compatibility for
new things but bridging the old things with a
magic box that both preserves the annuity revenue
stream from locked-in users while it keeps the
liability bar at bay.
Or so I think.
--dan
[1] http://www.microsoft.com/windows/virtualpc/previous/default.mspx
| in those environments is VirtualPC). Thank you for
| playing.
TILT
No need to buy a company just to use its
product in your development shop.
Please insert additional coins.
--dan
-
The Cryptography Mailing List
Unsubscribe
for corroborating evidence.
--dan, on the road
[1] Some circumstantial evidence is very strong, like
finding a trout in the milk. -- Henry David Thoreau
http://www.geocities.com/khlim777_my/b777cockpit4r.jpg
--dan
it not for
compelled disclosure.[1]
--dan
[1]
sample state list, to which you can add gunshot wounds
==
Acquired Immunodeficiency Syndrome (AIDS)
Amebiasis
Anthrax
Botulism
Brucellosis
Campylobacteriosis
Cancer
Chancroid
Chickenpox
Chlamydial
center.
--dan
[1]
Whitten A, Tygar JD. Why Johnny Can't Encrypt: A Usability
Evaluation of PGP 5.0. Proceedings of the 8th USENIX Security
Symposium, August 23-26, 1999, Washington, D.C., pp 169-184.
http://www.usenix.org/publications/library/proceedings/sec99/full_papers/whitten/whitten_html
have no
other leverage for recourse.
And, of course, proving anything by way of dueling
experts doesn't provide much predictability in a jury
system, e.g., OJ Simpson.
--dan
.
If someone here can point me at the mother lode of
insight, I would be most grateful.
--dan
-down to the individual
desktop.
split K as 2-of-3 quorum
(1) smartcard
(2) laptop
(3) corp server
encrypt disk using K (or another key protected by K, of course)
situations handled
(a) Dan offline inside Faraday cage, use frags 1,2 to do work
(b) fire Dan / confiscate laptop, use
,
thus anonymizing it, within a single corporate shell.
This is second best and tends to have little motive
power of its own, though I/we proved it can be done[1]
as has Qualys[2], inter alia.
Clear enough?
--dan
[1]
http://www.atstake.com/research/reports/acrobat/atstake_app_reloaded.pdf
[2
if it can't talk to its
distant master? (Why do I care if I have a tumor
if angiostatin keeps it forever smaller than 1mm
in diameter?) Of course, there are details, and,
of course, I am willing to discuss them at far
greater length.
/commercial_message
--dan
Dan Kaminsky writes:
| Dan--
|
| I had something much more complicated, but it comes down to.
|
| You trust Internet Explorer.
| Spyware considers Internet Explorer crunchy, and good with ketchup.
| Any questions?
|
| A little less snarkily, Spyware can trivially use
, if you ever have the opportunity to hear
Frank Abagnale's discussion of check forgery
by all means do so.
--dan
advise this company ]
Take a look at Boojum Mobile -- it is
precisely the idea of using the cell
phone as an out-of-band channel for an
in-band transaction.
http://www.boojummobile.com
[ Disclaimer -- I advise this company ]
--dan
Nick Owen writes:
| I think that the cost of two-factor authentication will plummet in the
| face of the volumes offered by e-banking.
Would you or anyone here care to analyze
what I am presuming is the market failure
of Amex Blue in the sense of its chipcard
and reader combo?
--dan
Well, whether you like the cell phone as
the out-of-band second-factor, you can now
unlock your front door with it...
http://weblog.physorg.com/news2334.html
--dan
text on-disk to
see what tape it was on and to then read that
tape.
--dan
Dare I say that the best must not be the enemy of the good?
--dan
to be an expert to be safe.
--dan
[1]
http://www.cra.org/Activities/grand.challenges/security/home.html
with a potentially
more expensive test that has low/no false positives.
There is a whole health policy management
literature on this. I reproduce the barest
precis of same below, assuming the reader can
manage to view it in a fixed width font while
respecting my hard carriage returns as writ.
--dan
cheat
You know, I'd wonder how many people on this
list use or have used online banking.
To start the ball rolling, I have not and won't.
--dan
Cryptography is nothing more than a mathematical framework for
discussing the implications of various paranoid delusions.
-- Don Alvarez
Clinton's Asst. A.G.
http://www.chicagotribune.com/news/opinion/chi-0512210142dec21,0,3553632.story?coll=chi-newsopinioncommentary-hed
Dick Morris
http://www.drudgereport.com/flash7.htm
--dan
can attack location independently, and
likely without self identification, your only
choice is pre-emption, which requires intell,
which requires surveillance, which requires
listening posts.
And I'm just talking about intellectual property
in the Fortune 1000, not the freaking country.
--dan
interpret as apologies for the first
or second estate are, at least as I mean them,
nothing but an attempt at Real Politik. Hope
I'm wrong, but I don't bet against my intuition.
Probably a rat hole,
--dan
In our office, we have a shredder that happily
takes CDs and is designed to do so. It is noisy
and cost $500.
--dan
Usability should by now be recognized as the key issue for security -
namely, if users can't use it, it doesn't actually work.
% man gpg | wc -l
1705
% man gpg | grep dry
-n, --dry-run Don't make any changes (this is not completely implemented).
I rest my case.
--dan
, perhaps the canoe is
now far enough upriver. If it is a patent claim or the
like and one needs to find the exact wet spot in the
ground that the river starts, well, let me know.
--dan
[1] Proceedings of the IEEE. Vol. 63, No. 9 (September 1975), pp.
1278-1308; Manuscript received October 11, 1974
OK, I'll say it. This site:
http://www.truecrypt.org/
makes me visualize tinfoil hats.
--dan
, this will be the place.
--dan
Security Agency as part of an
effort to thwart terrorism.
snip
--dan
-related lists are composed
of people who are off-center when it comes to risk,
it is us what be the outliers in the distribution
and in no way are our various paranoias widely shared.
Not trying to debate the hive mind, etc.,
--dan
not be able to see (such as organized
survey takers who talk to each other). Sort of like
an Internet-mailing-list, no?
--dan
Alan,
You and I are in agreement, but how do we get
the seemingly (to us) plain truth across to
others? I've been trying for a good while now,
reaching a point where I'd almost wish for a
crisis of some sort as persuasiveness is not
working.
We are probably well off-topic for this list.
--dan
administration. As Gilmore
would say now (hi, John), don't give any
government a power you would not want a
despot to have.
--dan
=
What's on my car
https://www.protestwarrior.com/store/files/master/democrat_president.gif
2004 Turing Award Lecture
* Absolutely secure systems do not exist
* To halve your vulnerability, you have to double your expenditure
* Cryptography is typically bypassed, not penetrated
--dan
for NAIS) with a requirement to file with
USDA any off premises transportation (taking the kids'
heifer to the 4H show included).
--dan
===
The great distinction:
A conservative is a socialist who worships order.
A liberal is a socialist who worships safety
, e.g.), then you get prove-a-negative
from the regulators and auditors -- madness on the same
scale as tulip mania or the defenestration of Prague.
--dan
Anyone know what is up with this?
http://www.gcn.com/online/vol1_no1/41371-1.html
--dan
http://www.amazon.com/gp/product/customer-reviews/0833030477/ref=cm_cr_dp_pt/102-8179025-1336125?ie=UTF8n=283155s=books
http://news.zdnet.com/2100-1009_22-6142935.html?part=rsstag=feedsubj=zdnn
I hesitate to use the syllable crypto in describing this paper,
but those who have not seen it may find it interesting.
http://www.arx.com/documents/The_Unbearable_Lightness_of_PIN_Cracking.pdf
Or profitable.
--dan
http://news.com.com/Jailed+ID+thieves+thwart+cops+with+crypto/2100-7348_3-6144521.html
Jailed ID thieves thwart cops with crypto
By Tom Espiner
Story last modified Tue Dec 19 06:46:45 PST 2006
Three men have been jailed in the U.K. for their part in a massive
data theft operation.
One
an
all-countries-are-created-equal position statement.
--dan
makes the entire edifice untrustable).
--dan
their Admin privilege to accept ActiveX
controls that strip the OS of this or that subsystem,
and to do so in the name of security.
--dan
P.S., The S.E.C. tackling some Estonian clown for $353,609 [2],
is an irrelevant side show at the scale I am talking about: It's
not material to anyone who
Ed Gerck writes:
| We've heard it so many times: There's nothing to worry about.
| Now, Skype adds a new IT protection measure -- love:
|
| The Skype system has not crashed or been victim of a cyber
| attack. We love our customers too much to let that happen.
|
-- Forwarded
just said is hearsay,
though my office-mate says that he has bought three cars
by this method. It almost causes me to say relying party
out loud...
If this idea is a rathole, then my fault and my apology.
--dan
If on the one hand, the correct procedure is sign-encrypt-sign,
then why, on the other hand, is the parallel not sign-hash-sign ?
--dan
=
http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.ps
Donald T. Davis, Defective Sign Encrypt in S/MIME, PKCS#7, MOSS, PEM,
PGP, and XML
May I point out that if voting systems have a level
of flaw that says only an idiot would use them, then
how can you explain electronic commerce, FaceBook,
or gambling sites? More people use just those three
than will *ever* vote.
--dan
money.
--dan
and still
apparently function. Why should voting be
different?
We are approaching a rat hole...
--dan
to the embargoed country
list (Cuba, Iran, Sudan, Syria, North Korea, and Libya).
YMMV.
--dan
-8<-cut-here-8<-
A. BIS Checklist of Questions:
1. Does your product perform cryptography, or otherwise
contain any parts or components that are capable
who've already seen it.
--dan
Well, for all of you who want to prove that hacking
the vote is easy, here's your chance to do something:
http://apnews.myway.com/article/20080121/D8UA8VGG0.html
[ ObDebate: is a winner-take-all state more or less
attractive to vote hacking? ]
--dan
So, what is Apple doing for its brand-new iTunes movie rental thing?
1/3rd of the way into Jobs' song-and-dance
http://stream.qtv.apple.com/events/jan/f27853y2/m_972345688g_650_ref.mov
--dan
and unobvious) *and* Type II (false negative)
errors (when confronted with something sufficiently
unobvious that they find it impossible to understand
that it is either unobvious or useful much less
both).
--dan
[1]
http://www.usenix.org/publications/library/proceedings/sec96/boneh.html
of the inter-relation of security privacy.
--dan
Amateurs talk about algorithms. Professionals talk about economics.
That would be
Amateurs study cryptography; professionals study economics.
-- Allan Schiffman, 2 July 04
Quotationally yours,
--dan
.
Important Dates
Requests to participate: by May 12, 2008
Notification of acceptance: by June 2, 2008
Materials for distribution: by July 21, 2008
Workshop Organizers
Dan Geer, Geer Risk Services, Chair
Bob Blakley, The Burton Group
Fred Cohen, Fred Cohen Associates California Sciences
, then it would today be $300. (1968-present)
--dan
MetriCon 3.0 agenda at this URL
http://www.securitymetrics.org/content/Wiki.jsp?page=Metricon3.0
Workshop is limited attendance though some small number
of requests can still be granted; send same by e-mail to
[EMAIL PROTECTED]
Best,
--dan
not occur, but two such parties, if
they really care, would do their own end-to-end
protections even if it is as simple as speaking
Navajo.
All hail Saltzer, Reed, and Clark.
--dan
number
| (in some cases after 3 tries).
| ...
So I hold the PIN constant and vary the bank account number.
--dan
://www.infobyte.com.ar/down/isr-evilgrade-Readme.txt
Likely off-topic,
--dan
yet another proprietary symmetric cipher ?
http://www.pureentropy.com
...
Encryption Security Solutions provides unprecedented encryption
security, efficiency, and performance for business applications ensuring
critical information is secure.
Encryption Security Solutions, LLC (ES²) has
reproduce it. It was a photo of
the tail end of her car and on it a bumper sticker.
That bumper sticker read
PREVENT UNWANTED PRESIDENCIES
MAKE VOTE COUNTING A HAND JOB
In no other state could a Constitutional Officer
get away with such a bumper sticker, but...
--dan
,
at least the kind of security that says they
can't misuse what they ain't got.
--dan
wouldn't
go into government in the first place.
--dan
for the company to do is to just keep
everything forever. With disk prices falling
as they are, keeping everything is cheaper
than careful selective deletion, that's for
sure.
--dan
) and the growing
role of virtual machines should be of intense interest.
Inferentially yours,
--dan
David Molnar writes, in part:
-+---
| Dan Geer's comment about the street price of
| heroin as a metric for success has me thinking -
| are people tracking the street prices of digital
| underground goods over time?
This material is in fact tracked but not so
Sigh... typing in a moving vehicle. This is
the right URL, verified by cutpaste.
http://geer.tinho.net/ieee/ieee.sp.geer.0801.pdf
Sorry.
--dan
Damien Miller writes:
-+---
|
| David Molnar [EMAIL PROTECTED] writes:
|
| Dan Geer's comment about the street price of heroin as a metric for
| success has me thinking - are people tracking the street prices of
| digital underground goods over time?
|
| I've been
ones signed?
|
quorum threshold crypto; if Avishai Wool or Moti Yung
or Yvo Desmedt or Yair Frankel or... are here on this
list, they should answer
a *tiny* contribution on my part
http://geer.tinho.net/geer.yung.pdf
humbly,
--dan
.
Thinking out loud,
--dan
[ just for amusement, 2008 world production of wheat
and rice would each cover 53 squares, with maize
coming in at 51 squares ]
or asking Can I trust you?
---
http://blog.startcom.org/?p=145
Slashdot and others are reporting on this story about how it was
possible for a person to receive a completely valid certificate for
a random domain of his choosing without any
Peter Gutmann has responded
http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html
(see the Further Epilogue section well down the page)
--dan
. On this basis and others,
bot-nets are a life form.
Rest of text upon request. Incidentally, I *highly* recommend
Daniel Suarez's _Daemon_; trust me as to its relevance. Try
this for a non-fiction taste:
http://fora.tv/2008/08/08/Daniel_Suarez_Daemon_Bot-Mediated_Reality
--dan
=AJournalNumber=6221
As always, the phrase proprietary coding readable
only by us caught my ear.
--dan
to take no longer baked into
the browser as effectively revocation, there is a
retrospective clerical job that might be a fun project
if you had some graduate student labor to assign.
--dan
. The theme of
this episode is The Importance of Context. This workshop
series is intense, and is focused on progress rather than
claims of first discovery. See
http://securitymetrics.org/content/Wiki.jsp?page=Metricon4.0
Dan Geer
sequential numbers.
--dan
addresses change as they come and go from the network.
One would imagine that as IPv6 rolls out, the need
for DHCP goes to zero excepting for mobile devices
attaching to public (not carrier) nets. Yes?
--dan
they can debug. This
may apply to the world at large.
--dan
. Put differently, only within airtight
surveillance will the absence of evidence be the
evidence of absence.
In factually, if not politically, correct terms, the
Electronic Health Record is the surest path to a
surveillance state, but I digress.
--dan
|
| This is the first attack against TLS that I consider to be
| the real deal. To really fix it is going to require a change to
| all affected clients and servers. Fortunately, Eric Rescorla
| has a protocol extension that appears to do the job.
|
...silicon...
--dan
-protecting that
it is capable of refusing a command.
Long live HAL,
--dan
in SSL
and certificates when (as far as we can determine) 100% of
all certificate errors seen by users are false positives.
--dan
://www.ietf.org/mailman/listinfo/cicm .
Dan
and - most importantly - certified random by laws of
physics.
article cut there as there are both a diagram and a video
--dan
False metrics are rampant in the security industry. We really need
to do something about them. I propose that we make fun of them.
You might consider joining us in D.C. on 10 August at
http://www.securitymetrics.org/content/Wiki.jsp?page=Metricon5.0
--dan, program committee
Best,
--dan
at the toll stations where the license
plates are read and correlation between plate number and
current radio fingerprint trivially recorded.
--dan
be unwitting)?
Probably too out there.
--dan
investment than the accumulated profits in the sale
of SSL domain name certs, we could have solved this by now.
--dan
as usual, there's an XKCD for that
http://xkcd.com/504/
--dan
to know collectively what each part of it is doing and
that without a CC channel other than the repurposed MSM; the fun
begins when the botnet reads the obituary of a certain person
/spoiler
--dan
___
The cryptography mailing list
cryptography@metzdowd.com
, not penetrated.[*]
Nevertheless, the value of scepticism is profound; it is
the chastity of the intellect.
--dan
[*]
www.financialcryptography.com/mt/archives/000147.html
of the
U.S. Federal government that handle electronic health records is
ASCII encoded, and readable. Called The Blue Button,[1] there
is even an HL7-Blue Button file converter.[2]
Score one for human readable.
/utter_tangent
--dan
[1] www.va.gov/BLUEBUTTON/Resources.asp
[2] www.hl7.org/implement
to interceptions (they deal with the case of noisy
channels later in the paper).
-dan