Re: Free WiFi man-in-the-middle scam seen in the wild.
On Tue, January 23, 2007 09:24, Perry E. Metzger wrote:

> (Incidentally, the article gets a few things wrong. It somewhat implies
> that you are safe if you pick a WiFi network you have a previous
> relationship with, which isn't true.)

It also is only warning against ad-hoc connections with misleading names. While I see a bunch of these around (not necessarily in airports, either... several show up from my cube at work), it doesn't take much to put up a perfectly normal-looking access point.

See http://www.ethicalhacker.net/content/view/66/24/ for examples.

--
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
Antelope Freeway, one sixty-fourth of a mile. - TFT
http://www.rant-central.com

- The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: [Cryptocollectors] STU III 2500
Richard Brisson wrote:

> Good morning all,
>
> Available to those in the U.S., STU-III 2500 with manual and AC adapter
> (and perhaps even a key in the plastic bag but it's not stated nor
> obvious) on eBay: 330073910569

This is the first auction I've looked at where eBay is anonymizing the bidder list. It's probably a general policy, but interesting that the first one I saw was for crypto gear.

--
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
It's just this little chromium switch, here. - TFT
CRM114-procmail-/dev/null-bliss
http://www.rant-central.com
Re: UK Government to force disclosure of encryption keys.
Perry E. Metzger wrote:

> Excerpt:
>
> The UK Government is preparing to give the police the authority to
> force organisations and individuals to disclose encryption keys, a
> move which has outraged some security and civil rights experts.
>
> http://news.zdnet.co.uk/0,39020330,39269746,00.htm

Interesting. That's the second reference I've received just this morning to that page, which has gone 404. Anyone have a mirror?

--
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
It's just this little chromium switch, here. - TFT
CRM114-procmail-/dev/null-bliss
http://www.rant-central.com
Re: crypto wiki -- good idea, bad idea?
Travis H. wrote:

> Would a wiki specifically for crypto distribute the burden enough to be
> useful? Or should we just stick to wikipedia? Is it doing a
> satisfactory job?

I'd read it. More resources == better. But keep the current Wikipedia controversy in mind WRT the veracity of the contributed material. Then again, if it's a crypto wiki, I suppose we could expect some credentialing system to be incorporated. It could even be presented as a tutorial.

--
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
It's just this little chromium switch, here. - TFT
CRM114-procmail-/dev/null-bliss
http://www.rant-central.com
Re: Another entry in the internet security hall of shame....
Quoting Ian G [EMAIL PROTECTED]:

> Once you've configured iChat to connect to the Google Talk service, you
> may receive a warning message that states your username and password
> will be transferred insecurely. This error message is incorrect; your
> username and password will be safely transferred.
> -=-=-
>
> hmm

Also noted in Psi. Google's instructions for Psi say to leave Use SSL encryption and Allow Plaintext Login unchecked, but both need to be checked for me to successfully login. I'm guessing Google is counting on the SSL tunnel to protect the plaintext logins.

--
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
It's just this little chromium switch, here. - TFT
SpamAssassin-procmail-/dev/null-bliss
http://www.rant-central.com
Re: Financial identity is *dangerous*? (was re: Fake companies, real money)
On Sun, 2004-10-24 at 09:35 -0400, [EMAIL PROTECTED] wrote:

> | [EMAIL PROTECTED] writes:
> |
> | I'm pretty sure that you are answering the question
> | Why did Microsoft buy Connectix?
> |
> | The answer to that one is actually To provide a
> | development environment for Windows CE (and later XP
> | Embedded) (the emulator that's used for development
> | in those environments is VirtualPC). Thank you for
> | playing.
>
> TILT
>
> No need to buy a company just to use its product in your
> development shop. Please insert additional coins.

I'd thought it was so Microsoft could offer an emulation-based migration path to all the apps that would be broken by Longhorn. MS has since backed off on the new filesystem proposal that would have been the biggest source of breakage (if rumors of a single-rooted, more *nix-like filesystem turned out to be true).

--
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
It's just this little chromium switch, here. - TFS
SpamAssassin-procmail-/dev/null-bliss
http://www.rant-central.com
Re: EZ Pass and the fast lane ....
Jerrold Leichter wrote:

> How long before license plates have transponders built into them? After
> all, it's long-established law that you can be required to place an
> identifier on your car when it's on the public roads - why's there a
> difference between one that responds at optical frequencies and one
> that responds at a couple of gigahertz? (For that matter, even if you
> want to stick to optical and you can't get plate reading accurate
> enough, the technology for reading bar codes from moving vehicles is
> well-developed - it's been used for years to identify railroad cars,
> and many gated communities use them to open the gates for cars owned
> by residents.)

An infrared-reflective bar code would not be visible to the naked eye. That would probably slip past the proles for a good while before the word got out. And once the infrastructure is in place, it would be hard to dislodge.

--
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
It's just this little chromium switch, here. - TFS
SpamAssassin-procmail-/dev/null-bliss
http://www.rant-central.com
Re: High hopes for unscrambling the vote
R. A. Hettinga quotes Declan McCullagh:

> Bottom line: The technology is still in its prototype stage--but a
> bigger obstacle may be whether notoriously conservative voting
> officials can be convinced to try something new.

That's an interesting perspective, considering electronic voting already *is* something new. A man with tinfoil inside his fez might wonder if this points to a greater conspiracy that hinges on the lack of a paper trail from the voting machines.

Speaking of which, this[1] Cringely column doesn't seem to have received much notice, even though it points out that the Diebold machines *already have a printer* built in. While it's probably not equipped to do Chaumian voter receipts, it could certainly do the old-fashioned human-readable type. That's a SMOP.

--
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
Never Forget: It's Only 1's and 0's!
SpamAssassin-procmail-/dev/null-bliss
http://www.rant-central.com
Re: Article on passwords in Wired News
Eugen Leitl wrote:

> Banks tried to push smart cards, but very half-heartedly (didn't offer
> free readers, which could have created critical mass).

There was one of those net-only bank-like operations in the last days of the bubble that did offer free smart-card readers. That's what prompted me to sign up. Of course, the bubble burst and I never did get my free reader.

--
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
Never Forget: It's Only 1's and 0's!
SpamAssassin-procmail-/dev/null-bliss
http://www.rant-central.com
Don't kill the messenger (was: Re: Reliance on Microsoft called risk to U.S. security)
On Wednesday 01 October 2003 22:02, bear wrote:

> No, it is not. You can make a hyperdocument that is completely
> self-contained and therefore text, but that is not how HTML is
> normally made. HTML can cause your machine to do things other than
> display it, and to that extent it is code, not text.

A small nit: HTML is, in fact, text. The effects you describe are the result of a client taking certain actions based on the text/html MIME type. That's the reason you use Pine (and I use Kmail). These clients (and others... yay, elm!) don't take unbidden actions to render HTML mail or cause executable attachments to execute.

> You can't rely on saving an HTML document and being able to read it
> years or decades later, because with hypertext, maybe the part you're
> interested in (or need for evidence) isn't even on the page you saved.

True, but again, that's a property of HTML. That the HTML document was transmitted through mail is a side issue. It's not that email has been overloaded, through the use of MIME, to carry content other than text/plain. The problem is that certain MUAs have been built to take some default actions based on the MIME types received, and those clients have become (for whatever reason) popular among mail users of a, shall we say, non-technical bent.

> The fact that sending HTML (and other code) through SMTP was not
> considered a violation of SMTP has allowed a generation of mail
> readers to become common that encourage mail viruses, macroviruses,
> worms, and other malicious code. If we are interested in security, we
> need some kind of protocol where we as a group just draw a line and
> say nothing but text through this port.

SMTP is *already* such a protocol. Base-64 encoding (and UUENCODE before it) was designed to address the 7-bit gateway through which email once passed. MIME only describes and encapsulates non-textual content. (the first M originally stood for 'multimedia', not 'multipurpose') Some mail clients have evolved (or been designed *cough*outlook*cough*) to be infection vectors, but that's not the fault of the base transport protocol. It's the result of poor security decisions in the client design process.

This is not to demonize MIME, either. Some applications, like PGP signatures, are elegant uses. Much better than the X-PGP-Signature header I was helping develop 10 years ago. There's nothing intrinsically wrong with extending mail to carry arbitrary content. The problem appears when the MUA is able to take some risky action with that content, whether automatically or through unwise user action. Grandma clicks on everything. Mail as a vulnerability is a client issue and a training issue.

That said, I also despise HTML mail for all the reasons you describe. But between the September That Never Ended and the release of Mosaic, it's really no surprise that eye candy has become an imperative.
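
Added example, not part of the original post and not code from any mail client named in it: the argument above, that MIME only labels content and the risk lies in what the client does with each part, written as a small viewer policy in Python. The message, addresses, the tracker.example URL and the attachment name are constructed; build_sample and safe_view are hypothetical names.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage


def build_sample() -> bytes:
    """Constructed sample: plain body, HTML alternative, binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "reader@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("Plain text body.\n")
    msg.add_alternative(
        "<html><body><img src='http://tracker.example/x.gif'>Hi</body></html>",
        subtype="html",
    )
    msg.add_attachment(
        b"MZ\x90\x00constructed",
        maintype="application",
        subtype="octet-stream",
        filename="invoice.exe",
    )
    return msg.as_bytes()


def safe_view(raw: bytes):
    """Return (text_to_display, inert_parts) without rendering or running anything."""
    msg = message_from_bytes(raw, policy=policy.default)
    shown, inert = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        ctype = part.get_content_type()
        if ctype == "text/plain" and part.get_content_disposition() != "attachment":
            shown.append(part.get_content())
        else:
            # MIME only labels these bytes; the policy is to list them, never act.
            size = len(part.get_payload(decode=True) or b"")
            inert.append((ctype, part.get_filename(), size))
    return "".join(shown), inert


if __name__ == "__main__":
    text, parts = safe_view(build_sample())
    print(text, end="")
    for ctype, name, size in parts:
        print(f"[not rendered] {ctype} name={name!r} bytes={size}")
```

The HTML part and the attachment are decoded only to measure them; nothing is fetched, rendered or written to disk, which is the client-side decision the post says matters.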
Re: VeriSign tapped to secure Internet voting
On Wednesday 01 October 2003 17:33, R. A. Hettinga forwarded:

> VeriSign tapped to secure Internet voting
>
> The solution we are building will enable absentee voters to exercise
> their right to vote, said George Schu, a vice president at VeriSign.
> The sanctity of the vote can't be compromised nor can the integrity of
> the system be compromised--it's security at all levels.

One would wish that were a design constraint. Sadly, I'm afraid it's just a bullet point from the brochure.
Re: VeriSign tapped to secure Internet voting
On Wednesday 01 October 2003 19:53, Ian Grigg wrote:

> Roy M. Silvernail wrote:
> > On Wednesday 01 October 2003 17:33, R. A. Hettinga forwarded:
> > > VeriSign tapped to secure Internet voting
> > >
> > > The solution we are building will enable absentee voters to
> > > exercise their right to vote, said George Schu, a vice president
> > > at VeriSign. The sanctity of the vote can't be compromised nor can
> > > the integrity of the system be compromised--it's security at all
> > > levels.
> >
> > One would wish that were a design constraint. Sadly, I'm afraid it's
> > just a bullet point from the brochure.
>
> It's actually quite cunning. The reason that this is going to work is
> because the voters are service men & women, and if they attack the
> system, they'll get their backsides tanned.

Good observation. I missed that one.

> Basically, it should be relatively easy to put together a secure
> voting application under the limitations, control structures and
> security infrastructure found within the US military. It would be a
> mistake to apply the solution to wider circumstances, and indeed
> another mistake to assume that Verisign had anything to do with any
> purported success in solving the voting problem.

Definitely, but I can see Verisign doing both. The rabbit hole gets ever deeper.