RE: Papers about Algorithm hiding ?

2005-05-31 Thread Scott Guthery
Isn't this what Rivest's Chaffing and Winnowing is all about? http://theory.lcs.mit.edu/~rivest/chaffing.txt Cheers, Scott -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hadmut Danisch Sent: Thursday, May 26, 2005 5:51 PM To: cryptography@metzdowd.com
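Rivest's chaffing-and-winnowing construction referenced in the message above, as an added example that is not part of the post or of Rivest's note: the sender emits one-byte "wheat" packets (sequence number, payload, HMAC under a shared key) interleaved with "chaff" packets that carry the same sequence number, a different payload and a random tag; the receiver winnows by MAC verification, and nothing is ever encrypted. The shared key, the sample message and the packet layout are constructed here for illustration.

```python
"""Chaffing and winnowing (Rivest, 1998): confidentiality from authentication only.

Constructed demo: packets are (seq, payload, tag). Wheat carries a valid HMAC;
chaff carries a random tag. Only a holder of the MAC key can tell them apart.
"""
import hashlib
import hmac
import secrets

MAC_LEN = 32  # HMAC-SHA256 tag length in bytes


def mac(key: bytes, seq: int, payload: bytes) -> bytes:
    """Authenticate (sequence number, payload) under the shared key."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


def chaff(key: bytes, plaintext: bytes, chaff_per_packet: int = 1):
    """Split plaintext into one-byte wheat packets, each with a valid MAC, and
    add chaff packets with the same seq, a different byte and a bogus tag."""
    packets = []
    for seq, byte in enumerate(plaintext):
        group = [(seq, bytes([byte]), mac(key, seq, bytes([byte])))]
        for _ in range(chaff_per_packet):
            # decoy byte guaranteed to differ from the real one
            fake = bytes([(byte + secrets.randbelow(255) + 1) % 256])
            group.append((seq, fake, secrets.token_bytes(MAC_LEN)))
        # Fisher-Yates shuffle so position within a group reveals nothing
        for i in range(len(group) - 1, 0, -1):
            j = secrets.randbelow(i + 1)
            group[i], group[j] = group[j], group[i]
        packets.extend(group)
    return packets


def winnow(key: bytes, packets) -> bytes:
    """Keep only packets whose tag verifies; reassemble in sequence order."""
    wheat = {}
    for seq, payload, tag in packets:
        if hmac.compare_digest(tag, mac(key, seq, payload)):
            wheat[seq] = payload
    return b"".join(wheat[s] for s in sorted(wheat))


def candidate_readings(packets) -> int:
    """Number of messages consistent with the stream for an observer without
    the key: every packet is a plausible payload, so it grows exponentially."""
    per_seq = {}
    for seq, payload, _ in packets:
        per_seq.setdefault(seq, set()).add(payload)
    count = 1
    for payloads in per_seq.values():
        count *= len(payloads)
    return count


if __name__ == "__main__":
    key = b"constructed-shared-key"
    stream = chaff(key, b"attack at dawn", chaff_per_packet=1)
    print(len(stream), "packets on the wire")
    print(winnow(key, stream))
    print("readings open to an eavesdropper:", candidate_readings(stream))
```

With one chaff packet per byte the eavesdropper faces 2^n equally plausible readings of an n-byte message while the legitimate receiver recovers it exactly; Rivest's note observes that the sender of the chaff need not even be the same party, which is what makes the construction awkward to classify as "encryption software".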

Re: Citibank discloses private information to improve security

2005-05-31 Thread Adam Fields
On Sat, May 28, 2005 at 10:47:56AM -0700, James A. Donald wrote: [..] With bank web sites, experience has shown that only 0.3% of users are deterred by an invalid certificate, probably because very few users have any idea what a certificate authority is, what it does, or why they should

RE: Papers about Algorithm hiding ?

2005-05-31 Thread Valery Pryamikov
-Original Message- Hadmut Danisch wrote: ... Plenty of research has been done about information hiding. But this special court case requires algorithm hiding as a kind of response. Do you know where to look for papers about this subject? ... Here is the list that you can start

Re: Citibank discloses private information to improve security

2005-05-31 Thread Peter Gutmann
James A. Donald [EMAIL PROTECTED] writes: With bank web sites, experience has shown that only 0.3% of users are deterred by an invalid certificate, probably because very few users have any idea what a certificate authority is, what it does, or why they should care. James (and others): I really

Re: Papers about Algorithm hiding ?

2005-05-31 Thread Jozef Vyskoc
HD What about designing an algorithm good for encryption which someone HD can not prove to be an encryption algorithm? Hmmm, but to do that one needs to have a good definition of 'encryption algorithm' and perhaps also some other apparently fundamental terms. But we have none, I am afraid ... at

RE: Citibank discloses private information to improve security

2005-05-31 Thread Heyman, Michael
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James A. Donald Sent: Saturday, May 28, 2005 1:48 PM With bank web sites, experience has shown that only 0.3% of users are deterred by an invalid certificate, probably because very few users have any idea what a certificate

[EMAIL PROTECTED]: [IP] Intel quietly embeds DRM in its 945 chips firmware]

2005-05-31 Thread Eugen Leitl
- Forwarded message from David Farber [EMAIL PROTECTED] - From: David Farber [EMAIL PROTECTED] Date: Tue, 31 May 2005 08:17:59 -0400 To: Ip ip ip@v2.listbox.com Subject: [IP] Intel quietly embeds DRM in its 945 chips firmware X-Mailer: Apple Mail (2.730) Reply-To: [EMAIL PROTECTED]

Re: Papers about Algorithm hiding ?

2005-05-31 Thread Jerrold Leichter
| Hi, | | you most probably have heard about the court case where the presence | of encryption software on a computer was viewed as evidence of | criminal intent. | | http://www.lawlibrary.state.mn.us/archive/ctappub/0505/opa040381-0503.htm |

Re: Trojan horse attack involving many major Israeli companies, executives

2005-05-31 Thread Amir Herzberg
John, yes, I believe the Trojan ran on Windows. In fact, I just met my kids' schoolmaster, and turns out she was also a victim of that person - already 3-4 years ago!!! Her daughter learned with his in the same school, and apparently he got mad at them and started abusing them in the most crazy

Re: Citibank discloses private information to improve security

2005-05-31 Thread Ian G
On Saturday 28 May 2005 18:47, James A. Donald wrote: Do we have any comparable experience on SSH logins? Existing SSH uses tend to be geek oriented, and do not secure stuff that is under heavy attack. Does anyone have any examples of SSH securing something that was valuable to the user,

Re: Citibank discloses private information to improve security

2005-05-31 Thread Amir Herzberg
With bank web sites, experience has shown that only 0.3% of users are deterred by an invalid certificate, probably because very few users have any idea what a certificate authority is, what it does, or why they should care. (And if you have seen the experts debating what a certificate

Re: What happened with the session fixation bug?

2005-05-31 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], James A. Donald writes: -- PKI was designed to defeat man in the middle attacks based on network sniffing, or DNS hijacking, which turned out to be less of a threat than expected. First, you mean the Web PKI, not PKI in general. The next part of this is circular

Re: Papers about Algorithm hiding ?

2005-05-31 Thread Ian G
On Thursday 26 May 2005 22:51, Hadmut Danisch wrote: Hi, you most probably have heard about the court case where the presence of encryption software on a computer was viewed as evidence of criminal intent. http://www.lawlibrary.state.mn.us/archive/ctappub/0505/opa040381-0503.htm

Re: Citibank discloses private information to improve security

2005-05-31 Thread Victor Duchovni
On Tue, May 31, 2005 at 02:45:56PM +0100, Ian G wrote: On Saturday 28 May 2005 18:47, James A. Donald wrote: Do we have any comparable experience on SSH logins? Existing SSH uses tend to be geek oriented, and do not secure stuff that is under heavy attack. Does anyone have any

RE: Citibank discloses private information to improve security

2005-05-31 Thread Peter Gutmann
Heyman, Michael [EMAIL PROTECTED] writes: In this situation, I believe that the users, through hard won experience with computers, _correctly_ assumed this was a false positive. Probably not. This issue was discussed at some length on the hcisec list, (security usability,

Re: Citibank discloses private information to improve security

2005-05-31 Thread Lance James
Ed Gerck wrote: Suppose you choose A4RT as your codeword. The codeword has no privacy concern (it does not identify you) and is dynamic -- you can change it at will, if you suspect someone else got it. Compare with the other two identifiers that Citibank is using. Your full name is private

Re: Trojan horse attack involving many major Israeli companies, executives

2005-05-31 Thread J.A. Terranson
John Saylor wrote: hi ( 05.05.30 15:34 +0200 ) Amir Herzberg: See more info e.g. at http://www.haaretz.com/hasen/spages/581790.html an excellent tale [still unfolding]- no doubt coming to a bookstore or movie theatre near you real soon. of course, it was never mentioned in

Re: Citibank discloses private information to improve security

2005-05-31 Thread Anne Lynn Wheeler
Adam Fields wrote: Moreover, in my experience (as I've mentioned before on this list), noticing an invalid certificate is absolutely useless if the banks won't verify via another channel a) that it changed, b) what the new value is or c) what the old value is. I've tried. They won't/can't.

SSL stops credit card sniffing is a correlation/causality myth

2005-05-31 Thread Ian G
On Tuesday 31 May 2005 02:17, Steven M. Bellovin wrote: In message [EMAIL PROTECTED], James A. Donald writes: -- PKI was designed to defeat man in the middle attacks based on network sniffing, or DNS hijacking, which turned out to be less of a threat than expected. First, you mean the

Re: What happened with the session fixation bug?

2005-05-31 Thread Anne Lynn Wheeler
James A. Donald wrote: PKI was designed to defeat man in the middle attacks based on network sniffing, or DNS hijacking, which turned out to be less of a threat than expected. asymmetric cryptography has a pair of keys ... the other of the key-pair decodes what has been encoded by one of

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-05-31 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Ian G writes: On Tuesday 31 May 2005 02:17, Steven M. Bellovin wrote: In message [EMAIL PROTECTED], James A. Donald writes: -- PKI was designed to defeat man in the middle attacks based on network sniffing, or DNS hijacking, which turned out to be less of a

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-05-31 Thread Perry E. Metzger
Ian G [EMAIL PROTECTED] writes: On Tuesday 31 May 2005 02:17, Steven M. Bellovin wrote: The next part of this is circular reasoning. We don't see network sniffing for credit card numbers *because* we have SSL. I think you meant to write that James' reasoning is circular, but strangely,

Re: Citibank discloses private information to improve security

2005-05-31 Thread Steven M. Bellovin
Bank of America is adopting some new schemes that might help. First, they're asking users to select a picture the user selected at registration time. The theory is presumably that a phishing site won't have the right image for you. Second, you can register your computer; if your account is

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-05-31 Thread Anne Lynn Wheeler
Steven M. Bellovin wrote: Given the prevalence of password sniffers as early as 1993, and given that credit card number sniffing is technically easier -- credit card numbers will tend to be in a single packet, and comprise a self-checking string, I stand by my statement. the major exploits

Re: Citibank discloses private information to improve security

2005-05-31 Thread Anne Lynn Wheeler
Steven M. Bellovin wrote: Bank of America is adopting some new schemes that might help. First, they're asking users to select a picture the user selected at registration time. The theory is presumably that a phishing site won't have the right image for you. Second, you can register your

Re: Citibank discloses private information to improve security

2005-05-31 Thread Anne Lynn Wheeler
Steven M. Bellovin wrote: Bank of America is adopting some new schemes that might help. First, they're asking users to select a picture the user selected at registration time. The theory is presumably that a phishing site won't have the right image for you. Second, you can register your

Re: Citibank discloses private information to improve security

2005-05-31 Thread Anne Lynn Wheeler
just for the heck of it ... something today more from the physical world ATM scams added to GASAs fraud library http://www.atmmarketplace.com/news_story_23307.htm CAPE TOWN, South Africa and BROOKINGS, S.D. The ATM Industry Association's Global ATM Security Alliance launched its online

Re: Citibank discloses private information to improve security

2005-05-31 Thread Anne Lynn Wheeler
oops, sorry, forgot to include this one Hong Kong banks to introduce two-factor authentication for online transactions http://www.finextra.com/fullstory.asp?id=13744 Banks in Hong Kong are set to introduce two-factor authentication services to the country's 2.7 million Internet banking

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-05-31 Thread Ian G
On Tuesday 31 May 2005 21:03, Perry E. Metzger wrote: Ian G [EMAIL PROTECTED] writes: On Tuesday 31 May 2005 02:17, Steven M. Bellovin wrote: The next part of this is circular reasoning. We don't see network sniffing for credit card numbers *because* we have SSL. I think you meant to

Re: Citibank discloses private information to improve security

2005-05-31 Thread Anne Lynn Wheeler
Ed Gerck wrote: Also, in an effort to make their certs more valuable, CAs have made digitally signed messages imply too much -- much more than they warrant or can even represent. There are now all sorts of legal implications tied to PKI signatures, in my opinion largely exaggerated and

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-05-31 Thread Perry E. Metzger
Ian G [EMAIL PROTECTED] writes: Perhaps you are unaware of it because no one has chosen to make you aware of it. However, sniffing is used quite frequently in cases where information is not properly protected. I've personally dealt with several such situations. This leads to a big issue.