Re: virus: The myth of privacy and the end of PKI

From: Mermaid . (britannica@hotmail.com)
Date: Mon Jan 21 2002 - 19:57:07 MST


Interesting info..

but

1. Well... I don't think Yash lives in the United States.
2. I still maintain that Kirk had no business doing/saying what he did..
3<important>. Can we expect more of this kind of behaviour from Kirk?

Mermaid.

P.S. and oh... 4. Really.. did Kirk do this with a simple search with no other
intention of malice and intent to threaten...:)

From: "L' Ermit" <lhermit@hotmail.com>
Reply-To: virus@lucifer.com
To: virus@lucifer.com
Subject: virus: The myth of privacy and the end of PKI
Date: Mon, 21 Jan 2002 20:45:50 -0600

[Mermaid] Phone Book of Mauritius? Is it online?

[Hermit] "Anyone who wishes to do research on *any* subject can do it if
they have the time and inclination." [Mermaid] She left intelligence off the
list... maybe why she is having difficulty.

[Mermaid] Does that mean that everyone in the Church of Virus should conceal
their real names because some weirdo son of bitch will find out their phone
numbers and publish it on this forum which btw is archived...that the
publishing of the full number or the last four numbers depends on the
goodness of mr.sob's kind heart is irrelevant...

[Hermit] You really can be a PsychoBitch. Time for a new handle in the name
of truth in advertising. I'll leave others to deal with your insinuations if
they choose to.

=====
[Hermit] Treating the balance of the question seriously and rephrasing it as
"Does that mean that everyone on the Internet should conceal their real
names in the hope of maintaining privacy?"

[Hermit] If you live in the US you have no privacy.

[Hermit] Get over it. Once you have released any data - and you can't help
it, you leave spoor that can be followed "for ever." (The following is an
example based on real world search). Your phone number is everywhere - even
though you think you have an unlisted number. Unfortunately for you, your
bank sold your unlisted number and account status to a card-processor, who
in turn sold it to a card offer solicitation agency. From there it went to a
catalogue agency. You also made a purchase at "Best Buy" and for some reason
gave them a "real" phone number. They also sold it to a catalogue agency.
Both catalog agencies then sold your information to net directories. As did
the "petition site" where you filled in real data without checking their
privacy agreement - and they also on-sold your data - mainly to spammers.
When you switched long distance providers your number was automatically put
up on three different LD directories - they didn't receive the "unlisted"
status from your incumbent. So if you search intelligently for yourself
under your real name you will find yourself in a fairly large number of
locations... Given the above or knowledge of !one! of the email accounts you
have used to make postings on the Internet, and a further search on the
posting host used, your IP address becomes visible (aha a class C, and a
quick peek at the subnet tells me that it is a cable modem) and this allows
me to track down everywhere you have ever posted (from that address), what
you have on your web sites (no matter what pseudonym you use) (and for those
owning a website, the whois data gives me a lot more) and this tells me a
lot more about your interests. So at the end of about 3 hours, I know where
you live, your phone numbers, your ISP and can make intelligent guesses
about your buying habits. If you owned property, were on a voters' roll or
had a driver's licence I could find out a lot more about you yet... Isn't
"net-stalking" wonderful? And in the USA, there is nothing stopping me from
doing this to build the world's biggest customer database - and if I were MSN
or double-click (or a number of other "click-trackers") I would then link
all of that data to your browsing habits... and probably end up knowing more
about you than your significant other. Your insurance company, which holds
all your medical history, might be very interested in buying such
information... and a whole new batch of uses spring readily to mind. Oh yes,
I almost forgot to mention, when you go onto most IRC networks, I can also
track you by IP address and work out (most) of the channels you join. Are
you getting the picture yet?

[Hermit] If I were an authorised government user wanting to watch you it is
even easier. Today almost all network traffic is routed through a small
number of vampire switches that allow all your packets to be tracked
dynamically and in real time across continents. And with the new roaming
phone taps, if you carry your cell phone I can see where you go (and if the
people you meet also carry cell phones) can probably very quickly figure out
who you meet with if you meet them more than once.

[Hermit] Europeans have more privacy from private enterprise, but less
privacy from government as the government owns more of the big databases. In
the US government is now buying data from private data warehouses so the net
effect is worse.

[Hermit] Using a pseudonym protects you only from the lamest of the lame -
but even that is better than being completely flooded. So yes. Use a
pseudonym, but don't expect it to provide much in the way of privacy against
anyone half-way competent or motivated. Just don't do anything that you
wouldn't want in a database, or for your 13 year-old cousin to know about,
and there won't be a problem.

[Hermit] One last thing, I don't know if you noticed IBM *announcing*
their factorizing quantum computer*, but I would suggest that you should
regard any PKI system as being compromisable by USA agencies in finite time,
even with outrageous key-lengths (8k+). So unless you use manually
distributed one time cipher keys, you shouldn't be saying anything you don't
want to have read over your shoulder on a computer either.

*IBM's Almaden Research Center [
http://www.research.ibm.com/resources/news/20011219_quantum.shtml ] has
announced that they have achieved success in performing the most complicated
"quantum computer" calculation yet. IBM scientists dumped a
billion-billion custom-constructed molecules into a test tube and convinced
them to act as a seven-qubit (QUantum BIT) computer, which then solved a
simple version of the math behind many of today's cryptographic systems
(Shor's Algorithm). The bottom line is that quantum computers can factor
numbers dramatically faster than their traditional counterparts -- in fact
exponentially faster. While the reported experiment (factoring the number
15) may seem trivial, as the number of qubits in these quantum computers
grows (which just takes adding more chemical soup), they're going to
dramatically change the rules for what constitutes "unbreakable" encryption.

Standard cryptography practice is to take an announcement of capability as a
warning to change your standards. Which is what I am advising here. Where I
previously regarded a 2k key as providing reasonable security, and 4k as
being close to unbreakable, I now regard 8k as reasonably secure, and no
current PK implementation as fully secure.

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.



This archive was generated by hypermail 2.1.5 : Wed Sep 25 2002 - 13:28:40 MDT