Re: Cookie Monster
On Wed, Sep 17, 2008 at 6:39 PM, EMC IMAP [EMAIL PROTECTED] wrote:

> It turns out hardly anyone bothers to mark their cookies secure. In Firefox, if you list your cookies, you can sort on the Secure field. I only found a couple of cookies marked - mainly from American Express, one of the few sites that gets this right. (Bank of America, for example, doesn't; Gmail with the new HTTPS-only setting does, but other Google services don't.)

This isn't a new problem. I might be inclined to argue that it used to be worse in terms of vulnerability (though today it's worse in the asset exposed through vulnerability, e.g., a stolen session can be a bigger problem today than it was).

We found the same problem with the BankOne Online site eight years ago. The part that we found significant about that was that the UserID field then was a working customer payment card number.

http://www.interhack.net/pubs/bankone-online/

Back-end systems for dealing with authentication of sessions and so on tend to be more sophisticated these days, which also helps. While this is probably happening very little if at all in systems like Web-based email, at least in higher-value Web applications there is better detection of fraud. In particular, I am seeing more systems that are paying attention to source IP addresses in combination with other factors like cookies to determine whether the request is legitimate.

-- 
Matt Curtin, author of Brute Force: Cracking the Data Encryption Standard
Founder of Interhack Corporation +1 614 545 4225 http://web.interhack.com/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
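As an added illustration of the point above about cookies that are not marked Secure (example code written for this page, not part of the original message or of any site it names), the following Python script parses Set-Cookie header values and reports which cookies a browser would still attach to a plaintext http:// request. The header values it uses are constructed for the example; against a real site you would feed it the Set-Cookie values from the server's responses instead.

```python
"""Audit Set-Cookie headers for the Secure flag.

Added example, not code from the original post.  The header values below
are constructed for illustration; they are not captured from any real site.
A cookie without the Secure attribute is sent by the browser on plaintext
http:// requests to the same host, so a session cookie missing the flag is
exposed to anyone who can observe or induce such a request.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    domain: Optional[str]


def parse_set_cookie(header: str) -> CookieReport:
    """Parse one Set-Cookie header value (RFC 6265 style: name=value; attrs)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        # Attribute names are case-insensitive; flag attributes (Secure,
        # HttpOnly) carry no value, so record them as True.
        attrs[key.strip().lower()] = value.strip() if value else True
    domain = attrs.get("domain")
    return CookieReport(
        name=name.strip(),
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        domain=domain if isinstance(domain, str) else None,
    )


def would_send(cookie: CookieReport, scheme: str) -> bool:
    """Whether a conforming browser attaches this cookie to a request
    of the given scheme ('http' or 'https') to the cookie's host."""
    if scheme == "https":
        return True
    # Over plaintext HTTP only cookies lacking the Secure flag are sent.
    return not cookie.secure


def find_leaky_cookies(headers: List[str]) -> List[str]:
    """Names of cookies that would travel over plaintext HTTP."""
    return [c.name for c in map(parse_set_cookie, headers) if would_send(c, "http")]


# Constructed sample headers, modelled on the mix the post describes:
# one site that gets it right, two cookies that would leak over http://.
SAMPLE_HEADERS = [
    "SID=3f9a1c77e0; Domain=.example.com; Path=/; Secure; HttpOnly",
    "prefs=lang%3Den; Path=/; Expires=Wed, 17 Sep 2009 18:39:00 GMT",
    "session=7c2d44b1aa; Path=/; HttpOnly",
]


if __name__ == "__main__":
    for raw in SAMPLE_HEADERS:
        c = parse_set_cookie(raw)
        status = "ok" if c.secure else "NOT SECURE: sent over http://"
        print(f"{c.name:<10} secure={c.secure!s:<5} httponly={c.httponly!s:<5} {status}")
    print("leaky:", find_leaky_cookies(SAMPLE_HEADERS))
```

Note that HttpOnly does not help here: the `session` cookie above is HttpOnly but still goes out in the clear on any http:// request, which is exactly the exposure the post is about.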
DESCHALL Classic Client Source Code Released
Hello everyone.

It was at the RSA Conference ten years ago that the Secret Key Challenges were issued, including the original DES Challenge. Rocke Verser's DESCHALL project, of course, went on to win that contest.

Source code for the project was covered by a ten-year non-disclosure agreement. Rocke has granted me permission to release the source code for the classic fast DES key search clients and I have done so. Additional server-side code, including the UDP-HTTP proxies (both sides) and the code for running the client distribution center, is also available.

All of the goodies are at http://www.interhack.net/projects/deschall/. There are also links there in the Writings section to some technical descriptions of the code's operation.

I'm also looking for Darrell Kindred and Andrew Meggs, both of whom contributed very fast bitslice clients to the project after we got it up and running, to secure their permission for the release of their code as well.

I think that the code is very interesting and of historical significance. Thanks to Rocke for allowing the release as well as to everyone who worked on the DES challenges.

Enjoy.

-- 
Matt Curtin, author of Brute Force: Cracking the Data Encryption Standard
Founder of Interhack Corporation +1 614 545 4225 http://web.interhack.com/
Re: SHA-1 rumors
Eric Rescorla [EMAIL PROTECTED] writes:

> P.S. AFAIK, although Dobbertin was able to find preimages for reduced MD4, there still isn't a complete break in MD4. Correct?

Dobbertin's work was on reduced MD5. I haven't heard anything about progress on that front for several years.

http://citeseer.ist.psu.edu/243938.html

MD4 was reported broken a year or two earlier.

-- 
Matt Curtin, CISSP, IAM, INTP. Keywords: Lisp, Unix, Internet, INFOSEC.
Founder, Interhack Corporation +1 614 545 HACK http://web.interhack.com/
Author of /Developing Trust: Online Privacy and Security/ (Apress, 2001)
Have any Crack DES Now graphics from 1997?
Hi,

Pardon the diversion. As most here know, I'm hard at work on the book BRUTE FORCE, which is the story behind the 1997 DESCHALL effort that was the first to crack a DES key by brute force in public. (Presently it is on course for an October release by Copernicus Books; we're aiming for something that will be of interest to a fairly mainstream audience, as a critical component of the Crypto Wars.)

If anyone has any of the Crack DES Now! graphics that we were using through the project, I'd love to get my hands on some so I could include them in the book. I still have all of my web stuff from the project, as well as Rocke's web pages, but it would be nice if we could get some of the smaller banners and buttons that people were using at the time.

Thanks in advance.

-- 
Matt Curtin, CISSP, IAM, INTP. Keywords: Lisp, Unix, Internet, INFOSEC.
Founder, Interhack Corporation +1 614 545 HACK http://web.interhack.com/
Author of /Developing Trust: Online Privacy and Security/ (Apress, 2001)