Passwords can sit on disk for years

2004-06-07 Thread Adam Fields

Tal Garfinkel (related to Simpson?) is a Stanford PhD student who has
put together a working model for tracking tainted data stored in RAM
in various popular applications.

This is the first mention I've seen of this - interesting stuff.

http://www.newscientist.com/news/news.jsp?id=ns5064

Abstract here:

http://forum.stanford.edu/events/workshop/security/abstract/garfinkel.html


-- 
- Adam
http://www.adamfields.com

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


WPES04 submission deadline extended

2004-06-07 Thread R. A. Hettinga

--- begin forwarded text


From: Paul Syverson <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: WPES04 submission deadline extended
Date: Mon, 7 Jun 2004 10:45:16 -0400

   CALL FOR PAPERS

  3rd WORKSHOP ON PRIVACY IN THE ELECTRONIC SOCIETY
Washington, DC, USA - October 28, 2004
Sponsored by ACM SIGSAC
  Held in association with 11th ACM CCS 2004

 http://seclab.dti.unimi.it/wpes2004


Due to several requests, the deadline is extended to June 17, 2004 (firm).


Privacy issues have been the subject of public debates, and the need
for privacy-aware policies, regulations, and techniques has been
widely recognized. The goal of this workshop is to discuss the problems of
privacy in global interconnected societies and possible solutions
to them. The 2004 Workshop is the third in what we hope will be a yearly
forum for papers on all the different aspects of privacy in today's
electronic society. The first two workshops in the series were held in
Washington, in conjunction with the 9th ACM CCS conference and with
the 10th ACM CCS conference, respectively. The success of the first
two editions of the workshop and the increased interest of the
community in privacy issues are the main reasons for repeating the
event.

The workshop seeks submissions from academia and industry presenting
novel research on all theoretical and practical aspects of electronic
privacy, as well as experimental studies of fielded systems. We
encourage submissions from other communities such as law and business
that present these communities' perspectives on technological
issues. Topics of interest include, but are not limited to:

- anonymity, pseudonymity, unlinkability
- business model with privacy requirements
- data protection from correlation and leakage attacks
- electronic communication privacy
- information dissemination control
- privacy-aware access control
- privacy in the digital business
- privacy enhancing technologies
- privacy policies and human rights
- privacy and anonymity in Web transactions
- privacy threats
- privacy and confidentiality management
- privacy in the electronic records
- privacy in health care and public administration
- public records and personal privacy
- privacy and virtual identity
- personally identifiable information
- privacy policy enforcement
- privacy and data mining
- relationships between privacy and security
- user profiling
- wireless privacy


PAPER SUBMISSIONS
Submitted papers must not substantially overlap papers that have been
published or that are simultaneously submitted to a journal or a
conference with proceedings. Papers should be at most 15 pages
excluding the bibliography and well-marked appendices (using 11-point
font and reasonable margins on letter-size paper), and at most 20
pages total. Committee members are not required to read the
appendices, and so the paper should be intelligible without
them. Papers should have a cover page with the title, authors,
abstract and contact information.

Authors are invited to submit their contributions electronically
through the web site
http://seclab.dti.unimi.it/wpes2004/submissions.html. Submission must
be in the form of a ps (Postscript), or pdf (Adobe) file. Do NOT
submit files formatted for word processing packages (e.g., Microsoft
Word or WordPerfect files).

Papers must be received by the deadline of June 11, 2004 in order to
be considered. Notification of acceptance or rejection will be sent to
authors by August 2, 2004. Authors of accepted papers must guarantee
that their paper will be presented at the workshop. Accepted papers
will be published by the ACM in a conference proceedings.



GENERAL CHAIR
Vijay Atluri
Rutgers University, USA
email: atluri at andromeda.rutgers.edu


PROGRAM CHAIRS
Sabrina De Capitani di Vimercati
University of Milan
email: samarati at dti.unimi.it

Paul Syverson
Naval Research Laboratory
url: www.syverson.org


IMPORTANT DATES
Paper Submission due:    June 17, 2004 (NEW)
Acceptance notification: August 2, 2004
Final papers due:        August 30, 2004


PROGRAM COMMITTEE
JC Cannon, Microsoft, USA
Lorrie Cranor, Carnegie Mellon University, USA
Ernesto Damiani, University of Milan, Italy
George Danezis, University of Cambridge, UK
Roger Dingledine, The Free Haven Project, USA
Wenliang Du, Syracuse University, USA
Philippe Golle, Palo Alto Research Center, USA
Mike Gurski, Information & Privacy Commission/Ontario, C

Re: Article on passwords in Wired News

2004-06-07 Thread Peter Fairbrother
Peter Gutmann wrote:

>> An article on passwords and password safety, including this neat bit:
>> 
>> For additional security, she then pulls out a card that has 50
>> scratch-off codes. Jubran uses the codes, one by one, each time she
>> logs on or performs a transaction. Her bank, Nordea PLC, automatically
>> sends a new card when she's about to run out.
>> 
>> http://www.wired.com/news/infostructure/0,1377,63670,00.html
> 
> One-time passwords (TANs) were another thing I covered in the "Why isn't the
> Internet secure yet, dammit!" talk I mentioned here a few days ago.  From
> talking to assorted (non-European) banks, I haven't been able to find any that
> are planning to introduce these in the foreseeable future.  I've also been
> unable to get any credible explanation as to why not; as far as I can tell,
> it's "We're not hurting enough yet".  Maybe it's just a cultural thing;
> certainly among European banks it seems to be a normal part of allowing
> customers online access to banking facilities.

My (European) bank uses "memorable information", an alphanumeric string
provided by me, and they ask for three randomly chosen characters when
authenticating online. There is also a fixed password.

Not terribly secure, or terribly one-time, but it would defeat a simple
keylogger or shoulder surfing attack, for instance. It doesn't give me the
warm fuzzies, but it does mean I would use a dodgy terminal at least once if
I was stuck in the badlands (and then change passwords etc.).


-- 
Peter Fairbrother

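The two login schemes discussed in this thread, the scratch-off card of one-time codes from the Wired article and the partial "memorable information" challenge Peter describes, modelled from the bank's side as an added example. This is not code from any bank, from the article, or from the list posters; the class and function names (TanCard, PartialPassword, issue_card) are my own, and the card codes are constructed test data. The TAN side keeps only salted hashes and enforces single use; the partial-password side shows the structural caveat that the server has to hold the whole string in recoverable form, since it cannot check three arbitrary characters against a hash of the full string.

```python
# Added example: server-side model of two login schemes from the thread.
# Not code from any bank or from the list posters; names are mine and
# the card contents are constructed test data.
import hashlib
import hmac
import secrets

DIGITS = "0123456789"


def issue_card(n=50, length=6):
    """Constructed: n distinct numeric codes for a fresh scratch-off card."""
    codes = []
    seen = set()
    while len(codes) < n:
        code = "".join(secrets.choice(DIGITS) for _ in range(length))
        if code not in seen:
            seen.add(code)
            codes.append(code)
    return codes


class TanCard:
    """Server-side record of one customer's scratch-off card.

    Only salted hashes of the codes are stored, so a leaked database does
    not reveal the unused codes. Each code is accepted exactly once, and a
    replacement card is flagged when the supply runs low (the "automatically
    sends a new card" behaviour described in the article).
    """

    def __init__(self, codes, reorder_threshold=5):
        self.salt = secrets.token_bytes(16)
        self.unused = {self._digest(c) for c in codes}
        self.reorder_threshold = reorder_threshold
        self.reissue_requested = False

    def _digest(self, code):
        return hashlib.sha256(self.salt + code.encode()).hexdigest()

    def redeem(self, code):
        """Accept a code once; return False for unknown or already-used codes."""
        d = self._digest(code)
        if d not in self.unused:
            return False
        self.unused.remove(d)            # single use: the same code never works twice
        if len(self.unused) <= self.reorder_threshold:
            self.reissue_requested = True
        return True

    def remaining(self):
        return len(self.unused)


class PartialPassword:
    """Challenge k randomly chosen characters of a user-supplied string.

    Caveat: the server must keep the whole string in recoverable form,
    because it cannot know in advance which positions it will ask for; a
    plain hash of the string would not let it check three characters.
    """

    def __init__(self, memorable, k=3):
        self.memorable = memorable       # stored recoverably by necessity
        self.k = k
        self._rng = secrets.SystemRandom()

    def challenge(self):
        """Pick k distinct 0-based positions to ask the user for."""
        return sorted(self._rng.sample(range(len(self.memorable)), self.k))

    def verify(self, positions, answer):
        """Constant-time comparison of the supplied characters with the stored ones."""
        expected = "".join(self.memorable[i] for i in positions)
        return hmac.compare_digest(expected.encode(), answer.encode())


if __name__ == "__main__":
    codes = issue_card()
    card = TanCard(codes)
    print(card.redeem(codes[0]), card.redeem(codes[0]))   # True False
    pp = PartialPassword("correcthorse")
    pos = pp.challenge()
    print(pos, pp.verify(pos, "".join("correcthorse"[i] for i in pos)))  # [...] True
```

The difference in storage is the point worth noticing: a TAN list can be held hashed like any other password material, while the partial-character scheme forces the bank to keep the secret itself, which is one concrete reason it earns the "not terribly secure" verdict above even though it does limit what a single observed login reveals.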


Re: Article on passwords in Wired News

2004-06-07 Thread Greg Rose
At 21:04 2004-06-06 -0400, Adam Fields wrote:
> On Sat, Jun 05, 2004 at 10:06:20AM +0530, Udhay Shankar N wrote:
>> Citibank in India experimented with a special case of this a few years ago
>> - "online credit cards" - basically, a credit card number valid for one use
>> only, which would be ideal for online purchasing.
>>
>> IIRC, the offering was withdrawn because there weren't enough takers.
>
> American Express still does this, although it's difficult to find and use.
> They call it "Private Payments".

Actually, they just discontinued it too, as of end of May.

Greg.

Greg Rose                    INTERNET: [EMAIL PROTECTED]
Qualcomm Australia           VOICE:  +61-2-9817 4188   FAX: +61-2-9817 5199
Level 3, 230 Victoria Road   http://people.qualcomm.com/ggr/
Gladesville NSW 2111         232B EC8F 44C6 C853 D68F  E107 E6BF CD2F 1081 A37C