I wrote:
Let me raise another possible problem with substituting IPSEC for SSL --
does anyone *really* have an IPSEC implementation that interfaces as
effectively with secure applications? ...
And Robert Hettinga replied:
IPsec happens at the network layer, SSL between the transport layer
Arnold Reinhold quoted a site containing rumors about upcoming security
features in Mac OS 8.7:
The security features controlling all of this will be very similar to
those used in OS X and are to be considered extremely secure. No external
testing has been applied yet, but Apple sources
Just got back from vacation in a low tech wilderness (the BWCA) and I
didn't have a chance to pass this on sooner.
Just before I left (Friday June 18) I met Senator John McCain at SCC's
offices in San Jose. We talked about export controls. I went through the
usual explanations and analogies to
I took the time to look at this report while stuck on an airplane (we use
Northwest up here) and I'm astonished that the FBI can't do any better than
this. They trotted out the same old anecdotes of this terrorist
"recommending" crypto to friends and that investigation "encountering"
encrypted
Hans asked:
When implementing PGP base encryption, is this implementation MUST use
symetrically Algorithms ?? Is it possible to use only the public/private
key ?
At 01:43 PM 7/19/99 -0600, [EMAIL PROTECTED] replied:
There currently isn't a way to do it under the OpenPGP Draft. Why would
you
Declan McCullagh [EMAIL PROTECTED] writes:
The sponsor of yesterday's amendment, Rep. Weldon, said that he wants to
have a classified briefing //on the House floor// to scare members into
voting his way. Look for killer amendments to SAFE to be offered during
that floor vote, perhaps even
At 02:19 AM 8/3/99, Peter Gutmann wrote:
[1] There isn't any rule of thumb for the work involved in attaining the
higher
assurance levels because it's done so rarely, although in terms of
cost and
time I've seen an estimate of $40M for an A1 Multics (it never
eventuated)
and DEC's A1
Peter Gutman said:
Smart cards with thumbprint readers are one step in this
direction, although they're currently prohibitively expensive.
American Biometrics (www.abio.com) has their Biomouse II, which I once
heard was supposed to retail around $250 or so. The old finger-only
Biomouse should
The subject of government mediated evaluations of computer security
products has come up a few times on this list, so I'm taking this
opportunity to ask the readership for assistance in a survey I've been
working on.
I'm collecting information about security product evaluations under formal
I said:
If it's programmable it's vulnerable.
Ben Laurie replied:
Oh, right. There's no attack you can defend against, right?
One has to be careful with one's universal quantifiers.
"There's no attack you can defend against." - false
"There are defenses against some attacks." - true
"There
"paul a. bauerschmidt" wrote:
one password will decrypt correctly, many other passwords will produce
alternate, valid-looking keys to fool an attacker.
is this an example of security through obscurity (a thought which many
frown upon, it seems)?
At 05:12 PM 10/8/99 -0700, Ed Gerck
Regarding certain properties of the OS 9 crypto:
*) Introducing crypto to the masses
If they're putting crypto on the desktop that "the rest of us" can use, my
hat goes off to them. Netscape pioneered "crypto to the masses" by hiding
the operations entirely. If Apple has taken the next step and
At 07:03 PM 11/11/99 +0100, Chr. Schulzki-Haddouti wrote:
I am looking for help to identify following three crypto devices, which were
presumably used by NATO and Eastern Countries. You can have a look here:
http://members.aol.com/infowelt/kdevice.htm
At the moment I am preparing an article for
At 08:59 AM 12/12/1999 -0500, Arnold G. Reinhold wrote:
As I recall, classified documents are required to carry a legend on
each page saying something like "This document contains information
affecting the national defense within the meaning of the espionage
laws, Title 18 793 and 794, the
At 04:49 PM 01/18/2000 -0700, [EMAIL PROTECTED] wrote:
I've got something with around 100 bytes of ram and an 8-bit multiply.
Is there an authentication mechanism that can fit in this?
What types of attacks are you concerned with? That's the main question. If
you have a direct, unsniffable
At 07:20 PM 01/25/2000 -, lcs Mixmaster Remailer wrote:
Steganography is successful if the attacker can't distinguish
message-holding data from ordinary data without the key. Ideally, he
can't guess whether a message is present any better upon inspecting the
cover data than he could without
At 12:12 AM 01/27/2000 +, Ben Laurie wrote:
I can't quite see the point of forward stego.
I'll leave it to Russ to explain his application if he wants to.
Why not publish something
public key encrypted and publish the private key later?
Symmetric cryptography has two advantages in this
At 03:19 PM 02/03/2000 -0800, Phil Karn wrote:
This is one of the sloppiest and misinformed judicial opinions I've
read in a long time. ...
I read the hearing transcript and the judge seemed particularly impatient
with the defense attorneys. There was the business about the defense
attorneys
At 05:43 PM 02/21/2000 -0800, Eugene Leitl wrote:
HDCP uses a 56-bit key, with individual keys distributed to the
various vendors. A violated key could be tracked down and revoked over
a satellite broadcast network, for example.
This design does not consider potential end user reactions.
Regarding the following article:
From The Register,
http://www.theregister.co.uk/000412-20.html
-
Posted 12/04/2000 5:56pm by Graham Lea ...
. The
Register has seen an unofficial transcript of a luncheon meeting on Capitol
Hill of the Internet Caucus Panel Discussion about the new
While writing about OS back-doors, I said:
I'm incredibly skeptical that Microsoft, IBM, or any other vendor
intentionally provides back-doors for the NSA or anyone else.
This was too strong, because there is in fact a counterexample that I'd
forgotten while composing that e-mail.
Jim Gillogy
At 05:05 PM 04/30/2000 -0700, Steve Reid wrote:
Below is some sample output. The amount of entropy per passphrase should
be more than 89 bits, or almost the same as seven Diceware words.
However, if you generate N passphrases and pick the one that is easiest
to remember then you should subtract
At 11:42 AM 05/10/2000 +0200, Sergio Tabanelli wrote:
Perhaps this can be out of topic, but recently I was involved in a
discussion on metods to generate strong password starting from easy to
remember word or sentence, there I proposed to use a private key to encrypt
easy to remember words. Is
At 08:03 AM 05/11/2000 +0530, Udhay Shankar N wrote:
http://www.firstmonday.dk/issues/issue2_5/rowland/
The TCP/IP protocol suite has a number of weaknesses that allow an attacker
to leverage techniques in the form of covert channels to surreptitiously
pass data in otherwise benign packets. This
At 02:25 PM 05/19/2000 -0400, Arnold G. Reinhold wrote:
. But a cooperative relationship between Microsoft and NSA
(or any vendor and their local signals security agency) can be more
subtle. What if Microsoft agreed not to fix that bug? What if
Microsoft gives NSA early access to source
At 03:48 PM 05/23/2000 -0700, John Gilmore wrote:
Rick Smith wrote:
If the NSA approaches Microsoft to acquire their support of NSA's
surveillance mission, then the information will have to be shared
with a bunch of people inside Microsoft, and they're not all going
to keep it secret.
Two
Enzo Michelangeli noted some primality checking software:
CERTIFIX is an executable for Win95, Win98, NT (hardware Intel
compatible).
And Ben Laurie wrote:
'nuff said!
Of course, this increases the size of the conspiracy at Microsoft -- if you
have anti-backdoor code, then Microsoft needs
Before continuing, let me state my three opinions that this is based on:
1) There is a non-zero risk of backdoors in commercial software, but the
perpetrators are as likely (IMHO more likely) to be outside parties and not
US agencies like NSA.
2) A persistent backdoor in Windows would have to
At 06:42 PM 05/24/2000 -0500, Jim Choate wrote:
On Wed, 24 May 2000, Eugene Leitl wrote:
Rick Smith writes:
If NSA/MS are not doing it, they must be pretty stupid, because I'd do
it in their place. The prudent assumption is hence: your online system
can't be completely trusted, whether
At 09:12 AM 05/25/2000 -0700, David Honig wrote:
Your data still goes through an operating system, etc., so the
real issue is a closed system: encrypt on a PDA which is under your
close personal control and does not download new executables. Let your
untrustworthy networked-PC be merely its
At 03:38 PM 8/10/00, Michael Paul Johnson wrote:
In case you haven't figured it out, yes, I am seriously contemplating
writing such a book.
There's certainly a need for defensive programming books oriented towards
security functions, and crypto functions in particular. On the other hand,
I've been trying to track down some information for my authentication book,
and I'm currently wrestling with the lack of easy to find Microsoft
internal specs. So I thought I'd ask the community.
I've been writing about what I call "indirect authentication" which refers
to the use of an
At 05:04 PM 12/5/00, Ray Dillinger wrote:
If someone wants to enter "sex" as a password, s/he deserves
what s/he gets (although you may put up an "insecure passphrase"
warning box for him/her).
The problem is that there's no objective way of knowing when a passphrase
becomes 'insecure' since
At 02:43 PM 12/7/00, Peter Fairbrother wrote:
In WW2 SOE and OSS used original poems which were often pornographic. See
"Between Silk and Cyanide" by Leo Marks for a harrowing account.
Yes, a terrific book. However, the book also contains an important lesson
regarding human memory.
Marks was
34 matches
Mail list logo