Re: Question on export issues

[Sidney Markowitz]

Ivan Krsti? wrote, On 31/12/07 12:48 PM:
> We've recently had to jump through the BIS crypto export hoops at  
> OLPC

I find that very strange considering this from a BIS FAQ
http://www.bis.doc.gov/encryption/encfaqs6_17_02.html

"all encryption source code that would be considered publicly available under 
Section
734.3(b)(3) of the EAR (such as source code posted to the Internet) and the 
corresponding
object code may be exported and reexported under License Exception TSU -- 
Technology and
Software Unrestricted (specifically, Section 740.13(e) of the EAR), once 
notification (or
a copy of the source code) is provided to BIS and the ENC Encryption Request 
Coordinator."

What hoops did you have to jump through?

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

DRM Helps Sink Another Content Distribution Project

[Ali, Saqib]

See:
http://msl1.mit.edu/furdlog/?p=6538

And Foxtrot on DMCA:
http://www.gocomics.com/foxtrot/2007/12/30/

And Opus on e-books:
http://www.salon.com/comics/opus/2007/12/30/opus/


saqib
http://www.quantumcrypto.de/dante/

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Philips/NXP/Mifare CRYPTO1 mostly reverse-engineered

[markus reichelt]

* Ralf-Philipp Weinmann <[EMAIL PROTECTED]> wrote:

> My colleague Erik took photos of the slides which I put up on
> Zooomr [0]. A video recording of the talk should be available
> shortly and will be linked here."

preliminary link for the video:

http://stan.freitagsrunde.org/mirror/24c3/matroska/24c3-2378-en-mifare_security.mkv


-- 
left blank, right bald


pgpEBaezFdod1.pgp
Description: PGP signature

Re: Death of antivirus software imminent

[Ivan Krstić]

On Dec 29, 2007, at 6:37 PM, Anne & Lynn Wheeler wrote:

Virtualization still hot, death of antivirus software imminent


My, that sounds awfully familiar:


I note that, come the January OLPC software update, I will be using my  
XO laptop for all my e-banking and related needs. It provides a  
drastically more secure platform for doing so than any mainstream  
computer I know exists.


--
Ivan Krstić <[EMAIL PROTECTED]> | http://radian.org

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Question on export issues

[Ivan Krstić]

On Dec 30, 2007, at 12:06 AM, [EMAIL PROTECTED] wrote:

never be permitted to export to the embargoed country
list (Cuba, Iran, Sudan, Syria, North Korea, and Libya).



Not Libya. See 15 C.F.R §740Spir[0], country group E: Cuba, Iran,  
North Korea, Sudan, Syria.


Interestingly, 15 C.F.R. §746.8[1] also lists Rwanda: "an embargo  
applies to the sale or supply to Rwanda of arms and related matériel  
of all types and regardless of origin, including weapons and  
ammunition." I am not a lawyer, and cannot tell whether this applies  
to encryption.


We've recently had to jump through the BIS crypto export hoops at  
OLPC. Our systems both ship with crypto built-in and, due to their  
Fedora underpinnings, allow end-user installation of various crypto  
libraries -- all open-source -- through our servers. It was a  
nightmare; the regulations and paperwork appear to be designed for the  
use case of individual applications that utilize a handful of  
primitives and attempt to keep the user from examining or modifying  
the utilized crypto. Trying to fit a Linux distribution into this  
model proved, er, challenging. (We also found that projects that we  
expected would know the drill cold, such as Fedora and Mozilla, were  
actually not very familiar with the processes involved.)


Cheers,
Ivan.



[0] http://www.access.gpo.gov/bis/ear/pdf/740spir.pdf
[1] http://www.access.gpo.gov/bis/ear/pdf/746.pdf

--
Ivan Krstić <[EMAIL PROTECTED]> | http://radian.org

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Death of antivirus software imminent

[Sherri Davidoff]

Anne & Lynn Wheeler wrote:
> Virtualization still hot, death of antivirus software imminent, VC says
> http://www.networkworld.com/news/2007/121707-crystal-ball-virtualization.html

Interesting how "virtualization" seems to imply "safe" in the public
mind (and explicitly in that article) right now I'm sure with the
increasing use of virtualization, we'll start to see more VMware-aware
malware and virtual machine escapes in the wild. Another example of
putting many, many eggs in the same basket.

Here's a good article about the first public VMware escape, which
Intelguardians demonstrated at SANSFIRE this summer:
(Note: I'm biased, having worked on this project.)
http://www.pauldotcom.com/2007/07/

What boggles my mind is that despite this, the DoD has still decided to
rely on virtualization software to keep classified and unclassified info
on the same physical systems:
http://www.internetnews.com/storage/article.php/3696996

Sherri



Anne & Lynn Wheeler wrote:
> re:
> Storm, Nugache lead dangerous new botnet barrage
> http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1286808,00.html
> 
> from above:
> 
> The creators of these Trojans and bots not only have very strong software 
> development and testing skills, but also clearly know how security vendors 
> operate and how to outmaneuver defenses such as antivirus software, IDS and 
> firewalls, experts say. They know that they simply need to alter their code 
> and the messages carrying it in small ways in order to evade signature-based 
> defenses. Dittrich and other researchers say that when they analyze the code 
> these malware authors are putting out, what emerges is a picture of a group 
> of skilled, professional software developers learning from their mistakes, 
> improving their code on a weekly basis and making a lot of money in the 
> process.
> 
> ... snip ...
> 
> ... and somewhat related
> 
> Virtualization still hot, death of antivirus software imminent, VC says
> http://www.networkworld.com/news/2007/121707-crystal-ball-virtualization.html
> 
> from above:
> 
> Another trend Maeder predicts for 2008 is, at long last, the death of 
> antivirus software and other security products that allow employees to 
> install and download any programs they'd like onto their PCs, and then 
> attempt to weed out the malicious code. Instead, products that protect 
> endpoints by only allowing IT-approved code to be installed will become the 
> norm.
> 
> ... snip ...
> 
> and post about dealing with compromised machines
> http://www.garlic.com/~lynn/2007u.html#771 folklore indeed
> 
> mentioning sophistication in other ways:
> 
> Botnet-controlled Trojan robbing online bank customers
> http://www.networkworld.com/news/2007/121307-zbot-trojan-robbing-banks.htm
> 
> from above:
> 
> If the attacker succeeds in getting the Trojan malware onto the victim's
> computer, he can piggyback on a session of online banking without even
> having to use the victim's name and password. The infected computer
> communicates back to the Trojan's command-and-controller exactly which
> bank the victim has an account with. It then automatically feeds code
> that tells the Trojan how to mimic actual online transactions with a
> particular bank to do wire transfers or bill payments
> 
> ... snip ...
> 
> there have been some number of online banking countermeasures for
> specific kinds of system compromises  like keyloggers ... but they
> apparently didn't bother to get promises from the crooks to only limit
> the kinds of attacks to those exploits.
> 
> some related comments on such compromised machines
> http://www.garlic.com/~lynn/aadsm27.htm#66 2007: year in review
> http://www.garlic.com/~lynn/aadsm28.htm#0 2007: year in review
> 
> -
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]