On Tue, Mar 20, 2007 at 08:14:26PM -0400, Dan Geer wrote:
Quoting from a discussion of threat posed by software virtualization as
found in Symantec's ISTR:xi, released today:
The second type of threat that Symantec believes could emerge is
related to the impact that software virtualized
On Mon, Jan 28, 2008 at 03:56:11PM -0700, John Denker wrote:
[...]
I don't think it is very common; I get only five hits from
http://www.google.com/search?q=two-person-login
[...]
Try searching for secret splitting instead.
From the foregoing, you might conclude that the two-person login
On Tue, Jan 29, 2008 at 03:37:26PM -0600, Nicolas Williams wrote:
I think you missed John's point, which is that two-person *login*
says *nothing* about what happens once logged in -- logging in
enables arbitrary subsequent transactions that may not require two
people to acquiesce.
Certainly,
On Sat, Feb 23, 2008 at 05:09:29AM +1300, Peter Gutmann wrote:
There were commercial products that did this available some years
ago, they hooked into the Windows auth using a custom GINA DLL
(GINA = the Windows extensible login/authentication mechanism,
think PAM for Windows) and locked the
On Wed, May 28, 2008 at 10:34:53AM +0200, Philipp Gühring wrote:
it is imperative that wasteful reads of this pseudo-device be
avoided at all costs.
Yes. Still, some people are using fopen/fread to access
/dev/random, which does pre-fetching on most implementations I
saw, so using
On Tue, Jun 10, 2008 at 11:41:56PM +0100, Dave Howe wrote:
The key size would imply PKI; that being true, then the ransom may
be for a session key (specific per machine) rather than the
master key it is unwrapped with.
Per the computerworld.com article:
Kaspersky has the public key in
On Wed, Jun 11, 2008 at 11:53:54AM -0400, Leichter, Jerry wrote:
Returning to the point of the earlier question - why doesn't someone
pay the ransom once and then use the key to decrypt everyone's files:
Assuming, as seems reasonable, that there is a session key created
per machine and then
On Tue, Jan 27, 2009 at 09:04:45AM -0500, Jerry Leichter wrote:
[...]
It might be useful to put together a special-purpose HTTPS client
which would initiate a connection and tell you about the cert
returned, then exit.
[...]
I often use this (though there's probably an easier way)...
On Fri, Aug 13, 2010 at 09:32:57AM -0700, Jeff Simmons wrote:
It wouldn't surprise me if there's been some blowback from the
adoption of PCI-DSS (Payment Card Industry Data Security
Standards). As someone who has had to help several small to medium
size businesses comply with these 'voluntary'