Friday, June 20, 2003

Best Buy Hoax notification

Here is an excerpt from an e-mail I got today. If you ever get e-mail purportedly from a company that asks for you to divulge personal information, there is a high likelihood that it is one of the many social engineering attacks running around. Popular ones try to snag AOL and eBay/Pay Pal users. Be wary of what e-mails and Internet sites you trust your personal information to!!


Late Wednesday afternoon, June 18, 2003, Best Buy became aware of an unauthorized and deceptive e-mail to consumers titled "Fraud Alert." That e-mail message, which requested personal information (i.e., social security and credit card numbers), claimed to come from the Fraud Department. That message was NOT from Best Buy or any of our affiliates.

Best Buy is working with the appropriate law enforcement authorities to quickly resolve the situation. We are working to shut down sites affiliated with that unauthorized e-mail and Best Buy will work with law enforcement authorities to prosecute any perpetrators involved in this illegal act to the fullest extent of the law. If you replied to the fraudulent
e-mail in any way, contact your bank and/or credit card companies immediately.

No Best Buy systems have been compromised, and our online business is secure. The privacy of your personal information is of the utmost importance to Best Buy and any information you provide to us is handled according to our Privacy Policy.

Wednesday, June 18, 2003

Wal-Mart poised to dominate online DVD rental space

This does not look good for Netflix, which is too bad. They have been a great service.

Excite News

After a seven-month trial, Wal-Mart Stores Inc. has begun full-scale operations in its online DVD rental business, hoping to catch up with market leader Netflix Inc. (NFLX)

Customers order the movies online. Wal-Mart sends them from six distribution points, reaching 90 percent of the nation within two days, the company says.

Saturday, June 7, 2003

DOJ Inspector General Criticizes DOJ for Treatment of Immigrant Detainees

Courtesy of EPIC Alert 10.10.

[3] Inspector General Criticizes DOJ on September 11 Detainees

The Inspector General of the Department of Justice has released a
198-page report examining the treatment of people who were held on
immigration charges in connection with the investigation of the
September 11, 2001 terrorist attacks. The report details how the
Justice Department used federal immigration laws to detain 762
persons, mostly of Arab or South Asian origin, who were suspected of
having ties to the attacks or connections to terrorism, or who were
simply encountered during the course of the FBI's inquiry into the
attacks. The report highlights serious problems with the round-up and
treatment of the 762 detainees, including arbitrary detentions,
prolonged detentions, restrictive detention conditions, and in some
instances physical and verbal abuse. The Office of Inspector General
is an independent internal investigation unit within the Justice

The report, instigated by media reports and reports from human rights
organizations, paints a picture of chaos immediately following the
attacks, followed by a long period of negligence that left detainees
in administrative limbo. Only after details of the abusive treatment
emerged in the press did the Department begin to process the detainees
more quickly in January 2002. DOJ has not apologized for its actions,
but instead has taken the position that the crisis atmosphere
immediately after September 11, and the fact that all the persons
detained were in technical violation of immigration laws, makes it
"unfair to criticize the conduct" of Department officials. The
Department spokesperson said that, "We make no apologies for finding
every legal way possible to protect the American public from further
terrorist attacks." EPIC and a coalition of public interest groups is
litigating under the Freedom of Information Act to require disclosure
of the names of the detainees; the case is now pending before the D.C.
Circuit Court of Appeals.

According to the report, the Justice Department instituted a "no bond"
policy for all detainees connected to the terrorism probe after the
attacks -- even though immigration officials quickly questioned the
policy's legality. Without bail, terrorism suspects remained in jail
for an average of nearly three months, much longer than the FBI
projected before it cleared most of them for release, the report said.
In addition, detainees faced monumental difficulties and weeks of
delay before they were allowed to make phone calls and find lawyers.
Some were kept for months in cells illuminated 24 hours a day and were
escorted in handcuffs, leg irons and waist chains. Most of the
detainees were eventually found to have no connection to the terrorist

The September 11 Detainees Report, Office of Inspector General:

CNSS/EPIC v. Department of Justice (detainee FOIA case):

Tuesday, June 3, 2003

Anonymity Bibliography

If you are interested in research into the field of anonymity, check this site out.

The "goal is to set up something we can point at for people new to the field [anonymity] (and most of us are still new to the field, it seems), so they know which papers to look at to get up to speed. The ones I particularly recommend have boxes around them."

Anonymity Bibliography

Monday, June 2, 2003

Out for Dinner MATHEMATICS

This is very interesting. Supposedly only works in 2003. Anyone have the mathematical basis for this? I have a whole book with cool calculator games somewhere...




It takes less than a minute.......

Work this out as you read.

Be sure you don't read the bottom until you've worked it out!

This is not one of those waste of time things, it's fun.

1. First of all, pick the number of times a week that you would like to
have dinner out. (try for more than once but less than 10)

2. Multiply this number by 2 (Just to be bold)

3. Add 5. (for Sunday)

4. Multiply it by 50 - I'll wait while you get the

5. If you have already had your birthday this year add 1753.... If you
haven't, add 1752..........

6.. Now subtract the four digit year that you were born.

You should have a three digit number .

The first digit of this was your original number

(I.e., how many times you want to have eat out each week.)

The next two numbers are...

YOUR AGE! (Oh YES, it IS!!!!!)


CERT needs to plug leak

  1. Confidential bug report gets sent to CERT.
  2. CERT sends it out to their advanced ISA (Internet Security Alliance: pay for early warning) group (Jericho calls "a vulnerability cartel)
  3. The bug report is leaked out to the public, perhaps by an ISA member who was either compromised (if so, they would need more than CERT to help them...) or purposefully leaked it out

Jericho's comments on the ISN list were classic, especially:

"> CERT representatives declined to say when the organization planned
> to release official versions of the leaked advisories.

Even with leaked draft copies, CERT still can't release anything
ontime. Go figure."

Wired News: Leaked Bug Alerts Cause a Stir

Danger and absurdity of the TSA No-Fly list

John Gilmore points out how to have fun with bomb scanners by using hand lotion with Glycerine, or at least points out how easily such expensive equipment can be rendered useless. If equipment has any significant number of false-positives, be sure that it, or procedures, will tune out any hope of finding a real needle in the haystack.

Also, if you notice an "S" on your boarding pass, prepare for extra scrutiny at the airport. The TSA believes, based on often erroneous matching, that you are a member of its "Selectee" list of people who need additional security measures.

Be sure to check out EPIC's site, "Documents Show Errors in TSA's "No-Fly" Watchlist"

-----Original Message-----
From: John Gilmore [mailto:[email protected]]
Sent: Sunday, May 18, 2003 3:25 PM
To: Jason C Axley Exchange
Subject: Re: The War on David Nelson

> > ... people who want to see if their name is on either list or who
> > want to make a complaint, can call the agency's contact center at
> > 866-289-9673 or send an e-mail to [email protected].
> Since this inquiry will no doubt result in a listing where none
> existed, I would suggest that everyone reading this make an inquiry -
> *especially* those of us with very common names. Let the system break
> it's own weight.

If you want to break the system under its own weight, I also suggest
using lots of "Kiss My Face" honey scented hand cream. Someone
recently told me setting off the nitrogylcerin censors (oops, I mean
sensors) at that spot where they wipe down your bag with little pads
and then put them through a quick chemical analysis. When she set it
off, they went down a checklist of "Did you do X recently?" until they
got to "Did you put on hand cream recently?" They let her through, of
course; you probably can't blow up an airplane with hand cream. The
problem was with their sensorship, not with her.

If even 1% of travelers refused to show an ID, the system would also
break down under its own weight. Do your part. There is no law or
regulation that requires you to show ID. You are all being sheep for
violating your own privacy, for no reason, when ordered by people who
have no authority. Demand that they show you such a law, and refuse
to show ID until they identify one. As you go up the chain of
command, you will find that you have the option to be searched rather
than show an ID. In regimes where the laws are secret, the only way
to find out what the law is, is to not follow orders.


PS: I doubt that sending a complaint to TSA results in them adding you
to the no-fly list. It's random and arbitrary, but not THAT random
and arbitrary. If you want to see the complaints of some of the
ordinary people who TSA mousetraps every single time they enter an
airport, (not just the David Nelsons), check EPIC's FOIA results. The
dozens of complaints forwarded via Congresspeople are well worth

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to
[email protected]

Is the price right for your freedom?

How do you measure a cost-benefit for the new security measures or of your liberty? It is hard to even come up with a causal link from the "increased" security measures (ask me about the absurd experience I had in LAX...) to increased safety, let alone quantifying such a benefit.

There is also a discussion at;sid=03/03/12/06265215;cmt=42 Abstract

In an unusual twist on cost-benefit analysis, an economic tool that conservatives have often used to attack environmental regulation, top advisers to President Bush want to weigh the benefits of tighter domestic security against the ''costs'' of lost privacy and freedom.

Secure programming in UNIX HOWTO

David Wheeler has put together a set of design and implementation guidelines for programming securely in several languages. The document is actually in a ton of different formats, even ones suitable for Wireless devices. So, take yours with you and learn it well!

Secure Programming for Linux and Unix HOWTO

There is also a set of overview slides that are definitely worth a look.

ACLU DMCA case against N2H2 is a loss for freedom

This is a very disturbing development and more reason why the DMCA has a chilling effect on speech and freedom to do legitimate research.


N2H2 Inc. can use the Digital Millennium Copyright Act (DMCA) to stop a researcher from attempting to reverse engineer its Web filtering product, a judge ruled last week.

Harvard Law student Benjamin Edelman says he wants to crack the filtering tools to test them. Edelman planned to hack into N2H2�s cryptography-protected list of filter parameters, but, fearing prosecution, sought court protection. Edelman and the ACLU believe filters, used at libraries and schools, limit free speech.

In a written decision, U.S. District Judge Richard Stearns found "no plausibly protected constitutional interest� that would overcome �N2H2's right to protect its copyrighted property from invasive and destructive trespass."

N2H2 didn�t respond to requests for comment. Edelman says no decision has been made on appealing, but adds that N2H2�s public list of filtered sites isn�t enough for rigorous testing.

�Suppose you wanted to know which .gov sites are classified as pornography. Or to see what sites N2H2 calls pornography this week, that last week were not,� he says. �N2H2's online database site would not allow any of these kinds of research, but you can see why it would be important.�"

Bid to Expose Porn Filters Loses

"U.S. gov't blindly trusts the antivirus industry"

I love the quote below and the 15 claims about how shady the Antivirus industry is are great, especially #7, "expect applause when you release hundreds of security patches for your product each year;" Truth About Computer Virus Myths & Hoaxes

"The Pentagon should not protect a weapon system with software written by people they'd never trust. Yet they do."

Low-bandwidth application DoS attacks

Interesting work and something that I can't seem to get many people to pay attention to. Not all DoS attacks are bandwidth exhaustion attacks. DoS attacks can be thought of generically as resource exhaustion or suppression attacks. This does not necessarily require using a large amount of bandwidth.

The traditional thoughts on DoS attacks cause people to believe that normal modes of monitoring systems will catch DoS attacks early just because it would be hard to not notice such brazen resource consumption. However, low-flying attacks could possibly cause DoS attacks that are more difficult to detect without finer-grained application-level monitoring than is often employed.

This work documents attacks on the complexity of applications themselves to cause DoS.

Denial of Service via Algorithmic Complexity Attacks

We present a new class of low-bandwidth denial of service attacks that exploit algorithmic deficiencies in many common applications' data structures. Frequently used data structures have ``average-case'' expected running time that's far more efficient than the worst case. For example, both binary trees and hash tables can degenerate to linked lists with carefully chosen input. We show how an attacker can effectively compute such input, and we demonstrate attacks against the hash table implementations in two versions of Perl, the Squid web proxy, and the Bro intrusion detection system. Using bandwidth less than a typical dialup modem, we can bring a dedicated Bro server to its knees; after six minutes of carefully chosen packets, our Bro server was dropping as much as 71% of its traffic and consuming all of its CPU. We show how modern universal hashing techniques can yield performance comparable to commonplace hash functions while being provably secure against these attacks.

Hussein can hide WMD but not his money

William Raspberry from the Washington post asks a great question:

"Why would Hussein, facing annihilation, take the bother to hide his chemical and biological weapons so carefully that we still haven't found them, while leaving his millions of American dollars right where we could find them?"

If WMD are there for defense purposes, they have to be readily-available to provide a benefit to the holder. Accounts indicate thousands of tons of WMD and production capabilities should be all over the place but -- nothing. However, we find his stash of cash fairly easily.


MCI to build new GSM network in Iraq

MCI gets $500 million to build a new GSM network in Iraq. There are a couple of interesting aspects to this:

a. The sensible GSM network was chosen amid staunch lobbying by Qualcomm junkies to build an "American" CDMA network. Hooray!

b. MCI is not a wireless telephone company. Why are they getting to build a wireless network from scratch instead of other wireless carriers? They were actually a reseller of AT&T Wireless before their accounting scandals.

The Register: MCI wins Iraq gig, shovels $500m to shareholders

"Politicians lie, new study shows"

Well, we definitely agree on the point, �Politicians need to be more honest about lying� Perhaps they should go for more of the honest and less on the lying at the same time.

Politicians lie, new study shows

IN A STUDY described in Britain�s Observer newspaper, Glen Newey, a political scientist at Britain�s University of Strathclyde, concluded that lying is an important part of politics in the modern democracy.