Re: [Fwd: BugTraq - how to coverup the security]
Ian Grigg wrote:
> I've only skimmed it so far, but it looks like you are well ahead of us here. I'm curious to hear how successful you have been convincing the Mozilla people to adopt this?

Now that Mozilla.org is truly free from AOL/Netscape (http://www.mozilla.org/press/mozilla-foundation.html), the project would be much more likely to look at a submission such as this. I suggest you contact them once again.

Jeffrey Altman

smime.p7s Description: S/MIME Cryptographic Signature
Latest Da Vinci mystery: judge's own secret code
Thu Apr 27, 2006 8:11 AM ET
By Peter Graff

LONDON (Reuters) - Three weeks after a British court passed judgment in the copyright case involving Dan Brown's bestseller "The Da Vinci Code," a lawyer has uncovered what may be a secret message buried in the text of the ruling.

Lawyer Dan Tench noticed some letters in the judgment had been italicized, and it suddenly dawned on him that they spelled a phrase that included the name of the judge: "Smith code."

Justice Peter Smith, who during the trial displayed a sense of humor unusual in the rarefied world of bewigged barristers and ancient tradition, appears to have embraced the mysterious world of codes and conspiracy that runs through the novel.

"I thought it was a mistake, that there were some stray letters that had been italicized because the word processor had gone wrong," Tench told Reuters.

Tench initially told The Times newspaper that apparently random letters in the judge's ruling appeared in italics. Wouldn't it be clever if the judge had embedded a secret message in the text? The Times ran a jokey item.

"And then I got an e-mail from the judge," said Tench. He said Smith told him to look back at the first paragraphs.

The italicized letters scattered throughout the judgment spell out: "smithcodeJaeiextostpsacgreamqwfkadpmqz." Those in the first paragraphs spell out "smith code." But what does the rest mean?

The novel, and upcoming movie starring Tom Hanks, are about a secret code that reveals ancient mysteries about Jesus Christ.

Smith, who ruled that author Brown had not plagiarized his hugely popular thriller from another book, "The Holy Blood and the Holy Grail," has so far not given any clues to his own mystery code.

For now, the judge is not speaking. His clerk said he is refusing interviews. She would not confirm whether there truly was a secret mystery embedded in his judgment. But she did confirm that he is, generally speaking, a humorous type of person.
Solution revealed
Da Vinci judge's secret code revealed
Fri Apr 28, 2006 8:25 AM ET
By Peter Graff

LONDON (Reuters) - Mystery solved. It was the admiral.

A secret code embedded in the text of a court ruling in the case of Dan Brown's bestseller "The Da Vinci Code" has been cracked, but far from revealing an ancient conspiracy it is simply an obscure reference to a Royal Navy admiral.

British High Court Justice Peter Smith, who handed down a ruling that Brown had not plagiarized his book, had embedded his own secret message in his judgment by italicizing letters scattered throughout the 71-page document.

In Brown's book, a secret code reveals an ancient conspiracy to hide facts about Jesus Christ.

The judge's own code briefly caused a wave of amused speculation when it was discovered by a lawyer this week, nearly a month after the ruling was handed down. But the lawyer, Dan Tench, cracked it after a day of puzzling. The judge's code was based on the Fibonacci sequence, a mathematical progression discussed in the book.

"After much trial and error, we found a formula which fitted," wrote Tench, who had nothing to do with the Brown case but discovered the italicized letters when studying the ruling.

The judge's secret message was: "Jackie Fisher, who are you? Dreadnought," Tench wrote in the Guardian newspaper.

Judge Smith is known as a navy buff, and Fisher was a Royal Navy admiral who developed the idea for a giant battleship called the HMS Dreadnought in the early 20th century.

Tench wrote that the judge had e-mailed him to confirm he had guessed the secret code right. The judge later confirmed the existence of the code, and revealed that the Fibonacci sequence was indeed the secret to its solution.

"The message reveals a significant but now overlooked event that occurred virtually 100 years to the day of the start of the trial," he said in a statement.

He said that he is not normally much of a fan of puzzles, such as the Japanese number puzzles that have become an obsession of the British press.

"The preparation of the Code took about 40 minutes and its insertion another 40 minutes or so," he wrote. "I hate crosswords and do not do Sudoku as I do not have the patience."
Re: Status of SRP
James A. Donald wrote:
> The obvious solution to the phishing crisis is the widespread deployment
> of SRP, but this does not seem to be happening. SASL-SRP was recently
> dropped. What is the problem?

Unfortunately, SRP is not the solution to the phishing problem. The phishing problem is made up of many subtle sub-problems involving the ease of spoofing a web site and the challenges involved in securing the enrollment and password change mechanisms.

SRP would allow a client to know that a service is in fact the correct service when the authentication succeeds. However, it would not help in the situation when the authentication fails. This could be because the user is not sure of what the password is, or even sure which account name was being used.

Solving the phishing problem requires changes on many levels:

(1) Some form of secure chrome for browsers must be deployed, where the security either comes from a "trusted desktop" or from per-user customizations that significantly decrease the chances that the attacker can fake the web site experience. (Prevent the attacker from replicating the browser frame, toolbars, lock icons, certificate dialogs, etc.)

(2) Reducing the number of accounts and passwords (or other identifiers) that end users need to remember. With a separate identifier for each and every web site, it is no surprise that my extended family can never remember what was used at each site. Therefore, it is not much of a surprise when a site says that the authentication failed.

(3) Secure mechanisms must be developed for handling enrollment and password changing.

Only then can we truly address the phishing problem.

Jeffrey Altman
Re: Status of SRP
James A. Donald wrote:
> --
> Jeffrey Altman wrote:
>> Unfortunately, SRP is not the solution to the phishing
>> problem. The phishing problem is made up of many
>> subtle sub-problems involving the ease of spoofing a
>> web site and the challenges involved in securing the
>> enrollment and password change mechanisms.
>
> With SRP, the web site cannot be spoofed, for it must
> prove it knows the user's secret passphrase.

James,

SRP can only prevent spoofs of successful authentications, and it can only prevent spoofs when it is actually used. It cannot prevent spoofs of unsuccessful authentications, and that is where a huge part of the problem lies. Consider the reaction of many individuals when they receive a page that indicates that their username and/or password are incorrect.

Sites that offer the common secret question(s) can be spoofed. The attacker's spoof sits in the middle, captures the question from the real site and the answer from the user, and if the real site says that the new password is being sent, puts up a new page indicating that the password should be changed online, along with prompts for private information that the attacker wants.

Stopping phishing with successful authentication is not even half the problem.

Jeffrey Altman
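The property the two SRP messages above are arguing about can be made concrete. The following is an added example written for this archive page, not code from either poster: a minimal SRP-6a exchange (1024-bit group transcribed from RFC 5054, check it before reuse; SHA-256 as the hash; M1 and M2 simplified to H(A, B, K) and H(A, M1, K) rather than the fuller RFC 2945 forms). The genuine server holds only the verifier v = g^x. A look-alike site that never enrolled the user has no verifier, so it cannot produce the server proof M2 and the client detects it when it claims success. But when that site simply reports "authentication failed", the client's view is identical to what a genuine site returns for a mistyped password, which is the failure case Altman points to. The class names and the "rejected" / "server not authentic" outcome strings are this example's own.

```python
import hashlib
import secrets

# SRP-6a group: the 1024-bit prime and generator from RFC 5054, transcribed
# here (verify against the RFC before reusing). SHA-256 is used as the hash.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NBYTES = (N.bit_length() + 7) // 8


def H(*parts):
    """SHA-256 over the parts; ints are zero-padded to the width of N."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(NBYTES, "big") if isinstance(p, int) else p)
    return int.from_bytes(h.digest(), "big")


k = H(N, g)  # SRP-6a multiplier


def private_key(username, password, salt):
    """x = H(salt | H(username ':' password)); only the client ever computes x."""
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())


class GenuineServer:
    """Stores the verifier v = g^x for one enrolled user, never the password."""

    def __init__(self, username, password):
        self.salt = secrets.token_bytes(16)
        self.v = pow(g, private_key(username, password, self.salt), N)

    def start(self, A):
        if A % N == 0:
            raise ValueError("client public value must not be zero mod N")
        self.A, self.b = A, secrets.randbelow(N)
        self.B = (k * self.v + pow(g, self.b, N)) % N
        return self.salt, self.B

    def finish(self, M1):
        u = H(self.A, self.B)
        K = H(pow(self.A * pow(self.v, u, N), self.b, N))
        if M1 != H(self.A, self.B, K):
            return "fail", None            # wrong password: no server proof is sent
        return "ok", H(self.A, M1, K)      # M2 proves the server knew v


class SpoofServer:
    """Model of a look-alike site that never enrolled the user (hypothetical).
    Without v it can only send a random B and then either lie or report failure."""

    def __init__(self, claim_success):
        self.claim_success = claim_success

    def start(self, A):
        return secrets.token_bytes(16), pow(g, secrets.randbelow(N), N)

    def finish(self, M1):
        if self.claim_success:
            return "ok", secrets.randbelow(2 ** 256)  # a guessed M2, detectable
        return "fail", None                           # indistinguishable from a typo


def client_login(server, username, password):
    a = secrets.randbelow(N)
    A = pow(g, a, N)
    salt, B = server.start(A)
    if B % N == 0:
        return "aborted"
    x = private_key(username, password, salt)
    u = H(A, B)
    # (B - k*g^x) == g^b, so both sides derive K from g^(b(a+ux)).
    K = H(pow((B - k * pow(g, x, N)) % N, a + u * x, N))
    M1 = H(A, B, K)
    status, M2 = server.finish(M1)
    if status != "ok":
        return "rejected"                  # the client learns nothing about the site
    if M2 != H(A, M1, K):
        return "server not authentic"      # SRP's guarantee: a spoof cannot forge M2
    return "mutually authenticated"


def demo():
    real = GenuineServer("alice", "correct horse battery")   # constructed test user
    return {
        "right password, genuine site": client_login(real, "alice", "correct horse battery"),
        "wrong password, genuine site": client_login(real, "alice", "wrong guess"),
        "spoof reporting failure": client_login(SpoofServer(False), "alice", "correct horse battery"),
        "spoof claiming success": client_login(SpoofServer(True), "alice", "correct horse battery"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:30s} -> {outcome}")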
Re: New article on root certificate problems with Windows
[EMAIL PROTECTED] wrote: > The executive summary, so I've got something to reply to: > > In the default configuration for Windows XP with Service Pack 2 (SP2), > if a > user removes one of the trusted root certificates, and the certifier who > issued that root certificate is trusted by Microsoft, Windows will > silently > add the root certificate back into the user's store and use the original > trust settings. > > While I don't agree with this behaviour, I can see why Microsoft would do > this, and I can't see them changing it at any time in the future. It's the > same reason why they ignore key usage restrictions and allow (for > example) an > encryption-only key to be used for signatures, and a thousand other > breaches > of PKI etiquette: There'd be too many user complaints if they didn't. The real flaw that I see in their design is that they permit certificates that they installed to be removed. Instead they should have provided a "disabled" feature so that those who wish to disable installed certs can do so and thereby ensure that in the future they won't be restored. Jeffrey Altman smime.p7s Description: S/MIME Cryptographic Signature
Re: Another Snake Oil Candidate
Damien Miller wrote: > It protects against the common threat model of lost/stolen USB keys. Why is > this snake oil? Your criticism seems akin to calling a physical lock insecure > because it doesn't protect you from burglars once you have unlocked it. Many many years ago an office that a startup I was working for was burglarized by picking the lock on the office door. They took a number of computers. The police recommended that we replace the locks with XYZ super lock that could not be picked and we did so at significant expense prior to replacing all of the computers. Three or four weeks later the office was burglarized again. They could not pick the lock so they took a sledgehammer to the wall next to the door, reached in unlocked the door from the inside and proceeded to go about their business. This wasn't a failure of the lock. The lock did its job. --- The product you are describing is not snake oil. You have a valid gripe that the product is not marketed along with a description of the attack vectors it protects against and those that it does not. Jeffrey Altman smime.p7s Description: S/MIME Cryptographic Signature