On 09/15/2010 11:48 AM, Adam Fields wrote:
On Wed, Sep 15, 2010 at 03:16:34AM -0700, Jacob Appelbaum wrote:
[...]
What Steve has written is mostly true - though I was not working alone,
we did it in an afternoon. It took quite a bit of effort to get Haystack
to take this seriously.
On Sep 15, 2010, at 11:48 AM, Adam Fields wrote:
I find it hard to believe that even the most uninformed dissidents
would be using an untested, unaudited, _beta_, __foreign__ new service
for anything. Is there any reason to believe otherwise? My first guess
would have been that it was a
On 2010-09-16 6:12 AM, Andy Steingruebl wrote:
The malware could just as easily fake the whole UI. Is it really
PKI's fault that it doesn't defend against malware? Did even the
grandest supporters ever claim it could/did?
That is rather like having a fortress with one wall rather than four
* Adam Fields wrote on 2010-09-15 at 20:48:
I find it hard to believe that even the most uninformed dissidents
would be using an untested, unaudited, _beta_, __foreign__ new service
for anything. Is there any reason to believe otherwise? My first guess
According to my experience the
I, too, would love to get the details, but Peter is right here.
The flaw he reported was in the PKI itself, not in the UI. If there were a
bulletproof OS with perfect non-confusing UI, once the malware has a valid
signature that traces to a valid certificate, it's the PKI that failed.
As for EV
Moderator's note:
There have been a lot (!) of messages sent in the last 15 hours or so
following a number of recent high heat threads. Over a dozen (!) of
them are long, earnest, well written, and generally a repeat of a
number of recent arguments we've had on the list or veer off
topic. (Yes,
Brian Holyfield has created another implementation of the padding oracle
exploitation tool first described by Juliano Rizzo and Thai Duong, as well as
providing a step-by-step, easy-to-understand explanation of how the attack
works. You can find it at: