Re: Article on passwords in Wired News

2004-06-07 Thread Peter Fairbrother
Peter Gutmann wrote:

 An article on passwords and password safety, including this neat bit:
 For additional security, she then pulls out a card that has 50
 scratch-off codes. Jubran uses the codes, one by one, each time she
 logs on or performs a transaction. Her bank, Nordea PLC, automatically
 sends a new card when she's about to run out.,1377,63670,00.html
 One-time passwords (TANs) was another thing I covered in the "Why isn't the
 Internet secure yet, dammit!" talk I mentioned here a few days ago.  From
 talking to assorted (non-European) banks, I haven't been able to find any that
 are planning to introduce these in the foreseeable future.  I've also been
 unable to get any credible explanation as to why not, as far as I can tell
 it's "We're not hurting enough yet".  Maybe it's just a cultural thing,
 certainly among European banks it seems to be a normal part of allowing
 customers online access to banking facilities.

My (European) bank uses memorable information, an alphanumeric string
provided by me, and they ask for three randomly chosen characters when
authenticating online. There is also a fixed password.

Not terribly secure, or terribly one-time, but it would defeat a simple
keylogger or shoulder surfing attack, for instance. It doesn't give me the
warm fuzzies, but it does mean I would use a dodgy terminal at least once if
I was stuck in the badlands (and then change passwords etc.).

Peter Fairbrother

The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
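
Added example (not part of the original post or the list archive): a Python sketch of the "three randomly chosen characters" check described in the message above, with an exact calculation of how its keylogger resistance erodes as an observer records more logins. The function names, the 8-character length and the sample string are assumptions made for illustration.

```python
from fractions import Fraction
from math import comb
import secrets

def pick_challenge(length, k=3):
    """Server side: choose k distinct 0-based positions with a CSPRNG."""
    positions = set()
    while len(positions) < k:
        positions.add(secrets.randbelow(length))
    return sorted(positions)

def check_response(memorable, positions, response):
    """Constant-time comparison of the requested characters.
    Checking arbitrary positions means the server cannot keep only a
    single hash of the whole string; here it is held in the clear."""
    expected = "".join(memorable[p] for p in positions)
    return secrets.compare_digest(expected.encode(), response.encode())

def known_distribution(length, sessions, k=3):
    """Exact distribution of how many distinct positions an observer
    (keylogger, shoulder surfer) has seen after `sessions` logins."""
    total = comb(length, k)
    dist = {0: Fraction(1)}
    for _ in range(sessions):
        nxt = {}
        for seen, prob in dist.items():
            for new in range(k + 1):
                # challenges with `new` unseen and k-new already seen positions
                ways = comb(length - seen, new) * comb(seen, k - new)
                if ways:
                    step = prob * Fraction(ways, total)
                    nxt[seen + new] = nxt.get(seen + new, 0) + step
        dist = nxt
    return dist

def replay_probability(length, sessions, k=3):
    """Chance that a fresh challenge asks only for observed positions."""
    total = comb(length, k)
    dist = known_distribution(length, sessions, k)
    return sum(p * Fraction(comb(m, k), total) for m, p in dist.items())

if __name__ == "__main__":
    secret = "correcthorse"  # constructed sample, not real data
    print("challenge positions:", pick_challenge(len(secret)))
    for n in (1, 2, 5, 10):
        print(n, "observed logins ->", float(replay_probability(8, n)))
```

For an 8-character string, one observed login lets the observer answer a fresh challenge with probability 1/56, which matches the "use a dodgy terminal at least once, then change passwords" reasoning in the post; the figure climbs quickly with each further observed login.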

WPES04 submission deadline extended

2004-06-07 Thread R. A. Hettinga

--- begin forwarded text

From: Paul Syverson [EMAIL PROTECTED]
Subject: WPES04 submission deadline extended
List-Id: Primary NymIP discussion list
Date: Mon, 7 Jun 2004 10:45:16 -0400


Washington, DC, USA - October 28, 2004
Sponsored by ACM SIGSAC
  Held in association with 11th ACM CCS 2004

Due to several requests the deadline is extended to June 17, 2004 (firm)

Privacy issues have been the subject of public debates and the need
for privacy-aware policies, regulations, and techniques has been
widely recognized. The goal of this workshop is to discuss the problems of
privacy in the global interconnected societies and possible solutions
to them. The 2004 Workshop is the third in what we hope will be a yearly
forum for papers on all the different aspects of privacy in today's
electronic society. The first two workshops in the series were held in
Washington, in conjunction with the 9th ACM CCS conference and with
the 10th ACM CCS conference, respectively. The success of the first
two editions of the workshop and the increased interest of the
community in privacy issues, is the main reason for repeating the

The workshop seeks submissions from academia and industry presenting
novel research on all theoretical and practical aspects of electronic
privacy, as well as experimental studies of fielded systems. We
encourage submissions from other communities such as law and business
that present these communities' perspectives on technological
issues. Topics of interest include, but are not limited to:

- anonymity, pseudonymity, unlinkability
- business model with privacy requirements
- data protection from correlation and leakage attacks
- electronic communication privacy
- information dissemination control
- privacy-aware access control
- privacy in the digital business
- privacy enhancing technologies
- privacy policies and human rights
- privacy and anonymity in Web transactions
- privacy threats
- privacy and confidentiality management
- privacy in the electronic records
- privacy in health care and public administration
- public records and personal privacy
- privacy and virtual identity
- personally identifiable information
- privacy policy enforcement
- privacy and data mining
- relationships between privacy and security
- user profiling
- wireless privacy

Submitted papers must not substantially overlap papers that have been
published or that are simultaneously submitted to a journal or a
conference with proceedings. Papers should be at most 15 pages
excluding the bibliography and well-marked appendices (using 11-point
font and reasonable margins on letter-size paper), and at most 20
pages total. Committee members are not required to read the
appendices, and so the paper should be intelligible without
them. Papers should have a cover page with the title, authors,
abstract and contact information.

Authors are invited to submit their contributions electronically
through the web site Submission must
be in the form of a ps (Postscript), or pdf (Adobe) file. Do NOT
submit files formatted for word processing packages (e.g., Microsoft
Word or WordPerfect files).

Papers must be received by the deadline of June 11, 2004 in order to
be considered. Notification of acceptance or rejection will be sent to
authors by August 2, 2004. Authors of accepted papers must guarantee
that their paper will be presented at the workshop. Accepted papers
will be published by the ACM in a conference proceedings.

Vijay Atluri
Rutgers University, USA
email: atluri at

Sabrina De Capitani di Vimercati   Paul Syverson
University of Milan                Naval Research Laboratory
email: samarati at                 url:

Paper Submission due:     June 17, 2004 (NEW)
Acceptance notification:  August 2, 2004
Final papers due:         August 30, 2004

JC Cannon, Microsoft, USA
Lorrie Cranor, Carnegie Mellon University, USA
Ernesto Damiani, University of Milan, Italy
George Danezis, University of Cambridge, UK
Roger Dingledine, The Free Haven Project, USA
Wenliang Du, Syracuse University, USA
Philippe Golle, Palo Alto Research Center, USA
Mike Gurski, Information  Privacy 

Passwords can sit on disk for years

2004-06-07 Thread Adam Fields

Tal Garfinkel (related to Simpson?) is a Stanford PhD student who has
put together a working model for tracking tainted data stored in RAM
in various popular applications.

This is the first mention I've seen of this - interesting stuff.

Abstract here:

- Adam

