Marsh Ray ma...@extendedsubset.com writes:
Right, so one of the lessons learned here was that if IETF had considered
APIs and not just protocols those bugs in TLS would have been found long ago.
A pen-tester I know once found a (fairly serious) security hole under the
influence of (equally
Ian G i...@iang.org writes:
The typical reasons for not using TLS would be
[...]
(c) it only delivers a relatively small subset of a fuller security model.
That's a legitimate reason for using JS crypto. What TLS gives you is the
archetypal armoured car from the guy who lives on a cardboard
On 06/22/2011 07:17 AM, Peter Gutmann wrote:
Crypto API designed by an individual or a single organisation:
CryptoAPI: A handful of guys at Microsoft
I always kind of thought this one looked like someone went a little wild
with the UML modeling tools.
PKCS #11: Someone at RSA (I've heard
http://www.darkreading.com/advanced-threats/167901091/security/application-security/231000129/malware-increasingly-being-signed-with-stolen-certificates.html
Not surprising to most readers of this list, I suspect...
--Steve Bellovin, https://www.cs.columbia.edu/~smb
On 06/22/2011 10:04 AM, Marsh Ray wrote:
Code signing. Occasionally useful.
I meant to add:
It's usually more useful as a means for a platform vendor to enforce
its policies on legitimate developers than as something which delivers
increased security to actual systems.
- Marsh
Marsh Ray ma...@extendedsubset.com writes:
On 06/22/2011 09:40 AM, Steven Bellovin wrote:
http://www.darkreading.com/advanced-threats/167901091/security/application-security/231000129/malware-increasingly-being-signed-with-stolen-certificates.html
Not surprising to most readers of this list, I
Marsh Ray ma...@extendedsubset.com writes:
It's usually more useful as a means for a platform vendor to enforce its
policies on legitimate developers than as something which delivers increased
security to actual systems.
Symbian being a prime example. With Android it's easier, you just publish
On 06/22/2011 08:04 AM, Marsh Ray wrote:
On 06/22/2011 09:40 AM, Steven Bellovin wrote:
http://www.darkreading.com/advanced-threats/167901091/security/application-security/231000129/malware-increasingly-being-signed-with-stolen-certificates.html
Not surprising to most readers of this list, I
On Wed, Jun 22, 2011 at 7:17 AM, Peter Gutmann
pgut...@cs.auckland.ac.nz wrote:
Marsh Ray ma...@extendedsubset.com writes:
Right, so one of the lessons learned here was that if IETF had considered
APIs and not just protocols those bugs in TLS would have been found long ago.
A pen-tester I know
Just to split hairs, malware has stolen signing keys for years, but it's only
in the last few years that malware vendors have started using them.
Maybe that's it -- it's DRM for the malware vendors, to ensure that other
bad guys don't steal their code...
--Steve Bellovin,
What happens if the bad guy just strips the signature? What are the
circumstances under which an OS or user+OS will refuse to run code that just
isn't signed at all?
In the case of Microsoft Clickonce, the Install Dialog is changed from
Publisher: Discount Bob's Software Hanggliding to
Hi,
We've just released those, as part of John the Ripper 1.7.8, but freely
licensed for reuse anywhere else. Our understanding is that S-box
expressions themselves are mathematical formulas and thus are not
subject to copyright. The specific code implementing them is licensed
under a heavily