Re: [Cryptography] End to end

2013-09-18 Thread Christoph Gruber
On 2013-09-17 Max Kington wrote:


[snip]
> Hence, store in the clear, keep safe at rest using today's archival mechanism 
> and when that starts to get dated move onto the next one en-masse, for all 
> your media not just emails.
[snip]

I would tend to agree for environments with very high regulations, where the 
need to comply with regulations is more important than the need to keep data 
confidential.
I would suggest balancing that for every organisation. The risk of disclosure 
is much higher if data is stored unprotected. Any admin with access to the file 
system is able to read it.
Maybe this could be a cultural difference between the US and Europe: the 
regulatory pressure in the US is higher, in Europe privacy is more important or 
more protected.
I agree that both ways may be the right implementation for an organisation, but 
this has to be a management decision, balancing the needs.

Best regards

-- 
Christoph Gruber
"If privacy is outlawed, only outlaws will have privacy." Phil Zimmermann

___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography


Re: [Cryptography] End to end

2013-09-17 Thread Christoph Gruber
On 2013-09-16 Phillip Hallam-Baker wrote:
[snip]
> If people are sending email through the corporate email system then in many 
> cases the corporation has a need/right to see what they are sending/receiving.
[snip]

Even if an organisation has a need/right to look into people's email, it is 
necessary to protect the communication in transit and in storage. Of course a 
certain way of key recovery has to be in place.

Just my 2 cents

> -- 
> Website: http://hallambaker.com/

Re: English 19-year-old jailed for refusal to disclose decryption key

2010-10-07 Thread Christoph Gruber
On 06.10.2010 at 22:57, Marsh Ray wrote:

> On 10/06/2010 01:57 PM, Ray Dillinger wrote:
>> a 19-year-old just got a 16-month jail sentence for his refusal to
>> disclose the password that would have allowed investigators to see
>> what was on his hard drive.
> 
> I am thankful to not be an English "subject".


What about http://www.truecrypt.org/docs/?s=plausible-deniability
Could this be used?

-- 
Christoph Gruber
"If privacy is outlawed, only outlaws will have privacy." Phil Zimmermann

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com


Re: Spy/Counterspy

2010-07-11 Thread Christoph Gruber


-- 
Christoph Gruber
"If privacy is outlawed, only outlaws will have privacy." Phil Zimmermann

On 10.07.2010 at 12:57, Jerry Leichter wrote:

> On Jul 9, 2010, at 1:00 PM, Pawel wrote:
> 
>> 
>> Hi,
>> 
>> On Apr 27, 2010, at 5:38 AM, "Peter Gutmann (alt)" 
>>  wrote:
>> 
>>> GPS tracking units that you can fit to your car to track where your kids 
>>> are taking it [T]he sorts of places that'll sell you card skimmers and 
>>> RFID cloners have started selling miniature GPS jammers that plug
>>> into cigarette-lighter sockets on cars  In other words these are 
>>> specifically designed to stop cars from being tracked.
>>> 
>>> (Some of the more sophisticated trackers will fall back to 3G GSM-based
>>> tracking via UMTS modems if they lose the GPS signal, it'll be interesting 
>>> to see how long it takes before the jammers are updated to deal with 3G 
>>> signals as well, hopefully while leaving 2G intact for phonecalls).
>> 
>> Just wondering, why wouldn't GPS trackers use 2G to determine the location?
>> 
>> And, also, does it even need a cell service subscription for location 
>> determination, or is it enough to query the cell towers (through some 
>> handshake protocols) to figure out the proximities and coordinates?
> The 2G stuff wasn't designed to provide location information; that was hacked 
> in (by triangulating information received at multiple towers) after the fact. 
> I don't know that anyone has tried to do it from the receiver side - it seems 
> difficult, and would probably require building specialized receiver modules 
> (expensive).  3G provides location information as a standard service, so it's 
> cheap and easy.
> 
> The next attack, of course, is to use WiFi base station triangulation.  
> That's widely and cheaply available already, and quite accurate in many 
> areas.  (It doesn't work out in the countryside if you're far enough from 
> buildings, but then you don't have to go more than 60 miles or so from NYC to 
> get to areas with no cell service, either.)  The signals are much stronger, 
> and you can get location data with much less information, so jamming would be 
> more of a challenge.  Still, I expect we'll see that in the spy vs. spy race.
> 
> I wrote a message to Risks - that seems to never have appeared - citing an 
> article about GPS spoofing.  (I've included it below.)  In the spy vs. spy 
> game, of course, it's much more suspicious if the GPS suddenly stops working 
> than if it shows you've gone to the supermarket.  Of course, WiFi (and 
> presumably UMTS equipment, though that might be harder) can also be spoofed.  
> I had an experience - described in another RISKS article - in which 
> WiFi-based location suddenly teleported me from Manhattan to the Riviera - 
> apparently because I was driving past a cruise ship in dock and its on-board 
> WiFi had been sampled while it was in Europe.
> -- Jerry
> 
> 
> The BBC reports (http://news.bbc.co.uk/2/hi/science/nature/8533157.stm) on 
> the growing threat of jamming to satellite navigation systems.  The 
> fundamental vulnerability of all the systems - GPS, the Russian Glonass, and 
> the European Galileo - is the very low power of the transmissions.  (Nice 
> analogy:  A satellite puts out less power than a car headlight, illuminating 
> more than a third of the Earth's surface from 20,000 kilometers.)  Jammers - 
> which simply overwhelm the satellite signal - are increasingly available 
> on-line.  According to the article, low-powered hand-held versions cost less 
> than £100, run for hours on a battery, and can confuse receivers tens of 
> kilometers away.
> 
> The newer threat is from spoofers, which can project a false location.  This 
> still costs "thousands", but the price will inevitably come down.
> 
> A test done in 2008 showed that it was easy to badly spoof ships off the 
> English coast, causing them to read locations anywhere from Ireland to 
> Scandinavia.
> 
> Beyond simple hacking - someone is quoted saying "You can consider GPS a 
> little like computers before the first virus - if I had stood here before 
> then and cried about the risks, you would've asked 'why would anyone 
> bother?'." - among the possible vulnerabilities are to high-value cargo, 
> armored cars, and rental cars tracked by GPS. As we build more and more 
> "location-aware" services, we are inherently building more 
> "false-location-vulnerable" services at the same time.
> 



Re: Blackberries insecure?

2007-06-21 Thread Christoph Gruber

[EMAIL PROTECTED] wrote:

Steve,

It could be that the linkage between user ids and auth keys is too weak,
allowing a MITM attack to be undetected that sniffs the data encryption
key. This seems to be a common problem with many of the secure protocols 
I've examined.


- Alex



Ahoi!

Nobody knows what the blackberry does with the decrypted data. The 
whole device is a black-box, so it is able to do anything it is 
programmed for, with all the data transmitted to it.


--
Grisu




- Original Message -
From: "Steven M. Bellovin" <[EMAIL PROTECTED]>
To: cryptography@metzdowd.com
Subject: Blackberries insecure?
Date: Wed, 20 Jun 2007 23:41:20 -0400


According to the AP (which is quoting Le Monde), "French government
defense experts have advised officials in France's corridors of power
to stop using BlackBerry, reportedly to avoid snooping by U.S.
intelligence agencies."

That's a bit puzzling.  My understanding is that email is encrypted
from the organization's (Exchange?) server to the receiving Blackberry,
and that it's not in the clear while in transit or on RIM's servers.
In fact, I found this text on Blackberry's site:

Private encryption keys are generated in a secure, two-way
authenticated environment and are assigned to each BlackBerry
device user. Each secret key is stored only in the user's secure
regenerated by the user wirelessly.

Data sent to the BlackBerry device is encrypted by the
BlackBerry Enterprise Server using the private key retrieved
from the user's mailbox. The encrypted information travels
securely across the network to the device where it is decrypted
with the key stored there.

Data remains encrypted in transit and is never decrypted outside
of the corporate firewall.

Of course, we all know there are ways that keys can be leaked.


--Steve Bellovin, http://www.cs.columbia.edu/~smb
