Re: [cryptography] preventing protocol failings

2011-07-13 Thread Ian G
On 13/07/11 9:25 AM, Marsh Ray wrote: On 07/12/2011 04:24 PM, Zooko O'Whielacronx wrote: On Tue, Jul 12, 2011 at 11:10 AM, Hill, Brad bh...@paypal-inc.com wrote: I have found that when H3 meets deployment and use, the reality too often becomes: Something's gotta give. We haven't yet found a

Re: [cryptography] preventing protocol failings

2011-07-13 Thread Ian G
On 13/07/11 3:10 AM, Hill, Brad wrote: Re: H3, There is one mode and it is secure I have found that when H3 meets deployment and use, the reality too often becomes: Something's gotta give. We haven't yet found a way to hide enough of the complexity of security to make it free, and this

Re: [cryptography] preventing protocol failings

2011-07-13 Thread Hill, Brad
I know it sounds good, but has it ever worked? Has any vendor ever been successfully attacked through a weak demo system, and then rolled out a new one *which happened to be prepared in time for this eventuality* ? Not a shining example of secure protocol design, but here's one example:

Re: [cryptography] preventing protocol failings

2011-07-13 Thread Marsh Ray
On 07/13/2011 01:01 AM, Ian G wrote: On 13/07/11 9:25 AM, Marsh Ray wrote: But the entire purpose of securing a system is to deny access to the protected resource. And that's why it doesn't work; we end up denying access to the protected resource. Denying to the attacker - good. Denying

[cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-13 Thread Adam Back
You know this is why you should use ssh-keys and disable password authentication. First thing I do when someone gives me an ssh account. ssh-keys is the EKE(*) equivalent for ssh. EKE for web login is decades overdue and if implemented and deployed properly in the browser and server could

Re: [cryptography] preventing protocol failings

2011-07-13 Thread Peter Gutmann
Ralph Holz h...@net.in.tum.de writes: The question, after all, is how often do you really read the SSH warnings? How often do you just type on or retry or press accept? What if you're the admin who encounters this maybe 2-3 times a day? The August (I think) issue of ;login, the Usenix magazine (

Re: [cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-13 Thread Peter Gutmann
Adam Back a...@cypherspace.org writes: EKE for web login is decades overdue and if implemented and deployed properly in the browser and server could pretty much wipe out phishing attacks on passwords. We have source code for apache, mozilla, maybe could persuade google; and perhaps microsoft and

Re: [cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-13 Thread Ralph Holz
Hi, On 07/13/2011 01:34 PM, Ian G wrote: Is there any reason why the ssh client-side can't generate the key, take the password from the user, login and install the key, all in one operation? Hm, I think there's actually a tool to do just that, although I don't remember the name. You'd

Re: [cryptography] preventing protocol failings

2011-07-13 Thread Peter Gutmann
Andy Steingruebl a...@steingruebl.com writes: The way it for for everyone I knew that went through it was: 1. Sniffing was sort of a problem, but most people didn't care 2. Telnet was quite a bit of a pain, especially when using NAT, and wanting to do X11 forwarding 3. Typing in your password

[cryptography] PuTTY 0.61 (ssh-keys only and EKE for web too (Re: preventing protocol failings))

2011-07-13 Thread Marsh Ray
I normally wouldn't post about any old software release, but with the recent discussion of SSH and authentication these release notes from PuTTY seem appropriate. - Marsh http://lists.tartarus.org/pipermail/putty-announce/2011/16.html It's been more than four years since 0.60 was

Re: [cryptography] preventing protocol failings

2011-07-13 Thread James A. Donald
On 2011-07-13 8:43 PM, d...@geer.org wrote: I'll certainly agree that security cannot be made free, on the obvious grounds that security's costs are decision making under uncertainty plus enforcement of those decisions. Skype is an excellent example of free security. Skype has not one click

Re: [cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-13 Thread James A. Donald
On 2011-07-13 9:10 PM, Peter Gutmann wrote: As for Microsoft, Opera, etc who knows? (If you work on, or have worked on, any of these browsers, I'd like to hear more about why it hasn't been considered). I think it'll be a combination of two factors: 1. Everyone knows that passwords are

Re: [cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-13 Thread Jeffrey Walton
On Wed, Jul 13, 2011 at 2:17 PM, James A. Donald jam...@echeque.com wrote: On 2011-07-13 9:10 PM, Peter Gutmann wrote: As for Microsoft, Opera, etc who knows? (If you work on, or have worked on, any of these browsers, I'd like to hear more about why it hasn't been considered). I think

Re: [cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-13 Thread Marsh Ray
On 07/13/2011 01:33 PM, Jeffrey Walton wrote: I believe Mozilla is [in]directly supported by Google. Mozilla has made so much money, they nearly lost their tax exempt status: http://tech.slashdot.org/story/08/11/20/1327240/IRS-Looking-at-GoogleMozilla-Relationship. Mozilla has a lot of cash

Re: [cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-13 Thread Ian G
On 14/07/11 4:33 AM, Jeffrey Walton wrote: On Wed, Jul 13, 2011 at 2:17 PM, James A. Donald jam...@echeque.com wrote: On 2011-07-13 9:10 PM, Peter Gutmann wrote: As for Microsoft, Microsoft have a big interest in bypassing the status quo, and they've tried several times. But each time it

Re: [cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-13 Thread Brian Smith
Ian G wrote: Well, not financially, more like the policy side is impacted by the CAs, which are coordinated in a confidential industry body called CABForum. This body communicates internally to Mozilla (being a member) and via private comment by CAs to the CA desk. AFAIK, the CABForum has a

[cryptography] OTR and deniability

2011-07-13 Thread Ai Weiwei
Hello list, Recently, Wired published material on their website which are claimed to be logs of instant message conversations between Bradley Manning and Adrian Lamo in that infamous case. [1] I have only casually skimmed them, but did notice the following two lines:     (12:24:15 PM)

Re: [cryptography] preventing protocol failings

2011-07-13 Thread Peter Gutmann
Andy Steingruebl a...@steingruebl.com writes: Hmm, do you know that many sysadmins outside high-security conscious areas that really cared about typing the root password over telnet, especially back in 1997? I don't. Academia and banks cared, and often deployed things like securid or OPIE/SKEY

Re: [cryptography] preventing protocol failings

2011-07-13 Thread Andy Steingruebl
On Wed, Jul 13, 2011 at 8:40 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: Maybe we travel in different circles, but both in sysadmin circles and in instances where it's come up in the past on security lists as an example of a successful security protocol, its reason for success has always

Re: [cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-13 Thread Peter Gutmann
Ian G i...@iang.org writes: Microsoft have a big interest in bypassing the status quo, and they've tried several times. But each time it isn't for the benefit of the users, more for their own benefit, in that they've tried to rebuild the security infrastructure with themselves in control.

Re: [cryptography] preventing protocol failings

2011-07-13 Thread Kevin W. Wall
On Wed, Jul 13, 2011 at 11:39 AM, Andy Steingruebl a...@steingruebl.com wrote: On Wed, Jul 13, 2011 at 7:11 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: Andy Steingruebl a...@steingruebl.com writes: The way it for for everyone I knew that went through it was: 1. Sniffing was sort of a

Re: [cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

2011-07-13 Thread James A. Donald
Ian G wrote: The chances of them approving or agreeing to EKE are next to nil. The problem with Mozilla security coding is more this: most (all?) of the programmers who work in that area are all employees of the big software providers. And they all have a vested interest in working for the