The clouds are not random enough

2009-08-01 Thread Ali, Saqib
Why Cloud Computing Needs More Chaos:
http://www.forbes.com/2009/07/30/cloud-computing-security-technology-cio-network-cloud-computing.html

[Moderator's note: It is not supposed to be the moderator's job to read
a link and then summarize for the readers it is interesting to click
on. In the future, posters should provide at least a few sentences
explaining why a link is of interest or I'm going to simply stop
forwarding them.

In the current instance, the article is about a growing problem -- the
lack of good quality random numbers in VMs provided by services like EC2
and the effect this has on security. --Perry]
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Manipulation and abuse of the consumer credit reporting agencies

2009-08-01 Thread Jerry Leichter
Found on the Telecom list (which I've subscribed to for years but  
almost never read any more).  The paper is quite interesting.


-- Jerry

Date: Fri, 31 Jul 2009 22:07:03 -0400
From: Monty Solomon mo...@roscom.com
To: mod...@telecom.csail.mit.edu
Subject: Manipulation and abuse of the consumer credit reporting  
agencies

Message-ID: p0624087dc699532ac...@[10.0.1.3]


Manipulation and abuse of the consumer credit reporting agencies

by Christopher Soghoian
First Monday
Volume 14, Number 8
3 August 2009

Abstract

This paper will present a number of loopholes and exploits against
the system of consumer credit in the United States that can enable a
careful attacker to hugely leverage her (or someone else's) credit
report for hundreds of thousands of dollars. While the techniques
outlined in this paper have been used for the personal (and legal)
profit by a small community of credit hackers, these same techniques
could equally be used by more nefarious persons - that is, criminals
willing to break the law, engage in fraud, and make off with
significant sums of money. The purpose of this paper is to shed light
on these exploits, to analyze them through the lens of the computer
security community and to propose a number of fixes which will
significantly reduce the effectiveness of the exploits, by both those
with good and ill intentions.

...

http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/2583/2246

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Fast MAC algorithms?

2009-08-01 Thread Joseph Ashwood

--
From: James A. Donald jam...@echeque.com
Subject: Re: Fast MAC algorithms?


james hughes wrote:


On Jul 27, 2009, at 4:50 AM, James A. Donald wrote:
No one can break arcfour used correctly - unfortunately, it is tricky to 
use it correctly.


RC-4 is broken when used as intended.

...

If you take these into consideration, can it be used correctly?


Hence tricky


By the same argument a Viginere cipher is tricky to use securely, same 
with monoalphabetic and even Ceasar. Not that RC4 is anywhere near the 
brokenness of Viginere, etc, but the same argument can be applied, so the 
argument is flawed.


The question is: What level of heroic effort is acceptable before a cipher 
is considered broken? Is AES-256 still secure?3-DES? Right now, to me 
AES-256 seems to be about the line, it doesn't take significant effort to 
use it securely, and the impact on the security of modern protocols is 
effectively zero, so it doesn't need to be retired, but I wouldn't recommend 
it for most new protocol purposes. RC4 takes excessive heroic efforts to 
avoid the problems, and even teams with highly skilled members have gotten 
it horribly wrong. Generally, using RC4 is foolish at best.
   Joe 


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com