Re: [Cryptography] Crypto being blamed in the London riots.

2011-08-10 Thread Steven Bellovin
On Aug 10, 2011, at 12:19 53PM, Perry E. Metzger wrote: On Wed, 10 Aug 2011 11:59:53 -0400 John Ioannidis j...@tla.org wrote: On Tue, Aug 9, 2011 at 8:02 PM, Sampo Syreeni de...@iki.fi wrote: Thus, why not turn the Trusted Computing idea on its head? Simply make P2P public key cryptography

Re: Photos of an FBI tracking device found by a suspect

2010-10-08 Thread Steven Bellovin
On Oct 8, 2010, at 11:21 16AM, Perry E. Metzger wrote: My question: if someone plants something in your car, isn't it your property afterwards? http://gawker.com/5658671/dont-post-pictures-of-an-fbi-tracking-device-you-find-on-a-car-to-the-internet See

Re: Anyone know anything about the new ATT encrypted voice service?

2010-10-06 Thread Steven Bellovin
On Oct 6, 2010, at 6:19 01PM, Perry E. Metzger wrote: ATT debuts a new encrypted voice service. Anyone know anything about it? http://news.cnet.com/8301-13506_3-20018761-17.html (Hat tip to Jacob Applebaum's twitter feed.)

ciphers with keys modifying control flow?

2010-09-27 Thread Steven Bellovin
Does anyone know of any ciphers where bits of keys modify the control path, rather than just data operations? Yes, I know that that's a slippery concept, since ultimately things like addition and multiplication can be implemented with loops in the hardware or firmware. I also suspect that

Certificate-stealing Trojan

2010-09-27 Thread Steven Bellovin
Per http://news.softpedia.com/news/New-Trojan-Steals-Digital-Certificates-157442.shtml there's a new Trojan out there that looks for a steals Cert_*.p12 files -- certificates with private keys. Since the private keys are password-protected, it thoughtfully installs a keystroke logger as

Re: Something you have, something else you have, and, uh, something else you have

2010-09-17 Thread Steven Bellovin
On Sep 17, 2010, at 4:53 51AM, Peter Gutmann wrote: From the ukcrypto mailing list: Just had a new Lloyds credit card delivered, it had a sticker saying I have to call a number to activate it. I call, it's an automated system. It asks for the card number, fair enough. It asks for the

HDCP master key supposedly leaked

2010-09-14 Thread Steven Bellovin
http://arstechnica.com/tech-policy/news/2010/09/claimed-hdcp-master-key-leak-could-be-fatal-to-drm-scheme.ars --Steve Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by

Re: Intel plans crypto-walled-garden for x86

2010-09-14 Thread Steven Bellovin
On Sep 13, 2010, at 11:58 57PM, John Gilmore wrote: http://arstechnica.com/business/news/2010/09/intels-walled-garden-plan-to-put-av-vendors-out-of-business.ars In describing the motivation behind Intel's recent purchase of McAfee for a packed-out audience at the Intel Developer Forum,

Re: questions about RNGs and FIPS 140

2010-08-26 Thread Steven Bellovin
On Aug 25, 2010, at 4:37 16PM, travis+ml-cryptogra...@subspacefield.org wrote: 3) Is determinism a good idea? See Debian OpenSSL fiasco. I have heard Nevada gaming commission regulations require non-determinism for obvious reasons. It's worth noting that the issue of determinism vs.

Re: towards https everywhere and strict transport security (was: Has there been a change in US banking regulations recently?)

2010-08-25 Thread Steven Bellovin
On Aug 25, 2010, at 9:04 20AM, Richard Salz wrote: Also, note that HSTS is presently specific to HTTP. One could imagine expressing a more generic STS policy for an entire site A really knowledgeable net-head told me the other day that the problem with SSL/TLS is that it has too many

Re: [IP] Malware kills 154

2010-08-24 Thread Steven Bellovin
On Aug 24, 2010, at 12:32 19PM, Chad Perrin wrote: On Mon, Aug 23, 2010 at 03:35:45PM -0400, Steven Bellovin wrote: And the articles I've seen do not say that the problem caused the crash. Rather, they say that a particular, important computer was infected with malware; I saw no language

Re: [IP] Malware kills 154

2010-08-23 Thread Steven Bellovin
On Aug 23, 2010, at 11:50 30AM, John Levine wrote: Authorities investigating the 2008 crash of Spanair flight 5022 have discovered a central computer system used to monitor technical problems in the aircraft was infected with malware

Re: [IP] Malware kills 154

2010-08-23 Thread Steven Bellovin
On Aug 23, 2010, at 11:11 13AM, Peter Gutmann wrote: Perry E. Metzger pe...@piermont.com forwards: Authorities investigating the 2008 crash of Spanair flight 5022 have discovered a central computer system used to monitor technical problems in the aircraft was infected with malware

Re: Has there been a change in US banking regulations recently?

2010-08-17 Thread Steven Bellovin
On Aug 16, 2010, at 9:19 49PM, John Gilmore wrote: who's your enemy? The NSA? The SVR? Or garden-variety cybercrooks? Enemy? We don't have to be the enemy for someone to crack our security. We merely have to be in the way of something they want; or to be a convenient tool or foil in

Re: 2048-bit RSA keys

2010-08-17 Thread Steven Bellovin
On Aug 17, 2010, at 5:19 10PM, Samuel Neves wrote: On 17-08-2010 21:42, Perry E. Metzger wrote: On Tue, 17 Aug 2010 22:32:52 +0200 Simon Josefsson si...@josefsson.org wrote: Bill Stewart bill.stew...@pobox.com writes: Basically, 2048's safe with current hardware until we get some radical

Re: Has there been a change in US banking regulations recently?

2010-08-16 Thread Steven Bellovin
On Aug 15, 2010, at 1:17 30PM, Peter Gutmann wrote: Ray Dillinger b...@sonic.net writes: On Fri, 2010-08-13 at 14:55 -0500, eric.lengve...@wellsfargo.com wrote: The big drawback is that those who want to follow NIST's recommendations to migrate to 2048-bit keys will be returning to the

Re: new tech report on easy-to-use IPsec

2010-08-14 Thread Steven Bellovin
. I'll add that the code is now up on SourceForge under a BSD license: http://sourceforge.net/projects/simple-vpn/ Original Message Subject: Re: new tech report on easy-to-use IPsec Date: Wed, 28 Jul 2010 21:36:47 -0400 From: Steven Bellovin s...@cs.columbia.edu To: Adam

Re: Obama administration seeks warrantless access to email headers.

2010-07-30 Thread Steven Bellovin
On Jul 30, 2010, at 3:58 08PM, Perry E. Metzger wrote: On Fri, 30 Jul 2010 09:38:44 +0200 Stefan Kelm sk...@bfk.de wrote: Perry, The administration wants to add just four words -- electronic communication transactional records -- to a list of items that the law says the FBI may demand

Re: A mighty fortress is our PKI, Part II

2010-07-28 Thread Steven Bellovin
On Jul 28, 2010, at 8:21 33AM, Ben Laurie wrote: On 28/07/2010 13:18, Peter Gutmann wrote: Ben Laurie b...@links.org writes: I find your response strange. You ask how we might fix the problems, then you respond that since the world doesn't work that way right now, the fixes won't

Re: MITM attack against WPA2-Enterprise?

2010-07-26 Thread Steven Bellovin
I don't know, if it is truly only a ten line change to a common WPA2 driver to read, intercept and alter practically any traffic on the network even in enterprise mode, that would seem like a serious issue to me. Setting up the enterprise mode stuff to work is a lot of time and effort. If

Re: MITM attack against WPA2-Enterprise?

2010-07-26 Thread Steven Bellovin
On Jul 26, 2010, at 10:30 19PM, Perry E. Metzger wrote: On Mon, 26 Jul 2010 21:42:53 -0400 Steven Bellovin s...@cs.columbia.edu wrote: I don't know, if it is truly only a ten line change to a common WPA2 driver to read, intercept and alter practically any traffic on the network even

MITM attack against WPA2-Enterprise?

2010-07-25 Thread Steven Bellovin
There is a claim of a flaw in WPA2-Enterprise -- see http://wifinetnews.com/archives/2010/07/researchers_hints_8021x_wpa2_flaw.html --Steve Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography

Re: Root Zone DNSSEC Deployment Technical Status Update

2010-07-18 Thread Steven Bellovin
On Jul 17, 2010, at 3:30 05PM, Taral wrote: On Sat, Jul 17, 2010 at 7:41 AM, Paul Wouters p...@xelerance.com wrote: Several are using old SHA-1 hashes... old ? old in that they are explicitly not recommended by the latest specs I was looking at. DNSSEC signatures do not need to have a

new tech report on easy-to-use IPsec

2010-07-14 Thread Steven Bellovin
Folks on this list may be interested in a new tech report: Shreyas Srivatsan, Maritza Johnson, and Steven M. Bellovin. Simple-VPN: Simple IPsec configuration. Technical Report CUCS-020-10, Department of Computer Science, Columbia University, July 2010.

Commercial quantum cryptography system broken

2010-07-09 Thread Steven Bellovin
http://www.technologyreview.com/blog/arxiv/25189/ Not at all to my surprise, they broke it by exploiting a difference between a theoretical system and a real-world implementation. --Steve Bellovin, http://www.cs.columbia.edu/~smb

A real case of malicious steganography in the wild?

2010-07-09 Thread Steven Bellovin
For years, there have been unverifiable statements in the press about assorted hostile parties using steganography. There may now be a real incident -- or at least, the FBI has stated in court documents that it happened. According to the Justice Department

Re: Question w.r.t. AES-CBC IV

2010-07-09 Thread Steven Bellovin
On Jul 9, 2010, at 1:55 12PM, Jonathan Katz wrote: CTR mode seems a better choice here. Without getting too technical, security of CTR mode holds as long as the IVs used are fresh whereas security of CBC mode requires IVs to be random. In either case, a problem with a short IV (no matter

Re: Quantum Key Distribution: the bad idea that won't die...

2010-04-22 Thread Steven Bellovin
While I'm quite skeptical that QKD will prove of practical use, I do think it's worth investigating. The physics are nice, and it provides an interesting and different way of thinking about cryptography. I think that there's a non-trivial chance that it will some day give us some very

Re: Against Rekeying

2010-03-25 Thread Steven Bellovin
On Mar 23, 2010, at 11:21 AM, Perry E. Metzger wrote: Ekr has an interesting blog post up on the question of whether protocol support for periodic rekeying is a good or a bad thing: http://www.educatedguesswork.org/2010/03/against_rekeying.html I'd be interested in hearing what people

Re: Security of Mac Keychain, Filevault

2009-11-02 Thread Steven Bellovin
On Oct 29, 2009, at 11:25 PM, Jerry Leichter wrote: A couple of days ago, I pointed to an article claiming that these were easy to break, and asked if anyone knew of security analyses of these facilities. I must say, I'm very disappointed with the responses. Almost everyone attacked

Re: Security of Mac Keychain, File Vault

2009-10-26 Thread Steven Bellovin
On Oct 24, 2009, at 5:31 PM, Jerry Leichter wrote: The article at http://www.net-security.org/article.php?id=1322 claims that both are easily broken. I haven't been able to find any public analyses of Keychain, even though the software is open-source so it's relatively easy to check. I

Review of new book on the NSA

2009-10-14 Thread Steven Bellovin
There's a new book on the NSA, based largely on documents received via Freedom of Information Act requests. Bamford's review is at http://www.nybooks.com/articles/23231 . --Steve Bellovin, http://www.cs.columbia.edu/~smb

Re: [Barker, Elaine B.] NIST Publication Announcements

2009-09-30 Thread Steven Bellovin
On Sep 29, 2009, at 10:31 AM, Perry E. Metzger wrote: Stephan Neuhaus neuh...@st.cs.uni-sb.de writes: For business reasons, Alice can't force Bob to use a particular TTA, and it's also impossible to stipulate a particular TTA as part of the job description (the reason is that Alice and the

FileVault on other than home directories on MacOS?

2009-09-21 Thread Steven Bellovin
Is there any way to use FileVault on MacOS except on home directories? I don't much want to use it on my home directory; it doesn't play well with Time Machine (remember that availability is also a security property); besides, different directories of mine have different sensitivity

NSA intercepts led to a terrorist conviction

2009-09-09 Thread Steven Bellovin
Threat Level Privacy, Crime and Security Online NSA-Intercepted E-Mails Helped Convict Would-Be Bombers The three men convicted in the United Kingdom on Monday of a plot to bomb several transcontinental flights were prosecuted in part using crucial e-mail correspondences intercepted by the

Re: Client Certificate UI for Chrome?

2009-09-08 Thread Steven Bellovin
On Sep 3, 2009, at 12:26 AM, Peter Gutmann wrote: Steven Bellovin s...@cs.columbia.edu writes: This returns us to the previously-unsolved UI problem: how -- with today's users, and with something more or less like today's browsers since that's what today's users know -- can a spoof-proof

Re: Client Certificate UI for Chrome?

2009-09-04 Thread Steven Bellovin
On Aug 26, 2009, at 6:26 AM, Ben Laurie wrote: On Mon, Aug 10, 2009 at 6:35 PM, Peter Gutmannpgut...@cs.auckland.ac.nz wrote: More generally, I can't see that implementing client-side certs gives you much of anything in return for the massive amount of effort required because the problem

Kahn's Seizing the Enigma back in print -- with a catch

2009-08-13 Thread Steven Bellovin
David Kahn's Seizing the Enigma is back in print. However, it's only available from Barnes and Noble -- their publishing arm is doing the reprint. According to the preface, the new edition corrects minor errors, but didn't give any details.