Authorities investigating the 2008 crash of Spanair flight 5022
have discovered a central computer system used to monitor technical
problems in the aircraft was infected with malware
http://www.msnbc.msn.com/id/38790670/ns/technology_and_science-security/?gt1=43001
This was very poorly
What on earth happened? Was there a change in banking regulations in
the last few months?
No, but we know that banks move in herds, and they mostly talk to each
other, not anyone with outside expertise.
More likely someone noticed that computers are a lot faster than they
were a decade ago, you
Nice theses. I'm looking forward to the other 94. The first one is a
nice summary of why DKIM might succeed in e-mail security where S/MIME
failed. (Succeed as in, people actually use it.)
2 A third party attestation, e.g. any certificate issued by any modern
CA, is worth exactly as much as
we claimed we do something like two orders magnitude reduction in
fully-loaded costs by going to no personalization (and other things)
...
My concern with that would be that if everyone uses the same
signature scheme and token, the security of the entire industry
becomes dependent on the
In this case, heck, no. The whole point of this thing is that it is
NOT remotely programmable to keep malware out.
Which is perhaps why it is not a good idea to embed an SSL engine in such
a device.
Agreed. A display and signing engine would be quite adequate.
Such a device does however
So should or should not an embedded system have a remote management
interface?
In this case, heck, no. The whole point of this thing is that it is
NOT remotely programmable to keep malware out.
If you have a modest and well-defined spec, it is well within our
abilities to produce reliable
At a meeting a few weeks ago I was talking to a guy from BITS, the
e-commerce part of the Financial Services Roundtable, about the way
that malware infected PCs break all banks' fancy multi-password logins
since no matter how complex the login process, a botted PC can wait
until you login, then
A bit too far for a quick visit (at least for me):
http://news.bbc.co.uk/2/hi/uk_news/england/8241617.stm
Bletchley Park is always worth a visit, with or without a special
exhibit, as is the adjacent National Museum of Computing which houses
Colossus and a lot more interesting stuff.
An
Speaking of seizing an Enigma, here's a picture of a handy one rotor
version I got at Bletchley Park. The rotor flips over so there's two
possible rotors and the determined cryptographer can use multiple
rotors by making several passes manually over the data.
http://www.taugh.com/enigma.jpeg
I have never seen a good catalog of computationally-strong
pseudo-random number generators.
Chapter 3 of Knuth's TAOCP is all about pseudo-random number
generators, starting with a fine example of the wrong way to do it.
My copy is several thousand miles away but my recollection is that his
main
This means a site paying attention to such things could notice a
change in IP address, or, if several users were attacked this way,
notice repeated connections from the same IP. (Granted the MITM
could distribute the queries over a botnet, but it raises the bar
somewhat.)
I have no idea if sites
of the dongle,
you're still subject to MITM attacks. But a dongle with a screen big
enough for my 87 year old father to read, and buttons big enough for
him to push reliably would be unlikely to fit on his keychain. It's a
very hard problem.
Regards,
John Levine, jo...@iecc.com, Primary Perpetrator
One idea I have not seen mentioned here (and which I have not yet
encountered in RL, but only weird people send me email these days) is
for the sending MTA to use pgp to encrypt mail using the recipient's
public key, available on one of the key servers near you.
I don't understand what problem
That's basically what I'm using, just without the digital signature
part: each person/organisation/website/whatever gets a different email
address for communicating with me (qmail makes this easy to implement)
I do that too -- I bet half the people on this list do, and there's
lots of free and
You know those crackpot ideas that keep showing up in snake oil crypto?
Well, e-postage is snake oil antispam.
While I think this statement may be true for POW coinage, because for a bot
net it grows on trees, for money that traces back to the international
monetary exchange system, it may not be
Richard Clayton and I claim that PoW doesn't work:
http://www.cl.cam.ac.uk/~rnc1/proofwork.pdf
I bumped into Cynthia Dwork, who originally invented PoW, at a CEAS
meeting a couple of years ago, and she said she doesn't think it
works, either.
R's,
John
with pointers to the mailing list and other
resources. One of our slow moving projects is a taxonomy of anti-spam
techniques, both ones that work and ones that don't work. If you'd
like to contribute, drop me a note and I'll give you a password so you
can edit it.
Regards,
John Levine, jo
I just received a phishing email, allegedly from HSBC:
Dear HSBC Member,
So did the link have a EV cert?
Hardly matters. HSBC has vast numbers of web servers all over the world,
some with EV certs, some without.
For example, their US customer site for deposit customers at
(Also, it's not clear that a deterministic POW works well for an
application like Bitcoin; it might let the owner of the fastest computer
win every POW race, giving him too much power.)
Indeed. And don't forget that through the magic of botnets, the bad
guys have vastly more compute power
Can't we just convert actual money in a bank account into bitbux --
cheaply and without a carbon tax? Please?
If only. People have been saying for at least a decade that all we
have to do to solve the spam problem is to charge a small fee for
every message sent. Unfortunately, there's a
As long as honest nodes control the most CPU power on the network,
they can generate the longest chain and outpace any attackers.
But they don't. Bad guys routinely control zombie farms of 100,000
machines or more. People I know who run a blacklist of spam sending
zombies tell me they often
The relationship to this list may then be thin
excepting that the collection and handling of
such data remains of substantial interest.
Actually, it points to cash settlement of road tolls.
That's not unknown. On the Niagara Falls toll bridges, they have an
ETC system where you buy your
So, I believe, at least for E-Z Pass, the attack would have to include
cloning the license plate and pictures may still be available whenever
a victim realizes they have been charged for trips they did not take.
The 407 toll road in Toronto uses entirely automated toll collection.
They
from the Trenton
P.O. so the allegedly correct answer is Trenton.
It's not too hard for me to figure these out, but given the amount of
plain wrong info in credit reports, this approach must lead to some
pretty frustrating failures.
Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator
CERT/CC mentions this:
| It is important to note that without changes to the DNS protocol, such
| as those that the DNS Security Extensions (DNSSEC) introduce, these
| mitigations cannot completely prevent cache poisoning.
Why wouldn't switching to TCP lookups solve the problem? It's
arguably
However, we in the security circles don't need to spread the
Kaminsky finds meme.
Quite right. Paul Vixie mentioned it in 1995, Dan Bernstein started
distributing versions of dnscache with randomized port and sequence
numbers in 2001.
The take-away here is not that Dan didn't discover the
| Presumably the value they add is that they keep browsers from popping
| up scary warning messages
Apple's Mail.app checks certs on SSL-based mail server connections.
It has the good - but also bad - feature that it *always* asks for
user approval if it gets a cert it doesn't like.
Good
their browsers, which is always a losing battle, it's easier
just to pay the $15 protection money and get a CA signature.
Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of The Internet for
Dummies,
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
More Wiener schnitzel
Are there any options that don't involve adding a new root CA?
Assuming your sites all use subdomains of your company domain,
a wildcard cert for *.whatever might do the trick. It's relatively
expensive, but you can use the same cert in all your servers.
I would think this would be rather
http://amtrak.bfi0.com/.
Lesson for phishers: If you want your phish to seem more legit, outsource it
to Bigfoot Interactive, which seems to lead back to Epsilon Agency Services,
who specialise in... well, phishing, but for the good guys. I bet the Russian
Business Network could do it for
They can't be as anonymous as cash if the party being dealt with
can be identified. And the party can be identified if the
transaction is online, real-time. Even if other clues are erased,
there's still traffic analysis in this case.
If I show up at a store and pay cash for something every
In article [EMAIL PROTECTED] you write:
http://www.google.com/patents?vid=USPAT6993661
Gee, the inventor is Simson Garfinkel, who's written a bunch of books
including Database Nation, published in 2000 by O'Reilly, about all
the way the public and private actors are spying on us.
I wonder
Does that mean that the new fiber is less tappable?
Somehow, I suspect that Corning and the relevant authorities have been
in touch to work out any problems.
Corning is a politically very well connected company. Amory Houghton,
a member of the family that has controlled the company since its
I do not believe the mentioned conflict exists. The aim of these
calculator-like devices is to make sure that no malware, virus etc can
create unauthorized transactions. The user should still be able to
debug, and inspect the software in the calculator-like device, or
virtual software
somewhere over the yrs the term certification authority was truncated
to certificate authority ... along with some impression that
certificates are being sold (as opposed to certification processes).
When I pay $14.95 for a certificate, with the investigation of my bona
fides limited to clicking
I've heard nothing formal, but my strong understanding is a lot of US
government machines, at least if we're talking workstations on
non-classified nets, are in fact 0wn3d at this point.
Well, here's an anecdote: at last year's CEAS conference, Rob Thomas
of Team Cymru gave the keynote on the
or routing or anything else, but the signing key will let them
Take Control of this Vital Resource in case of National Emergency.
You know, like they did in New Orleans.
but get people upset, but at
most this is a turf battle between two cabinet departments. The war
was over seven years ago.
Suppose we have a messaging service that, like Yahoo, is
also a single signon service, ...
Then you just change the attack model.
There are a bunch of sites that do various things with your address
book ranging from the toxic Plaxo which slurps it up and sends spam to
everyone in it masquerading
If you can persuade everyone to use a single system,
it's not hard to make communication adequately secure.
...
You are making the Katrina reaction we need someone in
charge. ...
Oh, not at all. I guess I wasn't clear. To the extent that people use
a single system it can be secure, but
8Kbit/second is enough if all you need is to understand what is being
said, not recognize the speaker. The processing power to do this is
pretty small on today's scale of things.)
With decent compression techniques, 8kbps is close to telephone
quality, and 2400bps has artifacts but is still
the list archives linked from
http://www.mipassoc.org/dkim/ietf-dkim.htm and at least argue about
something different?
The conventional wisdom is that the successful US cryptanalytic efforts
against Japanese naval codes was a closely-held secret.
Has the conventional wisdom forgotten that it was reported in the
Chicago Tribune in 1942?
See, for example, http://www.newseum.org/warstories/essay/secrecy.htm
Have you noticed that airline tickets are once again de-facto
transferable? If you print your own boarding pass at home, you can
digitally change the name on it before you print.
Lots of us have noticed that, print one version for the person at
security with a name that matches the ID, print
http://www.guardian.co.uk/idcards/story/0,,1766266,00.html
The story may be exaggerated but it feels quite real. Certainly I've
found similar issues in the past.
It sounds real to me, with an airline whose security is slightly but
not greatly worse than typical.
I buy a lot of online
And, while there is a privacy issue, optical license plate readers
are getting good enough that the issue may soon be moot.
Seems moot now. The 407 toll road around Toronto has no toll booths
at all. If you drive on it frequently, you can get a transponder but
otherwise, they take a picture
Some Americans, analysts note, are already using a version of e-cash
to bypass toll lanes on highways.
Don't take that as a sign of consumer acceptance, though. In
Illinois, if you won't pre-pay your tolls in $40 increments, you will
pay double the rate in cash at the tollbooth.
Here in the
In article [EMAIL PROTECTED] you write:
http://www.informationweek.com/story/showArticle.jhtml?articleID=171200010
Summary: some phishes are going to SSL-secured sites that offer up
their own self-signed cert. Users see the warning and say I've seen
that dialog box before, no problem, and
, it's worth running. It needs Powerpoint:
http://www.radixlabs.com/idtheft/aaron-emigh-education.pps
and a $350 cert is: $340.
Next question?