Re: Fw: [IP] Malware kills 154

2010-08-23 Thread John Ioannidis
On 8/23/2010 5:17 PM, Thierry Moreau wrote: Commercial avionics certification looks like the most demanding among industrial sectors requiring software certification (public transportation, high energy incl. nuclear, medical devices, government IT security in some countries, electronic

Location services risks (was: Re: Spy/Counterspy)

2010-07-11 Thread John Ioannidis
Location-based services are already being used for dating services (big surprise here). Mobiles send their location to a server, the server figures out who is near whom, and matches them. There are lots of variants on that. An obvious risk here is that the server is acting as a location

Re: Against Rekeying

2010-03-25 Thread John Ioannidis
I think the problem is more marketing and less technology. Some marketoid somewhere decided to say that their product supports rekeying (they usually call it key agility). Probably because they read somewhere that you should change your password frequently (another misconception, but that's

Re: consulting question.... (DRM)

2009-05-30 Thread John Ioannidis
John Gilmore wrote: ... PPS: On a consulting job one time, I helped my customer patch out the license check for some expensive Unix circuit simulation software they were running. They had bought a faster, newer machine and wanted to run it there instead of on the machine they'd bought the

Re: consulting question....

2009-05-27 Thread John Ioannidis
If you've already explained to them that what they are trying to do is both impossible and pointless, and they still want your consulting services, take as much of their money as you can and don't feel bad about it! Maybe you can get some more people on this list hired, too :) /ji

Re: Activation protocol for tracking devices

2009-03-02 Thread John Ioannidis
As it has been pointed out numerous times on this and other places, this is a singularly bad idea. The crypto isn't even the hardest part (and it's hard enough). Just don't do it. If you are going to spend your energy on anything, it should be to work against such a plan. /ji

Voting machine security

2008-08-15 Thread John Ioannidis
This just about sums it up: http://xkcd.com/463/ /ji - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: security questions

2008-08-08 Thread John Ioannidis
[EMAIL PROTECTED] wrote: John Ioannidis wrote: | Does anyone know how this security questions disease started, and why | it is spreading the way it is? If your company does this, can you find | the people responsible and ask them what they were thinking? The answer is Help Desk Call

Re: security questions

2008-08-07 Thread John Ioannidis
Does anyone know how this security questions disease started, and why it is spreading the way it is? If your company does this, can you find the people responsible and ask them what they were thinking? My theory is that no actual security people have ever been involved, and that it's just

Re: Ransomware

2008-06-09 Thread John Ioannidis
Leichter, Jerry wrote: Computerworld reports: http://www.computerworld.com/action/article.do?command=viewArticleBasicarticleId=9094818 This is no different than suffering a disk crash. That's what backups are for. /ji PS: Oh, backups you say.

Re: survey of instant messaging privacy

2008-06-09 Thread John Ioannidis
Perry E. Metzger wrote: Also from Declan McCullagh today, a full survey of instant message service security: http://news.cnet.com/8301-13578_3-9962106-38.html?part=rsstag=feedsubj=TheIconoclast Interesting. Of course, with the possible exception of Skype, only the over-the-network part of

Re: Just update the microcode (was: Re: defending against evil in all layers of hardware and software)

2008-04-29 Thread John Ioannidis
truly trust. - Alex That we agree on! /ji - Original Message - From: John Ioannidis [EMAIL PROTECTED] To: Cryptography cryptography@metzdowd.com Subject: Just update the microcode (was: Re: defending against evil in all layers of hardware and software) Date: Mon, 28 Apr 2008 18:16:12

Just update the microcode (was: Re: defending against evil in all layers of hardware and software)

2008-04-28 Thread John Ioannidis
Intel and AMD processors can have new microcode loaded to them, and this is usually done by the BIOS. Presumably there is some asymmetric crypto involved with the processor doing the signature validation. A major power that makes a good fraction of the world's laptops and desktops (and hence

Re: House o' Shame: Amtrak

2008-02-15 Thread John Ioannidis
Not just Amtrak. The Economist and The New Yorker both do the same thing. I tried engaging them in a discussion on the subject. The Economist never replied, whereas the New Yorker assured me that those addresses were indeed theirs. I haven't figured out how to get past the clueless people

Re: Lack of fraud reporting paths considered harmful.

2008-01-26 Thread John Ioannidis
Perry E. Metzger wrote: That's not practical. If you're a large online merchant, and your automated systems are picking up lots of fraud, you want an automated system for reporting it. Having a team of people on the phone 24x7 talking to your acquirer and reading them credit card numbers over

Re: How the Greek cellphone network was tapped.

2007-07-10 Thread John Ioannidis
Florian Weimer wrote: It's also an open question whether network operators subject to interception requirements can legally offer built-in E2E encryption capabilities without backdoors. You probably meant device vendors, not network operators. The whole *point* of E2E security is that

Re: How the Greek cellphone network was tapped.

2007-07-08 Thread John Ioannidis
silvio wrote: Aren't run-of-the-mill cellphones these days powerful enough to use available software like OpenSSL to encrypt voice/datastreams? Again...what are the options for end-to-end cell encryption right now? Mobile phones have had spare cycles for doing strong crypto for a very long

IBM Lost Tape(s)

2007-06-09 Thread John Ioannidis
Apparently, last February IBM lost some tapes with employee data. Yesterday, I received a notification from them, which I scanned and put (slightly redacted) in http://www.tla.org/private/ibmloss1.pdf for your amusement. Now, I haven't worked for IBM in a long time, and since then I have moved

Re: some thoughts about Oracle's security breach (by SAP)

2007-03-23 Thread John Ioannidis
occurred in late November 2006, and the litigation is starting less than four months later. /ji -- John Ioannidis | Packet GENERAL Networks, Inc. [EMAIL PROTECTED] | http://www.packetgeneral.com/

Re: Banking Follies

2007-01-16 Thread John Ioannidis
On Sun, Jan 14, 2007 at 03:31:22PM -0500, Steven M. Bellovin wrote: On Sat, 13 Jan 2007 18:26:52 -0500 John Ioannidis [EMAIL PROTECTED] wrote: Citibank sends me periodic reminders to switch to an electronic-only statement so that I am better protected against identity theft. The advice

Re: Banking Follies

2007-01-14 Thread John Ioannidis
Citibank sends me periodic reminders to switch to an electronic-only statement so that I am better protected against identity theft. John Cleese saying "explain the logic underlying this conclusion" in the cheese shop sketch comes to mind... The return address for the email message, although

SSL (https, really) accelerators for Linux/Apache?

2007-01-02 Thread John Ioannidis
There is too much conflicting information out there. Can someone please recommend an SSL accelerator board that they have personally tested and used, that works with the 2.6.* kernels and the current release of OpenSSL, and is actually an *accelerator* (I've used a board from a certain otherwise

Re: cellphones as room bugs

2006-12-04 Thread John Ioannidis
On Sun, Dec 03, 2006 at 09:26:15PM -0600, Taral wrote: That's the same question I have. I don't remember seeing anything in the GSM standard that would allow this either. I'll hazard a guess: mobile providers can send a special type of message (not sure if it would be classed as an SMS) with

Re: cellphones as room bugs

2006-12-03 Thread John Ioannidis
On Sat, Dec 02, 2006 at 10:21:57AM -0500, Perry E. Metzger wrote: Quoting: The FBI appears to have begun using a novel form of electronic surveillance in criminal investigations: remotely activating a mobile phone's microphone and using it to eavesdrop on nearby conversations.

Re: skype not so anonymous...

2006-09-04 Thread John Ioannidis
Although in this case it's obviously the man's stupidity using an instant messenger with his old virtual identity that got him tracked down. No one For that matter, he could just have gotten a phonecard and used a payphone. Wearing sunglasses, a wig and a false beard while limping to and

Re: Crypto hardware with secure key storage

2006-05-22 Thread John Ioannidis
Speaking of bulk encryption cards... does the linux 2.6 kernel support any? There is a reference to a crypto framework in the configuration menus, but as is typical of linux, there are no man pages or other documentation related to it, and I don't feel like reading source code.

Bamford on the NSA and the Greek mobile phone tapping scandal

2006-05-13 Thread John Ioannidis
As some of you may remember, there was a scandal in Greece back in February 2006 involving the interception of mobile phones belonging to high-level government officials, including the Prime Minister. The CALEA software on the Ericsson switches used by Vodafone was blamed; it had apparently been

Re: Re: Encrypted Virtual Drives

2003-07-08 Thread John Ioannidis
Or you can run vmware under XP, run NetBSD under vmware, use CGD, and export it back to windows with samba. It's sick, but I know of at least one person who is doing this, and he says the performance is acceptable (on his 1+ GHz laptop). /ji