On 8/23/2010 5:17 PM, Thierry Moreau wrote:
Commercial avionics certification looks like the most demanding among
industrial sectors requiring software certification (public
transportation, high energy incl. nuclear, medical devices, government
IT security in some countries, electronic payments
Location-based services are already being used for dating services (big
surprise here). Mobiles send their location to a server, the server
figures out who is near whom, and matches them. There are lots of
variants on that. An obvious risk here is that the server is acting as
a location orac
I think the problem is more marketing and less technology. Some
marketoid somewhere decided to say that their product supports rekeying
(they usually call it "key agility"). Probably because they read
somewhere that you should change your password frequently (another
misconception, but that's f
John Gilmore wrote:
...
PPS: On a consulting job one time, I helped my customer patch out the
license check for some expensive Unix circuit simulation software they
were running. They had bought a faster, newer machine and wanted to
run it there instead of on the machine they'd bought the "node
If you've already explained to them that what they are trying to do is
both impossible and pointless, and they still want your consulting
services, take as much of their money as you can and don't feel bad
about it! Maybe you can get some more people on this list hired, too :)
/ji
--
As it has been pointed out numerous times on this and other places, this
is a singularly bad idea.
The crypto isn't even the hardest part (and it's hard enough).
Just don't do it. If you are going to spend your energy on anything, it
should be to work against such a plan.
/ji
-
This just about sums it up: http://xkcd.com/463/
/ji
-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
[EMAIL PROTECTED] wrote:
John Ioannidis wrote:
| Does anyone know how this "security questions" disease started, and why
| it is spreading the way it is? If your company does this, can you find
| the people responsible and ask them what they were thinking?
The answer is "
Does anyone know how this "security questions" disease started, and why
it is spreading the way it is? If your company does this, can you find
the people responsible and ask them what they were thinking?
My theory is that no actual security people have ever been involved, and
that it's just a
Eugen Leitl wrote:
In case somebody missed it,
http://www.tfr.org/wiki/index.php?title=Technical_Proposal_(IPETEE)
If this is a joke, I'm not getting it.
/ji
Perry E. Metzger wrote:
Also from Declan McCullagh today, a full survey of instant message
service security:
http://news.cnet.com/8301-13578_3-9962106-38.html?part=rss&tag=feed&subj=TheIconoclast
Interesting. Of course, with the possible exception of Skype, only the
over-the-network part of
Leichter, Jerry wrote:
Computerworld reports:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9094818
This is no different than suffering a disk crash. That's what backups
are for.
/ji
PS: Oh, backups you say.
Recall that "crypto-" (??-) means "hidden":
http://www.xkcd.com/426/
/ji
nce monitor somewhere in it that you can truly
trust.
- Alex
That we agree on!
/ji
- Original Message -
From: "John Ioannidis" <[EMAIL PROTECTED]>
To: Cryptography
Subject: Just update the microcode (was: Re: defending against
evil in all layers of hardware and soft
Intel and AMD processors can have new microcode loaded to them, and this
is usually done by the BIOS. Presumably there is some asymmetric crypto
involved with the processor doing the signature validation.
A major power that makes a good fraction of the world's laptops and
desktops (and hence
Not just Amtrak. The Economist and The New Yorker both do the same
thing. I tried engaging them in a discussion on the subject. The
Economist never replied, whereas the New Yorker assured me that those
addresses were indeed theirs. I haven't figured out how to get past the
clueless people w
Alex Alten wrote:
Great. What next? I guess air-gap transfer of flash memory might be
the best solution.
Malware's new infection route: photo frames
http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2008/01/26/MNE7UHOOQ.DTL
For starters, you can turn off the "feature" that auto-runs cod
Perry E. Metzger wrote:
That's not practical. If you're a large online merchant, and your
automated systems are picking up lots of fraud, you want an automated
system for reporting it. Having a team of people on the phone 24x7
talking to your acquirer and reading them credit card numbers over th
Florian Weimer wrote:
It's also an open question whether network operators subject to
interception requirements can legally offer built-in E2E encryption
capabilities without backdoors.
You probably meant device vendors, not network operators. The whole
*point* of E2E security is that networ
silvio wrote:
Aren't run-of-the-mill cellphones these days powerful enough to use
available software like OpenSSL to encrypt voice/datastreams?
Again...what are the options for end-to-end cell encryption right now?
Mobile phones have had spare cycles for doing strong crypto for a very
long ti
Apparently, last February IBM lost some tapes with employee data.
Yesterday, I received a notification from them, which I scanned and put
(slightly redacted) in http://www.tla.org/private/ibmloss1.pdf for
your amusement.
Now, I haven't worked for IBM in a long time, and since then I have
moved a
I think their auditing is fine; the attacks occurred in late November
2006, and the litigation is starting less than four months later.
/ji
--
John Ioannidis | Packet GENERAL Networks, Inc.
[EMAIL PROTECTED] | http://www.packetgeneral.com/
--
On Sun, Jan 14, 2007 at 03:31:22PM -0500, Steven M. Bellovin wrote:
> On Sat, 13 Jan 2007 18:26:52 -0500
> John Ioannidis <[EMAIL PROTECTED]> wrote:
>
> > Citibank send me periodic reminders to switch to an electronic-only
> > statement so that I am "better
Citibank send me periodic reminders to switch to an electronic-only
statement so that I am "better protected against identity theft".
John Cleese saying "explain the logic underlying this conclusion" in
the cheese shop sketch comes to mind...
The return address for the email message, although app
There is too much conflicting information out there. Can someone
please recommend an SSL accelerator board that they have personally
tested and used, that works with the 2.6.* kernels and the current
release of OpenSSL, and is actually an *accelerator* (I've used a
board from a certain otherwise f
On Sun, Dec 03, 2006 at 09:26:15PM -0600, Taral wrote:
> That's the same question I have. I don't remember seeing anything in
> the GSM standard that would allow this either.
>
I'll hazard a guess: mobile providers can send a special type of
message (not sure if it would be classed as an SMS) wit
On Sat, Dec 02, 2006 at 10:21:57AM -0500, Perry E. Metzger wrote:
>
> Quoting:
>
>The FBI appears to have begun using a novel form of electronic
>surveillance in criminal investigations: remotely activating a
>mobile phone's microphone and using it to eavesdrop on nearby
>conversa
There are a few more things to know about TPM (I've been playing with
it recently, and the scars have not healed yet).
First, very few systems, mostly laptops, support it. The only
*server* platform I found that supports it is the IBM eSeries 366, and
even then, its BIOS does not have support for
> Although in this case it's obviously the man's stupidity using an instant
> messenger with his old virtual identity that got him tracked down. No one
For that matter, he could just have gotten a phonecard and used a
payphone. Wearing sunglasses, a wig and a false beard while limping
to and fr
On Tue, May 23, 2006 at 11:19:38AM -0400, Perry E. Metzger wrote:
>
> Following the links from a /. story about a secure(?) mobile phone
> VectroTel in Switzerland is selling, I came across the fact that this
> firm sells a full line of encrypted phones.
>
> http://www.vectrotel.ch/
>
Too littl
Speaking of bulk encryption cards... does the linux 2.6 kernel support
any? There is a reference to a "crypto framework" in the
configuration menus, but as is typical of linux, there are no man
pages or other documentation related to it, and I don't feel like
reading source code. (/usr/src/linux*
As some of you may remember, there was a scandal in Greece back in
February 2006 involving the interception of mobile phones belonging to
high-level government officials, including the Prime Minister. The
CALEA software on the Ericsson switches used by Vodafone was blamed;
it had apparently been
Or you can run vmware under XP, run NetBSD under vmware, use CGD, and
export it back to windows with samba.
It's sick, but I know of at least one person who is doing this, and he
says the performance is acceptable (on his 1+ GHz laptop).
/ji