Eric Rescorla wrote on 08 August 2008 16:06:
At Fri, 8 Aug 2008 11:50:59 +0100,
Ben Laurie wrote:
However, since the CRLs will almost certainly not be checked, this
means the site will still be vulnerable to attack for the lifetime of
the certificate (and perhaps beyond, depending on user
Eric Rescorla wrote on 08 August 2008 17:58:
At Fri, 8 Aug 2008 17:31:15 +0100,
Dave Korn wrote:
Eric Rescorla wrote on 08 August 2008 16:06:
At Fri, 8 Aug 2008 11:50:59 +0100,
Ben Laurie wrote:
However, since the CRLs will almost certainly not be checked, this
means the site
John Ioannidis wrote on 10 July 2008 18:03:
Eugen Leitl wrote:
In case somebody missed it,
http://www.tfr.org/wiki/index.php?title=Technical_Proposal_(IPETEE)
If this is a joke, I'm not getting it.
/ji
I thought the bit about Set $wgLogo to the URL path to your own logo
image was
Dave Howe wrote on 11 June 2008 19:13:
The Fungi wrote:
On Tue, Jun 10, 2008 at 11:41:56PM +0100, Dave Howe wrote:
The key size would imply PKI; that being true, then the ransom may
be for a session key (specific per machine) rather than the
master key it is unwrapped with.
Per the
Leichter, Jerry wrote on 11 June 2008 20:04:
Why are we wasting time even considering trying to break the public
key?
If this thing generates only a single session key (rather, a host
key) per machine, then why is it not trivial to break? The actual
encryption algorithm used is RC4,
Perry E. Metzger wrote on 27 May 2008 16:14:
Excerpt:
In a major change of stance, Canada-based Research In Motion (RIM)
may allow the Indian government to intercept non-corporate emails
sent over BlackBerrys.
Florian Weimer wrote on 27 May 2008 18:49:
* Dave Korn:
In a major change of stance, Canada-based Research In Motion (RIM)
may allow the Indian government to intercept non-corporate emails
sent over
Hagai Bar-El wrote on 18 March 2008 10:17:
All they
need to do is make sure (through a user-controlled but default-on
feature) that when the workstation is locked, new Firewire or PCMCIA
devices cannot be introduced. That hard?
Yes it is, without redesigning the PCI bus. A bus-mastering
On 11 February 2008 04:13, Ali, Saqib wrote:
I installed TrueCrypt on my laptop and ran some benchmark tests/
Benchmark Results:
http://www.full-disk-encryption.net/wiki/index.php/TrueCrypt#Benchmarks
Thanks for doing this!
Cons:
1) Buffered Read and Buffered Transfer Rate was almost
On 30 January 2008 17:01, Jim Cheesman wrote:
James A. Donald:
SSL is layered on top of TCP, and then one layers
one's actual protocol on top of SSL, with the result
that a transaction involves a painfully large number
of round trips.
Richard Salz wrote:
Perhaps theoretically painful,
On 30 January 2008 17:03, Perry E. Metzger wrote:
My main point here was, in fact, quite related to yours, and one that
we make over and over again -- innovation in such systems for its own
sake is also not economically efficient or engineering smart.
Hear hear! This maxim should be
On 30 January 2008 17:03, Eric Rescorla wrote:
We really do need to reinvent and replace SSL/TCP,
though doing it right is a hard problem that takes more
than morning coffee.
TCP could need some stronger integrity protection. 8 Bits of checksum isnĀ“t
enough in reality. (1 out of 256
On 22 January 2008 18:38, Ed Gerck wrote:
It is misleading to claim that port 587 solves the security problem of
email eavesdropping, and gives people a false sense of security. It is
worse than using a 56-bit DES key -- the email is in plaintext where it is
most vulnerable.
Well, yes:
On 23 January 2008 04:45, Ali, Saqib wrote:
can anyone please shed more light on this patent. It seems like a
patent on the simple process of cryptographic erase..
As far as I can tell, they're describing a hardware pass-through OTF
encryption unit that plugs inline with a hard drive
On 07 January 2008 17:14, Leichter, Jerry wrote:
Reported on Computerworld recently: To improve security, a system
was modified to ask one of a set of fixed-form questions after the
password was entered. Users had to provide the answers up front to
enroll. One question: Mother's maiden
I've been through the code. As far as I can see, there's nothing in
expand_builtin_memset_args that treats any value differently, so there can't be
anything special about memset(x, 0, y). Also as far as I can tell, gcc doesn't
optimise out calls to memset, not even thoroughly dead ones: for
On 09 December 2007 06:16, Peter Gutmann wrote:
Reading through Secure Programming with Static Analysis, I noticed an
observation in the text that newer versions of gcc such as 3.4.4 and 4.1.2
treat the pattern:
memset(?, 0, ?)
differently from any other memset in that it's not
On 19 September 2007 22:01, Nash Foster wrote:
http://labs.musecurity.com/2007/09/18/widespread-dh-implementation-weakness/
Any actual cryptographers care to comment on this?
IANAAC.
I don't feel qualified to judge.
Nor do I, but I'll have a go anyway. Any errors are all my own
On 13 September 2007 04:18, Aram Perez wrote:
to circumvent keylogging spyware - More on this later...
The first time you plug it in, you initialize it with a password -
Oh, wait until I disable my keylogging spyware.
You enter that password to unlock your secure files -
On 12 September 2007 19:28, Steven M. Bellovin wrote:
On Wed, 12 Sep 2007 09:28:51 -0400
Perry E. Metzger [EMAIL PROTECTED] wrote:
A rare 17th century crypto book is being auctioned.
http://www.liveauctioneers.com/item/4122383/
As I commented to Bruce, see what Kahn says about it:
On 07 September 2007 21:28, Leichter, Jerry wrote:
Grow up. *If* the drive vendor keeps the mechanism secret, you have
cause for complaint. But can you name a drive vendor who's done
anything like that in years?
All DVD drive manufacturers. That's why nobody could write a driver for
On 31 August 2007 02:44, travis+ml-cryptography wrote:
I think it might be fun to start up a collection of snake oil
cryptographic methods and cryptanalytic attacks against them.
I was going to post about crypto done wrong after reading this item[*]:
On 02 September 2007 01:13, Nash Foster wrote:
I don't think fingerprint scanners work in a way that's obviously
amenable to hashing with well-known algorithms. Fingerprint scanners
produce an image, from which some features can be identified. But, not
all the same features can be extracted
On 20 August 2007 16:00, Steven M. Bellovin wrote:
http://www.esecurityplanet.com/prevention/article.php/3694711
I'd sure like technical details...
Well, how about 'it can't possibly work [well]'?
[ ... ] The article provides a detailed example of how 20 messages can be
hidden in a 100
On 26 June 2007 00:51, Ian Farquhar (ifarquha) wrote:
It seems odd for the TPM of all devices to be put on a pluggable module as
shown here. The whole point of the chip is to be bound tightly to the
motherboard and to observe the boot and initial program load sequence.
Maybe I am showing
On 21 June 2007 04:41, Steven M. Bellovin wrote:
According to the AP (which is quoting Le Monde), French government
defense experts have advised officials in France's corridors of power
to stop using BlackBerry, reportedly to avoid snooping by U.S.
intelligence agencies.
That's a bit
On 26 May 2007 04:33, James Muir wrote:
Anyone heard of this before?
Been happening all over the place for several years now. Many references at
http://www.schneier.com/blog/archives/2006/10/please_stop_my.html
cheers,
DaveK
--
Can't think of a witty .sigline today
On 22 May 2007 14:51, Trei, Peter wrote:
In fairness, its worth noting that the issue is also mixed up
in Estonian electoral politics:
http://news.bbc.co.uk/1/hi/world/europe/6645789.stm
The timing of the electronic attacks, and the messages left by
vandals, leave little doubt that the
On 18 May 2007 05:44, Alex Alten wrote:
This may be a bit off the crypto topic,
You betcha!
but it is interesting nonetheless.
Russia accused of unleashing cyberwar to disable Estonia
http://www.guardian.co.uk/print/0,,329864981-103610,00.html
Estonia accuses Russia of 'cyberattack'
On 01 May 2007 22:33, Jon Callas wrote:
On May 1, 2007, at 12:53 PM, Perry E. Metzger wrote:
unsigned char* guess_key(void)
{
unsigned
char key[] = {0x0a, 0xFa, 0x12, 0x03,
0xD9, 0x42, 0x57, 0xC6,
0x9E, 0x75, 0xE4, 0x5C,
On 27 April 2007 20:34, Eastlake III Donald-LDE008 wrote:
See http://xkcd.com/c221.html.
Donald
http://web.archive.org/web/20011027002011/http://dilbert.com/comics/dilbert/ar
chive/images/dilbert2001182781025.gif
cheers,
DaveK
--
Can't think of a witty .sigline today
On 06 April 2007 00:50, Paul Hoffman wrote:
because, with it, one can sign the appropriate
chain of keys to forge records for any zone one likes.
If the owner of any key signs below their level, it is immediately
visible to anyone doing active checking.
Only if they get sent that
On 04 April 2007 00:44, Perry E. Metzger wrote:
Not that WEP has been considered remotely secure for some time, but
the best crack is now down to 40,000 packets for a 50% chance of
cracking the key.
http://www.cdc.informatik.tu-darmstadt.de/aircrack-ptw/
Sorry, is that actually better
Afternoon all,
This story is a couple of days old now but I haven't seen it mentioned
on-list yet.
The DHS has requested the master key for the DNS root zone.
http://www.heise.de/english/newsticker/news/87655
http://www.theregister.co.uk/2007/04/03/dns_master_key_controversy/
On 05 April 2007 16:48, [EMAIL PROTECTED] wrote:
Dave,
For the purposes of discussion,
(1) Why should I care whether Iran or China sign up?
I think it would be consistent to either a) care that *everybody* signs up,
or b) not care about DNSSEC at all, but I think that a fragmentary
On 08 September 2006 00:38, Travis H. wrote:
At home I have an excellent page on making fake fingerprints, but I
cannot find it
right now. It used gelatin (like jello) and was successful at fooling a
sensor.
http://search.theregister.co.uk/?q=gummi should be a start.
cheers,
On 28 August 2006 15:30, Ondrej Mikle wrote:
Ad. compression algorithm: I conjecture there exists an algorithm (not
necessarily *finite*) that can compress large numbers
(strings/files/...) into small space, more precisely, it can
compress number that is N bytes long into O(P(log N)) bytes,
On 28 August 2006 17:12, Ondrej Mikle wrote:
We are both talking about the same thing :-)
Oh!
I am not saying there is a finite deterministic algorithm to compress
every string into small space, there isn't. BTW, thanks for There
is ***NO*** way round the counting theory. :-)
All I
On 24 August 2006 03:06, Ondrej Mikle wrote:
Hello.
We discussed with V. Klima about the recent bug in PGPdisk that
allowed extraction of key and data without the knowledge of passphrase.
The result is a *very*wild*hypothesis*.
Cf. http://www.safehack.com/Advisory/pgp/PGPcrack.html
[ Originally tried to post this through gmane, but it doesn't seem to work;
apologies if this has been seen before. ]
Max A. wrote:
Hello!
Could anybody familiar with PGP products look at the following page
and explain in brief what it is about and what are consequences of the
described
Ondrej Mikle [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
Max A. wrote:
Hello!
Could anybody familiar with PGP products look at the following page
and explain in brief what it is about and what are consequences of the
described bug?
J. Bruce Fields wrote:
On Thu, Mar 23, 2006 at 08:15:50PM -, Dave Korn wrote:
So what they've been doing at my local branch of Marks Spencer
for the past few weeks is, at the end of the transaction after the
(now always chip'n'pin-based) card reader finishes authorizing your
Olle Mulmo wrote:
On Mar 20, 2006, at 21:51, [EMAIL PROTECTED] wrote:
I was tearing up some old credit card receipts recently - after all
these years, enough vendors continue to print full CC numbers on
receipts that I'm hesitant to just toss them as is, though I doubt
there
are many
Werner Koch wrote:
On Mon, 13 Feb 2006 03:07:26 -0500, John Denker said:
Again, enough false dichotomies already! Just because error codes
are open to abuse doesn't mean exiting is the correct thing to do.
For Libgcrypt's usage patterns I am still convinced that it is the
right decision.
Werner Koch wrote:
On Sat, 11 Feb 2006 12:36:52 +0100, Simon Josefsson said:
1) It invoke exit, as you have noticed. While this only happen
in extreme and fatal situations, and not during runtime,
it is not that serious. Yet, I agree it is poor design to
do this in a
Alexander Klimov wrote:
On Tue, 7 Feb 2006, Adam Fields wrote:
Over the past months more Bittorrent users noticed that their ISP is
killing all Bittorrent traffic . ISP?s like Rogers are using bit-
shaping applications to throttle the traffic that is generated by
Bittorrent.
A side note is
46 matches
Mail list logo