Re: Anyone know anything about the new ATT encrypted voice service?

2010-10-07 Thread Adam Shostack
On Wed, Oct 06, 2010 at 08:19:29PM -0400, Steven Bellovin wrote: | | On Oct 6, 2010, at 6:19 01PM, Perry E. Metzger wrote: | | ATT debuts a new encrypted voice service. Anyone know anything about | it? | | http://news.cnet.com/8301-13506_3-20018761-17.html | | (Hat tip to Jacob

Re: Haystack (helping dissidents?)

2010-09-28 Thread Adam Shostack
On Thu, Sep 16, 2010 at 04:49:19PM +, M.R. wrote: | I said (something like) this when Haystack first appeared on this | list... | | Words dissidents and oppressive regimes have no place in | serious discussions among cryptographers. Once we start assigning | ethical categorizations to those

Re: password safes for mac

2009-07-01 Thread Adam Shostack
On Tue, Jun 30, 2009 at 11:26:06AM -0500, Nicolas Williams wrote: | On Mon, Jun 29, 2009 at 11:29:48PM -0700, Jacob Appelbaum wrote: | This would be great if LoginWindow.app didn't store your unencrypted | login and password in memory for your entire session (including screen | lock, suspend to

Re: password safes for mac

2009-07-01 Thread Adam Shostack
On Wed, Jul 01, 2009 at 01:06:05PM -0500, Nicolas Williams wrote: | On Wed, Jul 01, 2009 at 12:32:40PM -0400, Perry E. Metzger wrote: | I think he's pointing out a more general problem. | | Indeed. IIRC, the Mac keychain uses your login password as its passphrase | by default, which means that

Re: password safes for mac

2009-07-01 Thread Adam Shostack
On Wed, Jul 01, 2009 at 12:32:40PM -0400, Perry E. Metzger wrote: | | Adam Shostack a...@homeport.org writes: | On Tue, Jun 30, 2009 at 11:26:06AM -0500, Nicolas Williams wrote: | | On Mon, Jun 29, 2009 at 11:29:48PM -0700, Jacob Appelbaum wrote: | | This would be great if LoginWindow.app

Re: password safes for mac

2009-06-28 Thread Adam Shostack
I'm using 1password, but mostly because of the UI, I haven't done a cryptanalysis of it. The wifi sync to the iphone is a little worrisome. Adam On Sat, Jun 27, 2009 at 09:57:39PM -0400, Perry E. Metzger wrote: | | Does anyone have a recommended encrypted password storage program for | the

Re: preparing a web 2.0 crypto talk

2009-02-14 Thread Adam Shostack
On Fri, Feb 13, 2009 at 08:08:34PM -0600, Travis wrote: | http://video.google.com/videoplay?docid=-5187022592682372937 | | It has a lot of similar material, but I think his talk is much better | because it goes into how it would actually be attacked. He also must | have powerpoint-fu whereas I'm

Re: Security by asking the drunk whether he's drunk

2008-12-23 Thread Adam Shostack
[Moderator's note: top posting and failing to trim what you're replying to are both considered bad form... --Perry] Peter, Do you have evidence of either Authenticode or business impersonation? I agree that they're highly plausible, but you say if the putative owner of an AuthentiCode

Re: once more, with feeling.

2008-09-08 Thread Adam Shostack
On Mon, Sep 08, 2008 at 04:16:46PM +0100, Darren J Moffat wrote: | | I believe the only way both of these highly dubious deployment practices | will be stamped out is when the browsers stop allowing users to see such | web pages. So that there becomes a directly attributable financial | impact

Re: Microsoft COFEE

2008-05-01 Thread Adam Shostack
My understanding, based mostly on what I've read in the press, is that COFFEE is a set of scripts that run existing tools, making it easier for law enforcement to do things which are already known to be possible. Note the words executing 150 separate commands, which, I think, would be odd if this

Re: 2008: The year of hack the vote?

2007-12-28 Thread Adam Shostack
On Wed, Dec 26, 2007 at 04:34:55PM -0500, [EMAIL PROTECTED] wrote: | Quoting my friend Marcus Ranum, the Internet | will remain as insecure as it can and still | apparently function. Why should voting be | different? Voting is different (by which I mean worse) because the requirements are hard.

Re: The bank fraud blame game

2007-07-02 Thread Adam Shostack
On Sun, Jul 01, 2007 at 04:01:03PM -0400, Perry E. Metzger wrote: | | Adam Shostack [EMAIL PROTECTED] writes: | On Mon, Jul 02, 2007 at 01:08:12AM +1200, Peter Gutmann wrote: | | Given that all you need for this is a glorified pocket calculator, | you could (in large enough quantities

Re: The bank fraud blame game

2007-07-02 Thread Adam Shostack
On Sun, Jul 01, 2007 at 11:09:16PM -0400, Leichter, Jerry wrote: | | | Given that all you need for this is a glorified pocket | | | calculator, you could (in large enough quantities) probably get | | | it made for $10, provided you shot anyone who tried to | | | introduce

Re: The bank fraud blame game

2007-07-01 Thread Adam Shostack
On Mon, Jul 02, 2007 at 01:08:12AM +1200, Peter Gutmann wrote: | | Given that all you need for this is a glorified pocket calculator, you could | (in large enough quantities) probably get it made for $10, provided you shot | anyone who tried to introduce product-deployment DoS mechanisms like

Re: 0wned .gov machines (was Re: Russian cyberwar against Estonia?)

2007-05-19 Thread Adam Shostack
On Sat, May 19, 2007 at 05:01:03PM -0400, Perry E. Metzger wrote: | | Trei, Peter [EMAIL PROTECTED] writes: | 1. Do you have any particular evidence that any significant | number of US .gov machines are bots? They may well be, just | I haven't heard this. | | I've heard nothing formal, but

Re: Banking Follies

2007-01-16 Thread Adam Shostack
On Sun, Jan 14, 2007 at 03:31:22PM -0500, Steven M. Bellovin wrote: | Anyway -- we're so focused in this group on the Internet that we | sometimes forget about physical world attacks. Theft of financial data | (and financial objects, such as checks and credit cards) from physical | mailboxes (or

Re: Can you keep a secret? This encrypted drive can...

2006-11-02 Thread Adam Shostack
On Tue, Oct 31, 2006 at 06:50:20PM -0500, Ivan Krstić wrote: | On the other hand, Vista is shipping with BitLocker enabled by default | in the upper editions (Enterprise or somesuch), and doesn't rely on Just a nit: as I understand things, Bitlocker is available, but not on, by default.

Re: Securely handling credit card transactions earns Blackboard kudos

2006-06-10 Thread Adam Shostack
Aren't these the same guys who sued a researcher to secure their systems? http://www.google.com/search?client=safari&rls=en&q=blackboard+billy+hoffman&ie=UTF-8&oe=UTF-8 On Sat, Jun 10, 2006 at 11:36:24AM -0600, Anne Lynn Wheeler wrote: | Securely handling credit card transactions earns Blackboard

Re: Face and fingerprints swiped in Dutch biometric passport crack (anothercard skim vulnerability)

2006-02-02 Thread Adam Shostack
On Wed, Feb 01, 2006 at 02:03:10PM -0500, [EMAIL PROTECTED] wrote: | Anne Lynn Wheeler pointed out: | | Face and fingerprints swiped in Dutch biometric passport crack | http://www.theregister.co.uk/2006/01/30/dutch_biometric_passport_crack/ | | Didn't the EU adopt the same design that the US

Re: browser vendors and CAs agreeing on high-assurance certificates

2005-12-18 Thread Adam Shostack
Higher assurance means that when the CA gets duped, it's even better for the phishers, because that nice, reassuring green bar will be there. To preserve the internet channel as a means of communicating with customers, we need to move to bookmarks, not email with clickable URLs. That method is a

Re: US Banks: Training the next generation of phishing victims

2005-10-12 Thread Adam Shostack
On Wed, Oct 12, 2005 at 09:36:58PM +1300, Peter Gutmann wrote: | | Can anyone who knows Javascript better than I do figure out what the mess of | script on those pages is doing? It looks like it's taking the username and | password and posting it to an HTTPS URL, but it's rather spaghetti-ish

Re: continuity of identity

2005-09-29 Thread Adam Shostack
On a somewhat related note, the other day, I was working on a shell script to automate Mac access to Google's Secure Access system. Now, as I did this, I was able to get curl to respect a single CA as the only CA it should accept, but I was totally unable to get any form of certificate

Re: An overview of cryptographic protocols to prevent spam

2005-09-26 Thread Adam Shostack
On Mon, Sep 26, 2005 at 09:28:19AM +0200, Amir Herzberg wrote: | John Gilmore wrote: | I wrote an overview of Cryptographic Protocols to Prevent Spam, | | I stopped reading on page V -- it was too painfully obvious that Amir | has bought into the whole censorship-list based anti-spam mentality.

Re: Clearing sensitive in-memory data in perl

2005-09-17 Thread Adam Shostack
On Sat, Sep 17, 2005 at 11:40:26AM -0400, Victor Duchovni wrote: | On Sat, Sep 17, 2005 at 11:53:20AM +0100, Ben Laurie wrote: | | My view is that C is fine, but it needs a real library and programmers | who learn C need to learn to use the real library, with the bare-metal | C-library used

Re: Clearing sensitive in-memory data in perl

2005-09-17 Thread Adam Shostack
On Sat, Sep 17, 2005 at 08:36:11PM +0100, Ben Laurie wrote: | Adam Shostack wrote: | On Sat, Sep 17, 2005 at 11:40:26AM -0400, Victor Duchovni wrote: | | On Sat, Sep 17, 2005 at 11:53:20AM +0100, Ben Laurie wrote: | | | | My view is that C is fine, but it needs a real library and programmers

Re: solving the wrong problem

2005-08-07 Thread Adam Shostack
Here's a thought: Putting up a beware of dog sign, instead of getting a dog. On Sun, Aug 07, 2005 at 09:10:51PM +0100, Dave Howe wrote: | Ilya Levin wrote: | John Denker [EMAIL PROTECTED] wrote: | | So, unless/until somebody comes up with a better metaphor, | I'd vote for one-picket fence. |

Re: the limits of crypto and authentication

2005-07-12 Thread Adam Shostack
On Tue, Jul 12, 2005 at 02:48:02PM -0700, Bill Stewart wrote: | At 09:29 PM 7/9/2005, Perry E. Metzger wrote: | The Blue Card, so far as I can tell, was poorly thought out beyond its | marketing potential. I knew some folks at Amex involved in the | development of the system, and I did not get the

Re: City National Bank is the latest major US company to admit it has lost customer data.

2005-07-11 Thread Adam Shostack
If anyone knows how many people this affected, I'd love to know. (I'm assuming it's their entire customer base) Adam On Mon, Jul 11, 2005 at 09:07:45AM -0600, Anne Lynn Wheeler wrote: | http://81.144.183.106/Articles/2005/07/11/210820/AnotherUSbanksownsuptodataloss.htm | | City National Bank

Re: Why Blockbuster looks at your ID.

2005-07-09 Thread Adam Shostack
On Fri, Jul 08, 2005 at 01:16:13PM -0400, Perry E. Metzger wrote: | | Dan Kaminsky [EMAIL PROTECTED] writes: | Credit card fraud has gone *down* since 1992, and is actually falling: | | 1992: $2.6B | 2003: $882M | 2004: $788M | | We're on the order of 4.7 cents on the $100. | |

Re: Why Blockbuster looks at your ID.

2005-07-09 Thread Adam Shostack
On Sun, Jul 10, 2005 at 12:13:42AM +0100, Peter Fairbrother wrote: | Perry E. Metzger wrote: | | A system in which the credit card was replaced by a small, calculator | style token with a smartcard style connector could effectively | eliminate most of the in person and over the net fraud we

Re: encrypted tapes (was Re: Papers about Algorithm hiding ?)

2005-06-13 Thread Adam Shostack
On Fri, Jun 10, 2005 at 01:11:45PM -0400, [EMAIL PROTECTED] wrote: | Ben Laurie wrote | Sure, but Equifax should. | | No, they shouldn't! If you think they should, you are misinformed. At | least in Canada, the Privacy Act protects the SIN, Equifax cannot demand | it. | See for example |

Re: encrypted tapes

2005-06-09 Thread Adam Shostack
On Thu, Jun 09, 2005 at 08:57:51AM +0100, [EMAIL PROTECTED] wrote: | | From: Perry E. Metzger [EMAIL PROTECTED] | | It is worse than that. At least one large accounting company sends new | recruits to a boot camp where they learn how to conduct security | audits by rote. They then send these

Re: Retailers Experiment With Biometric Payment article

2005-06-09 Thread Adam Shostack
On Thu, Jun 09, 2005 at 11:17:59AM -0400, Heyman, Michael wrote: | From | http://www.washingtonpost.com/wp-dyn/content/article/2005/06/08/AR2005060802335_pf.html: | share its biometric data with government agencies, and | in fact, the full fingerprints are not stored in the | system.

Re: encrypted tapes (was Re: Papers about Algorithm hiding ?)

2005-06-08 Thread Adam Shostack
On Wed, Jun 08, 2005 at 01:33:45PM -0400, [EMAIL PROTECTED] wrote: | | Ken Buchanan wrote: | There are a number of small companies making products that can encrypt | data in a storage infrastructure, including tape backups (full disclosure: | I work for one of those companies). The solutions

Re: Papers about Algorithm hiding ?

2005-06-07 Thread Adam Shostack
On Tue, Jun 07, 2005 at 05:41:12PM +0100, Ian G wrote: | | The difficulty here is that there is what we might call | the Choicepoint syndrome and then there is the | specific facts about the actual Choicepoint heist. | When I say Choicepoint I mean the former, and the | great long list of

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-06-02 Thread Adam Shostack
On Tue, May 31, 2005 at 06:43:56PM -0400, Perry E. Metzger wrote: | | Ian G [EMAIL PROTECTED] writes: | Perhaps you are unaware of it because no one has chosen to make you | aware of it. However, sniffing is used quite frequently in cases where | information is not properly protected. I've

Re: Traffic Analysis in the New York Times

2005-05-24 Thread Adam Shostack
On Mon, May 23, 2005 at 11:46:25AM -0400, Perry E. Metzger wrote: | | The original article has some nice diagrams, but unfortunately, | because of the NY Times' policies, the article won't be online in a | few days. The times is trying to address this for RSS readers. Aaron Swartz has some code

Re: Secure Science issues preview of their upcoming block cipher

2005-03-25 Thread Adam Shostack
Really? How does one go about proving the security of a block cipher? My understanding is that you, and others, perform attacks against it, and see how it holds up. Many of the very best minds out there attacked AES, so for your new CS2 cipher to be provably just as secure as AES-128, all those

Re: Encryption plugins for gaim

2005-03-20 Thread Adam Shostack
On Tue, Mar 15, 2005 at 09:33:51PM +0100, Jim Cheesman wrote: | Ian G wrote: | | Adam Fields wrote: | | Given what may or may not be recent ToS changes to the AIM service, | I've recently been looking into encryption plugins for gaim. | Specifically, I note gaim-otr, authored by Ian G, who's on

Re: A cool demo of how to spoof sites (also shows how TrustBar preventsthis...)

2005-02-09 Thread Adam Shostack
On Wed, Feb 09, 2005 at 07:41:36PM +0200, Amir Herzberg wrote: | Want to see a simple, working method to spoof sites, fooling | Mozilla/FireFox/... , even with an SSL certificate and `lock`? | | http://www.shmoo.com/idn/ | | See also: | |

Re: A cool demo of how to spoof sites (also shows how TrustBar preventsthis...)

2005-02-09 Thread Adam Shostack
On Wed, Feb 09, 2005 at 07:22:05PM +, Ian G wrote: | Adam Shostack wrote: | | Have you run end-user testing to demonstrate the user-acceptability of | Trustbar? | | | | Yes, this was asked over on the cap-talk list. | Below is what I posted there. I'm somewhat | sympathetic as doing

Re: Call For Papers : HITB Security Conference Bahrain 2005

2005-02-02 Thread Adam Shostack
Posting to Dave Aitel's DailyDave list, HD Moore complained that he had not been reimbursed for 2003. The organizers responded that payment is forthcoming. Richard Thieme suggested that the correct response is to ensure you put forth no money to speak at this event. On Tue, Feb 01, 2005 at

Re: Simson Garfinkel analyses Skype - Open Society Institute

2005-01-30 Thread Adam Shostack
On Sun, Jan 30, 2005 at 11:12:05AM -0500, John Kelsey wrote: | From: Adam Shostack [EMAIL PROTECTED] | Sent: Jan 29, 2005 12:45 PM | To: Mark Allen Earnest [EMAIL PROTECTED] | Cc: cryptography@metzdowd.com | Subject: Re: Simson Garfinkel analyses Skype - Open Society Institute | | But, given what

Re: Simson Garfinkel analyses Skype - Open Society Institute

2005-01-29 Thread Adam Shostack
On Fri, Jan 28, 2005 at 02:38:49PM -0500, Mark Allen Earnest wrote: | Adam Shostack wrote: | I hate arguing by analogy, but: VOIP is a perfectly smooth system. | Its lack of security features means there isn't even a ridge to trip | you up as you wiretap. Skype has some ridge. It may turn out

Re: Simson Garfinkel analyses Skype - Open Society Institute

2005-01-28 Thread Adam Shostack
On Thu, Jan 27, 2005 at 03:22:09PM -0800, David Wagner wrote: | Adam Shostack [EMAIL PROTECTED] writes: | On Mon, Jan 10, 2005 at 08:33:41PM -0800, David Wagner wrote: | | In article [EMAIL PROTECTED] you write: | | Voice Over Internet Protocol and Skype Security | | Is Skype secure

Re: Simson Garfinkel analyses Skype - Open Society Institute

2005-01-26 Thread Adam Shostack
On Mon, Jan 10, 2005 at 08:33:41PM -0800, David Wagner wrote: | In article [EMAIL PROTECTED] you write: | Voice Over Internet Protocol and Skype Security | Simson L. Garfinkel | http://www.soros.org/initiatives/information/articles_publications/articles/security_20050107/OSI_Skype5.pdf | | Is

Re: Where to get a Jefferson Wheel ?

2005-01-05 Thread Adam Shostack
I got mine in Secret Codes by Jackson. It's a cheap plastic model in a kids book. I didn't try to assemble the morse code thing, so can't comment on its quality. http://www.amazon.com/exec/obidos/tg/detail/-/0762413514/ Adam On Sun, Jan 02, 2005 at 12:59:14PM +0100, Hadmut Danisch wrote: |

Re: Blinky Rides Again: RCMP suspect al-Qaida messages

2004-12-11 Thread Adam Shostack
On Sat, Dec 11, 2004 at 10:24:09PM +0100, Florian Weimer wrote: | * R. A. Hettinga quotes a news article: | | There have been numerous media reports in recent years that terrorist | groups, including al-Qaida, were using steganographic techniques. | | As far as I know, these news stories can

Re: RSA Implementation in C language

2004-11-30 Thread Adam Shostack
http://www.homeport.org/~adam/crypto/ On Mon, Nov 29, 2004 at 01:47:05PM +0530, Sandeep N wrote: | Hi, | | Can anybody tell me where I can get an implementation of RSA | algorithm in C language? I searched for it, but could not locate one. | I would be grateful to you if you could give me the

Re: Are new passports [an] identity-theft risk?

2004-10-25 Thread Adam Shostack
On Sun, Oct 24, 2004 at 12:58:56AM -0400, Dave Emery wrote: | On Sat, Oct 23, 2004 at 03:23:21PM -0400, Adam Shostack wrote: | | The technology will mature *very* rapidly if Virginia makes their | driver's licenses RFID-enabled, or if the US goes ahead with the | passports. Why? Because

Re: Are new passports [an] identity-theft risk?

2004-10-23 Thread Adam Shostack
On Fri, Oct 22, 2004 at 11:01:16AM -0400, Whyte, William wrote: | | R.A. Hettinga wrote: | | http://worldnetdaily.com/news/printer-friendly.asp?ARTICLE_ID=41030 | |An engineer and RFID expert with Intel claims there is | little danger of | unauthorized people reading the new

Re: Academics locked out by tight visa controls

2004-09-22 Thread Adam Shostack
Hi Dan, Not Rome, but in Athens, Pericles said, in his funeral oration: The freedom which we enjoy in our democratic government extends also to our ordinary life. We throw open our city to the world, and never by alien acts exclude foreigners from any opportunity of learning or observing

Re: Academics locked out by tight visa controls

2004-09-20 Thread Adam Shostack
On Mon, Sep 20, 2004 at 10:03:57AM -0400, John Kelsey wrote: | Academics locked out by tight visa controls | U.S. SECURITY BLOCKS FREE EXCHANGE OF IDEAS | By Bruce Schneier | | I guess I've been surprised this issue hasn't seen a lot more | discussion. It takes nothing more than to look at the

Re: public-key: the wrong model for email?

2004-09-17 Thread Adam Shostack
On Thu, Sep 16, 2004 at 06:12:48PM +0100, Ian Grigg wrote: | Adam Shostack wrote: | Given our failure to deploy PKC in any meaningful way*, I think that | systems like Voltage, and the new PGP Universal are great. | | I think the consensus from debate back last year on | this group when Voltage

Re: public-key: the wrong model for email?

2004-09-16 Thread Adam Shostack
Given our failure to deploy PKC in any meaningful way*, I think that systems like Voltage, and the new PGP Universal are great. * I don't see Verisign's web server tax as meaningful; they accept no liability, and numerous companies foist you off to unrelated domains. We could get roughly the same

Re: Anyone Remember Zero Knowledge Systems?

2003-09-10 Thread Adam Shostack
On Wed, Sep 10, 2003 at 11:32:29AM -0400, R. A. Hettinga wrote: | http://www.cryptonomicon.net/modules.php?name=News&file=print&sid=455 | | Cryptonomicon.Net - | | Anyone Remember Zero Knowledge Systems? | Date: Wednesday, September 10 @ 11:15:00 EDT | Topic: Commercial Operations / Services

Re: Maybe It's Snake Oil All the Way Down

2003-06-02 Thread Adam Shostack
The assumption that having cracked a cipher leads to can make lots of money from the break is one held mostly by those who have never attacked real systems, which have evolved with lots of checks and balances. The very best way to make money from cracking ciphers seems to be to patent the break,