Carl Ellison's home page (original) (raw)

[7 May 2007]

Fellow tenor Nick took some pictures during Desmond Tutu's visit to St. Mark's, mostly from the choir loft during the Evensong service on May 11, 2006.

Ted Koppel on NPR quoting Lily Tomlin: "No matter how cynical I get, I can never keep up."

My SPAM e-mail list has been moved to a blog to save my friends the e-mail traffic and let them respond directly to my postings. Enjoy.

``All suspects are guilty - period - otherwise they wouldn't be suspects would they?'' From ``Troops'', the old take-off on ``COPS!''. That was a funny line, once, back before we had people at the very top of the US administration who act like they expect us to believe this.

"Does the Public Really Believe?" -- Arianna apparently doesn't

Al Gore's speech on the Patriot Act & the Bush administration.

Trinity Consort and St. Mark's music program.

An anecdote about life here in Seattle. I think I'm going to like this town.

My real claim to fame :-) thanks to Timewarp Films and Leanna Chamish.

Security Pages

The Padlock Story

The SPKI web page.
Why I Shop Online when it's obviously so dangerous.
Ceremonies rump session talk at CRYPTO 2005 andthe slides for that talk.
Rants: on trust and non-repudiation.
UPnP V1 Security draft specs for public review
USENIX Security Symposia.
Annual NIST/Internet2 PKI Research Workshops: (2007) (2006) (2005) (2004) (2003) (2002)
Story on hacked public computers

The Cryptography Timeline, that I prepared back in the days when the government was trying to claim that crypto had historically been a government monopoly.
The NPR Series, Technopop, examining the history of technology and pop music and leading me to wonder how long the record companies will fail to embrace the new technology and help advance it. I understand their fear. It means giving up the old way of doing business. But, it's inevitable. Perhaps there are people near retirement who want to be able to cash out before the inevitable change happens -- the old "not on my watch, you don't" theory.
Randomness
- If you can get a machine using the Intel 800 series chipset (810, 815, 820, ...), including the Intel hardware random number generator, that's all you need. [Note: I have discovered that not all Intel 800 series chipsets include the Intel Firmware Hub with the hardware RNG. The part numbers you need to have are: E82802Ax or N82802Ax. So, I guess you have to look on the motherboard before you buy. If I learn some different mechanism for buying a computer with the RNG, I will update this message.]
  * The Intel RNG hardware driver for Windows.
  * Documentation on the Intel RNG.
- However, if you're stuck with having to try to create randomness on a plain vanilla machine, you might check out the suggestions cited below.
  * Jakobsson, Shriver, Hillyer and Juels, "A practical secure physical random bit generator", Proceedings of the 5th ACM conference on Computer and communications security, 1998.
  * Maurer, Ueli, A Universal Statistical Test for Random Bit Generators
  * A new page on randomness that will eventually replace the others I have posted.
  * The white paper on random numbers that I drafted many years ago.
  * RFC1750``Randomness Recommendations for Security'', by Eastlake, Crocker and Schiller.
- Although it is not really about randomness, check out this storymy buddy Tim sent me. Obviously, this was some designer's concept of ``random''.
My normal (home) PGP DSS key andRSA key. Other keys of mine are available from the PGP keyservers. Of course, you have no idea if those are my keys. To really know that they are, you need to:
1. know me personally (otherwise the word my has no meaning to you, personally, when you read it in the phrase my keys); and
2. receive confirmation of the key from me in the physcial world (e.g.,
  - with my business card that has my key fingerprints printed on the back, provided I hand it to you personally; or
  - with a voice confirmation of the key fingerprint; etc.)

It is important to note that a certificate on those keys from the most trustworthy CA in the world or PGP key signatures from a set of the most careful and trustworthy web-of-trust key signers in the world does you little good if all it does is bind a globalized human name to the key. You would need to know which name was being used for me and the process of securely delivering that name to you requires the same steps enumerated above. That is, PKI schemes (or directory systems like the D-H modified phone book) ``solve'' the key management problem by replacing it with a name management problem that is precisely as difficult as the original key management problem. [This was the main flaw in the phone book analogy used by Diffie and Hellman: the assumption that names were not only globally unique but also known and used accurately by anyone else in the world needing to use that name. Names are not globally unique. Unique names can be created and used to build a directory or set of certificates, but there is no channel for communicating those constructed names to the person needing to consult the directory.]

The ASN.1 Misuse paper that I presented at RSA 1996.
MD5 hashes of the PGP distribution files athttp://web.mit.edu/network/pgp.html, andmy signature on that file.
My directory of freeware, brought over from my backup of my previous home page. This includes my ranno filters, tran (as in des|tran|des|tran|des), etc.
Instructions for using SSH to send and receive mail (access SMTP and POP3)prepared for use at theworld.com. This will probably work on any ISP where SSHD is running.
I wrote to Senator Wyden about the CBDTPA asking him to do what he could to kill the bill.
The Return of GAK?
After the attacks of 11 Sept, there have been renewed calls for Government Access to Keys (GAK) (also called "Key Escrow"). I could put back up my old pages that show the incorrectness of that approach, but Lauren Weinstein has written a very clear letter on this subject giving the central point, that cryptography is not controllable and that attempts to control it legally will penalize those of us who use it to secure the domestic infrastructure while having no impact on any terrorist. In particular, such controls would not increase the FBI's ability to do its job of rounding up terrorists. Fortunately, we have seen no such requests from the FBI itself. They appear to be coming from news media, perhaps in an attempt to play a Game of ``Let's You And Him Fight''.
Remember: The original proponents of Key Escrow admitted that it would not work against a determined or sophisticated adversary. The terrorists responsible for the attacks of 11 Sept were clearly both determined and sophisticated.