On Wed, Oct 06, 2010 at 08:19:29PM -0400, Steven Bellovin wrote:
|
| On Oct 6, 2010, at 6:19 01PM, Perry E. Metzger wrote:
|
| ATT debuts a new encrypted voice service. Anyone know anything about
| it?
|
| http://news.cnet.com/8301-13506_3-20018761-17.html
|
| (Hat tip to Jacob
On Thu, Sep 16, 2010 at 04:49:19PM +, M.R. wrote:
| I said (something like) this when Haystack first appeared on this
| list...
|
| Words dissidents and oppressive regimes have no place in
| serious discussions among cryptographers. Once we start assigning
| ethical categorizations to those
On Tue, Jun 30, 2009 at 11:26:06AM -0500, Nicolas Williams wrote:
| On Mon, Jun 29, 2009 at 11:29:48PM -0700, Jacob Appelbaum wrote:
| This would be great if LoginWindow.app didn't store your unencrypted
| login and password in memory for your entire session (including screen
| lock, suspend to
On Wed, Jul 01, 2009 at 01:06:05PM -0500, Nicolas Williams wrote:
| On Wed, Jul 01, 2009 at 12:32:40PM -0400, Perry E. Metzger wrote:
| I think he's pointing out a more general problem.
|
| Indeed. IIRC, the Mac keychain uses your login password as its passphrase
| by default, which means that
On Wed, Jul 01, 2009 at 12:32:40PM -0400, Perry E. Metzger wrote:
|
| Adam Shostack a...@homeport.org writes:
| On Tue, Jun 30, 2009 at 11:26:06AM -0500, Nicolas Williams wrote:
| | On Mon, Jun 29, 2009 at 11:29:48PM -0700, Jacob Appelbaum wrote:
| | This would be great if LoginWindow.app
I'm using 1password, but mostly because of the UI, I haven't done a
cryptanalysis of it. The wifi sync to the iphone is a little
worrisome.
Adam
On Sat, Jun 27, 2009 at 09:57:39PM -0400, Perry E. Metzger wrote:
|
| Does anyone have a recommended encrypted password storage program for
| the
On Fri, Feb 13, 2009 at 08:08:34PM -0600, Travis wrote:
| http://video.google.com/videoplay?docid=-5187022592682372937
|
| It has a lot of similar material, but I think his talk is much better
| because it goes into how it would actually be attacked. He also must
| have powerpoint-fu whereas I'm
[Moderator's note: top posting and failing to trim what you're
replying to are both considered bad form... --Perry]
Peter,
Do you have evidence of either Authenticode or business impersonation?
I agree that they're highly plausible, but you say if the putative
owner of an AuthentiCode
On Mon, Sep 08, 2008 at 04:16:46PM +0100, Darren J Moffat wrote:
|
| I believe the only way both of these highly dubious deployment practices
| will be stamped out is when the browsers stop allowing users to see such
| web pages. So that there becomes a directly attributable financial
| impact
My understanding, based mostly on what I've read in the press, is that
COFFEE is a set of scripts that run existing tools, making it easier
for law enforcement to do things which are already known to be
possible. Note the words executing 150 separate commands, which, I
think, would be odd if this
On Wed, Dec 26, 2007 at 04:34:55PM -0500, [EMAIL PROTECTED] wrote:
| Quoting my friend Marcus Ranum, the Internet
| will remain as insecure as it can and still
| apparently function. Why should voting be
| different?
Voting is different (by which I mean worse) because the requirements
are hard.
On Sun, Jul 01, 2007 at 04:01:03PM -0400, Perry E. Metzger wrote:
|
| Adam Shostack [EMAIL PROTECTED] writes:
| On Mon, Jul 02, 2007 at 01:08:12AM +1200, Peter Gutmann wrote:
|
| Given that all you need for this is a glorified pocket calculator,
| you could (in large enough quantities
On Sun, Jul 01, 2007 at 11:09:16PM -0400, Leichter, Jerry wrote:
| | | Given that all you need for this is a glorified pocket
| | | calculator, you could (in large enough quantities) probably get
| | | it made for $10, provided you shot anyone who tried to
| | | introduce
On Mon, Jul 02, 2007 at 01:08:12AM +1200, Peter Gutmann wrote:
|
| Given that all you need for this is a glorified pocket calculator, you could
| (in large enough quantities) probably get it made for $10, provided you shot
| anyone who tried to introduce product-deployment DoS mechanisms like
On Sat, May 19, 2007 at 05:01:03PM -0400, Perry E. Metzger wrote:
|
| Trei, Peter [EMAIL PROTECTED] writes:
| 1. Do you have any particular evidence that any significant
| number of US .gov machines are bots? They may well be, just
| I haven't heard this.
|
| I've heard nothing formal, but
On Sun, Jan 14, 2007 at 03:31:22PM -0500, Steven M. Bellovin wrote:
| Anyway -- we're so focused in this group on the Internet that we
| sometimes forget about physical world attacks. Theft of financial data
| (and financial objects, such as checks and credit cards) from physical
| mailboxes (or
On Tue, Oct 31, 2006 at 06:50:20PM -0500, Ivan Krstić wrote:
| On the other hand, Vista is shipping with BitLocker enabled by default
| in the upper editions (Enterprise or somesuch), and doesn't rely on
Just a nit: as I understand things, Bitlocker is available, but not
on, by default.
Aren't these the same guys who sued a researcher to secure their
systems?
http://www.google.com/search?client=safarirls=enq=blackboard+billy+hoffmanie=UTF-8oe=UTF-8
On Sat, Jun 10, 2006 at 11:36:24AM -0600, Anne Lynn Wheeler wrote:
| Securely handling credit card transactions earns Blackboard
On Wed, Feb 01, 2006 at 02:03:10PM -0500, [EMAIL PROTECTED] wrote:
| Anne Lynn Wheeler pointed out:
|
| Face and fingerprints swiped in Dutch biometric passport crack
| http://www.theregister.co.uk/2006/01/30/dutch_biometric_passport_crack/
|
| Didn't the EU adopt the same design that the US
Higher assurance means that when the CA gets duped, it's even better
for the phishers, because that nice, reassuring green bar will be
there.
To preserve the internet channel as a means of communicating with
customers, we need to move to bookmarks, not email with clickable
URLs. That method is a
On Wed, Oct 12, 2005 at 09:36:58PM +1300, Peter Gutmann wrote:
|
| Can anyone who knows Javascript better than I do figure out what the mess of
| script on those pages is doing? It looks like it's taking the username and
| password and posting it to an HTTPS URL, but it's rather spaghetti-ish
On a somewhat related note, the other day, I was working on a shell
script to automate Mac access to Google's Secure Access system.
Now, as I did this, I was able to get curl to respect a single CA as
the only CA it should accept, but I was totally unable to get any form
of certificate
On Mon, Sep 26, 2005 at 09:28:19AM +0200, Amir Herzberg wrote:
| John Gilmore wrote:
| I wrote an overview of Cryptographic Protocols to Prevent Spam,
|
| I stopped reading on page V -- it was too painfully obvious that Amir
| has bought into the whole censorship-list based anti-spam mentality.
On Sat, Sep 17, 2005 at 11:40:26AM -0400, Victor Duchovni wrote:
| On Sat, Sep 17, 2005 at 11:53:20AM +0100, Ben Laurie wrote:
|
| My view is that C is fine, but it needs a real library and programmers
| who learn C need to learn to use the real library, with the bare-metal
| C-library used
On Sat, Sep 17, 2005 at 08:36:11PM +0100, Ben Laurie wrote:
| Adam Shostack wrote:
| On Sat, Sep 17, 2005 at 11:40:26AM -0400, Victor Duchovni wrote:
| | On Sat, Sep 17, 2005 at 11:53:20AM +0100, Ben Laurie wrote:
| |
| | My view is that C is fine, but it needs a real library and programmers
Here's a thought:
Putting up a beware of dog sign, instead of getting a dog.
On Sun, Aug 07, 2005 at 09:10:51PM +0100, Dave Howe wrote:
| Ilya Levin wrote:
| John Denker [EMAIL PROTECTED] wrote:
|
| So, unless/until somebody comes up with a better metaphor,
| I'd vote for one-picket fence.
|
On Tue, Jul 12, 2005 at 02:48:02PM -0700, Bill Stewart wrote:
| At 09:29 PM 7/9/2005, Perry E. Metzger wrote:
| The Blue Card, so far as I can tell, was poorly thought out beyond its
| marketing potential. I knew some folks at Amex involved in the
| development of the system, and I did not get the
If anyone knows how many people this affected, I'd love to know. (I'm
assuming it's their entire customer base)
Adam
On Mon, Jul 11, 2005 at 09:07:45AM -0600, Anne Lynn Wheeler wrote:
|
http://81.144.183.106/Articles/2005/07/11/210820/AnotherUSbanksownsuptodataloss.htm
|
| City National Bank
On Fri, Jul 08, 2005 at 01:16:13PM -0400, Perry E. Metzger wrote:
|
| Dan Kaminsky [EMAIL PROTECTED] writes:
| Credit card fraud has gone *down* since 1992, and is actually falling:
|
| 1992: $2.6B
| 2003: $882M
| 2004: $788M
|
| We're on the order of 4.7 cents on the $100.
|
|
On Sun, Jul 10, 2005 at 12:13:42AM +0100, Peter Fairbrother wrote:
| Perry E. Metzger wrote:
|
| A system in which the credit card was replaced by a small, calculator
| style token with a smartcard style connector could effectively
| eliminate most of the in person and over the net fraud we
On Fri, Jun 10, 2005 at 01:11:45PM -0400, [EMAIL PROTECTED] wrote:
| Ben Laurie wrote
| Sure, but Equifax should.
|
| No, they shouldn't! If you think they should, you are misinformed. At
| least in Canada, the Privacy Act protects the SIN, Equifax cannot demand
| it.
| See for example
|
On Thu, Jun 09, 2005 at 08:57:51AM +0100, [EMAIL PROTECTED] wrote:
|
| From: Perry E. Metzger [EMAIL PROTECTED]
|
| It is worse than that. At least one large accounting company sends new
| recruits to a boot camp where they learn how to conduct security
| audits by rote. They then send these
On Thu, Jun 09, 2005 at 11:17:59AM -0400, Heyman, Michael wrote:
| From
| http://www.washingtonpost.com/wp-dyn/content/article/2005/06/08/AR20050
| 60802335_pf.html:
| share its biometric data with government agencies, and
| in fact, the full fingerprints are not stored in the
| system.
On Wed, Jun 08, 2005 at 01:33:45PM -0400, [EMAIL PROTECTED] wrote:
|
| Ken Buchanan wrote:
| There are a number of small companies making products that can encrypt
| data in a storage infrastructure, including tape backups (full disclosure:
| I work for one of those companies). The solutions
On Tue, Jun 07, 2005 at 05:41:12PM +0100, Ian G wrote:
|
| The difficulty here is that there is what we might call
| the Choicepoint syndrome and then there is the
| specific facts about the actual Choicepoint heist.
| When I say Choicepoint I mean the former, and the
| great long list of
On Tue, May 31, 2005 at 06:43:56PM -0400, Perry E. Metzger wrote:
|
| Ian G [EMAIL PROTECTED] writes:
| Perhaps you are unaware of it because no one has chosen to make you
| aware of it. However, sniffing is used quite frequently in cases where
| information is not properly protected. I've
On Mon, May 23, 2005 at 11:46:25AM -0400, Perry E. Metzger wrote:
|
| The original article has some nice diagrams, but unfortunately,
| because of the NY Times' policies, the article won't be online in a
| few days.
The Times is trying to address this for RSS readers. Aaron Swartz has
some code
Really? How does one go about proving the security of a block cipher?
My understanding is that you, and others, perform attacks against it,
and see how it holds up. Many of the very best minds out there
attacked AES, so for your new CS2 cipher to be provably just as
secure as AES-128, all those
On Tue, Mar 15, 2005 at 09:33:51PM +0100, Jim Cheesman wrote:
| Ian G wrote:
|
| Adam Fields wrote:
|
| Given what may or may not be recent ToS changes to the AIM service,
| I've recently been looking into encryption plugins for gaim.
| Specifically, I note gaim-otr, authored by Ian G, who's on
On Wed, Feb 09, 2005 at 07:41:36PM +0200, Amir Herzberg wrote:
| Want to see a simple, working method to spoof sites, fooling
| Mozilla/FireFox/... , even with an SSL certificate and `lock`?
|
| http://www.shmoo.com/idn/
|
| See also:
|
|
On Wed, Feb 09, 2005 at 07:22:05PM +, Ian G wrote:
| Adam Shostack wrote:
|
| Have you run end-user testing to demonstrate the user-acceptability of
| Trustbar?
|
|
|
| Yes, this was asked over on the cap-talk list.
| Below is what I posted there. I'm somewhat
| sympathetic as doing
Posting to Dave Aitel's DailyDave list, HD Moore complained that he
had not been reimbursed for 2003. The organizers responded that
payment is forthcoming. Richard Thieme suggested that the correct
response is to ensure you put forth no money to speak at this event.
On Tue, Feb 01, 2005 at
On Sun, Jan 30, 2005 at 11:12:05AM -0500, John Kelsey wrote:
| From: Adam Shostack [EMAIL PROTECTED]
| Sent: Jan 29, 2005 12:45 PM
| To: Mark Allen Earnest [EMAIL PROTECTED]
| Cc: cryptography@metzdowd.com
| Subject: Re: Simson Garfinkel analyses Skype - Open Society Institute
|
| But, given what
On Fri, Jan 28, 2005 at 02:38:49PM -0500, Mark Allen Earnest wrote:
| Adam Shostack wrote:
| I hate arguing by analogy, but: VOIP is a perfectly smooth system.
| Its lack of security features means there isn't even a ridge to trip
| you up as you wiretap. Skype has some ridge. It may turn out
On Thu, Jan 27, 2005 at 03:22:09PM -0800, David Wagner wrote:
| Adam Shostack [EMAIL PROTECTED] writes:
| On Mon, Jan 10, 2005 at 08:33:41PM -0800, David Wagner wrote:
| | In article [EMAIL PROTECTED] you write:
| | Voice Over Internet Protocol and Skype Security
| | Is Skype secure
On Mon, Jan 10, 2005 at 08:33:41PM -0800, David Wagner wrote:
| In article [EMAIL PROTECTED] you write:
| Voice Over Internet Protocol and Skype Security
| Simson L. Garfinkel
|
http://www.soros.org/initiatives/information/articles_publications/articles/security_20050107/OSI_Skype5.pdf
|
| Is
I got mine in Secret Codes by Jackson. It's a cheap plastic model
in a kids book. I didn't try to assemble the morse code thing, so
can't comment on its quality.
http://www.amazon.com/exec/obidos/tg/detail/-/0762413514/
Adam
On Sun, Jan 02, 2005 at 12:59:14PM +0100, Hadmut Danisch wrote:
|
On Sat, Dec 11, 2004 at 10:24:09PM +0100, Florian Weimer wrote:
| * R. A. Hettinga quotes a news article:
|
| There have been numerous media reports in recent years that terrorist
| groups, including al-Qaida, were using steganographic techniques.
|
| As far as I know, these news stories can
http://www.homeport.org/~adam/crypto/
On Mon, Nov 29, 2004 at 01:47:05PM +0530, Sandeep N wrote:
| Hi,
|
| Can anybody tell me where I can get an implementation of RSA
| algorithm in C language? I searched for it, but could not locate one.
| I would be grateful to you if you could give me the
On Sun, Oct 24, 2004 at 12:58:56AM -0400, Dave Emery wrote:
| On Sat, Oct 23, 2004 at 03:23:21PM -0400, Adam Shostack wrote:
|
| The technology will mature *very* rapidly if Virginia makes their
| driver's licenses RFID-enabled, or if the US goes ahead with the
| passports. Why? Because
On Fri, Oct 22, 2004 at 11:01:16AM -0400, Whyte, William wrote:
|
| R.A. Hettinga wrote:
|
| http://worldnetdaily.com/news/printer-friendly.asp?ARTICLE_ID=41030
|
|An engineer and RFID expert with Intel claims there is
| little danger of
| unauthorized people reading the new
Hi Dan,
Not Rome, but in Athens, Pericles said, in his funeral oration:
The freedom which we enjoy in our democratic government extends also
to our ordinary life. We throw open our city to the world, and never
by alien acts exclude foreigners from any opportunity of learning or
observing
On Mon, Sep 20, 2004 at 10:03:57AM -0400, John Kelsey wrote:
| Academics locked out by tight visa controls
| U.S. SECURITY BLOCKS FREE EXCHANGE OF IDEAS
| By Bruce Schneier
|
| I guess I've been surprised this issue hasn't seen a lot more
| discussion. It takes nothing more than to look at the
On Thu, Sep 16, 2004 at 06:12:48PM +0100, Ian Grigg wrote:
| Adam Shostack wrote:
| Given our failure to deploy PKC in any meaningful way*, I think that
| systems like Voltage, and the new PGP Universal are great.
|
| I think the consensus from debate back last year on
| this group when Voltage
Given our failure to deploy PKC in any meaningful way*, I think that
systems like Voltage, and the new PGP Universal are great.
* I don't see Verisign's web server tax as meaningful; they accept no
liability, and numerous companies foist you off to unrelated domains.
We could get roughly the same
On Wed, Sep 10, 2003 at 11:32:29AM -0400, R. A. Hettinga wrote:
| http://www.cryptonomicon.net/modules.php?name=Newsfile=printsid=455
|
| Cryptonomicon.Net -
|
| Anyone Remember Zero Knowledge Systems?
| Date: Wednesday, September 10 @ 11:15:00 EDT
| Topic: Commercial Operations / Services
The assumption that having cracked a cipher leads to can make lots
of money from the break is one held mostly by those who have never
attacked real systems, which have evolved with lots of checks and
balances.
The very best way to make money from cracking ciphers seems to be to
patent the break,