Obama administration revives Draconian communications intercept plans

2010-09-27 Thread Perry E. Metzger
[Moderator's note: there are messages still in the queue that will go
 out later today, but I felt this had to go out ASAP --Perry]

From the New York Times, word that the Obama administration wants to
compel access to encrypted communications.

http://www.nytimes.com/2010/09/27/us/27wiretap.html

Excerpt:

  U.S. Wants to Make It Easier to Wiretap the Internet
  By CHARLIE SAVAGE
  Published: September 27, 2010

  WASHINGTON — Federal law enforcement and national security officials
  are preparing to seek sweeping new regulations for the Internet,
  arguing that their ability to wiretap criminal and terrorism
  suspects is “going dark” as people increasingly communicate online
  instead of by telephone.

  Essentially, officials want Congress to require all services that
  enable communications — including encrypted e-mail transmitters like
  BlackBerry, social networking Web sites like Facebook and software
  that allows direct “peer to peer” messaging like Skype — to be
  technically capable of complying if served with a wiretap order. The
  mandate would include being able to intercept and unscramble
  encrypted messages.


-- 
Perry E. Metzger    pe...@piermont.com

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


The Demise of the Trusted Third Party Fallacy

2010-09-27 Thread M.R.

From the New York Times, word that the Obama administration wants
to compel access to encrypted communications.

http://www.nytimes.com/2010/09/27/us/27wiretap.html
...

I expect this law to be, overall, counterproductive.

From the information given in the NYT article, I conclude that
the law might well be called The Demise of the Trusted Third
Party Fallacy.

(Another excerpt from NYT article):

 Even with such a law, some gaps could remain. It is not clear how
 it could compel compliance by overseas services that do no domestic
 business, or from a “freeware” application developed by volunteers...

Hushmail case demonstrated that the US actually could compel some
(many? all?) legal entities outside of its borders to comply; but
it is quite unlikely that peer-to-peer ~applications~, operating
entirely independent from any third party, could be effectively
subverted or eradicated.

I would therefore expect increased preference for such applications,
specifically among those that have the greatest motivation to secure
their communications from those that desire such law in order to make
their work easier. After all, when it becomes not just suspected, but
generally assumed that any third party will cooperate with your
adversary, crypto solutions that assume the existence of a trusted
third party will be in due course replaced by those that do not.

Marko R.



Re: Obama administration revives Draconian communications intercept plans

2010-09-27 Thread David G. Koontz
On 28/09/10 1:26 AM, Perry E. Metzger wrote:

 From the New York Times, word that the Obama administration wants to
 compel access to encrypted communications.
 
 http://www.nytimes.com/2010/09/27/us/27wiretap.html

Someone should beat up the FBI for using specious arguments:

 But as an example, one official said, an investigation into a drug cartel 
 earlier this year was stymied because smugglers used peer-to-peer software,
 which is difficult to intercept because it is not routed through a central
 hub. Agents eventually installed surveillance equipment in a suspect’s
 office, but that tactic was “risky,” the official said, and the delay
 “prevented the interception of pertinent communications.”

You could note that the communications either went through a phone system or
through an ISP. The qualifier 'delay prevented the interception of
pertinent communications' means they couldn't get a wiretap instantly.
Seems they wouldn't either if they asked for a court order first.

This sort of argumentation is why privacy advocates won in the Clipper
debate.  The FBI isn't arguing 'for' rationally, but then again they'd
probably have a hard time winning without resorting to propaganda.

 And their envisioned decryption mandate is modest, they contended, because
 service providers — not the government — would hold the key.

 “No one should be promising their customers that they will thumb their nose
  at a U.S. court order,” Ms. Caproni said. “They can promise strong
 encryption. They just need to figure out how they can provide us plain text.”

Sounds like an effort to legitimize and institutionalize the ability of
government to perform SSL MITM with service providers footing the bill.

There's also a Declan McCullagh article Report: Feds to push for Net
encryption backdoors.  http://news.cnet.com/8301-31921_3-20017671-281.html




Re: Haystack (helping dissidents?)

2010-09-27 Thread M.R.

I said (something like) this when Haystack first appeared on this
list...

Words dissidents and oppressive regimes have no place in
serious discussions among cryptographers. Once we start assigning
ethical categorizations to those that protect and those that attack
(data files, communications channels, etc.) we are watering the
garden in which the weeds like Haystack flourish.

Marko R.



Re: Something you have, something else you have, and, uh, something else you have

2010-09-27 Thread Bernie Cosell
On 17 Sep 2010 at 20:53, Peter Gutmann wrote:

 From the ukcrypto mailing list:
 
   Just had a new Lloyds credit card delivered, it had a sticker saying I have
   to call a number to activate it. I call, it's an automated system.
 
   It asks for the card number, fair enough. It asks for the expiry date, well
   maybe, It asks for my DOB, the only information that isn't actually on the
   card, but no big secret. And then it asks for the three-digit-security-code-
   on-the-back, well wtf?

 Looks like it's not just US banks whose interpretation of n-factor auth is n
 times as much 1-factor auth.

Well, as I understood it, a key part of the auth that wasn't mentioned 
was the source telephone #, and so lost-in-the-mail/theft would, on top 
of guessing the trivial questions, also have to call from your home phone 
[or the phone associated with the account].  Not perfectly secure but I 
was under the impression that ANI was harder to spoof than CallerID is.

  /Bernie\

-- 
Bernie Cosell Fantasy Farm Fibers
mailto:ber...@fantasyfarm.com Pearisburg, VA
--  Too many people, too few sheep  --   





Re: Something you have, something else you have, and, uh, something else you have

2010-09-27 Thread John Gilmore
 I don't know how NZ banks do it; in the US, they use the phone
 number you're calling from.  Yes, it's spoofable, but most folks (a)
 don't know it, and (b) don't know how.

No, they don't use the phone number to validate anything.  I routinely
ignore the instructions to call from your home phone.  I call in from
random payphones to activate my cretin cards, and they activate just
fine.

Perhaps there's a database record made somewhere with the phone number
of that payphone -- but the card is active, and I could be stealing 
money from it immediately.

Note also that their ability to get that phone number depends on the
FCC exemption that allows 800-numbers to bypass caller-ID blocking.
If the FCC ever comes to its senses (I know, unlikely) then making
somebody call an 800-number will not even produce a phone number.

John



Re: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

2010-09-27 Thread Thai Duong
On Wed, Sep 15, 2010 at 11:07 AM, Peter Gutmann
pgut...@cs.auckland.ac.nz wrote:
 Tom Ritter t...@ritter.vg writes:

What's weird is I find confusing literature about what *is* the default for
protecting the viewstate.

 I still haven't seen the paper/slides from the talk so it's a bit hard to
 comment on the specifics, but if you're using .NET's FormsAuthenticationTicket
 (for cookie-based auth, not viewstate protection) then you get MAC protection
 built-in, along with other nice features like sliding cookie expiration (the
 cookie expires relative to the last active use of the site rather than an
 absolute time after it was set).  I've used it in the past as an example of
 how to do cookie-based auth right

 Peter.


I'm one of the authors of the attack. Actually if you look closer,
you'll see that they do it wrong in many ways.

Here is a video that we just released this morning at EKOPARTY:
http://www.youtube.com/watch?v=yghiC_U2RaM

Slides, paper, and tools will be released on http://www.netifera.com/research.

Thai.



Re: Something you have, something else you have, and, uh, something else you have

2010-09-27 Thread Sean Donelan

On Fri, 17 Sep 2010, Steven Bellovin wrote:

On Sep 17, 2010, at 4:53 51AM, Peter Gutmann wrote:

From the ukcrypto mailing list:
 AIUI, and I may be wrong, the purpose of activation is to prevent lost-in-
 the-post theft/fraud - so what do they need details which a thief who has
 the card in his hot sweaty hand already knows for?

Looks like it's not just US banks whose interpretation of n-factor auth is n
times as much 1-factor auth.


I don't know how NZ banks do it; in the US, they use the phone number you're 
calling from.  Yes, it's spoofable, but most folks (a) don't know it, and (b) 
don't know how.


It's 1-1/2 factor authentication, and the rest of the steps are quality 
control for card manufacturing.  Much cheaper to use the customer as the
final quality control inspector.



Czech intel agency allegedly offered tax free cash to local crypto vendor to incorporate defects

2010-09-27 Thread Matt Blaze
I don't know anything beyond this news story, but interesting...

http://www.praguemonitor.com/2010/09/14/mfd-bis-offers-tax-free-money-encryption-system


Re: Haystack redux

2010-09-27 Thread Florian Weimer
* Adam Fields:

 I find it hard to believe that even the most uninformed dissidents
 would be using an untested, unaudited, _beta_, __foreign__ new service
 for anything. Is there any reason to believe otherwise?

I wouldn't be surprised if there are plenty such tools in circulation
which are used by various dissident groups.  It's a cost-effective way
to infiltrate them.

The problem with such tools is that you can't really know who is
listening in on the proxies.  Even if the software itself contains no
backdoors, the service as a whole might still be compromised.  Even if
the proxies are trustworthy, your usage of the tool can very likely be
discovered by traffic analysis (and usage patterns as well, if you're
unlucky, and increasingly so if the service has low latency).

There is no technical solution to oppressive governments (or
non-trustworthy ISPs, for that matter).  After all, if you're
anonymous and oppressed, you're still oppressed.

-- 
Florian Weimer                fwei...@bfk.de
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99



ciphers with keys modifying control flow?

2010-09-27 Thread Steven Bellovin
Does anyone know of any ciphers where bits of keys modify the control path, 
rather than just data operations?  Yes, I know that that's a slippery concept, 
since ultimately things like addition and multiplication can be implemented 
with loops in the hardware or firmware.  I also suspect that it's potentially 
dangerous, since it might create very hard-to-spot classes of weak keys.  The 
closest I can think of is SIGABA, where some of the keying controlled the 
stepping of the other rotors.

--Steve Bellovin, http://www.cs.columbia.edu/~smb







[sp...@cs.stevens.edu: WECSR 2011 CFP - Deadline Oct 15, 2010 - please disseminate]

2010-09-27 Thread R. Hirschfeld
--- Start of forwarded message ---
Date: Thu, 23 Sep 2010 13:00:27 -0400 (EDT)
From: Sven Dietrich sp...@cs.stevens.edu
Subject: WECSR 2011 CFP - Deadline Oct 15, 2010 - please disseminate

Source is at: http://www.cs.stevens.edu/~spock/wecsr2011/cfp.html

Call for Papers

2nd Workshop on Ethics in Computer Security Research 2011
http://www.cs.stevens.edu/~spock/wecsr2011/

March 4, 2011
Bay Gardens Beach Resort, St. Lucia

A workshop co-located with
The Fifteenth Conference on Financial Cryptography and Data Security 
(FC'11)

Submissions are now open (Deadline: Oct 15, 2010)

Computer security often leads to discovering interesting new problems and 
challenges. The challenge still remains to follow a path acceptable for 
Institutional Review Boards at academic institutions, as well as 
compatible with ethical guidelines for professional societies or 
government institutions. However, no exact guidelines exist for computer 
security research yet. This workshop will bring together computer security 
researchers, practitioners, policy makers, and legal experts.

This workshop solicits submissions describing or suggesting ethical and 
responsible conduct in computer security research. While we focus on 
setting standards and sharing prior experiences and experiments in 
computer security research, successful or not, we tap into research 
behavior in network security, computer security, applied cryptography, 
privacy, anonymity, and security economics.

This workshop will favor discussions among participants, in order to shape 
the future of ethical standards in the field. It will be co-located with 
the Fifteenth International Conference on Financial Cryptography and Data 
Security 2011.

Program Chair: Sven Dietrich, Stevens Institute of Technology

Program Committee:

Michael Bailey, University of Michigan
Elizabeth Buchanan, University of Wisconsin-Milwaukee
Aaron Burstein, University of California Berkeley
Nicolas Christin, Carnegie Mellon University
Michael Collins, RedJack
Marc Dacier, Symantec Research
Roger Dingledine, The Tor Project
David Dittrich, University of Washington
Kenneth Fleischmann, University of Maryland
Rachel Greenstadt, Drexel University
Erin Kenneally, UC San Diego/CAIDA/Elchemy
Engin Kirda, EURECOM
Howard Lipson, CERT
John McHugh, University of North Carolina, Chapel Hill
Peter Neumann, SRI International
Vern Paxson, University of California, Berkeley / ICSI
Len Sassaman, KU Leuven
Angela Sasse, University College London
Angelos Stavrou, George Mason University
Michael Steinmann, Stevens Institute of Technology
Paul Syverson, Naval Research Laboratory

Submissions

WECSR 2011 solicits submissions in three categories:
1. Position papers. Submitted papers must not substantially overlap with 
papers that have been published or that are simultaneously submitted to a 
journal or conference with proceedings. Position paper submission should 
not exceed 6 pages in length, excluding bibliography and well-marked 
appendices.

2. Case studies. Submitted case studies must not substantially overlap 
with papers that have been published or that are simultaneously submitted 
to a journal or conference with proceedings. Submitted case studies should 
not exceed 12 pages in length, excluding bibliography and well-marked 
appendices.

3. Panel proposals. Submitted panel proposals should list the panel topic, 
a moderator, and a list of confirmed panelists, along with a short 
biography of the participants. The composition should be adequately 
selected as to generate copious discussion. Panelists will be given an 
opportunity to submit a position statement for the final proceedings.


Paper Submission Instructions

Submissions must be formatted in the style of the Springer Publications 
format for Lecture Notes in Computer Science (LNCS). For complete details, 
see Springer's Author Instructions.

Papers must be submitted electronically via the EasyChair submission page. 
Papers must be submitted in PDF (Adobe's Portable Document Format) format. 
Papers will not be accepted in any other format.

Questions about conference submissions should be directed to the Program 
Chair at spock AT cs DOT stevens DOT edu.


Proceedings

The WECSR 2011 Proceedings will be published in the Springer Lecture Notes 
in Computer Science (LNCS) in conjunction with the FC'11 proceedings.


Important Dates:
Paper Submission:   October 15, 2010
Author Notification:November 15, 2010
Camera-ready for Pre-Proceedings: December 15, 2010
WECSR 2011 Dates:   March 4, 2011




- --
Sven Dietrich   Stevens Institute of Technology
Assistant Professor Castle Point on Hudson
Computer Science Dept   Hoboken, NJ 07030, USA
sp...@cs.stevens.edu    T: +1-201-216-8078 F: +1-201-216-8249
--- End of forwarded message ---


ANNOUNCING Tahoe, the Least-Authority File System, v1.8.0

2010-09-27 Thread Zooko O'Whielacronx
ANNOUNCING Tahoe, the Least-Authority File System, v1.8.0

The Tahoe-LAFS team is pleased to announce the immediate
availability of version 1.8.0 of Tahoe-LAFS, an extremely
reliable distributed storage system. Get it here:

http://tahoe-lafs.org/source/tahoe/trunk/docs/quickstart.html

Tahoe-LAFS is the first distributed storage system to offer
provider-independent security — meaning that not even the
operators of your storage servers can read or alter your data
without your consent. Here is the one-page explanation of its
unique security and fault-tolerance properties:

http://tahoe-lafs.org/source/tahoe/trunk/docs/about.html

The previous stable release of Tahoe-LAFS was v1.7.1, which was
released July 18, 2010 [1].

v1.8.0 offers greatly improved performance and fault-tolerance
of downloads and improved Windows support. See the NEWS file
[2] for details.


WHAT IS IT GOOD FOR?

With Tahoe-LAFS, you distribute your filesystem across
multiple servers, and even if some of the servers fail or are
taken over by an attacker, the entire filesystem continues to
work correctly, and continues to preserve your privacy and
security. You can easily share specific files and directories
with other people.

In addition to the core storage system itself, volunteers
have built other projects on top of Tahoe-LAFS and have
integrated Tahoe-LAFS with existing systems, including
Windows, JavaScript, iPhone, Android, Hadoop, Flume, Django,
Puppet, bzr, mercurial, perforce, duplicity, TiddlyWiki, and
more. See the Related Projects page on the wiki [3].

We believe that strong cryptography, Free and Open Source
Software, erasure coding, and principled engineering practices
make Tahoe-LAFS safer than RAID, removable drive, tape,
on-line backup or cloud storage.

This software is developed under test-driven development, and
there are no known bugs or security flaws which would
compromise confidentiality or data integrity under recommended
use. (For all important issues that we are currently aware of
please see the known_issues.txt file [4].)


COMPATIBILITY

This release is compatible with the version 1 series of
Tahoe-LAFS. Clients from this release can write files and
directories in the format used by clients of all versions back
to v1.0 (which was released March 25, 2008). Clients from this
release can read files and directories produced by clients of
all versions since v1.0. Servers from this release can serve
clients of all versions back to v1.0 and clients from this
release can use servers of all versions back to v1.0.

This is the eleventh release in the version 1 series. This
series of Tahoe-LAFS will be actively supported and maintained
for the foreseeable future, and future versions of Tahoe-LAFS
will retain the ability to read and write files compatible
with this series.


LICENCE

You may use this package under the GNU General Public License,
version 2 or, at your option, any later version. See the file
COPYING.GPL [5] for the terms of the GNU General Public
License, version 2.

You may use this package under the Transitive Grace Period
Public Licence, version 1 or, at your option, any later
version. (The Transitive Grace Period Public Licence has
requirements similar to the GPL except that it allows you to
delay for up to twelve months after you redistribute a derived
work before releasing the source code of your derived work.)
See the file COPYING.TGPPL.html [6] for the terms of the
Transitive Grace Period Public Licence, version 1.

(You may choose to use this package under the terms of either
licence, at your option.)


INSTALLATION

Tahoe-LAFS works on Linux, Mac OS X, Windows, Cygwin, Solaris,
*BSD, and probably most other systems. Start with
docs/quickstart.html [7].


HACKING AND COMMUNITY

Please join us on the mailing list [8]. Patches are gratefully
accepted -- the RoadMap page [9] shows the next improvements
that we plan to make and CREDITS [10] lists the names of people
who've contributed to the project. The Dev page [11] contains
resources for hackers.


SPONSORSHIP

Tahoe-LAFS was originally developed by Allmydata, Inc., a
provider of commercial backup services. After discontinuing
funding of Tahoe-LAFS R&D in early 2009, they continued
to provide servers, bandwidth, small personal gifts as tokens
of appreciation, and bug reports.

Google, Inc. sponsored Tahoe-LAFS development as part of the
Google Summer of Code 2010. They awarded four sponsorships to
students from around the world to hack on Tahoe-LAFS that
summer.

Thank you to Allmydata and Google for their generous and
public-spirited support.


HACK TAHOE-LAFS!

If you can find a security flaw in Tahoe-LAFS which is serious
enough that you feel compelled to warn our users and issue a fix,
then we will award you a customized t-shirt with your
exploit printed on it and add you to the Hack Tahoe-LAFS Hall
Of Fame [12].


ACKNOWLEDGEMENTS

This is the fifth release of Tahoe-LAFS to be created solely
as a labor of love by volunteers. Thank you very 

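The property the announcement describes, as an added example that is not Tahoe-LAFS code (Tahoe itself uses AES-CTR and the zfec Reed-Solomon coder; here HMAC-SHA256 in counter mode and a small Lagrange-interpolation coder over GF(2^8) stand in, and the "servers" are a dict): encrypt client-side, split the ciphertext into n shares of which any k suffice, keep the share hashes in the read capability rather than beside the data, and on download verify each share and skip servers that are offline or return altered bytes. The message, the key and the k/n choice are constructed for the example.

```python
"""Added example, not Tahoe-LAFS code: the shape of provider-independent
security as a client that encrypts before upload, erasure-codes the
ciphertext into n shares of which any k rebuild the file, and checks every
share against hashes kept in the capability, so storage servers can neither
read nor silently alter the data. Constructed stand-ins: HMAC-SHA256 in
counter mode replaces AES-CTR; erasure coding is Reed-Solomon over GF(2^8)
by Lagrange interpolation; servers are a dict, some of which fail or lie."""
import hashlib
import hmac
import os

def gf_mul(a, b):                          # GF(2^8), AES polynomial x^8+x^4+x^3+x+1
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r

def gf_inv(a):                             # a^254 == a^-1 in GF(2^8)
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def lagrange_at(points, x):
    """Value at x of the polynomial (degree < len(points)) through points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num, den = gf_mul(num, x ^ xj), gf_mul(den, xi ^ xj)
        total ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return total

def keystream_xor(key, data):             # HMAC counter mode, stands in for AES-CTR
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def encode_shares(ct, k, n):
    """Systematic Reed-Solomon: share s<k holds byte s of each k-byte group,
    shares k..n-1 hold the interpolating polynomial evaluated at x=s+1."""
    ct += b"\0" * (-len(ct) % k)
    shares = [bytearray() for _ in range(n)]
    for g in range(0, len(ct), k):
        pts = [(i + 1, ct[g + i]) for i in range(k)]
        for s in range(n):
            shares[s].append(ct[g + s] if s < k else lagrange_at(pts, s + 1))
    return [bytes(sh) for sh in shares]

def decode_shares(shares, k, length):
    """Rebuild the ciphertext from any k shares given as {index: data}."""
    use = list(shares.items())[:k]
    out = bytearray()
    for g in range(len(use[0][1])):
        pts = [(s + 1, data[g]) for s, data in use]
        out += bytes(lagrange_at(pts, t + 1) for t in range(k))
    return bytes(out[:length])

def upload(servers, plaintext, k, n):
    """Store shares on servers; return the read capability."""
    key = os.urandom(32)
    ct = keystream_xor(key, plaintext)
    shares = encode_shares(ct, k, n)
    servers.update(enumerate(shares))
    # share hashes travel in the capability, not beside the share, so a server
    # cannot rewrite the data and its hash together
    return {"key": key, "k": k, "n": n, "len": len(ct),
            "hashes": [hashlib.sha256(sh).digest() for sh in shares]}

def download(servers, cap):
    good = {}
    for s in range(cap["n"]):
        data = servers.get(s)             # None models an unreachable server
        if data is not None and hashlib.sha256(data).digest() == cap["hashes"][s]:
            good[s] = data
        if len(good) == cap["k"]:
            break
    else:
        raise RuntimeError("fewer than k verified shares available")
    return keystream_xor(cap["key"], decode_shares(good, cap["k"], cap["len"]))

MESSAGE = b"constructed sample file contents, 2010-09-27"

def demo():
    """(what the client gets back, what a provider holding every share sees)"""
    servers = {}
    cap = upload(servers, MESSAGE, k=3, n=7)
    provider_view = decode_shares(dict(servers), cap["k"], cap["len"])
    del servers[0], servers[1]                          # two servers offline
    servers[2] = bytes(b ^ 0xFF for b in servers[2])    # one server tampers
    return download(servers, cap), provider_view
```

demo() uploads with k=3, n=7, then takes two servers offline and has a third return flipped bytes; download() still reconstructs the plaintext from the next three verified shares, while a provider holding every share reconstructs only ciphertext. Keeping the hashes in the capability is what makes the tamper check meaningful: a server that rewrites a share cannot also rewrite the value the client checks it against.
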
Certificate-stealing Trojan

2010-09-27 Thread Steven Bellovin
Per 
http://news.softpedia.com/news/New-Trojan-Steals-Digital-Certificates-157442.shtml
there's a new Trojan out there that looks for and steals Cert_*.p12 files -- 
certificates with private keys.  Since the private keys are password-protected, 
it thoughtfully installs a keystroke logger as well.

--Steve Bellovin, http://www.cs.columbia.edu/~smb







Re: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

2010-09-27 Thread Kevin W. Wall
Peter Gutmann wrote:
 Tom Ritter t...@ritter.vg writes:
 
 What's weird is I find confusing literature about what *is* the default for
 protecting the viewstate.
 
 I still haven't seen the paper/slides from the talk so it's a bit hard to
 comment on the specifics, but if you're using .NET's FormsAuthenticationTicket
 (for cookie-based auth, not viewstate protection) then you get MAC protection
 built-in, along with other nice features like sliding cookie expiration (the
 cookie expires relative to the last active use of the site rather than an
 absolute time after it was set).  I've used it in the past as an example of
 how to do cookie-based auth right

FYI...I just received confirmation from my company's on-site consultant from
Microsoft that .NET's FormsAuthenticationTicket is also vulnerable to
this padding oracle attack. So apparently Microsoft didn't apply the MAC
protection quite right in their implementation.

-kevin
-- 
Kevin W. Wall
The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents.-- Nathaniel Borenstein, co-creator of MIME


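What Thai Duong's note and Kevin Wall's follow-up about FormsAuthenticationTicket are circling around, as an added example (not code from this thread, from ASP.NET, from Microsoft, or from the authors' tool): a CBC padding-oracle attack run against an endpoint that decrypts first and checks padding last, followed by the encrypt-then-MAC construction whose tag check rejects every forged token before any decryption happens. The block cipher is a constructed stand-in (a self-inverse Feistel network over HMAC-SHA256, not AES; CBC and the attack behave the same over any 16-byte keyed permutation), and the keys, the sample ticket and the "server" functions are constructed too.

```python
"""Added example, not code from the thread, ASP.NET or Microsoft: a PKCS#7
padding-oracle attack on CBC and the encrypt-then-MAC check that closes it.
Constructed stand-ins: a self-inverse Feistel network over HMAC-SHA256
replaces AES, and the oracle leaks only whether padding was valid."""
import hashlib
import hmac
import os

BLOCK = 16
ENC_KEY = b"constructed demo encryption key"     # constructed, not real keys
MAC_KEY = b"constructed demo mac key (separate)"

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, rnd, half):                     # Feistel round function
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_perm(key, blk):                   # stand-in keyed permutation, not AES
    l, r = blk[:8], blk[8:]
    for rnd in (0, 1, 0):                   # palindromic keys + final swap: involution
        l, r = r, xor(l, _f(key, rnd, r))
    return r + l                            # so block_perm also decrypts

def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n
def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_perm(key, xor(prev, pt[i:i + BLOCK]))
        out += prev
    return out
def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += xor(block_perm(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out
def cbc_open(iv_ct):
    """Unauthenticated CBC: decrypt first, check padding last."""
    return unpad(cbc_decrypt(ENC_KEY, iv_ct[:BLOCK], iv_ct[BLOCK:]))

def seal(pt):
    """Encrypt-then-MAC: the tag covers IV and ciphertext."""
    iv = os.urandom(BLOCK)
    body = iv + cbc_encrypt(ENC_KEY, iv, pad(pt))
    return body + hmac.new(MAC_KEY, body, hashlib.sha256).digest()
def open_sealed(token):
    body, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, body, hashlib.sha256).digest()):
        raise ValueError("bad token")       # rejected before any decryption
    return cbc_open(body)

def accepts(opener, token):                 # the one bit a padding oracle leaks
    try:
        opener(token)
        return True
    except ValueError:
        return False

def padding_oracle_attack(iv_ct, opener):
    """Recover the plaintext of iv||ct with at most 256 queries per byte."""
    blocks = [iv_ct[i:i + BLOCK] for i in range(0, len(iv_ct), BLOCK)]
    plain = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)            # block_perm(target), found byte by byte
        for pos in range(BLOCK - 1, -1, -1):
            padval = BLOCK - pos            # bytes after pos are forced to padval
            forged = bytearray(b ^ padval for b in inter)
            for guess in range(256):
                forged[pos] = guess
                if not accepts(opener, bytes(forged) + target):
                    continue
                if pos == BLOCK - 1:        # rule out an accidental 02 02 etc.
                    probe = forged[:pos - 1] + bytes([forged[pos - 1] ^ 0xFF, guess])
                    if not accepts(opener, bytes(probe) + target):
                        continue
                inter[pos] = guess ^ padval
                break
            else:
                raise RuntimeError("no byte accepted: the oracle is closed")
        plain += xor(bytes(inter), prev)
    return unpad(plain)

MESSAGE = b"uid=42;role=admin;exp=2010-09-27T23:59"  # constructed sample ticket

def demo():
    """(plaintext recovered via the oracle, MAC'd token opens, forgery accepted)"""
    iv = os.urandom(BLOCK)
    recovered = padding_oracle_attack(iv + cbc_encrypt(ENC_KEY, iv, pad(MESSAGE)), cbc_open)
    token = seal(MESSAGE)
    flipped = bytes([token[0] ^ 0x01]) + token[1:]     # the attack's kind of probe
    return recovered, open_sealed(token) == MESSAGE, accepts(open_sealed, flipped)
```

demo() recovers the sample ticket byte by byte using nothing but accept/reject answers from cbc_open, then shows that the same kind of probe against a sealed token is rejected at the tag check; when the MAC is verified before decryption there is no padding result left to leak, and the attack finds no accepted byte at all. The extra probe on the last byte of each block handles the classic ambiguity where a forged last byte happens to land on valid padding longer than 01.
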

Former Stasi Cryptographers Now Develop Technology for NATO

2010-09-27 Thread Eugen Leitl

http://www.spiegel.de/international/germany/0,1518,druck-719726,00.html 

09/27/2010 11:23 AM

Recruited by West Germany

Former Stasi Cryptographers Now Develop Technology for NATO

By Marcel Rosenbach and Holger Stark

After the fall of the Berlin Wall, the West Germans were desperate to prevent
the Stasi's top codebreakers from falling into the wrong hands and set up a
company to hire the East German cryptographers. Now the former Stasi
scientists develop technology used by Angela Merkel and NATO.

Every morning, while going to his office in Berlin's Adlershof district,
Ralph W. passes a reminder of his own past, a small museum that occupies a
room on the ground floor of the building. The museum could easily double as a
command center run by the class enemy in an old James Bond film. A display of
coding devices from various decades includes the T-310, a green metal machine
roughly the size of a huge refrigerator, which East German officials used to
encode their telex messages.

The device was the pride of the Stasi, the feared East German secret police,
which was W.'s former employer. Today he works as a cryptologist with Rohde &
Schwarz SIT GmbH (SIT), a subsidiary of Rohde & Schwarz, a Munich-based
company specializing in testing equipment, broadcasting and secure
communications. W. and his colleagues encode sensitive information to ensure
that it can only be read or heard by authorized individuals. Their most
important customers are NATO and the German government.

Rohde & Schwarz is something of an unofficial supplier of choice to the
German government. Among other things, the company develops bugproof mobile
phones for official use. Since 2004, its Berlin-based subsidiary SIT, which
specializes in encryption solutions, has been classified as a security
partner to the German Interior Ministry, which recently ordered a few
thousand encoding devices for mobile phones, at about €1,250 ($1,675) apiece.
Even German Chancellor Angela Merkel has used phones equipped with SIT's
encryption technology. In other words, the Stasi's former cryptographers are
now Merkel's cryptographers.

Secret Operation

The transfer of Ralph W. and other cryptologists from the East German
Ministry for State Security, as the Stasi was officially known, to West
Germany was handled both seamlessly and discreetly. West German officials
were determined to make sure that no one would find out about the integration
of East Germany's top cryptologists into the west. The operation was so
secret, in fact, that it has remained unknown to this day.

Only a handful of officials were involved in the operation, which was planned
at the West German Interior Ministry in Bonn. In January 1991, Rohde &
Schwarz SIT GmbH was founded. The company was established primarily to
provide employment for particularly talented Stasi cryptologists that the
Bonn government wanted to keep in key positions.

Ralph W. is one of those specialists. W., who holds a doctorate in
mathematics, signed a declaration of commitment to the Stasi on Sept. 1,
1982. By the end of his time with the Stasi, he was making 22,550 East German
marks a year -- an excellent salary by East German standards. And when he was
promoted to the rank of captain in June 1987, his superior characterized W.
as one of the most capable comrades in the collective. While with the
Stasi, W. worked in Department XI, which also boasted the name Central
Cryptology Agency (ZCO).

Looking for the Top Performers

The story begins during the heady days of the East German revolution in 1990.
Officially, the East German government, under its last communist premier,
Hans Modrow, had established a government committee to dissolve the Ministry
for State Security which reported to the new East German interior minister,
Peter-Michael Diestel. In reality, the West German government was already
playing a key role in particularly sensitive matters. Then-West German
Interior Minister Wolfgang Schäuble (who is the current German finance
minister) had instructed two senior Interior Ministry officials, Hans Neusel
and Eckart Werthebach, to take care of the most politically sensitive
remnants of the 40-year intelligence war between the two Germanys.

The government of then-Chancellor Helmut Kohl was interested in more than
just the politically explosive material contained in some of the Stasi's
files. It also had its eye on the top performers in the former East German
spy agency. The cryptologists were of particular interest to the Kohl
government, which recognized that experts capable of developing good codes
would also be adept at breaking them. The Stasi cryptologists were proven
experts in both fields.

Documents from the Stasi records department indicate that one of the
Stasi cryptologists' achievements was to break Vericrypt and Cryptophon
standards that had been used until the 1980s. This meant that they were
capable of decoding encrypted radio transmissions by the two main 

Obama administration wants encryption backdoors for domestic surveillance

2010-09-27 Thread David G. Koontz
http://www.boingboing.net/2010/09/27/obama-administration.html

A good first point of interest clearinghouse site for the issue can be found
on Boing Boing.

It points to a Glenn Greenwald article on Salon and the ACLU.

There's also a nice piece at the Cato Institute
http://www.cato-at-liberty.org/designing-an-insecure-internet/
Designing an Insecure Internet

and

http://reason.com/blog/2010/09/27/obama-administration-frustrate
Feds Frustrated With Their Inability to Wiretap This Here New-Fangled
Internet Thing

Seems the underdogs in the Crypto Wars still have strong feelings, and now a
lot of them are part of mainstream media.

also

https://www.eff.org/deeplinks/2010/09/government-seeks
Government Seeks Back Door Into All Our Communications

The CDT and EPIC web sites haven't been updated yet.

I'd expect once a lot of people get the chance to do some digging we'll see
some 'entertaining' articles show up on the web.




Re: Certificate-stealing Trojan

2010-09-27 Thread Rose, Greg

On 2010 Sep 24, at 12:47 , Steven Bellovin wrote:

 Per 
 http://news.softpedia.com/news/New-Trojan-Steals-Digital-Certificates-157442.shtml
  there's a new Trojan out there that looks for and steals Cert_*.p12 files -- 
 certificates with private keys.  Since the private keys are 
 password-protected, it thoughtfully installs a keystroke logger as well.

Ah, the irony of a trojan stealing something that, because of lack of PKI, is 
essentially useless anyway...

100 years from now they'll be blaming the trojan for lack of a certificate 
infrastructure.

Greg.
