Re: Reading List (for the umpteenth time....)

2001-04-20 Thread Sampo Syreeni

On Thu, 19 Apr 2001, James A. Donald wrote:

> Detweiler repeatedly attempted that hack in several different newsgroups
> and mailing lists, and repeatedly failed. Everyone would come to the
> conclusion that he was a loon, and that anyone who agreed with him was
> either a tentacle or a fellow loon.

Hmm. I wouldn't care to advertise my ignorance (as Detweiler is certainly
part of net.legend), what *was* the final outcome of that ordeal?

(Feel free to answer offline, or to post links only.)

Sampo Syreeni, aka decoy, mailto:[EMAIL PROTECTED], gsm: +358-50-5756111
student/math+cs/helsinki university, http://www.iki.fi/~decoy/front




Re: firewall

2001-03-16 Thread Sampo Syreeni

On Thu, 15 Mar 2001, cory ertle wrote:

> I want to see if my girl is cheating on me by hacking into her e-mail
> account at school. Now I know enough about her to bypass her pass pretty
> easily but I however don't know the best way to go about getting to her
> account.

I would suggest social engineering, but in this case...

Sampo Syreeni [EMAIL PROTECTED], aka decoy, student/math/Helsinki university




Re: Secure Erasing is actually harder than that...

2001-02-23 Thread Sampo Syreeni

On Thu, 22 Feb 2001, Ray Dillinger wrote:

> If your application can read and write an encrypted drive without
> specifically providing the keys, then a trojan on your system can
> read and write an encrypted drive without specifically providing
> the keys.

I think it is not sensible to include trojans in the threat model, here.
After all, it does not matter how deliciously secure your application seems
to be if you assume there can be a keyboard sniffer there, somewhere.

> These workarounds can only work by "hiding" key management from
> the application, and thus from the user - which means key
> management gets done badly if at all.  Good crypto can't be
> tacked on - it has to be designed in.

Why is this? To me it seems that key management at the system level is far
more likely to be securely implemented than the personal blend of a given
app coder.

> Another problem with an encrypted drive is that an encrypted drive is
> infrastructure that someone is likely to not have in place when they
> first discover a real need to encrypt.

The same does go for encryption-capable applications as well, only there's
considerably more hassle in trying to set up many of those in a row than in
simply relying on an encrypted backing store.

> Applications that write to (and more importantly, which read from) the
> encrypted drive should themselves be crypto-aware and do proper key
> management.

Could you elaborate a bit on why system level key management isn't enough?
I'm afraid I might be missing something here...

Sampo Syreeni [EMAIL PROTECTED], aka decoy, student/math/Helsinki university