Tim Dierks wrote:
> - Get browser makers to design better ways to communicate to users that
> UI elements can be trusted. For example, a proposal I saw recently which
> would have the OS decorate the borders of "trusted" windows with facts or
> images that an attacker wouldn't be able to predic
At 12:44 PM 06/07/2003 -0400, John S. Denker wrote:
On 06/07/2003 08:04 AM, Udhay Shankar N wrote:
I haven't seen this discussed here yet.
I hadn't seen this particular implementation of it discussed here
before your posting, but as John points out, the topic has been discussed.
It's somewhat cool,
Hi,
I'm currently preparing courses about telecommunication security
architectures and protocols of which certificates are a main
building block for authentication and authorisation.
I'm presenting the PKI/PMI models with X.509 as the mainly used
architecture today and PGP as the distributed model
John R. Levine wrote:
Crypto lets someone say "Hi! I absolutely definitely
have a name somewhat like the name of a large familiar organization,
and I'd like to steal your data!" ...
It might help if browsers displayed some details of the certificate
without being asked. For example, instead of
Hi all,
As some of you know, I'm working on a book titled `Intro to applied
cryptography for secure communication and commerce. It takes much longer
than planned (but I'm still hoping to finish it one day!). Anyway, I've
removed much of the chapters from the book site while I'm revising them,
Nomen Nescio <[EMAIL PROTECTED]> writes:
>I don't see how this is going to work. The concept seems to assume that
>there is a distinction between "trusted" and "untrusted" programs. But in the
>NGSCB architecture, Nexus Computing Agents (NCAs) can be written by anyone.
>If you've loaded a Trojan
[Dr. Wiebes ran the excellent conference on Cold War SIGINT, held
in the Netherlands a few years ago. -- John]
Date: Wed, 04 Jun 2003 21:14:21 +0200
From: "C.Wiebes" <[EMAIL PROTECTED]>
It is my pleasure to inform you that a book dealing with the Intelligence and
the War in Bosnia 1992 - 1995 has
hi
( 03.06.10 01:52 - ) John R. Levine:
> Crypto lets someone say "Hi! I absolutely definitely have a name
> somewhat like the name of a large familiar organization, and I'd like
> to steal your data!" and lots of users will say "OK, fine, whatever."
I think this is more a problem with peopl
> For example, a proposal I saw recently which
> would have the OS decorate the borders of "trusted" windows with facts or
> images that an attacker wouldn't be able to predict: the name of your
> dog, or whatever.
But if the system is rooted, then the attacker merely has to find the
"today's secr
At 06:12 PM 6/8/2003 -0600, Anne & Lynn Wheeler wrote:
at a recent cybersecurity conference, somebody made the statement that (of
the current outsider, internet exploits, approximately 1/3rd are buffer
overflows, 1/3rd are network traffic containing virus that infects a
machine because of automa
> -Original Message-
> From: David Honig
> Sent: Monday, June 09, 2003 6:42 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: Keyservers and Spam
>
> Why not publish your key under a bogus name that goes no-where?
The answer is simple. I cannot publish a PGP under a false nam
Pete Chown wrote:
> It might help if browsers displayed some details of the certificate
> without being asked. For example, instead of a padlock, the browser
> could have an SSL toolbar. This would show the verified name and
> address of the site you are connected to.
or just show the verified na
Jill --
I'm thinking that you may have answered your own question. The problem
really lies in the fact that none of us uses secured e-mail exclusively.
If so, then following a chain of signers to validate the sender creates
the essence of a whitelist, thereby avoiding most spam.
However since
At 04:54 PM 6/10/2003 +0100, [EMAIL PROTECTED] wrote:
> -Original Message-
> From: David Honig
> Sent: Monday, June 09, 2003 6:42 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: Keyservers and Spam
>
> Why not publish your key under a bogus name that goes no-where?
The answer
[EMAIL PROTECTED] writes:
> The answer is simple. I cannot publish a PGP under a false name, because if
> I did, who would sign it to attest that it genuinely did belong to the
> person to whom it claimed to belong? Would you?
> I, personally, would never sign a bogus key. If I ever did find some
--
On 8 Jun 2003 at 14:47, tom st denis wrote:
> I disagree. That attack is more akin to a "Hi, I'm calling
> from {insert bank here} and we need your CC info to update
> your file."
>
> That doesn't mean credit cards [nor your bank] are flawed.
Actually credit cards, and your bank, are fla
--
James A. Donald:
> > I keep posting "you cannot do this using https", and people
> > keep replying "yes you can"
On 10 Jun 2003 at 1:52, John R. Levine wrote:
> I think there's two separate problems here. One is domain
> squatting. I've seen lots of phishes from domains like
> paypal-c
The solution to this problem is simple. We want to be able to look
up keys on the key servers by email address or user name or keyid.
But we don't want the system to be useful for spam harvesting.
Simply require that lookups be by valid email address or user name.
Eliminate the wildcard searching
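The exact-match lookup policy proposed above, as an added example; it is not part of the original post and not the code of any real keyserver. The keyring entries, names and addresses are constructed sample data, and the three accepted query forms (full keyid or short keyid, complete e-mail address, exact user name) and the rejected wildcard characters are assumptions chosen to illustrate the rule "no wildcard or substring search, only exact identifiers".

```python
import re

# Constructed sample keyring (toy data, not real keys): keyid -> (user name, e-mail)
KEYRING = {
    "0x1A2B3C4D5E6F7A8B": ("Alice Example", "alice@example.org"),
    "0xCAFEBABE12345678": ("Bob Example", "bob@example.org"),
    "0x0123456789ABCDEF": ("Carol Example", "carol@mail.example.net"),
}

# Metacharacters a wildcard/substring search would use; the server refuses them outright.
_WILDCARD = re.compile(r"[*?%\[\]]")
# A complete address: something@something.tld, nothing more and nothing less.
_EMAIL = re.compile(r"^[^@\s<>]+@[^@\s<>]+\.[^@\s<>]+$")
# 32-bit (8 hex digits) or 64-bit (16 hex digits) PGP keyid, optional 0x prefix.
_KEYID = re.compile(r"^(?:0x)?(?:[0-9A-Fa-f]{8}|[0-9A-Fa-f]{16})$")


def _hex(keyid):
    k = keyid.strip().lower()
    return k[2:] if k.startswith("0x") else k


def classify(query):
    """Return 'keyid', 'email' or 'name'; raise ValueError for anything that is not
    an exact, fully specified identifier (the harvester's queries all land here)."""
    q = query.strip()
    if not q or _WILDCARD.search(q):
        raise ValueError("wildcard and partial searches are not allowed")
    if _KEYID.match(q):
        return "keyid"
    if _EMAIL.match(q):
        return "email"
    if "@" in q:
        # "@example.org" or "alice@" are domain probes, not addresses.
        raise ValueError("malformed e-mail address")
    return "name"


def lookup(query):
    """Return the keyids whose user ID equals `query` exactly; never a substring match."""
    kind = classify(query)
    q = query.strip()
    hits = []
    for keyid, (name, email) in KEYRING.items():
        if kind == "keyid":
            full, want = _hex(keyid), _hex(q)
            if full == want or full[-8:] == want:
                hits.append(keyid)
        elif kind == "email" and email.lower() == q.lower():
            hits.append(keyid)
        elif kind == "name" and name == q:
            hits.append(keyid)
    return hits


def harvest_attempts():
    """The queries a spam harvester would try: each is rejected or returns no key."""
    results = []
    for probe in ["*@example.org", "@example.org", "example", "Alice", "a%"]:
        try:
            results.append((probe, "hits:%d" % len(lookup(probe))))
        except ValueError as err:
            results.append((probe, "rejected: " + str(err)))
    return results
```

A legitimate correspondent who already knows the address or keyid gets the key; someone who only knows the domain gets nothing, because the server never enumerates. The short-keyid match is kept only because it is what people paste from signatures; it is not a prefix search.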
The problem to be solved is this. Spoofed sites can acquire user
credentials, especially passwords, and then use those to impersonate the
user on the real sites. With paypal and e-gold, this allows stealing
real money.
Using client certificates to authenticate would solve this, because
even if t
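The difference between a replayable password and a key-based challenge response, as an added example that is not part of the original post. A textbook RSA key pair, generated inline and far too small for real use, stands in for the key inside a client certificate; the hostnames "paypal.example" and "paypa1-secure.example" are made up; and the detail that the client signs the server's nonce together with the hostname it believes it reached is an assumption that mirrors how TLS client authentication signs the handshake transcript (which covers the server's certificate). With that binding, a spoofed site that relays a live challenge from the real site still ends up with a signature the real site will not accept.

```python
import hashlib
import random

_rng = random.Random(20030610)  # fixed seed so the toy keys are reproducible; never for real keys


def _probable_prime(n, rounds=20):
    """Miller-Rabin primality test; adequate for a toy key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _prime(bits):
    while True:
        c = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(c):
            return c


def keygen(bits=512):
    """Textbook RSA pair ((e, n), (d, n)) standing in for the certificate's key."""
    e = 65537
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)


def _digest(nonce, hostname):
    # Assumption: the response covers the nonce AND the hostname the client connected
    # to, so a response produced for one host verifies at no other host.
    return int.from_bytes(hashlib.sha256(nonce + b"|" + hostname.encode()).digest(), "big")


def sign(priv, nonce, hostname):
    d, n = priv
    return pow(_digest(nonce, hostname) % n, d, n)


def verify(pub, nonce, hostname, sig):
    e, n = pub
    return pow(sig, e, n) == _digest(nonce, hostname) % n


class Site:
    """A server that accepts either a password or a signed challenge."""

    def __init__(self, hostname):
        self.hostname, self.passwords, self.pubkeys, self.nonces = hostname, {}, {}, {}

    def challenge(self, user):
        self.nonces[user] = _rng.getrandbits(128).to_bytes(16, "big")
        return self.nonces[user]

    def login_password(self, user, password):
        return self.passwords.get(user) == password

    def login_signature(self, user, sig):
        nonce = self.nonces.pop(user, None)  # each challenge is single use
        pub = self.pubkeys.get(user)
        return nonce is not None and pub is not None and verify(pub, nonce, self.hostname, sig)


REAL_HOST, SPOOF_HOST = "paypal.example", "paypa1-secure.example"  # assumed names


def password_phishing_succeeds():
    real = Site(REAL_HOST)
    real.passwords["alice"] = "hunter2"
    captured = "hunter2"  # Alice typed it into the spoofed site, which now replays it
    return real.login_password("alice", captured)


def certificate_phishing_succeeds():
    pub, priv = keygen()
    real = Site(REAL_HOST)
    real.pubkeys["alice"] = pub
    nonce = real.challenge("alice")      # spoof site fetches a live challenge from the real site...
    sig = sign(priv, nonce, SPOOF_HOST)  # ...but Alice's browser signs for the host she reached
    return real.login_signature("alice", sig)


def legitimate_login_succeeds():
    pub, priv = keygen()
    real = Site(REAL_HOST)
    real.pubkeys["alice"] = pub
    nonce = real.challenge("alice")
    return real.login_signature("alice", sign(priv, nonce, REAL_HOST))
```

The private key never leaves Alice's machine, so the spoof site learns nothing it can reuse; what it does learn (one signature over its own hostname) is worthless elsewhere. Without the hostname binding the relay attack would still work in real time, which is why the binding, not merely the use of a key, is the essential part.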
--
On 8 Jun 2003 at 20:00, Anne & Lynn Wheeler wrote:
> that is why we coined the term merchant "comfort"
> certificates some time ago. my wife and I having done early
> work for payment gateway with small client/server startup in
> menlo park ... that had this thing called SSL/HTTPS ... and
>
--
On 9 Jun 2003 at 2:09, Dave Howe wrote:
> The problem is here, we are blaming the protective device for
> not being able to protect against the deliberate use of an
> attack that bypasses, not challenges it - by exploiting the
> gullibility or tendency to take the path of least resistance
>
At 5:12 PM -0700 6/8/03, Anne & Lynn Wheeler wrote:
>somebody (else) commented (in the thread) that anybody that currently
>(still) writes code resulting in buffer overflow exploit maybe should be
>thrown in jail.
A nice essay, partially on the need to include technological protections
against hum
At 04:54 PM 6/10/03 +0100, [EMAIL PROTECTED] wrote:
>> From: David Honig
>> Why not publish your key under a bogus name that goes no-where?
>
>The answer is simple. I cannot publish a PGP under a false name, because if
>I did, who would sign it to attest that it genuinely did belong to the
>pers
At 12:43 PM 6/10/03 -0400, Jeffrey Kay wrote:
>number (which I now use Call Intercept to avoid telephone solicitors).
But for privacy reasons, some folks will not automatically forward
their phone number. You either deny them access or require them
to jump through extra hoops (redial w/ special
--- begin forwarded text
Status: U
Date: Tue, 10 Jun 2003 00:22:02 -0500 (CDT)
From: InfoSec News <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [ISN] Cryptography at the core of sound IT security
Sender: [EMAIL PROTECTED]
Reply-To: InfoSec News <[EMAIL PROTECTED]>
http://www.computerworl
"James A. Donald" <[EMAIL PROTECTED]> writes:
>On 8 Jun 2003 at 14:47, tom st denis wrote:
>>I disagree. That attack is more akin to a "Hi, I'm calling
>>from {insert bank here} and we need your CC info to update
>>your file."
>>
>>That doesn't mean credit cards [nor your bank] are flawed.
>
>Actu
At 11:26 PM 6/10/2003 +0200, Anonymous wrote:
The problem to be solved is this. Spoofed sites can acquire user
credentials, especially passwords, and then use those to impersonate the
user on the real sites. With paypal and e-gold, this allows stealing
real money.
Using client certificates to aut
Yes, >NOW< if you can load yourself into kernel space, you can do anything
and everything - Thou Art God to quote Heinlein. This is true of every
OS. Except if you add that nice little TCPA bugger which can verify the
kernel image you're running is the right and approved one. Q.E.D.
Look at the
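The measured-boot idea the message relies on (a platform component hashes the kernel image before it runs and records the result where later code cannot rewrite it), as an added example; this is not TCPA's code and not part of the original post. It generalises from "verify the kernel image" to the TCPA-style chain of measurements: each stage's SHA-1 hash is folded into a 20-byte platform configuration register by PCR = SHA-1(PCR || hash), and a verifier compares the final register against the value an approved chain produces. The boot-stage byte strings are constructed stand-ins for real images.

```python
import hashlib

PCR_INIT = b"\x00" * 20  # TCPA-era PCRs are 20-byte SHA-1 registers, zero at reset


def measure(blob):
    """Hash a component before it runs; the hash is what gets recorded, not the code."""
    return hashlib.sha1(blob).digest()


def extend(pcr, measurement):
    # PCR_new = SHA-1(PCR_old || measurement). Order-dependent and one-way: code that
    # runs later, however privileged, cannot set the register back to a chosen value.
    return hashlib.sha1(pcr + measurement).digest()


def boot(components):
    """Measure each stage before handing control to it; return (final PCR, event log)."""
    pcr, log = PCR_INIT, []
    for name, blob in components:
        m = measure(blob)
        log.append((name, m.hex()))
        pcr = extend(pcr, m)
    return pcr, log


# Constructed stand-ins for the real images; a real chain measures the actual bytes.
APPROVED_CHAIN = [
    ("bootloader", b"approved boot loader image (constructed)"),
    ("kernel", b"approved kernel image (constructed)"),
]
GOLDEN_PCR = boot(APPROVED_CHAIN)[0]  # the value the verifier expects to see


def attest(components, expected=GOLDEN_PCR):
    """Verifier side: the reported PCR must equal what the approved chain produces."""
    pcr, log = boot(components)
    return pcr == expected, log


def log_replays_to(log, reported_pcr):
    """Replay an event log through extend(); a log edited to hide a stage will not
    reproduce the register value the hardware actually holds."""
    pcr = PCR_INIT
    for _, mhex in log:
        pcr = extend(pcr, bytes.fromhex(mhex))
    return pcr == reported_pcr


def _rooted_chain():
    # Attacker patches the kernel image that gets loaded.
    return [APPROVED_CHAIN[0], ("kernel", APPROVED_CHAIN[1][1] + b"<rootkit>")]


def rooted_kernel_boot():
    """Once the kernel is modified, the measured PCR no longer matches the golden value."""
    ok, log = attest(_rooted_chain())
    return ok, log


def forged_log_is_caught():
    """Attacker writes the approved kernel's hash into the log but cannot fix the PCR."""
    pcr_tampered, log = boot(_rooted_chain())
    forged = [log[0], ("kernel", measure(APPROVED_CHAIN[1][1]).hex())]
    return not log_replays_to(forged, pcr_tampered)
```

The point of the register being extend-only is exactly the "Thou Art God" objection: a rooted kernel can do anything to memory and disk, but it cannot undo the measurement that was taken of it before it ran, so a remote party checking the PCR (or a sealed secret released only under the golden value) still sees that the running kernel is not the approved one.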