Re: Trusting the Tools - was Re: Open Source ...

2003-10-13 Thread kent
On Sun, Oct 12, 2003 at 08:25:21AM -0600, Anne Lynn Wheeler wrote: It wouldn't have been impossible ... but quite unlikely. It is somewhat easier in C-based programs since there are additional levels of indirection and obfuscations between the statements in a C program and the generated

Re: Trusting the Tools - was Re: Open Source ...

2003-10-13 Thread Anne Lynn Wheeler
At 03:48 PM 10/12/2003 -0700, [EMAIL PROTECTED] wrote: Hmm. While I agree with your assessment of likelihood, I think you understate the seriousness of the issue in both the C case and the assembler case -- they are not really that different. It's not just a matter of indirection and obfuscation

WYTM?

2003-10-13 Thread Ian Grigg
As many have decried in recent threads, it all comes down to the WYTM - What's Your Threat Model. It's hard to come up with anything more important in crypto. It's the starting point for ... everything. This seems increasingly evident because we haven't successfully reverse-engineered the threat

Re: NCipher Takes Hardware Security To Network Level

2003-10-13 Thread Peter Gutmann
Anton Stiglic [EMAIL PROTECTED] writes: But the problem is how can people who know nothing about security evaluate which vendor is most committed to security? For the moment, FIPS 140 and CC type certifications seem to be the only means for these people... Yeah, it's largely a case of looking

Re: WYTM?

2003-10-13 Thread Ian Grigg
Minor errata: Eric Rescorla wrote: I totally agree that the systems are insecure (obligatory pitch for my Internet is Too Secure Already) http://www.rtfm.com/TooSecure.pdf, I found this link had moved to here; http://www.rtfm.com/TooSecure-usenix.pdf which makes some of the same

Re: Now Is the Time to Finally Kill Spam - A Call to Action

2003-10-13 Thread martin f krafft
also sprach R. A. Hettinga [EMAIL PROTECTED] [2003.10.13.0639 +0200]: The time to stop this nonsense is now, and there's a non-governmental, low-cost, low-effort way it could happen. Here's my plan of action, it's not original to me but I want to lay it out publicly as a battle plan: Of course

Re: WYTM?

2003-10-13 Thread Tim Dierks
At 12:28 AM 10/13/2003, Ian Grigg wrote: Problem is, it's also wrong. The end systems are not secure, and the comms in the middle is actually remarkably safe. I think this is an interesting, insightful analysis, but I also think it's drawing a stronger contrast between the real world and the

Re: Software protection scheme may boost new game sales

2003-10-13 Thread Sunder
On Mon, 13 Oct 2003, Jerrold Leichter wrote: different forms. It's been broken repeatedly. The one advantage they have this time around is that CD readers - and, even more, DVD readers; there is mention of applying the same trick to DVD's - is, compared to the floppy readers of yesteryear,

Partners Promote Quantum Cryptography

2003-10-13 Thread R. A. Hettinga
http://www.lightreading.com/document.asp?site=lightreadingdoc_id=41735 Light Reading - Networking the Telecom Industry OCTOBER 13, 2003 PREVIOUS ITU TELECOM WORLD NEWSWIRE FEED Partners Promote Quantum Cryptography GENEVA -- WISeKey, ID Quantique and OISTE sign a partnership agreement to

Re: Software protection scheme may boost new game sales

2003-10-13 Thread Jerrold Leichter
| I've not read the said article just yet, but from that direct quote as | the copy degrades... I can already see the trouble with this scheme: | their copy protection already fails them. They allow copies to be made | and rely on the fact that the CDR or whatever media, will eventually |

Re: NCipher Takes Hardware Security To Network Level

2003-10-13 Thread Anne Lynn Wheeler
At 10:22 PM 10/13/2003 +1300, Peter Gutmann wrote: So why is this stuff still present in the very latest certification requirements? Because we're measuring what we know how to measure, whether it makes sense to evaluate security in that way or not. This is probably why penetrate-and-patch is

Re: WYTM?

2003-10-13 Thread Ian Grigg
Eric, thanks for your reply! My point is strictly limited to something approximating there was no threat model for SSL / secure browsing. And, as you say, you don't really disagree with that 100% :-) With that in mind, I think we agree on this: [9] I'd love to hear the inside scoop, but

Re: WYTM?

2003-10-13 Thread Eric Rescorla
Ian Grigg [EMAIL PROTECTED] writes: It's really a mistake to think of SSL as being designed with an explicit threat model. That just wasn't how the designers at Netscape thought, as far as I can tell. Well, that's the sort of confirmation I'm looking for. From the documents and

Re: NCipher Takes Hardware Security To Network Level

2003-10-13 Thread Joseph Ashwood
- Original Message - From: Ian Grigg [EMAIL PROTECTED] Sent: Saturday, October 11, 2003 1:22 PM Subject: Re: NCipher Takes Hardware Security To Network Level Is there any reason to believe that people who know nothing about security can actually evaluate questions about security?

Re: WYTM?

2003-10-13 Thread Ian Grigg
Eric Rescorla wrote: Ian Grigg [EMAIL PROTECTED] writes: It's really a mistake to think of SSL as being designed with an explicit threat model. That just wasn't how the designers at Netscape thought, as far as I can tell. Well, that's the sort of confirmation I'm looking for.