[Clips] The Word Crunchers

2005-06-03 Thread R.A. Hettinga
Even anonymous plaintext ain't so anonymous, boys and girls... Cheers, RAH --- begin forwarded text Date: Fri, 3 Jun 2005 23:30:57 -0400 To: Philodox Clips List <[EMAIL PROTECTED]> From: "R.A. Hettinga" <[EMAIL PROTECTED]> Subject: [Clips] The Word Crunchers Reply-To: [EMAIL PROTECTED] Sender:

Re: Papers about "Algorithm hiding" ?

2005-06-03 Thread Steve Furlong
On 6/3/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > Another alternative is the cyphersaber type of thing, where you could just > implement your crypto-code on the fly, as needed. Yes, I could, and have. Presumably you could. Ben Laurie probably could blindfolded with both hands tied behind h

Re: Papers about "Algorithm hiding" ?

2005-06-03 Thread astiglic
Well, everyone who has Windows on their machine (at least a Windows 95 updated version and up, I think) has at least Microsoft's crypto provider, and MS CAPI to use it! Most browsers implement HTTPS, so you have crypto there as well. I think we are already in a state where practically everybody

Re: Bluetooth cracked further

2005-06-03 Thread Perry E. Metzger
Matt Crawford <[EMAIL PROTECTED]> writes: > On Jun 3, 2005, at 11:55, Perry E. Metzger wrote: >> 2) They also have a way of forcing pairing to happen, by impersonating >>one of the devices and saying "oops! I need to pair again!" to the >>other. > > Do the devices then pair again without u

Re: Bluetooth cracked further

2005-06-03 Thread Edgar Danielyan
> If you have a pair of bluetooth devices that are paired, best to keep > them in a faraday cage at all times. "Buy a Bluetooth phone and get a matching colour Faraday cage for FREE!" * * Faraday not included. ... - The Cryptog

Re: Bluetooth cracked further

2005-06-03 Thread Matt Crawford
On Jun 3, 2005, at 11:55, Perry E. Metzger wrote: 2) They also have a way of forcing pairing to happen, by impersonating one of the devices and saying "oops! I need to pair again!" to the other. Do the devices then pair again without user intervention, re-using the PIN that paired them i

Re: Bluetooth cracked further

2005-06-03 Thread Perry E. Metzger
"Perry E. Metzger" <[EMAIL PROTECTED]> writes: > Cracking the Bluetooth PIN > > http://www.eng.tau.ac.il/~yash/shaked-wool-mobisys05/index.html I realized I didn't mention the really evil part. 1) They can crack your security if they can listen in to the pairing communication. 2) They also ha

Bluetooth cracked further

2005-06-03 Thread Perry E. Metzger
Cracking the Bluetooth PIN http://www.eng.tau.ac.il/~yash/shaked-wool-mobisys05/index.html Abstract: This paper describes the implementation of an attack on the Bluetooth security mechanism. Specifically, we describe a passive attack, in which an attacker can find the PIN used during the p

Re: Digital signatures have a big problem with meaning

2005-06-03 Thread John Gilmore
> That cuts both ways though. Since so many systems *do* screw with data (in > insignificant ways, e.g. stripping trailing blanks), anyone who does massage > data in such a way that any trivial change will be detected is going to be > inundated with false positives. Just ask any OpenPGP implement

Re: [Clips] Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills

2005-06-03 Thread Ian G
On Friday 03 June 2005 14:38, Greg Rose wrote: > At 00:48 2005-06-03 +0100, Ian G wrote: > >Just to make it more interesting, the AG of New York, Eliot Spitzer > >has introduced a package of legislation intended to "rein in identity > > theft" including: > > > > Facilitating prosecutions agains

Re: Digital signatures have a big problem with meaning

2005-06-03 Thread Peter Gutmann
Anne & Lynn Wheeler <[EMAIL PROTECTED]> writes: >the problem was that xml didn't have a deterministic definition for encoding >fields. Yup, see "Why XML Security is Broken", http://www.cs.auckland.ac.nz/~pgut001/pubs/xmlsec.txt, for more on this. Mind you ASN.1 is little better, there are rules

Re: Digital signatures have a big problem with meaning

2005-06-03 Thread Anne & Lynn Wheeler
Peter Gutmann wrote: That cuts both ways though. Since so many systems *do* screw with data (in insignificant ways, e.g. stripping trailing blanks), anyone who does massage data in such a way that any trivial change will be detected is going to be inundated with false positives. Just ask any Op

Re: [Clips] Paying Extra for Faster Airport Security

2005-06-03 Thread Anne & Lynn Wheeler
there were several news URLs a month or so ago about the issue of "faster" in conjunction with the orlando effort and some of the predictions on possibly 40mil (most frequently travelling) people sign up if such programs were rolled out around the country. the issue raised was that they were e

Re: [Clips] Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills

2005-06-03 Thread Greg Rose
At 00:48 2005-06-03 +0100, Ian G wrote: Just to make it more interesting, the AG of New York, Eliot Spitzer has introduced a package of legislation intended to "rein in identity theft" including: Facilitating prosecutions against computer hackers by creating specific criminal penalties for

Re: [Clips] Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills

2005-06-03 Thread Thierry Moreau
Adam Shostack wrote: No. If I get your database with SQL injection, all conditions are met, and I have your plaintext. But, the data is in an encrypted form, and you're saved. I'm not familiar with SQL injection vulnerabilities. Perhaps the issue is misrepresentation by the SQL provider

Re: [Clips] Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills

2005-06-03 Thread Adam Shostack
On Fri, Jun 03, 2005 at 12:12:31AM -0400, Thierry Moreau wrote: | Here is a suggestion for an encrypted data exception based on reasonable | key management principles: | | | | Sec xyz) The [breach notification requirement set forth in section ...] | does not apply to [breac

Re: Digital signatures have a big problem with meaning

2005-06-03 Thread Peter Gutmann
Rich Salz <[EMAIL PROTECTED]> writes: >I think signatures are increasingly being used for technical reasons, not >legal. That is, sign and verify just to prove that all the layers of >middleware and Internet and general bugaboos didn't screw with it. That cuts both ways though. Since so many s

[Clips] Security Woes Don't Slow Reed's Push Into Data Collection

2005-06-03 Thread R.A. Hettinga
--- begin forwarded text Date: Thu, 2 Jun 2005 23:45:21 -0400 To: Philodox Clips List <[EMAIL PROTECTED]> From: "R.A. Hettinga" <[EMAIL PROTECTED]> Subject: [Clips] Security Woes Don't Slow Reed's Push Into Data Collection Reply-To: [EMAIL PROTECTED] Sender: [EMAIL PROTECTED]

Re: [Clips] Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills

2005-06-03 Thread Thierry Moreau
Posted on cryptography@metzdowd.com: EWeek Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills May 31, 2005 By Caron Carlson Spurred by the ongoing flood of sensitive data breaches this spring, nearly a dozen states m