On Tue, Jun 30, 2009 at 11:26:06AM -0500, Nicolas Williams wrote:
| On Mon, Jun 29, 2009 at 11:29:48PM -0700, Jacob Appelbaum wrote:
| This would be great if LoginWindow.app didn't store your unencrypted
| login and password in memory for your entire session (including screen
| lock, suspend to
Udhay Shankar N wrote, [on 5/29/2009 9:02 AM]:
Fascinating discussion at boing boing that will probably be of interest
to this list.
http://www.boingboing.net/2009/05/27/what-will-happen-to.html
Followup article by Cory Doctorow:
Adam Shostack a...@homeport.org writes:
On Tue, Jun 30, 2009 at 11:26:06AM -0500, Nicolas Williams wrote:
| On Mon, Jun 29, 2009 at 11:29:48PM -0700, Jacob Appelbaum wrote:
| This would be great if LoginWindow.app didn't store your unencrypted
| login and password in memory for your entire
On Wed, Jul 01, 2009 at 11:03:13AM -0400, Adam Shostack wrote:
On Tue, Jun 30, 2009 at 11:26:06AM -0500, Nicolas Williams wrote:
| On Mon, Jun 29, 2009 at 11:29:48PM -0700, Jacob Appelbaum wrote:
| This would be great if LoginWindow.app didn't store your unencrypted
| login and password in
On Wed, Jul 01, 2009 at 12:32:40PM -0400, Perry E. Metzger wrote:
I think he's pointing out a more general problem.
Indeed. IIRC, the Mac keychain uses your login password as its passphrase
by default, which means that to keep your keychain unlocked requires
either keeping the password around
I should add that a hardware token/smartcard would be even better, but
the same issue arises: keep it logged in, or prompt for the PIN every
time it's needed? If you keep it logged in then an attacker who
compromises the system will get to use the token, which I bet in
practice is only
On Wed, Jul 01, 2009 at 01:06:05PM -0500, Nicolas Williams wrote:
| On Wed, Jul 01, 2009 at 12:32:40PM -0400, Perry E. Metzger wrote:
| I think he's pointing out a more general problem.
|
| Indeed. IIRC, the Mac keychain uses your login password as its passphrase
| by default, which means that
On Wed, Jul 01, 2009 at 12:32:40PM -0400, Perry E. Metzger wrote:
|
| Adam Shostack a...@homeport.org writes:
| On Tue, Jun 30, 2009 at 11:26:06AM -0500, Nicolas Williams wrote:
| | On Mon, Jun 29, 2009 at 11:29:48PM -0700, Jacob Appelbaum wrote:
| | This would be great if LoginWindow.app
On 07/01/2009 02:10 PM, Nicolas Williams wrote:
I should add that a hardware token/smartcard would be even better, but
the same issue arises: keep it logged in, or prompt for the PIN every
time it's needed? If you keep it logged in then an attacker who
compromises the system will get to use
Bruce Schneier's coverage:
http://www.schneier.com/blog/archives/2009/07/new_attack_on_a.html
Paper:
https://cryptolux.uni.lu/mediawiki/uploads/1/1a/Aes-192-256.pdf
Perry
--
Perry E. Metzger pe...@piermont.com
Also from Bruce Schneier, a report that MD6 was withdrawn from the SHA-3
competition because of performance considerations.
http://www.schneier.com/blog/archives/2009/07/md6.html
Perry
--
Perry E. Metzger pe...@piermont.com