On Wed, Aug 28, 2013 at 5:33 AM, ianG i...@iang.org wrote:
Yes. I was never scared of the NSA. But the NSA and the FBI and the DEA
and every local police force ... that's terrifying. That's a purer
terror, far worse than terrorism. We need a new word.
It's a boot stamping on a
On Wed, Aug 10, 2011 at 10:12 AM, Perry E. Metzger pe...@piermont.com wrote:
Today's XKCD is on password strength. The advice it gives is pretty
good in principle...
For a single password on a system with flexible rules, it's good advice.
Real world, with a dozen
I don't know if the new crack reveals anything new. We have
a writeup about the Skype protection techniques in
Surreptitious Software, our book on security-through-obscurity.
(Sorry for the blatant self-promotion).
I appreciate the self-promotion. My only request is that you include
On Fri, Sep 18, 2009 at 4:32 AM, Alec Muffett alec.muff...@gmail.com wrote:
Perry: plasma physics is wildly OT but I believe the relevance will be
obvious to those who remember the crypto wars, especially when they hit the
It’s a difficult subject: many people I interviewed
This just emphasizes what we already knew about C, even the most
careful, security conscious developer messes up memory management.
However I think it is not really efficient at this stage to insist on secure
programming for submission implementations. For the simple reason that
And long before Quantum Computers become strong enough to crack
2048-bit public key algorithms at a price that makes the
KGB want to waste its resources on you, there'll be
more convenient ways to blackbag machines, whether it's
including extra features in the OS through the audio CD player
My question is, what is the layperson supposed to do, if they must use
crypto and can't use an off-the-shelf product?
When would that be the case?
The only defensible situations I can think of in which a
non-crypto-specialist programmer would need to write crypto routines
would be an uncommon
On 10/5/05, R.A. Hettinga [EMAIL PROTECTED] wrote:
Can writing software be a crime?
The Perez-Melara case, in comparison, represents the first time the
government has attempted to prosecute the developer of a software that can
be used for both lawful purposes (surreptitiously
On 9/20/05, Rich Salz [EMAIL PROTECTED] wrote:
This is wandering way far afield of the list charter. In an effort
to maintain some relevance, I'll point out that code reviews, and
crypto programming, are rarely done, and arguably shouldn't, by
If by that you mean,
On 9/11/05, Jason Holt [EMAIL PROTECTED] wrote:
Securely deleting secrets is hard enough in C, much less high level languages.
But, but..Java is the be-all end-all!
Three years ago I advised a business/tech guy to avoid Java for crypto
and related purposes. I'll revise that somewhat in light of
On 9/13/05, Steven M. Bellovin [EMAIL PROTECTED] wrote:
There's an interesting tradeoff here: which is a bigger threat, crypto
secrets lying around memory or buffer overflows? What's your threat
model? For the average server, I suspect you're better off with Java,
especially if you use some
On 8/25/05, Trei, Peter [EMAIL PROTECTED] wrote:
Self-signed certs are only useful for showing that a given
set of messages are from the same source - they don't provide
any trustworthy information as to the binding of that source
Which is just fine. Pseudonymity is good.
On 8/22/05, Steven M. Bellovin [EMAIL PROTECTED] wrote:
In message [EMAIL PROTECTED], [EMAIL PROTECTED] writes
...the folks at Fort Meade had every
possible BSD password indexed by its /etc/passwd
I'm sorry, I flat-out don't believe that.
On 8/3/05, James A. Donald [EMAIL PROTECTED] wrote:
Is it possible for two web sites to arrange for cross
Does this question have a practical end in mind? If so, can you
simplify matters by running both web sites on the same host?
(cc-ing JAD because I never
[Moderator's note: ... attackers are often cleverer than protocol
Is that true? Or is it a combination of
(a) a hundred attackers for every designer, and
(b) vastly disparate rewards: continued employment and maybe some
kudos for a designer or implementer, access to
On 6/24/05, Perry E. Metzger [EMAIL PROTECTED] wrote:
For the record, the guys at Fidelity Investments have always seemed to
me to have their act together on security, unlike lots of other
A few years ago I did some consulting at Fidelity Investments, writing
code to spider their own websites
On 6/3/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Another alternative is the cyphersaber type of thing, where you could just
implement your crypto-code on the fly, as needed.
Yes, I could, and have. Presumably you could. Ben Laurie probably
could blindfolded with both hands tied behind his
On 5/31/05, Ian G [EMAIL PROTECTED] wrote:
I don't agree with your conclusion that hiding algorithms
is a requirement. I think there is a much better direction:
spread more algorithms. If everyone is using crypto then
how can that be relevant to the case?
This is so, in the ideal. But if
On Wed, 2004-10-06 at 06:27, Dave Howe wrote:
I have yet to see an advantage to QKE that even mildly justifies the
limitations and cost over anything more than a trivial link (two
buildings within easy walking distance, sending high volumes of
extremely sensitive material between them)
On Mon, 2004-08-02 at 15:03, John Denker wrote:
says in part:
The BBC's Zaffar Abbas, in Islamabad, says it appears that US
investigators were able to unscramble information on the computers
after Pakistan passed on
On Wed, 2004-06-30 at 06:49, Ian Grigg wrote:
Here's my question - is anyone in the security
field of any sort of repute being asked about
phishing, consulted about solutions, contracted
to build? Anything?
Nothing here. Spam is the main concern on people's minds, so far as I
Mail list logo