This isn't worked out enough to be a proof of concept, but I can imagine
a piece of code that has a comment This can't overflow because value X
computed from the magic bits table will always be between A and B. Get
0.1% speed boost by leaving out range check here but don't change magic
bits.
Ben Laurie writes:
Dan Kaminsky's recent posting seems to have caused some excitement, but
I really can't see why. In particular, the idea of having two different
executables with the same checksum has attracted attention.
But the only way I can see to exploit this would be to have code that
Ben Laurie writes:
Indeed, but what's the point? If you control the binary, just distribute
the malicious version in the first place.
Where this argument breaks down is that someone might have partial
but not total control over the binary. This partial control might
not be enough for them to
On Wed, 15 Dec 2004, Tim Dierks wrote:
Here's an example, although I think it's a stupid one, and agree with
[...]
I send you a binary (say, a library for doing AES encryption) which
you test exhaustively using black-box testing.
The black-box testing would obviously be the mistake. How can you
John Kelsey wrote:
So, to exploit this successfully, you need code that cannot or will
not be inspected. My contention is that any such code is untrusted
anyway, so being able to change its behaviour on the basis of
embedded bitmap changes is a parlour trick. You may as well have it
ping a website
Jay Sulzberger wrote:
On Tue, 14 Dec 2004, Ben Laurie wrote:
Ondrej Mikle wrote:
[snipped many assertions without supporting evidence that MD5 cracks
improve attacks]
So, to exploit this successfully, you need code that cannot or will not
be inspected. My contention is that any such code is
What CR does instead is much simpler and more direct. It tries to cut off
any player that has been used for mass piracy.
Let me get this right. ...
When a pirate makes a copy of a film encoded as SPDC, the output file is
cryptographically bound to a set of player decryption keys. So it is
For this discussion, I think we are missing the point here...
1. With a rogue binary distribution with correct hash, this is -at
least- a denial of service where the customer will install the rogue
binary and it will crash in the area that the information was changed.
MD5 based Tripwire will
* Victor Duchovni:
The third mode is quite common for STARTTLS with SMTP if I am not
mistaken. A one day sample of inbound TLS email has the following cipher
frequencies:
8221(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
6529(using TLSv1 with cipher
**Call For Papers**
DIMACS Workshop on Large-Scale Games
April 17 - 19, 2005
**Location: Evanston Campus, Northwestern University,
Evanston, Illinois**
Organizers:
Lance Fortnow,
http://online.wsj.com/article_print/0,,SB110348908376704197,00.html
The Wall Street Journal
December 20, 2004
Digipass Starts to Make a Mark
Vasco Enhances Online Security
As Web Banks Gain Popularity
By STEVE DE BONVOISIN
DOW JONES NEWSWIRES
December 20, 2004
BRUSSELS --
--- begin forwarded text
Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
Date: Tue, 21 Dec 2004 00:08:49 -0800 (PST)
From: Sarad AV [EMAIL PROTECTED]
Subject: Re: International meet on cryptology in Chennai
To: R.A. Hettinga [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
--- R.A.
Florian Weimer wrote:
Would you recommend to switch to /dev/urandom (which doesn't block if
the entropy estimate for the in-kernel pool reaches 0), and stick to
generating new DH parameters for each connection,
No, I wouldn't.
or ...
generate them once per day and use it for several connections?
On Dec 15, 2004, at 11:54, Taral wrote:
What stops someone using 3 players and majority voting on frame data
bits?
As I understand it, they use such a huge number of bits for marking,
that any reasonably-sized assembly of players will still coincide on
some marked bits.
(However, I very much
On Sun, Dec 19, 2004 at 05:24:59PM +0100, Florian Weimer wrote:
* Victor Duchovni:
The third mode is quite common for STARTTLS with SMTP if I am not
mistaken. A one day sample of inbound TLS email has the following cipher
frequencies:
8221(using TLSv1 with cipher
David Wagner wrote:
Ben Laurie writes:
Dan Kaminsky's recent posting seems to have caused some excitement, but
I really can't see why. In particular, the idea of having two different
executables with the same checksum has attracted attention.
But the only way I can see to exploit this would be
On Dec 22, 2004, at 8:53, R.A. Hettinga wrote:
Do we need a national ID card?
The comment period on NIST's draft FIPS-201 (written in very hasty
response to Homeland Security Presidential Directive HSPD-12) ends
tomorrow. The draft, as written, enables use of the card by Smart
IEDs and for
From: Ben Laurie [EMAIL PROTECTED]
Sent: Dec 22, 2004 12:24 PM
To: David Wagner [EMAIL PROTECTED]
Cc: cryptography@metzdowd.com
Subject: Re: The Pointlessness of the MD5 attacks
...
Assuming you could find a collision s.t. the resulting decryption looked
safe with one version and unsafe with the
* Victor Duchovni:
The Debian folks have recently stumbled upon a problem in this area:
Generating the ephemeral DH parameters is expensive, in terms of CPU
cycles, but especially in PRNG entropy. The PRNG part means that it's
not possible to use /dev/random on Linux, at least on servers.
On Wed, Dec 22, 2004 at 10:58:11AM -0600, Matt Crawford wrote:
On Dec 15, 2004, at 11:54, Taral wrote:
What stops someone using 3 players and majority voting on frame data
bits?
As I understand it, they use such a huge number of bits for marking,
that any reasonably-sized assembly of
So PGP are now running a pgp key server which attempts to consolidate
the information from the existing key servers, but screen it by
ability to receive email at the address.
So they send you an email with a link in it and you go there and it
displays your key userid, keyid, fingerprint and email
http://www.washingtontimes.com/functions/print.php?StoryID=20041220-103705-9177r
The Washington Times
www.washingtontimes.com
Border Patrol hails new ID system
By Jerry Seper
THE WASHINGTON TIMES
Published December 21, 2004
Border Patrol agents assigned to U.S. Customs and Border Protection