Re: Where to get a Jefferson Wheel ?
I got mine in Secret Codes by Jackson. It's a cheap plastic model in a kids book. I didn't try to assemble the morse code thing, so can't comment on its quality.

http://www.amazon.com/exec/obidos/tg/detail/-/0762413514/

Adam

On Sun, Jan 02, 2005 at 12:59:14PM +0100, Hadmut Danisch wrote:
| Hi,
|
| does anyone know where I can get a
| Jefferson Wheel or a replica?
|
| regards
| Hadmut
|
| -
| The Cryptography Mailing List
| Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: AOL Help : About AOL® PassCode
* Ian G.:

> R.A. Hettinga wrote:
>
>> http://help.channels.aol.com/article.adp?catId=6sCId=415sSCId=4090articleId=217623
>>
>> Have questions? Search AOL Help articles and tutorials: .
>>
>> If you no longer want to use AOL PassCode, you must release your screen name from your AOL PassCode so that you will no longer need to enter a six-digit code when you sign on to any AOL service.
>>
>> To release your screen name from your AOL PassCode
>> 1. Sign on to the AOL service with the screen name you want to release from your AOL PassCode.
>
> OK. So all I have to do is craft a good reason to get people to reset their PassCode, craft it into a phishing mail and send it out?

I think you can forward the PassCode to AOL once the victim has entered it on a phishing site. Tokens à la SecurID can only help if the phishing schemes *require* delayed exploitation of obtained credentials, and I don't think we should make this assumption. Online MITM attacks are not prevented.

(Traditional IPsec XAUTH is problematic for the very same reason, even with a SecurID token lookalike.)
New computerized passport raises safety concerns
http://www.sanluisobispo.com/mld/sanluisobispo/business/technology/10556269.htm?template=contentModules/printstory.jsp

Posted on Mon, Jan. 03, 2005

New computerized passport raises safety concerns

By Kristi Heim
Seattle Times

When traveling abroad these days, most Americans probably wouldn't want the contents of their passports to be secretly read by strangers. But when a new high-tech passport system goes into effect as early as next spring, that's exactly what critics say could happen.

Before the end of the year, the first U.S. biometric passport will be issued with a tiny computer chip and antenna embedded inside it. The chip will contain a digital image of the person's face, along with other information such as name, birth date and birthplace. The data on the chip can be picked up wirelessly using a radio signal.

When the traveler enters the United States, border-control officials will snap a digital photo of the person, scan the data from the passport and run a facial-recognition software program to compare the two images. The system is designed to prevent forged passports by making sure the original passport holder and the person standing at the immigration counter are one and the same.

The problem, security and privacy experts say, is that the technical standard chosen for the system leaves passport data unprotected. The technology allows data on the chip to be read remotely using radio frequency identification or RFID. That means the passport does not have to be opened or even come in contact with a scanning device. Its contents can be read remotely -- some estimates claim as far away as 30 feet -- without the passport holder knowing anything about it.

Privacy advocates and the American Civil Liberties Union have sharply criticized the proposed system, saying it effectively creates "a global infrastructure of surveillance."

"The U.S.-backed standard means that all the information on American passports can be read by anyone with an RFID reader, whether they are an identity thief, a terrorist trying to spot the Americans in a room or a government agent looking to vacuum up the identities of everyone at a political rally, gun show or mosque," said Laura Murphy, director of the ACLU's Washington, D.C., legislative office.

The ACLU also questioned the use of facial-recognition technology, which can be used to track people but is not foolproof when it comes to matching identity.

The U.S. government is already requiring 27 foreign countries to include biometrics in their passports in order for their citizens to continue to travel to the United States without a visa. The mandate was passed in 2002 as part of an effort to tighten border security after the Sept. 11, 2001, attacks. Most of those countries, including the United Kingdom, have had trouble implementing the system and requested the deadline be postponed. Congress voted during the summer to extend the deadline one year to October 2005.

Now the State Department plans to expand that program to include U.S. passports, which were not part of the original legislation. But it may only be a matter of time before countries required by the United States to issue biometric passports demand the same kind of passports from American visitors.

By the end of 2005, according to the plan, all American passports produced domestically will be biometric passports. The new technology is set to go into diplomatic and official passports first, and move to all new and renewed regular passports around the middle of next year, said Kelly Shannon, spokeswoman in the State Department's Bureau of Consular Affairs.

The standard being used for U.S. passports was developed by the International Civil Aviation Organization, a United Nations-affiliated group based in Montreal. As the standard was being decided this year, privacy and security experts argued it should include features to protect the data, such as encryption or the addition of a printed bar code inside the passport to "unlock" the data. Such features would let passport holders know who was reading their data and when.

But the State Department so far has rejected proposals for encryption and other security measures. Department officials said encryption would hinder interoperability of the system among the different countries using it and slow down already tedious border crossings. It should function like RFID technology that monitors the flow of cars from a distance through automatic toll roads, for example.

Security expert Bruce Schneier, founder and chief technical officer of Counterpane Internet Security, said encryption would not solve security problems for the passport system. Instead, he recommends a system that requires direct contact with the chip.

"The owner of the passport has to acquiesce to give the data to somebody," Schneier said. If the passport has to touch the reader or be opened before it can be read, there is less chance for secret "skimming" of personal data. That is a
RE: Banks Test ID Device for Online Security
R.A. Hettinga wrote:
> Okay. So AOL and Banks are *selling* RSA keys???
> Could someone explain this to me?

At 12:24 PM 1/4/2005, Trei, Peter wrote:
> The slashdot article title is really, really misleading.
> In both cases, this is SecurID.

Yup. It's the little keychain frob that gives you a string of numbers, updated every 30 seconds or so, which stays roughly in sync with a server, so you can use them as one-time passwords instead of storing a password that's good for a long term.

So if the phisher cons you into handing over your information, they've got to rip you off in nearly-real-time with a MITM game instead of getting a password they can reuse, sell, etc. That's still a serious risk for a bank, since the scammer can use it to log in to the web site and then do a bunch of transactions quickly; it's less vulnerable if the bank insists on a new SecurID hit for every dangerous transaction, but that's too annoying for most customers.

Bill Stewart [EMAIL PROTECTED]
Re: Conspiracy Theory O' The Day
On Tue, 04 Jan 2005 15:41:12 -0500, John Denker [EMAIL PROTECTED] wrote:

Udhay Shankar N wrote:

I just got a batch of spam: perfectly justified blocks of random-looking characters. Makes me wonder if somebody is trying to train Bayesian filters to reject PGP messages.

Or someone is trying to slip messages past bayesian filters trained to allow pgp messages. Most of these spams are awarded insanely high spam scores by spamassassin.

Another hypothesis: Cover traffic, to defeat traffic analysis. The procedure: send N copies. N-M of them are spam, sent to uninterested parties. The other M parties are the intended recipients. Provided NM, and other mild restrictions, they achieve plausible deniability.

I've been getting spam with blocks of text strongly resembling pgp signatures appended for years now. Got about 250 of them last year. And, amusingly enough, they seem to keep up on their patches (the versions of pgp seem to keep up with the official releases). Still, the signatures would never verify, as there were invalid base64 characters in the signature block.

--
GDB has a 'break' feature; why doesn't it have 'fix' too?
Re: The Pointlessness of the MD5 attacks
C. Scott Ananian wrote:

> On Wed, 22 Dec 2004, Ben Laurie wrote:
>
>> Blimey. Finally. An attack I can actually believe in. Excellent.
>>
>> D131DD02C5E6EEC4693D9A0698AFF95C2FCAB58712467EAB4004583EB8FB7F8955AD340609F4B30283E488832571415A085125E8F7CDC99FD91DBDF280373C5BD8823E3156348F5BAE6DACD436C919C6DD53E2B487DA03FD02396306D248CDA0E99F33420F577EE8CE54B67080A80D1EC69821BCB6A8839396F9652B6FF72A70001B
>> is prime
>>
>> D131DD02C5E6EEC4693D9A0698AFF95C2FCAB50712467EAB4004583EB8FB7F8955AD340609F4B30283E4888325F1415A085125E8F7CDC99FD91DBD7280373C5BD8823E3156348F5BAE6DACD436C919C6DD53E23487DA03FD02396306D248CDA0E99F33420F577EE8CE54B67080280D1EC69821BCB6A8839396F965AB6FF72A70001B
>> is not prime
>>
>> both have MD5 b4b12dc7ec1b9422f6596d2a863d7900.
>
> It's worth noting that the *currently known* MD5 collisions are very limited in number and form. Anyone who did not screen their binaries for these would be a fool.

It was my understanding that they are very easy to generate. Are you scanning your binaries? Do you have a complete list?

> When more details emerge about the collision-generation technique, we'll be able to see if the MD5 collisions remain weak keys which we can efficiently check a binary for, or become general enough that it's impossible to rule out a collision in our binary material. But since Ben began this discussion by concentrating only on *currently-known* weaknesses in MD5, I would have to argue that this particular weakness, although possible to actually believe in, is pretty trivial to avoid. In fact, I'd argue strongly that any security review that neglected to notice a known MD5 collision in the key primes (in addition to checking that they are really prime, etc) would be incompetent.

Given that we know (for some value of know) that these collisions can be generated with trivial amounts of work, but do not know how to detect them (yet), I wouldn't agree with this. What would be incompetent would be to rely on an MD5 hash.

Cheers, Ben.

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff
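The exchange above turns on whether screening for known MD5 collisions is enough. As an added example (not code from any poster in the thread), this Python script takes the two values quoted in the message, compares them under MD5 and SHA-256 with and without a common suffix, and implements the kind of known-block screen the thread argues about. It assumes the first 128 bytes of each value are the colliding blocks; `compare`, `screen` and the sample blob are constructed for the example.

```python
import hashlib

# The two values quoted in the message above, copied from the page as hex.
A_HEX = (
    "D131DD02C5E6EEC4693D9A0698AFF95C2FCAB58712467EAB4004583EB8FB7F89"
    "55AD340609F4B30283E488832571415A085125E8F7CDC99FD91DBDF280373C5B"
    "D8823E3156348F5BAE6DACD436C919C6DD53E2B487DA03FD02396306D248CDA0"
    "E99F33420F577EE8CE54B67080A80D1EC69821BCB6A8839396F9652B6FF72A70"
    "001B"
)
B_HEX = (
    "D131DD02C5E6EEC4693D9A0698AFF95C2FCAB50712467EAB4004583EB8FB7F89"
    "55AD340609F4B30283E4888325F1415A085125E8F7CDC99FD91DBD7280373C5B"
    "D8823E3156348F5BAE6DACD436C919C6DD53E23487DA03FD02396306D248CDA0"
    "E99F33420F577EE8CE54B67080280D1EC69821BCB6A8839396F965AB6FF72A70"
    "001B"
)
A, B = bytes.fromhex(A_HEX), bytes.fromhex(B_HEX)

# Assumption of this example: the first 128 bytes (two MD5 blocks) of each
# value are what collide; the trailing 00 1B is identical in both.
KNOWN_BLOCKS = (A[:128], B[:128])

def compare(a, b, suffix=b""):
    """Hash both inputs, each followed by the same suffix, with MD5 and SHA-256."""
    a, b = a + suffix, b + suffix
    return {
        "inputs_differ": a != b,
        "md5_equal": hashlib.md5(a).digest() == hashlib.md5(b).digest(),
        "sha256_equal": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
    }

def screen(blob):
    """Return the offsets at which a known colliding block occurs inside blob."""
    hits = []
    for block in KNOWN_BLOCKS:
        pos = blob.find(block)
        while pos != -1:
            hits.append(pos)
            pos = blob.find(block, pos + 1)
    return sorted(hits)

if __name__ == "__main__":
    print(compare(A, B))                   # the pair from the thread
    print(compare(A, B, b"\x00" * 1000))   # same pair, longer common suffix
    key_file = b"-----constructed key material-----" + B + b"trailer"
    print(screen(key_file), screen(b"unrelated data"))
```

A screen of this kind only recognises block pairs already on its list, which is the limit the reply's question about a complete list points at.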
Re: Banks Test ID Device for Online Security
On Tue, Jan 04, 2005 at 03:24:56PM -0500, Trei, Peter wrote:

>> R.A. Hettinga wrote:
>> Okay. So AOL and Banks are *selling* RSA keys???
>> Could someone explain this to me?
>> No. Really. I'm serious...
>>
>> Cheers,
>> RAH
>
> The slashdot article title is really, really misleading.
> In both cases, this is SecurID.

In some cases this also may be VASCO DigiPass, which is a system very similar to SecurID, only cheaper. This technology seems to be quite popular in Europe, as a couple of banks in Poland routinely issue tokens, both VASCO and SecurID, to their customers for online authorization, and the tokens are used both in password generation (as described in the article) and challenge-response modes.

Alex
--
mors ab alto
0x46399138
RE: Cryptography Research wants piracy speed bump on HD DVDs
From: [EMAIL PROTECTED] [mailto:owner- [EMAIL PROTECTED] On Behalf Of Adam Back
Sent: Wednesday, December 22, 2004 11:48 PM

> I would think the simplest canonical counter-attack would be to make a p2p app that compares diffs in the binary output (efficiently rsync style) accumulates enough bits to strip the disk watermark, p2p rips and publishes. QED.

Why not the way it happens right now - re-encoding? Few people post DVD images of movies on p2p networks, and even when they do, I prefer a DivX or XviD variant. (Much better given my 'net bandwidth.) I strongly doubt there's any chance of a watermark surviving an unknown re-encoding process (DivX has dozens of parameters you can change).

Marcel
Re: Banks Test ID Device for Online Security
Bill Stewart wrote:

> That's still a serious risk for a bank, since the scammer can use it to log in to the web site and then do a bunch of transactions quickly; it's less vulnerable if the bank insists on a new SecurID hit for every dangerous transaction, but that's too annoying for most customers.

Here in Brazil it's common to ask for a new pin for every transaction

Mads
RE: Where to get a Jefferson Wheel ?
> The order of the wheels can't be changed. So this encryption device doesn't use any key?

Only the most trivial; you choose the row to transmit.
Re: Where to get a Jefferson Wheel ?
Dean, James wrote:

>> The order of the wheels can't be changed. So this encryption device doesn't use any key?
>
> Only the most trivial; you choose the row to transmit.

From what I've seen on the web not even that: Unlike the original Jefferson wheel these toys are not intended to choose any row, but to use the row directly under the plaintext row as cipher text. Instead of the line indicator from Jefferson, they have a sliding bar with two windows for two subsequent rows.

regards
Hadmut