Isn't this what Rivest's "Chaffing and Winnowing" is all about?
http://theory.lcs.mit.edu/~rivest/chaffing.txt
Cheers, Scott
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hadmut Danisch
Sent: Thursday, May 26, 2005 5:51 PM
To: cryptography@metzdowd.com
On Sat, May 28, 2005 at 10:47:56AM -0700, James A. Donald wrote:
[..]
> With bank web sites, experience has shown that only 0.3%
> of users are deterred by an invalid certificate,
> probably because very few users have any idea what a
> certificate authority is, what it does, or why they
> shou
> -Original Message-
> Hadmut Danisch wrote:
>
> ...
> Plenty of research has been done about information hiding.
> But this special court case requires "algorithm hiding" as a kind of
> response. Do you know where to look for papers about this subject?
> ...
Here is the list that you can
"James A. Donald" <[EMAIL PROTECTED]> writes:
>With bank web sites, experience has shown that only 0.3% of users are
>deterred by an invalid certificate, probably because very few users have any
>idea what a certificate authority is, what it does, or why they should care.
James (and others): I re
HD> What about designing an algorithm good for encryption which someone
HD> can not prove to be an encryption algorithm?
Hmmm, but to do that one needs to have a good definition of 'encryption
algorithm' and perhaps also some other apparently fundamental terms. But
we have none, I am afraid ... at
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of James A. Donald
> Sent: Saturday, May 28, 2005 1:48 PM
>
> With bank web sites, experience has shown that only 0.3% of
> users are deterred by an invalid certificate, probably
> because very few users have any idea what a certif
- Forwarded message from David Farber <[EMAIL PROTECTED]> -
From: David Farber <[EMAIL PROTECTED]>
Date: Tue, 31 May 2005 08:17:59 -0400
To: Ip ip
Subject: [IP] Intel quietly embeds DRM in it's 945 chips firmware
X-Mailer: Apple Mail (2.730)
Reply-To: [EMAIL PROTECTED]
Begin forwarded
| Hi,
|
| you most probably have heard about the court case where the presence
| of encryption software on a computer was viewed as evidence of
| criminal intent.
|
| http://www.lawlibrary.state.mn.us/archive/ctappub/0505/opa040381-0503.htm
|
http://news.com.com/Minnesota+court+takes+dim+view+of
John, yes, I believe the Trojan ran on Windows. In fact, I just met my
kids schoolmaster, and turns out she was also a victim of that person -
already 3-4 years ago!!! Her daughter learned with his in the same
school, and apparently he got mad at them and started abusing them in
the most crazy
On Saturday 28 May 2005 18:47, James A. Donald wrote:
> Do we have any comparable experience on SSH logins?
> Existing SSH uses tend to be geek oriented, and do not
> secure stuff that is under heavy attack. Does anyone
> have any examples of SSH securing something that was
> valuable to the user
With bank web sites, experience has shown that only 0.3%
of users are deterred by an invalid certificate,
probably because very few users have any idea what a
certificate authority is, what it does, or why they
should care. (And if you have seen the experts debating
what a certificate autho
In message <[EMAIL PROTECTED]>, "James A. Donald" writes:
>--
>PKI was designed to defeat man in the middle attacks
>based on network sniffing, or DNS hijacking, which
>turned out to be less of a threat than expected.
>
First, you mean "the Web PKI", not PKI in general.
The next part of this i
On Thursday 26 May 2005 22:51, Hadmut Danisch wrote:
> Hi,
>
> you most probably have heard about the court case where the presence
> of encryption software on a computer was viewed as evidence of
> criminal intent.
>
> http://www.lawlibrary.state.mn.us/archive/ctappub/0505/opa040381-0503.htm
> htt
On Tue, May 31, 2005 at 02:45:56PM +0100, Ian G wrote:
> On Saturday 28 May 2005 18:47, James A. Donald wrote:
>
> > Do we have any comparable experience on SSH logins?
> > Existing SSH uses tend to be geek oriented, and do not
> > secure stuff that is under heavy attack. Does anyone
> > have an
"Heyman, Michael" <[EMAIL PROTECTED]> writes:
>In this situation, I believe that the users, through hard won experience with
>computers, _correctly_ assumed this was a false positive.
Probably not. This issue was discussed at some length on the hcisec list,
(security usability, http://groups.yah
Ed Gerck wrote:
Suppose you choose "A4RT" as your codeword. The codeword has no privacy
concern
(it does not identify you) and is dynamic -- you can change it at will,
if you
suspect someone else got it.
Compare with the other two identifiers that Citibank is using. Your full
name
is private
> John Saylor wrote:
> > hi
> >
> > ( 05.05.30 15:34 +0200 ) Amir Herzberg:
> >
> >>See more info e.g. at http://www.haaretz.com/hasen/spages/581790.html
> >
> >
> > an excellent tale [still unfolding]- no doubt coming to a bookstore or
> > movie theatre near you real soon.
> >
> > of course, it w
Adam Fields wrote:
Moreover, in my experience (as I've mentioned before on this list),
noticing an invalid certificate is absolutely useless if the banks
won't verify via another channel a) that it changed, b) what the new
value is or c) what the old value is.
I've tried. They won't/can't.
one
On Tuesday 31 May 2005 02:17, Steven M. Bellovin wrote:
> In message <[EMAIL PROTECTED]>, "James A. Donald" writes:
> >--
> >PKI was designed to defeat man in the middle attacks
> >based on network sniffing, or DNS hijacking, which
> >turned out to be less of a threat than expected.
>
> First,
James A. Donald wrote:
PKI was designed to defeat man in the middle attacks
based on network sniffing, or DNS hijacking, which
turned out to be less of a threat than expected.
asymmetric cryptography has a pair of keys ... the other of the key-pair
decodes what has been encoding by one of them
In message <[EMAIL PROTECTED]>, Ian G writes:
>On Tuesday 31 May 2005 02:17, Steven M. Bellovin wrote:
>> In message <[EMAIL PROTECTED]>, "James A. Donald" writes:
>> >--
>> >PKI was designed to defeat man in the middle attacks
>> >based on network sniffing, or DNS hijacking, which
>> >turned o
Ian G <[EMAIL PROTECTED]> writes:
> On Tuesday 31 May 2005 02:17, Steven M. Bellovin wrote:
>> The next part of this is circular reasoning. We don't see network
>> sniffing for credit card numbers *because* we have SSL.
>
> I think you meant to write that James' reasoning is
> circular, but stran
Bank of America is adopting some new schemes that might help. First,
they're asking users to select a picture the user selected at
registration time. The theory is presumably that a phishing site won't
have the right image for you. Second, you can "register" your
computer; if your account is
Steven M. Bellovin wrote:
Given the prevalance of password sniffers as early as 1993, and given
that credit card number sniffing is technically easier -- credit card
numbers will tend to be in a single packet, and comprise a
self-checking string, I stand by my statement.
the major exploits ha
Steven M. Bellovin wrote:
Bank of America is adopting some new schemes that might help. First,
they're asking users to select a picture the user selected at
registration time. The theory is presumably that a phishing site won't
have the right image for you. Second, you can "register" your
c
Steven M. Bellovin wrote:
Bank of America is adopting some new schemes that might help. First,
they're asking users to select a picture the user selected at
registration time. The theory is presumably that a phishing site won't
have the right image for you. Second, you can "register" your
c
just for the heck of it ... something today more from the physical world
ATM scams added to GASA’s fraud library
http://www.atmmarketplace.com/news_story_23307.htm
CAPE TOWN, South Africa and BROOKINGS, S.D. — The ATM Industry
Association's Global ATM Security Alliance launched its online libra
oops, sorry, forgot to include this one
Hong Kong banks to introduce two-factor authentication for online
transactions
http://www.finextra.com/fullstory.asp?id=13744
Banks in Hong Kong are set to introduce two-factor authentication
services to the country's 2.7 million Internet banking custom
On Tuesday 31 May 2005 21:03, Perry E. Metzger wrote:
> Ian G <[EMAIL PROTECTED]> writes:
> > On Tuesday 31 May 2005 02:17, Steven M. Bellovin wrote:
> >> The next part of this is circular reasoning. We don't see network
> >> sniffing for credit card numbers *because* we have SSL.
> >
> > I think
Ed Gerck wrote:
Also, in an effort to make their certs more valuable, CAs have made
digitally
signed messages imply too much -- much more than they warrant or can
even represent.
There are now all sorts of legal implications tied to PKI signatures, in
my opinion
largely exagerated and casuisti
Ian G <[EMAIL PROTECTED]> writes:
>> Perhaps you are unaware of it because no one has chosen to make you
>> aware of it. However, sniffing is used quite frequently in cases where
>> information is not properly protected. I've personally dealt with
>> several such situations.
>
> This leads to a bi
31 matches
Mail list logo