latter, >would your position be absolute or to be varied according to circumstance? >From whatever angle one comes at such a position, it still seems a mare's >nest. > >As some one once said, "Ask first, what is this thing in itself?". I believe >that in the matter under discussion we are in danger of neglecting this fine >principle. I agree wholeheartedly with this statement, and the "thing" here is unlawful surveillance and LEAs attempts to circumvent the law which is there to protect them (the general public)from "unwarranted" (in all meanings of the word) intrusion. We are, here and in the US (at least in theory) innocent until proven guilty. To prove that guilt you collect eveidence. The collection of the evidence (at least in the US , here our courts don't give two figs) must be lawful and if it cannot be obtained lawfully then USC says it is inadmissable. While I realize you can probably make a Vostok rocket from a few bake bean cans and some sticky back plastic, or a "scanner" which will tell you what the Queen had for lunch 300 miles away from nothing more than a mouldy pork pie and a boot lace (sorry), and many on this list could probably do the same, we are a very unrepresentative bunch so far as the skills and knowledge of Jo Public or even TMOTCO are