If you are insisting that there is always
a way and that, therefore, the situation is
permanently hopeless such that the smart
ones are getting the hell out of the
Internet, I can go with that, but then
we (you and I) would both be guilty of
letting the best be the enemy of the good.
A
On 06/27/05 00:28, Dan Kaminsky wrote:
... there exists an acceptable solution that
keeps PC's with persistent stores secure. A bootable CD from a bank is
an unexpectedly compelling option
Even more compelling is:
-- obtain laptop hardware from a trusted source
-- obtain software from a
On 6/26/05, Dan Kaminsky [EMAIL PROTECTED] wrote:
It is not necessary though that there exists an acceptable solution that
keeps PC's with persistent stores secure. A bootable CD from a bank is
an unexpectedly compelling option, as are the sort of services we're
going to see coming out of all
What do you tell people to do?
commercial_message
Defense in depth, as always. As an officer at
Verdasys, data-offload is something we block
by simply installing rules like Only these
two trusted applications can initiate outbound
HTTP where the word trusted means checksummed
and the choice of
Dan--
I had something much more complicated, but it comes down to.
You trust Internet Explorer.
Spyware considers Internet Explorer crunchy, and good with ketchup.
Any questions?
A little less snarkily, Spyware can trivially use what MS refers to
as a Browser Helper Object
Dan Kaminsky writes:
| Dan--
|
| I had something much more complicated, but it comes down to.
|
| You trust Internet Explorer.
| Spyware considers Internet Explorer crunchy, and good with ketchup.
| Any questions?
|
| A little less snarkily, Spyware can trivially use
Allan Liska wrote:
3. Use an on-screen keyboard.
For extra points, try Dasher.
http://www.inference.phy.cam.ac.uk/dasher/
--
ApacheCon Europe http://www.apachecon.com/
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
There is no limit to what a man can
On Tue, 21 Oct 2003 15:02:14 +1300, Peter Gutmann said:
Are there any known servers online that offer X.509 (or PGP) mechanisms in
their handshake? Both ssh.com and VanDyke are commercial offerings so it's
not possible to look at the source code to see what they do, and I'm not sure
Joel N.
Thor Lancelot Simon [EMAIL PROTECTED] writes:
I believe the VanDyke implementation also supports X.509, and interoperates
with the ssh.com code. It was also my perception that, at the time, the
VanDyke guy was basically shouted down when trying to discuss the utility of
X.509 for this purpose
On Sun, 2003-10-19 at 00:47, Peter Gutmann wrote:
What was the motive for adding lip service into the document?
So that it's possible to claim PGP and X.509 support if anyone's interested in
it. It's (I guess) something driven mostly by marketing so you can answer
Yes to any question of Do
Damien Miller [EMAIL PROTECTED] writes:
The SSH protocol supports certificates (X.509 and OpenPGP), though most
implementations don't.
One of the reason why many implementations may not support it is that the spec
is completely ambiguous as to the data formats being used. For example it
On 10/16/2003 07:19 PM, David Honig wrote:
it would make sense for the original vendor website (eg Palm)
to have signed the MITM site's cert (palmorder.modusmedia.com),
not for Verisign to do so. Even better, for Mastercard to have signed
both Palm and palmorder.modusmedia.com as well. And
On Fri, 2003-10-17 at 00:58, John S. Denker wrote:
Tangentially-related point about credentials:
In a previous thread the point was made that
anonymous or pseudonymous credentials can only
say positive things. That is, I cannot discredit
you by giving you a discredential. You'll just
Jon Snader wrote:
On Mon, Oct 13, 2003 at 06:49:30PM -0400, Ian Grigg wrote:
Yet others say to be sure we are talking
to the merchant. Sorry, that's not a good
answer either because in my email box today
there are about 10 different attacks on the
secure sites that I care about. And
Hopefully everyone realizes this, but just for the record, I didn't write the
lines apparently attributed to me below -- I was quoting Bruce Schneier.
By the way, I strongly agree with David Honig's point that the wrong entities
are doing the signing.
Regards,
Bryce O'Whielacronx
David
Eric Rescorla wrote:
Ian Grigg [EMAIL PROTECTED] writes:
I'm sorry, but, yes, I do find great difficulty
in not dismissing it. Indeed being other than
dismissive about it!
Cryptography is a special product, it may
appear to be working, but that isn't really
good enough.
Minor errata:
Eric Rescorla wrote:
I totally agree that the systems are
insecure (obligatory pitch for my Internet is Too
Secure Already) http://www.rtfm.com/TooSecure.pdf,
I found this link had moved to here;
http://www.rtfm.com/TooSecure-usenix.pdf
which makes some of the same
At 12:28 AM 10/13/2003, Ian Grigg wrote:
Problem is, it's also wrong. The end systems
are not secure, and the comms in the middle is
actually remarkably safe.
I think this is an interesting, insightful analysis, but I also think it's
drawing a stronger contrast between the real world and the
Eric,
thanks for your reply!
My point is strictly limited to something
approximating there was no threat model
for SSL / secure browsing. And, as you
say, you don't really disagree with that
100% :-)
With that in mind, I think we agree on this:
[9] I'd love to hear the inside scoop, but
19 matches
Mail list logo
