Re: solving the wrong problem

2005-08-06 Thread J.A. Terranson
On Sat, 6 Aug 2005, Perry E. Metzger wrote: > We already have the term "snake oil" for a very different type of bad > security idea, and the term has proven valuable for quashing such > things. We need a term for this sort of thing -- the steel tamper > resistant lock added to the tissue paper do

Possible non-extension property for hash functions

2005-08-06 Thread Bill Frantz
In Steve Bellovin and Eric Rescorla's paper, "Deploying a New Hash Algorithm"*, the authors note the well-known property of hash functions: For two different strings x and y, H(x) = H(y) ==> H(x||s) = H(y||s) It seems to me that there might be a class of hash functions for which this property

Re: solving the wrong problem

2005-08-06 Thread Hadmut Danisch
When I came to Washington DC last November, my portrait and fingerprints were taken for the first time. I was the last one in the queue and the immigration officer was a nice guy, so I asked him how this should protect against terrorists. As far as I read in the newspapers, the 911 attackers just c

Re: solving the wrong problem

2005-08-06 Thread Sherri Davidoff
Reminds me of the White Knight from Alice in Wonderland, who doesn't understand his threat model, and doesn't know how to effectively use his tools: `I see you're admiring my little box,' the Knight said in a friendly tone. `It's my own invention -- to keep clothes and sandwiches in. You see I ca

Re: solving the wrong problem

2005-08-06 Thread Anne & Lynn Wheeler
Perry E. Metzger wrote: > A variant on the moviefone.com model might work better for these folks > -- have the person buy the tickets with a credit card, and use a > machine to check that they are in physical possession of said card > when they enter the theater. Most people will not loan their car

Re: solving the wrong problem

2005-08-06 Thread Perry E. Metzger
"Steven M. Bellovin" <[EMAIL PROTECTED]> writes: > Tickets are an excellent use for this, because it binds the printing to > a specific physical object. The concert industry has had a problem > with trying to use print-at-home tickets -- the fraudsters buy a single > ticket, then print it mult

Re: [Clips] Does Phil Zimmermann need a clue on VoIP?

2005-08-06 Thread Anne & Lynn Wheeler
Anne & Lynn Wheeler wrote: > random past posts on ssl domain name certificates ... some number dating > back to the period of the original payment gateway. > http://www.garlic.com/subpubkey.html#sslcert oops, finger slip, that should be http://www.garlic.com/~lynn/subpubkey.html#sslcert ... oh, a

Re: solving the wrong problem

2005-08-06 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED] nk.net>, John Kelsey writes: > >On the other hand, think about the uses of this technology >for paper bearer instruments. Design travelers' checks that >include a 2D barcode with a BLS signature, bound to the >piece of paper, and you can print the damned thing on >re

cracking passwords and challenge/response

2005-08-06 Thread Steven M. Bellovin
Folks might want to look at http://www.huitema.net/talks/ietf63-security.ppt the slides from a talk Christian Huitema gave at the Applications Area at IETF63 this past week. Of particular interest is just how cheap it is to brute-force a passphrase these days, especially if it's just used as a

Re: solving the wrong problem

2005-08-06 Thread John Kelsey
>From: "Perry E. Metzger" <[EMAIL PROTECTED]> >Sent: Aug 6, 2005 2:28 PM >To: cryptography@metzdowd.com >Subject: solving the wrong problem >Frequently, scientists who know nothing about security come >up with ingenious ways to solve non-existent problems. Take >this, for example: >http://www.sci

Re: solving the wrong problem

2005-08-06 Thread John Denker
Perry E. Metzger wrote: We need a term for this sort of thing -- the steel tamper resistant lock added to the tissue paper door on the wrong vault entirely, at great expense, by a brilliant mind that does not understand the underlying threat model at all. Anyone have a good phrase in mind that

Re: draft paper: "Deploying a New Hash Algorithm"

2005-08-06 Thread John Kelsey
>From: "Steven M. Bellovin" <[EMAIL PROTECTED]> >Sent: Aug 5, 2005 12:04 PM >To: Steve Furlong <[EMAIL PROTECTED]> >Cc: cryptography@metzdowd.com .Subject: Re: draft paper: "Deploying a New Hash Algorithm" ... >I'd have phrased it differently than Perry did. I'd say >that the attackers are often

solving the wrong problem

2005-08-06 Thread Perry E. Metzger
Frequently, scientists who know nothing about security come up with ingenious ways to solve non-existent problems. Take this, for example: http://www.sciam.com/article.cfm?chanID=sa003&articleID=00049DB6-ED96-12E7-AD9683414B7F Basically, some clever folks have found a way to "fingerprint" th

Re: [Clips] Does Phil Zimmermann need a clue on VoIP?

2005-08-06 Thread Anne & Lynn Wheeler
Mark Allen Earnest wrote: > *yawn* Yet another person who confuses PK with PKI. Almost NOBODY has > ever done PKI right. The I is the part everyone conveniently forgets > when they claim otherwise. when we were doing this stuff related to e-commerce ... we also had to go out and audit some number

Re: [Clips] Does Phil Zimmermann need a clue on VoIP?

2005-08-06 Thread Mark Allen Earnest
> I've personally > designed and deployed many PKI solutions for large corporations for all > sorts of security applications ranging from remote VPN access to wireless > LAN security, and I can attest that the technology is simple, scalable, and > reliable. *yawn* Yet another person who conf