On Sat, 6 Aug 2005, Perry E. Metzger wrote:
> We already have the term "snake oil" for a very different type of bad
> security idea, and the term has proven valuable for quashing such
> things. We need a term for this sort of thing -- the steel tamper
> resistant lock added to the tissue paper do
In Steve Bellovin and Eric Rescorla's paper, "Deploying a New Hash Algorithm"*,
the authors note the well-known property of hash functions:
For two different strings x and y,
H(x) = H(y) ==> H(x||s) = H(y||s)
It seems to me that there might be a class of hash functions for which this
property
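The suffix property quoted above is easiest to see on a narrow-pipe Merkle-Damgård construction, so here is an added illustration that is not part of the post or of the Bellovin-Rescorla paper: a toy 24-bit iterated hash (SHA-256 truncated to 3 bytes serves as the compression function, with an 8-byte block, 0x80 padding and a 2-byte length field; all of these parameters are my own choices, picked so a birthday search finishes in a fraction of a second). It finds two equal-length single-block messages whose chaining values collide and checks that every common suffix still collides. It also shows the caveat a practitioner should keep in mind: the property follows from a collision in the internal chaining value (which is what the published MD5/SHA-1 attacks deliver), not from equality of the final output alone, so a pair that collides only after the padding block generally stops colliding once a suffix is appended.

```python
"""Toy narrow-pipe Merkle-Damgard hash used to demonstrate why a chaining-value
collision H(x) = H(y) on equal-length x, y implies H(x||s) = H(y||s) for any s.
Constructed example; the 24-bit state and SHA-256-based compression function
are assumptions made here so that collisions can be found by brute force."""
import hashlib
import itertools

BLOCK = 8          # block size in bytes (toy value)
STATE_BYTES = 3    # 24-bit chaining value: birthday bound is only ~4k evaluations
IV = 0x5A5A5A      # arbitrary initial chaining value


def compress(state, block):
    """Compression function f(state, block): SHA-256 of (state || block), truncated."""
    assert len(block) == BLOCK
    digest = hashlib.sha256(state.to_bytes(STATE_BYTES, "big") + block).digest()
    return int.from_bytes(digest[:STATE_BYTES], "big")


def pad(msg):
    """MD strengthening: 0x80, zero fill, then a 2-byte big-endian bit length."""
    padded = msg + b"\x80"
    while len(padded) % BLOCK != BLOCK - 2:
        padded += b"\x00"
    return padded + ((8 * len(msg)) % 2 ** 16).to_bytes(2, "big")


def chain(state, data):
    """Iterate the compression function over whole blocks of data (no padding)."""
    assert len(data) % BLOCK == 0
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state


def toy_hash(msg):
    """Full hash: pad the message, then chain from the IV; output is the final state."""
    return chain(IV, pad(msg))


def find_state_collision():
    """Birthday search for two distinct single-block messages with equal
    chaining value after the message block (the situation the quoted property assumes)."""
    seen = {}
    for i in itertools.count():
        m = i.to_bytes(BLOCK, "big")
        s = compress(IV, m)
        if s in seen:
            return seen[s], m
        seen[s] = m


def find_output_only_collision():
    """Birthday search for two single-block messages whose *final* hashes collide
    although their chaining values after the message block differ, i.e. the
    collision happens inside the padding-block compression and does not propagate."""
    seen = {}
    for i in itertools.count():
        m = i.to_bytes(BLOCK, "big")
        h = toy_hash(m)
        if h in seen and chain(IV, seen[h]) != chain(IV, m):
            return seen[h], m
        seen.setdefault(h, m)


def suffix_collision_holds(x, y, suffixes):
    """True iff H(x||s) == H(y||s) for every suffix s in the list."""
    return all(toy_hash(x + s) == toy_hash(y + s) for s in suffixes)


if __name__ == "__main__":
    suffixes = [b"", b"suffix", b"A" * 37]
    x, y = find_state_collision()
    print("state collision:", x.hex(), y.hex(),
          "suffixes still collide:", suffix_collision_holds(x, y, suffixes))
    u, v = find_output_only_collision()
    print("output-only collision:", u.hex(), v.hex(),
          "suffixes still collide:", suffix_collision_holds(u, v, suffixes))
```

Because x and y are the same length, they receive identical padding, so once the chaining value agrees every later block is processed from the same state and the final outputs must agree; the output-only pair has no such shared state, so appending a suffix re-randomises the two hashes.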
When I came to Washington DC last November, my portrait and
fingerprints were taken for the first time. I was the last one in the
queue and the immigration officer was a nice guy, so I asked him how
this should protect against terrorists. As far as I read in the
newspapers, the 911 attackers just c
Reminds me of the White Knight from Alice in Wonderland, who doesn't
understand his threat model, and doesn't know how to effectively use
his tools:
`I see you're admiring my little box,' the Knight said in a friendly
tone. `It's my own invention -- to keep clothes and sandwiches in. You
see I ca
Perry E. Metzger wrote:
> A variant on the moviefone.com model might work better for these folks
> -- have the person buy the tickets with a credit card, and use a
> machine to check that they are in physical possession of said card
> when they enter the theater. Most people will not loan their car
"Steven M. Bellovin" <[EMAIL PROTECTED]> writes:
> Tickets are an excellent use for this, because it binds the printing to
> a specific physical object. The concert industry has had a problem
> with trying to use print-at-home tickets -- the fraudsters buy a single
> ticket, then print it mult
Anne & Lynn Wheeler wrote:
> random past posts on ssl domain name certificates ... some number dating
> back to the period of the original payment gateway.
> http://www.garlic.com/subpubkey.html#sslcert
oops, finger slip, that should be
http://www.garlic.com/~lynn/subpubkey.html#sslcert
... oh, a
In message <[EMAIL PROTECTED]nk.net>, John Kelsey writes:
>
>On the other hand, think about the uses of this technology
>for paper bearer instruments. Design travelers' checks that
>include a 2D barcode with a BLS signature, bound to the
>piece of paper, and you can print the damned thing on
>re
Folks might want to look at http://www.huitema.net/talks/ietf63-security.ppt
the slides from a talk Christian Huitema gave at the Applications Area
at IETF63 this past week. Of particular interest is just how cheap it
is to brute-force a passphrase these days, especially if it's just used
as a
>From: "Perry E. Metzger" <[EMAIL PROTECTED]>
>Sent: Aug 6, 2005 2:28 PM
>To: cryptography@metzdowd.com
>Subject: solving the wrong problem
>Frequently, scientists who know nothing about security come
>up with ingenious ways to solve non-existent problems. Take
>this, for example:
>http://www.sci
Perry E. Metzger wrote:
We need a term for this sort of thing -- the steel tamper
resistant lock added to the tissue paper door on the wrong vault
entirely, at great expense, by a brilliant mind that does not
understand the underlying threat model at all.
Anyone have a good phrase in mind that
>From: "Steven M. Bellovin" <[EMAIL PROTECTED]>
>Sent: Aug 5, 2005 12:04 PM
>To: Steve Furlong <[EMAIL PROTECTED]>
>Cc: cryptography@metzdowd.com
>Subject: Re: draft paper: "Deploying a New Hash Algorithm"
...
>I'd have phrased it differently than Perry did. I'd say
>that the attackers are often
Frequently, scientists who know nothing about security come up with
ingenious ways to solve non-existent problems. Take this, for example:
http://www.sciam.com/article.cfm?chanID=sa003&articleID=00049DB6-ED96-12E7-AD9683414B7F
Basically, some clever folks have found a way to "fingerprint" th
Mark Allen Earnest wrote:
> *yawn* Yet another person who confuses PK with PKI. Almost NOBODY has
> ever done PKI right. The I is the part everyone conveniently forgets
> when they claim otherwise.
when we were doing this stuff related to e-commerce ... we also had to
go out and audit some number
> I've personally
> designed and deployed many PKI solutions for large corporations for all
> sorts of security applications ranging from remote VPN access to wireless
> LAN security, and I can attest that the technology is simple, scalable, and
> reliable.
*yawn* Yet another person who conf
15 matches