On Sun, Nov 27, 2011 at 3:10 PM, Steven Bellovin s...@cs.columbia.edu wrote:
Does anyone know of any (verifiable) examples of non-government enemies
exploiting flaws in cryptography? I'm looking for real-world attacks on
short key lengths, bad ciphers, faulty protocols, etc., by parties other
On Dec 2, 2011, at 5:26 27PM, Jeffrey Walton wrote:
On Sun, Nov 27, 2011 at 3:10 PM, Steven Bellovin s...@cs.columbia.edu wrote:
Does anyone know of any (verifiable) examples of non-government enemies
exploiting flaws in cryptography? I'm looking for real-world attacks on
short key lengths,
Ilya Levin wrote:
On Tue, Nov 29, 2011 at 5:52 PM, Jon Callas j...@callas.org wrote:
But the other one is Drew Gross's observation. If you think like an attacker,
then you're a fool to worry about the crypto.
While generally true, this is kind of an overstatement. I'd say that
if you think
On Nov 29, 2011, at 8:33 PM, Ilya Levin wrote:
On Tue, Nov 29, 2011 at 5:52 PM, Jon Callas j...@callas.org wrote:
But the other one is Drew Gross's observation. If you think like an
attacker, then you're a fool to worry about the crypto.
While generally true, this is kind of an
On Nov 27, 2011, at 12:10 PM, Steven Bellovin wrote:
Does anyone know of any (verifiable) examples of non-government enemies
exploiting flaws in cryptography? I'm looking for real-world attacks on
short key lengths, bad ciphers, faulty protocols, etc., by parties other
than governments and
Just my 2.373 cents:
I recently gave a talk entitled Cryptanalysis vs. reality that
covers the issues discussed in the present thread. The slides:
http://131002.net/data/talks/hashdays11_slides.pdf
On Tue, Nov 29, 2011 at 10:52 AM, Jon Callas j...@callas.org wrote:
On Nov 27, 2011, at 12:10
On Nov 29, 2011, at 7:44 AM, d...@geer.org wrote:
Steve/Jon, et al.,
Would you say something about whether you consider key management
as within scope of the phrase crypto flaw? There is a fair
amount of snake oil there, or so it seems to me in my line of
work (reading investment
On 28/11/11 15:00 PM, Peter Gutmann wrote:
Steven Bellovin s...@cs.columbia.edu writes:
Does anyone know of any (verifiable) examples of non-government enemies
exploiting flaws in cryptography?
Could you be a bit more precise about what flaws in cryptography covers? If
you mean exploiting
On 28/11/11 07:10 AM, Steven Bellovin wrote:
Does anyone know of any (verifiable) examples of non-government enemies
exploiting flaws in cryptography? I'm looking for real-world attacks on
short key lengths, bad ciphers, faulty protocols, etc., by parties other
than governments and militaries.
On Nov 27, 2011, at 11:00 49PM, Peter Gutmann wrote:
Steven Bellovin s...@cs.columbia.edu writes:
Does anyone know of any (verifiable) examples of non-government enemies
exploiting flaws in cryptography?
Could you be a bit more precise about what flaws in cryptography covers? If
you
On 11/28/2011 04:56 PM, Steven Bellovin wrote:
I'm writing something where part of the advice is don't buy snake
oil crypto, get the good stuff. By good I mean well-accepted
algorithms (not proprietary for extra security!), and protocols
that have received serious analysis. I also want to
On 11/28/2011 05:58 PM, Marsh Ray wrote:
I heard it stated somewhere that an Apple product was using PBKDF2
with a work factor of 1. Does that count?
Follow-up.
It was Blackberry, not Apple:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3741
Vulnerability Summary for
On 11/28/2011 06:52 PM, Steven Bellovin wrote:
On Nov 28, 2011, at 6:58 PM, Marsh Ray wrote:
On 11/28/2011 04:56 PM, Steven Bellovin wrote:
I'm writing something where part of the advice is don't buy snake
oil crypto, get the good stuff. By good I mean well-accepted
algorithms (not
On Nov 28, 2011, at 8:03 PM, Nico Williams wrote:
The list is configured to set Reply-To. This is bad, and in some
cases has had humorous results. I recommend the list owners change
this ASAP.
Agree, strongly. The mailman documentation agrees with us. I'm on the
verge of unsubscribing
WEP? Again, we all know how bad it is, but has it really been used?
Evidence?
Yes, WEP was a confirmed vector in the Gonzales TJX hack:
http://www.jwgoerlich.us/blogengine/post/2009/09/02/TJ-Maxx-security-incident-timeline.aspx
On 2011-11-28 14:56, Steven Bellovin wrote:
On Nov 27, 2011, at 11:00 49PM, Peter Gutmann wrote:
Steven Bellovin s...@cs.columbia.edu writes:
Does anyone know of any (verifiable) examples of non-government enemies
exploiting flaws in cryptography?
[...]
For GSM, is there
something I can
On 2011-11-28 2:00 PM, Peter Gutmann wrote:
Steven Bellovin s...@cs.columbia.edu writes:
Does anyone know of any (verifiable) examples of non-government enemies
exploiting flaws in cryptography?
Could you be a bit more precise about what flaws in cryptography covers? If
you mean exploiting
Steven Bellovin s...@cs.columbia.edu writes:
I'm writing something where part of the advice is don't buy snake oil
crypto, get the good stuff.
I wrote about this back in 2002 in Lessons Learned in Implementing and
Deploying Crypto Software, we've gone from straight snake oil to
second-order
On Tue, Nov 29, 2011 at 1:03 AM, Nico Williams n...@cryptonector.com wrote:
The list is configured to set Reply-To. This is bad, and in some
cases has had humorous results. I recommend the list owners change
this ASAP.
IMO it's good. So there.
GSM and the Kaos club expert would be a good example. So would the recent $200
hardware break of hdmi encryption.
Steven Bellovin s...@cs.columbia.edu wrote:
Does anyone know of any (verifiable) examples of non-government enemies
exploiting flaws
Steven Bellovin s...@cs.columbia.edu wrote:
Does anyone know of any (verifiable) examples of non-government
enemies exploiting flaws in cryptography? I'm looking for
real-world attacks on short key lengths, bad ciphers, faulty
protocols, etc., by parties other than governments and militaries.
* Steven Bellovin:
Does anyone know of any (verifiable) examples of non-government enemies
exploiting flaws in cryptography?
DeCSS and subsequent DRM failures (including modchips), L0phtcrack,
the IMSI catcher*, some Elcomsoft products (particularly those better
than brute force), attacks on
On 27 November 2011 20:10, Steven Bellovin s...@cs.columbia.edu wrote:
Does anyone know of any (verifiable) examples of non-government enemies
exploiting flaws in cryptography? I'm looking for real-world attacks on
short key lengths, bad ciphers, faulty protocols, etc., by parties other
than
On Mon, Nov 28, 2011 at 4:10 AM, Steven Bellovin s...@cs.columbia.edu wrote:
Does anyone know of any (verifiable) examples of non-government enemies
exploiting flaws in cryptography? I'm looking for real-world attacks on
short key lengths, bad ciphers, faulty protocols, etc., by parties other
Landon Hurley ljrhur...@gmail.com writes:
So would the recent $200 hardware break of hdmi encryption.
HDCP was a social, political, and economic fail, not necessarily a crypto
fail. I certainly don't want to denigrate the work that the guys at the Ruhr
Uni did, but you've been able to buy
Marsh Ray ma...@extendedsubset.com writes:
* Here's an example of RSA-512 certificates being factored and used to sign
malware:
http://blog.fox-it.com/2011/11/21/rsa-512-certificates-abused-in-the-wild/
That's an example of *claims* of 512-bit keys being factored, with the
thinking being
Steven Bellovin s...@cs.columbia.edu writes:
Does anyone know of any (verifiable) examples of non-government enemies
exploiting flaws in cryptography?
Could you be a bit more precise about what flaws in cryptography covers? If
you mean exploiting bad or incorrect implementations of crypto then
On Mon, Nov 28, 2011 at 04:57:03PM +1300, Peter Gutmann wrote:
Marsh Ray ma...@extendedsubset.com writes:
* Here's an example of RSA-512 certificates being factored and used to sign
malware:
http://blog.fox-it.com/2011/11/21/rsa-512-certificates-abused-in-the-wild/
That's an example of
Solar Designer so...@openwall.com writes:
Here are some examples of 512-bit RSA keys factored:
Right, but that doesn't say anything about what happened here. In every other
case we know of in which malware has been signed by CA-issued certs, the keys
were either stolen or, more rarely, bought
On Mon, Nov 28, 2011 at 06:06:45PM +1300, Peter Gutmann wrote:
Solar Designer so...@openwall.com writes:
Here are some examples of 512-bit RSA keys factored:
Right, but that doesn't say anything about what happened here. [...]
Sure. I was not arguing with you, but rather I thought I'd