Re: Haystack redux
On Sep 15, 2010, at 11:48 AM, Adam Fields wrote:

> I find it hard to believe that even the most uninformed dissidents would be using an untested, unaudited, _beta_, __foreign__ new service for anything. Is there any reason to believe otherwise? My first guess would have been that it was a government-sponsored honeypot, and I bet they're far more suspicious than I am.

Perhaps people are more hopeful than suspicious.

Haystack [1] had the apparent approval of the US State Department (no friends of the Iranian government), a pretty web page, major donors, coverage in all the mainstream press, an award in the UK, and lots of other stuff that demonstrated credibility.

Gotta trust someone. Who you gonna trust? The guys with all that cred, or, say... me?

---
[1] given Daniel Colascione's statements, we may have to quote this thing as it was test code, not what he intended to release.

- The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
Re: Haystack redux
On Sep 15, 2010, at 6:16 AM, Jacob Appelbaum wrote:

> An interesting unintended consequence of the original media storm is that no one in the media enjoys being played; it seems that now most of the original players are lining up to ask hard questions. It may be too little and too late, frankly. I suppose it's better than nothing but it sure is a great lesson in popular media journalism failures.

On the contrary, because life is not a series of disconnected events, this is a great success for the safety of civilians, and for media coverage, going forward:

- people who care about the lives of others, and who worry about technologies based in trust, now are more aware of one another than ever before
- the business of taking well-intentioned but defective things apart is out of the shadows and in a very favorable spotlight
- the media have a whole new dimension of drama to add to their coverage of high tech wonders: ... but does it really work?

Journalism is self-correcting, as you note... provided a feedback channel exists and can be maintained long enough for the corrections to hold... as happened here.

- jim
Re: Quantum direct communication: secrecy without key distribution
On Dec 5, 2008, at 7:06 PM, [EMAIL PROTECTED] wrote:

> well-placed but UNCORROBORATED informant sez that day before yesterday (3 dec):
>
> 5 hours of CheckFree traffic redirected and likely captured in full
>
> half of IP addresses for CheckFree left in place, half re-directed to Ukraine, i.e., partial MITM entirely at the routing protocol layer
>
> [the important part] it appears that in the last few hours a method has been ?found/?released that makes possible the MITM completely transparent with all traffic forwarded on as if there was just an extra hop in the path; MITM via an effective attack on routing protocols, per se, would be no joke

The cited articles discuss a much simpler DNS revision with stolen Netsol credentials on Dec 2, apparently confirmed via their logs. How sure are you about this informant? Does the person have the expertise to say what was said, or was the Dec 2 story reinterpreted into the Dec 3 story? It's too big an issue to leave floating.

[http://voices.washingtonpost.com/securityfix/2008/12/hackers_hijacked_large_e-bill.html]:

> It appears hackers were able to hijack the company's Web sites by stealing the user name and password needed to make account changes at the Web site of Network Solutions, CheckFree's domain registrar. Susan Wade, a spokeswoman for the Herndon, Va., based registrar, said that at around 12:30 a.m. Dec. 2, someone logged in using the company's credentials and changed the address of CheckFree's authoritative domain name system (DNS) servers to point CheckFree site visitors to the Internet address in the Ukraine.

- jim
Re: Fake popup study
On Sep 23, 2008, at 6:15 PM, Sandy Harris wrote:

> From Slashdot: Psychologists gave university students phony popups with various malware warning signs. Many just clicked.
>
> http://arstechnica.com/news.ars/post/20080923-study-confirms-users-are-idiots.html

I think it's got to be said that it's not apparent that the end-users are the /idiots/ who should be called out for failing this study. We gave them these interfaces, protocols and technologies that allow for things to go so badly wrong. Nothing in the world required the technology ecosystem to become what it is, except design decisions that were (and are) made well out of the sphere of influence of mere idiot users. This stuff was designed and shepherded to market by the modern captains of industry, by rock star developers and wünderkinden.

When a real engineer builds a bridge that falls down, we blame the engineer, not gravity.

Bad people have always existed in the world. When developers pretend they don't exist and people are then victimized, we're supposed to continue to accept the bluster about technology rock stars, and therefore conclude that the customers (who outnumber the developers by what, 1,000 to 1?) are the idiots?

Let's reconsider that. Seriously, let's shout it down. It's a ridiculous proposition that's tiring to hear time and again.

I'll even argue from the other direction just to make it complete. Even if they are all idiots: when a population you serve outnumbers you by 1,000 to 1 and keeps blowing itself up when using your stuff, it's time to idiot-proof the product.
Re: Fake popup study
On Sep 24, 2008, at 5:45 PM, Perry E. Metzger wrote:

> Jim Youll [EMAIL PROTECTED] writes:
>
> > I think it's got to be said that it's not apparent that the end-users are the /idiots/ who should be called out for failing this study. We gave them these interfaces, protocols and technologies that allow for things to go so badly wrong. Nothing in the world required the technology ecosystem to become what it is, except design decisions that were (and are) made well out of the sphere of influence of mere idiot users. This stuff was designed and shepherded to market by the modern captains of industry, by rock star developers and wünderkinden.
> >
> > When a real engineer builds a bridge that falls down, we blame the engineer, not gravity.
>
> 419 scams are not caused by bad interfaces or bad engineering. Phishing is, but clearly not all con games are, and con games are remarkably profitable.

The article and the study concerned user vulnerabilities compounded by poor user interfaces and poor underlying architectures. I was addressing my comments toward the study generally, and to the inappropriate but common tone of the article, in particular, not to other out-of-band issues. There are many risks in the world. I see in that study some confirmation that poor design has made certain of those risks worse.

> I was having a discussion over lunch about a week ago with a couple of pretty well known security people (one of them might pipe up on the list). We were considering what would happen in a particular seemingly foolproof system with a trusted channel if someone got a message via an untrusted channel saying...
>
> "Now, to complete your book purchase, the trusted system is going to say 'If you press YES, you're going to send all the money you have in the world to a con man in Nigeria' -- this is normal. Please press yes when it says that."
>
> ...a large fraction of users would just press YES.

Straw man.

> I don't want to claim that there is no place for better human factors work in security engineering. There clearly is. However, I will repeat, that is not the only story here, and it is not unreasonable to note that there are people who are clearly nearly impossible to protect with almost any level of human factors engineering and security technology.

Considering the magnitude and frequency of losses that apparently occur through these technologies, and the fact that the crypto and security technologies are pretty far evolved and seem to work well if used well, I would counter that human factors are just about all we should be worrying about right now, if we hope to ever make online activities as safe as they should be.
Re: Fake popup study
On Sep 24, 2008, at 6:39 PM, Perry E. Metzger wrote:

> The whole point of the study (which you feel had an inappropriate tone) and of such gedankenexperiments is to understand the problem space better.

Clarification: not the study. I believe the article had an inappropriate tone. Calling victims of inadequate user interfaces idiots is inappropriate and spits in the face of the evidence.

It's still a fact that when a majority of a population of operators of any equipment is experiencing poor outcomes just using it as normal people do, then there is a screaming need to fix that equipment. If the "blame the idiot" thinking were accepted in other domains, we'd still have factory workers chopping off their limbs on a daily basis because any non-idiot should be smart enough to step back when the press is coming down.

The simple fact is that normal people make mistakes and experience momentary slips as part of their ordinary existence. It's a designer's job to consider the users of an engineered device, to consider what their /entirely expected/ failings will be, and to work to prevent them. The current approaches do not work well to prevent the expected human failures. Therefore, the current approaches are inadequate.

The study suggests that people should be expected to make errors using current user interfaces shoved in their faces by the stuff behind the scenes that never should have been so insecure in the first place. Why all the shock and outrage then?

Security and OS builders would do well to consider how nuanced certain other things are, that just work right. As a quick example, I've not looked at the code but I can definitely tell that a hell of a lot of scrubbing is done on the trackpad inputs from this laptop, so that cursor motion is reliable and predictable, despite my imprecise finger movements.

I look forward to seeing such nuance in user safety someday and will never be satisfied calling the majority of the population idiots because some human-built device has gotten lots of them into unexpected trouble.

> At one time, we believed that with enough crypto, we would be safe, but we were disabused of that notion -- crypto is a great tool but not a panacea. Now the notion seems to be that with enough human factors, we will be safe. It appears this, too, is not a panacea.
> protect themselves adequately.

Human factors haven't received nearly enough attention, and as long as human factors failings are dismissed as the fault of idiot users, they never will.
Re: Judge approves TRO to stop DEFCON presentation
On Aug 9, 2008, at 8:46 PM, Jim Youll wrote:

> these have been circulating for hours, but they are content-free title slides...
>
> [Moderator's note: I've read them and they're far from content free. They give you a recipe for doing things like rewriting the mag stripes on stored value cards to give you arbitrary balances, and they even include actual examples.]

Apologies to all. It's a UI issue with the PDF reader I was using and the layout of the PDF file. Pages other than the title slides are obscured and it's not clear they're even present (the pages are readily visible in Acrobat Reader).
Re: Judge approves TRO to stop DEFCON presentation
these have been circulating for hours, but they are content-free title slides...

[Moderator's note: I've read them and they're far from content free. They give you a recipe for doing things like rewriting the mag stripes on stored value cards to give you arbitrary balances, and they even include actual examples. Also, Please Don't Top Post. Please cut down quoted material to just the important content, too. -Perry]

On Aug 9, 2008, at 7:38 PM, Ivan Krstić wrote:

> On Sat, 09 Aug 2008 17:11:11 -0400, Perry E. Metzger [EMAIL PROTECTED] wrote:
>
> > Las Vegas - Three students at the Massachusetts Institute of Technology (MIT) were ordered this morning by a federal court judge to cancel their scheduled presentation about vulnerabilities in Boston's transit fare payment system, violating their First Amendment right to discuss their important research.
>
> http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf
>
> --
> Ivan Krstić [EMAIL PROTECTED] | http://radian.org
Re: Ransomware
On Jun 9, 2008, at 11:54 AM, Leichter, Jerry wrote:

> Computerworld reports:
>
> http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9094818
>
> [...]
>
> Apparently earlier versions of this ransomware were broken because of a faulty implementation of the encryption. This one seems to get it right. It uses a 1024-bit RSA key. Vesselin Bontchev, a long-time antivirus developer at another company, claims that Kaspersky is just looking for publicity: "The encryption in this case is done right and there's no real hope of breaking it."

If there's just one key, then Kaspersky could get maximum press by paying the ransom and publishing it. If there are many keys, then Kaspersky still has reached its press-coverage quota, just not as dramatically.

> Speculation about this kind of attack has made the rounds for years. It appears the speculations have now become reality.

But press gambits from security companies have been in the realm of reality for quite some time!
Re: RIM to give in to GAK in India
Isn't this just a semantic game on the part of RIM and the government? The phrase "enterprise customers" would seem to isolate a class of customers such that individual customers not using a corporate version of the product would see their crypto weakened... and be subject to monitoring through the service provider.

On May 27, 2008, at 12:21 PM, Dave Korn wrote:

> Perry E. Metzger wrote on 27 May 2008 16:14:
>
> > Excerpt:
> >
> > In a major change of stance, Canada-based Research In Motion (RIM) may allow the Indian government to intercept non-corporate emails sent over BlackBerrys.
> >
> > http://economictimes.indiatimes.com/Telecom/Govt_may_get_keys_to_your_BlackBerry_mailbox_soon/articleshow/3041313.cms
> >
> > Hat tip: Bruce Schneier's blog.
>
> Although on the other hand:
>
> Excerpt:
>
> Research In Motion (RIM), the Canadian company behind the BlackBerry handheld, has refused to give the Indian government special access to its encrypted email services.
>
> [ ... ]
>
> According to the Times of India, the company said in a statement: "The BlackBerry security architecture for enterprise customers is purposefully designed to exclude the capability for RIM or any third party to read encrypted information under any circumstances. We regret any concern prompted by incorrect speculation or rumours and wish to assure customers that RIM is committed to continue serving security-conscious business in the Indian market."
>
> http://www.theregister.co.uk/2008/05/27/indian_gov_blackberry_blackball/
>
> [ Hmm, two contradictory stories, whoever woulda thunk it? There's probably some politicking going on, mixed up with marketeering and FUD-spinning. ]
>
> cheers,
> DaveK
> --
> Can't think of a witty .sigline today
Re: debunking snake oil
Crossroads is an undergraduate journal. We'd do well to single out more worthy targets for public ridicule than CS undergrads. If you want to help the author, why not educate, rather than mocking? He's obviously been motivated to think about the subject matter and to even take the bold step of publishing something. If you must scold, aim at the advisor, then. But I don't see much to be gained by scolding in this case. Pick someone who's asking for it - the vendors of all the products that don't do what their buyers hope and wish they would do...

On Aug 31, 2007, at 11:35 PM, Ben Pfaff wrote:

> [EMAIL PROTECTED] writes:
>
> > So, when you find a particularly obnoxious dilettante going on about his bone-headed unbreakable scheme, please forward it to me and I'll see about breaking it, and then publish the schemes and the results on a web site for publicly educating them. Honestly, there's probably no better way to educate people than to see schemes submitted and broken, and I'm not sure there's a good site for it, although there are plenty of books. Unfortunately, these types won't be bothered to buy books since they already know everything.
>
> Here's a particularly moronic scheme:
> http://www.acm.org/crossroads/xrds11-3/xorencrypt.html
>
> --
> "If a person keeps faithfully busy each hour of the working day, he can count on waking up some morning to find himself one of the competent ones of his generation." --William James
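The thread above argues that the educational way to deal with a snake-oil scheme is to show it being broken. The page links an undergraduate article on "XOR encryption" but does not describe the scheme, so the following is an added example, not code from the thread, the article, or any of the posters: it assumes the textbook scheme C[i] = P[i] XOR K[i mod len(K)] (repeating-key XOR) and shows the two classic breaks, a known-plaintext crib that yields the key (including its length) and key reuse across two messages that cancels the key entirely. The key, plaintexts and crib are constructed for the demonstration.

```python
"""
Added example (not from the thread or the linked article, whose scheme the
page does not describe).  Assumed cipher: repeating-key XOR,
    C[i] = P[i] XOR K[i mod len(K)]
All keys, plaintexts and cribs below are constructed for this demo.
"""


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """The toy cipher itself; encryption and decryption are the same operation."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def keystream_from_crib(ciphertext: bytes, crib: bytes, offset: int = 0) -> bytes:
    """Known plaintext at `offset` reveals the key bytes used there: K = C XOR P."""
    segment = ciphertext[offset:offset + len(crib)]
    if len(segment) != len(crib):
        raise ValueError("crib runs past the end of the ciphertext")
    return bytes(c ^ p for c, p in zip(segment, crib))


def smallest_period(stream: bytes) -> int:
    """Smallest p such that stream[i] == stream[i + p] for every i.

    For a recovered keystream this is the key length, provided the crib is
    long enough that no shorter p happens to fit (a crib covering at least
    two key periods is always enough).  A crib shorter than the key cannot
    determine the period and yields a wrong answer, by construction.
    """
    for p in range(1, len(stream) + 1):
        if all(stream[i] == stream[i + p] for i in range(len(stream) - p)):
            return p
    return len(stream)


def recover_key(ciphertext: bytes, crib: bytes, offset: int = 0) -> bytes:
    """Recover the whole repeating key from a crib at a known offset."""
    ks = keystream_from_crib(ciphertext, crib, offset)
    period = smallest_period(ks)
    # ks[j] == K[(offset + j) mod period]; rotate so the result starts at K[0].
    start = offset % period
    one_period = ks[:period]
    return one_period[period - start:] + one_period[:period - start]


def xor_of_ciphertexts(c1: bytes, c2: bytes) -> bytes:
    """Key reuse: C1 XOR C2 == P1 XOR P2.  The key is gone without being known;
    wherever one message has a space (0x20) the other's letter shows up with
    its case flipped, which is how crib-dragging on reused keys starts."""
    return bytes(a ^ b for a, b in zip(c1, c2))


# Constructed demo material (hypothetical, not from the page).
KEY = b"Kx9!q"  # distinct bytes, so a crib of length > len(KEY) fixes the period
PLAINTEXT = b"TOP SECRET: the wire transfer code is 4471-9920, valid until Friday."
PLAINTEXT2 = b"Second note under the same key, same length matters not."
CIPHERTEXT = xor_repeating(PLAINTEXT, KEY)
CIPHERTEXT2 = xor_repeating(PLAINTEXT2, KEY)


def break_with_header_crib() -> bytes:
    """Attacker guesses only that the message starts with 'TOP SECRET: '."""
    return recover_key(CIPHERTEXT, b"TOP SECRET: ", offset=0)


def break_with_midstream_crib() -> bytes:
    """Attacker guesses a phrase somewhere in the middle and knows its offset."""
    return recover_key(CIPHERTEXT, b"wire transfer", offset=PLAINTEXT.index(b"wire"))


if __name__ == "__main__":
    k = break_with_header_crib()
    print("recovered key:", k, "decrypts to:", xor_repeating(CIPHERTEXT, k))
    print("C1 xor C2 (key cancelled):", xor_of_ciphertexts(CIPHERTEXT, CIPHERTEXT2))
```

The two attacks need nothing beyond one guessed plaintext fragment or a second message under the same key, which is why "XOR with a password" is a stock example of a scheme that looks like a cipher but is not one.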
Re: more reports of terrorist steganography
That's a pretty in-credible report. Emphasis on in-. It's disturbing to see Security Researchers so willing to trade on rumors in order to be quoted in the press.

The conclusion is pretty confusing:

> Conclusion
>
> Internet-based attacks are extremely popular with terrorist organizations because they are relatively cheap to perform, offer a high degree of anonymity, and can be tremendously effective.

Perhaps author Jeffrey Carr should stick to coverage of 'semantic and geospatial intelligence applications'.

I'd sure like credible details...

On Aug 20, 2007, at 10:59 AM, Steven M. Bellovin wrote:

> http://www.esecurityplanet.com/prevention/article.php/3694711
>
> I'd sure like technical details...
>
> --Steve Bellovin, http://www.cs.columbia.edu/~smb