two-person login?

2008-01-29 Thread John Denker
Hi Folks -- I have been asked to opine on a system that requires a two-person login. Some AIX documents refer to this as a common method of increasing login security http://www.redbooks.ibm.com/redbooks/pdfs/sg245962.pdf However, I don't think it is very common; I get only five hits from

Earliest indication of Prime numbers

2008-01-29 Thread [EMAIL PROTECTED]
From a fun article on the history of computing http://www.neatorama.com/2008/01/25/the-wonderful-world-of-early-computing The 20,000-year-old bone revealed that early civilization had mastered arithmetic series and even the concept of prime numbers. This predates the Egyptian and

Re: Dutch Transport Card Broken

2008-01-29 Thread Ivan Krstić
On Jan 25, 2008, at 4:27 PM, Perry E. Metzger wrote: However, you should be very skeptical when someone claims that they need to use a home grown crypto algorithm or that they need to use a home grown protocol instead of a well proven one. I'm beginning to suspect that more often than

Re: two-person login?

2008-01-29 Thread The Fungi
On Mon, Jan 28, 2008 at 03:56:11PM -0700, John Denker wrote: [...] I don't think it is very common; I get only five hits from http://www.google.com/search?q=two-person-login [...] Try searching for secret splitting instead. From the foregoing, you might conclude that the two-person login

Gutmann Soundwave Therapy

2008-01-29 Thread Perry E. Metzger
Clearly, more people need to know about Gutmann Soundwave Therapy. Ivan Krstić [EMAIL PROTECTED] writes: [...] but nowadays I ask that they Google the famous Gutmann Sound Wave Therapy[0] and mail me afterwards. I've never heard back. [0] Last paragraph,

Re: two-person login?

2008-01-29 Thread mark seiden-via mac
another term you might look for (used in physical security and financial controls) is dual custody or sometimes double custody. (if you're searching, add -child or security for better search quality) i don't see why the analogies are not apt. one question is whether the two people can

RE: Dutch Transport Card Broken

2008-01-29 Thread Crawford Nathan-HMGT87
Why require contactless in the first place? Is swiping one's card, credit-card style too difficult for the average user? I'm thinking two parallel copper traces on the card could be used to power it for the duration of the swipe, with power provided by the reader. Why, in a billion-dollar

Re: two-person login?

2008-01-29 Thread Ian G
John Denker wrote: We need to talk about threat models: a) The purveyors of the system in question don't have any clue as to what their threat model is. I conjecture that they might be motivated by the non-apt analogies itemized above. b) In the system in question, there are myriad

Re: two-person login?

2008-01-29 Thread Nicolas Williams
On Tue, Jan 29, 2008 at 06:34:29PM +, The Fungi wrote: On Mon, Jan 28, 2008 at 03:56:11PM -0700, John Denker wrote: So now I throw it open for discussion. Is there any significant value in two-person login? That is, can you identify any threat that is alleviated by two-person login,

Re: two-person login?

2008-01-29 Thread John Denker
On 01/29/2008 11:34 AM, The Fungi wrote: I don't think it's security theater at all, as long as established procedure backs up this implementation in a sane way. For example, in my professional life, we use this technique for committing changes to high-priority systems. Procedure is that two

Re: Dutch Transport Card Broken

2008-01-29 Thread Harald Koch
Crawford Nathan-HMGT87 wrote: Why require contactless in the first place? Is swiping one's card, credit-card style too difficult for the average user? As compared to slapping your wallet on the reader? yes. I swipe my Visa / debit / Tim Horton's cards regularly. With the plethora of bad

Re: Dutch Transport Card Broken

2008-01-29 Thread Perry E. Metzger
Harald Koch [EMAIL PROTECTED] writes: Crawford Nathan-HMGT87 wrote: Why require contactless in the first place? Is swiping one's card, credit-card style too difficult for the average user? As compared to slapping your wallet on the reader? yes. I swipe my Visa / debit / Tim Horton's

Re: two-person login?

2008-01-29 Thread The Fungi
On Tue, Jan 29, 2008 at 03:37:26PM -0600, Nicolas Williams wrote: I think you missed John's point, which is that two-person *login* says *nothing* about what happens once logged in -- logging in enables arbitrary subsequent transactions that may not require two people to acquiesce. Certainly,

US reforming export controls

2008-01-29 Thread Steven M. Bellovin
The Bush administration is reforming the way export controls are administered; see http://www.fas.org/blog/ssp/2008/01/bush_administration_unveils_ne.php It's too soon to know if crypto will be affected; certainly, it's something to watch. --Steve Bellovin,

Re: two-person login?

2008-01-29 Thread Philipp Gühring
Hi, I have been asked to opine on a system that requires a two-person login. Some AIX documents refer to this as a common method of increasing login security http://www.redbooks.ibm.com/redbooks/pdfs/sg245962.pdf I would like to have a two-person remote login: The server is in the

Re: Dutch Transport Card Broken

2008-01-29 Thread James A. Donald
Ivan Krstic' wrote: Some number of these muppets approached me over the last couple of years offering to donate a free license for their excellent products. I used to be more polite about it, but nowadays I ask that they Google the famous Gutmann Sound Wave Therapy[0] and mail me

Beating Colossus: an interview with Joachim Schueth

2008-01-29 Thread Sean McGrath
http://www.netbsd.org/gallery/schueth-interview.html Beating Colossus: an interview with Joachim Schueth Joachim Schueth has beaten a reconstruction of the famous Colossus Mark II code breaking machine in November 2007. The Colossus computers were used in World War II to break the German