On Aug 10, 2011, at 10:12 AM, Perry E. Metzger wrote:
Today's XKCD is on password strength. The advice it gives is pretty
good in principle...
http://xkcd.com/936/
You still need a password manager to remember which of the dozens of
easily-remembered passwords you used, so you might as
On Wed, Sep 15, 2010 at 03:16:34AM -0700, Jacob Appelbaum wrote:
[...]
What Steve has written is mostly true - though I was not working alone,
we did it in an afternoon. It took quite a bit of effort to get Haystack
to take this seriously. Eventually, there was an internal mutiny because
of a
On Sat, Jul 31, 2010 at 12:32:39PM -0400, Perry E. Metzger wrote:
[...]
3 Any security system that demands that users be educated,
i.e. which requires that users make complicated security decisions
during the course of routine work, is doomed to fail.
[...]
I would amend this to say which
On Mon, Aug 02, 2010 at 04:55:04PM +0100, Adrian Hayter wrote:
In a related story, hacker Chris Paget created his own cell-phone base
station that turned off encryption on all devices connecting to it. The
station then routes the calls through VoIP.
I'm looking for a best practices guide (for a system architecture) or
case studies for how best to handle storing and using 3rd party
passwords.
Specifically, I'm interested in the case where a program or service
needs to store a password in such a way that it can be used (presented
to another
On Mon, Sep 21, 2009 at 04:57:56PM -0400, Steven Bellovin wrote:
Is there any way to use FileVault on MacOS except on home
directories? I don't much want to use it on my home directory; it
doesn't play well with Time Machine (remember that availability is
also a security property);
On Tue, Mar 03, 2009 at 12:26:32PM -0500, Perry E. Metzger wrote:
Quoting:
A federal judge has ordered a criminal defendant to decrypt his
hard drive by typing in his PGP passphrase so prosecutors can view
the unencrypted files, a ruling that raises serious concerns about
On Tue, Mar 03, 2009 at 01:20:22PM -0500, Perry E. Metzger wrote:
Adam Fields cryptography23094...@aquick.org writes:
The privacy issues are troubling, of course, but it would seem trivial
to bypass this sort of compulsion by having the disk encryption
software allow multiple passwords
On Fri, Feb 13, 2009 at 11:24:35AM -0500, Steven M. Bellovin wrote:
Counter Terror Expo: News of a possible viable business model for P2P
VoIP network Skype emerged today, at the Counter Terror Expo in London.
An industry source disclosed that America's supersecret National
Security Agency
On Mon, Aug 18, 2008 at 10:16:02AM -0700, Paul Hoffman wrote:
[...]
Essentially no one would argue that it is quite expensive. I
suspect that nearly everyone in the country would be happy to pay an
additional $1/election for more reliable results.
Without seeing all of the expense (and
I didn't see Ben forward this himself, but it's definitely relevant to
the discussion of malware hiding in hardware:
Without needlessly boring everyone with the various steps, allow me to
share an interesting observation: drivers often assume the hardware is
misbehaved but never malicious. It is
On Sat, Apr 26, 2008 at 02:33:11AM -0400, Karsten Nohl wrote:
[...]
Assuming that hardware backdoors can be built, the interesting question
becomes how to defeat against them. Even after a particular triggering
string is identified, it is not clear whether software can be used to
detect
On Tue, Jul 11, 2006 at 01:02:27PM -0400, Leichter, Jerry wrote:
[...]
Business ultimately depends on trust. There's some study out there -
I don't recall a reference - that basically finds that the level of
trust is directly related to the level of economic success of an
economy. There are
On Thu, Mar 23, 2006 at 09:30:30AM -0500, Perry E. Metzger wrote:
A while ago, you may recall that members of the Greek government were
wiretapped, and at the time, I speculated that the bad guys may have
abused the built in CALEA software in the switch to do it. Well, it
now appears that that
On Thu, Jan 26, 2006 at 06:09:52PM -0800, bear wrote:
[...]
Of course, the obvious application for this OTP material,
other than text messaging itself, is to use it for key
distribution.
Perhaps I missed something, but my impression was that the original
post asked about how a CD full of
On Sun, Dec 18, 2005 at 07:55:57PM -0500, Steven M. Bellovin wrote:
[...]
The Court also noted that Congress rejected an amendment which would
have authorized such governmental seizures in cases of emergency.
Given that the Patriot Act did amend various aspects of the wiretap
statute, it's
On Wed, Aug 10, 2005 at 04:11:31PM +0200, Florian Weimer wrote:
* Perry E. Metzger:
A major identity theft ring has been discovered that affects up to 50
banks, according to Sunbelt Software, the security company that says
it uncovered the operation. The operation, which is
On Wed, Aug 10, 2005 at 01:24:07PM -0400, Perry E. Metzger wrote:
Thought this would be of some interest. Unfortunately, the article
will not be visible after a few days, thanks to the NY Times'
policies, and can only be viewed if you register. :(
WASHINGTON | August 10, 2005
Hurdles
On Mon, Jul 11, 2005 at 09:37:36PM +, Jason Holt wrote:
I remember the first time a site asked for the number on the back of my
credit card. It was a Walmart or Amazon purchase, and with no warning they
redirected me to some site with a questionable domain. I thought for sure
my
On Fri, Jul 08, 2005 at 12:19:38PM -0400, Perry E. Metzger wrote:
[...]
Actually, the people who would have to pay the investment -- the banks
and merchants -- have an excellent incentive. The loss because of
fraud is stunningly large. The real issue is that *consumers* have
little incentive
On Sat, May 28, 2005 at 10:47:56AM -0700, James A. Donald wrote:
[..]
With bank web sites, experience has shown that only 0.3%
of users are deterred by an invalid certificate,
probably because very few users have any idea what a
certificate authority is, what it does, or why they
should
On Tue, Mar 15, 2005 at 12:54:19PM -0600, Peter Saint-Andre wrote:
Why not help us make Jabber/XMPP more secure, rather than overloading
AIM? With AIM/MSN/Yahoo your account will always exist at the will of
Unfortunately, I already have a large network of people who use AIM,
and they all each
On Tue, Mar 15, 2005 at 02:47:35PM -0500, Ian Goldberg wrote:
this is actually a very good solution for
me. The only thing I don't like about it is that it stores the private
key on your machine. I understand why that is, but it also means that
if you switch machines with the same login
On Thu, Feb 10, 2005 at 06:24:46PM -0500, Steven M. Bellovin wrote:
[...]
One member of this mailing list, in a private exchange, noted that
he had asked his bank for their certificate's fingerprint. My
response was that I was astonished he found someone who knew what
he was talking about.
Tal Garfinkel (related to Simpson?) is a Stanford PhD student who has
put together a working model for tracking tainted data stored in RAM
in various popular applications.
This is the first mention I've seen of this - interesting stuff.
http://www.newscientist.com/news/news.jsp?id=ns5064
On Sat, Jun 05, 2004 at 10:06:20AM +0530, Udhay Shankar N wrote:
Citibank in India experimented with a special case of this a few years ago
- online credit cards - basically, a credit card number valid for one use
only, which would be ideal for online purchasing.
IIRC, the offering was
On Thu, May 20, 2004 at 10:07:43AM -0400, R. A. Hettinga wrote:
[...]
yahoo draft internet standard for using DNS as a public key server
http://www.ietf.org/internet-drafts/draft-delany-domainkeys-base-00.txt
This sounds quite a lot like the ideas outlined in a paper I
co-authored in 1995,
On Fri, Apr 09, 2004 at 12:46:47PM -0400, Perry E. Metzger wrote:
I think that those that advocate cryptographic protocols to ensure
voting security miss the point entirely.
[...]
I'm a technophile. I've loved technology all my life. I'm also a
security professional, and I love a good
to verify a cert? I've done an informal survey of
a few financial institutions whose sites use SSL, and the number of
them that were able to provide me with a fingerprint over the phone
was exactly zero.
--
- Adam
-
Adam Fields, Managing Partner, [EMAIL PROTECTED