On Wed, Aug 28, 2013 at 5:33 AM, ianG wrote:
> Yes. I was never scared of the NSA. But the NSA and the FBI and the DEA
> and every local police force ... that's terrifying. That's a purer
> essence of terror, far worse than terrorism. We need a new word.
It's a boot stamping on a human face, f
On Wed, Aug 10, 2011 at 10:12 AM, Perry E. Metzger wrote:
> Today's XKCD is on password strength. The advice it gives is pretty
> good in principle...
>
> http://xkcd.com/936/
For a single password on a system with flexible rules, it's good advice.
Real world, with a dozen non-reused passwords n
> I don't know if the new crack reveals anything new. We have
> a writeup about the Skype protection techniques in
> "Surreptitious Software", our book on security-through-obscurity.
> (Sorry for the blatant self-promotion).
I appreciate the self-promotion. My only request is that you include
ISBN
On Fri, Sep 18, 2009 at 4:32 AM, Alec Muffett wrote:
> Perry: plasma physics is wildly OT but I believe the relevance will be
> obvious to those who remember the crypto wars, especially when they hit the
> fifth paragraph:
>>
>> It’s a difficult subject: many people I interviewed felt Roth showed
>> This just emphasizes what we already knew about C, even the most
>> careful, security conscious developer messes up memory management.
> However I think it is not really efficient at this stage to insist on secure
> programming for submission implementations. For the simple reason that
> there
> And long before Quantum Computers become strong enough to crack
> 2048-bit public key algorithms at a price that makes the
> KGB want to waste its resources on you, there'll be
> more convenient ways to blackbag machines, whether it's
> including extra features in the OS through the audio CD play
> My question is, what is the layperson supposed to do, if they must use
> crypto and can't use an off-the-shelf product?
When would that be the case?
The only defensible situations I can think of in which a
non-crypto-specialist programmer would need to write crypto routines
would be an uncommon
On 10/5/05, R.A. Hettinga <[EMAIL PROTECTED]> wrote:
> Can writing software be a crime?
...
> The Perez-Melara case, in comparison, represents the first time the
> government has attempted to prosecute the developer of a software that can
> be used for both lawful purposes (surreptitiously mon
On 9/20/05, Rich Salz <[EMAIL PROTECTED]> wrote:
> This is wandering way far afield of the list charter. In an effort
> to maintain some relevance, I'll point out that code reviews, and
> crypto programming, are rarely done, and arguably shouldn't, by
> programming wizards.
If by that you mean, "
On 9/13/05, Steven M. Bellovin <[EMAIL PROTECTED]> wrote:
> There's an interesting tradeoff here: which is a bigger threat, crypto
> secrets lying around memory or buffer overflows? What's your threat
> model? For the average server, I suspect you're better off with Java,
> especially if you use
On 9/11/05, Jason Holt <[EMAIL PROTECTED]> wrote:
> Securely deleting secrets is hard enough in C, much less high level languages.
But, but..Java is the be-all end-all!
Three years ago I advised a business/tech guy to avoid Java for crypto
and related purposes. I'll revise that somewhat in light
On 8/25/05, Trei, Peter <[EMAIL PROTECTED]> wrote:
> Self-signed certs are only useful for showing that a given
> set of messages are from the same source - they don't provide
> any trustworthy information as to the binding of that source
> to anything.
Which is just fine. Pseudonymity is good.
On 8/22/05, Steven M. Bellovin <[EMAIL PROTECTED]> wrote:
> In message <[EMAIL PROTECTED]>, [EMAIL PROTECTED] writes:
> >
> >...the folks at Fort Meade had every
> >possible BSD password indexed by its /etc/passwd
> >representation.
> I'm sorry, I flat-out don't believe that.
Probably some d
> [Moderator's note: ... attackers are often cleverer than protocol
> designers. ...
Is that true? Or is it a combination of
(a) a hundred attackers for every designer, and
(b) vastly disparate rewards: continued employment and maybe some
kudos for a designer or implementer, access to $1,000,000,
On 8/3/05, James A. Donald <[EMAIL PROTECTED]> wrote:
>--
> Is it possible for two web sites to arrange for cross
> logins?
<>
Does this question have a practical end in mind? If so, can you
simplify matters by running both web sites on the same host?
(cc-ing JAD because I never see any res
On 6/24/05, Perry E. Metzger <[EMAIL PROTECTED]> wrote:
> For the record, the guys at Fidelity Investments have always seemed to
> me to have their act together on security, unlike lots of other
A few years ago I did some consulting at Fidelity Investments, writing
code to spider their own website
On 6/3/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Another alternative is the cyphersaber type of thing, where you could just
> implement your crypto-code on the fly, as needed.
Yes, I could, and have. Presumably you could. Ben Laurie probably
could blindfolded with both hands tied behind h
On 5/31/05, Ian G <[EMAIL PROTECTED]> wrote:
> I don't agree with your conclusion that hiding algorithms
> is a requirement. I think there is a much better direction:
> spread more algorithms. If everyone is using crypto then
> how can that be "relevant" to the case?
This is so, in the ideal. Bu
On Wed, 2004-10-06 at 06:27, Dave Howe wrote:
> I have yet to see an advantage to QKE that even mildly justifies the
> limitations and cost over anything more than a trivial link (two
> buildings within easy walking distance, sending high volumes of
> extremely sensitive material between them)
But
On Mon, 2004-08-02 at 15:03, John Denker wrote:
> News article
>http://news.bbc.co.uk/2/hi/americas/3528502.stm
> says in part:
>
> > The BBC's Zaffar Abbas, in Islamabad, says it appears that US
> > investigators were able to unscramble information on the computers
> > after Pakistan passed o
On Wed, 2004-06-30 at 06:49, Ian Grigg wrote:
> Here's my question - is anyone in the security
> field of any sort of repute being asked about
> phishing, consulted about solutions, contracted
> to build? Anything?
Nothing here. Spam is the main concern on people's minds, so far as I
can tell. P
21 matches