Re: Quiet in the list...

2008-09-06 Thread Sidney Markowitz
IanG wrote, On 7/9/08 2:06 AM: Then, when a new Thunderbird comes out, you load that up and the other packages cease to work As far as I recall, the last time Thunderbird had an upgrade it told me that one was available, I clicked to upgrade, and the addons, including Enigmail, continue to

Re: Kaminsky finds DNS exploit

2008-07-10 Thread Sidney Markowitz
Udhay Shankar N wrote, On 9/7/08 5:52 PM: I think Dan Kaminsky is on this list. Any other tidbits you can add prior to Black Hat? He's posted a quite long article on his blog http://www.doxpara.com/?p=1162 that looks like all the details he is likely to provide for the next 30 days. It

Re: SSL/TLS and port 587

2008-01-23 Thread Sidney Markowitz
by Google within the hour. (As an aside, see Google Taking Blog Comments Searching Real-Time? http://www.groklaw.net/article.php?story=20080122132516514 for a discussion of this remarkable update to their search engine). Sidney Markowitz http://www.sidney.com

Re: Question on export issues

2008-01-07 Thread Sidney Markowitz
Ivan Krsti? wrote, On 6/1/08 1:33 PM: On Jan 3, 2008, at 10:47 PM, Peter Gutmann wrote: That's because there's nothing much to publish: In the US, notify the BIS via email. Our outside counsel -- specializing in this area -- thought this was insufficient That's the problem with using

Re: Question on export issues

2007-12-31 Thread Sidney Markowitz
Ivan Krsti? wrote, On 31/12/07 12:48 PM: We've recently had to jump through the BIS crypto export hoops at OLPC I find that very strange considering this from a BIS FAQ http://www.bis.doc.gov/encryption/encfaqs6_17_02.html all encryption source code that would be considered publicly

Re: Scare tactic?

2007-09-21 Thread Sidney Markowitz
Sidney Markowitz wrote, On 21/9/07 8:24 AM: Ben Laurie wrote, On 21/9/07 1:34 AM: Entity i cannot be coerced into sharing a key with entity j without i’s knowledge, ie, when i believes the key is shared with some entity l != j. The without i's knowledge part is critical to the argument

Re: Scare tactic?

2007-09-20 Thread Sidney Markowitz
attacker who is eavesdropping. That is an awfully impractical constraint on the threat model, which makes this issue moot in practice. Sidney Markowitz http://www.sidney.com - The Cryptography Mailing List Unsubscribe by sending

Latest AACS key cracked a week before release

2007-05-18 Thread Sidney Markowitz
/10065) -- Sidney Markowitz http://www.sidney.com - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Yet a deeper crack in the AACS

2007-05-04 Thread Sidney Markowitz
Article AACS cracks cannot be revoked, says hacker http://arstechnica.com/news.ars/post/20070415-aacs-cracks-cannot-be-revoked-says-hacker.html Excerpt: The latest attack vector bypasses the encryption performed by the Device Keys -- the same keys that were revoked by the WinDVD update -- and

Re: 128 bit number T-shirt?

2007-05-02 Thread Sidney Markowitz
Ivan Krstić wrote, On 3/5/07 4:50 AM: But all the artwork is just ugly numbers in a monospace font My thoughts too. This one looks much better, but I don't see a link anywhere to get it. Perhaps the author just photoshopped the picture as a proof of concept to go with his blog comment?

Re: Cryptome cut off by NTT/Verio

2007-04-29 Thread Sidney Markowitz
Cryptome.org has not been shut down yet (the notice from Verio dated 28 April says they were being given two weeks to find another provider). They seem to have been slashdotted. The shutdown notice page is not yet archivd at archive.org, but is mirrored on a responsive site, mirror.org:

Re: AES128-CBC Question

2007-04-19 Thread Sidney Markowitz
-stuttgart.de/openpgp/2003/04/msg00026.html It points out that a fixed IV results in information leakage if the first block or more of plaintext is the same in two messages encrypted with the same key. Sidney Markowitz http://www.sidney.com

Re: general defensive crypto coding principles

2006-02-08 Thread Sidney Markowitz
the communication channel, not the CPU. He also presents arguments for authenticating before encrypting which I won't repeat here -- It's all there in a pretty clear three pages in his book. -- Sidney Markowitz http://www.sidney.com

Re: serious threat models

2006-02-04 Thread Sidney Markowitz
that recorded the conversations. Sidney Markowitz http://www.sidney.com - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: RNG quality verification

2006-01-03 Thread Sidney Markowitz
that there are none of the more subtle vulnerabilities that are only discovered by many smart people taking a very hard look over a significant time period. -- Sidney Markowitz http://www.sidney.com - The Cryptography Mailing

Re: browser vendors and CAs agreeing on high-assurance certificat es

2005-12-18 Thread Sidney Markowitz
to customers who go through it, and charges the little guys for the right. Do you mean like Amazon Marketplace and Amazon zShops? I think it's been done already: http://www.amazon.com/exec/obidos/tg/browse/-/1161232/103-4791981-1614232 -- Sidney Markowitz http://www.sidney.com

Re: Fermat's primality test vs. Miller-Rabin

2005-12-06 Thread Sidney Markowitz
Joseph Ashwood wrote: Apparently, they are, I'm ran a sample, but even with the added second sanity check, every one of them that passes a single round comes up prime. I then proceeded to move it to 2048-bit numbers. It takes longer and the gaps between primes is averaging around 700 right

Re: Fermat's primality test vs. Miller-Rabin

2005-12-05 Thread Sidney Markowitz
Joseph Ashwood wrote: Granted this is only a test of the generation of 128 numbers, but I got 128 primes (based on 128 MR rounds). That doesn't make sense, unless I'm misinterpreting what you are saying. Primes aren't that common, are they? I don't have time right now to look for a bug in

Re: Fermat's primality test vs. Miller-Rabin

2005-12-03 Thread Sidney Markowitz
a 511 bit positive integer, not 512 bit. It also is unnecessarily complicated compared to this form of the BigInteger constructor and the or method (see the javadoc): curNum = BigInteger.ONE.or(new BigInteger(512, rand)); -- Sidney Markowitz http://www.sidney.com

Re: NSA Suite B Cryptography

2005-10-15 Thread Sidney Markowitz
: BSD licensed Suite B code may be possible, GPL'd Suite B code is not possible unless Certicom makes appropriate free license to the patents available for software licensed under GPL. -- Sidney Markowitz http://www.sidney.com

Re: NSA Suite B Cryptography

2005-10-14 Thread Sidney Markowitz
the GPL and maybe FOSS in general in countries in which the patents are valid. -- Sidney Markowitz http://www.sidney.com - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: NSA Suite B Cryptography

2005-10-14 Thread Sidney Markowitz
be an interesting twist. -- Sidney Markowitz http://www.sidney.com - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: US Banks: Training the next generation of phishing victims

2005-10-12 Thread Sidney Markowitz
if I wanted to. Well, there is a way. If I notice the URL of the invalid user error page I can guess that https://ebanking.bayfed.com/ might work, and indeed it does present a login page. Thanks, BayFed. -- Sidney Markowitz http://www.sidney.com

Re: European country forbids its citizens from smiling for passport photos

2005-09-17 Thread Sidney Markowitz
on their faces and there is nothing wrong with having passport photos to match http://www.greens.org.nz/searchdocs/PR8903.html -- Sidney Markowitz http://www.sidney.com - The Cryptography Mailing List Unsubscribe by sending

Clearing sensitive in-memory data in perl

2005-09-11 Thread Sidney Markowitz
information in garbage collected strings when writing in perl. Google and reading perl documentation hasn't helped me so far, but I find it hard to believe that this has not been considered when writing crypto software in perl. Thanks, Sidney Markowitz http://www.sidney.com

Re: AES implementation in C - any recommendations?

2005-09-03 Thread Sidney Markowitz
Ian G wrote: I'm after an AES implementation in C, preferably with something approximating BSD/open licence. Does anyone have a view on which would be a current favourite? Brian Gladman's code is the fastest free version I know of, is widely used, and has a BSD-like license.

Re: Motorist wins case after maths whizzes break speed camera code

2005-08-12 Thread Sidney Markowitz
with the same numberplate to get the same value. -- Sidney Markowitz http://www.sidney.com - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: Digital Water Marks Thieves

2005-02-22 Thread Sidney Markowitz
in a bank vault -- which also has its uses and its drawbacks. Now it will be easier to tie the dyed material and the dyed thieves to the specific crime. It is not a big deal that it does not solve all problems in one stroke. -- sidney markowitz http://www.sidney.com

Re: The Pointlessness of the MD5 'attacks'

2004-12-22 Thread Sidney Markowitz
This isn't worked out enough to be a proof of concept, but I can imagine a piece of code that has a comment This can't overflow because value X computed from the magic bits table will always be between A and B. Get 0.1% speed boost by leaving out range check here but don't change magic bits.

Re: [OT] Encryption

2004-01-03 Thread Sidney Markowitz
[Moderator's note: that's one -- but only one -- of the reasons I think Bob found the exchange so funny. --Perry] Ah, I thought he was being honest but naive and couldn't understand how he could apply for clearance from the US for an import. I looked at the rest of the thread in their mailing

Re: yahoo to use public key technology for anti-spam

2003-12-09 Thread Sidney Markowitz
[EMAIL PROTECTED] wrote: Does anybody know what has become of the low-tech, no-cryptography-needed RMX DNS record entry proposal? A google search for rmx dns without quotes brings up as its first hit the Internet Draft at IETF which is dated October 2003. The subsequent hits show lots of

Re: yahoo to use public key technology for anti-spam

2003-12-07 Thread Sidney Markowitz
Carl Ellison wrote: So, in capsule: this proposal assumes that you use the same machine for outgoing and incoming e-mail. No, it implies a service that your outgoing mail server makes available that has you authenticate to it in some way and then signs your mail in some way. The article doesn't

Re: yahoo to use public key technology for anti-spam

2003-12-07 Thread Sidney Markowitz
[EMAIL PROTECTED] wrote: To avoid replay attacks one needs to sign a string that is tied to a specific message or time period I agree. Even time period and message content aren't good enough: Let's say that the outgoing SMTP mailer at example.com is trusted. Spammer gets an account at

Re: Open Source Embedded SSL - Export Questions

2003-11-26 Thread Sidney Markowitz
As a separate issue from whether you want to implement AES, if you do decide to implement it look at Brian Gladman's code at http://fp.gladman.plus.com/cryptography_technology/rijndael/ It is the fastest free implementation of AES that I know of, and has a good history and credentials behind

Re: Are there...one-way encryption algorithms

2003-11-19 Thread Sidney Markowitz
Enzo Michelangeli wrote: but the slight risk of collision, although practically negligible, is a bit irksome If you quantify the practically negligible risk, it might be less irksome: SHA-1 is a 160 bit hash. The birthday paradox says that you would need to hash 2^80 different credit card

Re: Attacking networks using DHCP, DNS (Updated news)

2003-06-29 Thread Sidney Markowitz
It turned out that the ISP, Charter, was not compromised. The user had some nasty spyware install itself on his computer. Here are the details: http://ask.slashdot.org/comments.pl?cid=6260281sid=68266tid=172 -- sidney - The