Re: WYTM?

2003-10-16 Thread Bryce O'Whielacronx
Hopefully everyone realizes this, but just for the record, I didn't write the lines apparently attributed to me below -- I was quoting Bruce Schneier. By the way, I strongly agree with David Honig's point that the wrong entities are doing the signing. Regards, Bryce O'Whielacronx David Honi

Re: WYTM?

2003-10-16 Thread David Honig
At 01:51 PM 10/16/03 -0400, Bryce O'Whielacronx wrote: > I doubt it. It's true that VeriSign has certified this man-in-the-middle > attack, but no one cares. Indeed, it would make sense for the original vendor website (eg Palm) to have signed the "MITM" site's cert (palmorder.modusmedia.

Re: cryptoIDs

2003-10-16 Thread Trevor Perrin
At 09:51 AM 10/16/2003 -0500, Von Welch wrote: Trevor Perrin writes (02:53 October 16, 2003): ... > Anyways, for private-key management people should use certs - store your > root key (i.e. the key that matches the fingerprint) in a safe place (for > most people, this would be with their employ

Re: WYTM?

2003-10-16 Thread Bryce O'Whielacronx
I am very much enjoying the discussion about threat models, web stores, etc. I'm interested to see a continual influx of spoofed e-mail from e-gold.com in my inbox, instructing me to click here to verify the safety of my account. Here is a good rant from Schneier's "Secrets and Lies". From Ch

Re: WYTM?

2003-10-16 Thread Eric Rescorla
Ian Grigg <[EMAIL PROTECTED]> writes: > So to say that ITM is consensus is something > that is going to have to be established. Most comsec people I know subscribe to it. I don't have a study to show it. > In this case, the ITM was a) agreed upon after > the fact to fill in the hole I don't know w

Re: WYTM?

2003-10-16 Thread Florian Weimer
Jon Snader wrote: > I don't understand this. Let's suppose, for the > sake of argument, that MitM is impossible. It's > still trivially easy to make a fake site and harvest > sensitive information. If we assume (perhaps erroneously) > that all but the most naive user will check that they > are

cryptoIDs

2003-10-16 Thread Trevor Perrin
Hi cryptography, I haven't posted here much, but I've got an idea I'd like to try to win some converts / draw some criticism for. There's a paper, code, and other stuff here: http://trevp.net#cryptoID. Here's the gist: The goal is a system for encrypted & authenticated person-to-person commu

VIA wows with nano-sized x86, entropy-based security, tiny PCs

2003-10-16 Thread R. A. Hettinga
A few years ago, I remember being called into at least two chip companies and telling them they really should build something like this. They paid me anyway, but it's too bad they didn't actually build it. Glad *someone* did, though. :-). Here's hoping it works... Cheers, RAH --

Re: WYTM?

2003-10-16 Thread Wuphon's Reach
Ian Grigg wrote: Eric Rescorla wrote: Ian Grigg <[EMAIL PROTECTED]> writes: I actually find the Firebird popup vastly more understandable and helpful. I'm not sure I can make much of your point, as I've never heard of nor seen a Firebird? I believe he's talking about Mozilla Firebird... which is

Re: WYTM?

2003-10-16 Thread Ian Grigg
Jon Snader wrote: > > On Mon, Oct 13, 2003 at 06:49:30PM -0400, Ian Grigg wrote: > > Yet others say "to be sure we are talking > > to the merchant." Sorry, that's not a good > > answer either because in my email box today > > there are about 10 different attacks on the > > secure sites that I car

Re: WYTM?

2003-10-16 Thread Jon Snader
On Mon, Oct 13, 2003 at 10:27:45PM -0400, Ian Grigg wrote: > The situation is so ludicrously unbalanced, that if > one really wanted to be serious about this issue, > instead of dismissing certs out of hand (which would > be the engineering approach c.f., SSH), one would > run ADH across the net an

Re: Trusting the Tools - was Re: Open Source ...

2003-10-16 Thread Bill Frantz
At 1:27 AM -0700 10/12/03, Thor Lancelot Simon wrote: >On Thu, Oct 09, 2003 at 07:45:01PM -0700, Bill Frantz wrote: >> With KeyKOS, we used the argument that since the assembler we were using >> was written and distributed before we designed KeyKOS, it was not feasible >> to include code to subvert

Re: NCipher Takes Hardware Security To Network Level

2003-10-16 Thread Peter Gutmann
Jerrold Leichter <[EMAIL PROTECTED]> writes: >There was also an effort in England that produced a verified chip. Quite >impressive, actually - but I don't know if anyone actually wanted the chip >they (designed and) verified. The Viper. Because it needed to be formally verifiable, they had to l

Schneier gets the heebie-Brin-jeebies (was Re: CRYPTO-GRAM, October 15, 2003)

2003-10-16 Thread R. A. Hettinga
At 10:58 PM -0500 10/14/03, Bruce Schneier wrote: >The Future of Surveillance > > > >At a gas station in Coquitlam, British Columbia, two employees >installed a camera in the ceiling in front of an ATM machine. They >recorded thousands of people as they typed in their PIN >numbers.

Re: Test of BIOS Spyware

2003-10-16 Thread Dave Howe
Ralf-P. Weinmann wrote: > This is *NOT* the interesting part. The interesting part is the > payload it is to deliver. The claim "This enables the software to spy > on the user and remain hidden to the operating system." rather > interests me. How do they achieve this in an OS-agnostic fashion? They