DESCHALL Classic Client Source Code Released
Hello everyone.

It was at the RSA Conference ten years ago that the Secret Key Challenges were issued, including the original DES Challenge. Rocke Verser's DESCHALL project, of course, went on to win that contest. Source code for the project was covered by a ten-year non-disclosure agreement.

Rocke has granted me permission to release the source code for the classic fast DES key search clients and I have done so. Additional server-side code, including the UDP-HTTP proxies (both sides) and the code for running the client distribution center, is also available.

All of the goodies are at http://www.interhack.net/projects/deschall/. There are also links there in the Writings section to some technical descriptions of the code's operation.

I'm also looking for Darrell Kindred and Andrew Meggs, both of whom contributed very fast bitslice clients to the project after we got it up and running, to secure their permission for the release of their code as well.

I think that the code is very interesting and of historical significance. Thanks to Rocke for allowing the release as well as to everyone who worked on the DES challenges.

Enjoy.

--
Matt Curtin, author of Brute Force: Cracking the Data Encryption Standard
Founder of Interhack Corporation +1 614 545 4225 http://web.interhack.com/

- The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: One Laptop per Child security
Steven M. Bellovin wrote:
> What about unprotected, frequently-running web browsers?

I don't follow. How do you hop from one browser to another, if you want to use one as your spread vector? Browsers don't accept inbound connections.

--
Ivan Krstić [EMAIL PROTECTED] | GPG: 0x147C722D

Re: One Laptop per Child security
--
Nicolas Williams wrote:
> The text you quote doesn't answer the question; the rest of the wiki frontpage says little more. It tends to make me think that if an application wants to do something that I've not enabled it to do ahead of time then it fails. Failure is inconvenient. So as near as I can tell from the text you quote BitFrost sets its convenience/security parameters differently than other OSes, but there's nothing truly Earth shatteringly new there.

There is a great deal that is earth shatteringly new, and it is documented - albeit in rather unclear and non standard format.

The fundamental difference is that each application is run in its own VM, and so *cannot* exercise full user powers, whereas with *all* other OSs, if your solitaire game is a trojan, or (more likely) has flaws that enable an adversary to get control of it, it can read all your user documents and mail them to the adversary, check your interaction with the browser to detect you typing in passwords to your bank account and share trading account, get the names of everyone on your address list, and spam cons and trojans to them in each other's names, use your modem to dial a ten dollar a minute gay SM sex line in Outer Mongolia, launch a denial of service attack against The Gold Casino as part of an extortion scheme, spray ads onto your screen, make your system a file share server for other people's child pornography, and report all your video files to the copyright lawyers.

--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
x4p2u5+Go3URK4IvzoJkO/+K0lr4p4XW2aNmlbEi
4dlOW8vAN4GsnWBzDGfvyjQYPosBfDEqrH3rKQ451

Re: One Laptop per Child security
--
Simon Josefsson wrote:
> Would it be possible for one malicious web site to be able to access (or even influence) what is being done in another tab or window of the browser? If the user is talking to a bank, then that scenario may threaten the user's privacy. Sandboxing the browser instance for each site would solve that problem.

As designed, hard to VM each browser instance. If one uses something less than VM, one relies on quite a lot of code that one does not really understand being correct.

I do not see any alternative to this, short of a major browser rewrite. Ideally, there should be a separate VM responsible for talking to each site, interpreting javascript, etc, which is created when the conversation is started, and shut down when one browses away from that site. Big project.

Or instead of VMing things, one could structure the code so that automatic code checks make it impossible to compile code that is bad in certain ways - again a big project.

--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
txnLOsPeyJqwn5LYEMAdBUQoBArt6OJO8Rp8P6Vn
4GQB25JeUovLVxb1JZBHA6Q0qjCGFQGkhchihumVh

Re: One Laptop per Child security
Just a general thought, it seems like the OLPC security design is a real-world implementation of Bill Cheswick's Windows OK proposal. See for example http://usablesecurity.com/2005/07/07/bill-cheswick/ for more on this (modulo the comments on feature starvation, which don't apply to the OLPC design).

Peter.

Re: One Laptop per Child security
Peter Gutmann wrote:
> Just a general thought, it seems like the OLPC security design is a real-world implementation of Bill Cheswick's Windows OK proposal. See for example http://usablesecurity.com/2005/07/07/bill-cheswick/ for more on this (modulo the comments on feature starvation, which don't apply to the OLPC design).

The systems are similar in their desire to offer no-frills protection, but I think the similarities end there. If I had been trying to simply lock the machines down, as is the essence of Cheswick's proposal, my task would have been extremely simple. The resulting security model would also have gone against everything OLPC's educational principles stand for.

I think you'll find that moving (even mentally) from protection by not running untrusted code to usable protection _while_ running untrusted code involves a few trips through a labyrinth sitting on top of a mine field, with the exit guarded by a killer rabbit.

It's also certainly possible I'm not smart enough, and other people find this to be an easier problem.

--
Ivan Krstić [EMAIL PROTECTED] | GPG: 0x147C722D

Re: One Laptop per Child security
On Fri, Feb 09, 2007 at 01:22:06PM +1000, James A. Donald wrote:
> Nicolas Williams wrote:
> > The text you quote doesn't answer the question; the rest of the wiki frontpage says little more. It tends to make me think that if an application wants to do something that I've not enabled it to do ahead of time then it fails. Failure is inconvenient. So as near as I can tell from the text you quote BitFrost sets its convenience/security parameters differently than other OSes, but there's nothing truly Earth shatteringly new there.
>
> There is a great deal that is earth shatteringly new, and it is documented - albeit in rather unclear and non standard format.
>
> The fundamental difference is that each application is run in its own VM, and so *cannot* exercise full user powers, whereas with *all* other OSs, if your solitaire

This is a good summary -- the analogy that I asked for.

It doesn't sound so new either though. Labelled OSes and trusted desktops allow as much. My employer makes this stuff (much, if not all of it FOSS), and there have been some very impressive blog posts showing how you can have applications, including browsers, running in different VMs, with some VMs VPNed into a private network, and some not.

Nico
--

Re: interesting and thought provoking resources on quantum crypto
On Thu, Feb 08, 2007 at 04:29:25PM -0800, Saqib Ali wrote:
> i have been tasked by my advisor to create series of mini-lectures slides on the topic of cryptography for a freshman year CS class.

You know, you shouldn't use the Internet to ask people to do your homework for you... ;-) j/k

> any thoughts? the resource has to be related to quantum crypto...

Well, this company sells quantum cryptography devices: http://www.idquantique.com/home.htm

On the other side, any link collection on quantum _cryptanalysis_ wouldn't be complete without Shor: http://www-math.mit.edu/~shor/

I went to one of his lectures at my university, and it was one of those experiences where you know they're speaking English, but it's just not communicating information to you. Usually this means one of two things; either they are trying to fool you, or you are the fool. I'm convinced it was the latter. I know an EPR pair from a quantum decoy, but I still have no idea what the angles on his graphs had to do with QC and superposition.

Lots of good papers on his electronic publications list: http://www-math.mit.edu/~shor/elecpubs.html

He points to this wiki: http://www.qubit.org/

This page is about the watershed paper: http://en.wikipedia.org/wiki/Shor's_algorithm

And this page attempts to illustrate it: http://pdivos.mobstop.com/shor/

--
Good code works. Great code can't fail. -- URL:http://www.subspacefield.org/~travis/
For a good time on my UBE blacklist, email [EMAIL PROTECTED]