Re: How to Stop Junk E-Mail: Charge for the Stamp

2005-02-16 Thread Peter Gutmann
Barry Shein <[EMAIL PROTECTED]> writes: >Eventually email will just collapse (as it's doing) and the RBOCs et al will >inherit it and we'll all be paying 15c per message like their SMS services. And the spammers will be using everyone else's PC's to send out their spam, so the spam problem will s

SHA-1 cracked

2005-02-16 Thread Steven M. Bellovin
According to Bruce Schneier's blog (http://www.schneier.com/blog/archives/2005/02/sha1_broken.html), a team has found collisions in full SHA-1. It's probably not a practical threat today, since it takes 2^69 operations to do it and we haven't heard claims that NSA et al. have built massively p

Schneier on Security: SHA-1 Broken

2005-02-16 Thread R.A. Hettinga
Bruce Schneier Schneier on Security A weblog covering security and security technology. February 15, 2005 SHA-1 Broken SHA-1 has been broken. Not a reduced-round version. Not a simplified version.

SHA-1 broken, says Schneier

2005-02-16 Thread Andy Isaacson
From Bruce Schneier's weblog: http://www.schneier.com/blog/archives/2005/02/sha1_broken.html # SHA-1 has been broken. Not a reduced-round version. Not a simplified # version. The real thing. # # The research team of Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu (mostly # from Shandong University i

Digital Water Marks Thieves

2005-02-16 Thread R.A. Hettinga
Until, of course, people figure out that taggants on everything do nothing but confuse evidence and custody, not help it. Go ask the guys in the firearms labs about *that* one. Cheers, RAH --- Wired News Digital Water Marks Thieves B

'Trustworthy' Computing Now Gates' Focus

2005-02-16 Thread R.A. Hettinga
Yahoo! 'Trustworthy' Computing Now Gates' Focus 1 hour, 21 minutes ago By MATTHEW FORDAHL, AP Technology Writer SAN JOSE, Calif. - Microsoft Corp. co-founder Bill Gates (news - web s

TSA's Secure Flight (was Re: CRYPTO-GRAM, February 15, 2005)

2005-02-16 Thread R.A. Hettinga
At 6:23 AM -0600 2/15/05, Bruce Schneier wrote: >TSA's Secure Flight > > > >As I wrote last month, I am participating in a working group to study >the security and privacy of Secure Flight, the U.S. government's >program to match airline passengers with a terrorist watch list. In th

Making your IM secure--and deniable

2005-02-16 Thread R.A. Hettinga
CNET News Making your IM secure--and deniable By Robert Lemos Story last modified Mon Feb 14 17:05:00 PST 2005 SAN FRANCISCO--When you hit the Send button on an instant message, do you really know who is on the other end?

That's gratitude for ya...

2005-02-16 Thread Rich Salz
The other day I sent Amir Herzberg a private note saying I thought his new tool was pretty neat, and though I'm sure he's heard it a lot, thanks. He said nope, nobody else has said it, and I was stunned. As we all know, but apparently don't fully appreciate, the social aspects of security don'

NSA May Be 'Traffic Cop' for U.S. Networks

2005-02-16 Thread R.A. Hettinga
Posted on Mon, Feb. 14, 2005 NSA May Be 'Traffic Cop' for U.S. Networks TED BRIDIS Associated Press WASHINGTON - The Bush administration is considering making the National Security Agenc

critical bits in certs

2005-02-16 Thread Ian G
Has anyone got any experience or tips on critical bits in certificates? These are bits that can be set in optional records that a certificate creator puts in there to do a particular job. The critical bit says "don't interpret this entire certificate if you don't understand this record." x.509 ce

Fighting Net crime with code / Surge in phishing e-mails to take spotlight at cryptography conference

2005-02-16 Thread R.A. Hettinga
www.sfgate.com Fighting Net crime with code Surge in phishing e-mails to take spotlight at cryptography conference - Carrie Kirby, Chronicle S

banks and ssl fingerprints

2005-02-16 Thread Daniel Carosone
On Thu, Feb 10, 2005 at 06:24:46PM -0500, Steven M. Bellovin wrote: > One member of this mailing list, in a private exchange, noted that > he had asked his bank for their certificate's fingerprint. My > response was that I was astonished he found someone who knew what > he was talking about. I sp

Break-In At SAIC Risks ID Theft

2005-02-16 Thread R.A. Hettinga
The Washington Post washingtonpost.com Break-In At SAIC Risks ID Theft Computers Held Personal Data on Employee-Owners By Griff Witte Washington Post Staff Writer Saturday, February 12, 2005; Page E01 Some of the n

Re: fyi: Fingerprinting CPUs

2005-02-16 Thread Jeff . Hodges
[EMAIL PROTECTED] said: > This subject came up before. > http://citeseer.ist.psu.edu/shankar04side.html ah, yes, in various forms. The refs in that paper lead to this, fwiw.. http://dynamo.ecn.purdue.edu/~kennell/genuinity/publications.html JeffH

Security show set to spark debate

2005-02-16 Thread R.A. Hettinga
Security show set to spark debate Catch it if you can Roger Howorth, IT Week 11 Feb 2005 The RSA Conference 2005, hosted by security specialist RSA, kicks off in San Francisco on Monday. Keynote speakers include Bill Gates of Microsoft and fraud author

Re: TLS session resume concurrency?

2005-02-16 Thread Victor Duchovni
On Fri, Feb 11, 2005 at 11:31:16AM -0500, Tim Dierks wrote: > On Thu, 10 Feb 2005 15:59:04 -0500, Victor Duchovni > <[EMAIL PROTECTED]> wrote: > > If the symmetric cypher is fully re-keyed when sessions are resumed > > while avoiding the fresh start PKI overhead, then life is simple > > and sessio

House backs major shift to electronic IDs

2005-02-16 Thread R.A. Hettinga
CNET News House backs major shift to electronic IDs By Declan McCullagh Story last modified Thu Feb 10 17:46:00 PST 2005 The U.S. House of Representatives approved on Thursday a sweeping set of rules aimed at forcing states

Re: TLS session resume concurrency?

2005-02-16 Thread Tim Dierks
On Thu, 10 Feb 2005 15:59:04 -0500, Victor Duchovni <[EMAIL PROTECTED]> wrote: > If the symmetric cypher is fully re-keyed when sessions are resumed > while avoiding the fresh start PKI overhead, then life is simple > and sessions can be re-used unmodified. Otherwise I may need to > ponder on desig

Re: Desire safety on Net? (n) code has the solution

2005-02-16 Thread Matt Crawford
On Feb 10, 2005, at 12:42, Dan Kaminsky wrote: The SEC also asserts that the company's 10-Q bore an unauthorized electronic signature of Guccione Electronic but not digital, perhaps?

(Fwd) OpenPGP flaw prompts quick fix

2005-02-16 Thread Stefan Kelm
http://www.pgp.com/library/ctocorner/openpgp.html 10 Feb 2005 Today, cryptographers Serge Mister and Robert Zuccherato from Entrust released a paper outlining an attack on the way OpenPGP does symmetric cryptography. They have been kind enough to give the OpenPGP community advance notice of their

[Announce] Attack against OpenPGP encryption

2005-02-16 Thread R.A. Hettinga
--- begin forwarded text Date: Thu, 10 Feb 2005 20:00:17 -0500 From: David Shaw <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] OpenPGP: id=99242560; url=http://www.jabberwocky.com/david/keys.asc User-Agent: Mutt/1.5.7i Cc: Subject: [Announce] Attack against OpenPGP encryption Sender: [EMAIL PROTECTED

Re: A cool demo of how to spoof sites (also shows how TrustBar prevents this...)

2005-02-16 Thread Anne & Lynn Wheeler
Steven M. Bellovin wrote: "Unusual CA"? I'm not sure what a *usual* CA is. Just for fun, I opened up the CA list that came with my copy of Firefox. There are no fewer than 40 different entities listed, many of whom have more than one certificate. I personally know less than half of them to be

Re: A cool demo of how to spoof sites (also shows how TrustBar prevents this...)

2005-02-16 Thread Peter Gutmann
"Steven M. Bellovin" <[EMAIL PROTECTED]> writes: >Is a private root key (or the equivalent signing device) an asset that can be >acquired under bankruptcy proceedings? Almost certainly. Absolutely certainly. Even before Baltimore, CA's private keys had been bought and sold from/to third parties

more skype -- how are super nodes chosen/is diversity used

2005-02-16 Thread mark seiden
Anyone else actually know about these things? On 2/10/05 7:48 PM, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote: > david, thanks for your helpful analysis. > > one thing i haven't been able to find is a description of how supernodes are > selected for a particular call. > > (i'd assume they'd

Re: TLS session resume concurrency?

2005-02-16 Thread Eric Rescorla
Victor Duchovni <[EMAIL PROTECTED]> writes: > If multiple processes (or threads) have access to a shared TLS session > cache, does the cache need N sessions to serve N threads? Or can (I > think unlikely if sessions resume stream-ciphers from internal state > in the cache) the same session be used

Re: A cool demo of how to spoof sites (also shows how TrustBar prevents this...)

2005-02-16 Thread Adam Fields
On Thu, Feb 10, 2005 at 06:24:46PM -0500, Steven M. Bellovin wrote: [...] > One member of this mailing list, in a private exchange, noted that > he had asked his bank for their certificate's fingerprint. My > response was that I was astonished he found someone who knew what > he was talking about.