Re: New DoD encryption mandate

2007-08-17 Thread Alex Alten

At 04:02 AM 8/17/2007 -0700, Ivan Krstić wrote:

> On Aug 16, 2007, at 8:30 AM, Ali, Saqib wrote:
>
> > The other problem is that it lacks any centralized management. If you
> > are letting TPM manage your Bitlocker keys you still need a TPM
> > management suite with key backup/restore/transfer/migrate capabilities
> > in case your computer goes bad.
>
> How so? If your computer goes bad, you need a *backup*. That's
> entirely orthogonal to the drive encryption problem. Bitlocker uses
> the TPM to provide assurance that your drive -- really, volume -- is
> locked to your computer, and that the early boot environment hasn't
> been messed with. When either check fails, you use the BitLocker
> recovery password (either on a USB stick or entered manually) to
> recover your data. This holds in the event that you take your drive
> out and stick it in a different machine. In other words, the TPM is
> not a single point of failure, so I don't understand why you think
> you care about TPM backup/restore/transfer.


It depends on your requirements.  For a large number of computers
owned by a corporation/organization centralized key management
makes a lot of sense.  For a single user with a privately purchased
computer then the recovery password makes more sense.


> > The third problem is that it is software based encryption, which uses
> > the main CPU to perform the encryption.
>
> Security is never free, but in 2007, we can afford the cycles. What's
> a better use for them? Drawing semi-transparent stained glass window
> borders?


Agreed, for most requirements.  Sometimes one may need to keep keys
in trusted hardware only.  The only real fly-in-the-ointment is that current
hash algorithms (SHA-1, SHA-2, etc.) don't scale across multiple CPU
cores (assuming you need integrity along with your privacy).

- Alex

--

Alex Alten
[EMAIL PROTECTED]



-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: Skype new IT protection measure

2007-08-17 Thread dan

Ed Gerck writes:
 | We've heard it so many times: "There's nothing to worry about."
 | Now, Skype adds a new IT protection measure -- "love":
 | 
 |   "The Skype system has not crashed or been victim of a cyber
 |   attack. We love our customers too much to let that happen."
 | 


-- Forwarded message --

From: Valery Marchuk <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Fri, 17 Aug 2007 10:30:50 +0300
Subject: [Full-disclosure] Skype Network Remote DoS Exploit

Hi all!

On the SecurityLab.ru forum, exploit code was published by an anonymous
user.  Reportedly it must have caused Skype massive disconnections
today.

The PoC uses the standard Skype client to call a specific number.
This call causes a denial of service of the current Skype server and
forces Skype to reconnect to another server. The new server also
"freezes" and so on ... the entire network.

Link: http://www.securitylab.ru/news/301422.php
PoC: http://en.securitylab.ru/poc/301420.php

Best regards,

Valery Marchuk
www.SecurityLab.ru

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Re: Skype new IT protection measure

2007-08-17 Thread J. Wren Hunt

Ed Gerck wrote:

> BTW, one may wonder what is really happening. Any other reports?
> 
The NYT today had this article:
http://www.nytimes.com/2007/08/17/business/17ebay.html

Wren



Re: New DoD encryption mandate

2007-08-17 Thread Ivan Krstić

On Aug 16, 2007, at 8:30 AM, Ali, Saqib wrote:

> The other problem is that it lacks any centralized management. If you
> are letting TPM manage your Bitlocker keys you still need a TPM
> management suite with key backup/restore/transfer/migrate capabilities
> in case your computer goes bad.


How so? If your computer goes bad, you need a *backup*. That's  
entirely orthogonal to the drive encryption problem. Bitlocker uses  
the TPM to provide assurance that your drive -- really, volume -- is  
locked to your computer, and that the early boot environment hasn't  
been messed with. When either check fails, you use the BitLocker  
recovery password (either on a USB stick or entered manually) to  
recover your data. This holds in the event that you take your drive  
out and stick it in a different machine. In other words, the TPM is  
not a single point of failure, so I don't understand why you think  
you care about TPM backup/restore/transfer.



> The third problem is that it is software based encryption, which uses
> the main CPU to perform the encryption.


Security is never free, but in 2007, we can afford the cycles. What's  
a better use for them? Drawing semi-transparent stained glass window  
borders?


--
Ivan Krstić <[EMAIL PROTECTED]> | http://radian.org
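
The two-protector arrangement described in the message above (a volume key released by the TPM only on the original machine with an unmodified boot chain, plus an independent recovery password), as an added example that is not part of the original post and is not BitLocker's own code. `ToyTPM`, the XOR-and-HMAC `wrap`, the SHA-256 PCR and all names are assumptions chosen so the model runs with the Python standard library.

```python
import hashlib, hmac, os

def extend(pcr: bytes, component: bytes) -> bytes:
    # TPM-style extend: new PCR = H(old PCR || H(component)); one-way, order-sensitive.
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(components) -> bytes:
    pcr = bytes(32)  # PCR starts at all zeroes on reset
    for c in components:
        pcr = extend(pcr, c)
    return pcr

def wrap(key: bytes, volume_key: bytes) -> bytes:
    # Toy authenticated wrap (XOR pad + HMAC tag); stands in for a real key-wrap cipher.
    pad = hmac.new(key, b"pad", hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(volume_key, pad))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def unwrap(key: bytes, blob: bytes):
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None  # wrong machine, changed boot chain, or wrong password
    pad = hmac.new(key, b"pad", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))

class ToyTPM:
    def __init__(self):
        self._srk = os.urandom(32)  # per-chip secret that never leaves the TPM
    def sealing_key(self, pcr: bytes) -> bytes:
        # Simplification: the unsealing key depends on both the chip and the PCR value.
        return hmac.new(self._srk, pcr, hashlib.sha256).digest()

def recovery_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def protect_volume(tpm, boot_chain, password):
    volume_key, salt = os.urandom(32), os.urandom(16)
    meta = {"salt": salt,
            "tpm_blob": wrap(tpm.sealing_key(measure_boot(boot_chain)), volume_key),
            "recovery_blob": wrap(recovery_key(password, salt), volume_key)}
    return meta, volume_key

def unlock(meta, tpm, boot_chain, password=None):
    key = unwrap(tpm.sealing_key(measure_boot(boot_chain)), meta["tpm_blob"])
    if key is not None:
        return "tpm", key
    if password is not None:
        key = unwrap(recovery_key(password, meta["salt"]), meta["recovery_blob"])
        if key is not None:
            return "recovery", key
    return "locked", None
```

Losing the TPM or moving the drive only invalidates `tpm_blob`; the volume key itself is still recoverable through `recovery_blob`, which is why the recovery password, not a TPM backup, is the fallback.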


Skype new IT protection measure

2007-08-17 Thread Ed Gerck

We've heard it so many times: "There's nothing to worry about."
Now, Skype adds a new IT protection measure -- "love":

  "The Skype system has not crashed or been victim of a cyber
  attack. We love our customers too much to let that happen."

Of course, these two phrases are a non sequitur. No amount of
a company's "love" for customers will prevent their IT system from
crashing or hackers from attacking and being successful. At the
very least, Skype is making users uneasy with such statements.

What's happening, and that's why Skype wrote about "love", is
that Skype users worldwide cannot call or hear voicemail for
many hours now.

The visible error is that users cannot login -- hence can't call,
etc. While this could be understandable, what is not understandable
is Skype's love declaration.

BTW, one may wonder what is really happening. Any other reports?

Cheers,
Ed Gerck
