Re: padlocks with backdoors - TSA approved

2007-02-27 Thread Hadmut Danisch
Hi Allen, On Mon, Feb 26, 2007 at 09:23:30PM -0800, Allen wrote: Hi Hadmut, combination lock brands in the $30 to $45 USD range where you can set the combination to whatever you want. Guess what? They all seemed to use the same key to enable setting the combination. Why make it that

Re: padlocks with backdoors - TSA approved

2007-02-27 Thread Hadmut Danisch
On Tue, Feb 27, 2007 at 01:09:00AM -0500, David Chessler wrote: This is why I don't bother with padlocks until I get to the hotel room. It is a good idea to slow down the petty thief, but a twist tie from a plastic bag will work. I use the nylon straps used to hold cable bunches in place.

Re: padlocks with backdoors - TSA approved

2007-02-27 Thread Hadmut Danisch
On Mon, Feb 26, 2007 at 10:36:22PM -0600, Taral wrote: I'm just waiting for someone with access to photograph said keys and post it all over the internet. It does not need access to the keys. Do you know that car Volkswagen Golf? As far as I know also sold in the USA. In the eighties

Details of the backdoor-padlock

2007-02-27 Thread Hadmut Danisch
Hi, made two pictures of the padlock with the backdoor: shows the TSA keyhole: Just a very simple standard key cylinder, pretty easy to produce a general key from any lock. But that's waste of time. The lock suffers from the same weakness almost all

padlocks with backdoors - TSA approved

2007-02-26 Thread Hadmut Danisch
Hi, has this been mentioned here before? I just had my crypto nightmare experience. I was in a (German!) outdoor shop to complete my equipment for my next trip, when I came to the rack with luggage padlocks (used to lock the zippers). While the German brand locks were as usual, all the

Re: RSA SecurID SID800 Token vulnerable by design

2006-09-09 Thread Hadmut Danisch
Hi Lance, On Fri, Sep 08, 2006 at 10:26:45AM -0700, Lance James wrote: Another problem from what I see with Malware that steals data is the formgrabbing and on event logging of data. Malware can detect if SecureID is being used based on targeted events, example: Say HSBC (Hypothetical

RSA SecurID SID800 Token vulnerable by design

2006-09-08 Thread Hadmut Danisch
Hi, I recently tested an RSA SecurID SID800 Token The token is bundled with some Windows software designed to make user's life easier. Interestingly, this software provides a function which directly copies the current

Re: PGP master keys

2006-04-28 Thread Hadmut Danisch
On Wed, Apr 26, 2006 at 10:41:12PM -0400, Steven M. Bellovin wrote: Ah -- corporate key escrow. An overt back door for Little Brother, rather than a covert one for Big Brother You should check the list of recipient keys in PGP messages from time to time anyway. I recently found a bug in

Re: History and definition of the term 'principal'?

2006-04-26 Thread Hadmut Danisch
Hi, On Wed, Apr 26, 2006 at 03:18:40PM -0400, Sean W. Smith wrote: I like the definition in Kaufman-Perlman-Speciner: A completely generic term used by the security community to include both people and computer systems. Coined because it is more dignified than 'thingy' and because

How security could benefit from high volume spam

2005-12-14 Thread Hadmut Danisch
against spam, we should take this into consideration. Maybe in near future the advantages of that noise produced by millions of bots will outweigh the disadvantages? Comments are welcome. Hadmut Danisch

Re: HTTPS mutual authentication alpha release - please test

2005-11-07 Thread Hadmut Danisch
On Fri, Nov 04, 2005 at 09:16:16AM +, Nick Owen wrote: No, this is not it. It is this attack and similar: The phishers are not using valid certificates, but users are so immune to warnings about certificates that they don't pay attention to them. It may be

Re: Cryptanalytic attack on an RFID chip

2005-01-30 Thread Hadmut Danisch
On Sat, Jan 29, 2005 at 01:09:32PM -0500, Steven M. Bellovin wrote: This chip is used in anti-theft automobile immobilizers and in the ExxonMobil SpeedPass. If I recall correctly, there are two different electronic functions in key cars. One is the theft protection where the chip needs to

Re: Where to get a Jefferson Wheel ?

2005-01-05 Thread Hadmut Danisch
Dean, James wrote: The order of the wheels can't be changed. So this encryption device doesn't use any key? Only the most trivial; you choose the row to transmit. From what I've seen on the web not even that: Unlike the original Jefferson wheel these toys are not intended to choose any row,

Where to get a Jefferson Wheel ?

2005-01-04 Thread Hadmut Danisch
Hi, does anyone know where I can get a Jefferson Wheel or a replica? regards Hadmut

Re: M-209 broken in WWII

2004-09-29 Thread Hadmut Danisch
Anish wrote: could you please translate at least the abstract for the rest of us :-) Sure, some of the first paragraphs: As a German codebreaker in World War II Klaus Schmeh 23.9.2004 For the first time a witness reported, who was involved in

Re: [anonsec] Re: potential new IETF WG on anonymous IPSec (fwd from [EMAIL PROTECTED]) (fwd from [EMAIL PROTECTED])

2004-09-18 Thread Hadmut Danisch
On Thu, Sep 16, 2004 at 12:41:41AM +0100, Ian Grigg wrote: It occurs to me that a number of these ideas could be written up over time ... a wiki, anyone? I think it is high past time to start documenting crypto patterns. Wikis are not that good for discussions, and I do believe that this

Forensic: Who gave this crypto talk?

2004-09-15 Thread Hadmut Danisch
Hi, I have again one of these special, strange, freaky questions. I'm still investigating some unusual activities in science and cryptography. There are some handwritten notes, they seem to be some kind of transcript of slides from a talk about cryptography. I need to find out when, where,

Re: Compression theory reference?

2004-09-01 Thread Hadmut Danisch
On Tue, Aug 31, 2004 at 05:07:30PM -0500, Matt Crawford wrote: Plus a string of log(N) bits telling you how many times to apply the decompression function! Uh-oh, now goes over the judge's head ... Yeah, I just posted a lengthy description why I think that this counterexample is not a

Re: Compression theory reference?

2004-09-01 Thread Hadmut Danisch
On Wed, Sep 01, 2004 at 04:02:02PM +1200, Peter Gutmann wrote: comp.compression FAQ, probably question #1 given the number of times this comes up in the newsgroup. (I've just checked, it's question #9 in part 1. Question #73 in part 2 may also be useful). Thanks, that's a pretty good

Compression theory reference?

2004-08-31 Thread Hadmut Danisch
Hi, I need a literature reference for a simple problem of encoding/compression theory: It can be easily shown that there is no lossless compression method which can effectively compress every possible input. Proof is easy: In a first step, consider all possible messages of length n bit, n>0.

cryptograph(y|er) jokes?

2004-06-22 Thread Hadmut Danisch
Hi, does anyone know good jokes about cryptography, cryptographers, or security? regards Hadmut [Moderator's note: I know of several security systems that are jokes in and of themselves, but that doesn't seem to be what you meant. :) --Perry]

Re: The future of security

2004-05-08 Thread Hadmut Danisch
On Mon, Apr 26, 2004 at 08:21:43PM +0100, Graeme Burnett wrote: Would anyone there have any good predictions on how cryptography is going to unfold in the next few years or so? I have my own ideas, but I would love to see what others see in the crystal ball. My guess is that it is

Re: Do Cryptographers burn?

2004-04-04 Thread Hadmut Danisch
On Sat, Apr 03, 2004 at 11:49:15PM +0100, Dave Howe wrote: If you mean he gave a false assurance of the security of a product for a friend - why would he do that? I can't think of any of my friends who would want me to tell them software was secure if it wasn't. ... I suppose that depends on

Do Cryptographers burn?

2004-04-03 Thread Hadmut Danisch
Hi, this is not a technical question, but a rather academic or abstract one: Do Cryptographers burn? Cryptography is a lot about math, information theory, proofs, etc. But there's a certain level where all this is too complicated and time-consuming to follow all those theories and claims. At

Canon's Image Data Verification Kit DVK-E2 ?

2004-03-31 Thread Hadmut Danisch
Hi, Canon provides a so called Data Verification Kit which allegedly allows to detect whether a digital image has been tampered with since it has been taken with a digital camera. I found the announcement at They say: How it works

OOAPI-SSL/TLS (Was: Simple SSL/TLS - Some Questions)

2003-10-04 Thread Hadmut Danisch
On Fri, Oct 03, 2003 at 05:55:25PM +0100, Jill Ramonsky wrote: Having been greatly encouraged by people on this list to go ahead with a new SSL implementation, That's a pretty good idea, I also encourage you (and volunteer to support). The main point of confusion/contention right now

Re: invoicing with PKI

2003-09-02 Thread Hadmut Danisch
On Mon, Sep 01, 2003 at 12:23:28PM -0400, Ian Grigg wrote: The dream of PKI seems to revolve around these major areas: 1. invoicing, contracting - no known instances 2. authentication and authorisation - SSL client side certs deployed within organisations. 3. payments 4.