> From: [email protected]
> Subject: cryptography Digest, Vol 25, Issue 3
> To: [email protected]
> Date: Thu, 1 Mar 2012 20:21:21 -0500
>
> Send cryptography mailing list submissions to
> [email protected]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.randombit.net/mailman/listinfo/cryptography
> or, via email, send a message with subject or body 'help' to
> [email protected]
>
> You can reach the person managing the list at
> [email protected]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of cryptography digest..."
>
>
> Today's Topics:
>
>   1. Re: Constitutional Showdown Voided as Feds Decrypt Laptop
>      (Steven Bellovin)
>   2. Re: Constitutional Showdown Voided as Feds Decrypt Laptop
>      (Jeffrey Walton)
>   3. Re: Constitutional Showdown Voided as Feds Decrypt Laptop
>      (Nico Williams)
>   4. Re: Constitutional Showdown Voided as Feds Decrypt Laptop
>      (Nico Williams)
>   5. Re: Constitutional Showdown Voided as Feds Decrypt Laptop
>      (James A. Donald)
>   6. Re: Constitutional Showdown Voided as Feds Decrypt Laptop
>      ([email protected])
>   7. Re: Constitutional Showdown Voided as Feds Decrypt Laptop
>      (Jeffrey I. Schiller)
>   8. Re: Constitutional Showdown Voided as Feds Decrypt Laptop
>      (Jeffrey I. Schiller)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 1 Mar 2012 17:49:09 -0500
> From: Steven Bellovin <[email protected]>
> To: Nico Williams <[email protected]>
> Cc: Crypto List <[email protected]>
> Subject: Re: [cryptography] Constitutional Showdown Voided as Feds
>   Decrypt Laptop
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=us-ascii
>
>
> On Mar 1, 2012, at 4:33 12PM, Nico Williams wrote:
>
> > On Thu, Mar 1, 2012 at 3:22 PM, Randall Webmail <[email protected]>
> > wrote:
> >> From: "Jeffrey Walton" <[email protected]>
> >>> Perhaps Fricosu reused a password and was on a mailing list using
> >>> Mailman...
> >>
> >> Yeah - what's the deal with Mailman sending the password in clear-text,
> >> once a month?
> >>
> >> Did anyone really think that was a good idea? Was it a tradeoff between
> >> security and help desk support costs? What other reason could there be?
> >
> > Mailman passwords are of very low value.
>
>
> Precisely correct. The security mechanism is commensurate with the general
> risk. And if you're running that high-value a mailing list, you simply
> disable that feature.
>
> --Steve Bellovin, https://www.cs.columbia.edu/~smb
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 1 Mar 2012 17:56:48 -0500
> From: Jeffrey Walton <[email protected]>
> To: Steven Bellovin <[email protected]>
> Cc: Crypto List <[email protected]>
> Subject: Re: [cryptography] Constitutional Showdown Voided as Feds
>   Decrypt Laptop
> Message-ID:
>   <CAH8yC8nsyKWPV=__k-rigkboes_wy5vnxduffs7pbxbdhmw...@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> On Thu, Mar 1, 2012 at 5:49 PM, Steven Bellovin <[email protected]> wrote:
> >
> > On Mar 1, 2012, at 4:33 12PM, Nico Williams wrote:
> >
> >> On Thu, Mar 1, 2012 at 3:22 PM, Randall Webmail <[email protected]>
> >> wrote:
> >>> From: "Jeffrey Walton" <[email protected]>
> >>>> Perhaps Fricosu reused a password and was on a mailing list using
> >>>> Mailman...
> >>>
> >>> Yeah - what's the deal with Mailman sending the password in clear-text,
> >>> once a month?
> >>>
> >>> Did anyone really think that was a good idea? Was it a tradeoff between
> >>> security and help desk support costs? What other reason could there be?
> >>
> >> Mailman passwords are of very low value.
> >
> >
> > Precisely correct. The security mechanism is commensurate with the general
> > risk. And if you're running that high-value a mailing list, you simply
> > disable that feature.
> Low value to whom? Considering all the password reuse, some (such as
> the bad guys) would consider the username/password list high value.
>
> Jeff
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 1 Mar 2012 17:09:03 -0600
> From: Nico Williams <[email protected]>
> To: [email protected]
> Cc: Crypto List <[email protected]>
> Subject: Re: [cryptography] Constitutional Showdown Voided as Feds
>   Decrypt Laptop
> Message-ID:
>   <CAK3OfOhJBEA9NHQA7Bqk03kb5aPH1P75tGH1=SjS=t9278q...@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> On Thu, Mar 1, 2012 at 4:56 PM, Jeffrey Walton <[email protected]> wrote:
> >>> Mailman passwords are of very low value.
> >>
> >>
> >> Precisely correct. The security mechanism is commensurate with the general
> >> risk. And if you're running that high-value a mailing list, you simply
> >> disable that feature.
> > Low value to whom? Considering all the password reuse, some (such as
> > the bad guys) would consider the username/password list high value.
>
> I let mailman generate passwords. And I never use them, much less
> re-use them. Well, I do use them when I need to change e-mail
> addresses, which happens very rarely, and then I start by asking
> mailman to send me my passwords because I don't remember them -- I've
> done this like once in the past decade.
>
> These are all public mailing lists. With public archives. To which
> people post unsigned messages.
>
> As for non-public lists, see Steven's reply.
>
> Yeah, mailman passwords are of low value from a security point of view.
>
> Nico
> --
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 1 Mar 2012 17:09:52 -0600
> From: Nico Williams <[email protected]>
> To: Crypto List <[email protected]>
> Subject: Re: [cryptography] Constitutional Showdown Voided as Feds
>   Decrypt Laptop
> Message-ID:
>   <CAK3OfOg2hXieELrNh8kSnC=-wan3mnawv23e7tygm3opoau...@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> IOW, I doubt mailman is how they got Fricosu's password.
>
>
> ------------------------------
>
> Message: 5
> Date: Fri, 02 Mar 2012 09:13:00 +1000
> From: "James A. Donald" <[email protected]>
> To: [email protected]
> Subject: Re: [cryptography] Constitutional Showdown Voided as Feds
>   Decrypt Laptop
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 2012-03-01 8:53 AM, James S. Tyre wrote:
> > The authorities seized the encrypted Toshiba laptop from defendant Ramona
> > Fricosu in 2010
> > with valid court warrants while investigating alleged mortgage fraud, and
> > demanded she
> > decrypt it. Colorado U.S. District Judge Robert Blackburn ordered the woman
> > in January to
> > decrypt the laptop by the end of February. The judge refused to stay his
> > decision to allow
> > Fricosu time to appeal.
> >
> > "They must have used or found successful one of the passwords the
> > co-defendant provided
> > them," Fricosu's attorney, Philip Dubois, said in a telephone interview
> > Wednesday.
>
> What one man knows, no one knows, what two men know, everyone knows.
>
>
> ------------------------------
>
> Message: 6
> Date: Thu, 01 Mar 2012 18:42:39 -0500
> From: [email protected]
> To: [email protected]
> Cc: [email protected]
> Subject: Re: [cryptography] Constitutional Showdown Voided as Feds
>   Decrypt Laptop
> Message-ID: <[email protected]>
>
>
> > What one man knows, no one knows, what two men know, everyone knows.
>
> Can I rely on that?
>
> --dan
>
>
>
> ------------------------------
>
> Message: 7
> Date: Thu, 01 Mar 2012 20:18:32 -0500
> From: "Jeffrey I. Schiller" <[email protected]>
> To: [email protected]
> Subject: Re: [cryptography] Constitutional Showdown Voided as Feds
>   Decrypt Laptop
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=UTF-8
>
> On 03/01/2012 06:09 PM, Nico Williams wrote:
> > I let mailman generate passwords. And I never use them, much less
> > re-use them. Well, I do use them when I need to change e-mail
> > addresses, which happens very rarely, and then I start by asking
> > mailman to send me my passwords because I don't remember them -- I've
> > done this like once in the past decade.
>
> Perhaps mailman should be changed to require you to use its generated
> passwords, or better yet, to only generate a password when you ask it
> to send you your password, and then invalidate it after a few days. So
> it isn't really a password but a "thunk" of limited value.
>
> In this fashion we can be more assured that people aren't re-using
> passwords with mailman.
>
> Because... you and I may know better... the manager at the bank where
> are money is stored (or the doctor's office where are medical records
> are located) may not know better... ;-)
>
> -Jeff
>
> --
> _______________________________________________________________________
> Jeffrey I. Schiller
> MIT Technologist, Consultant, and Cavy Breeder
> Cambridge, MA 02139-4307
> 617.910.0259 - Voice
> [email protected]
> http://jis.qyv.name
> _______________________________________________________________________
>
>
> ------------------------------
>
> Message: 8
> Date: Thu, 01 Mar 2012 20:21:18 -0500
> From: "Jeffrey I. Schiller" <[email protected]>
> To: [email protected]
> Subject: Re: [cryptography] Constitutional Showdown Voided as Feds
>   Decrypt Laptop
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="utf-8"
>
> s/are/our/ grrr... :-)
>
> --
> _______________________________________________________________________
> Jeffrey I. Schiller
> MIT Technologist, Consultant, and Cavy Breeder
> Cambridge, MA 02139-4307
> 617.910.0259 - Voice
> [email protected]
> http://jis.qyv.name
> _______________________________________________________________________
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: smime.p7s
> Type: application/pkcs7-signature
> Size: 4881 bytes
> Desc: S/MIME Cryptographic Signature
> URL:
> <http://lists.randombit.net/pipermail/cryptography/attachments/20120301/97b82e64/smime.p7s>
>
> ------------------------------
>
> _______________________________________________
> cryptography mailing list
> [email protected]
> http://lists.randombit.net/mailman/listinfo/cryptography
>
>
> End of cryptography Digest, Vol 25, Issue 3
> *******************************************
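
Added example, not part of the original thread and not Mailman's code: a sketch of the on-request, expiring credential proposed in Message 7 (the "thunk"), as an alternative to a stored password mailed in clear text each month. The class name, method names and the three-day lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

TTL_SECONDS = 3 * 24 * 3600  # assumption: "a few days" taken as three


class ThunkStore:
    """Hypothetical store for on-request, single-use list credentials."""

    def __init__(self, ttl=TTL_SECONDS):
        self.ttl = ttl
        self._pending = {}  # address -> (sha256 of token, expiry time)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, address, now):
        """Create a fresh token; only its hash is kept server-side."""
        token = secrets.token_urlsafe(24)  # server-generated, never user-chosen
        self._pending[address.lower()] = (self._digest(token), now + self.ttl)
        return token  # mailed once to the subscriber, on request only

    def redeem(self, address, token, now):
        """Return True once for a valid, unexpired token; False otherwise."""
        key = address.lower()
        entry = self._pending.get(key)
        if entry is None:
            return False
        stored, expires = entry
        if now >= expires:
            del self._pending[key]  # expired: invalidate
            return False
        if not hmac.compare_digest(stored, self._digest(token)):
            return False
        del self._pending[key]  # single use
        return True


def demo():
    """Constructed walk-through with fixed clock values (seconds)."""
    store, who, t0 = ThunkStore(), "subscriber@example.org", 1_000_000
    first = store.issue(who, t0)
    second = store.issue(who, t0 + 60)  # a new request replaces the old token
    result = {"old_token": store.redeem(who, first, t0 + 120),
              "fresh": store.redeem(who, second, t0 + 120),
              "replay": store.redeem(who, second, t0 + 180)}
    late = store.issue(who, t0)
    result["expired"] = store.redeem(who, late, t0 + TTL_SECONDS)
    return result
```

Because the token is generated by the server and stored only as a hash, a copy of the subscriber database contains nothing a user could have reused at another site.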
