Mitnick starts security company
http://technology.scmp.com/cgi-bin/gx.cgi/AppLogic+FTContentServer?pagename=SCMP/Printacopyaid=ZZZRFQ7QX6D

Thursday, October 10, 2002

Hacker starts security company

AGENCE FRANCE-PRESSE in Washington

Kevin Mitnick, the cult figure hacker jailed for breaking into big corporate computer networks, is starting his own Internet security firm, according to an interview published this week.

Mr Mitnick, who served nearly five years in prison for stealing corporate computer secrets, said he had formed the company and would work more intensely on it when the terms of his supervised release expire in a few months.

"I am taking my knowledge and experience to help educate government and industry on how to protect their assets, instead of using my former hobby to create grief," Mr Mitnick told silicon.com.

Mr Mitnick allegedly broke into computer systems of Motorola, Sun Microsystems, Qualcomm and others until he was apprehended in 1995.

--
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: open source CAs?
Perry E. Metzger wrote:
> Beyond the openssl tools (which are quite primitive), are there any open source certificate authority tools out there at the moment that people can recommend?

CSP http://devel.it.su.se/projects (openssl perl wrapper) is used by some members of SwUPKI http://www.swupki.su.se. Not recommended for high-volume PKIs (e.g. user certificates).

leifj
Re: open source CAs?
Hi,

On Wed, Oct 09, 2002 at 11:03:35AM -0400, Perry E. Metzger wrote:
> Beyond the openssl tools (which are quite primitive), are there any open source certificate authority tools out there at the moment that people can recommend?

Here is a list I once compiled:

Set up your own Certification Authority using free software (ssleay)
http://cognac.epfl.ch/SIC/SL/CA/

pyCA - X.509 CA Software for running a X.509/PKIX certificate authority (openssl)
http://www.pyca.de/

OpenCA
http://openca.sourceforge.net/

Certificate Management Library (CML)
http://www.getronicsgov.com/hot/cml_home.htm (library)

oscar 3.2: Open Secure Certificate Architecture
http://oscar.dstc.qut.edu.au/ (dead)

uPKI
http://www.wedgetail.com/upki/ (commercial, toolkit+library)

JCSI - Java Crypto and Security Implementation
http://www.wedgetail.com/jcsi/

Jonah: Freeware PKIX reference implementation
http://web.mit.edu/pfl/

Overview:
http://munitions.vipul.net/dolphin.cgi?action=rendercategory=08

If you find others, please post...

Bye,
Stefan

--
Stefan Mink, Schlund+Partner AG (AS 8560)
Key fingerprint = 389E 5DC9 751F A6EB B974 DC3F 7A1B CF62 F0D4 D2BA
Re: open source CAs?
On Wed, Oct 09, 2002 at 11:03:35AM -0400, Perry E. Metzger wrote:
> Beyond the openssl tools (which are quite primitive), are there any open source certificate authority tools out there at the moment that people can recommend?

www.openca.org? Web based. LDAP backend. A little overkill for my purposes...

> --
> Perry E. Metzger [EMAIL PROTECTED]

Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
Re: Microsoft marries RSA Security to Windows
- Original Message -
From: "Roy M.Silvernail" [EMAIL PROTECTED]
> And here, I thought that a portion of the security embodied in a SecurID token was the fact that it was a tamper-resistant, independent piece of hardware. Now M$ wants to put the PRNG out in plain view, along with its seed value. This cherry is just begging to be picked by some blackhat, probably exploiting a hole in Pocket Outlook.

Unfortunately, SecurID hasn't been that way for a while. RSA has offered executables for various operating systems for some time now. I agree it destroys what there was of the security, and reduces it to basically the level of username/password, albeit at a more expensive price. But I'm sure it was a move to improve their bottom line.

Joe
Re: Microsoft marries RSA Security to Windows
> Tamper-resistant hardware is out, second channel with remote source is in. Trust can be induced this way too, and better. There is no need for PRNG in plain view, no seed value known. Delay time of 60 seconds (or more) is fine because each one-time code applies only to one page served.
>
> Please take a look at:
> http://www.rsasecurity.com/products/mobile/datasheets/SIDMOB_DS_0802.pdf
> and
> http://nma.com/zsentry/

Thanks for the pointers. I've also received some off-list mail encouraging me not to dismiss this so quickly. Time to study up a bit. (and this, folks, is why I love the net)

--
Roy M. Silvernail [ ] [EMAIL PROTECTED]
DNRC Minister Plenipotentiary of All Things Confusing, Software Division
PGP fingerprint = 31 86 EC B9 DB 76 A7 54 13 0B 6A 6B CC 09 18 B6
Key available from [EMAIL PROTECTED]
I charge to process unsolicited commercial email
Re: Microsoft marries RSA Security to Windows
"Roy M.Silvernail" [EMAIL PROTECTED] writes:
>> The first initiatives will centre on Microsoft's licensing of RSA SecurID two-factor authentication software and RSA Security's development of an RSA SecurID Software Token for Pocket PC.
>
> And here, I thought that a portion of the security embodied in a SecurID token was the fact that it was a tamper-resistant, independent piece of hardware.

SecurityDynamics/RSA Security have sold SecurID for Palms for several years. Some previous discussion can be found in the mailing list archives around the release date in spring of 1999. They also sell software implementations of SecurID for Windows.

> Now M$ wants to put the PRNG out in plain view

It's already out here--the algorithm for the SecurID hash function was published on Bugtraq by a third party (allegedly Russian) in late 2000.

> along with its seed value.

They did make some attempt to make the seed difficult to recover on the Palm. No doubt it could be reverse engineered with some effort, and software SecurID on networked devices does change the threat model.

-dan
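To make the thread's point about "the PRNG and its seed" concrete, here is an added example written for this archive; it is not code from RSA Security, Microsoft or any of the posters, and it is not the SecurID algorithm. It is a generic HMAC-based one-time-password token in the style of RFC 4226 (HOTP) and RFC 6238 (TOTP), with a 60-second step chosen to match the delay discussed above; the seed values, the step length and the server-side verifier are constructed for illustration. What it shows is that every code is a pure function of the shared seed and the clock, so whoever holds the seed, on tamper-resistant hardware or on a networked handheld, can produce the whole sequence; and that a sensible verifier tolerates a little clock drift but never accepts a time step twice, so a code that was already used cannot be replayed.

```python
import hashlib
import hmac
import struct
import time


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from the clock.

    Nothing here is secret except `seed`: anyone holding the seed and a
    clock computes exactly the same codes as the token does.
    """
    return hotp(seed, int(unix_time) // step, digits)


class TokenVerifier:
    """Server side of the same shared-seed scheme (constructed for this example).

    It holds the same seed, accepts codes from `window` steps on either
    side of its own clock, and refuses any step at or below the last one
    it already accepted, which blocks replay of a used code.
    """

    def __init__(self, seed: bytes, step: int = 60, window: int = 1, digits: int = 6):
        self.seed = seed
        self.step = step
        self.window = window
        self.digits = digits
        self.last_counter = -1  # highest time step already consumed

    def verify(self, code: str, unix_time=None) -> bool:
        now = int(time.time()) if unix_time is None else int(unix_time)
        base = now // self.step
        for counter in range(base - self.window, base + self.window + 1):
            if counter <= self.last_counter:
                continue  # used already, or older than the last accepted step
            expected = hotp(self.seed, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo seed; a real deployment would provision a random one per token.
    seed = b"constructed-demo-seed"
    t0 = 1_000_000_000
    code = totp(seed, t0)
    server = TokenVerifier(seed)
    print("token shows:", code)
    print("accepted 59 s later:", server.verify(code, t0 + 59))
    print("accepted again (replay):", server.verify(code, t0 + 59))
```

The verifier's clock window is why the thread's "60 seconds or more" delay is tolerable: the server checks a small range of steps around its own time rather than demanding an exact match. The replay check is the piece that the published hash function does not give an adversary; what the seed gives them is everything else, which is the change in threat model the poster describes.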
RE: open source CAs?
http://www.opencerts.com/

-----Original Message-----
From: Perry E. Metzger [mailto:[EMAIL PROTECTED]]
Sent: 09 October 2002 16:04
To: [EMAIL PROTECTED]
Subject: open source CAs?

Beyond the openssl tools (which are quite primitive), are there any open source certificate authority tools out there at the moment that people can recommend?

--
Perry E. Metzger [EMAIL PROTECTED]
Re: open source CAs?
OpenCA?

At one point I wrote some PERL around OpenSSL called WebCA, but I don't know what became of that. I don't think it was ever released.

-derek

Perry E. Metzger [EMAIL PROTECTED] writes:
> Beyond the openssl tools (which are quite primitive), are there any open source certificate authority tools out there at the moment that people can recommend?
>
> --
> Perry E. Metzger [EMAIL PROTECTED]

--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
[EMAIL PROTECTED] PGP key available
Re: Microsoft marries RSA Security to Windows
Tamper-resistant hardware is out, second channel with remote source is in. Trust can be induced this way too, and better. There is no need for PRNG in plain view, no seed value known. Delay time of 60 seconds (or more) is fine because each one-time code applies only to one page served.

Please take a look at:
http://www.rsasecurity.com/products/mobile/datasheets/SIDMOB_DS_0802.pdf
and
http://nma.com/zsentry/

Microsoft's move is good, RSA gets a good ride too, and the door may open for a standards-based two-channel authentication method.

Cheers,
Ed Gerck

Roy M.Silvernail wrote:
> On Tuesday 08 October 2002 10:11 pm, it was said:
>> Microsoft marries RSA Security to Windows
>> http://www.theregister.co.uk/content/55/27499.html
>> [...]
>> The first initiatives will centre on Microsoft's licensing of RSA SecurID two-factor authentication software and RSA Security's development of an RSA SecurID Software Token for Pocket PC.
>
> And here, I thought that a portion of the security embodied in a SecurID token was the fact that it was a tamper-resistant, independent piece of hardware. Now M$ wants to put the PRNG out in plain view, along with its seed value. This cherry is just begging to be picked by some blackhat, probably exploiting a hole in Pocket Outlook.
Re: open source CAs?
On 9 Oct 2002, Perry E. Metzger wrote:

Well if you're into J2EE check ejbca.sourceforge.net out. From the about page:

"EJBCA is a fully functional Certificate Authority. Based on J2EE technology it constitutes a robust, high performance and component based CA. Both flexible and platform independent, EJBCA can be used standalone or integrated in any J2EE application."

> Beyond the openssl tools (which are quite primitive), are there any open source certificate authority tools out there at the moment that people can recommend?
>
> --
> Perry E. Metzger [EMAIL PROTECTED]
CFP -- IEEE Symposium on Security and Privacy
CALL FOR PAPERS

May 11-14, 2003
The Claremont Resort
Oakland, California, USA

2003 IEEE Symposium on Security and Privacy

sponsored by
IEEE Computer Society Technical Committee on Security and Privacy

in cooperation with
The International Association for Cryptologic Research (IACR)

Symposium Committee:

General Chair: Bob Blakley (IBM Software Group - Tivoli Systems, USA) (bblakley @us.ibm.com)
Vice Chair: Lee Badger (Network Associates Labs, USA)
Program Co-Chairs: Steven M. Bellovin (AT&T Research, USA)
                   David A. Wagner (University of California at Berkeley, USA)

Since 1980, the IEEE Symposium on Security and Privacy has been the premier forum for the presentation of developments in computer security and electronic privacy, and for bringing together researchers and practitioners in the field. Previously unpublished papers offering novel research contributions in any aspect of computer security or electronic privacy are solicited for submission to the 2003 symposium. Papers may represent advances in the theory, design, implementation, analysis, or empirical evaluation of secure systems, either for general use or for specific application domains.

Topics of interest include, but are not limited to, the following:

Commercial and Industrial Security
Electronic Privacy
Mobile Code and Agent Security
Distributed Systems Security
Network Security
Anonymity
Data Integrity
Access Control and Audit
Information Flow
Security Verification
Viruses and Other Malicious Code
Security Protocols
Authentication
Biometrics
Smartcards
Peer-to-Peer Security
Intrusion Detection
Database Security
Language-Based Security
Denial of Service
Security of Mobile Ad-Hoc Networks

Program Committee:

Martin Abadi (University of California Santa Cruz, USA)
Marc Dacier (Eurecom, France)
Drew Dean (SRI, USA)
Barbara Fox (Microsoft, USA)
Virgil Gligor (University of Maryland, USA)
Peter Gutmann (University of Auckland, New Zealand)
John Ioannidis (AT&T, USA)
Trent Jaeger (IBM, USA)
Paul Karger (IBM, USA)
Dick Kemmerer (University of California Santa Barbara, USA)
John McLean (Naval Research Laboratory, USA)
Vern Paxson (ICSI, USA)
Michael Roe (Microsoft, UK)
Avi Rubin (AT&T, USA)
John Rushby (SRI, USA)
Paul Syverson (Naval Research Laboratory, USA)

INSTRUCTIONS FOR PAPER SUBMISSIONS

Submitted papers must not substantially overlap papers that have been published or that are simultaneously submitted to a journal or a conference with proceedings. Papers should be in Portable Document Format (.pdf) or Postscript (.ps), at most 15 pages excluding the bibliography and well-marked appendices (using 11-point font, single column format, and reasonable margins on 8.5x11 or A4 paper), and at most 25 pages total. We request the submissions be in US letter paper size (not A4) if at all possible. Authors submitting papers in PDF are urged to follow the NSF Fastlane guidelines for document preparation ( http://www.fastlane.nsf.gov/a1/pdfcreat.htm ), and to pay special attention to unusual fonts. Committee members are not required to read the appendices, so the paper should be intelligible without them.

Papers should be submitted in a form suitable for anonymous review: remove author names and affiliations from the title page, and avoid explicit self-referencing in the text. Instructions on electronic submission will appear shortly at http://www.research.att.com/~smb/oakland03-cfp.html . For any questions, please contact the program chairs, at [EMAIL PROTECTED]

Paper submissions due: November 6, 2002
Acceptance notification: January 29, 2003

Submissions received after the submission deadline or failing to conform to the guidelines above risk rejection without consideration of their merits. Authors are responsible for obtaining appropriate clearances; authors of accepted papers will be asked to sign IEEE copyright release forms. Where possible all further communications to authors will be via email.

PANEL PROPOSALS

The conference may include panel sessions addressing topics of interest to the computer security community. Proposals for panels should be no longer than five pages in length and should include possible panelists and an indication of which of those panelists have confirmed participation. Please submit panel proposals by email to [EMAIL PROTECTED]

Panel proposals due: November 6, 2002
Acceptance notification: January 21, 2003

Where possible all further communications to authors will be via email.

5-MINUTE TALKS

A continuing feature of the symposium will be a session of 5-minute talks, where attendees can present preliminary research results or summaries of works published elsewhere. Poster presentations related to these talks are also possible. Abstracts for 5-minute talks should fit on one 8.5x11 or A4 page, including the title and all author names and affiliations. Please submit abstracts by email to [EMAIL PROTECTED]

5-minute abstracts due: March 17, 2003
Acceptance notification: March 31, 2003

Where possible all further