Re: solving the wrong problem
On Sat, 6 Aug 2005, Perry E. Metzger wrote:

We already have the term snake oil for a very different type of bad security idea, and the term has proven valuable for quashing such things. We need a term for this sort of thing -- the steel tamper resistant lock added to the tissue paper door on the wrong vault entirely, at great expense, by a brilliant mind that does not understand the underlying threat model at all. Anyone have a good phrase in mind that has the right sort of flavor for describing this sort of thing?

Chief Security Officer comes to mind...

Perry

--
Yours, J.A. Terranson [EMAIL PROTECTED] 0xBD4A95BF

I like the idea of belief in drug-prohibition as a religion in that it is a strongly held belief based on grossly insufficient evidence and bolstered by faith born of intuitions flowing from the very beliefs they are intended to support. don zweig, M.D.

- The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

[OT] Re: [Forwarded] RealID: How to become an unperson.
On Tue, 5 Jul 2005 [EMAIL PROTECTED] wrote:

your ID card. Exactly that circular problem as mentioned in the posting. But when I explained that circular problem, they checked by phone with the town's registry office and gave me the copy of the birth certificate without an ID card to solve the problem.

While I am glad it worked out for you, I somehow doubt that the workers of the once great city of New York would be quite as accommodating :-/ Fortunately, I found a way around the problem that didn't force me to try and find out though!

But nevertheless, I do not understand why americans are so afraid of an ID card. It has by far more advantages than disadvantages, and

This is probably a uniquely american thing - culturally we are a bunch of loners, who all believe that the government has no *right* to identify or otherwise monitor us. As a scrappy bunch of loners with attitude problems, the pros vs. cons of The Card really never make it to the equation: as a people, most of us just naturally have a Time May reaction to authority in general and government authority in particular.

Personally, I'd rather go back to the old paper license I used to have in the 80's that had no pic and was not usable as ID, but I know it isn't going to happen. Sigh...

--
Yours, J.A. Terranson [EMAIL PROTECTED] 0xBD4A95BF

Never belong to any party, always oppose privileged classes and public plunderers, never lack sympathy with the poor, always remain devoted to the public welfare, never be satisfied with merely printing news, always be drastically independent, never be afraid to attack wrong, whether by predatory plutocracy or predatory poverty. Joseph Pulitzer 1907 Speech

[OT] The Nazification Of America, Part 2 (Day 5) (fwd)
I was unaware that (a) this had hit Farber, or that (b) it had been cross posted to cryptography, prior to my second posting - which is attached below (for the sake of completeness).

//Alif

--
Yours, J.A. Terranson [EMAIL PROTECTED] 0xBD4A95BF

-- Forwarded message --
Date: Tue, 5 Jul 2005 19:01:21 -0500 (CDT)
From: J.A. Terranson [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: The Nazification Of America, Part 2 (Day 5)

When last I wrote, I was facing a dilemma: how to get a copy of my birth certificate so that I could get a copy of my birth certificate :-/ I managed to clear the hurdle of the missing birth certificate. Kinda. Sorta maybe...

So, new certificate in hand, I went off to the DMV to get my picture taken (wearing my Frisk Me, I'm A Terrorist T-Shirt of course). At 8:50am I was eagerly awaiting the opening of the local DMV office, and by the opening bell at 9:00, there was actually a *line* behind me! I rushed to the counter, plopped down my proof of insurance, proof of address (a recent mailed in voter reg card), my old Illinois drivers license, social security card, and held my breath. They took them, and handed me back a form to check that everything was correct prior to snapping the pic. Oddly, it wasn't: the date of birth was wrong, and it took them about 15 minutes to fix it (apparently the computers are programmed to avoid the changing of a DOB, and they were dumbfounded at how to proceed).

Finally, the moment arrived, and I was the proud owner of not just a new Missouri driver's license (with clearly showing T-Shirt on the photo), but a Missouri state ID as well. Then it was my wife's turn. Unfortunately, she was turned away: even though she had everything I did, she forgot to bring a certified copy of our marriage license! Without it, they refused to use her married name for the license...

I trudged over to the city for a copy of said marriage license, and lo, of course, there was a line out the door - women of every age and description suddenly finding it necessary to get a certified copy of their marriage license! What a shocker - the Collector of Revenue is having a field day with this.

She will try again tomorrow, and I am certain that this time it will all work out, but still, I am left with disturbing questions. For instance, when we went to get *her* birth certificate, why did they not give a damn *who* was asking for it? Why is everyone on earth getting to charge an extra $12.00 here and $12.00 there to allow us the privilege of complying with this absurd law (which, BTW, even the fucking British refuse to pass)?

This country is out of control, bouncing endlessly between administrative fiat and endless taxation, and all we can worry about is that some ephemeral Terrorist is going to blow up a bus? To be honest, I'm *far* more worried that George will blow up another country than I am about some guy stealing my ID and using it to defeat democracy in Quebec

--
Yours, J.A. Terranson [EMAIL PROTECTED] 0xBD4A95BF

Never belong to any party, always oppose privileged classes and public plunderers, never lack sympathy with the poor, always remain devoted to the public welfare, never be satisfied with merely printing news, always be drastically independent, never be afraid to attack wrong, whether by predatory plutocracy or predatory poverty. Joseph Pulitzer 1907 Speech

Re: Trojan horse attack involving many major Israeli companies, executives
John Saylor wrote:

hi

( 05.05.30 15:34 +0200 ) Amir Herzberg:

See more info e.g. at http://www.haaretz.com/hasen/spages/581790.html

an excellent tale [still unfolding]- no doubt coming to a bookstore or movie theatre near you real soon. of course, it was never mentioned in the article, but they *had* to be running windows.

So, how long before someone, possibly even me, points out that all Checkpoint software is built in Israel?

--
Yours, J.A. Terranson [EMAIL PROTECTED] 0xBD4A95BF

Never belong to any party, always oppose privileged classes and public plunderers, never lack sympathy with the poor, always remain devoted to the public welfare, never be satisfied with merely printing news, always be drastically independent, never be afraid to attack wrong, whether by predatory plutocracy or predatory poverty. Joseph Pulitzer 1907 Speech

Re: Crack in Computer Security Code Raises Red Flag
On Tue, 15 Mar 2005, The Wall Street Journal Wrote:

SHA-1 is a federal standard promulgated by the National Institute of Standards and Technology and used by the government and private sector for handling sensitive information. It is thought to be the most widely used hash function, and it is regarded as the state of the art.

^^ NEXT!

--
Yours, J.A. Terranson [EMAIL PROTECTED] 0xBD4A95BF

Quadriplegics think before they write stupid pointless shit...because they have to type everything with their noses. http://www.tshirthell.com/

Re: [IP] SHA-1 cracked?
On Wed, 16 Feb 2005, Ben Laurie wrote:

A work factor of 2^69 is still a serious amount of work.

Yep. Does anyone recall DeepCrack's specs?

--
Yours, J.A. Terranson [EMAIL PROTECTED] 0xBD4A95BF

Quadriplegics think before they write stupid pointless shit...because they have to type everything with their noses. http://www.tshirthell.com/

RE: Researchers Combat Terrorists by Rooting Out Hidden Messages
On Wed, 2 Feb 2005, Alan wrote:

If you really want to send secret messages, just send it in the chaff in spam. Everyone is programmed to ignore it or filter it out.

Yeah, but it doesn't make for great story copy or funding proposals ;-)

--
Yours, J.A. Terranson [EMAIL PROTECTED] 0xBD4A95BF

Civilization is in a tailspin - everything is backwards, everything is upside down- doctors destroy health, psychiatrists destroy minds, lawyers destroy justice, the major media destroy information, governments destroy freedom and religions destroy spirituality - yet it is claimed to be healthy, just, informed, free and spiritual. We live in a social system whose community, wealth, love and life is derived from alienation, poverty, self-hate and medical murder - yet we tell ourselves that it is biologically and ecologically sustainable. The Bush plan to screen whole US population for mental illness clearly indicates that mental illness starts at the top. Rev Dr Michael Ellner

Re: New IBM Thinkpad includes biometrics
On Wed, 13 Oct 2004, Anton Stiglic wrote:

http://www.theregister.co.uk/2004/10/05/biometric_thinkpad_t42/

I wonder how well it can counter the attacks discussed by researchers in the last few years. Like reactivating a fingerprint authentication by breathing on the sensor's surface containing residue fat traces of the finger, or placing a bag of water. Or the jelly finger trick. The biometric authentication might very well make the laptop less secure than password-based authentication.

--Anton

The company I'm currently associated with (United Forensics) is currently working on this very question - I'll let everyone know when we have an answer.

--
Yours, J.A. Terranson [EMAIL PROTECTED] 0xBD4A95BF

An ill wind is stalking while evil stars whir and all the gold apples go bad to the core S. Plath, Temper of Time

RE: Microsoft .NET PRNG (fwd)
Forwarded here as the original forum is having no success. IIRC, Matt Blaze examined the early CryptoAPI and associated PRNG, but I can't seem to find the post/article that I am thinking of.

--
Yours, J.A. Terranson [EMAIL PROTECTED] 0xBD4A95BF

...justice is a duty towards those whom you love and those whom you do not. And people's rights will not be harmed if the opponent speaks out about them. Osama Bin Laden
- - -
There aught to be limits to freedom! George Bush
- - -
Which one scares you more?

-- Forwarded message --
Date: Fri, 30 Jul 2004 10:52:12 -0300
From: Pablo Milano [EMAIL PROTECTED]
To: 'Yvan Boily' [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Microsoft .NET PRNG

I'm looking for the same information. I want to know which method does MS Crypto API use in order to obtain strong random seeds. The most in-depth information about this I could find was http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/cpgenrandom.asp. Anyway, I'm still not sure if what is explained there is what the function SHOULD do, or what the function ACTUALLY DOES. Any help would be appreciated.

Regards.

-Original message-
From: Yvan Boily [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 28, 2004 04:40 p.m.
To: [EMAIL PROTECTED]
Subject: Microsoft .NET PRNG

I have read both FoundStone's and @Stakes reviews of the PRNG included with the Microsoft .NET 1.1 framework (also the Win32 CryptoAPI), however there is little information available (that I have been able to locate) that discusses the actual method used, or an analysis of how reliable it is from a cryptographic perspective.

I don't profess to be expert enough on random number generation and cryptography to criticize the implementation, however I would like to know more about it as most code samples I have seen and now an application I am auditing is relying extensively on the CryptoAPI to provide facilities for random key generation.

Does anyone have any technical resources which discuss concerns or commendations of the implementation?

Regards, Yvan Boily