Alex Alten wrote:
Generally any standard encrypted protocols will
probably eventually have to support some sort of CALEA
capability. For example, using a Verisign ICA
certificate to do MITM of SSL, or possibly requiring
Ebay to provide some sort of legal access to Skype
private keys.
And
On Fri, 2008-01-18 at 02:31 -0800, Alex Alten wrote:
At 07:35 PM 1/18/2008 +1000, James A. Donald wrote:
And all the criminals will of course obey the law.
Why not just require them to set an evil flag on all
their packets?
These are trite responses. Of course not. My point is
that
Alex Alten wrote:
Generally any standard encrypted protocols will
probably eventually have to support some sort of CALEA
capability. For example, using a Verisign ICA
certificate to do MITM of SSL, or possibly requiring
Ebay to provide some sort of legal access to Skype
private keys.
I can
At 07:35 PM 1/18/2008 +1000, James A. Donald wrote:
Alex Alten wrote:
Generally any standard encrypted protocols will
probably eventually have to support some sort of CALEA
capability. For example, using a Verisign ICA
certificate to do MITM of SSL, or possibly requiring
Ebay to provide
Alex Alten wrote:
[snip]
These are trite responses. Of course not. My point is
that if the criminals are lazy enough to use a standard
security protocol then they can't expect us not to put
something in place to decrypt that traffic at will if necessary.
[snip]
Look, the criminals have
On Jan 12, 2008 9:32 AM, Alex Alten [EMAIL PROTECTED] wrote:
Generally any standard encrypted protocols will probably eventually have
to support some sort of CALEA capability. ...
That's a rather large and distinctly dangerous assumption. Here's the
IETF's official line on the question, the
On Fri, 11 Jan 2008 17:32:04 -0800
Alex Alten [EMAIL PROTECTED] wrote:
Generally any standard encrypted protocols will probably eventually
have to support some sort of CALEA capability. For example, using a
Verisign ICA certificate to do MITM of SSL, or possibly requiring
Ebay to provide
From: Alex Alten [EMAIL PROTECTED]
Writing in support of CALEA capability to assist prosecuting botnet
operators etc ...
Generally any standard encrypted protocols will probably eventually have
to support some sort of CALEA capability.
So you haven't heard that the UK has closed down the
Perry E. Metzger wrote:
I think Steve is completely correct in the case of
cryptography. We have a lot of experience of real
world security failures these days, and they're not
generally the sort that crypto would fix.
They are the sort that a different sort of way of using
crypto could fix.
Crypto solves certain problems very well. Against others, it's worse
than useless -- worse, because it blocks out friendly IDSs as well as
hostile parties.
Yawn. IDS is dead, has been for a while now. The bottom line discovery
has been that:
1) Anomaly detection doesn't work because
At 11:23 PM 1/3/2008 +, Steven M. Bellovin wrote:
On Thu, 03 Jan 2008 11:52:21 -0500
[EMAIL PROTECTED] wrote:
The aspect of this that is directly relevant to this
list is that while we have labored to make network
comms safe in an unsafe transmission medium, the
world has now reached
On Dec 31, 2007, at 4:46 PM, Bill Frantz wrote:
My favorite virtual machine use is for the virus to install itself
as a virtual machine, and run the OS in the virtual machine. This
technique should be really good for hiding from virus scanners.
It's not, and despite the press handwaving
With this discussion of virtualization and security, it might be a
good time to note:
IEEE Security & Privacy
Special issue on virtualization
September/October 2008
Deadline for submissions: 6 February 2008
Visit www.computer.org/portal/pages/security/author.xml to submit a
manuscript
Leichter, Jerry wrote:
Virtualization has become the magic pixie dust of the decade.
When IBM originally developed VMM technology, security was not a primary
goal. People expected the OS to provide security, and at the time it
was believed that OS's would be able to solve the security
Today's VMMs aren't even designed to fit the formal criteria for a VMM
(at least as expressed, intelligently, by Popek and Goldberg back in the
70s). VMM-aware malware leverages this: for example, by making calls to
VMware's backdoor communications channel from the guest (ie. jerry.c).
If the
however, another interpretation is that the defenders
have chosen extremely poor position to defend ... and are
therefore at enormous disadvantage. it may be necessary
to change the paradigm (and/or find the high ground)
in order to successfully defend.
First, it is evident that the
[EMAIL PROTECTED] (Jason) on Wednesday, January 2, 2008 wrote:
On the other hand, writing an OS that doesn't get infected in the first place
is a fundamentally winning battle: OSes are insecure because people make
mistakes, not because they're fundamentally insecurable.
I fully agree that a
On Thu, 03 Jan 2008 11:52:21 -0500
[EMAIL PROTECTED] wrote:
The aspect of this that is directly relevant to this
list is that while we have labored to make network
comms safe in an unsafe transmission medium, the
world has now reached the point where the odds favor
the hypothesis that
On Dec 29, 2007, at 6:37 PM, Anne Lynn Wheeler wrote:
Virtualization still hot, death of antivirus software imminent
My favorite virtual machine use is for the virus to install itself
as a virtual machine, and run the OS in the virtual machine. This
technique should be really good for hiding
Bill Frantz wrote:
My favorite virtual machine use is for the virus to install itself
as a virtual machine, and run the OS in the virtual machine. This
technique should be really good for hiding from virus scanners.
re:
http://www.garlic.com/~lynn/aadsm28.htm#2 Death of antivirus software
There was a paper in IEEE Security & Privacy 2006 by Sam King on how
to do this kind of attack (his system was called SubVirt):
http://www.eecs.umich.edu/virtual/papers/king06.pdf
However, in practice it turns out this is much harder than people
think. See Tal Garfinkel's paper on
Virtualization has become the magic pixie dust of the decade.
When IBM originally developed VMM technology, security was not a primary
goal. People expected the OS to provide security, and at the time it
was believed that OS's would be able to solve the security problems.
As far as I know, the
Anne Lynn Wheeler wrote:
Virtualization still hot, death of antivirus software imminent, VC says
http://www.networkworld.com/news/2007/121707-crystal-ball-virtualization.html
Interesting how virtualization seems to imply safe in the public
mind (and explicitly in that article) right now
On Dec 29, 2007, at 6:37 PM, Anne Lynn Wheeler wrote:
Virtualization still hot, death of antivirus software imminent
My, that sounds awfully familiar:
http://radian.org/~krstic/talks/2007/auscert/slides.pdf
I note that, come the January OLPC software update, I will be using my
XO laptop
24 matches