Ben Laurie b...@links.org writes:
I totally agree, and this is the thinking behind the Keyczar project (http://www.keyczar.org/):
If we're allowed to do self-promotion I'll have to mention cryptlib, which had
as one of its principal design goals what was later stated by Ian Grigg as
there
On 19/2/09 14:36, Peter Gutmann wrote:
There are a variety of password cost-estimation surveys floating around that
put the cost of password resets at $100-200 per user per year, depending on
which survey you use (Gartner says so, it must be true).
You can get OTP tokens for as little as $5.
Steven M. Bellovin s...@cs.columbia.edu writes:
http://www.theregister.co.uk/2009/02/19/ssl_busting_demo/ -- we've talked
about this attack for quite a while; someone has now implemented it.
My analysis of this (part of a much longer writeup):
-- Snip --
[...] it's now advantageous for
List,
In a business, one must write down the passwords and one must have a
duplicate copy of it, with further backup, where management can access
it. This is SOP.
This is done not just in case the proverbial truck hits the employee, or
fire strikes the building, or for the disgruntled
I would assume (hope?) that when you have an OTP token, you get two factor
authentication and don't stop needing a password. You would need a password
either to unlock the OTP device or to enter alongside the OTP value. Otherwise,
someone who finds your token can impersonate you.
Assuming that's
On Feb 17, 2009, at 6:03 PM, R.A. Hettinga wrote:
Begin forwarded message:
From: Sarad AV jtrjtrjtr2...@yahoo.com
Date: February 17, 2009 9:51:09 AM EST
To: cypherpu...@al-qaeda.net
Subject: Shamir secret sharing and information theoretic security
hi,
I was going through the wikipedia
Summary: Sweden developed its own secure encryption system for
communicating with fighter jets. A new jet, which is scheduled to
replace all existing fighters by 2011, uses a NATO-standard encryption
system - only. There is no plan in place to upgrade the ground
systems to the NATO
On Fri, 20 Feb 2009, Jerry Leichter wrote:
On Feb 19, 2009, at 8:36 AM, Peter Gutmann wrote:
There are a variety of password cost-estimation surveys floating around that
put the cost of password resets at $100-200 per user per year, depending on
which survey you use (Gartner says so, it
http://blog.fortify.com/blog/fortify/2009/02/20/SHA-3-Round-1
Off by On
A Software Security Blog
Friday, 20 February 2009
SHA-3 Round 1: Buffer Overflows
NIST is currently holding a competition to choose a design for the
SHA-3
Hello,
I have been following this list for some time, and I wanted to comment
on one of the projects I'm working on, just to hear your comments about
it (and because I think it is quite interesting for its security
implications...).
Starting in August 2009, all new Brazilian vehicles will need
On Feb 21, 2009, at 10:26 PM, Charlie Kaufman wrote:
Assuming that's true, OTP tokens add costs by introducing new
failure modes (e.g., I lost it, I ran it through the washing machine, etc.)
Or even more surprising hazards.
http://home.fnal.gov/~crawdad/CryptoCard.jpg
The token on the
Is it possible that the amount of information that the knowledge of a
sub-threshold number of Shamir fragments leaks in finite precision setting
depends on the finite precision implementation?
For example, if you know 2 of a 3 of 5 splitting and you also know that
the finite precision setting in
On February 21, 2009 14:34, Ed Gerck wrote:
In a business, one must write down the passwords and one must have a
duplicate copy of it, with further backup, where management can access
it. This is SOP.
This is done not just in case the proverbial truck hits the employee, or
fire strikes
On Sun, Feb 22, 2009 at 6:33 AM, Ed Gerck edge...@nma.com wrote:
List,
In a business, one must write down the passwords and one must have a
duplicate copy of it, with further backup, where management can access it.
This is SOP.
This is done not just in case the proverbial truck hits the
Is it possible that the amount of information that the knowledge of a
sub-threshold number of Shamir fragments leaks in finite precision setting
depends on the finite precision implementation?
For example, if you know 2 of a 3 of 5 splitting and you also know that
the finite precision
On 22/2/09 23:09, R.A. Hettinga wrote:
http://blog.fortify.com/blog/fortify/2009/02/20/SHA-3-Round-1
This just emphasizes what we already knew about C: even the most
careful, security-conscious developer messes up memory management.
No controversy there.
Some of you are saying, so what?
This just emphasizes what we already knew about C: even the most
careful, security-conscious developer messes up memory management.
However, I think it is not really efficient at this stage to insist on secure
programming for submission implementations. For the simple reason that
there are