[Skype reverse-engineering details]
Some very juicy details here: http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pd

-- 
Cryptography is nothing more than a mathematical framework for discussing various paranoid delusions. -- Don Alvarez
URL:http://www.subspacefield.org/~travis/
gang uses crypto to hide identity theft databases
http://www.zdnet.co.uk/misc/print/0%2C100169%2C39285188-39001093c%2C00.htm

--Steve Bellovin, http://www.cs.columbia.edu/~smb

- The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Startup to launch new random number generator from space
http://news.zdnet.com/2100-1009_22-6142935.html

British start-up Yuzoz has announced that it will be launching its beta service in the next two weeks--an online random-number generator driven by astronomical events. Working with data from satellites and observatories, Yuzoz will use the solar wind, the clouds of Venus, the Northern Lights, Jupiter's shortwave emissions and other cosmic events to generate 200 choices per second.

While the beta service will use only a single source--the solar wind--to deliver a selection of numbers, the full service, due at the end of January, will have many more options, including the ability to give the site a list of choices and have it pick one.

[snip]

-- 
((Udhay Shankar N)) ((udhay @ pobox.com)) ((www.digeratus.com))
Re: [Discuss-gnuradio] VT receives NSF grant for SDR security (fwd)
-- Forwarded message --
Date: Tue, 19 Dec 2006 10:24:44 -0500
From: David P. Reed [EMAIL PROTECTED]
To: discuss-gnuradio@gnu.org
Subject: Re: [Discuss-gnuradio] VT receives NSF grant for SDR security

Greg - I think the concept of software defined radio being explored by the VT folks is a concept I personally refer to as crippled software radio. It is based on a discredited theory of security that was called a secure kernel when I was a student 30 years ago. In other words - that there is a small, well-defined portion of a system that can be certified separately from the rest of the system, which has the essential property that its *correct* operation *guarantees* that the entire system will be secure according to *all possible interpretations* of the word secure.

I worked on a project of this sort, and am currently ashamed that I helped perpetuate that charade. I can only say that many others helped - it funded lots of work on proving programs correct - on the theory that it was feasible to prove small programs correct, and thus whole systems secure. The big lie, of course, is that the researchers essentially redefined the word secure to mean the trivial notion of security that you couldn't compromise the kernel.

Of course today we stare the fraudulence of that idea in the face: phishing, XSS, and other very dangerous attacks do not depend one whit on a failure to secure a kernel of the operating system, or even the kernel of a router. Yet the idea that incorrectness is the same thing as insecurity persists in such ideas as the idea that you need hardware integrity to prevent attacks on radio systems.

I suggest that it is impossible to carry on a dialog with folks like the VT researchers, because they must necessarily buy into the certification of correctness notion of security. If they were concerned with correctness that would be fine - we could carry out a meaningful discussion about the difficulty of determining correctness in a system that is inherently focusing on getting reliable communications through unreliable channels (information theory). But since they play to the gods of deterministic correctness - unreliability doesn't fit in their notion of security - they cannot even consider the idea that there is no kernel that can be certified to reduce risk.

Discuss-gnuradio mailing list
Discuss-gnuradio@gnu.org
http://lists.gnu.org/mailman/listinfo/discuss-gnuradio
news story - Jailed ID thieves thwart cops with crypto
http://news.com.com/Jailed+ID+thieves+thwart+cops+with+crypto/2100-7348_3-6144521.html

Jailed ID thieves thwart cops with crypto
By Tom Espiner
Story last modified Tue Dec 19 06:46:45 PST 2006

Three men have been jailed in the U.K. for their part in a massive data theft operation. One of the accused ringleaders of the gang, Anton Dolgov--also known as Gelonkin--was sentenced to six years at London's Harrow Crown Court on Wednesday for his part in the theft of millions of dollars from victims in countries including the U.K. and the U.S.

The ID thieves used stolen credit card numbers and created false identities to buy high-end electronics and other goods, which they then resold on eBay, prosecutors said. The gang pleaded guilty to conspiracy to defraud, obtain services by deception, acquire, use and possess criminal property, and conceal, disguise, convert, transfer or remove criminal property.

One of the gang members, Aleksei Kostap, was also found guilty of perverting the course of justice, and was sentenced to four years' imprisonment. When the gang's premises were raided by the members of the Serious and Organised Crime Agency (SOCA), Kostap was handcuffed with his hands in front of his body. He managed to leap up and flick an electrical switch that wiped databases that could have contained records of the gang's activities stretching back more than 10 years, SOCA said.

Kostap's action also triggered intricate layers of encryption on the gang's computer systems, which SOCA's experts were unable to crack, the court heard. SOCA was not prepared to discuss what encryption was used or why it was unable to decrypt it, as such information would enable other criminals to use the same methods. According to the Crown Prosecution Service (CPS), which confirmed that Kostap had activated the encryption after being arrested, it would take 400 computers 12 years to crack the code.

Because much data was inaccessible to the police, it is not known how much the criminals profited from their operation, but it is believed that they made millions of dollars. Police were able to find evidence of 750,000 pounds ($1.46 million) worth of transactions between 2003 and 2006, but the gang had been operating since the mid-'90s. The true scale of the gang's crimes will probably never be known, said a representative for the CPS.

Identity theft is a growing problem worldwide. Figures released by Sainsbury's Bank last week found that more than 4 million British citizens have suffered financial losses through ID fraud. And last year, in the U.S., identity theft for the third straight year topped the list of fraud complaints reported to the Federal Trade Commission. Consumers filed more than 255,000 identity theft reports to the FTC in 2005, accounting for more than a third of all complaints the agency received.

Police became aware of the gang after a reported break-in at the gang's base of operations. When they raided the premises they found the gang hard at work at their computers and arrested them. They were very busy when they were arrested, the CPS said.

The gang used fake identities, and falsified and forged passports to open bank and PayPal accounts, and sent the goods they purchased to residential addresses for later sale. They had already requested the mail be redirected from the addresses. Goods including Manchester United strips and cameras, which have a high resale value, were then auctioned on eBay.

The CPS told ZDNet UK, CNET News.com's sister site, that the gang also had data containing registries of births and deaths, local tax documents and electoral registration applications, and that they had 120 different checkbooks in their possession. Fraud was their bread and butter, the CPS representative said.

There is an outstanding arrest warrant for another member of the gang, believed to be a ringleader. Known as Mr. Kaljusaar, police have evidence of his involvement but as yet have no idea who or where he actually is, the CPS said. After the break-in at the gang's premises, the police became aware of an outstanding international arrest warrant for Gelonkin/Dolgov in the name of Anthony Peyton, which had been issued after the arrest of gang member Andreas Furhmann by Spanish authorities. Another gang member, Romanos Vasiliauskas, was jailed for 18 months on Thursday.
Re: ATM vulnerability
> > I hesitate to use the syllable crypto in describing this paper, but those who have not seen it may find it interesting.
> > http://www.arx.com/documents/The_Unbearable_Lightness_of_PIN_Cracking.pdf
>
> Or profitable.

In a weird sense, yes. If I understand the paper correctly, the authors show that given the current protocol requirements, spending money on HSMs is a total waste.
Re: Startup to launch new random number generator from space
Udhay Shankar N wrote:
> http://news.zdnet.com/2100-1009_22-6142935.html
>
> British start-up Yuzoz has announced that it will be launching its beta service in the next two weeks--an online random-number generator driven by astronomical events. Working with data from satellites and observatories, Yuzoz will use the solar wind, the clouds of Venus, the Northern Lights, Jupiter's shortwave emissions and other cosmic events to generate 200 choices per second.
>
> While the beta service will use only a single source--the solar wind--to deliver a selection of numbers, the full service, due at the end of January, will have many more options, including the ability to give the site a list of choices and have it pick one.

Using a random number generator, presumably. If only we could find a good source of randomness... :-)

This kind of service has been discussed here before, of course. The usual verdict: so much better for attackers, especially if they work for Yuzoz.

Cheers,
Ben.

-- 
http://www.apache-ssl.org/ben.html http://www.links.org/
There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff
Re: [Skype reverse-engineering details]
On 12/18/06, Travis H. [EMAIL PROTECTED] wrote:
> Some very juicy details here: http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pd

the file extension is pdf (or was it some sort of security-through-obscuring the file name? :) )

-- 
:lorenzo grespan
GPG Key fingerprint = 5372 1B49 9E61 747C FB9A 4DAE 5D2A A9A0 74B4 8F1A
How important is FIPS 140-2 Level 1 cert?
Hello All,

I would like to know how much weight people usually give to the FIPS 140-2 Level 1 certification. If two products have exactly the same feature set, but one is FIPS 140-2 Level 1 certified and costs twice as much, would you go for it, considering that Level 1 is the lowest?

saqib
http://www.full-disk-encryption.net
Re: [Skype reverse-engineering details]
Yes, that's a very interesting slide deck. An alternative URL to the talk is in this blog posting..

Skype.exe innards revealed...
http://identitymeme.org/archives/2006/04/06/skypeexe-innards-revealed/

=JeffH
U.S. to Declassify Secrets at Age 25
The New York Times has an article on the coming automatic declassification of most US government documents over 25 years old. I wonder if some interesting nuggets in the history of DES might become available:

http://www.nytimes.com/2006/12/21/washington/21declassify.html

-- 
Perry E. Metzger [EMAIL PROTECTED]
Re: gang uses crypto to hide identity theft databases
Well this just sucks if you ask me.

> According to the Crown Prosecution Service (CPS), which confirmed that Kostap had activated the encryption after being arrested, it would have taken 400 computers twelve years to crack the code.

Scales linearly, right? 4,800 computers'll get it in a year?

How can one write a SETI-at-home-like screensaver that can attack the ciphertext without giving the underlying information to thousands of people?

Barring that sort of grass-roots effort, I'm personally mad enough to donate a PC + shipping.

-- jim

Steven M. Bellovin wrote:
> http://www.zdnet.co.uk/misc/print/0%2C100169%2C39285188-39001093c%2C00.htm
>
> --Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: news story - Jailed ID thieves thwart cops with crypto
On Dec 20, 2006, at 8:44 AM, [EMAIL PROTECTED] wrote:
> http://news.com.com/Jailed+ID+thieves+thwart+cops+with+crypto/2100-7348_3-6144521.html
> [...]
> According to the Crown Prosecution Service (CPS), which confirmed that Kostap had activated the encryption after being arrested, it would take 400 computers 12 years to crack the code.
> [...]

What algorithm was that? Seems like a really small time, especially if you have a 4000 or larger CPU cluster...
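Jim's question above ("how can one write a SETI-at-home-like screensaver that can attack the ciphertext without giving the underlying information to thousands of people?") and the follow-up asking what algorithm fits "400 computers for 12 years" both come down to the same two ideas: a distributed known-plaintext key search hands each volunteer only a key range, a single ciphertext block and a hash of the plaintext that block is expected to decrypt to, so a volunteer who finds the key still never sees the protected data; and brute force scales linearly in machines times time, so the quoted figure implies a key-space size, not an algorithm. The following is an added example written for this thread, not code from any of the posters and nothing to do with the actual SOCA case. It assumes a deliberately tiny 20-bit toy stream cipher (SHA-256-derived keystream) so that the search finishes in seconds, and assumes the encrypted file begins with a known header (SQLite's 16-byte magic is used as a stand-in). The function and variable names are the example's own.

```python
"""Volunteer key search that ships one ciphertext block and a plaintext hash, not the data."""
import hashlib
import math
import os
from typing import Optional

KEY_BITS = 20           # toy key space so the demo finishes in seconds; real keys are far larger
KEY_SPACE = 1 << KEY_BITS
BLOCK = 16              # one cipher block: the only ciphertext a volunteer ever receives

# Assumed known plaintext: the 16-byte magic at the start of an SQLite file (stand-in choice).
KNOWN_HEADER = b"SQLite format 3\x00"


def keystream(key: int) -> bytes:
    """Toy stream cipher: 16 keystream bytes derived from the key with SHA-256 (example only)."""
    return hashlib.sha256(key.to_bytes(4, "big")).digest()[:BLOCK]


def xor_block(key: int, block: bytes) -> bytes:
    """Encrypt or decrypt one 16-byte block under the toy cipher (XOR is its own inverse)."""
    ks = keystream(key)
    return (int.from_bytes(block, "big") ^ int.from_bytes(ks, "big")).to_bytes(BLOCK, "big")


def make_work_units(ciphertext_block: bytes, known_plaintext: bytes, n_units: int) -> list:
    """Coordinator side: split the key space into n_units ranges.

    A unit carries only the first ciphertext block, a hash of the expected plaintext
    and a key range. The rest of the ciphertext never leaves the coordinator, so a
    volunteer who recovers the key learns nothing beyond the already-public header.
    """
    target = hashlib.sha256(known_plaintext).digest()
    step = -(-KEY_SPACE // n_units)  # ceiling division so the last unit is never empty
    return [
        {"ct": ciphertext_block, "target": target, "lo": lo, "hi": min(lo + step, KEY_SPACE)}
        for lo in range(0, KEY_SPACE, step)
    ]


def search_unit(unit: dict) -> list:
    """Volunteer side: try every key in the range, report candidate keys only."""
    ct, target = unit["ct"], unit["target"]
    hits = []
    for key in range(unit["lo"], unit["hi"]):
        if hashlib.sha256(xor_block(key, ct)).digest() == target:
            hits.append(key)
    return hits


def coordinate(ciphertext_block: bytes, known_plaintext: bytes, n_units: int) -> Optional[int]:
    """Hand out units in order until a volunteer reports a hit (here run locally, in series)."""
    for unit in make_work_units(ciphertext_block, known_plaintext, n_units):
        hits = search_unit(unit)  # in a real deployment this call runs on a remote volunteer
        if hits:
            return hits[0]
    return None


def effective_key_bits(machines: int, years: float, keys_per_second: float) -> float:
    """Key-space size, in bits, that a search of this size can exhaust.

    Brute force is embarrassingly parallel: the only quantity that matters is
    machines x time x rate, so 400 machines for 12 years and 4800 machines for
    1 year cover exactly the same number of keys.
    """
    return math.log2(machines * years * 365.25 * 86400 * keys_per_second)


if __name__ == "__main__":
    secret = int.from_bytes(os.urandom(4), "big") % KEY_SPACE
    first_block = xor_block(secret, KNOWN_HEADER)      # all a volunteer ever sees of the file
    found = coordinate(first_block, KNOWN_HEADER, n_units=64)
    print(f"secret key {secret:#07x}, recovered {found:#07x}")
    # What "400 computers for 12 years" buys at an assumed 10^6 keys/s per machine:
    print(f"search covers about 2^{effective_key_bits(400, 12, 1e6):.1f} keys")
```

The design point is in `make_work_units`: the volunteer can verify a candidate key against the hash without being told the plaintext, and without the remaining blocks it cannot decrypt anything else even when it wins. The caveat is in `effective_key_bits`: the whole scheme only helps when the key space is small enough to be within reach of the machine-years available; against a properly sized modern key the linear scaling that makes "4,800 computers for a year" equivalent to "400 for twelve" also makes both of them hopeless.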