Derek, et al.
If you (or anyone) goes, I'm sure we'd all appreciate some
notes on what transpired. I understand 17 different bills are
being considered at this hearing, so don't blink or
you may miss it.
Peter Trei
--
From: Derek Atkins[SMTP:[EMAIL PROTECTED]
Dave Emery
Sidney Markowitz writes:
They both require that the use of such technologies be for
the purpose of committing a crime.
The Massachusetts law defines as a crime:
(b) Offense defined.--Any person commits an offense if he knowingly
(1) possesses, uses, manufactures, develops, assembles,
reusch[SMTP:[EMAIL PROTECTED] wrote:
Via the Cryptome, http://www.cryptome.org/, RU sure, look
at http://www.aeronautics.ru/news/news002/news082.htm.
I'm amazed at their claims of radio interception. One would
expect that all US military communications, even trivial ones,
are
John Kelsey[SMTP:[EMAIL PROTECTED]
At 11:08 PM 3/12/03 +0100, Krister Walfridsson wrote:
...
This is not completely true -- I have seen some high-end cards that use
the PIN code entered by the user as the encryption key. And it is quite
easy to do similar things on Java cards...
Ian Brown[SMTP:[EMAIL PROTECTED] wrote:
Ed Gerck wrote:
Printing a paper receipt that the voter can see is a proposal
that addresses one of the major weaknesses of electronic
voting. However, it creates problems that are even harder to
solve than the silent subversion of
Francois Grieu[SMTP:[EMAIL PROTECTED]
Peter Trei wrote:
I'd prefer that the printed receipt be retained at the polling
station, after the voter has had an opportunity to examine it.
This serves two purposes: First, it prevents the vote selling
described above, and second, if a
Pete Chown[SMTP:[EMAIL PROTECTED]]
Arnold G. Reinhold wrote:
Indeed, but it is important to remember just how thickheaded the
anti-crypto effort of the '80s and '90s was and how much damage it did.
As a footnote to those times, 2 ** 40 is 1,099,511,627,776. My PC can
do 3,400,000
Arnold G. Reinhold[SMTP:[EMAIL PROTECTED]] wrote:
It's worth remembering that the original WEP used 40 bit keys. For
some time, RC4 with 40 bit keys was the only crypto system that could
be exported without a license. It's hard for me to believe that
export concerns were not the primary
Steven M. Bellovin[SMTP:[EMAIL PROTECTED]] wrote:
In message
[EMAIL PROTECTED]
m, Trei, Peter writes:
If I recall correctly (dee3: Can you help?) WEP is actually derived
from the encryption system used in the Apple Mobile Messaging
System, a PCMCIA paging card made for the Newton
Matthew Byng-Maddick[SMTP:[EMAIL PROTECTED]] writes:
On Sun, Feb 09, 2003 at 11:43:55PM -0500, Donald Eastlake 3rd wrote:
been that you either throw away the first 256 bytes of stream key output
or use a different key on every message. WEP does neither. TKIP, the new
You NEVER,
Adam Shostack[SMTP:[EMAIL PROTECTED]] writes:
I believe that DRM systems will require not just an authorized boot
sequence, but a secure remote attestation that that boot sequence was
followed, and a secure attestation as to the versions of the software
on your system. So, while a
John Gilmore[SMTP:[EMAIL PROTECTED]] writes:
Nomen writes:
How does this latest development change the picture? If there is no
Hollings bill, does this mean that Trusted Computing will be voluntary,
as its proponents have always claimed? And if we no longer have such
a threat
The PO tried marketing this service about 6 years ago.
As far as I can see, this is almost identical to the last try.
It failed in the marketplace then, and I see no reason
whatsoever to think it will succeed now.
Favorite paragraph:
Having a feature certified as secure by a federal agency
James A. Donald[SMTP:[EMAIL PROTECTED]] wrote:
Reading the Wifi report,
http://www.weca.net/OpenSection/pdf/Wi-Fi_Protected_Access_Overview.pdf
it seems their customers stampeded them and demanded that the
security hole be fixed, fixed a damned lot sooner than they
intended to fix it.
[Moderator's note: FYI: no pragma is needed. This is what C's
volatile keyword is for. Unfortunately, not everyone writing in C
knows the language. --Perry]
From RISKS:
http://catless.ncl.ac.uk/Risks/22.35.html#subj6
Those of us who write code need to be reminded of this
now and then.
Peter
Branchaud, Marc writes:
Any thoughts on this device? At first glance, it doesn't seem
particularly impressive...
http://www.quizid.com/
Lovely idea of two-factor authentication:
The user then enters their user name (something they know) and the
8-digit Quizid passcode
Ralf-P. Weinmann[SMTP:[EMAIL PROTECTED]] wrote:
On Thu, Sep 26, 2002 at 02:45:12PM -0700, John Gilmore wrote:
[...]
After getting that getting started, though, I suggest beginning a
brute-force attack on the GSM cellphone encryption algorithm. That's
in use in hundreds of
First, the official PR release:
---
Distributed Team Collaborates to Solve Secret-Key Challenge
Contest designed to keep the cryptographic community updated
on new achievements and help organizations maintain highest
levels of security
Bedford,
Niels Ferguson[SMTP:[EMAIL PROTECTED]] wrote:
Well, I'm tired of this. AARG, or whoever is hiding behind this pseudonym,
is obviously not reading the responses that I send, as he keeps asking
questions I already answered. I'm not going to waste more of my time
responding to this. This is
Russell Nelson[SMTP:[EMAIL PROTECTED]] writes:
You're wearing your programmer's hat when you say that. But the
problem isn't programming, but is instead economic. Switch hats. The
changes that you list above may or may not offer some security
advantages. Who cares? What really matters
Jon Callas[SMTP:[EMAIL PROTECTED]]
On 8/1/02 1:14 PM, Trei, Peter [EMAIL PROTECTED] wrote:
So my question is: What is your reason for shielding your identity?
You do so at the cost of people assuming the worst about your
motives.
Is this a tacit way to suggest that the only
AARG! Anonymous[SMTP:[EMAIL PROTECTED]] writes
[...]
Now, there is an optional function which does use the manufacturer's key,
but it is intended only to be used rarely. That is for when you need to
transfer your sealed data from one machine to another (either because you
have
John S. Denker[SMTP:[EMAIL PROTECTED]] wrote:
Peter Gutmann wrote:
Actually I'm amazed no printer vendor has ever gone after companies who produce
third-party Smartchips for remanufactured printer cartridges. This sounds like
the perfect thing to hit with the DMCA universal
AM
To: [EMAIL PROTECTED]
Cc: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Subject: Re: DOJ proposes US data-rentention law.
Trei, Peter wrote:
- start quote -
Cyber Security Plan Contemplates U.S. Data Retention Law
http://online.securityfocus.com/news/486
Internet service
--
From: Nomen Nescio[SMTP:[EMAIL PROTECTED]]
Sent: Thursday, May 30, 2002 12:20 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: FC: Hollywood wants to plug analog hole, regulate A-D
converters
Peter Trei writes:
My mind has been boggled, my
Now, I'm sure no one on this list would trust MSVC6 rand() for anything
important, but this post from sci crypt (which I have not confirmed)
may be of interest:
Peter Trei
- start quote -
Newsgroups: sci.crypt, sci.crypt.random-numbers
Subject: Warning: MSVC6 rand function
Russell Nelson[SMTP:[EMAIL PROTECTED]] wrote
Derek Atkins writes:
I think it's really about degree. I don't agree that having a
non-empty threat model implies you a paranoid.
Yes, you're right (and Phil Pennock points out that I meant
intersection, not union). Dictionary.com defines
R. A. Hettinga[SMTP:[EMAIL PROTECTED]]
At 3:54 PM -0400 on 4/16/02, Trei, Peter wrote:
Well, Lucky's not a business, and he's certainly not a military
institution (despite his fondness for ordnance). What does that
leave? Most of us who know him got a little chuckle out
Anonymous[SMTP:[EMAIL PROTECTED]]
Bruce Schneier writes in the April 15, 2002, CRYPTO-GRAM,
http://www.counterpane.com/crypto-gram-0204.html:
But there's no reason to panic, or to dump existing systems. I don't think
Bernstein's announcement has changed anything. Businesses today
[Note: I'm just passing on posts from sci.crypt. I've
not confirmed this independently
It appears that not every product which uses smart
cards is secure
- pt]
From: [EMAIL PROTECTED] (Philippe Mestral)
Newsgroups: sci.crypt
Subject: I've
Distributed.net, which has won several of the RSA Secret Key
challenges, and is currently 73% of the way through the
RC5-64 contest, has lost its ISP.
Peter Trei
From their front page:
- start quote
We need your help!
URGENT: We have recently learned that our
I might be able to help you. I was the person who
initiated the DES Challenges, getting RSA
Data Security to sponsor them, and working
with people in RSA Labs on their design (this
was before I switched employers to RSA).
I also wrote one of the search engines.
I have a fair bit of data,
[The SSSCA would require all devices capable of
carrying media content to have hardware locks
to prevent copyright violations. Essentially,
it turns all computers as closed as set-top
boxes - and about as useful.
See http://www.politechbot.com/cgi-bin/politech.cgi?name=sssca
for background -pt ]
Ben Laurie[SMTP:[EMAIL PROTECTED]]
Keyring and Strip are both programs that provide secure DBs on Palms.
Keyring, at least, is free and open source.
However, since Palms have no MMU, there's no security against hostile
other apps, which makes them pretty useless devices for this kind
I read the article (in the dead tree edition), and despite its
technical inaccuracies, thought it was generally
pretty good.
Don't forget that the MITM attack (which Schneier claims
takes 2^(2n) = 2^112 time), also requires 2^56 blocks
of storage. That's a lot, and the attack ceases to be
One other scheme I've seen, and which, while it doesn't give me
warm fuzzies, seems reasonable, is to issue the
enduser a smartcard with a keypair on it. The SC generates
the pair onboard, and exports only the public half. The private
half never leaves the SC (there is no function on the card
There are plenty of 'thought experiment' crypto systems which
are utterly infeasible in practice. Rabin's is one.
It does have perfect forward secrecy in that if Eve doesn't know
ahead of transmission time what part of the keystream to grab,
she can't later decrypt the message.
But, as
I'm not the local expert on this, but there are SCs with
built-in crypto accelerators. They are designed for the
use I described:
* Generate an RSA key pair on board,
* export the public key,
* re-import the certificate,
* wrap/unwrap a data block
(typically a session key or hash for
Karsten M. Self[SMTP:[EMAIL PROTECTED]] writes:
Note that my reading the language of 1201 doesn't require that the work
being accessed be copyrighted (and in the case of Afghanistan, there is
a real question of copyright status), circumvention itself is
sufficient, regardless of status of
(feel free to forward this message in its entirety)
The RSA Data Security Conference is being held
February 18-22, 2001, at the McEnery Convention
Center in San Jose, California.
This is the biggest computer security conference
in the world, with 200 vendors and over 10,000
attendees.
There's a much simpler reason why few or no stego'ed messages are
present in usenet images: They form an inefficient and unneeded
distribution mechanism.
Try taking a peek at the Usenet newsgroup alt.anonymous.messages.
Dozens of PGP'd messages a day, from our old friends Secret Squirrel,
Ben Laurie[SMTP:[EMAIL PROTECTED]] wrote:
[EMAIL PROTECTED] wrote:
Jay D. Dyson writes:
-BEGIN PGP SIGNED MESSAGE-
On Tue, 27 Nov 2001 [EMAIL PROTECTED] wrote:
Hrm, how about a worm with a built-in HTTP server that
installs itself
on some
[This response probably can't get to all of the lists to which
the original message was addressed to. Feel free to forward
it to those lists, if you can, and to other addresses as needed.
-pt]
Alex Alten[SMTP:[EMAIL PROTECTED]] wrote:
[.discussion of .NET weaknesses deleted]]
RC4
--
From: Alan Barrett[SMTP:[EMAIL PROTECTED]]
The DMCA said:
1201(a)(1)(A):
No person shall circumvent a technological measure that effectively
controls access to a work protected under this title.
What does effectively mean here?
If it has its plain
The only RSA Secret Key Challenge known to be under active attack
at this time is RC5-64, by distributed.net. Last night this reached the
50% mark, having tested 9,225,283,403,065,065,472 keys at the time I
write this, over 1331 days. The current rate is over 210 Gkeys/sec - they
should