On Sat, 29 Jun 2013, Alec Muffett wrote:
My own, personal guess is that it is obfuscation which translates as using
passwords or accessing a portal over SSL plus we're too embarrassed to
admit that it was that easy.
Or simply:
http://cms.intranet.boozallen.com/document?id=${N}
On Fri, 20 Nov 2009, Peter Gutmann wrote:
There's been a near-neverending debate about who should be responsible for
improving online banking security measures: the users, the banks, the
government, the OS vendor, ... . Here's an interesting perspective from Peter
Benson
On Wed, 9 Sep 2009, Peter Gutmann wrote:
I was just going to reply with a variation of this, if you're implementing a
full protocol that uses AES-CTR (or any algorithm/mode for that matter), find
other implementations that do it too and make sure that you can talk to them.
In theory everyone
On Mon, 14 Sep 2009, Peter Gutmann wrote:
Damien Miller d...@mindrot.org writes:
That seems unlikely, since we don't use OpenSSL for AES-CTR in OpenSSH. I
don't think OpenSSL even supports a CTR mode through its EVP API.
I first saw it reported on the Putty bugs list [0], a good place
On Tue, 16 Dec 2008, mhey...@gmail.com wrote:
On Thu, Dec 11, 2008 at 8:42 PM, Damien Miller d...@mindrot.org wrote:
On Thu, 11 Dec 2008, James A. Donald wrote:
If one uses a higher resolution counter - sub
microsecond - and times multiple disk accesses, one gets
true physical
On Thu, 11 Dec 2008, James A. Donald wrote:
If one uses a higher resolution counter - sub
microsecond - and times multiple disk accesses, one gets
true physical randomness, since disk access times are
affected by turbulence, which is physically true
random.
Until someone runs your software
On Thu, 11 Sep 2008, Peter Gutmann wrote:
David Molnar [EMAIL PROTECTED] writes:
Dan Geer's comment about the street price of heroin as a metric for
success has me thinking - are people tracking the street prices of
digital underground goods over time?
I've been (very informally) tracking
On Wed, 19 Sep 2007, Nash Foster wrote:
http://labs.musecurity.com/2007/09/18/widespread-dh-implementation-weakness/
Any actual cryptographers care to comment on this? I don't feel
qualified to judge.
I discovered this minor weakness in most of the open source IPSec
implementations in May
On Mon, 30 Oct 2006, Saqib Ali wrote:
http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2006/10/30/BUGU2M1ETT1.DTL&type=printable
http://www.theglobeandmail.com/servlet/story/RTGAM.20061030.wharddrive1029/BNStory/Front/?page=rss&id=RTGAM.20061030.wharddrive1029
On Mon, 23 Oct 2006, Bill Stewart wrote:
Spammers have been including images in their email to evade anti-spammers.
Anti-spammers have been using OCR to identify spammy words in images.
Spammers have recently come up with tricks to work around OCRs,
by doing steganography with animated GIF
On Fri, 15 Sep 2006, Jostein Tveit wrote:
[EMAIL PROTECTED] (Peter Gutmann) writes:
What's more scary is that if anyone introduces a parameterised hash
(it's quite possible that this has already happened in some fields,
and with the current interest in randomised hashes it's only a
On Wed, 9 Aug 2006, Travis H. wrote:
Hey,
I was mulling over some old emails about randomly-generated numbers
and realized that if I had an imperfectly random source (something
less than 100% unpredictable), that compressing the output would
compress it to the point where it was nearly so.
On Mon, 7 Aug 2006, John Gilmore wrote:
Here is the latest quick update on SSL Certs. It's interesting that
generally prices have risen. Though ev1servers are still the best commercial
deal out there.
The good news is that CAcert seems to be positioned for prime time debut,
and you
John Kelsey wrote:
Guys,
Some of my co-workers here at NIST got an email macro virus which
appeared to be targeted to cryptographers. It appeared to be
addressed to Moti Yung, and come from Lawrie Brown and Henri Gilbert
(though that name was misspelled, maybe a transcription error from an
On Wed, 15 Mar 2006, Ed Gerck wrote:
cybergio wrote:
Zfone :: http://www.philzimmermann.com/EN/zfone/index.html
...it achieves security without reliance on a PKI, key certification,
trust models, certificate authorities, or key management...
Good. But, of course, there's a trust
James A. Donald wrote:
--
Has anyone been attacked through a certificate that
would not have been issued under stricter security? The
article does not mention any such attacks, nor have I
ever heard of such an attack.
How much money does a phishing site make before it is forced to
David Mercer wrote:
And my apologies to Ben Laurie and friends, but why after all these
years is the UI interaction in ssh almost exactly the same when
accepting a key for the first time as overriding using a different one
when it changed on the other end, whether from mitm or just a
On Sun, 23 Oct 2005, Joseph Ashwood wrote:
- Original Message - Subject: [Tom Berson Skype Security Evaluation]
Tom Berson's conclusion is incorrect. One needs only to take a look at the
publicly available information. I couldn't find an immediate reference
directly from the Skype
On Tue, 30 Aug 2005, Peter Gutmann wrote:
- A non-spoofable means of password entry that only applies for TLS-PSK
passwords. In other words, something where a fake site can't trick the user
into revealing a TLS-PSK key.
This sounds like a solution replete with all the problems that
R. A. Hettinga wrote:
Luckily, there are alternatives. The National Institute of Standards and
Technology already has standards for longer - and harder to break - hash
functions: SHA-224, SHA-256, SHA-384, and SHA-512. They're already
government standards, and can already be used. This is a
Eric Rescorla wrote:
I don't find that argument at all convincing. After all, these bugs *are*
being found!
Well, SOME bugs are being found. I don't know what you mean by
these bugs. We don't have any real good information about
the bugs that haven't been found. What makes you think that
On Sun, 2003-10-19 at 00:47, Peter Gutmann wrote:
What was the motive for adding lip service into the document?
So that it's possible to claim PGP and X.509 support if anyone's interested in
it. It's (I guess) something driven mostly by marketing so you can answer
Yes to any question of Do