Re: Free Rootkit with Every New Intel Machine

2007-06-26 Thread Peter Gutmann
[EMAIL PROTECTED] (Hal Finney) writes: The idea of putting a TPM on a smart card or other removable device is even more questionable from this perspective. It's not just questionable, it's a really, really bad idea. TPMs are fundamentally just severely feature-crippled smart cards. That is,

Re: Quantum Cryptography

2007-06-26 Thread Greg Troxel
Victor Duchovni [EMAIL PROTECTED] writes: Secure in what sense? Did I miss reading about the part of QKD that addresses MITM (just as plausible IMHO with fixed circuits as passive eavesdropping)? It would be good to read the QKD literature before claiming that QKD is always unauthenticated.

Re: Free Rootkit with Every New Intel Machine

2007-06-26 Thread David G. Koontz
Peter Gutmann wrote: David G. Koontz [EMAIL PROTECTED] writes: There are third party TPM modules, which could allow some degree of standardization: As I said in my previous message, just because they exist doesn't mean they'll do anything if you plug them into a MB with the necessary

RE: Free Rootkit with Every New Intel Machine

2007-06-26 Thread Hal Finney
Ian Farquhar writes: [Hal Finney wrote:] It seems odd for the TPM of all devices to be put on a pluggable module as shown here. The whole point of the chip is to be bound tightly to the motherboard and to observe the boot and initial program load sequence. Maybe I am showing my eternal

RE: Free Rootkit with Every New Intel Machine

2007-06-26 Thread Dave Korn
On 26 June 2007 00:51, Ian Farquhar (ifarquha) wrote: It seems odd for the TPM of all devices to be put on a pluggable module as shown here. The whole point of the chip is to be bound tightly to the motherboard and to observe the boot and initial program load sequence. Maybe I am showing

Re: Free Rootkit with Every New Intel Machine

2007-06-26 Thread David G. Koontz
David G. Koontz wrote: I picked on one motherboard, a Gigabyte GA-P3-DQ6 which has the 20 pin header for the IEI TPM pluggable. After an extensive investigation I found no direct evidence you can actually do as Peter states and roll your own building a TPM enabled system. That includes

Re: ad hoc IPsec or similiar

2007-06-26 Thread Sandy Harris
On 6/23/07, Eugen Leitl [EMAIL PROTECTED] wrote: The general idea is that if you use keys in DNS to authenticate gateways Aye, that's the rub. Most hosts are in dynamic address space, and anything involving DNS will not fly. It is certainly a problem, but you can get around it partially

Re: Free Rootkit with Every New Intel Machine

2007-06-26 Thread Alexander Klimov
On Mon, 25 Jun 2007, Hal Finney wrote: The idea of putting a TPM on a smart card or other removable device is even more questionable from this perspective. A TPM which communicates via an easily accessible and tamperable bus is almost useless for the security concepts behind the Trusted

Re: Quantum Cryptography

2007-06-26 Thread Nicolas Williams
On Fri, Jun 22, 2007 at 08:21:25PM -0400, Leichter, Jerry wrote: BTW, on the quantum subway tokens business: In more modern terms, what this was providing was unlinkable, untraceable e-coins which could be spent exactly once, with *no* central database to check against and none of this well,

Re: Quantum Cryptography

2007-06-26 Thread Victor Duchovni
On Mon, Jun 25, 2007 at 08:23:14PM -0400, Greg Troxel wrote: 1) Do you believe the physics? (Most people who know physics seem to.) Yes. 2) Does the equipment in your lab correspond to the idealized models with which the proofs for (1) were done. (Not even close.) Does QKD address a

Re: ad hoc IPsec or similiar

2007-06-26 Thread Taral
On 6/26/07, Sandy Harris [EMAIL PROTECTED] wrote: It is certainly a problem, but you can get around it partially even if your IP address is dynamically assigned: http://www.freeswan.org/freeswan_trees/freeswan-2.00/doc/quickstart.html#opp.client You do need to use a dynamic DNS server to

Re: Quantum Cryptography

2007-06-26 Thread Nicolas Williams
On Mon, Jun 25, 2007 at 08:23:14PM -0400, Greg Troxel wrote: Victor Duchovni [EMAIL PROTECTED] writes: Secure in what sense? Did I miss reading about the part of QKD that addresses MITM (just as plausible IMHO with fixed circuits as passive eavesdropping)? It would be good to read the

Re: Quantum Cryptography

2007-06-26 Thread John Denker
On 06/25/2007 08:23 PM, Greg Troxel wrote: 1) Do you believe the physics? (Most people who know physics seem to.) Well, I do happen to know a thing or two about physics. I know -- there is quite a lot you can do with quantum physics, and -- there is quite a lot you cannot do with quantum

Re: ad hoc IPsec or similiar

2007-06-26 Thread Nicolas Williams
On Fri, Jun 22, 2007 at 10:43:16AM -0700, Paul Hoffman wrote: Note that that RFC is Informational only. There were a bunch of perceived issues with it, although I think they were more purity disagreements than anything. FWIW, if you do *not* care about man-in-the-middle attacks (called

Re: ad hoc IPsec or similiar

2007-06-26 Thread Paul Hoffman
At 2:49 PM -0500 6/26/07, Nicolas Williams wrote: On Fri, Jun 22, 2007 at 10:43:16AM -0700, Paul Hoffman wrote: This was discussed many times, and always rejected as not good enough by the purists. Then the IETF created the BTNS Working Group which is spending huge amounts of time getting

Re: ad hoc IPsec or similiar

2007-06-26 Thread Nicolas Williams
On Tue, Jun 26, 2007 at 01:20:41PM -0700, Paul Hoffman wrote: For all the other aspects of BTNS (IPsec connection latching [and channel binding], IPsec APIs, leap-of-faith IPsec) agreeing on a globally shared secret does not come close to being sufficient. Fully agree. BTNS will definitely

Re: ad hoc IPsec or similiar

2007-06-26 Thread Paul Hoffman
At 3:26 PM -0500 6/26/07, Nicolas Williams wrote: I strongly dislike the WG's name. Suffice it to say that it was not my idea :); it created a lot of controversy at the time, though perhaps that controversy helped sell the idea (why would you want this silly, insecure stuff? because it enables

Re: Free Rootkit with Every New Intel Machine

2007-06-26 Thread Jon Callas
On Jun 25, 2007, at 7:23 PM, Matt Johnston wrote: On Mon, Jun 25, 2007 at 04:42:56PM +1200, David G. Koontz wrote: Apple (mis)uses TPM to unsuccessfully prevent OS X from running on non-Apple Hardware. All Apple on Intel machines have TPM, that's what 6 percent of new PCs? To nit