Re: Anyone know anything about the new AT&T encrypted voice service?

2010-10-07 Thread Adam Shostack
On Wed, Oct 06, 2010 at 08:19:29PM -0400, Steven Bellovin wrote:
| 
| On Oct 6, 2010, at 6:19 01PM, Perry E. Metzger wrote:
| 
|  AT&T debuts a new encrypted voice service. Anyone know anything about
|  it?
|  
|  http://news.cnet.com/8301-13506_3-20018761-17.html
|  
|  (Hat tip to Jacob Applebaum's twitter feed.)
|  
| 
| http://www.att.com/gen/press-room?pid=18624&cdvn=news&newsarticleid=31260&mapcode=enterprise
| says a bit more.
| 

I've posted some thoughts on this, along with its relevance to the
freedom-to-tinker/jailbreak/generativity debates at
http://emergentchaos.com/archives/2010/10/att-voice-encryption-and-trust.html

Adam

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com


Re: Haystack (helping dissidents?)

2010-09-28 Thread Adam Shostack
On Thu, Sep 16, 2010 at 04:49:19PM +, M.R. wrote:
| I said (something like) this when Haystack first appeared on this
| list...
| 
| Words "dissidents" and "oppressive regimes" have no place in
| serious discussions among cryptographers. Once we start assigning
| ethical categorizations to those that protect and those that attack
| (data files, communications channels, etc.) we are watering the
| garden in which the weeds like Haystack flourish.

Declarations about the appropriateness of the language of others have
no place in serious discussions among cryptographers.  Once we start
assigning ethical categorizations to words, we are watering the garden
in which flamewars flourish.





Re: password safes for mac

2009-07-01 Thread Adam Shostack
On Tue, Jun 30, 2009 at 11:26:06AM -0500, Nicolas Williams wrote:
| On Mon, Jun 29, 2009 at 11:29:48PM -0700, Jacob Appelbaum wrote:
|  This would be great if LoginWindow.app didn't store your unencrypted
|  login and password in memory for your entire session (including screen
|  lock, suspend to ram and hibernate).
|  
|  I keep hearing that Apple will close my bug about this and they keep
|  delaying. I guess they use the credentials in memory for some things
|  where they don't want to bother the user (!) but they still want to be
|  able to elevate privileges.
| 
| Suppose a user's Kerberos credentials are about to expire.  What to do?

What fraction of mac users are using Kerberos?  

Adam



Re: password safes for mac

2009-07-01 Thread Adam Shostack
On Wed, Jul 01, 2009 at 01:06:05PM -0500, Nicolas Williams wrote:
| On Wed, Jul 01, 2009 at 12:32:40PM -0400, Perry E. Metzger wrote:
|  I think he's pointing out a more general problem.
| 
| Indeed.  IIRC, the Mac keychain uses your login password as its passphrase
| by default, which means that to keep your keychain unlocked requires
| either keeping the password around (bad), keeping the keys in cleartext
| around (worse?), or prompting for the password/passphrase every time
| they are needed (unusable).
| 
| This applies to ssh-agent, the GNOME keychain, etcetera.  It also
| applies to distributed authentication systems with password-based
| options, like Kerberos.

As I understand things (and I'm no expert in MacOS internals)
LoginWindow is a mandatory process, those others are optional and
configurable.  I keep keychain and 1password on short leashes, which
may not matter at all from the perspective of a sneaky trojan which
waits around and then grabs the data, but makes me feel better.

Adam
#include <stddisclaimer.h>



Re: password safes for mac

2009-07-01 Thread Adam Shostack
On Wed, Jul 01, 2009 at 12:32:40PM -0400, Perry E. Metzger wrote:
| 
| Adam Shostack a...@homeport.org writes:
|  On Tue, Jun 30, 2009 at 11:26:06AM -0500, Nicolas Williams wrote:
|  | On Mon, Jun 29, 2009 at 11:29:48PM -0700, Jacob Appelbaum wrote:
|  |  This would be great if LoginWindow.app didn't store your unencrypted
|  |  login and password in memory for your entire session (including screen
|  |  lock, suspend to ram and hibernate).
|  |  
|  |  I keep hearing that Apple will close my bug about this and they keep
|  |  delaying. I guess they use the credentials in memory for some things
|  |  where they don't want to bother the user (!) but they still want to be
|  |  able to elevate privileges.
|  | 
|  | Suppose a user's Kerberos credentials are about to expire.  What to do?
| 
|  What fraction of mac users are using Kerberos?  
| 
| I think he's pointing out a more general problem.

Sure.  The problem with general problems is you can't solve them or
make tradeoffs around them.  You have to delve into each and say "what
can we do about this?" and "how much engineering weight should we give
this?"  In the case of Kerberos, I would venture to guess that it's
pretty low.  In which case, I think Apple might go back to Jake's
security issue with LoginWindow, and ask if the Kerberos issue is
reason enough to keep the behavior as is.

Obviously, there's a tradeoff for Apple here, and Apple has people who
have dug into the problem.  Those folks may well have good reasons to
keep things as they are.  From my seat as an Apple customer, I don't
understand those reasons, and the example given seems unlikely to be
important.  So I asked for more detail.

Adam
(Not speaking for my employer)



Re: password safes for mac

2009-06-28 Thread Adam Shostack
I'm using 1password, but mostly because of the UI; I haven't done a
cryptanalysis of it.  The wifi sync to the iphone is a little
worrisome.

Adam

On Sat, Jun 27, 2009 at 09:57:39PM -0400, Perry E. Metzger wrote:
| 
| Does anyone have a recommended encrypted password storage program for
| the mac?
| 
| Perry
| 



Re: preparing a web 2.0 crypto talk

2009-02-14 Thread Adam Shostack
On Fri, Feb 13, 2009 at 08:08:34PM -0600, Travis wrote:
| http://video.google.com/videoplay?docid=-5187022592682372937
| 
| It has a lot of similar material, but I think his talk is much better
| because it goes into how it would actually be attacked.  He also must
| have powerpoint-fu whereas I'm using lyx
| 
| Any opinions?

If his talk is already better, why don't you ask if you can use his
deck?  It seems foolish to reinvent the wheel, poorly, and doubly so
when you know you're doing that.




Re: Security by asking the drunk whether he's drunk

2008-12-23 Thread Adam Shostack
[Moderator's note: top posting and failing to trim what you're
replying to are both considered bad form... --Perry]

Peter,

Do you have evidence of either Authenticode or business impersonation?
I agree that they're highly plausible, but you say "if the putative
owner of an AuthentiCode certificate used to sign a piece of malware
is ever tracked down then it's invariably some innocent victim
somewhere..." which would indicate that there are several of these
reported on.  (Using 'reporting' in its English, not academic sense.)

Ditto with the business impersonation.  I'd like stories, I'd be
ecstatic with a frequency analysis that I could show to people.

Adam
Out of my own curiosity only, not speaking for my employer or yours.


On Mon, Dec 22, 2008 at 01:18:31AM +1300, Peter Gutmann wrote:
| I recently had an opportunity to talk to someone who had had a family member
| become a victim of identity fraud, not in the usual manner to target them
| directly but as a springboard to target others by registering a phishing site
| in their name.  Variations on this theme include using stolen identities to
| buy code-signing certificates for malware and a variety of other end-runs
| around identity-based accountability mechanisms.  The problem here is the fact
| that the market is so awash with stolen identities that vendors have to sell
| them in bulk lots just to turn a profit.  In other words a system designed to
| defeat the problem of identity theft relies on the flawless functioning of a
| global identity-based accountability infrastructure in order to work, a
| classic catch22-situation.  If it's possible to buy stolen identities with
| almost arbitrary amounts of accompanying verification data to authenticate
| them for purposes of financial fraud:
| 
|   We sell all you need to hack, shop & cashout.
|   CardTipe / * CC Name / * CC Number / * CC Expiry / * CVV2 / * CC PIN
|   First & Last Names / * Address & City / * State & Zip/Postal code / *
|   Country (US) / * Phone #
|   MMN [Mother's maiden name] / * SSN [Social security number] / * DOB
| [Date of birth]
|   Bank Acc No / * Bank Routine [Routing] No
| 
|   On our forum you can buy:
|   Active eBay accounts with as many positive feedbacks as you need
|   Active and wealthy PayPal accounts
|   PINs for prepaided AT&T and Sprint phone cards
|   Carded Western Union accounts for safe and quick money transfers
|   Carded UPS and FedEx accounts for quick and free worldwide shipping of
| your stuff
|   Full info including Social Security Info, Driver Licence #, Mother'
| Maiden Name and much more
|   Come and register today and get a bonus by your choice:
|   One Citybank account with online access with 3k on board, or 5
| COB' cards with 5k credit line
| 10 eBay active eBay accounts with 100+ positive feedbacks
| 25 Credit Cards with PINs for online carding
| 
| then it's just as easy to turn those identities towards facilitating further
| identity fraud, and indeed it's become pretty much standard practice to
| register fraudulent domains and buy fraudulent X.509 certificates with stolen
| credentials paid for with stolen financial information.  As a result, if the
| putative owner of an AuthentiCode certificate used to sign a piece of malware
| is ever tracked down then it's invariably some innocent victim somewhere,
| possibly someone who doesn't even use a computer.  Even the argument that at
| least the signed malware allows for the use of CRLs to disable it falls flat
| when you consider the difference in speed between having the malware
| identified and blocked by anti-virus software and the ponderous delays of the
| CRL issue process, assuming that the end-user software even checks them.
| 
| Another online fraud technique that's seen use in some countries, although
| it's not widespread because it's still much easier to do the same thing via
| less labour-intensive means, is to use stolen credentials to establish an
| online presence for an existing business with a good credit history, use it
| for whatever fraud you want to perpetrate, and then vanish before anyone's the
| wiser, for example before the end of the monthly billing cycle when the real
| business either gets sent paperwork that it isn't expecting or doesn't get
| sent paperwork that it is.  Since this is borrowing the identity of a bona
| fide business rather than an individual, there's almost no way to catch such
| problems because any (rational) amount of checking will simply confirm that
| it's a long-established legitimate business.  This type of fraud could
| probably even defeat the verification used for EV certificates (at least as
| set out in the guidelines published by some CAs), although at the moment it's
| entirely unnecessary since it's possible to achieve the same ends through far
| less laborious means.
| 
| This is a classic case of asking the drunk whether he's drunk - a system
| rampant with identity fraud is expected to function as the basis 

Re: once more, with feeling.

2008-09-08 Thread Adam Shostack
On Mon, Sep 08, 2008 at 04:16:46PM +0100, Darren J Moffat wrote:
| 
| I believe the only way both of these highly dubious deployment practices 
| will be stamped out is when the browsers stop allowing users to see such 
| web pages. So that there becomes a directly attributable financial 
| impact to the sites that deploy in that way.
| 
| As much as I like Firefox & Safari [ the only two browsers I use now ] 
| this has to be led by Microsoft with Internet Explorer since that will 
| have the biggest impact, given IE 8 is in beta this seems like a perfect 
| opportunity to get this in as a change for the next version.

Not speaking for my employer here.

Most browser vendors try to display pages as best they can.  Both end
users and businesses get very upset at browser makers who push
security improvements by breaking existing practices.

If such changes were to happen, then they should either be emergency
(seems unlikely, given how long this has been around) or planned and
communicated.  Adding something high impact after beta 2 doesn't seem
like good communication.

What makes now the perfect time to address an issue which has been
present for quite some time?

Adam



Re: Microsoft COFEE

2008-05-01 Thread Adam Shostack
My understanding, based mostly on what I've read in the press, is that
COFEE is a set of scripts that run existing tools, making it easier
for law enforcement to do things which are already known to be
possible.  Note the words "executing 150 separate commands", which, I
think, would be odd if this was something other than scripts, but
appear in a lot of the news stories.

For example, I believe that there are several freely available
password cracking tools and some commercial ones. For example, you can
order John the Ripper to decrypt a system password on some operating
systems.  I have no idea if a password cracker is included.

Speaking for me.

Adam

On Wed, Apr 30, 2008 at 03:36:28PM -0400, Arshad Noor wrote:
| It can be ordered to decrypt system passwords???  So, I wonder
| what attackers can do with this...
| 
| Arshad Noor
| StrongAuth, Inc.
| 
| Microsoft revealed its development of a digital forensic analysis toolkit at 
| a security conference yesterday as part of a wider discussion of how technology 
| can be used to fight crime. The Computer Online Forensic Evidence Extractor, or 
| COFEE for short, is a USB thumb drive that contains software capable of 
| executing approximately 150 separate commands. Once plugged in, COFEE can be 
| ordered to decrypt system passwords, display a history of internet activity, 
| and search the system for evidence
| 
| 
| http://arstechnica.com/news.ars/post/20080429-new-microsoft-law-enforcement-tool-bypasses-pc-security.html
| 



Re: 2008: The year of hack the vote?

2007-12-28 Thread Adam Shostack
On Wed, Dec 26, 2007 at 04:34:55PM -0500, [EMAIL PROTECTED] wrote:
| Quoting my friend Marcus Ranum, the Internet
| will remain as insecure as it can and still
| apparently function.  Why should voting be
| different?

Voting is different (by which I mean worse) because the requirements
are hard.

Should voters and ballots be identified? Should you be required to
show up in person? What about confirmability? How important is that
versus usability?

Electronic commerce, by comparison, is a walk in the park.

Adam



Re: The bank fraud blame game

2007-07-02 Thread Adam Shostack
On Sun, Jul 01, 2007 at 04:01:03PM -0400, Perry E. Metzger wrote:
| 
| Adam Shostack [EMAIL PROTECTED] writes:
|  On Mon, Jul 02, 2007 at 01:08:12AM +1200, Peter Gutmann wrote:
|   
|   Given that all you need for this is a glorified pocket calculator,
|   you could (in large enough quantities) probably get it made for 
|   < $10, provided you shot anyone who tried to introduce
|   product-deployment DoS mechanisms like smart cards and EMV into
|   the picture.  Now all we need to do is figure out how to get there
|   from here.
| 
|  I'd suggest starting from the deployment, training, and help desk
|  costs.  The technology is free, getting users to use it is not.  I
|  helped several banks look at this stuff in the late 90s, when cost of
|  a smartcard reader was order ~25, and deployment costs were estimated
|  at $100, and help desk at $50/user/year.
| 
| Of course, given the magnitude of costs of fraud, and where it may be
| heading in the near term, the $50 a year may be well spent, especially
| if it could be cut to $25 with some UI investment. It is all a
| question of whether you'd rather pay up front with the security
| apparatus or after the fact in fraud costs...

It may be, indeed.  You're going (as Lynn pointed out in another post)
to be fighting an uphill battle against the last attempts.  I don't
think smartcards (per se) are the answer.  What you really need is
something like a palm pilot, with screen and input and a reasonably
trustworthy OS, along with (as you say) the appropriate UI investment.

Adam



Re: The bank fraud blame game

2007-07-02 Thread Adam Shostack
On Sun, Jul 01, 2007 at 11:09:16PM -0400, Leichter, Jerry wrote:
| | |   Given that all you need for this is a glorified pocket
| | |   calculator, you could (in large enough quantities) probably get
| | |   it made for < $10, provided you shot anyone who tried to
| | |   introduce product-deployment DoS mechanisms like smart cards and
| | |   EMV into the picture.  Now all we need to do is figure out how
| | |   to get there from here.
| | | 
| | |  I'd suggest starting from the deployment, training, and help desk
| | |  costs.  The technology is free, getting users to use it is not.  I
| | |  helped several banks look at this stuff in the late 90s, when cost
| | |  of a smartcard reader was order ~25, and deployment costs were
| | |  estimated at $100, and help desk at $50/user/year.
| | | 
| | | Of course, given the magnitude of costs of fraud, and where it may
| | | be heading in the near term, the $50 a year may be well spent,
| | | especially if it could be cut to $25 with some UI investment. It is
| | | all a question of whether you'd rather pay up front with the
| | | security apparatus or after the fact in fraud costs...
| | 
| | It may be, indeed.  You're going (as Lynn pointed out in another post)
| | to be fighting an uphill battle against the last attempts.  I don't
| | think smartcards (per se) are the answer.  What you really need is
| | something like a palm pilot, with screen and input and a reasonably
| | trustworthy OS, along with (as you say) the appropriate UI investment.
|
| You do realize that you've just come down to what the TPM guys want to
| build?  (Of course, much of the driving force behind having TPM comes
| from a rather different industry.  We're all happy when TPM can be
| used to ensure that our banking transactions actually do what the bank
| says it will do for a particular set of instructions issued by us and
| no one else, not so happy when they ensure that our music transactions
| act the same way)

I don't believe that's so.  The TPM guys want to add a variety of
controls to extant PC designs to make them secure.  I want to add a
new device to the mix.

| Realistically, the only way these kinds of devices could catch on would
| be for them to be standardized.  No one would be willing to carry one
| for their bank, another for their stock broker, a third for their
| mortgage holder, a fourth for their credit card company, and so on.
| But once they *are* standardized, almost the same potential for
| undesirable uses appears as for TPM's.  What's to prevent the movie
| download service requiring that you present your Universal Safe Access
| Fob before they authorize you to watch a movie?  If the only significant
| differences between this USAF and TPM is that the latter is more
| convenient because more tightly tied to the machine, we might as well
| have the convenience.

Fair questions.  I'm sure I don't have answers.



Re: The bank fraud blame game

2007-07-01 Thread Adam Shostack
On Mon, Jul 02, 2007 at 01:08:12AM +1200, Peter Gutmann wrote:
| 
| Given that all you need for this is a glorified pocket calculator, you could
| (in large enough quantities) probably get it made for < $10, provided you shot
| anyone who tried to introduce product-deployment DoS mechanisms like smart
| cards and EMV into the picture.  Now all we need to do is figure out how to
| get there from here.

I'd suggest starting from the deployment, training, and help desk
costs.  The technology is free, getting users to use it is not.  I
helped several banks look at this stuff in the late 90s, when cost of
a smartcard reader was order ~25, and deployment costs were estimated
at $100, and help desk at $50/user/year.

Adam



Re: 0wned .gov machines (was Re: Russian cyberwar against Estonia?)

2007-05-19 Thread Adam Shostack
On Sat, May 19, 2007 at 05:01:03PM -0400, Perry E. Metzger wrote:
| 
| Trei, Peter [EMAIL PROTECTED] writes:
|  1. Do you have any particular evidence that any significant
|  number of  US .gov machines are bots? They may well be, just 
|  I haven't heard this.
| 
| I've heard nothing formal, but my strong understanding is a lot of US
| government machines, at least if we're talking workstations on
| non-classified nets, are in fact 0wn3d at this point. This should

http://blog.support-intelligence.com/2007/04/doa-week-14-2007.html
claims to measure bot activity.  Now, it may be that US .gov hosts are
worth more, and so don't get used in random DOS attacks, but I think
this is some of the more interesting evidence out there.

I've asked some questions about it in
http://www.emergentchaos.com/archives/2007/04/month_of_owned_corporatio.html


Speaking for me only,

Adam



Re: Banking Follies

2007-01-16 Thread Adam Shostack
On Sun, Jan 14, 2007 at 03:31:22PM -0500, Steven M. Bellovin wrote:
| Anyway -- we're so focused in this group on the Internet that we
| sometimes forget about physical world attacks.  Theft of financial data
| (and financial objects, such as checks and credit cards) from physical
| mailboxes (or garbage cans) is quite commonplace, and is -- according to
| some -- a more significant vector for identity theft than Internet fun
| and games.  The Wall Street Journal advised people to use electronic
| statements for just that reason (see
| 
| http://online.wsj.com/article/SB116830855255470919-search.html?KEYWORDS=%22identity+theft%22&COLLECTION=wsjie/6month);
| also note the list at
| http://www.identitytheftassistance.org/How_Criminals_Steal.html

If I had any confidence that my banks would send me emails that I
could authenticate, I might take that advice.  My banks seem to take
pleasure in overcoming every heuristic I can find for authentication,
sending emails from arbitrary domains, obfuscating their HTML, etc,
etc.

At least none (that have made it through my spam filter) have fallen
to the level of AT&T Wireless (or perhaps they were Cingular at that
point) who sent me a Javascript executable email encrypted with my SSN
as the key.

Adam



Re: Can you keep a secret? This encrypted drive can...

2006-11-02 Thread Adam Shostack
On Tue, Oct 31, 2006 at 06:50:20PM -0500, Ivan Krstić wrote:
| On the other hand, Vista is shipping with BitLocker enabled by default
| in the upper editions (Enterprise or somesuch), and doesn't rely on

Just a nit:  as I understand things, BitLocker is available, but not
on, by default.  Someone needs to actively flip a switch to make it
go.

Adam
(Speaking for me.)



Re: Securely handling credit card transactions earns Blackboard kudos

2006-06-10 Thread Adam Shostack
Aren't these the same guys who sued a researcher to secure their
systems?

http://www.google.com/search?client=safari&rls=en&q=blackboard+billy+hoffman&ie=UTF-8&oe=UTF-8



On Sat, Jun 10, 2006 at 11:36:24AM -0600, Anne & Lynn Wheeler wrote:
| Securely handling credit card transactions earns Blackboard kudos
| 
| http://www.contactlessnews.com/library/2006/06/08/securely-handling-credit-card-transactions-earns-blackboard-kudos/
| 
| ... from above
| 
| These programs utilize the Payment Card Industry (PCI) data security 
| standard as the foundation to assess third-party processors, he added. 
| This standard ensures that all third-party processes safely and 
| securely store, process, and transmit sensitive credit card data across 
| their network infrastructures. This is the second year that Blackboard 
| has achieved this milestone in the payment card industry.
| 
| ... snip ...
| 
| couple other refs
| http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html
| https://sdp.mastercardintl.com/
| 
| this can also somewhat be considered from the standpoint of my old 
| security proportional to risk posting
| http://www.garlic.com/~lynn/2001h.html#61
| 
| however, it can also be interpreted that sensitive credit card data is 
| represented by an infrastructure with naked and vulnerable transactions:
| http://www.garlic.com/~lynn/aadsm24.htm#5  New ISO standard aims to 
| ensure the security of financial transactions on the Internet
| 
| i.e. that when dealing with naked and vulnerable transactions then the 
| overall infrastructure requires extensive armoring (as countermeasure to 
| attacks on naked transactions that otherwise don't have any of their own 
| protection)
| 
| one might be tempted to draw an analogy with the bubble boy reference
| http://www.imdb.com/title/tt0074236/
| http://www.imdb.com/title/tt0258470/
| 
| about the countermeasures needed for a boy that was w/o his own immune 
| system to combat attacks.
| 



Re: Face and fingerprints swiped in Dutch biometric passport crack (anothercard skim vulnerability)

2006-02-02 Thread Adam Shostack
On Wed, Feb 01, 2006 at 02:03:10PM -0500, [EMAIL PROTECTED] wrote:
| Anne & Lynn Wheeler pointed out:
| 
|  Face and fingerprints swiped in Dutch biometric passport crack
|  http://www.theregister.co.uk/2006/01/30/dutch_biometric_passport_crack/
| 
| Didn't the EU adopt the same design that the US uses?

Passport standards are written by the International Air Travel
Association (IATA).

| Am I right to presume that the passport RFID chip used by the Dutch is the
| same -- or functions the same -- as the one used in the new US digital
| passports?
| 
| From what I've read, it seems that the sequential numbering scheme the
| Dutch use on their passports may have made this attack easier -- but it
| was already feasible, and will be against the passports of other nations
| which did not so helpfully minimize their obfuscation technique with
| sequential numbering?
| 
| Anyone got more details than those offered in the Riscure press release?
| Thoughts?

The papers explain the attack in fair detail.  I blogged every useful
link I could find a few days ago at
http://www.emergentchaos.com/archives/002355.html, and there are more
links in the comments.

Adam

| _Vin
| 
| 
| 
|  The crack is attributed to Delft smartcard security specialist Riscure,
|  which explains that an attack can be executed from around 10 metres and
|  the security broken, revealing date of birth, facial image and
|  fingerprint, in around two hours.
| 
|  .. snip ..
| 
| 



Re: browser vendors and CAs agreeing on high-assurance certificates

2005-12-18 Thread Adam Shostack
Higher assurance means that when the CA gets duped, it's even better
for the phishers, because that nice, reassuring green bar will be
there.

To preserve the internet channel as a means of communicating with
customers, we need to move to bookmarks, not email with clickable
URLs.  That method is a black hole.

(I've blogged somewhat verbosely about this too, if anyone cares:
http://www.emergentchaos.com/archives/002104.html
http://www.emergentchaos.com/archives/002060.html)


On Sun, Dec 18, 2005 at 10:06:10AM -0800, James A. Donald wrote:
| --
| From: Steven M. Bellovin
| [EMAIL PROTECTED]
|  The very first phishing attack I ever heard of was for
|  paypa1.com.  As I recall, they did have a certificate.
| 
| And would they not have had a high assurance
| certificate, since presumably they really were
| paypa1.com?
| 
| Even if the vendors do implement a policy that all new
| urls must be significantly different from known high
| value urls, which is not their stated policy, this is
| not going to help much with such high value urls as:
| "https://lb22.resources.hewitt.com"
| 
| Proving true names is not much help, because there are
| too many names. 
| 



Re: US Banks: Training the next generation of phishing victims

2005-10-12 Thread Adam Shostack
On Wed, Oct 12, 2005 at 09:36:58PM +1300, Peter Gutmann wrote:
| 
| Can anyone who knows Javascript better than I do figure out what the mess of
| script on those pages is doing?  It looks like it's taking the username and
| password and posting it to an HTTPS URL, but it's rather spaghetti-ish code so
| it's a bit hard to follow what's going where.

The phishers sure can, but they don't share. 



Re: continuity of identity

2005-09-29 Thread Adam Shostack
On a somewhat related note, the other day, I was working on a shell
script to automate Mac access to Google's Secure Access system.  

Now, as I did this, I was able to get curl to respect a single CA as
the only CA it should accept, but I was totally unable to get any form
of certificate persistence.  Is there a way to do this, or am I forced
to invoke openssl and parse its output?

Adam



On Tue, Sep 27, 2005 at 04:05:42PM -0400, John Denker wrote:
| Jerrold Leichter mentioned that:
| 
|  a self-signed cert is better than no cert at all:  At least it can be used in an 
|  SSH-like continuity of identity scheme.
| 
| I agree there is considerable merit to a continuity of identity
| scheme.
| 
| But there are ways the idea can be improved.  So let's discuss it.
| 
| For starters, let me suggest that rather than having a self-signed
| certificate of the type created more-or-less automatically when
| you set up your Apache server or set up your SSH daemon, it makes
| more sense to set up your own CA and issue your own certs from
| there.  In some sense this is just a different type of self-signing,
| but it adds a possibly useful layer of indirection.

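The certificate-persistence question in Adam's message above, worked as an added example (not code from the thread or from any of its authors): a trust-on-first-use pin store in Python that records the SHA-256 fingerprint of the DER certificate a host presents on first contact and refuses a later connection whose certificate differs, which is the SSH known_hosts behaviour the thread calls continuity of identity. The host names, the pin-file location and the DER blobs in demo() are constructed stand-ins; fetch_der() is the only part that touches the network and demo() does not call it.

```python
"""Trust-on-first-use certificate pin store (added example, not code from
the thread).  It gives curl-style scripts the "continuity of identity"
behaviour of SSH's known_hosts: remember the SHA-256 fingerprint of the
certificate a host presented the first time, and refuse a different one
later.  Certificates are handled as DER bytes."""
import hashlib
import hmac
import json
import ssl
import tempfile
from pathlib import Path


class PinMismatch(Exception):
    """The host presented a certificate that differs from the pinned one."""


class PinStore:
    """JSON file mapping 'host:port' to a hex SHA-256 certificate fingerprint."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = {}
        if self.path.exists():
            self.pins = json.loads(self.path.read_text())

    @staticmethod
    def fingerprint(der_cert: bytes) -> str:
        # Fingerprint over the whole DER certificate, as most pinning tools do.
        return hashlib.sha256(der_cert).hexdigest()

    def _save(self):
        self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def check(self, host: str, port: int, der_cert: bytes) -> str:
        """Return 'new' on first contact (and record the pin) or 'known' when
        the pin matches; raise PinMismatch when it does not."""
        key = f"{host}:{port}"
        seen = self.fingerprint(der_cert)
        pinned = self.pins.get(key)
        if pinned is None:
            self.pins[key] = seen
            self._save()
            return "new"
        if hmac.compare_digest(pinned, seen):
            return "known"
        raise PinMismatch(f"{key}: pinned {pinned[:16]}..., got {seen[:16]}...")


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate a live server presents (needs network
    access; not exercised by demo())."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def demo():
    """First contact, repeat, changed certificate, reload from disk, new host.
    The DER blobs and host names are constructed stand-ins, not real certs."""
    cert_a = b"\x30\x82\x01\x00" + b"constructed certificate for example.test"
    cert_b = b"\x30\x82\x01\x00" + b"a different constructed certificate"
    with tempfile.TemporaryDirectory() as tmp:
        pin_file = Path(tmp) / "pins.json"
        store = PinStore(pin_file)
        out = [store.check("example.test", 443, cert_a),
               store.check("example.test", 443, cert_a)]
        try:
            store.check("example.test", 443, cert_b)
            out.append("accepted")
        except PinMismatch:
            out.append("mismatch")
        # A fresh store reading the same file must still enforce the pin.
        reloaded = PinStore(pin_file)
        out.append(reloaded.check("example.test", 443, cert_a))
        out.append(reloaded.check("other.test", 443, cert_b))
    return out


if __name__ == "__main__":
    print(demo())
```

Pairing fetch_der() with PinStore.check() in a wrapper script gives the curl workflow the missing half: `--cacert` limits trust to one CA, and the store refuses a certificate change behind that CA. Later versions of curl (years after this message) also added `--pinnedpubkey`, which pins a SHA-256 of the server's public key rather than of the whole certificate.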


Re: An overview of cryptographic protocols to prevent spam

2005-09-26 Thread Adam Shostack
On Mon, Sep 26, 2005 at 09:28:19AM +0200, Amir Herzberg wrote:
| John Gilmore wrote:
| I wrote an overview of Cryptographic Protocols to Prevent Spam, 
| 
| I stopped reading on page V -- it was too painfully obvious that Amir
| has bought into the whole censorship-list based anti-spam mentality.
| John, I'm disappointed; I expected you to be more tolerant. You got mad 
| at me at page V which is still just reviewing the basic e-mail 
| architecture related to spam. In this part, I explained what open-relays 
| are and why people may try to disconnect from them, and described 
| port-25 blocking which is common practice and necessary to protect 
| domains from being blacklisted.

"necessary to protect domains from being blacklisted"?

How about the more factual:  "Is used as a decision factor by many of
the programmers who create blacklist-creation tools"?

Blacklists are not like blackholes, a natural result of laws of
nature.  They are the product of human action, and the people who made
decisions around them ought to own up to the fact that they are making
decisions.

Adam



Re: Clearing sensitive in-memory data in perl

2005-09-17 Thread Adam Shostack
On Sat, Sep 17, 2005 at 11:40:26AM -0400, Victor Duchovni wrote:
| On Sat, Sep 17, 2005 at 11:53:20AM +0100, Ben Laurie wrote:
| 
|  My view is that C is fine, but it needs a real library and programmers
|  who learn C need to learn to use the real library, with the bare-metal
|  C-library used only by library developers to bootstrap new safe
|  primitives.
|  
|  So wouldn't the world be a better place if we could all agree on a 
|  single such library? Or at least, a single API. Like the STL is for C++.
|  
| 
| Yes, absolutely, but who is going to do it?

The glibc people?  The openbsd people?

I recall that for a while if you used gets, the linker would
complain.  I can't recall what platform this was on.  BSDi, maybe?

Adam



Re: Clearing sensitive in-memory data in perl

2005-09-17 Thread Adam Shostack
On Sat, Sep 17, 2005 at 08:36:11PM +0100, Ben Laurie wrote:
| Adam Shostack wrote:
| On Sat, Sep 17, 2005 at 11:40:26AM -0400, Victor Duchovni wrote:
| | On Sat, Sep 17, 2005 at 11:53:20AM +0100, Ben Laurie wrote:
| | 
| |  My view is that C is fine, but it needs a real library and programmers
| |  who learn C need to learn to use the real library, with the bare-metal
| |  C-library used only by library developers to bootstrap new safe
| |  primitives.
| |  
| |  So wouldn't the world be a better place if we could all agree on a 
| |  single such library? Or at least, a single API. Like the STL is for 
| C++.
| |  
| | 
| | Yes, absolutely, but who is going to do it?
| 
| The glibc people?  The openbsd people?
| 
| I recall that for a while if you used gets, the linker would
| complain.  I can't recall what platform this was on.  BSDi, maybe?
| 
| gets is so not the problem. Using strings that _can_ overflow is the 
| problem. That means wrapping the entire standard library.
| 
| And, of course, the issue is that every other library in the universe 
| uses C-style strings (etc.), so unless we can all agree on a better 
| paradigm, we're screwed.

I didn't mean to imply that gets was the issue, only that when your
linker laughed at you for trying to use a function, it was an
encouragement to move to other functions.  That is, it is possible to
get people to move when there's something to move to.

Adam



Re: solving the wrong problem

2005-08-07 Thread Adam Shostack
Here's a thought:

Putting up a "beware of dog" sign, instead of getting a dog.


On Sun, Aug 07, 2005 at 09:10:51PM +0100, Dave Howe wrote:
| Ilya Levin wrote:
| John Denker [EMAIL PROTECTED] wrote:
| 
| So, unless/until somebody comes up with a better metaphor,
| I'd vote for "one-picket fence".
| 
| 
| "Nonsense fence" maybe less metaphoric but more clear.
| I disagree - "one picket fence" gives a clear impression of a protective 
| device that is hardened at but one point - leaving the rest insecure. 
| "nonsense fence" doesn't give any real image.
| 


Re: the limits of crypto and authentication

2005-07-12 Thread Adam Shostack
On Tue, Jul 12, 2005 at 02:48:02PM -0700, Bill Stewart wrote:
| At 09:29 PM 7/9/2005, Perry E. Metzger wrote:
| The Blue Card, so far as I can tell, was poorly thought out beyond its
| marketing potential. I knew some folks at Amex involved in the
| development of the system, and I did not get the impression they had
| much of a coherent idea of what the technologies would be used for
| other than creating marketing buzz.
| 
| On the other hand, only a short time before that,
| Apple's iMac created a whole marketing revolution
| and set of spinoff products and revitalized the company
| by coming out with a semi-transparent blue-green case
| that effectively packaged the Reality Distortion Field,
| and they were able to maintain the effect over several years
| by the radical introduction of several other semi-transparent colors.
| 
| It'd be nice if good crypto and authentication methods
| could create a market for improved products,
| but hey, if blue-green translucent dancing pigs gets customers,
| the marketing people have done _their_ job.

In light of the ID theft drumbeat, companies that don't require your
SSN have a marketable edge.  I'm waiting for some to use it.

Adam



Re: City National Bank is the latest major US company to admit it has lost customer data.

2005-07-11 Thread Adam Shostack
If anyone knows how many people this affected, I'd love to know. (I'm
assuming it's their entire customer base)

Adam

On Mon, Jul 11, 2005 at 09:07:45AM -0600, Anne  Lynn Wheeler wrote:
| 
| http://81.144.183.106/Articles/2005/07/11/210820/AnotherUSbanksownsuptodataloss.htm
| 
| City National Bank is the latest major US company to admit it has lost
| customer data.
| 
| The bank says it lost data back-up tapes in April, while they were being
| transported to a secure facility by third-party data storage company
| Iron Mountain.
| 
| The sensitive data contained account numbers, social security numbers...
| 
| ... snip ...
| 


Re: Why Blockbuster looks at your ID.

2005-07-09 Thread Adam Shostack
On Fri, Jul 08, 2005 at 01:16:13PM -0400, Perry E. Metzger wrote:
| 
| Dan Kaminsky [EMAIL PROTECTED] writes:
|  Credit card fraud has gone *down* since 1992, and is actually falling:
| 
|  1992:  $2.6B
|  2003:  $882M
|  2004:  $788M
| 
|  We're on the order of 4.7 cents on the $100.
| 
|  
|  http://www.businessweek.com/technology/content/jun2005/tc20050621_3238_tc024.htm
| 
|  If it's any consolation, I was rather surprised myself.
| 
| I seem to have gotten that one drastically wrong. Thanks for the
| more accurate figures.
| 
| A back of the envelope calculation makes me think that it is still
| more than enough money to provide a good incentive for a change in
| systems, though, especially when the cost of the anti-fraud measures
| needed at every part of the system are taken in to account.

I think those numbers are misleading.  The FTC reports ID theft as a
$50B problem, but I haven't seen that broken down by vector.  I
suspect most of it is CC (rather than cheque, mortgage/line of
credit/auto loan), but have no data.

Adam



Re: Why Blockbuster looks at your ID.

2005-07-09 Thread Adam Shostack
On Sun, Jul 10, 2005 at 12:13:42AM +0100, Peter Fairbrother wrote:
| Perry E. Metzger wrote:
|  
|  A system in which the credit card was replaced by a small, calculator
|  style token with a smartcard style connector could effectively
|  eliminate most of the in person and over the net fraud we experience,
|  and thus get rid of large costs in the system and get rid of the need
|  for every Tom, Dick and Harry to see your drivers license when you
|  make a purchase. It would both improve personal privacy and help the
|  economy by massively reducing transaction costs.
| 
| I agree that it might well reduce costs and fraud - but how will it improve
| privacy? Your name is already on the card ... and the issuer will still have
| a list of your transactions.
| 
| Not having to show ID may save annoyance, but it doesn't significantly
| improve privacy.

Most credit card issuers will happily give you extra cards, so your
friends can spend your money.  In whatever name you want.  If you need
to show ID, this can become, umm, complicated.






Re: encrypted tapes (was Re: Papers about Algorithm hiding ?)

2005-06-13 Thread Adam Shostack
On Fri, Jun 10, 2005 at 01:11:45PM -0400, [EMAIL PROTECTED] wrote:
| Ben Laurie wrote

|  Sure, but Equifax should.
| 
| No, they shouldn't!  If you think they should, you are misinformed.  At
| least in Canada, the Privacy Act protects the SIN, Equifax cannot demand
| it.
| See for example
| http://www.privcom.gc.ca/fs-fi/02_05_d_02_e.asp
| and
| http://www.guardmycreditfile.org/index.php/content/view/244/139/
| which says the following:
| Even credit reporting companies can’t demand a SIN to generate a credit
| report. Trans Union Canada and Equifax Canada both have the ability to
| generate such reports without a SIN. If you ask these same companies to
| generate a credit report in the United States, they both require a Social
| Security Number.
| 
| And if Equifax Canada can generate reports without a SIN, I don't see why
| Equifax in any other country couldn't.  Of course, they like to have the
| SIN, since it makes things more convenient, but they don't really need it!
|  That is the problem in most cases.

Actually, there's a difference between theory and practice here.  When
I signed up for a mobile phone, they demanded a SIN, or would put me
on the sucker plan.  When I complained to the Quebec privacy
commissioner, they told me that that was OK.

There are so many examples of this sort of thing that I gave up
sending complaint letters.  Then you look at CIBC, and the lack of
fines... 

Adam



Re: encrypted tapes

2005-06-09 Thread Adam Shostack
On Thu, Jun 09, 2005 at 08:57:51AM +0100, [EMAIL PROTECTED] wrote:
| 
| From: Perry E. Metzger [EMAIL PROTECTED]
| 
|  It is worse than that. At least one large accounting company sends new
|  recruits to a boot camp where they learn how to conduct security
|  audits by rote. They then send these brand new 23 year old security
|  auditors out to conduct security audits, with minimal supervision
|  from a partner or two. The audits are inevitably of the lowest
|  possible quality -- they run automated security scanners no better
| 
| The worst security audit point I have ever seen came from KPMG and
| said that logging on as a particular non-root unix account got root
| access, based on the "WARNING! YOU ARE SUPERUSER" message seen at login.
| What they'd never done was check something like sum /etc/shadow to
| see whether it was permitted or denied, nor run id or similar checks.
| So when this user's home directory is absent and he ends up using
| / and /.profile (where the warning was in an echo statement) he gets
| this message on the screen.  So where they should be writing
| "misleading warning in some circumstances" they write "root access
| immediately available for common users".
| 
| I'm planning to teach a class of 5 existing internal auditors
| next month on some security s/w and I am going to include:
|- focussing on the more important stuff
|  (a long-running problem where I work)
|- you must prove it before you can report it
|- you must be able to state what is wrong with the observed state;
|  usually expressed as the policy point(s) violated
|  (just appearing in scanner output is not enough)
|    - you should have some idea of one reasonable way to fix it

"Oh, no, that's a reasonable treatment of those revenues.  You have to
prove it's not before you can report on it."

So, while I am sympathetic to what you are saying, the job of audit is
to audit.  If the system says "You're root", fine, note it and move
on.

If as an auditor, I need to prove each problem I find, then I'm
going depth-first, not breadth first, and will miss important stuff.

I suggest a better fix is to have an interim audit report, which, with
the participation of senior technical people on both sides, becomes a
final audit report.  In that process, you could probably win the
/.profile argument.  However, auditors MUST be allowed to point out
whatever the hell they want.

Adam





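The "prove it before you report it" rule in the quoted message, as an added Python example (not code from the thread or from any of its authors): it reproduces the misleading /.profile banner as a constructed sample, then gathers the evidence the post asks for (the effective uid, as `id` would report it, and whether /etc/shadow is actually readable, the `sum /etc/shadow` test) and only promotes the observation to a root-access finding when that evidence backs it. The sample profile text, the shadow path default and the finding strings are assumptions made for the example.

```python
"""Prove-before-report check for a "you are root" audit claim (added
example, not code from the thread).  The sample profile is constructed to
reproduce the situation described: a login banner that merely echoes a
superuser warning."""
import os
import re

# Constructed stand-in for the /.profile in the post (sample input only).
SAMPLE_PROFILE = """\
PATH=/usr/bin:/bin
export PATH
echo "WARNING! YOU ARE SUPERUSER"
"""

# An echo whose text mentions SUPERUSER: the observation that triggered
# the audit point.
BANNER_RE = re.compile(r'\becho\b[^\n]*SUPERUSER', re.IGNORECASE)


def banner_claims_root(profile_text: str) -> bool:
    """True when the profile merely prints a superuser warning."""
    return BANNER_RE.search(profile_text) is not None


def effective_uid():
    """What `id -u` would report; None on platforms without uids."""
    geteuid = getattr(os, "geteuid", None)
    return geteuid() if geteuid is not None else None


def privilege_evidence(shadow_path: str = "/etc/shadow") -> dict:
    """The checks the post asks for: the effective uid and whether the
    shadow file is actually readable (the `sum /etc/shadow` test)."""
    euid = effective_uid()
    return {
        "euid": euid,
        "euid_is_zero": euid == 0,
        "shadow_readable": os.access(shadow_path, os.R_OK),
    }


def audit_root_claim(profile_text: str, shadow_path: str = "/etc/shadow") -> dict:
    """Promote the banner observation to a root-access finding only when
    the evidence backs it; otherwise report the banner for what it is."""
    claimed = banner_claims_root(profile_text)
    evidence = privilege_evidence(shadow_path)
    verified = evidence["euid_is_zero"] or evidence["shadow_readable"]
    if claimed and verified:
        finding = "root access available to this account"
    elif claimed:
        finding = "misleading superuser banner in login profile"
    elif verified:
        finding = "root access available without any banner"
    else:
        finding = "no root access observed"
    return {"claimed": claimed, "verified": verified,
            "finding": finding, "evidence": evidence}


if __name__ == "__main__":
    import json
    print(json.dumps(audit_root_claim(SAMPLE_PROFILE), indent=2))
```

Run as the account under review, the returned record carries both the claim and the evidence, so an interim report can say which of the two the auditor actually observed; that is the distinction the post draws between "misleading warning" and "root access immediately available".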


Re: Retailers Experiment With Biometric Payment article

2005-06-09 Thread Adam Shostack
On Thu, Jun 09, 2005 at 11:17:59AM -0400, Heyman, Michael wrote:
| From
| http://www.washingtonpost.com/wp-dyn/content/article/2005/06/08/AR2005060802335_pf.html:

|   share its biometric data with government agencies, and 
|   in fact, the full fingerprints are not stored in the 
|   system. Instead, a complex mathematical algorithm is 
|   created to represent identifying characteristics of 
|   the fingerprint, which are matched to the real thing 
|   when a user shows up at a checkout counter.
|
| No discussion on the threat of finger removal...
| 

Has anyone ever studied the reversibility of these algorithms?  It
seems to me that you could make some plausible guesses and generate
fingerprints from certain representations.  I don't know how likely
those guesses are to be right.

Adam



Re: encrypted tapes (was Re: Papers about Algorithm hiding ?)

2005-06-08 Thread Adam Shostack
On Wed, Jun 08, 2005 at 01:33:45PM -0400, [EMAIL PROTECTED] wrote:
| 
| Ken Buchanan wrote:
|  There are a number of small companies making products that can encrypt
|  data in a storage infrastructure, including tape backups (full disclosure:
|  I work for one of those companies).  The solutions all involve appliances
|  priced in the tens of thousands.  The costs come not from encryption (how
|  much does an FPGA cost these days?), but from solving the problems you
|  listed, plus some others you didn't.
| 
|  Now that the benefit of storage encryption is clearer, tape vendors
|  (StorageTek, HP, IBM, etc) are almost certainly looking at adding
|  encryption capability into their offerings.
| 
| Another area where I predict vendors will (should) offer built in
| solutions is with database encryption.  A lot of laws require need-to-know
| based access control, and with DBAs being able to see all entries that is
| a problem.  Also backups of db data can be a risk.
| Oracle, for example, provides encryption functions, but the real problem
| is the key handling (how to make sure the DBA can't get the key, cannot
| call functions that decrypt the data, key not copied with the backup,
| etc.).
| There are several solutions for the key management, but the vendors should
| start offering them.

I would argue that the real problem is that encryption slows large
searches (is perceived to slow large searches, anyway.)

Adam



Re: Papers about Algorithm hiding ?

2005-06-07 Thread Adam Shostack
On Tue, Jun 07, 2005 at 05:41:12PM +0100, Ian G wrote:

| 
| The difficulty here is that there is what we might call
| the Choicepoint syndrome and then there is the
| specific facts about the actual Choicepoint heist.
| When I say Choicepoint I mean the former, and the
| great long list of similar failures as posted last week.

Poor form there.
| No it's not rocket science - it's economic science.
| It makes no difference in whether the business is
| small or large - it is simply a question of costs.  If
| it costs money to do it then it has to deliver a
| reward.
| 
| In the case of the backup tapes there was no reward
| to be enjoyed.  So they could never justify encrypting
| them if it were to cost any money.  Now, in an unusual

Actually, that's not true.  Over 10 years ago, I wrote a small script
that took data very much like this, encrypted it, verified the
output looked like PGP encrypted data, and copied it to a public ftp
site so that a partner could pick it up.

That saved a lot over tape, and reduced manual steps which introduced
errors.

Adam



Re: SSL stops credit card sniffing is a correlation/causality myth

2005-06-02 Thread Adam Shostack
On Tue, May 31, 2005 at 06:43:56PM -0400, Perry E. Metzger wrote:
| 
| Ian G [EMAIL PROTECTED] writes:
|  Perhaps you are unaware of it because no one has chosen to make you
|  aware of it. However, sniffing is used quite frequently in cases where
|  information is not properly protected. I've personally dealt with
|  several such situations.
| 
|  This leads to a big issue.  If there are no reliable reports,
|  what are we to believe in?  Are we to believe that the
|  problem doesn't exist because there is no scientific data,
|  or are we to believe those that say I assure you it is a
|  big problem?
| [...]
|  The only way we can overcome this issue is data.
| 
| You aren't going to get it. The companies that get victimized have a
| very strong incentive not to share incident information very
| widely. However, those of us who actually make our living in the field
| generally have a pretty strong sense of what is going wrong out there.

I believe that this is changing, and that Choicepoint is the wedge.
Organizations that are under no legal obligation to report breaches
are doing so, some quite rapidly, to avoid the PR disaster that hit
Choicepoint.

That shift may lead to a change in public perceptions from breaches
are rare to the reality, which is that breaches are common.  If that
shift takes place, then companies may be more willing to share data,
and that's a good thing.

[...] much deleted

| Statistics and the sort of economic analysis you speak of depends on
| assumptions like statistical independence and the ability to do
| calculations. If you have no basis for calculation and statistical
| independence doesn't hold because your actors are not random processes
| but intelligent actors, the method is worthless.
| 
| In most cases, by the way, the raw cost of attempting a cost benefit
| analysis will cost far more than just implementing a safeguard. A
| couple thou for encrypting a link or buying an SSL card is a lot
| cheaper than the consulting hours, and the output of the hours would
| be an utterly worthless analysis anyway.

So, that may be the case when you're dealing with an SSL accelerator,
but there are lots of other cases, say, implementing database security
rules, or ensuring that non-transactional lookups are logged, which
are harder to argue for, take more time and energy to implement, and
may well entail not implementing customer-visible features to get them
in on budget. 

Choicepoint and Lexis Nexis, seemingly, had neither.  Nor are they
representational.   We lack good data, and while there are a few
hundred folks who have the experience, chops, and savvy to help their
customers make good decisions, there are tens of thousands of
companies, many of whom choose not to pay rates for that sort of
advice, and hire an MCSE, instead.  People who slap the label "best
practice" on log truncation.

I think that we need to promulgate the idea that Choicepoint is
creating a shift, that it will be ok to talk about breaches, with the
intent of getting better data over time.

Adam






Re: Traffic Analysis in the New York Times

2005-05-24 Thread Adam Shostack
On Mon, May 23, 2005 at 11:46:25AM -0400, Perry E. Metzger wrote:
| 
| The original article has some nice diagrams, but unfortunately,
| because of the NY Times' policies, the article won't be online in a
| few days.

The times is trying to address this for RSS readers.  Aaron Swartz has
some code http://nytimes.blogspace.com/genlink

This link should last:
http://www.nytimes.com/2005/05/22/weekinreview/22kola.html?ex=1274414400en=9ff3763213102706ei=5090partner=rssuserlandemc=rss



Re: Secure Science issues preview of their upcoming block cipher

2005-03-25 Thread Adam Shostack
Really?  How does one go about proving the security of a block cipher?

My understanding is that you, and others, perform attacks against it,
and see how it holds up.  Many of the very best minds out there
attacked AES, so for your new CS2 cipher to be "provably just as
secure as AES-128", all those people would have had to have spent as
much time and energy as they did on AES.  That strikes me as unlikely,
there's a lot more interest in hash functions today.

Adam

PS: I've added the cryptography mail list to this.  Some of the folks
over there may be interested in your claims.

On Wed, Mar 23, 2005 at 05:00:25PM -0800, BugTraq wrote:
| Secure Science is offering a preview of one of the 3 ciphers they will 
| be publishing throughout the year. The CS2-128 cipher is a 128-bit block 
| cipher with a 128 bit key. This cipher is proposed as an alternative 
| hardware-based cipher to AES, being that it is more efficient in 
| hardware, simpler to implement, and provably just as secure as AES-128.
| 
| http://www.securescience.net/ciphers/csc2/
| 
| -- 
| Best Regards,
| Secure Science Corporation
| [Have Phishers stolen your customers' logins? Find out with DIA]
| https://slam.securescience.com/signup.cgi - it's free!
| 



Re: Encryption plugins for gaim

2005-03-20 Thread Adam Shostack
On Tue, Mar 15, 2005 at 09:33:51PM +0100, Jim Cheesman wrote:
| Ian G wrote:
| 
| Adam Fields wrote:
| 
| Given what may or may not be recent ToS changes to the AIM service,
| I've recently been looking into encryption plugins for gaim.
| Specifically, I note gaim-otr, authored by Ian G, who's on this list.
| 
| 
| Just a quick note of clarification, there is a collision
| in the name Ian G.  4 letters does not a message digest
| make.
| 
| 
| Perhaps if you were to prepend a random serial number to your name this 
| problem would be alleviated?

They'd both randomly choose pi.





Re: A cool demo of how to spoof sites (also shows how TrustBar preventsthis...)

2005-02-09 Thread Adam Shostack
On Wed, Feb 09, 2005 at 07:41:36PM +0200, Amir Herzberg wrote:
| Want to see a simple, working method to spoof sites, fooling 
| Mozilla/FireFox/... , even with an SSL certificate and `lock`?
| 
| http://www.shmoo.com/idn/
| 
|  See also:
| 
|   http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItemitem=3866526512
| 
| Want to protect your Mozilla/FireFox from such attacks? Install our 
| TrustBar: http://TrustBar.Mozdev.org
| (this was the first time that I had a real reason to click the `I don't 
| trust this authority` button...)
| 
| Opinions?

Just because you can demonstrate that you're pre-emptively and
pro-actively blocking attacks that beat the current system doesn't
mean...

I can't go on.  My head would explode.

Have you run end-user testing to demonstrate the user-acceptability of
Trustbar?

Adam





Re: A cool demo of how to spoof sites (also shows how TrustBar preventsthis...)

2005-02-09 Thread Adam Shostack
On Wed, Feb 09, 2005 at 07:22:05PM +, Ian G wrote:
| Adam Shostack wrote:
| 
| Have you run end-user testing to demonstrate the user-acceptability of
| Trustbar?
|  
| 
| 
| Yes, this was asked over on the cap-talk list.
| Below is what I posted there.  I'm somewhat
| sympathetic as doing a real field trial which
| involves testing real responses to a browser
| attack raises all sorts of Heisenberg uncertainty /
| experimental method issues.  Off the top of
| my head, I think this is a really tricky problem,
| and if anyone knows how to test security
| breaches on ordinary users, shout!

There's an HCIsec group at YahooGroups: 

http://groups.yahoo.com/group/hcisec/

Most of the smart people who care about these issues hang out there.  

Adam



Re: Call For Papers : HITB Security Conference Bahrain 2005

2005-02-02 Thread Adam Shostack
Posting to Dave Aitel's DailyDave list, HD Moore complained that he
had not been reimbursed for 2003.  The organizers responded that
payment is forthcoming.  Richard Thieme suggested that the correct
response is to ensure you put forth no money to speak at this event.



On Tue, Feb 01, 2005 at 06:58:18PM -0800, alpha wrote:
| Hack In The Box Security Conference 2005 : Bahrain
| --
| 
| Greetings,
| 
| We are inviting individuals or groups who are
| interested in computer and network security, challenges and
| practices to send in their papers for inclusion in HITBSecConf2005 Bahrain.
| This deep knowledge network security event will take place from April 10th - 
| 13th in the city of Manama, Bahrain.
| 
| Topics of interest include, but are not limited to the following:
| 
| · Analysis of network and security vulnerabilities
| · Firewall technologies
| · Intrusion detection / prevention
| · Data Recovery and Incident Response
| · GPRS and CDMA Security
| · Identification and Entity Authentication
| · Network Protocol and Analysis
| · Smart Card Security
| · Virus and Worms
| · WLAN and Bluetooth Security.
| · Analysis of malicious code
| · Applications of cryptographic techniques
| · Analysis of attacks against networks and machines
| · Denial-of-service attacks and countermeasures
| · File system security
| · Security in heterogeneous and large-scale environments
| · Espionage and Counter Intelligence
| · Techniques for developing secure systems
| · Military Security / Technology
| 
| 
| Summaries not exceeding 250 words should be submitted (in plain text format) 
| to cfp -at- hackinthebox.org for review and possible inclusion in the program. 
| All flights and hotel accommodation will be provided should your paper be 
| accepted.
| 
| ## Note: We do not accept product or vendor related pitches. If your talk 
| involves an advertisement for a new product or service your company is 
| offering, please do not submit.
| 
| 
| For event sponsorship details please contact Jorge Sebastiao 
| (jorge[at]esgulf.com)
| 
| 
| For further details regarding what we have planned, please take a look at our 
| official conference website:
|  http://conference.hackinthebox.org/hitbsecconf2005/index.php?cat=1
| 
| 
| Thank you,
| 
| alphademon[at]hackinthebox.org
| -
| HackInTheBox Security Conference 2005
| Bahrain
| Apr 10 - 13 2005
| -
| 


Re: Simson Garfinkel analyses Skype - Open Society Institute

2005-01-30 Thread Adam Shostack
On Sun, Jan 30, 2005 at 11:12:05AM -0500, John Kelsey wrote:
| From: Adam Shostack [EMAIL PROTECTED]
| Sent: Jan 29, 2005 12:45 PM
| To: Mark Allen Earnest [EMAIL PROTECTED]
| Cc: cryptography@metzdowd.com
| Subject: Re: Simson Garfinkel analyses Skype - Open Society Institute
| 
| But, given what people talk about on their cell phones and cordless
| phones, and what they send via unencrypted email, they are acting like
| they think their communications are secure in the absence of any
| encryption.  So I don't think adding some 'cryptographic mumbo jumbo'
| is going to change their sense of security in the wrong direction.
| 
| One thing most people seem to miss about this, though, is that cellphones and 
| cordless phones are *great* for privacy from other humans who live in your 
| house or work in your office.  When you don't want your children to hear a 
| conversation, you can go take the call in the bathroom or in the car while 
| you're driving alone.  Everybody seems to miss this--cellphones and cordless 
| phones don't diminish privacy, they just move it around.  Sophisticated 
| eavesdroppers can violate more of your privacy, but nosy family members, 
| roommates, and office mates can violate a lot less.  I think most people 
| correctly evaluate which of these groups is more likely to do something 
| unpleasant with what they learn by eavesdropping.  
| 
| It seems to me that VOIP pushes this in a somewhat different direction, 
| because it's probably easy for your high-speed internet access (maybe a 
| wireless hop to a router that talks to a cable modem) to be eavesdropped by 
| moderately technically savvy nosy neighbors, and because there are a lot of 
| criminals who are using more technology, and will surely target VOIP if they 
| think they can make any money off it.  

Hi John,

   That's a very interesting point.  There are clearly times when it's
the case.  I suspect, with no data to back me up, that a form of
hyperbolic discounting occurs here:  The family member who is clearly
present ends up dominating consideration, and the less
likely/understood eavesdropping threat disappears.  (As does the 'yell
for attention, pick up another extension attack,' but that's another
story.)

Adam



Re: Simson Garfinkel analyses Skype - Open Society Institute

2005-01-29 Thread Adam Shostack
On Fri, Jan 28, 2005 at 02:38:49PM -0500, Mark Allen Earnest wrote:
| Adam Shostack wrote:
| I hate arguing by analogy, but:  VOIP is a perfectly smooth system.
| Its lack of security features means there isn't even a ridge to trip
| you up as you wiretap.  Skype has some ridge.  It may turn out that
| it's very very low, but it's there.   Even if that's just the addition
| of an openssl decrypt line to a reconstruct shell script.
| 
| In that case, the value of 'better' is vanishingly small, but it will
| still take an attacker at least 5 minutes to figure that out.
| 
| I would contend that a false sense of security is worse than no security 
| at all. Someone's behavior may be different if they are wrongfully 
| assuming that their communications are encrypted by what they believe is 
| strong encryption when in fact it may be very very low.

I fully agree with you that, if people had a sense of how their
conversations could be eavesdropped on, then this would be the case.
But, given what people talk about on their cell phones and cordless
phones, and what they send via unencrypted email, they are acting like
they think their communications are secure in the absence of any
encryption.  So I don't think adding some 'cryptographic mumbo jumbo'
is going to change their sense of security in the wrong direction.

Adam



Re: Simson Garfinkel analyses Skype - Open Society Institute

2005-01-28 Thread Adam Shostack
On Thu, Jan 27, 2005 at 03:22:09PM -0800, David Wagner wrote:
| Adam Shostack [EMAIL PROTECTED] writes:
| On Mon, Jan 10, 2005 at 08:33:41PM -0800, David Wagner wrote:
| | In article [EMAIL PROTECTED] you write:
| | Voice Over Internet Protocol and Skype Security
| | Is Skype secure?
| | 
| | The answer appears to be, no one knows.  The report accurately reports
| | that because the security mechanisms in Skype are secret, it is impossible
| | to analyze meaningfully its security.  Most of the discussion of the
| | potential risks and questions seems quite good to me.
| | 
| | But in one or two places the report says things like "A conversation on
| | Skype is vastly more private than a traditional analog or ISDN telephone"
| | and "Skype is more secure than today's VoIP systems."  I don't see any
| | basis for statements like this.  Unfortunately, I guess these sorts of
| | statements have to be viewed as blind guesswork.  Those claims probably
| | should have been omitted from the report, in my opinion -- there is
| | really no evidence either way.  Fortunately, these statements are the
| | exception and only appear in one or two places in the report.
| 
| The basis for these statements is what the other systems don't do.  My
| Vonage VOIP phone has exactly zero security.  It uses the SIP-TLS
| port, without encryption.  It doesn't encrypt anything.  So, it's easy
| to be more secure than that.  So, while it may be bad cryptography, it
| is still better than the alternatives.  Unfortunately.
| 
| I don't buy it.  How do you know that Skype is more secure, let alone
| vastly more private?  Maybe Skype is just as insecure as those other
| systems.  For all we know, maybe Skype is doing the moral equivalent
| of encrypting with the all-zeros key, or using a repeating xor with a
| many-time pad, or somesuch.  Without more information, we just don't know.

The 'vastly more secure' is not my claim.  My claim is that it is
somewhat better.  Even if it's using an RC4 key of all-zeros, it is
somewhat better than what I have today, because today, my voip calls
don't even have that, and as far as I can see, I can use asterisk's
codec translator API to turn tcpdump captured streams into mp3.
(http://www.asterisk.org/index.php?menu=architecture).  The effort to
get skype data is slightly higher.  Until shown otherwise, I expect a
grad student could do it in a weekend.  However, that same grad
student could build me a wiretap for VOIP in an hour.  (By which
metric, Skype is nearly 50x as secure  :)

| I'm sorry to pick nits, but I have to stand by my statement.  No matter
| how atrociously bad other systems may be, I don't see any basis for saying
| that Skype is any better.  It might be better, or it might be just as bad.
| We don't know.

I hate arguing by analogy, but:  VOIP is a perfectly smooth system.
Its lack of security features means there isn't even a ridge to trip
you up as you wiretap.  Skype has some ridge.  It may turn out that
it's very very low, but it's there.   Even if that's just the addition
of an openssl decrypt line to a reconstruct shell script.

In that case, the value of 'better' is vanishingly small, but it will
still take an attacker at least 5 minutes to figure that out.  That
was my claim.  Similarly, I'd put VOIP above a POTs line, because I've
tapped POTS lines with alligator clips and mis-functioning cordless
phones.  We agree that it's not 'interesting' or 'useful' security.

Adam

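The "tcpdump capture to audio" step Adam describes for plain VoIP, as an added example that is not part of the thread and is not Asterisk's codec-translator code: it parses RTP headers (RFC 3550) from captured UDP payloads, puts the packets back in sequence order (handling the 16-bit sequence wrap and duplicate captures), concatenates the G.711 mu-law audio (static payload type 0, PCMU) and decodes it to a 16-bit mono WAV. The packets are constructed inline for the example; the SSRC, timestamps and sample values are made up.

```python
"""Reassemble an unencrypted RTP voice stream from captured packets and
decode it to WAV.  Added example; the packets below are constructed."""
import io
import struct
import wave

RTP_HEADER_FMT = "!BBHII"          # V/P/X/CC, M/PT, sequence, timestamp, SSRC
RTP_HEADER_LEN = struct.calcsize(RTP_HEADER_FMT)  # 12 bytes
PT_PCMU = 0                        # static payload type 0: G.711 mu-law, 8 kHz


def parse_rtp(packet: bytes) -> dict:
    """Parse one RTP packet (RFC 3550 fixed header, CSRC list, extension,
    padding) and return its fields plus the raw codec payload."""
    if len(packet) < RTP_HEADER_LEN:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack(RTP_HEADER_FMT, packet[:RTP_HEADER_LEN])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    offset = RTP_HEADER_LEN + 4 * (b0 & 0x0F)       # skip CSRC identifiers
    if b0 & 0x10:                                    # header extension present
        _, ext_words = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4 + 4 * ext_words
    payload = packet[offset:]
    if b0 & 0x20 and payload:                        # padding: last byte is its length
        payload = payload[:-payload[-1]]
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80),
            "seq": seq, "ts": ts, "ssrc": ssrc, "payload": payload}


def reassemble(packets, ssrc=None) -> bytes:
    """Return the concatenated payload of one stream in sequence order.
    Sequence numbers are 16-bit and wrap, so packets are ordered by their
    distance from the first packet captured; duplicates are dropped."""
    parsed = [parse_rtp(p) for p in packets]
    if ssrc is None:
        ssrc = parsed[0]["ssrc"]
    stream = [p for p in parsed if p["ssrc"] == ssrc]
    first = stream[0]["seq"]
    seen, audio = set(), []
    for p in sorted(stream, key=lambda p: (p["seq"] - first) & 0xFFFF):
        if p["seq"] not in seen:
            seen.add(p["seq"])
            audio.append(p["payload"])
    return b"".join(audio)


def ulaw_to_pcm16(byte: int) -> int:
    """Decode one G.711 mu-law sample to a signed 16-bit PCM value."""
    u = ~byte & 0xFF
    magnitude = ((((u & 0x0F) << 3) + 0x84) << ((u >> 4) & 0x07)) - 0x84
    return -magnitude if u & 0x80 else magnitude


def to_wav(ulaw_payload: bytes, rate: int = 8000) -> bytes:
    """Turn PCMU audio into a mono 16-bit WAV file image (44-byte header)."""
    pcm = b"".join(struct.pack("<h", ulaw_to_pcm16(b)) for b in ulaw_payload)
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(pcm)
    return buf.getvalue()


def make_rtp(seq: int, ts: int, payload: bytes, ssrc: int = 0x1234ABCD) -> bytes:
    """Build a minimal RTP packet (V=2, no padding/extension/CSRC, PT 0)."""
    return struct.pack(RTP_HEADER_FMT, 0x80, PT_PCMU, seq, ts, ssrc) + payload


# Constructed sample "capture": four 4-sample PCMU packets arriving out of
# order, crossing the 16-bit sequence wrap, with one duplicate.
SAMPLE_CAPTURE = [
    make_rtp(65534, 0,   bytes([0xFF] * 4)),   # mu-law 0xFF decodes to 0
    make_rtp(1,     480, bytes([0x00] * 4)),   # arrives early
    make_rtp(65535, 160, bytes([0x7F] * 4)),
    make_rtp(0,     320, bytes([0x80] * 4)),   # seq wraps 65535 -> 0
    make_rtp(0,     320, bytes([0x80] * 4)),   # duplicate capture
]

if __name__ == "__main__":
    audio = reassemble(SAMPLE_CAPTURE)
    with open("call.wav", "wb") as f:
        f.write(to_wav(audio))
    print(f"wrote {len(audio)} mu-law samples to call.wav")
```

On a real capture the packets would be the UDP payloads of the RTP port pair announced in the (equally unencrypted) SIP/SDP exchange, and the SSRC selects one direction of the call. Had the media been SRTP, the same parser would still read every header, but the payload bytes would be ciphertext and the decode step would yield noise; that is the whole of the "ridge" being argued about in the thread.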


Re: Simson Garfinkel analyses Skype - Open Society Institute

2005-01-26 Thread Adam Shostack
On Mon, Jan 10, 2005 at 08:33:41PM -0800, David Wagner wrote:
| In article [EMAIL PROTECTED] you write:
| Voice Over Internet Protocol and Skype Security
| Simson L. Garfinkel
| 
http://www.soros.org/initiatives/information/articles_publications/articles/security_20050107/OSI_Skype5.pdf
| 
| Is Skype secure?
| 
| The answer appears to be, no one knows.  The report accurately reports
| that because the security mechanisms in Skype are secret, it is impossible
| to analyze meaningfully its security.  Most of the discussion of the
| potential risks and questions seems quite good to me.
| 
| But in one or two places the report says things like "A conversation on
| Skype is vastly more private than a traditional analog or ISDN telephone"
| and "Skype is more secure than today's VoIP systems."  I don't see any
| basis for statements like this.  Unfortunately, I guess these sorts of
| statements have to be viewed as blind guesswork.  Those claims probably
| should have been omitted from the report, in my opinion -- there is
| really no evidence either way.  Fortunately, these statements are the
| exception and only appear in one or two places in the report.

The basis for these statements is what the other systems don't do.  My
Vonage VOIP phone has exactly zero security.  It uses the SIP-TLS
port, without encryption.  It doesn't encrypt anything.  So, it's easy
to be more secure than that.  So, while it may be bad cryptography, it
is still better than the alternatives.  Unfortunately.

Adam




Re: Where to get a Jefferson Wheel ?

2005-01-05 Thread Adam Shostack
I got mine in Secret Codes by Jackson.  It's a cheap plastic model
in a kids book.  I didn't try to assemble the morse code thing, so
can't comment on its quality.

http://www.amazon.com/exec/obidos/tg/detail/-/0762413514/

Adam

On Sun, Jan 02, 2005 at 12:59:14PM +0100, Hadmut Danisch wrote:
| Hi,
| 
| does anyone know where I can get a 
| Jefferson Wheel or a replica?
| 
| regards
| Hadmut
| 



Re: Blinky Rides Again: RCMP suspect al-Qaida messages

2004-12-11 Thread Adam Shostack
On Sat, Dec 11, 2004 at 10:24:09PM +0100, Florian Weimer wrote:
| * R. A. Hettinga quotes a news article:
| 
|   There have been numerous media reports in recent years that terrorist
|  groups, including al-Qaida, were using steganographic techniques.
| 
| As far as I know, these news stories can be tracked back to a
| particular USA Today story.  There's also been a bunch of stories how
| a covert channel in TCP could be used by terrorists to hide their
| communication.

There's very good evidence that Al Qaida does *not* use strong crypto.

I blogged on this at http://www.emergentchaos.com/archives/000561.html

It was the first time I'd given such a talk since 9/11. It wasn't
useful after we'd made the decision to stop hemorrhaging money by
shutting down the Freedom Network. (That was May or June of 2001.) So
I did a fair bit of reading about Al Qaeda's use of crypto. One of the
more interesting techniques I found was the 'draft message' method.
(http://www.jihadwatch.org/archives/002871.php)

It seems consistent that Al Qaeda prefers being 'fish in the sea' to
standing out by use of crypto. Also, given the depth and breadth of
conspiracies they believe in, it seems that they might see all us
cryptographers as a massive deception technique to get them to use bad
crypto. (And hey, they're almost right! We love that they use bad
crypto.)

There's other evidence for this. In particular, the laptops captured
have been exploited very quickly, in one case by a Wall St Journal
reporter. So rumors of steganography or advanced crypto techniques
have a burden of proof on them.

And see the link there to Ian Grigg's
http://www.financialcryptography.com/mt/archives/000246.html





Re: RSA Implementation in C language

2004-11-30 Thread Adam Shostack
http://www.homeport.org/~adam/crypto/

On Mon, Nov 29, 2004 at 01:47:05PM +0530, Sandeep N wrote:
| Hi,
| 
| Can anybody tell me where I can get an implementation of RSA
| algorithm in C language? I searched for it, but could not locate one.
| I would be grateful to you if you could give me the location of the
| source code.


Re: Are new passports [an] identity-theft risk?

2004-10-25 Thread Adam Shostack
On Sun, Oct 24, 2004 at 12:58:56AM -0400, Dave Emery wrote:
| On Sat, Oct 23, 2004 at 03:23:21PM -0400, Adam Shostack wrote:
|  
|  The technology will mature *very* rapidly if Virginia makes their
|  driver's licenses RFID-enabled, or if the US goes ahead with the
|  passports.  Why?  Because there will be a stunning amount of money to
|  be stolen by not identity thieves, but real thieves.  Imagine sitting
|  with a laptop, a good antenna, and some software outside a metro
|  station in Virginia.  Or an upscale restaurant in Adams-Morgan,
|  reading off the addresses of those who will be away from home for the
|  next 3 hours.
| 
|   Correct me if I am wrong, but don't most of the passive, cheap
| RF or magnetic field powered RFIDs transmit maybe 128 bits of payload,
| not thousands and thousands of bits which would be enough to include
| addresses, names, useful biometric data and so forth ?

Unclear.  Presuming you're right, that 128 bit number will become
your ID, just like your SSN is now.  If you broadcast it at the
right time, you'll be Alice.

|   And further it seems reasonable to suppose that if larger blocks
| of useful data get dumped, it would be encrypted under carefully
| controlled keys at least for passport and similar applications.  
| Granted that very sophisticated attackers might obtain some of these
| keys, but the average thief presumably would not have access to them.

You're reasonable, they're the United States Government, and they have
responded to questions about how to protect the keys that would be used
to read it. (which, after all, would need to be in at least thousands
of readers, just in the US, never mind in the other 190-odd countries
which will want to verify passports..)

 ACLU's Technology and Liberty Program describes what they were
 told in a briefing by Frank Moss, USA Deputy Assistant Secretary
 of State for Passport Services and director of the State
 Department's Bureau of Consular Affairs:

 passport issued in San Diego from January 2005 to August
 2005. But you can't use the public key to then create a signature
 on a fraudulent document. And the public key is not used to
 access the data on the document -- that is wide open -- it is
 used only to verify the authenticity of the passport.

(From http://hasbrouck.org/blog/archives/000434.html)

|   It does occur to me that RFID equipped passports or internal
| passports/driver licenses (your papers please) COULD be equipped with
| some kind of press to read switch the would require active finger 
| pressure on the card to activate the RFID transmitter - this would
| leave them disabled and incapable of transmitting the ID when sitting in
| someone's wallet or purse.  Aside from very sinister covert reading
| applications I cannot think of any reason why a RFID equipped identity
| card would need to be readable without the active cooperation and
| awareness of the person carrying the card, thus such a safeing mechanism
| would not be a real burden except to those with sinister covert agendas.

And who is going to pay for this press to read addition?  Maybe,
rather than designing with RFID, they could use a smart-card chip
which requires contact?  seems easier, no?

Adam

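The static-identifier problem Adam describes (record the 128-bit number, broadcast it at the right time, and you are Alice), as an added example that is not part of the thread and does not model any actual passport or licence protocol: a toy reader that accepts a tag on its identifier alone, next to one that issues a fresh challenge and checks a MAC keyed with a per-tag secret, and an eavesdropper that replays one recorded exchange against each. The identifier, the key and the HMAC construction are assumptions made for the illustration.

```python
"""Static-ID tag versus challenge-response tag under replay.
Added example; IDs, key and MAC construction are assumed, not a real protocol."""
import hashlib
import hmac
import os


class StaticIdTag:
    """A tag that answers every read with the same fixed identifier."""
    def __init__(self, tag_id: bytes):
        self.tag_id = tag_id

    def respond(self, challenge: bytes) -> bytes:
        return self.tag_id                      # the challenge is ignored


class ChallengeResponseTag:
    """A tag holding a per-tag secret; it proves possession of the secret
    by MACing the reader's fresh challenge (assumed construction)."""
    def __init__(self, tag_id: bytes, key: bytes):
        self.tag_id = tag_id
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        proof = hmac.new(self._key, self.tag_id + challenge, hashlib.sha256).digest()
        return self.tag_id + proof


class ReplayTag:
    """What an eavesdropper with a laptop and antenna builds: it re-sends
    one response recorded from a legitimate read."""
    def __init__(self, recorded_response: bytes):
        self.recorded = recorded_response

    def respond(self, challenge: bytes) -> bytes:
        return self.recorded


class Reader:
    """Reader with a database mapping tag_id -> per-tag key.  A key of None
    means the static-ID scheme: the identifier itself is the credential."""
    def __init__(self, database: dict):
        self.database = database

    def read(self, tag) -> tuple:
        """Run one exchange; return (accepted, tag_id, challenge, response)."""
        challenge = os.urandom(16)
        response = tag.respond(challenge)
        return (self.verify(challenge, response), response[:16], challenge, response)

    def verify(self, challenge: bytes, response: bytes) -> bool:
        tag_id, proof = response[:16], response[16:]
        if tag_id not in self.database:
            return False
        key = self.database[tag_id]
        if key is None:                         # static-ID scheme
            return proof == b""
        expected = hmac.new(key, tag_id + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(proof, expected)


def replay_succeeds(reader: Reader, tag) -> bool:
    """Record one legitimate exchange, then replay its response to a new read."""
    accepted, _, _, response = reader.read(tag)
    assert accepted, "the genuine tag must be accepted first"
    replayed, _, _, _ = reader.read(ReplayTag(response))
    return replayed


ALICE_ID = bytes.fromhex("00112233445566778899aabbccddeeff")    # constructed 128-bit ID
ALICE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed per-tag key


def demo() -> dict:
    """Replay outcome for each scheme: True means the eavesdropper 'is Alice'."""
    static_reader = Reader({ALICE_ID: None})
    cr_reader = Reader({ALICE_ID: ALICE_KEY})
    return {
        "static_id_replay": replay_succeeds(static_reader, StaticIdTag(ALICE_ID)),
        "challenge_response_replay": replay_succeeds(
            cr_reader, ChallengeResponseTag(ALICE_ID, ALICE_KEY)),
    }


if __name__ == "__main__":
    for scheme, replayed in demo().items():
        print(f"{scheme}: {'replay accepted' if replayed else 'replay rejected'}")
```

The challenge-response reader only helps if every reader holds, or can derive, the per-tag key, which is exactly the key-distribution problem Adam raises for the thousands of readers worldwide; and it still does nothing about who can start the exchange at all, which is what the press-to-read switch or a contact interface addresses.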


Re: Are new passports [an] identity-theft risk?

2004-10-23 Thread Adam Shostack
On Fri, Oct 22, 2004 at 11:01:16AM -0400, Whyte, William wrote:
| 
|  R.A. Hettinga wrote:
|   
|  http://worldnetdaily.com/news/printer-friendly.asp?ARTICLE_ID=41030
|  
|An engineer and RFID expert with Intel claims there is 
|  little danger of
|   unauthorized people reading the new passports. Roy Want 
|  told the newssite:
|   "It is actually quite hard to read RFID at a distance," 
|  saying a person's
|   "keys, bag and body interfere with the radio waves."
|  
|  Who was it that pointed out that radio waves don't
|  interfere, rather, receivers can't discriminate?
| 
| Absolutely. I'd add that while it's *currently* hard to
| read at a distance, passports typically have a lifetime
| of 10 years and I'd be very surprised if the technology
| wasn't significantly better five years out.

5 years?  I don't think we have that long.

The technology will mature *very* rapidly if Virginia makes their
driver's licenses RFID-enabled, or if the US goes ahead with the
passports.  Why?  Because there will be a stunning amount of money to
be stolen by not identity thieves, but real thieves.  Imagine sitting
with a laptop, a good antenna, and some software outside a metro
station in Virginia.  Or an upscale restaurant in Adams-Morgan,
reading off the addresses of those who will be away from home for the
next 3 hours.

Adam



Re: Academics locked out by tight visa controls

2004-09-22 Thread Adam Shostack
Hi Dan,

   Not Rome, but in Athens, Pericles said, in his funeral oration:

The freedom which we enjoy in our democratic government extends also
to our ordinary life. We throw open our city to the world, and never
by alien acts exclude foreigners from any opportunity of learning or
observing although the eyes of an enemy may occasionally profit by our
liberality. We live exactly as we please and yet are just as ready to
encounter every legitimate danger. If with habits not of labor but of
ease, and courage not of art but of nature, we are still willing to
encounter anger, we have the double advantage of not suffering
hardships before we need to, and of facing them in the hour of need as
fearlessly as those who are never free from them. The price of courage
will surely be awarded most justly to those who best know the
difference between hardship and pleasure and yet are never tempted to
shrink from danger. And it is only democratic people who, fearless of
consequences, confer their benefits not from calculations of
expediency but in the confidence of liberality. Judging happiness to
be the fruit of freedom and freedom of valor never decline the dangers
of war.

This has been at the top of my personal web page for most of the last
3 years.

Adam

On Tue, Sep 21, 2004 at 05:36:46PM -0400, [EMAIL PROTECTED] wrote:
| 
| Lynn (or anyone) -- I have a small question of
| history, viz., when Rome was in its heyday what
| sort of rules and so forth did it have about
| citizens versus non-citizens in the city?  This
| is not to start a long thread, or so I hope, but
| if there is a lesson of history rather than
| speculation perhaps this would be a good moment
| to call for it to be remembered.  Modify the 
| Rome to any place else if the lesson thus
| improves in predictive value.
| 
| --dan
| 
| 



Re: Academics locked out by tight visa controls

2004-09-20 Thread Adam Shostack
On Mon, Sep 20, 2004 at 10:03:57AM -0400, John Kelsey wrote:

| Academics locked out by tight visa controls
| U.S. SECURITY BLOCKS FREE EXCHANGE OF IDEAS
| By Bruce Schneier
| 
| I guess I've been surprised this issue hasn't seen a lot more
| discussion.  It takes nothing more than to look at the names of the
| people doing PhDs and postdocs in any technical field to figure out
| that a lot of them are at least of Chinese, Indian, Arab, Iranian,
| Russian, etc., ancestry.  And only a little more time to find out that
| a lot of them are not citizens, and have a lot of hassles with respect
| to living and working here.  What do you suppose happens to the US
| lead in high-tech, when we *stop* drawing in some large fraction of
| the smartest, hardest-working thousandth of a percent of mankind?   

Those people don't get a vote.  The politicians in question will be
dead and gone before the slope of the curve changes anything.  Why
*would* we discuss it?

Adam the cynic.



Re: public-key: the wrong model for email?

2004-09-17 Thread Adam Shostack
On Thu, Sep 16, 2004 at 06:12:48PM +0100, Ian Grigg wrote:
| Adam Shostack wrote:
| Given our failure to deploy PKC in any meaningful way*, I think that
| systems like Voltage, and the new PGP Universal are great.
| 
| I think the consensus from debate back last year on
| this group when Voltage first surfaced was that it
| didn't do anything that couldn't be done with PGP,
| and added more risks to boot.  So, yet another biz
| idea with some hand wavey crypto, which is great if
| it works, but it's not necessarily security.

Sure, I like the system even if it breaks, because it focuses on ease
of use.  I didn't say I thought it secure.

| * I don't see Verisign's web server tax as meaningful; they accept no
| liability, and numerous companies foist you off to unrelated domains.
| We could get roughly the same security level from fully opportunistic
| or memory-opportunistic models.
| 
| Yes, or worse;  it turns out that Verisign may very
| well be the threat as well as the solution.  As I
| wrote here:
| 
| http://www.financialcryptography.com/mt/archives/000206.html
| 
| Verisign are in the eavesdropping business, which
| not only calls into doubt their own certs, but also
| all other CAs, and the notion of a trusted third
| party as a workable concept.

Yes.

Adam



Re: public-key: the wrong model for email?

2004-09-16 Thread Adam Shostack
Given our failure to deploy PKC in any meaningful way*, I think that
systems like Voltage, and the new PGP Universal are great.

* I don't see Verisign's web server tax as meaningful; they accept no
liability, and numerous companies foist you off to unrelated domains.
We could get roughly the same security level from fully opportunistic
or memory-opportunistic models.

Adam

On Thu, Sep 16, 2004 at 02:05:15AM -0700, Ed Gerck wrote:
| Benne,
| 
| With Voltage, all communications corresponding to the same public key can be
| decrypted using the same private key, even if the user is offline. To me, 
| this
| sounds worse than the PKC problem of trusting the recipient's key. Voltage
| also corresponds to mandatory key escrow, as you noted, with all its 
| drawbacks.
| 
| Cheers,
| Ed Gerck
| 
| Weger, B.M.M. de wrote:
| 
| Hi Ed,
| 
| What about ID-based crypto: the public key can be any string, such as
| your e-mail address. So the sender can encrypt even before the
| recipient has a key pair. The private key is derived from the ...
| 



Re: Anyone Remember Zero Knowledge Systems?

2003-09-10 Thread Adam Shostack
On Wed, Sep 10, 2003 at 11:32:29AM -0400, R. A. Hettinga wrote:
| http://www.cryptonomicon.net/modules.php?name=Newsfile=printsid=455
| 
| Cryptonomicon.Net - 
| 
| Anyone Remember Zero Knowledge Systems? 
| Date: Wednesday, September 10 @ 11:15:00 EDT 
| Topic: Commercial Operations / Services 


| Unfortunately, they never quite made a compelling enough argument
| for mass adoption of their system and eventually morphed the company
| into a manufacturer of more conventional privacy tools. Freedom still
| exists as a product, though it is aimed at web users, only runs on
| Windows clients, and routes requests through proxy servers owned by
| Zero Knowledge Systems.   


Freedom Websecure is a different protocol set from Freedom.net.

Websecure runs on linux, see http://websecure4linux.sourceforge.net/

The Freedom.net code is available for non-commercial use, see
http://slashdot.org/articles/02/02/16/0320238.shtml?tid=158 or the
shmoo group cvs server,
http://cvs.shmoo.com/view/projects/freedom-server/

The problem with running Napster over Freedom was bandwidth costs.
Users may be more willing to pay today, given the clear risk of paying
$10,000 or more in fines.  I'm sure that ZKS would be happy to sell
someone a commercial use license.

Adam

-- 
It is seldom that liberty of any kind is lost all at once.
   -Hume





Re: Maybe It's Snake Oil All the Way Down

2003-06-02 Thread Adam Shostack
The assumption that "having cracked a cipher" leads to "can make lots
of money from the break" is one held mostly by those who have never
attacked real systems, which have evolved with lots of checks and
balances.

The very best way to make money from cracking ciphers seems to be to
patent the break, and the fixes, and then consult to those who use the
cipher, because they need your expertise to fix their systems.  P. may
have a patent on this method.

Adam


On Sun, Jun 01, 2003 at 07:05:44PM -0400, Scott Guthery wrote:
| Suppose.  Just suppose.  That you figured out a factoring
| algorithm that was polynomial.  What would you do?  Would
| you post it immediately to cypherpunks?  Well, OK, maybe
| you would but not everyone would.  In fact some might
| even imagine they could turn a sou or two.  And you can
| bet the buyer wouldn't be doing any posting. With apologies
| to Bon Ami, "Hasn't cracked yet" is not a compelling security
| story.
|  
| Cheers, Scott
| 
|   -Original Message- 
|   From: Rich Salz [mailto:[EMAIL PROTECTED] 
|   Sent: Sun 6/1/2003 6:16 PM 
|   To: Eric Rescorla 
|   Cc: Scott Guthery; cypherpunks; [EMAIL PROTECTED] 
|   Subject: Re: Maybe It's Snake Oil All the Way Down
|   
|   
| 
|There are a number of standard building blocks (3DES, AES, RSA, HMAC,
|SSL, S/MIME, etc.). While none of these building blocks are known
|to be secure ..
|   
|   So for the well-meaning naif, a literature search should result in "no
|   news is good news".  Put more plainly, if you looked up hash and didn't
|   find news of a SHA break, then you should know to use SHA.  That assumes
|   you've heard of SHA in the first place.
|   
|   Perhaps a few best practices papers are in order.  They might help
|   the secure (distributed) computing field a great deal.
|   /r$
|   --
|   Rich Salz Chief Security Architect
|   DataPower Technology  http://www.datapower.com
|   XS40 XML Security Gateway http://www.datapower.com/products/xs40.html

-- 
It is seldom that liberty of any kind is lost all at once.
   -Hume


