John Gilmore <[EMAIL PROTECTED]> writes:
>Despite a bunch of PC graphics chips and boards having announced HDCP
>support, according to the above article, it turns out that none of them will
>actually work. It looks like something slipped somewhere, and an extra
>crypto-key chip needed to be added
Jack Lloyd <[EMAIL PROTECTED]> writes:
>On Fri, Feb 10, 2006 at 07:21:05PM +1300, Peter Gutmann wrote:
>> Well, that's the exact problem that I pointed out in my previous message - in
>> order to get this right, people have to read the mind of the paper author to
>>
Jack Lloyd <[EMAIL PROTECTED]> writes:
>On Thu, Feb 09, 2006 at 05:01:05PM +1300, Peter Gutmann wrote:
>> So you can use encrypt-then-MAC, but you'd better be *very*
>> careful how you apply it, and MAC at least some of the additional
>> non-message-data
"James A. Donald" <[EMAIL PROTECTED]> writes:
>2. Html encourages legitimate businesses to use complicated and obfuscated
>actual targets for their urls, indistinguishable from those used by phishers.
I think a more general extension of this is "HTML allows the use of
arbitrarily sophisticated pre
Sidney Markowitz <[EMAIL PROTECTED]> writes:
>Krawczyk's paper shows that authenticate before encryption is not secure
>under assumptions that are not realistic, such as the encryption being
>subject to a chosen ciphertext attack, use of ECB mode, separate MAC
>authentication of each block along wi
Jack Lloyd <[EMAIL PROTECTED]> writes:
>Bellare and Namprempre have a paper on this [worth reading IMO;
>http://www-cse.ucsd.edu/~mihir/papers/oem.html] which suggests that this
>method (which they term Encrypt-and-MAC) has problems in terms of information
>leakage. An obvious example occurs when u
Ben Laurie <[EMAIL PROTECTED]> writes:
>Dave Howe wrote:
>>Oh - before I forget, I was thinking about covert channels and cds a few days
>>ago and realised there is already one - CDs support a special mode called
>>"CD+G" - this is used making "karaoke" cds to support the video data stream; the
"Steven M. Bellovin" <[EMAIL PROTECTED]> writes:
>What makes this interesting is how it was done: software was installed on the
>switch that diverted calls to a prepaid phone. Think about who could manage
>that.
Just in case people think the answer is "The MIB", it's actually "Any kid with
a bit
Jonathan Thornburg <[EMAIL PROTECTED]> writes:
>Melting the CD should work... but in practice that takes a specialized "oven"
>(I seriously doubt my home oven gets hot enough), and is likely to produce
>toxic fumes, and leave behind a sticky mess (stuck to the surface of the
>specialized oven).
F
Anne & Lynn Wheeler <[EMAIL PROTECTED]> writes:
>The Kama Sutra worm can fool Windows into accepting a malicious ActiveX
>control by spoofing a digital signature, a security company said Tuesday.
If you track down the original Fortinet advisory you'll see that the
InformationWeek text is sl
In 1996, New Zealander Nicky Hager wrote a book "Secret Power" containing a
great deal of information on Echelon, with a particular NZ perspective. A few
days ago, papers held by the Prime Minister of the time were accidentally
released and appeared in the Sunday Star Times. Some quotes from the
"Perry E. Metzger" <[EMAIL PROTECTED]> writes:
>The latest round of "SSL and X.509 certs in browsers are broken" has gone on
>too long.
It's been a good start though. The first step towards recovery is admitting
that you have a problem...
Hi. My name is Peter and I have an X.509 problem. Init
Jack Lloyd <[EMAIL PROTECTED]> writes:
>Does anyone know of any 'standard' [*] ways of encrypting private keys in the
>usual PKCS #8 format without using password-based encryption? It is obviously
>not hard to do, as you can stick whatever you like into the
>encryptionAlgorithm field, so it would
Philipp Gühring <[EMAIL PROTECTED]> writes:
>What is wrong with the following black-box test?
>
>* Open browser
>* Go to a dummy CA's website
>* Let the browser generate a keypair through the or cenroll.dll
>* Import the generated certificate
>* Backup the certificate together wi
Ian Grigg's blog has a neat tongue-in-cheek review of the year in security.
Here's a sample:
Browser manufacturers have moved slightly faster than your average glacier.
Microsoft moved forward by announcing that phishing was a browser problem
(Mozilla and KDE followed 8 months later), and ag
"James A. Donald" <[EMAIL PROTECTED]> writes:
>But is what they are doing wrong?
The users? No, not really, in that given the extensive conditioning that
they've been subject to, they're doing the logical thing, which is not paying
any attention to certificates. That's why I've been taking the
Victor Duchovni <[EMAIL PROTECTED]> writes:
>On Thu, Dec 22, 2005 at 10:28:47AM +0100, Philipp Gühring wrote:
>> I think the better way would be if I had a possibility to verify the quality
>> of the random numbers used in a certificate request myself, without the
>> dependence on the vendor.
>
>Th
"James A. Donald" <[EMAIL PROTECTED]> writes:
>If no attacks, this is just an excuse for higher priced holy water, an
>attempt to alter the Browser interface to increase revenue, not increase
>security - to solve the CA's problem, not solve the user's problem.
That's a somewhat cynical view :-)
"Travis H." <[EMAIL PROTECTED]> writes:
>In Peter Gutmann's godzilla cryptography tutorial, he has some really good
>(though terse) advice on subtle gotchas in using DH/RSA/Elgamal. I learned a
>few no-nos, such as not sending the same message to 3 separate users in RSA
>(if using 3 as an encrypti
"Jörn" Schmidt <[EMAIL PROTECTED]> writes:
>However, there are only two countries, to the best of my knowledge, that
>outright ban cryptography: Russia and China. And even that's only a de-facto
>ban since both only require individuals to obtain a license to use
>cryptography in any way, shape or
Lee Parkes <[EMAIL PROTECTED]> writes:
>A colleague of mine is locked in a battle with a client about the use of NULL
>ciphers for OpenSSL. The client claims that he has/wants to allow NULL
>ciphers so that people in countries that ban the use of crypto can still use
>the website. My colleague wan
Tero Kivinen <[EMAIL PROTECTED]> writes:
>If I understood correctly the tools they used now did generate specific
>hand-crafted packets having all kind of weird error cases. When testing with the
>crypto protocols the problem is that you also need to do the actual crypto,
>key exchangement etc to
bear <[EMAIL PROTECTED]> writes:
>On Sat, 19 Nov 2005, Peter Gutmann wrote:
>>- The remaining user base replaced it with on-demand access to network
>> engineers who come in and set up their hardware and/or software for them and
>> hand-carry the keys from one endp
William Allen Simpson <[EMAIL PROTECTED]> writes:
>So, where is the community to replace ISAKMP with something more robust?
Already happened, unfortunately it's diverged into three different branches:
- VPN hardware vendors replaced it with "management tunnels", typically things
like single-DE
"Steven M. Bellovin" <[EMAIL PROTECTED]> writes:
>In message <[EMAIL PROTECTED]>, Paul Hoffman writes:
>>Which "proper programming tools" would check for a logic path failure
>>when a crafted packet includes Subpacket A that is only supposed to
>>be there when Subpacket B is there, but the packet d
Florian Weimer <[EMAIL PROTECTED]> writes:
>* Perry E. Metzger:
>
>> I haven't been following the IPSec mailing lists of late -- can anyone
>> who knows details explain what the issue is?
>
>These bugs have been uncovered by a PROTOS-style test suite. Such test
>suites can only reveal missing chec
"Marcel Popescu" <[EMAIL PROTECTED]> writes:
>> From: [EMAIL PROTECTED] [mailto:owner-
>> [EMAIL PROTECTED] On Behalf Of Peter Gutmann
>
>> I can't understand why they didn't just use TLS for the handshake (maybe
>> YASSL) and IPsec s
Chris Palmer <[EMAIL PROTECTED]> writes:
>James A. Donald writes:
>
>> Further, genuinely secure systems are now becoming available, notably
>> Symbian.
>
>What does it mean for Symbian to be genuinely secure? How was this determined
>and achieved?
By executive fiat.
Peter.
A number of CAs have started offering high-assurance certificates in an
attempt to... well, probably to make more money from them, given that the
bottom has pretty much fallen out of the market when you can get a standard
certificate for as little as $9.95. The problem with these certificates is
t
Jack Lloyd <[EMAIL PROTECTED]> writes:
>I just reread those sections and I still don't see anything about RSA
>encryption padding either. 3.2.2 just has some useless factoids about the RSA
>implementation (but neglects to mention important implementation points, like
>if blinding is used, or if si
I've finally got around to finishing a major update of my Godzilla crypto and
security tutorial to cover newer material like WEP, WPA, and WPA2. It's
available from http://www.cs.auckland.ac.nz/~pgut001/tutorial/index.html and
comprises 784 slides in 10 parts.
The tutorial covers security threats
Sidney Markowitz <[EMAIL PROTECTED]> writes:
>It looks like they are all getting their web sites from the same
>Hack-In-A-Box.
My original comment on that was "Looks like they got their security
certification from the same cornflakes packet" :-). An anonymous contributor
sent in the following c
Banks like Bank of America have taken some flak in the past for their awful
online banking security practices. I was poking around their home page today
because I wanted some screenshots to use as examples of how not to do it and I
noticed the following incredible message, which appears when you c
In order to use encryption with SIP, you're stuck with using certificates
(there's no way to do authenticated DH like a number of other secure-phone
devices allow you to do). However, one vendor has found a nice way around
this: You go to their web page, enter your device IP address and SIP user I
Found on the Daily WTF, http://www.thedailywtf.com/forums/43223/ShowPost.aspx:
  try {
    int idx = 0;
    while (true) {
      displayProductInfo(prodnums[idx]);
      idx++;
    }
  }
  catch (IndexOutOfBoundException ex) {
    // nil
  }
The editor also comments that when he
Eugen Leitl <[EMAIL PROTECTED]> writes:
>On Wed, Sep 07, 2005 at 06:08:25PM -0400, Pat Farrell wrote:
>> Something tells me that soon is not gonna happen in what I would
>> call soon. Smartcards (the smart part) were moderately interesting
>> when there was no networking. We've been at ubiquitous n
Pat Farrell <[EMAIL PROTECTED]> writes:
>Is there a real problem that they uniquely solve, sufficient to drive the
>building of the needed infrastructure? I don't see it, and I'd love to be
>made smarter.
Smart cards were cool in the 1970s because back then it was almost
science-fiction technolo
Stephan Neuhaus <[EMAIL PROTECTED]> writes:
>I think you're talking about me here,
Oh no, I wasn't focusing on any one person, it was a characterisation of the
general response from security people when this sort of thing is mentioned.
Long before the discussion on this list, there were already m
Alaric Dailey <[EMAIL PROTECTED]> writes:
>While I admit that PKI is flawed, I don't see any way that PSK could be used
>effectively.
>
>How are PSKs going to be shared in a secure way?
>are we talking about generating a new key for every connection?
>if so how do you validate the key?
>if not
"James A. Donald" <[EMAIL PROTECTED]> writes:
>From: [EMAIL PROTECTED] (Peter Gutmann)
>> TLS-PSK fixes this problem by providing mutual
>> authentication of client and server as part of the key
>> exchange. Both sides demonstrate proof-of-possession
Dave Howe <[EMAIL PROTECTED]> writes:
>Nicolas Williams wrote:
>> Yes, a challenge-response password authentication protocol, normally
>> subject to off-line dictionary attacks by passive and active attackers
>> can be strengthened by throwing in channel binding to, say, a TLS
>> channel, such that
John Kelsey <[EMAIL PROTECTED]> writes:
>Recently, Earthlink's webmail server certificate started showing up as
>expired. (It obviously expired a long time ago; I suspect someone must have
>screwed up in changing keys over or something, because the problem wasn't
>happening up until recently.)
Th
Raymond Chen's blog has an interesting look at companies trying to bypass
Windows XP's checks that a driver has been WHQL-certified:
My favorite stunt was related to me by a colleague who was installing a
video card driver whose setup program displayed a dialog that read, roughly,
"After cli
Adam Back <[EMAIL PROTECTED]> writes:
>Not to defend PKI, but what about delta-CRLs?
You mean something like
http://img.photobucket.com/albums/v232/CaleyD/turd_polish.jpg ?
They don't work, no matter how much polish you apply. See e.g.
http://www.cs.auckland.ac.nz/~pgut001/pubs/notdead.pdf.
P
In the 1950s we had cheque blacklists, which were used in an attempt to manage
bad cheques.
They didn't work well, and were abandoned as soon as better mechanisms
became available.
In the 1960s and 70s we had credit card blacklists, which were used in an
attempt to manage bad credit cards.
Stephan Neuhaus <[EMAIL PROTECTED]> writes:
>So, the optimism of the article's author aside, where *do* we stand on PKI
>deployment?
The same place we were standing on OSI deployment 15 years ago.
Peter.
$25 and a bit of marijuana, apparently. See:
http://www.wjla.com/news/stories/0305/210558.html
http://www.wjla.com/news/stories/0105/200474.html
Although the story doesn't mention this, the "ID" in question was the DoD
Common Access Card, a smart card containing a DoD-issued certificate. To
Peter Fairbrother <[EMAIL PROTECTED]> writes:
>Peter Gutmann wrote:
>> Peter Fairbrother <[EMAIL PROTECTED]> writes:
>>> Didn't the people who did US/USSR nuclear arms verification do something
>>> very similar, except the characterised surface was sp
Adam Shostack <[EMAIL PROTECTED]> writes:
>Let me propose another answer to Perry's question:
> "Wearing a millstone around your neck to ward off vampires."
>
>This expresses both ends of a lose/lose proposition:
> -- a burdensome solution
> -- to a fantastically unimportant problem.
That s
Peter Fairbrother <[EMAIL PROTECTED]> writes:
>Perry E. Metzger wrote:
>> Frequently, scientists who know nothing about security come up with
>> ingenious ways to solve non-existent problems. Take this, for example:
>>
>> http://www.sciam.com/article.cfm?chanID=sa003&articleID=00049DB6-ED96-12E7-AD
"James A. Donald" <[EMAIL PROTECTED]> writes:
>The PKI that was designed to serve no very useful function other than make
>everyone in the world pay $100 a year to Verisign is dead.
>
>Yet the technology is potent, and the problems of identity and authenticity
>are severe. We shall, by and by,
John Kelsey <[EMAIL PROTECTED]> writes:
>One nontrivial reason is that many organizations have spent a lot of time and
>money building up elaborate rules for using PKI, after long negotiations
>between legal and technical people, many hours of writing and revising,
>gazillions of dollars in consul
Ian Brown <[EMAIL PROTECTED]> writes:
>Steven M. Bellovin wrote:
>>>Cambridge Trust puts your picture on the back of your VISA card, for
>>>instance. They have for more than a decade, maybe even two.
>>
>> One New York bank -- long since absorbed into some megabank -- did the
>> same thing about 30
"Perry E. Metzger" <[EMAIL PROTECTED]> writes:
>Why is it, then, that banks are not taking digital photographs of customers
>when they open their accounts so that the manager's computer can pop up a
>picture for him, which the bank has had in possession the entire time and
>which I could not have
[EMAIL PROTECTED] writes:
>Take a look at Boojum Mobile -- it is precisely the idea of using the cell
>phone as an out-of-band channel for an in-band transaction.
>
>http://www.boojummobile.com
Banks here have been using it to authenticate higher-value electronic
transactions as well. The way it
Ian Grigg <[EMAIL PROTECTED]> writes:
>Alternatively, if one is in the unfortunate position of being an oracle for a
>single block encryption then the packet could be augmented with a cleartext
>random block to be xor'd with the key each request.
Moves you from being an encryption oracle to a rel
Ian G <[EMAIL PROTECTED]> writes:
>On Tuesday 21 June 2005 13:45, Peter Gutmann wrote:
>>Best Current Practice, a special-case type of RFC. Based on recent experience
>>with this style of collaborative document editing, I've set up a wiki at
>>http://blockci
Peter Fairbrother <[EMAIL PROTECTED]> writes:
>Steven M. Bellovin wrote:
>> Designing a system that deflects this sort of attack is challenging.
>> The right answer is smart cards that can digitally sign transactions
>
>No, it isn't! A handwritten signature is far better, it gives post-facto
>evide
Ian G <[EMAIL PROTECTED]> writes:
>>Definitely. Maybe time for a BCP, not just for AES but for general block
>>ciphers?
>
>What is a BCP? Best Coding Practices? Block Cipher Protocol?
Best Current Practice, a special-case type of RFC. Based on recent experience
with this style of collaborativ
Stephan Neuhaus <[EMAIL PROTECTED]> writes:
>Concerning the practical use of AES, you may be right (even though it would
>be nice to have some advice on what one *should* do instead).
Definitely. Maybe time for a BCP, not just for AES but for general block
ciphers?
>But as far as I know, resist
[EMAIL PROTECTED] ("Hal Finney") writes:
>Steven M. Bellovin writes:
>> Dan Bernstein has a new cache timing attack on AES:
>> http://cr.yp.to/antiforgery/cachetiming-20050414.pdf
>This is a pretty alarming attack.
It is? Recovering a key from a server custom-written to act as an oracle f
Jerrold Leichter <[EMAIL PROTECTED]> writes:
>They also sold a full solution for encrypted Ethernet - KDC, encrypting
>Ethernet adapters, associated software. None of this stuff went anywhere.
>People just weren't interested.
That wasn't quite the case for the Ethernet encryption. What happened
Rich Salz <[EMAIL PROTECTED]> writes:
>Peter's shared earlier drafts with me, and we've exchanged email about this.
>The only complaint that has a factual basis is this:
>
>I don't want to have to implement XML processing to do
>XML Digital Signatures
I don't want to have
"Perry E. Metzger" <[EMAIL PROTECTED]> writes:
>"Steven M. Bellovin" <[EMAIL PROTECTED]> writes:
>>>They're still doing the wrong thing. Unless the page was transmitted
>>>to you securely, you have no way to trust that your username and
>>>password are going to them and not to someone who cleverly
[EMAIL PROTECTED] writes:
>I saw a lot of requirements by security auditors that looked pretty silly.
"Must use 128-bit RSA encryption" has to be the all-time favourite.
One I saw recently was a requirement for using X9.17 key management... in SSL.
Peter.
Ben Laurie <[EMAIL PROTECTED]> writes:
>Anne & Lynn Wheeler wrote:
>> Peter Gutmann wrote:
>>> That cuts both ways though. Since so many systems *do* screw with
>>> data (in
>>> insignificant ways, e.g. stripping trailing blanks), anyone who do
Anne & Lynn Wheeler <[EMAIL PROTECTED]> writes:
>the problem was that xml didn't have a deterministic definition for encoding
>fields.
Yup, see "Why XML Security is Broken",
http://www.cs.auckland.ac.nz/~pgut001/pubs/xmlsec.txt, for more on this. Mind
you ASN.1 is little better, there are rules
Rich Salz <[EMAIL PROTECTED]> writes:
>I think signatures are increasingly being used for technical reasons, not
>legal. That is, sign and verify just to prove that all the layers of
>middleware and Internet and general bugaboos didn't screw with it.
That cuts both ways though. Since so many s
"Heyman, Michael" <[EMAIL PROTECTED]> writes:
>The false positive I was referring to is the "something is telling me
>something unimportant" positive. I didn't mean to infer that the users
>likely went through a thought process centered around the possible causes of
>the certificate failure, speci
"Heyman, Michael" <[EMAIL PROTECTED]> writes:
>In this situation, I believe that the users, through hard won experience with
>computers, _correctly_ assumed this was a false positive.
Probably not. This issue was discussed at some length on the hcisec list,
(security usability, http://groups.yah
"James A. Donald" <[EMAIL PROTECTED]> writes:
>With bank web sites, experience has shown that only 0.3% of users are
>deterred by an invalid certificate, probably because very few users have any
>idea what a certificate authority is, what it does, or why they should care.
James (and others): I re
Invalid banking cert spooks only one user in 300
Stephen Bell, Computerworld
16/05/2005 09:19:10
Up to 300 New Zealand BankDirect customers were presented with a security
alert when they visited the bank's website earlier this month - and all but
one dismissed the warning and carried o
Erwann ABALEA <[EMAIL PROTECTED]> writes:
>On Fri, 25 Mar 2005, Florian Weimer wrote:
>>* Adam Back:
>>>Does anyone have info on the cost of sub-ordinate CA cert with a name
>>>space constraint (limited to issue certs on domains which are
>>>sub-domains of a your choice... ie only valid to issue ce
"Steven M. Bellovin" <[EMAIL PROTECTED]> writes:
>We all understand the need to move to better hash algorithms than SHA1. At a
>minimum, people should be switching to SHA256/384/512; arguably, Whirlpool is
>the right way to go. The problem is how to get there from here.
>
>So -- what should we
Ian G <[EMAIL PROTECTED]> writes:
>Or is this merely a distinction in adspace only? Just a way to separate more
>dollars from Alice?
It's a distinction in adspace only, in the same way that you're expected to
think that a $200 DVD player from Sony Corp is better than a $40 player from Foo
Yuk Corp
Ian G <[EMAIL PROTECTED]> writes:
>In the below, John posted a handy dandy table of cert prices, and Nelson
>postulated that we need to separate high assurance from low assurance.
>Leaving aside the technical question of how the user gets to see that for
>now, note how godaddy charges $90 for thei
From a news.com story about features of gcc 4.0, available at
http://news.com.com/Key+open-source+programming+tool+due+for+overhaul/2100-7344_3-5615886.html
Key open-source programming tool due for overhaul
Published: March 14, 2005, 10:46 AM PST
By Stephen Shankland
Staff Writer, CNET Ne
Anne & Lynn Wheeler <[EMAIL PROTECTED]> writes:
>the purpose of a certificate is analogous to the old letters of credit in the
>sailing ship days it supposedly establishes the bona fides of the
>individual in an offline, non-connected world where the relying party has no
>other recourse regard
"R.A. Hettinga" <[EMAIL PROTECTED]> forwarded:
>Briefly, it works like this: point A transmits an encrypted message to point
>B. Point B can decrypt this, if it knows the password. The decrypted text is
>then sent back to point A, which can verify the decryption, and confirm that
>point B really d
Rich Salz <[EMAIL PROTECTED]> writes:
>Why would mozilla embed this? If they came here, to the putative experts,
>for an evaluation, they'd leave thinking Amir and company just invented
>Rot-13. It's not that. It's also not perfect. BFD -- you got anything
>better?
This ties in to one of my f
Barry Shein <[EMAIL PROTECTED]> writes:
>Eventually email will just collapse (as it's doing) and the RBOCs et al will
>inherit it and we'll all be paying 15c per message like their SMS services.
And the spammers will be using everyone else's PC's to send out their spam, so
the spam problem will s
"Steven M. Bellovin" <[EMAIL PROTECTED]> writes:
>Is a private root key (or the equivalent signing device) an asset that can be
>acquired under bankruptcy proceedings? Almost certainly.
Absolutely certainly. Even before Baltimore, CA's private keys had been
bought and sold from/to third parties
Erwann ABALEA <[EMAIL PROTECTED]> writes:
>I've read your objections. Maybe I wasn't clear. What's wrong in installing a
>cryptographic device by default on PC motherboards? I work for a PKI 'vendor',
>and for me, software private keys is a nonsense.
A simple crypto device controlled by the same
"Tyler Durden" <[EMAIL PROTECTED]> writes:
>That "chip"...is it likely to be an ASIC or is there already such a thing as
>a security network processor? (ie, a cheaper network processor that only
>handles security apps, etc...)
>
>Or could it be an FPGA?
Neither. Currently they've typically bee
David Wagner <[EMAIL PROTECTED]> writes:
>>Is Skype secure?
>
>The answer appears to be, "no one knows".
There have been other posts about this in the past, even though they use known
algorithms the way they use them is completely homebrew and horribly insecure:
Raw, unpadded RSA, no message au
"Perry E. Metzger" <[EMAIL PROTECTED]> writes:
>Not the 5.3 version but I have looked a bit at earlier versions. I was pretty
>scared, frankly.
The "improved" homebrew RNG covers all 5.x versions AFAIK. The OS X guys did
the same thing BTW, both OSes use a weird Yarrow-derived implementation and
Ian G <[EMAIL PROTECTED]> writes:
>To add a postscript to that, yesterday's LAWgram
>reported that $10 DVD *players* are now selling
>in the US.
I heard from a friend of mine who works for an organisation that deals with
China a fair bit that the DVD licensing costs make up the majority of the
"R.A. Hettinga" <[EMAIL PROTECTED]> forwarded:
>"Promoting implanted RFID devices as a security measure is downright 'loco,'"
>says Katherine Albrecht. "Advertising you've got a chip in your arm that
>opens important doors is an invitation to kidnapping and mutilation."
Since kidnapping is sort o
Jack Lloyd <[EMAIL PROTECTED]> writes:
>Looking at my logs, about 95% of all STARTTLS connections are
>DHE-RSA-AES256-SHA; I'm guessing this is because most STARTTLS-enabled SMTP servers (ie
>Postfix, Sendmail, Qmail) use OpenSSL, and recent versions of OpenSSL have
>DHE-RSA-AES256-SHA as the top
David Honig <[EMAIL PROTECTED]> writes:
>EETimes 25 Oct 04 has an article about how the testing structures on ICs
>makes them vulnerable to attacks.
A link (http://www.eetimes.com/showArticle.jhtml?articleID=51200146) would
have been useful...
>The basic idea is that to test a chip, you need t
[EMAIL PROTECTED] writes:
>No need to buy a company just to use its product in your development shop.
They're not "using it in their development shop", that's their standard
development environment that they ship to all Windows CE, Pocket PC,
SmartPhone, and XP Embedded developers (and include fr
[EMAIL PROTECTED] writes:
>I'm pretty sure that you are answering the question "Why did Microsoft buy
>Connectix?"
The answer to that one is actually "To provide a development environment for
Windows CE (and later XP Embedded)" (the emulator that's used for development
in those environments is Vi
Anne & Lynn Wheeler <[EMAIL PROTECTED]> writes:
>one of the market targets of biometrics has been those that write their
>password on their machine (or don't even bother with a password).
Even that may not be a valid market target. If your threat model is script
kiddies/hackers in eastern Europe
Eric Rescorla <[EMAIL PROTECTED]> writes:
>In particular, Verisign's is very long and I seem to remember someone telling
>me it was a hach but I don't recall the details...
It's just a SHA-1 hash. Many CAs use this to make traffic analysis of how
many (or few) certificates they're issuing imposs
Bill Stewart <[EMAIL PROTECTED]> writes:
>In the past, there have been two main problems with the Via crypto sets
>
>- availability of convenient software
VIA AES support is included in Brian Gladman's AES implementation, which is
pretty much the de facto standard AES implementation. The RNG cod
Ben Laurie <[EMAIL PROTECTED]> writes:
>Oh yeah, another gem from the eVAT FAQ:
>
>"The Government Gateway and Digital Certificate authorities do not currently
>support the use of Digital Certificates on Apple Macintosh"
>
>Well, of course not, because everyone knows that Apple X.509 is completely
"Steven M. Bellovin" <[EMAIL PROTECTED]> writes:
>>Maybe it's worth doing some sort of generic RFC for this security model to
>>avoid scattering the same thing over a pile of IETF WGs,
>
>Sounds good. Who wants to write it...?
Since there seems to be at least some interest in this, I'll make a
Eugen Leitl <[EMAIL PROTECTED]> writes:
>It does not authenticate the endpoint's identification, other than "same place
>I had been talking to."
So in other words it's the same baby-duck security model that's been quite
successfully used by SSH for about a decade, is also used in some SSL
impleme
Hadmut Danisch <[EMAIL PROTECTED]> writes:
>I need a literature reference for a simple problem of encoding/compression
>theory:
comp.compression FAQ, probably question #1 given the number of times this
comes up in the newsgroup.
(I've just checked, it's question #9 in part 1. Question #73 in pa
Yesterday I watched Gillo Pontecorvo's 1966 film "The Battle of Algiers", a
dramatisation of real events that looks at France's own "war on terror" in
Algeria in the 1950s. The police attempt to control things by only allowing
people who can show valid ID into the European quarter of Algiers via a