RE: Welcome to the Internet, here's your private key

2002-02-07 Thread Rick Smith at Secure Computing
At 12:20 PM 2/4/2002, Bill Stewart wrote: >A smartcard-only system probably _is_ too limited to generate keys, >but that's the only realistic case I see. Here are some manufacturer claims for the DataKey 330 smart card: average of 23 seconds to generate a 1,024-bit RSA key, average of 3 minutes

Re: Fingerprints (was: Re: biometrics)

2002-01-28 Thread Rick Smith at Secure Computing
At 02:46 PM 1/28/2002, [EMAIL PROTECTED] wrote: >The process took about 20-30 minutes; Have you been fingerprinted before? Did it take that long in that case? In my own experience, it only takes a few minutes to be fingerprinted on a standard card and, in theory, they should be able to build a

Re: biometrics

2002-01-28 Thread Rick Smith at Secure Computing
The essential problem I've always seen with biometrics (and one that Dorothy Denning acknowledged in her recent op-ed piece without seriously examining) is the question of whether it's as efficient to deploy and manage biometrics safely as it is to deploy and manage some keyed alternative like

Re: when a fraud is a sale, Re: Rubber hose attack

2001-11-09 Thread Rick Smith at Secure Computing
At 06:48 PM 11/5/2001, David Jablon wrote: >Yet, strong network-based authentication of people does not require >complex secret information ... if "complex" means demanding >at least {64, 80, 128} random bits. > >With emerging strong password schemes, your average one-in-a-thousand >or one-in-a-m

Re: when a fraud is a sale, Re: Rubber hose attack

2001-11-06 Thread Rick Smith at Secure Computing
At 11:01 AM 11/5/2001, [EMAIL PROTECTED] wrote: >The problem with all authentication technologies in use today from >biometrics to PKI to digital certs, all finesse the identification process >and push it off to some "trusted" third party...all without clearly >defining what that third party m

Re: when a fraud is a sale, Re: Rubber hose attack

2001-11-05 Thread Rick Smith at Secure Computing
At 09:49 AM 11/5/2001, [EMAIL PROTECTED] wrote: >I tend to agree with you that we should extend the meaning >of end-to-end to mean user-to-user, instead of device or >token-to-token. I'm not sure what this means. If we get really specific, then a transaction between me and a small used-book sel

Re: Rubber hose attack

2001-11-02 Thread Rick Smith at Secure Computing
At 11:59 AM 11/2/2001, vertigo wrote: >I'm sorry, but I think I entered this thread a little late. What was >being said about .NET? I know very little about it, but from what you >have said it sounds pretty scary. The thread started with an op-ed piece by Diffie and Landau about MS .Net, brie

Re: Proving security protocols

2001-11-02 Thread Rick Smith at Secure Computing
At 09:00 AM 11/1/2001, Roop Mukherjee wrote: >Can someone offer some criticism of the practice formal verification in >general ? Okay, I'll grab this hot potato. There are a few cases where a commercial development organization performs formal verification, which would seem to indicate that it

Re: Rubber hose attack

2001-11-02 Thread Rick Smith at Secure Computing
>Rick Smith at Secure Computing writes: > > While I would feel compassion for consumers > > who are hurt or inconvenienced by some huge scam that exploited a poor > > Microsoft security implementation, such a scenario would be > entertaining to > > watch.

Re: Rubber hose attack

2001-11-02 Thread Rick Smith at Secure Computing
At 11:44 AM 11/2/2001, vertigo wrote: >The point is, without this cosmic notion of trust, _I_ could walk into a bank >in semi-rural Turkey and pull hundreds of dollars from YOUR credit card >account. Of course. But this hasn't prevented people from acquiring and using credit cards. More to t

Re: Rubber hose attack

2001-11-02 Thread Rick Smith at Secure Computing
At 11:08 AM 11/1/2001, vertigo wrote: > It appears that a lot >of work has to be done and a lot of money spent before even a small amount of >trust in an individual's proof of identity (on a world- or Internet-wide >scale) can be established. Hmmm. I'm able to walk into a bank in semi-rural Ita

Re: Scarfo "keylogger", PGP

2001-10-17 Thread Rick Smith at Secure Computing
At 09:59 AM 10/16/2001, Peter Fairbrother wrote: >The affidavit is extremely complex and hard to unravel, whether to try to >preserve secrecy, in the hope that it will confuse the defence/Court, or >perhaps it's just legalese, I don't know. I spoke to someone a couple of years ago who had tried

Re: Scarfo "keylogger", PGP

2001-10-17 Thread Rick Smith at Secure Computing
At 05:21 AM 10/16/2001, Ben Laurie wrote: >Rick Smith at Secure Computing wrote: > > >Is this a serious security failure in PGP? > > > > No, it's a problem with any programmable computer. If you can install new > > programs, you can install changes to existing

Re: Scarfo "keylogger", PGP

2001-10-15 Thread Rick Smith at Secure Computing
Stripping off the precise legal language, this looks like a software keystroke logger that was carefully crafted to collect a PGP passphrase while collecting as little other data as possible. Collecting evidence is tricky business. You have to collect exactly the information you need, but you

Re: Best practices/HOWTO for key storage in small office/home office setting?

2001-10-03 Thread Rick Smith at Secure Computing
At 11:41 AM 10/2/2001, Bill Stewart wrote: >At 07:23 PM 10/02/2001 +0300, Sampo Syreeni wrote: >>Or integrate some computing power into those IBM thingies, and use >>remotely keyed encryption. Enough power is available through USB so that >>you don't have to end up with battery power. > >Sounds li

Re: New encryption technology closes WLAN security loopholes

2001-10-01 Thread Rick Smith at Secure Computing
At 03:01 PM 9/30/2001, Dan Geer wrote: > > Or in other words, the first requirement for perimeter security is > > a perimeter. > >Wireless networks have no interior. What you have is a perimeter that shrinks to that of the individual devices. And you have to slice and dice your security pol

Re: New encryption technology closes WLAN security loopholes

2001-09-26 Thread Rick Smith at Secure Computing
At 05:44 PM 9/24/2001, [EMAIL PROTECTED] wrote: >In increasingly many environments, the term "perimeter" makes little sense. >See, for example, the CCS-2000 paper on Distributed Firewalls by Sotiris >Ioannidis et al. You can get it (among other places) from >http://www.research.att.com/~smb/pape

Re: Sen. Hollings plans to introduce DMCA sequel: The SSSCA

2001-09-10 Thread Rick Smith at Secure Computing
There are obviously a number of arguments that even Senators might listen to. 1) This Act actually creates two types of computers: those that comply with the Act and those that don't comply. 2) This Act artificially inflates the cost of a basic PC, making it much harder to install them in scho

Re: If we had key escrow, Scarfo wouldn't be a problem

2001-08-15 Thread Rick Smith at Secure Computing
Declan McCullagh quoted the Post article: >http://washingtonpost.com/wp-dyn/articles/A55606-2001Aug9.html >"...Although agreeing that surveillance should be done under strict >guidelines, Baker said that "to a degree, the privacy groups got us into >this by arguing that there should be no limit

Re: Criminalizing crypto criticism

2001-07-31 Thread Rick Smith at Secure Computing
At 01:13 PM 7/27/2001, Steven M. Bellovin wrote: >It's certainly not broad enough -- it protects "encryption" research, >and the definition of "encryption" in the law is meant to cover just >that, not "cryptography". And the good-faith effort to get permission >is really an invitation to harrass

Your password must be at least 18,770 char...

2001-07-09 Thread Rick Smith at Secure Computing
One of those recently posted lists of quotations included a reference to Microsoft Knowledge Base article Q276304, from late June, which described the following problem: "SYMPTOMS If you log on to an MIT realm, press CTRL+ALT+DELETE, click Change Password, type your existing MIT password, and