On Aug 10, 2011, at 12:19 53PM, Perry E. Metzger wrote:
On Wed, 10 Aug 2011 11:59:53 -0400 John Ioannidis j...@tla.org wrote:
On Tue, Aug 9, 2011 at 8:02 PM, Sampo Syreeni de...@iki.fi wrote:
Thus, why not turn the Trusted Computing idea on its head? Simply
make P2P public key cryptography
On Oct 8, 2010, at 11:21 16AM, Perry E. Metzger wrote:
My question: if someone plants something in your car, isn't it your
property afterwards?
http://gawker.com/5658671/dont-post-pictures-of-an-fbi-tracking-device-you-find-on-a-car-to-the-internet
See
On Oct 6, 2010, at 6:19 01PM, Perry E. Metzger wrote:
ATT debuts a new encrypted voice service. Anyone know anything about
it?
http://news.cnet.com/8301-13506_3-20018761-17.html
(Hat tip to Jacob Applebaum's twitter feed.)
Does anyone know of any ciphers where bits of keys modify the control path,
rather than just data operations? Yes, I know that that's a slippery concept,
since ultimately things like addition and multiplication can be implemented
with loops in the hardware or firmware. I also suspect that
Per
http://news.softpedia.com/news/New-Trojan-Steals-Digital-Certificates-157442.shtml
there's a new Trojan out there that looks for a steals Cert_*.p12 files --
certificates with private keys. Since the private keys are password-protected,
it thoughtfully installs a keystroke logger as
On Sep 17, 2010, at 4:53 51AM, Peter Gutmann wrote:
From the ukcrypto mailing list:
Just had a new Lloyds credit card delivered, it had a sticker saying I have
to call a number to activate it. I call, it's an automated system.
It asks for the card number, fair enough. It asks for the
http://arstechnica.com/tech-policy/news/2010/09/claimed-hdcp-master-key-leak-could-be-fatal-to-drm-scheme.ars
--Steve Bellovin, http://www.cs.columbia.edu/~smb
-
The Cryptography Mailing List
Unsubscribe by
On Sep 13, 2010, at 11:58 57PM, John Gilmore wrote:
http://arstechnica.com/business/news/2010/09/intels-walled-garden-plan-to-put-av-vendors-out-of-business.ars
In describing the motivation behind Intel's recent purchase of McAfee
for a packed-out audience at the Intel Developer Forum,
On Aug 25, 2010, at 4:37 16PM, travis+ml-cryptogra...@subspacefield.org wrote:
3) Is determinism a good idea?
See Debian OpenSSL fiasco. I have heard Nevada gaming commission
regulations require non-determinism for obvious reasons.
It's worth noting that the issue of determinism vs.
On Aug 25, 2010, at 9:04 20AM, Richard Salz wrote:
Also, note that HSTS is presently specific to HTTP. One could imagine
expressing a more generic STS policy for an entire site
A really knowledgeable net-head told me the other day that the problem
with SSL/TLS is that it has too many
On Aug 24, 2010, at 12:32 19PM, Chad Perrin wrote:
On Mon, Aug 23, 2010 at 03:35:45PM -0400, Steven Bellovin wrote:
And the articles I've seen do not say that the problem caused the
crash. Rather, they say that a particular, important computer was
infected with malware; I saw no language
On Aug 23, 2010, at 11:50 30AM, John Levine wrote:
Authorities investigating the 2008 crash of Spanair flight 5022
have discovered a central computer system used to monitor technical
problems in the aircraft was infected with malware
On Aug 23, 2010, at 11:11 13AM, Peter Gutmann wrote:
Perry E. Metzger pe...@piermont.com forwards:
Authorities investigating the 2008 crash of Spanair flight 5022
have discovered a central computer system used to monitor technical
problems in the aircraft was infected with malware
On Aug 16, 2010, at 9:19 49PM, John Gilmore wrote:
who's your enemy? The NSA? The SVR? Or garden-variety cybercrooks?
Enemy? We don't have to be the enemy for someone to crack our
security. We merely have to be in the way of something they want;
or to be a convenient tool or foil in
On Aug 17, 2010, at 5:19 10PM, Samuel Neves wrote:
On 17-08-2010 21:42, Perry E. Metzger wrote:
On Tue, 17 Aug 2010 22:32:52 +0200 Simon Josefsson
si...@josefsson.org wrote:
Bill Stewart bill.stew...@pobox.com writes:
Basically, 2048's safe with current hardware
until we get some radical
On Aug 15, 2010, at 1:17 30PM, Peter Gutmann wrote:
Ray Dillinger b...@sonic.net writes:
On Fri, 2010-08-13 at 14:55 -0500, eric.lengve...@wellsfargo.com wrote:
The big drawback is that those who want to follow NIST's recommendations
to migrate to 2048-bit keys will be returning to the
. I'll add that the code is now up on SourceForge under a BSD license:
http://sourceforge.net/projects/simple-vpn/
Original Message
Subject: Re: new tech report on easy-to-use IPsec
Date: Wed, 28 Jul 2010 21:36:47 -0400
From: Steven Bellovin s...@cs.columbia.edu
To: Adam
On Jul 30, 2010, at 3:58 08PM, Perry E. Metzger wrote:
On Fri, 30 Jul 2010 09:38:44 +0200 Stefan Kelm sk...@bfk.de wrote:
Perry,
The administration wants to add just four words -- electronic
communication transactional records -- to a list of items that
the law says the FBI may demand
On Jul 28, 2010, at 8:21 33AM, Ben Laurie wrote:
On 28/07/2010 13:18, Peter Gutmann wrote:
Ben Laurie b...@links.org writes:
I find your response strange. You ask how we might fix the problems, then
you
respond that since the world doesn't work that way right now, the fixes
won't
I don't know, if it is truly only a ten line change to a common WPA2
driver to read, intercept and alter practically any traffic on the
network even in enterprise mode, that would seem like a serious issue
to me. Setting up the enterprise mode stuff to work is a lot of time
and effort. If
On Jul 26, 2010, at 10:30 19PM, Perry E. Metzger wrote:
On Mon, 26 Jul 2010 21:42:53 -0400 Steven Bellovin
s...@cs.columbia.edu wrote:
I don't know, if it is truly only a ten line change to a common
WPA2 driver to read, intercept and alter practically any traffic
on the network even
There is a claim of a flaw in WPA2-Enterprise -- see
http://wifinetnews.com/archives/2010/07/researchers_hints_8021x_wpa2_flaw.html
--Steve Bellovin, http://www.cs.columbia.edu/~smb
-
The Cryptography
On Jul 17, 2010, at 3:30 05PM, Taral wrote:
On Sat, Jul 17, 2010 at 7:41 AM, Paul Wouters p...@xelerance.com wrote:
Several are using old SHA-1 hashes...
old ?
old in that they are explicitly not recommended by the latest specs
I was looking at.
DNSSEC signatures do not need to have a
Folks on this list may be interested in a new tech report:
Shreyas Srivatsan, Maritza Johnson, and Steven M. Bellovin. Simple-VPN:
Simple IPsec configuration. Technical Report CUCS-020-10, Department of
Computer Science, Columbia University, July 2010.
http://www.technologyreview.com/blog/arxiv/25189/
Not at all to my surprise, they broke it by exploiting a difference between a
theoretical system and a real-world implementation.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
For years, there have been unverifiable statements in the press about assorted
hostile parties using steganography. There may now be a real incident -- or at
least, the FBI has stated in court documents that it happened.
According to the Justice Department
On Jul 9, 2010, at 1:55 12PM, Jonathan Katz wrote:
CTR mode seems a better choice here. Without getting too technical, security
of CTR mode holds as long as the IVs used are fresh whereas security of CBC
mode requires IVs to be random.
In either case, a problem with a short IV (no matter
While I'm quite skeptical that QKD will prove of practical use, I do think it's
worth investigating. The physics are nice, and it provides an interesting and
different way of thinking about cryptography. I think that there's a
non-trivial chance that it will some day give us some very
On Mar 23, 2010, at 11:21 AM, Perry E. Metzger wrote:
Ekr has an interesting blog post up on the question of whether protocol
support for periodic rekeying is a good or a bad thing:
http://www.educatedguesswork.org/2010/03/against_rekeying.html
I'd be interested in hearing what people
On Oct 24, 2009, at 5:31 PM, Jerry Leichter wrote:
The article at http://www.net-security.org/article.php?id=1322
claims that both are easily broken. I haven't been able to find any
public analyses of Keychain, even though the software is open-source
so it's relatively easy to check. I
On Sep 29, 2009, at 10:31 AM, Perry E. Metzger wrote:
Stephan Neuhaus neuh...@st.cs.uni-sb.de writes:
For business reasons,
Alice can't force Bob to use a particular TTA, and it's also
impossible to stipulate a particular TTA as part of the job
description (the reason is that Alice and the
Is there any way to use FileVault on MacOS except on home
directories? I don't much want to use it on my home directory; it
doesn't play well with Time Machine (remember that availability is
also a security property); besides, different directories of mine have
different sensitivity
Threat Level Privacy, Crime and Security Online
NSA-Intercepted E-Mails Helped Convict Would-Be Bombers
The three men convicted in the United Kingdom on Monday of a plot to
bomb several transcontinental flights were prosecuted in part using
crucial e-mail correspondences intercepted by the
On Aug 26, 2009, at 6:26 AM, Ben Laurie wrote:
On Mon, Aug 10, 2009 at 6:35 PM, Peter Gutmannpgut...@cs.auckland.ac.nz
wrote:
More generally, I can't see that implementing client-side certs
gives you much
of anything in return for the massive amount of effort required
because the
problem
David Kahn's Seizing the Enigma is back in print. However, it's
only available from Barnes and Noble -- their publishing arm is doing
the reprint. According to the preface, the new edition corrects minor
errors, but didn't give any details.
35 matches
Mail list logo