Secrets of Computer Espionage: Tactics and Countermeasures

2003-06-11 Thread John Young
New book by Joel McNamara who runs the Tempest website:

   http://www.eskimo.com/~joel/tempest.html


http://www.wiley.com/legacy/compbooks/mcnamara/

Secrets of Computer Espionage: Tactics and Countermeasures

by Joel McNamara

Covers electronic and wireless eavesdropping, computer surveillance, 
intelligence gathering, password cracking, keylogging, data duplication, 
black bag computer spy jobs, reconnaissance, risk assessment, legal 
issues, and advanced spying techniques used by the government.

Author shares easily-implemented countermeasures against spying to 
detect and defeat eavesdroppers and other hostile individuals.

Addresses legal issues, including the U.S. Patriot Act, legal spying in 
the workplace, and computer fraud crimes. 

ISBN 0-7645-3710-5
384 Pages
June 2003

Links:


http://www.wiley.com/legacy/compbooks/mcnamara/links.html

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: An attack on paypal

2003-06-11 Thread Eric Rescorla
Sunder [EMAIL PROTECTED] writes:

 The worst trouble I've had with https is that you have no way to use host
 header names to differentiate between sites that require different SSL
 certificates.

 i.e. www.foo.com, www.bar.com and www.baz.com can't all live on the same IP and
 have individual ssl certs for https. :(  This is because the cert is
 exchanged before the http 1.1 layer can say "I want www.bar.com".
 
 So you need to waste IPs for this.  Since the browser standards are
 already in place, it's unlikely to be able to find a workaround, i.e. be able
 to switch to a different virtual host after you've established the ssl
 session.  :(

This is being fixed. See draft-ietf-tls-extensions-06.txt

-Ekr

-- 
Eric Rescorla   [EMAIL PROTECTED]
http://www.rtfm.com/
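The server_name extension in the draft Eric cites (draft-ietf-tls-extensions, published as RFC 3546) carries the requested host name inside the ClientHello, so a server can pick the matching certificate before the handshake continues, which is exactly what the Host header cannot do. The following is an added example, not code from the thread or from any TLS library: it constructs a minimal TLS 1.0 ClientHello with and without the extension (fixed random bytes and an arbitrary single cipher suite, both constructed) and parses the name back out the way a name-based virtual host dispatcher would.

```python
import struct
from typing import Optional

SNI_EXT = 0x0000          # server_name extension type (RFC 3546, section 3.1)

def build_client_hello(hostname: Optional[str]) -> bytes:
    """Constructed minimal TLS 1.0 ClientHello; hostname=None gives the pre-extension form."""
    body = (b"\x03\x01"                        # client_version = TLS 1.0
            + b"\x11" * 32                      # random (fixed constructed bytes)
            + b"\x00"                           # empty session_id
            + b"\x00\x02\x00\x2f"               # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x01\x00")                      # compression_methods: null only
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name(0)
        sni = struct.pack("!H", len(entry)) + entry                 # ServerNameList
        ext = struct.pack("!HH", SNI_EXT, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body             # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs       # ContentType handshake(22)

def sni_hostname(record: bytes) -> Optional[str]:
    """Extract host_name from a ClientHello record; None when no server_name was sent."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    pos = 2 + 32                                           # skip version and random
    pos += 1 + body[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                                   # compression_methods
    if pos >= len(body):
        return None                # old-style hello: server must pick a cert before any name arrives
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != SNI_EXT:
            continue
        p, end = 2, 2 + struct.unpack("!H", data[:2])[0]
        while p + 3 <= end:
            name_type, name_len = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
            if name_type == 0:
                return data[p + 3:p + 3 + name_len].decode("ascii")
            p += 3 + name_len
    return None
```

A server that receives the hostname-less form has no name to dispatch on, which is the one-certificate-per-IP situation Sunder describes.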



Re: An attack on paypal

2003-06-11 Thread Anne Lynn Wheeler
At 10:56 AM 6/11/2003 -0400, Sunder wrote:
 In either case, we wouldn't need to worry about paying Verisign or anyone
 else if we had properly secured DNS.  Then you could trust those pop-up
 self-signed SSL cert warnings.

actually, if you had a properly secured DNS, then you could trust DNS 
to distribute public keys bound to a domain name in the same way they 
distribute ip-addresses bound to a domain name.

the certificates serve two purposes: 1) is the server that we think we are 
talking to really the server we are talking to and 2) key-exchange for 
establishing an encrypted channel. a properly secured DNS would allow 
information distributed by DNS to be trusted, including a server's 
public key, and given the public key, it would be possible to do 
the rest of the SSL operation (w/o requiring certificates), which is 
establishing an agreed upon session secret key.
--
Anne & Lynn Wheeler    http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm



Re: An attack on paypal (trivia addenda)

2003-06-11 Thread Anne Lynn Wheeler
somewhat related to the early posting in this m.l. about distributed 
computing systems conference and possible interest from security and 
cryptography sections.

when my wife and I were doing ha/cmp
http://www.garlic.com/~lynn/subtopic.html#hacmp
we were working with two people in the following meeting in ellison's 
conference room
http://www.garlic.com/~lynn/95.html#13

who the following year, left and joined a small client/server startup and 
were responsible for something called the commerce server (the company also 
had this thing called https/SSL). we then worked with these two people on 
the implementation for payments for the thing called the commerce server 
as well as the infrastructure regarding trusting online merchants (as part 
of promoting this whole thing that came to be called electronic commerce):
http://www.garlic.com/~lynn/aadsm5.htm#asrn2
http://www.garlic.com/~lynn/aadsm5.htm#asrn3
and more recent posting in the same thread that I had also posted about 
buffer overflows and the multics study:
http://www.garlic.com/~lynn/2003j.html#15 A Dark Day

in any case, one of the jokes has been there are actually only 200 people 
in the industry.

in any case, back to the recent related thread on distributed system operation:
http://www.garlic.com/~lynn/2003i.html#70 A few Z990 Gee-Wiz stats
http://www.garlic.com/~lynn/2003i.html#72 A few Z990 Gee-Wiz stats
http://www.garlic.com/~lynn/2003j.html#3 A few Z990 Gee-Wiz stats
http://www.garlic.com/~lynn/2003j.html#7 A few Z990 Gee-Wiz stats
and past posts discussing the BBB aspects for online electronic commerce:
http://www.garlic.com/~lynn/aepay3.htm#sslset2 SSL & SET Query ... from usenet group
http://www.garlic.com/~lynn/aadsm2.htm#useire U.S. & Ireland use digital signature
http://www.garlic.com/~lynn/aadsm4.htm#0 Public Key Infrastructure: An Artifact...
http://www.garlic.com/~lynn/aadsm4.htm#2 Public Key Infrastructure: An Artifact...
http://www.garlic.com/~lynn/aepay10.htm#83 SSL certs & baby steps
http://www.garlic.com/~lynn/aadsm12.htm#55 TTPs & AADS (part II)
http://www.garlic.com/~lynn/aadsm13.htm#1 OCSP and LDAP
http://www.garlic.com/~lynn/aepay11.htm#7 FTC says incidence of ID theft jumped in 2002
http://www.garlic.com/~lynn/2000f.html#72 SET; was Re: Why trust root CAs ?
--
Anne & Lynn Wheeler    http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm



RE: Keyservers and Spam

2003-06-11 Thread Bill Frantz
To try to reflect some of David's points with a real-world situation.  I
was at work, with a brand new installation of PGP.  I wanted to send some
confidential data home so I could work with it.  However I didn't have my
home key at work, so I didn't have a secure way to send either the data, or
the work key.  I didn't even have the fingerprint of the home key.

My solution was to pull Carl Ellison's business card out of my pocket.  It
had his key fingerprint on it, and I remember getting it directly from him,
so I could trust the fingerprint.  Now Carl had signed my key, so when I
downloaded it from the key server, I could verify that it was indeed mine
(to the extent I trusted Carl).  Carl's signature, and the key server
allowed me to bootstrap trust into my own key.

At 3:53 PM -0700 6/10/03, David Honig wrote:
At 04:54 PM 6/10/03 +0100, [EMAIL PROTECTED] wrote:
I don't know you.  Why should I trust your signing of someone else's key?

If I know a mutual acquaintance, no need for web of trust.
...
If we allow this, then the entire web-of-trust disintegrates.

There *is no web of trust* unless you know the signers.  In which
case you may as well have them forward keys manually.

But with a key server, I didn't have to bother Carl to send me my key.  Or
depend on him being online when I needed it.

Cheers - Bill


-
Bill Frantz   | Due process for all| Periwinkle -- Consulting
(408)356-8506 | used to be the | 16345 Englewood Ave.
[EMAIL PROTECTED] | American way.  | Los Gatos, CA 95032, USA


