RE: Intel plans crypto-walled-garden for x86

2010-09-15 Thread ian.farquhar
I'd call this news announcement about Intel creating a run known good code facility about as credible as the joke that Otellini told his minions to go buy a copy of McAfee, and they didn't hear the copy of part. Noone will tolerate an Intel-moderated walled garden. Only Apple has customers

Re: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

2010-09-15 Thread Peter Gutmann
Tom Ritter writes: What's weird is I find confusing literature about what *is* the default for protecting the viewstate. I still haven't seen the paper/slides from the talk so it's a bit hard to comment on the specifics, but if you're using .NET's FormsAuthenticationTicket (for

Re: Debian encouraging use of 4096 bit RSA keys

2010-09-15 Thread Werner Koch
On Tue, 14 Sep 2010 17:01, said: I'd appreciate some input from this list about the Debian bias towards 4096 RSA main keys, instead of DSA2 (3072-bit) keys. Is it justified? We have made RSA the default in GnuPG for three reasons: First, DSA 1024 is only supported by more

Re: Hashing algorithm needed

2010-09-15 Thread Ben Laurie
On 15/09/2010 00:26, Nicolas Williams wrote: On Tue, Sep 14, 2010 at 03:16:18PM -0500, Marsh Ray wrote: How do you deliver Javascript to the browser securely in the first place? HTTP? I'll note that Ben's proposal is in the same category as mine (which was, to remind you, implement SCRAM in

Re: Hashing algorithm needed

2010-09-15 Thread Ben Laurie
On 14/09/2010 21:16, Marsh Ray wrote: On 09/14/2010 09:13 AM, Ben Laurie wrote: Demo here: This Connection is Untrusted So? It's a demo. -- There is no limit to what a man can do or

Re: Haystack redux

2010-09-15 Thread Jacob Appelbaum
On 09/14/2010 09:57 AM, Steve Weis wrote: There have been significant developments around Haystack since the last message on this thread. Jacob Applebaum obtained a copy and found serious vulnerabilities that could put its users at risk. He convinced Haystack to immediately suspend operations.

Re: Haystack redux

2010-09-15 Thread Jim Youll
On Sep 15, 2010, at 6:16 AM, Jacob Appelbaum wrote: An interesting unintended consequence of the original media storm is that no one in the media enjoys being played; it seems that now most of the original players are lining up to ask hard questions. It may be too little and too late,

A mighty fortress is our PKI, Part III

2010-09-15 Thread Peter Gutmann
Some more amusing anecdotes from the world of PKI: - A standard type of fraud that's been around for awhile is for scammers to set up an online presence for a legit offline business, which appears to check out when someone tries to verify it. A more recent variation on this is to buy certs

Re: Haystack redux

2010-09-15 Thread Adam Fields
On Wed, Sep 15, 2010 at 03:16:34AM -0700, Jacob Appelbaum wrote: [...] What Steve has written is mostly true - though I was not working alone, we did it in an afternoon. It took quite a bit of effort to get Haystack to take this seriously. Eventually, there was an internal mutiny because of a

Re: A mighty fortress is our PKI, Part III

2010-09-15 Thread Andy Steingruebl
On Wed, Sep 15, 2010 at 8:39 AM, Peter Gutmann wrote: Some more amusing anecdotes from the world of PKI: Peter, Not to be too contrary (though at least a little) - not all of these are really PKI failures are they? - There's malware out there that pokes fake Verisign