Re: entropy depletion

2005-01-26 Thread Steven M. Bellovin
Let me raise a different issue: a PRNG might be better *in practice* because of higher assurance that it's actually working as designed at any given time. Hardware random number generators are subject to all sorts of environmental issues, including stuck bits, independent oscillators that

Re: Simson Garfinkel analyses Skype - Open Society Institute

2005-01-26 Thread Adam Shostack
On Mon, Jan 10, 2005 at 08:33:41PM -0800, David Wagner wrote: | In article [EMAIL PROTECTED] you write: | Voice Over Internet Protocol and Skype Security | Simson L. Garfinkel | http://www.soros.org/initiatives/information/articles_publications/articles/security_20050107/OSI_Skype5.pdf | | Is

Re: Simson Garfinkel analyses Skype - Open Society Institute

2005-01-26 Thread Peter Gutmann
David Wagner [EMAIL PROTECTED] writes: Is Skype secure? The answer appears to be, no one knows. There have been other posts about this in the past, even though they use known algorithms the way they use them is completely homebrew and horribly insecure: Raw, unpadded RSA, no message

Re: entropy depletion

2005-01-26 Thread Ian G
Ben Laurie wrote: William Allen Simpson wrote: Why then restrict it to non-communications usages? Because we are starting from the postulate that observation of the output could (however remotely) give away information about the underlying state of the entropy generator(s). Surely observation of

Re: Entropy and PRNGs

2005-01-26 Thread John Denker
Ed Gerck wrote: Let me comment, John, that thermal noise is not random When did you figure that out? If you'd been paying attention, you'd know that I figured that out a long time ago. First of all, the phrase not random is ambiguous. I said Some people think random should denote 100% entropy

Re: entropy depletion

2005-01-26 Thread Ian G
Ben Laurie wrote: William Allen Simpson wrote: Why then restrict it to non-communications usages? Because we are starting from the postulate that observation of the output could (however remotely) give away information about the underlying state of the entropy generator(s). Surely observation of

Re: Simson Garfinkel analyses Skype - Open Society Institute

2005-01-26 Thread Chris Palmer
People may already have seen this, but maybe not. Another Skype analysis: http://www.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf -- Chris Palmer Technology Manager, Electronic Frontier Foundation 415 436 9333 x124 (desk), 415 305 5842 (cell) 81C0 E11D CE73

Re: entropy depletion

2005-01-26 Thread William Allen Simpson
Ben Laurie wrote: William Allen Simpson wrote: Why then restrict it to non-communications usages? Because we are starting from the postulate that observation of the output could (however remotely) give away information about the underlying state of the entropy generator(s). Surely observation of

Re: entropy depletion

2005-01-26 Thread William Allen Simpson
Ian G wrote: The *requirement* is that the generator not leak information. This requirement applies equally well to an entropy collector as to a PRNG. Now here we disagree. It was long my understanding that the reason the entropy device (/dev/random) could be used for both output and input, and

Re: OpenVPN and SSL VPNs

2005-01-26 Thread James Yonan
* Stefan Mink: a) It would be good to hear from this community if there are any negative aspects of OpenVPN (vs. IPsec VPNs). It's not standardized, and it only interoperates with itself (but this is true for many IPsec implementations as well). This is more than compensated by its

Re: Simson Garfinkel analyses Skype - Open Society Institute

2005-01-26 Thread Joseph Ashwood
- Original Message - From: David Wagner [EMAIL PROTECTED] Subject: Simson Garfinkel analyses Skype - Open Society Institute In article [EMAIL PROTECTED] you write: Is Skype secure? The answer appears to be, no one knows. The report accurately reports that because the security

DIMACS Workshop on Security of Web Services and E-Commerce

2005-01-26 Thread Linda Casals
Call for Participation Deadline January 17, 2005 *** DIMACS Workshop on Security of Web Services and E-Commerce May 5 - 6, 2005 DIMACS Center, Rutgers University, Piscataway, NJ Organizer: Brian

Effort to Speed Airport Security Is Going Private

2005-01-26 Thread R.A. Hettinga
http://online.wsj.com/article_print/0,,SB110549106703823542,00.html The Wall Street Journal January 12, 2005 Effort to Speed Airport Security Is Going Private Move Aims to Expand Program That Preregisters People Who Travel Frequently By AMY SCHATZ Staff Reporter of THE WALL STREET

Re: entropy depletion

2005-01-26 Thread Ben Laurie
William Allen Simpson wrote: Ben Laurie wrote: William Allen Simpson wrote: Why then restrict it to non-communications usages? Because we are starting from the postulate that observation of the output could (however remotely) give away information about the underlying state of the entropy

[EMAIL PROTECTED]: [fc-announce] FC'05 - Registration Now Open]

2005-01-26 Thread R. Hirschfeld
From: Stuart E. Schechter [EMAIL PROTECTED] Subject: [fc-announce] FC'05 - Registration Now Open To: [EMAIL PROTECTED] [EMAIL PROTECTED] Date: Wed, 12 Jan 2005 21:29:22 -0500 Registration now open at http://www.ifca.ai/fc05/registration.html Call for Participation

Network World: NIST dubious about 802.11 TKIP; wants AES

2005-01-26 Thread John Gilmore
NIST mulls new WLAN security guidelines By Ellen Messmer The National Institute of Standards and Technology, the federal agency responsible for defining security standards and practices for the government, plans to issue new guidelines pertaining to wireless LANs in the near future. The

Re: entropy depletion

2005-01-26 Thread Ian G
William Allen Simpson wrote: Ian G wrote: The *requirement* is that the generator not leak information. This requirement applies equally well to an entropy collector as to a PRNG. Now here we disagree. It was long my understanding that the reason the entropy device (/dev/random) could be used for

Sun creates worlds smallest SSL Web server

2005-01-26 Thread R.A. Hettinga
http://www.cbronline.com/article_news.asp?guid=38DE2210-C6D9-4A59-B84F-98588FA24962 - Computer Business Review Sun creates world's smallest SSL Web server Sun Microsystems Inc has created what can truly be called a microsystem. The tiny server, nicknamed Sizzle (from Slim SSL), is the size and

Hanging the Pirates

2005-01-26 Thread R.A. Hettinga
http://www.forbes.com/forbes/2005/0131/096_print.html Forbes Security Hanging the Pirates 01.31.05 Paul Kocher has a way to save Hollywood from illegal copying. Over the past few months top brass from Hollywood and Japan's consumer electronics giants have been hashing out their futures in

[Fwd: Call for Papers: Virtual Goods 2005]

2005-01-26 Thread Ed Gerck
Dear Virtual Goods Community, here is the link to the cfp: http://virtualgoods.tu-ilmenau.de/2005/cfp_short.txt Please feel free to distrubute it. Best regards Juergen Here is the text: C A L L F O R P A P E R S The 3rd International Workshop for

Driver's license scandals raise national security worries

2005-01-26 Thread R.A. Hettinga
http://www.nynewsday.com/news/local/state/ny-bc-ct--illegallicenses0115jan15,0,6884979,print.story?coll=ny-region-apconnecticut Driver's license scandals raise national security worries By JOHN CHRISTOFFERSEN Associated Press Writer January 15, 2005, 5:30 PM EST BRIDGEPORT, Conn. --

Texas Instruments to Deliver RFID Solution for MasterCard PayPass

2005-01-26 Thread R.A. Hettinga
http://biz.yahoo.com/prnews/050117/nym042_1.html?printer=1 Yahoo! Finance Search - Finance Home - Yahoo! - Help Financial News Enter symbol(s) Symbol Lookup Press Release Source: Texas Instruments Texas Instruments to Deliver RFID Solution for MasterCard PayPass Monday January 17, 10:00 am

[i2p] Tunnel cryptography for I2P 0.5 (corrected typo) (fwd from [EMAIL PROTECTED])

2005-01-26 Thread Eugen Leitl
From: [EMAIL PROTECTED] Subject: [i2p] Tunnel cryptography for I2P 0.5 (corrected typo) To: [EMAIL PROTECTED] Date: Mon, 17 Jan 2005 22:15:33 -0800 Citizens of I2P, The following is a discussion of tunnel cryptography plans for I2P 0.5. There are two options; one will be chosen. [1] and [2]

Re: [i2p] Tunnel cryptography for I2P 0.5 (corrected typo)

2005-01-26 Thread jrandom
Thanks Connelly for the writeup and the discussion, The following is a discussion of tunnel cryptography plans for I2P 0.5. There are two options; one will be chosen. A few key changes were missed in this draft, and I've incorporated all of the suggestions from yesterday into [1]. The

Webpay system open to voucher fraud

2005-01-26 Thread R.A. Hettinga
http://www.theregister.co.uk/2005/01/17/webpay_voucher_fraud/print.html The Register Biting the hand that feeds IT The Register » Security » Network Security » Original URL: http://www.theregister.co.uk/2005/01/17/webpay_voucher_fraud/ Webpay system open to voucher fraud By Jan Libbenga

DIMACS Workshop on Theft in E-Commerce: Content, Identity, and Service

2005-01-26 Thread Linda Casals
CALL FOR PARTICIPATION** * DIMACS Workshop on Theft in E-Commerce: Content, Identity, and Service April 14 - 15, 2005 DIMACS Center, Rutgers University, Piscataway, NJ Organizers:

Word and Excel have RC4 flaw, claim

2005-01-26 Thread R.A. Hettinga
http://www.theinquirer.net/print.aspx?article=20790print=1 Word and Excel have RC4 flaw, claim Cryptic cross words By: Nick Farrell Wednesday 19 January 2005, 07:50 SECURITY EXPERT Bruce Schneier claims that Microsoft's Word and Excel security protection systems have amateurish flaws which

Schneier on Security: Microsoft RC4 Flaw

2005-01-26 Thread R.A. Hettinga
http://www.schneier.com/blog/archives/2005/01/microsoft_rc4_f.html Bruce Schneier Schneier on Security A weblog covering security and security technology. January 18, 2005 Microsoft RC4 Flaw One of the most important rules of stream ciphers is to never use the same keystream to

Consumer-Electronics Firms Join To Develop Antipiracy Software

2005-01-26 Thread R.A. Hettinga
http://online.wsj.com/article_print/0,,SB110609171910929502,00.html The Wall Street Journal January 19, 2005 Consumer-Electronics Firms Join To Develop Antipiracy Software By DON CLARK Staff Reporter of THE WALL STREET JOURNAL January 19, 2005; Page D5 Some of the biggest

DIMACS Workshop on Bounded Rationality

2005-01-26 Thread Linda Casals
Registration Deadline: January 24, 2005** * DIMACS Workshop on Bounded Rationality January 31 - February 1, 2005 DIMACS Center, Rutgers University, Piscataway, NJ Organizers: Lance Fortnow,

Tor 0.0.9.3 is out (fwd from [EMAIL PROTECTED])

2005-01-26 Thread R.A. Hettinga
--- begin forwarded text Date: Sat, 22 Jan 2005 10:01:46 +0100 From: Eugen Leitl [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Tor 0.0.9.3 is out (fwd from [EMAIL PROTECTED]) User-Agent: Mutt/1.4i Sender: [EMAIL PROTECTED] From: Roger Dingledine [EMAIL PROTECTED] Subject: Tor 0.0.9.3 is out

New Scientist article: Wireless boom is hackers' heaven

2005-01-26 Thread Jim Cheesman
[From: http://www.newscientist.com/article.ns?id=dn6894] Setting up a wireless computer network at home has never been easier or cheaper. But the freedom to access the internet from anywhere in or around the house comes at a cost: Wi-Fi networks leave home computer users open to unprecedented

PET 2005 Submission deadline approaching (7 Feb) and PET Award (21 Feb)

2005-01-26 Thread R.A. Hettinga
--- begin forwarded text To: sec-lists: ;, anonymity researchers: ;, David Martin [EMAIL PROTECTED] Date: Tue, 25 Jan 2005 15:05:55 + From: George Danezis [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: PET 2005 Submission deadline approaching (7 Feb) and PET Award (21 Feb)

Sleuthing Spyware--And Its Corporate Sponsors

2005-01-26 Thread R.A. Hettinga
http://www.forbes.com/2005/01/19/cx_pp_0120spyedelman_print.html Forbes Software Sleuthing Spyware--And Its Corporate Sponsors Penelope Patsuris, 01.19.05, 5:34 PM ET Benjamin Edelman became a spyware expert before most of us had any idea what was even clogging our computers. He's