Re: [Cryptography] Petnames Zooko's triangle -- theory v. practice (was Email and IM are...)

2013-08-28 Thread Steve Furlong
On Wed, Aug 28, 2013 at 5:33 AM, ianG wrote: Yes. I was never scared of the NSA. But the NSA and the FBI and the DEA and every local police force ... that's terrifying. That's a purer essence of terror, far worse than terrorism. We need a new word. It's a boot stamping on a

Re: [Cryptography] Today's XKCD is on password strength.

2011-08-10 Thread Steve Furlong
On Wed, Aug 10, 2011 at 10:12 AM, Perry E. Metzger wrote: Today's XKCD is on password strength. The advice it gives is pretty good in principle... For a single password on a system with flexible rules, it's good advice. Real world, with a dozen

Re: Anyone make any sense out of this skype hack announcement?

2010-07-12 Thread Steve Furlong
I don't know if the new crack reveals anything new. We have a writeup about the Skype protection techniques in Surreptitious Software, our book on security-through-obscurity. (Sorry for the blatant self-promotion). I appreciate the self-promotion. My only request is that you include ISBN,

Re: From Ivory Tower to Iron Bars: Scientists Risk Jail Time for Violating Export Laws

2009-09-18 Thread Steve Furlong
On Fri, Sep 18, 2009 at 4:32 AM, Alec Muffett wrote: Perry: plasma physics is wildly OT but I believe the relevance will be obvious to those who remember the crypto wars, especially when they hit the fifth paragraph: It’s a difficult subject: many people I interviewed

Re: SHA-3 Round 1: Buffer Overflows

2009-02-23 Thread Steve Furlong
This just emphasizes what we already knew about C, even the most careful, security conscious developer messes up memory management. However I think it is not really efficient at this stage to insist on secure programming for submission implementations. For the simple reason that there are

Re: crypto for the average programmer

2005-12-12 Thread Steve Furlong
My question is, what is the layperson supposed to do, if they must use crypto and can't use an off-the-shelf product? When would that be the case? The only defensible situations I can think of in which a non-crypto-specialist programmer would need to write crypto routines would be an uncommon

Re: [Clips] Can writing software be a crime?

2005-10-05 Thread Steve Furlong
On 10/5/05, R.A. Hettinga [EMAIL PROTECTED] wrote: Can writing software be a crime? ... The Perez-Melara case, in comparison, represents the first time the government has attempted to prosecute the developer of a software that can be used for both lawful purposes (surreptitiously

Re: Java: Helping the world build bigger idiots

2005-09-21 Thread Steve Furlong
On 9/20/05, Rich Salz [EMAIL PROTECTED] wrote: This is wandering way far afield of the list charter. In an effort to maintain some relevance, I'll point out that code reviews, and crypto programming, are rarely done, and arguably shouldn't, by programming wizards. If by that you mean,

Re: Clearing sensitive in-memory data in perl

2005-09-13 Thread Steve Furlong
On 9/11/05, Jason Holt [EMAIL PROTECTED] wrote: Securely deleting secrets is hard enough in C, much less high level languages. But, but..Java is the be-all end-all! Three years ago I advised a business/tech guy to avoid Java for crypto and related purposes. I'll revise that somewhat in light of

Re: Clearing sensitive in-memory data in perl

2005-09-13 Thread Steve Furlong
On 9/13/05, Steven M. Bellovin [EMAIL PROTECTED] wrote: There's an interesting tradeoff here: which is a bigger threat, crypto secrets lying around memory or buffer overflows? What's your threat model? For the average server, I suspect you're better off with Java, especially if you use some

Re: Another entry in the internet security hall of shame....

2005-08-25 Thread Steve Furlong
On 8/25/05, Trei, Peter [EMAIL PROTECTED] wrote: Self-signed certs are only useful for showing that a given set of messages are from the same source - they don't provide any trustworthy information as to the binding of that source to anything. Which is just fine. Pseudonymity is good. If,

Re: online MD5 crack database

2005-08-22 Thread Steve Furlong
On 8/22/05, Steven M. Bellovin [EMAIL PROTECTED] wrote: In message [EMAIL PROTECTED], [EMAIL PROTECTED] writes : ...the folks at Fort Meade had every possible BSD password indexed by its /etc/passwd representation. I'm sorry, I flat-out don't believe that. snip calculations Probably

Re: Cross logins

2005-08-04 Thread Steve Furlong
On 8/3/05, James A. Donald [EMAIL PROTECTED] wrote: -- Is it possible for two web sites to arrange for cross logins? snippety-do-dah Does this question have a practical end in mind? If so, can you simplify matters by running both web sites on the same host? (cc-ing JAD because I never

Re: draft paper: Deploying a New Hash Algorithm

2005-08-04 Thread Steve Furlong
[Moderator's note: ... attackers are often cleverer than protocol designers. ... Is that true? Or is it a combination of (a) a hundred attackers for every designer, and (b) vastly disparate rewards: continued employment and maybe some kudos for a designer or implementer, access to

Re: Some companies are just asking for it.

2005-06-25 Thread Steve Furlong
On 6/24/05, Perry E. Metzger [EMAIL PROTECTED] wrote: For the record, the guys at Fidelity Investments have always seemed to me to have their act together on security, unlike lots of other A few years ago I did some consulting at Fidelity Investments, writing code to spider their own websites

Re: Papers about Algorithm hiding ?

2005-06-03 Thread Steve Furlong
On 6/3/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Another alternative is the cyphersaber type of thing, where you could just implement your crypto-code on the fly, as needed. Yes, I could, and have. Presumably you could. Ben Laurie probably could blindfolded with both hands tied behind his

Re: Papers about Algorithm hiding ?

2005-06-02 Thread Steve Furlong
On 5/31/05, Ian G [EMAIL PROTECTED] wrote: I don't agree with your conclusion that hiding algorithms is a requirement. I think there is a much better direction: spread more algorithms. If everyone is using crypto then how can that be relevant to the case? This is so, in the ideal. But if

Re: Quantum cryptography gets practical

2004-10-08 Thread Steve Furlong
On Wed, 2004-10-06 at 06:27, Dave Howe wrote: I have yet to see an advantage to QKE that even mildly justifies the limitations and cost over anything more than a trivial link (two buildings within easy walking distance, sending high volumes of extremely sensitive material between them) But

Re: Al Qaeda crypto reportedly fails the test

2004-08-03 Thread Steve Furlong
On Mon, 2004-08-02 at 15:03, John Denker wrote: News article says in part: The BBC's Zaffar Abbas, in Islamabad, says it appears that US investigators were able to unscramble information on the computers after Pakistan passed on

Re: Question on the state of the security industry

2004-07-01 Thread Steve Furlong
On Wed, 2004-06-30 at 06:49, Ian Grigg wrote: Here's my question - is anyone in the security field of any sort of repute being asked about phishing, consulted about solutions, contracted to build? Anything? Nothing here. Spam is the main concern on people's minds, so far as I can tell.