On Sep 11, 2011, at 6:40 PM, Marsh Ray wrote:
> On 09/11/2011 07:26 PM, Paul Hoffman wrote:
>> Some of us observe a third, more likely
>> approach: nothing significant happens due to this event. The
>> "collapse of faith" is only among the security folks whose faith was
>> never there in the firs
On 2011-09-12 9:50 AM, Ian G wrote:
> Google has one more notable advantage: it is the only
> player with all interests aligned.
>
> ... google is already the third person, because it also
> serves the ad. It knows the merchant. So the next thing
> that is going to happen is google will serve up t
It seems to me that if you use dynamic sql, you are bound to get
injection attacks unless you are always careful, and you are not
*always* going to be careful. So if you use dynamic sql, you will always
get injection attacks.
If you use mysqli and stored procedures, and *never* use dynamic sql,
>While PKI has many shortcomings, DigiNotar has shown the industry can
>effectively kill off a deficient CA. Are there any measures in place
>to keep a deficient registrar out of DNS? Or will NetNames still be
>serving up records with a promise to do better?
Interesting question. For registrars fo
On 09/11/2011 07:26 PM, Paul Hoffman wrote:
Some of us observe a third, more likely
approach: nothing significant happens due to this event. The
"collapse of faith" is only among the security folks whose faith was
never there in the first place. A week after the event, who was
talking about it ot
On Sep 11, 2011, at 4:50 PM, Ian G wrote:
> So, what happens now? As we all observe, there are two approaches to dealing
> with the collapse of faith of the PKI system: incremental fixes, and complete
> rewrite.
We don't "all" observe that. Some of us observe a third, more likely approach:
no
While PKI has many shortcomings, DigiNotar has shown the industry can
effectively kill off a deficient CA. Are there any measures in place
to keep a deficient registrar out of DNS? Or will NetNames still be
serving up records with a promise to do better? [Naively, I thought
the DNS hacks were relat
Lucky & Peter said:
>
>> Moreover, I noticed that some posts list one or more desirable properties
>> and requirements together with a proposed solution.
>
> That's the nice thing about PKI, there's more than enough fail to go around.
So, what happens now? As we all observe, there are two app
Ian G writes:
>To figure this out we need military thinking. The old aphorism is that the
>battle is won by the general who imposes his will over the other.
A far more basic one is "get there first with the most men". While the
defenders are sitting around debating whose theoretical security m
"James A. Donald" writes:
>On 2011-09-11 9:10 AM, Andy Steingruebl wrote:
>> 1. Phishing isn't the only problem right?
>> 2. To some degree this is a game where we have to guess their next
>> step, and make that harder too.
>
>If we were doing something about their first step, then it would be nec
>Wasn't there a paper on the underground economy that investigated such
>things by monitoring drop zones? And they found CC numbers, I thought? I
>could be wrong. I can't remember the title, but Thorsten Holz was one of
>the authors (no, not a relative of mine).
"Learning More About the Undergroun
Andy Steingruebl writes:
>On Sat, Sep 10, 2011 at 4:46 PM, John Levine wrote:
>> But Steve, generic malware runs on your PC or in your browser. If
>> they wanted to steal card numbers, they'd steal card numbers today,
>> from the browser or by key logging, before the numbers got TLS-ed.
>> Sin
On Sep 11, 2011, at 9:25 AM, Thierry Moreau wrote:
>
> E.g. http://datatracker.ietf.org/wg/dane/ (DNS-based Authentication of Named
> Entities (dane))
Which makes a huge assumption about DNS SEC that is just not realistic. Namely,
the one I just mentioned, that end clients would actually be va
Ian G wrote:
Hi Adam,
On 10/09/2011, at 20:16, Adam Back wrote:
So I hear CA pinning mentioned a bit as a probable way forward, but I didn't
see anyone define it on this list,
Adam described it in this list. The specific mechanism is less important than
what it achieves: the browser knows t
Hi,
>> But Steve, generic malware runs on your PC or in your browser. If
>> they wanted to steal card numbers, they'd steal card numbers today,
>> from the browser or by key logging, before the numbers got TLS-ed.
>> Since they don't do it now, I don't see any reason to think they'd do
>> it if i
On Sun, Sep 11, 2011 at 8:58 AM, Ian G wrote:
>
>
> On 11/09/2011, at 7:50, Steven Bellovin wrote:
>
>>
>> On Sep 10, 2011, at 4:14 00PM, John Levine wrote:
>>
[SNIP]
>
>> The issue, then, is one of
>> motivation -- given the current market price for stolen credit card
>> numbers, are they m
On 11/09/2011, at 7:50, Steven Bellovin wrote:
>
> On Sep 10, 2011, at 4:14 00PM, John Levine wrote:
>
>>> This makes no sense whatsoever. Credit card numbers are *universally*
>>> encrypted; of course there's no interception of them.
>>
>> There's a fair amount of low-level ecommerce by e-
On 11/09/2011, at 9:10, Andy Steingruebl wrote:
> On Sat, Sep 10, 2011 at 4:01 PM, Peter Gutmann
> wrote:
>>
>> Sure, figuring out whether it'll actually work is an experiment. OTOH we
>> have
>> vast masses of data on what phishers are doing,
Which can be reduced to one observation:
Phis
>> On 2011-09-11 9:10 AM, Andy Steingruebl wrote:
>>> 1. Phishing isn't the only problem right?
On 2011-09-11 7:44 PM, Ian G wrote:
> Malware + breaches might be the other 2 biggies.
We now know in principle how to make malware resistant operating
systems, http://jim.com/security/safe_operatin
On 11/09/2011, at 10:02, "James A. Donald" wrote:
> On 2011-09-11 9:10 AM, Andy Steingruebl wrote:
>> 1. Phishing isn't the only problem right?
Malware + breaches might be the other 2 biggies.
Note that the malware/pc takeover market was probably financed by profits from
phishing. Breaches