Re: Free WiFi man-in-the-middle scam seen in the wild.

2007-01-23 Thread Roy M. Silvernail
On Tue, January 23, 2007 09:24, Perry E. Metzger wrote:

 (Incidently, the article gets a few things wrong. It somewhat implies
 that you are safe if you pick a WiFi network you have a previous
 relationship with, which isn't true.)

It also is only warning against ad-hoc connections with misleading names. 
While I see a bunch of these around (not necessarily in airports,
either... several show up from my cube at work), it doesn't take much to
put up a perfectly normal-looking access point.  See
http://www.ethicalhacker.net/content/view/66/24/ for examples.
-- 
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
Antelope Freeway, one sixty-fourth of a mile. - TFT
http://www.rant-central.com

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: [Cryptocollectors] STU III 2500

2007-01-14 Thread Roy M. Silvernail
Richard Brisson wrote:
 Good morning all,
 
  
 
 Available to those in the U.S., STU-III 2500 with manual and AC adapter (and
 perhaps even a key in the plastic bag but it's not stated nor obvious) on
 eBay: 330073910569

This is the first auction I've looked at where eBay is anonymizing the
bidder list.  It's probably a general policy, but interesting that the
first one I saw was for crypto gear.
-- 
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
It's just this little chromium switch, here. - TFT
CRM114-procmail-/dev/null-bliss
http://www.rant-central.com

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: UK Government to force disclosure of encryption keys.

2006-05-19 Thread Roy M. Silvernail
Perry E. Metzger wrote:

Excerpt:

   The UK Government is preparing to give the police the authority to
   force organisations and individuals to disclose encryption keys, a
   move which has outraged some security and civil rights experts.

http://news.zdnet.co.uk/0,39020330,39269746,00.htm
  

Interesting.  That's the second reference I've received just this
morning to that page, which has gone 404.  Anyone have a mirror?

-- 
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
It's just this little chromium switch, here. - TFT
CRM114-procmail-/dev/null-bliss
http://www.rant-central.com


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: crypto wiki -- good idea, bad idea?

2005-12-12 Thread Roy M. Silvernail
Travis H. wrote:

Would a wiki specifically for crypto distribute the burden enough to be useful?
Or should we just stick to wikipedia?  Is it doing a satisfactory job?
  

I'd read it.  More resources == better.  But keep the current Wikipedia
controversy in mind WRT the veracity of the contributed material.  Then
again, if it's a crypto wiki, I suppose we could expect some
credentialing system to be incorporated.  It could even be presented as
a tutorial.

-- 
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
It's just this little chromium switch, here. - TFT
CRM114-procmail-/dev/null-bliss
http://www.rant-central.com


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Another entry in the internet security hall of shame....

2005-08-24 Thread Roy M. Silvernail
Quoting Ian G [EMAIL PROTECTED]:

 Once you've configured iChat to connect to the Google Talk service, you may
 receive a warning message that states your username and password will be
 transferred insecurely. This error message is incorrect; your username and
 password will be safely transferred.
 -=-=-

 hmm

Also noted in Psi.  Google's instructions for Psi say to leave Use SSL
encryption and Allow Plaintext Login unchecked, but both need to be checked
for me to successfully login.  I'm guessing Google is counting on the SSL
tunnel to protect the plaintext logins.
-- 
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
It's just this little chromium switch, here. - TFT
SpamAssassin-procmail-/dev/null-bliss
http://www.rant-central.com

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Financial identity is *dangerous*? (was re: Fake companies, real money)

2004-10-28 Thread Roy M. Silvernail
On Sun, 2004-10-24 at 09:35 -0400, [EMAIL PROTECTED] wrote:
 |   [EMAIL PROTECTED] writes:
 |
 |   I'm pretty sure that you are answering the question
 |   Why did Microsoft buy Connectix?
 |
 |   The answer to that one is actually To provide a
 |   development environment for Windows CE (and later XP
 |   Embedded) (the emulator that's used for development
 |   in those environments is VirtualPC).  Thank you for
 |   playing.
 
 TILT
 
 No need to buy a company just to use its
 product in your development shop.
 
 Please insert additional coins.

I'd thought it was so Microsoft could offer an emulation-based migration
path to all the apps that would be broken by Longhorn.  MS has since
backed off on the new filesystem proposal that would have been the
biggest source of breakage (if rumors of a single-rooted, more *nix-like
filesystem turned out to be true).
-- 
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
It's just this little chromium switch, here. - TFS
SpamAssassin-procmail-/dev/null-bliss
http://www.rant-central.com

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: EZ Pass and the fast lane ....

2004-07-12 Thread Roy M. Silvernail
Jerrold Leichter wrote:
How long before license plates have transponders built into them?  After all,
it's long-established law that you can be required to place an identifier on
your car when it's on the public roads - why's there a difference between one
that responds at optical frequencies and one that responds at a couple of
gigahertz?  (For that matter, even if you want to stick to optical and you
can't get plate reading accurate enough, the technology for reading bar codes
from moving vehicles is well-developed - it's been used for years to identify
railroad cars, and many gated communities use them to open the gates for cars
owned by residents.)
 

An infrared-reflective bar code would not be visible to the naked eye.  
That would probably slip past the proles for a good while before the 
word got out.  And once the infrastructure is in place, it would be hard 
to dislodge.

--
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
It's just this little chromium switch, here. - TFS
SpamAssassin-procmail-/dev/null-bliss
http://www.rant-central.com
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: High hopes for unscrambling the vote

2004-06-08 Thread Roy M. Silvernail
R. A. Hettinga quotes Declan McCullagh:
 Bottom line:The technology is still in its prototype stage--but a bigger
obstacle may be whether notoriously conservative voting officials can be
convinced to try something new.
That's an interesting perspective, considering electronic voting already 
*is* something new.  A man with tinfoil inside his fez might wonder if 
this points to a greater conspiracy that hinges on the lack of a paper 
trail from the voting machines.

Speaking of which, this[1] Cringely column doesn't seem to have received 
much notice, even though it points out that the Diebold machines 
*already have a printer* built in.  While it's probably not equipped to 
do Chaumian voter receipts, it could certainly do the old-fashioned 
human-readable type.   That's a SMOP.
--
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
Never Forget:  It's Only 1's and 0's!
SpamAssassin-procmail-/dev/null-bliss
http://www.rant-central.com

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Article on passwords in Wired News

2004-06-03 Thread Roy M. Silvernail
Eugen Leitl wrote:
Banks tried to push smart cards, but very half-heartedly (didn't offer free
readers, which could have created critical mass). 
Ther was one of those net-only bank-like operations in the last days 
of the bubble that did offer free smart-card readers.  That's what 
prompted me to sign up.  Of course, the bubble burst and I never did get 
my free reader.
--
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
Never Forget:  It's Only 1's and 0's!
SpamAssassin-procmail-/dev/null-bliss
http://www.rant-central.com

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Simple SSL/TLS - Some Questions

2003-10-03 Thread Roy M. Silvernail
iang wrote:
 
 Jill Ramonsky wrote:

  It's worth summing up the design goals here, so nobody gets confused.
  Trouble is, I haven't figured out what they should all be. The main
  point of confusion/contention right now seem to be (1) should it be in C
  or C++?,
 
 C.  And write C++ wrappers or let someone else do it.

Yes!  Speaking from experience, it's far easier to write a C++ wrapper 
for a C lib than the other way around.  And as Ian said, it's probably
easier to get the implementation correct in C, at least as a first pass.
-- 
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
http://www.rant-central.com is the new scytale
Never Forget:  It's Only 1's and 0's!
SpamAssassin-procmail-/dev/null-bliss

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Don't kill the messenger (was: Re: Reliance on Microsoft called risk to U.S. security)

2003-10-02 Thread Roy M. Silvernail
On Wednesday 01 October 2003 22:02, bear wrote:

 No, it is not.  You can make a hyperdocument that is completely
 self-contained and therefore text, but that is not how HTML is
 normally made.  HTML can cause your machine to do things other than
 display it, and to that extent it is code, not text.

A small nit: HTML is, in fact, text.  The effects you describe are the result 
of a client taking certain actions based on the text/html MIME type.  That's 
the reason you use Pine (and I use Kmail).  These clients (and others... yay, 
elm!) don't take unbidden actions to render HTML mail or cause executable 
attachments to execute.

 You can't rely on saving an HTML document
 and being able to read it years or decades later, because with
 hypertext, maybe the part you're interested in (or need for evidence)
 isn't even on the page you saved.

True, but again, that's a property of HTML. That the HTML document was 
transmitted through mail is a side issue.

It's not that email has been overloaded, through the use of MIME, to carry 
content other than text/plain.  The problem is that certain MUAs have been 
built to take some default actions based on the MIME types received, and 
those clients have become (for whatever reason) popular among mail users of 
a, shall we say, non-technical bent.

 The fact that sending HTML (and other code) through SMTP was not
 considered a violation of SMTP has allowed a generation of mail
 readers to become common that encourage mail viruses, macroviruses,
 worms, and other malicious code.  If we are interested in security, we
 need some kind of protocol where we as a group just draw a line and
 say nothing but text through this port.

SMTP is *already* such a protocol.  Base-64 encoding (and UUENCODE before it) 
was designed to address the 7-bit gateway through which email once passed.  
MIME only describes and encapsulates non-textual content.  (the first M 
originally stood for 'multimedia', not 'multipurpose') Some mail clients have 
evolved (or been designed *cough*outlook*cough*) to be infection vectors, but 
that's not the fault of the base transport protocol.  It's the result of poor 
security decisions in the client design process.

This is not to demonize MIME, either.  Some applications, like PGP signatures, 
are elegant uses. Much better than the X-PGP-Signature header I was helping 
develop 10 years ago.  There's nothing intrinsically wrong with extending 
mail to carry arbitrary content.  The problem appears when the MUA is able to 
take some risky action with that content, whether automatically or through 
unwise user action.  Grandma clicks on everything.

Mail as a vulnerability is a client issue and a training issue.

That said, I also despise HTML mail for all the reasons you describe.  But 
between the September That Never Ended and the release of Mosaic, it's really 
no surprise that eye candy has become an imperative.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: VeriSign tapped to secure Internet voting

2003-10-01 Thread Roy M. Silvernail
On Wednesday 01 October 2003 17:33, R. A. Hettinga forwarded:

 VeriSign tapped to secure Internet voting

 The solution we are building will enable absentee voters to exercise
 their right to vote, said George Schu, a vice president at VeriSign. The
 sanctity of the vote can't be compromised nor can the integrity of the
 system be compromised--it's security at all levels.

One would wish that were a design constraint.  Sadly, I'm afraid it's just a 
bullet point from the brochure.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: VeriSign tapped to secure Internet voting

2003-10-01 Thread Roy M. Silvernail
On Wednesday 01 October 2003 19:53, Ian Grigg wrote:
 Roy M. Silvernail wrote:
  On Wednesday 01 October 2003 17:33, R. A. Hettinga forwarded:
   VeriSign tapped to secure Internet voting
  
   The solution we are building will enable absentee voters to exercise
   their right to vote, said George Schu, a vice president at VeriSign.
   The sanctity of the vote can't be compromised nor can the integrity of
   the system be compromised--it's security at all levels.
 
  One would wish that were a design constraint.  Sadly, I'm afraid it's
  just a bullet point from the brochure.

 It's actually quite cunning.  The reason that this
 is going to work is because the voters are service
 men  women, and if they attack the system, they'll
 get their backsides tanned.  

Good observation.  I missed that one.

 Basically, it should
 be relatively easy to put together a secure voting
 application under the limitations, control structures
 and security infrastructure found within the US military.

 It would be a mistake to apply the solution to wider
 circumstances, and indeed another mistake to assume
 that Verisign had anything to do with any purported
 success in solving the voting problem.

Definitely, but I can see Verisign doing both.  The rabbit hole gets ever 
deeper.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]