Liudvikas Bukys

[Full-Disclosure] GnuPG’s ElGamal signing keys compromised:

In January 2000, as part of version 1.0.2, the GnuPG code was changed to create ElGamal keys which work more efficiently for encryption (selecting a smaller x secret exponent and using a smaller k for encryption). While making this change the problem with signing keys was accidentally introduced: the same small k for encryption was also used for signing. This can be used for a cryptographic attack to reveal the private key (i.e. the secret exponent x) if a signature made using that key is available. Such a signature is always available for primary ElGamal keys because signatures created with that key are used to bind the user ID and other material to the primary key (self-signatures). Even if the key was never used for signing documents it should be considered compromised.

Scientific American: What a Little Limeade Can Do — Owning the rights for frozen juice to treat angina:

Method of treating chest pain, patent 6,457,474, Carl E. Hanson of St. Paul, Minn. This inventor has patented lime juice to replace nitroglycerin as a treatment for chest pain such as angina pectoris…. The lime juice can also be administered intravenously or by the angina sufferer’s placing the frozen concentrate directly into his or her mouth.

“The spammers have discovered the hole.”

Stan Liebowitz: The Economist: The QWERTY Myth:

A fine tale, but largely fiction. The paper by Messrs Liebowitz and Margolis shows, in the first place, that the first evidence supporting claims of Dvorak’s superiority was extremely thin. The main study was carried out by the United States Navy in 1944 (doubtless a time when every second counted in the typing pools). The speed of 14 typists retrained on Dvorak was compared with the speed of 18 given supplementary training on QWERTY. The Dvorak typists did better — but it is impossible to say from the official report whether the experiment was properly controlled. There are a variety of oddities and possible biases: all of them, it so happens, seeming to favour Dvorak.

But then it turns out — something else the report forgot to mention — that the experiments were conducted by one Lieutenant-Commander August Dvorak, the navy’s top time-and-motion man, and owner of the Dvorak layout patent.

Another source server compromise, this one at Debian

Steven Searle succinctly compares and contrasts the Auto-ID and Ubiquitous ID projects in The Auto-ID vs. the Ubiquitous ID vs. ?:

In fact, the Ubiquitous ID and the Auto-ID are very different in their technologies and their scope. The Ubiquitous ID scheme is a “meta code,” i.e., a code of existing and new codes, that gives a 128-bit number to both physical and non-physical things and is intended to operate across multiple network types. The Auto-ID scheme is a “new product code” that gives a 64/96-bit number to physical products and is intended to operate mainly via the Internet. Moreover, they use different scanning frequencies: the Ubiquitous IDs use a dual band, 2.45 GHz for RFID and 13.56 MHz for eTRON smart cards; while the Auto-IDs use 915 MHz for RFID. Here’s a chart of the main differences.

Note that the Auto-ID Center at MIT has evolved into something like a trade group, EPCglobal Inc.

Ed Felten in Freedom to Tinker: Flaky Voting Technology cites The Washington Post: Fairfax Judge Orders Logs Of Voting Machines Inspected regarding yet another specific example of a buggy or fraudulent voting machine in action, and concludes:

You could hardly construct a better textbook illustration of the importance of having a voter-verifiable paper trail. The paper trail would have helped voters notice the disappearance of their votes, and it would have provided a reliable record to consult in a later recount. As it is, we’ll never know who really won the election.

An interesting page: Unique ID - The numbers that control your life, that includes details on how various ID numbers are constructed, including some that embed data in the ID number.

Dan Gillmor’s eJournal - AT&T’s Anti-Anti-Spam Patent:

“A system and method for circumventing schemes that use duplication detection to detect and block unsolicited e-mail (spam.) An address on a list is assigned to one of m sublists, where m is an integer that is greater than one. A set of m different messages are created. A different message from the set of m different messages is sent to the addresses on each sublist. In this way, spam countermeasures based upon duplicate detection schemes are foiled.”

The mind boggles at the willingness of the U.S. Patent & Trademark Office to grant patents to the most trivial ideas. Some commentators note that perhaps the patent can be used for good and not evil.

SecurityFocus: Banking Scam Revealed:

A single spam gang, using a unique bulk-mailing tool, appears responsible for the recent rash of financial fraud emails. This gang has targeted over a dozen financial sources, had dabbled in malware, and has struck over 20 times, showing what appears to be a serial pattern. Attempts to report these findings to Citibank were unsuccessful, and Citibank was unavailable for comment. Citibank has publicly stated that they do not know who has been victimized by the Citibank scams, nor do they know how many victims [ref 10]. In truth, their web logs very likely indicate exactly who fell victim to the 16-Aug-2003 fraudulent Citibank scheme. In addition, Citibank may not be able to identify “who” fell victim on 25-Sep-2003 and 25-Oct-2003 to the second and third revisions of the fraud scheme, but Citibank can identify “how many” victims are likely. This is because the fraudulent web sites used HTML links that directly referenced the financial institution’s web site.