Re: Another entry in the internet security hall of shame....

2005-09-13 Thread Ed Gerck
Read in an email from a website: You'll need to send us your CC information via regular email or fax. I would suggest splitting up your CC info if you send it to us via email in two separate emails for security. - The Cryptogra

Re: Is there any future for smartcards?

2005-09-13 Thread James A. Donald
-- James A. Donald: > > Typical worm installation [on a smartphone] goes > > like this: > > > > : : Receive message via bluetooth from > > : : unnamed device? Y/N > > : : > > : : Installation Security warning: Unable to > > : : verify supplier. Continue anyway? Y/N Eugen Leitl > It's just

Re: Clearing sensitive in-memory data in perl

2005-09-13 Thread Anne & Lynn Wheeler
Steve Furlong wrote: > Other important questions for programmers are, how good are you? How > good does the process allow you to be? > > My answers are, I'm quite a good programmer. (Pardon the ego.) I'm > careful and methodical and very seldom have buffer overruns or unfreed > memory even in my f

Re: Is there any future for smartcards?

2005-09-13 Thread Anne & Lynn Wheeler
Dave Howe wrote: > TBH I don't think the smartcard approach will work - really, everything > needed > to verify what you are signing or encrypting needs to be within your secure > boundary, so the only sensible approach is for a mobile-sized cryptographic > device to be autonomous, but accept *d

Re: Another entry in the internet security hall of shame....

2005-09-13 Thread Anne & Lynn Wheeler
Paul Hoffman wrote: > In many deployments of "SSL first, then authenticate the user with a > password", the "site" consists of two or more machines. Many or most > high-traffic secure sites use SSL front-end systems to terminate the SSL > connection, then pass the raw HTTP back to one or more web s

Re: Clearing sensitive in-memory data in perl

2005-09-13 Thread ericm
On Tue, Sep 13, 2005 at 11:32:45AM -0400, Perry E. Metzger wrote: > What the world really needs is something between C++ and C -- a > language with very clean obvious semantics (like C) which does run > time bounds checking and strong typing, though it also needs explicit > escapes in the type sy

Re: ECC patents?

2005-09-13 Thread Ram A Moskovitz
> Anyone can claim to have patented anything. Someone > recently patented the wheel, to show how bad the > situation is. I agree the system doesn't work well. > I think these guys are just blowing > smoke. It has been a long time, and no one has paid out > money on an ECC patent yet. NSA lice

Re: Clearing sensitive in-memory data in perl

2005-09-13 Thread Perry E. Metzger
Steve Furlong <[EMAIL PROTECTED]> writes: > On 9/13/05, Steven M. Bellovin <[EMAIL PROTECTED]> wrote: >> There's an interesting tradeoff here: which is a bigger threat, crypto >> secrets lying around memory or buffer overflows? What's your threat >> model? For the average server, I suspect you'r

Re: ECC patents?

2005-09-13 Thread Paul Hoffman
At 9:32 AM -0700 9/12/05, James A. Donald wrote: It has been a long time, and no one has paid out money on an ECC patent yet. That's a pretty bold statement that folks at Certicom might disagree with, even before . --Paul Hoff

Re: Is there any future for smartcards?

2005-09-13 Thread Eugen Leitl
On Mon, Sep 12, 2005 at 09:52:27AM -0700, James A. Donald wrote: > Typical worm installation goes like this: > > : : Receive message via bluetooth from unnamed > : : device? Y/N > : : > : : Installation Security warning: Unable to > : : verify supplier. Continue anyway? Y/N It's jus

Re: Clearing sensitive in-memory data in perl

2005-09-13 Thread Steve Furlong
On 9/13/05, Steven M. Bellovin <[EMAIL PROTECTED]> wrote: > There's an interesting tradeoff here: which is a bigger threat, crypto > secrets lying around memory or buffer overflows? What's your threat > model? For the average server, I suspect you're better off with Java, > especially if you use

Re: ECC patents?

2005-09-13 Thread Matt Crawford
On Sep 12, 2005, at 11:32, James A. Donald wrote: Someone recently patented the wheel, to show how bad the situation is. That's a bit misleading without the context. Google patented-the-wheel for details. - The Cryptogr

Re: Clearing sensitive in-memory data in perl

2005-09-13 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, Steve Furlong writes: >On 9/11/05, Jason Holt <[EMAIL PROTECTED]> wrote: >> Securely deleting secrets is hard enough in C, much less high level languages. > >But, but..Java is the be-all end-all! > >Three years ago I advised a business/tech guy to avoid Java for cr

[IP] Lauren Weinstein's Blog Update: Public Call for Skype to Release Specifications

2005-09-13 Thread Gregory Hicks
- Begin Forwarded Message - From: David Farber <[EMAIL PROTECTED]> Date: Mon, 12 Sep 2005 15:50:41 -0400 Begin forwarded message: Even more important is the eBay "privacy" policy... From: David Farber <[EMAIL PROTECTED]> Date: Mon, 12 Sep 2005 15:53:09 -0400 Begin forw

Re: Is there any future for smartcards?

2005-09-13 Thread Dave Howe
Eugen Leitl wrote: > On Sun, Sep 11, 2005 at 06:49:58PM -0400, Scott Guthery wrote: >>1) GSM/3G handsets are networked card readers that are pretty >>successful. They are I'd wager about as secure as an ATM or a POS, >>particularly with respect to social attacks. > The smartphones not secure at al

Re: Is there any future for smartcards?

2005-09-13 Thread James A. Donald
-- From: Eugen Leitl <[EMAIL PROTECTED]> > Virtually all new phones sold are smartphones, and for > every platform there are documented vulnerabilities, > exploits, and malware already in the wild. Increased > use of mobile phones as means of payment are a strong > motivation for malware wr

Re: Another entry in the internet security hall of shame....

2005-09-13 Thread Paul Hoffman
At 3:52 AM +1200 9/11/05, Peter Gutmann wrote: Sure, but those issues have already been addressed by pretty much every site that needs to use passwords or user authentication for any reason. That's the point I was trying to make, that the standard response to use of passwords (or PSKs) is they d

Re: ECC patents?

2005-09-13 Thread James A. Donald
-- Alexander Klimov > But (potential) problem still persists: even if > openssl implements ECC it does not save you from > patent issues if they exist. Anyone can claim to have patented anything. Someone recently patented the wheel, to show how bad the situation is. I think these guys are

Re: Is there any future for smartcards?

2005-09-13 Thread Alexander Klimov
On Mon, 12 Sep 2005, Jaap-Henk Hoepman wrote: > I believe smartcards (and trusted computing platforms too, btw) aim to solve > the following problem: > > "How to enforce your own security policy in a hostile environment, not > under your own physical control?" > > Examples: > - Smartcard: elec

Re: ECC patents?

2005-09-13 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, Ben Laurie writes: >Alexander Klimov wrote: >> >> But (potential) problem still persists: even if openssl implements ECC >> it does not save you from patent issues if they exist. > >It does if they are owned by Sun. > It does if *all necessary patent rights* are o

Re: ECC patents?

2005-09-13 Thread Werner Koch
On Mon, 12 Sep 2005 11:58:14 +0300 (IDT), Alexander Klimov said: > There is also work on ECC for gnupg > http://www.g10code.de/tasklist.html#gcrypt-ecc Yes, there exists an ECC implementation for GnuPG. The problem is that OpenPGP does not define ECC and thus it does not ma

Re: Is there any future for smartcards?

2005-09-13 Thread ericm
On Sun, Sep 11, 2005 at 07:32:45PM +0200, Eugen Leitl wrote: > On Sun, Sep 11, 2005 at 10:53:34PM +1200, Peter Gutmann wrote: > > > The problem with this is that in 99.99% of cases the insecure networked > > machine *is* the reader, rendering the smart card pretty much pointless. I've > >

Re: Clearing sensitive in-memory data in perl

2005-09-13 Thread Steve Furlong
On 9/11/05, Jason Holt <[EMAIL PROTECTED]> wrote: > Securely deleting secrets is hard enough in C, much less high level languages. But, but..Java is the be-all end-all! Three years ago I advised a business/tech guy to avoid Java for crypto and related purposes. I'll revise that somewhat in light

Re: Is there any future for smartcards?

2005-09-13 Thread Anne & Lynn Wheeler
Jaap-Henk Hoepman wrote: > I believe smartcards (and trusted computing platforms too, btw) aim to solve > the following problem: > > "How to enforce your own security policy in a hostile environment, not > under your own physical control?" > > Examples: > - Smartcard: electronic purse: you c