Re: New toy: SSLbar

2003-06-30 Thread Adam Fields
to verify a cert? I've done an informal survey of a few financial institutions whose sites use SSL, and the number of them that were able to provide me with a fingerprint over the phone was exactly zero. -- - Adam - Adam Fields, Managing Partner, [EMAIL PROTECTED

Re: voting, KISS, etc.

2004-04-09 Thread Adam Fields
On Fri, Apr 09, 2004 at 12:46:47PM -0400, Perry E. Metzger wrote: I think that those that advocate cryptographic protocols to ensure voting security miss the point entirely. [...] I'm a technophile. I've loved technology all my life. I'm also a security professional, and I love a good

Re: Yahoo releases internet standard draft for using DNS as public key server

2004-05-26 Thread Adam Fields
On Thu, May 20, 2004 at 10:07:43AM -0400, R. A. Hettinga wrote: [...] yahoo draft internet standard for using DNS as a public key server This sounds quite a lot like the ideas outlined in a paper I co-authored in 1995,

Re: Yahoo releases internet standard draft for using DNS as public key server

2004-05-28 Thread Adam Fields
On Fri, May 28, 2004 at 03:20:52PM -0400, [EMAIL PROTECTED] wrote: [...] How soon will the spammers get into the business of hosting free mailboxes for people who actually buy spamvertized products. Much easier to send the spam to their own users, let them indicate their preferences, set up

Re: Article on passwords in Wired News

2004-06-06 Thread Adam Fields
On Sat, Jun 05, 2004 at 10:06:20AM +0530, Udhay Shankar N wrote: Citibank in India experimented with a special case of this a few years ago - online credit cards - basically, a credit card number valid for one use only, which would be ideal for online purchasing. IIRC, the offering was

Passwords can sit on disk for years

2004-06-07 Thread Adam Fields
Tal Garfinkel (related to Simpson?) is a Stanford PHD student who has put together a working model for tracking tainted data stored in RAM in various popular applications. This is the first mention I've seen of this - interesting stuff.

Re: A cool demo of how to spoof sites (also shows how TrustBar preventsthis...)

2005-02-16 Thread Adam Fields
On Thu, Feb 10, 2005 at 06:24:46PM -0500, Steven M. Bellovin wrote: [...] One member of this mailing list, in a private exchange, noted that he had asked his bank for their certificate's fingerprint. My response was that I was astonished he found someone who knew what he was talking about.

Re: Encryption plugins for gaim

2005-03-20 Thread Adam Fields
On Tue, Mar 15, 2005 at 12:54:19PM -0600, Peter Saint-Andre wrote: Why not help us make Jabber/XMPP more secure, rather than overloading AIM? With AIM/MSN/Yahoo your account will always exist at the will of Unfortunately, I already have a large network of people who use AIM, and they all each

Re: Encryption plugins for gaim

2005-03-20 Thread Adam Fields
On Tue, Mar 15, 2005 at 02:47:35PM -0500, Ian Goldberg wrote: this is actually a very good solution for me. The only thing I don't like about it is that it stores the private key on your machine. I understand why that is, but it also means that if you switch machines with the same login

Re: Citibank discloses private information to improve security

2005-05-31 Thread Adam Fields
On Sat, May 28, 2005 at 10:47:56AM -0700, James A. Donald wrote: [..] With bank web sites, experience has shown that only 0.3% of users are deterred by an invalid certificate, probably because very few users have any idea what a certificate authority is, what it does, or why they should

Re: Why Blockbuster looks at your ID.

2005-07-08 Thread Adam Fields
On Fri, Jul 08, 2005 at 12:19:38PM -0400, Perry E. Metzger wrote: [...] Actually, the people who would have to pay the investment -- the banks and merchants -- have an excellent incentive. The loss because of fraud is stunningly large. The real issue is that *consumers* have little incentive

Re: New Credit Card Scam (fwd)

2005-07-11 Thread Adam Fields
On Mon, Jul 11, 2005 at 09:37:36PM +, Jason Holt wrote: I remember the first time a site asked for the number on the back of my credit card. It was a Walmart or Amazon purchase, and with no warning they redirected me to some site with a questionable domain. I thought for sure my

Re: spyware targets bank customers. news at 11.

2005-08-10 Thread Adam Fields
On Wed, Aug 10, 2005 at 04:11:31PM +0200, Florian Weimer wrote: * Perry E. Metzger: A major identity theft ring has been discovered that affects up to 50 banks, according to Sunbelt Software, the security company that says it uncovered the operation. The operation, which is

Re: NY Times article on biometrics and border control

2005-08-10 Thread Adam Fields
On Wed, Aug 10, 2005 at 01:24:07PM -0400, Perry E. Metzger wrote: Thought this would be of some interest. Unfortunately, the article will not be visible after a few days, thanks to the NY Times' policies, and can only be viewed if you register. :( WASHINGTON | August 10, 2005 Hurdles

Re: A small editorial about recent events.

2005-12-21 Thread Adam Fields
On Sun, Dec 18, 2005 at 07:55:57PM -0500, Steven M. Bellovin wrote: [...] The Court also noted that Congress rejected an amendment which would have authorized such governmental seizures in cases of emergency. Given that the Patriot Act did amend various aspects of the wiretap statute, it's

Re: thoughts on one time pads

2006-01-27 Thread Adam Fields
On Thu, Jan 26, 2006 at 06:09:52PM -0800, bear wrote: [...] Of course, the obvious application for this OTP material, other than text messaging itself, is to use it for key distribution. Perhaps I missed something, but my impression was that the original post asked about how a CD full of

Re: Greek officials were tapped using law enforcement back door

2006-03-23 Thread Adam Fields
On Thu, Mar 23, 2006 at 09:30:30AM -0500, Perry E. Metzger wrote: A while ago, you may recall that members of the Greek government were wiretapped, and at the time, I speculated that the bad guys may have abused the built in CALEA software in the switch to do it. Well, it now appears that that

Re: Interesting bit of a quote

2006-07-11 Thread Adam Fields
On Tue, Jul 11, 2006 at 01:02:27PM -0400, Leichter, Jerry wrote: [...] Business ultimately depends on trust. There's some study out there - I don't recall a reference - that basically finds that the level of trust is directly related to the level of economic success of an economy. There are

Re: Designing and implementing malicious hardware

2008-04-26 Thread Adam Fields
On Sat, Apr 26, 2008 at 02:33:11AM -0400, Karsten Nohl wrote: [...] Assuming that hardware backdoors can be build, the interesting question becomes how to defeat against them. Even after a particular triggering string is identified, it is not clear whether software can be used to detect

Exploiting network card firmware

2008-05-22 Thread Adam Fields
I didn't see Ben forward this himself, but it's definitely relevant to the discussion of malware hiding in hardware: Without needlessly boring everyone with the various steps allow me to share an interesting observation: drivers often assume the hardware is misbehaved but never malicious. It is

Re: Voting machine security

2008-08-19 Thread Adam Fields
On Mon, Aug 18, 2008 at 10:16:02AM -0700, Paul Hoffman wrote: [...] Essentially no one would argue that is is quite expensive. I suspect that nearly everyone in the country would be happy to pay an additional $1/election for more reliable results. Without seeing all of the expense (and

Re: NSA offering 'billions' for Skype eavesdrop solution

2009-02-14 Thread Adam Fields
On Fri, Feb 13, 2009 at 11:24:35AM -0500, Steven M. Bellovin wrote: Counter Terror Expo: News of a possible viable business model for P2P VoIP network Skype emerged today, at the Counter Terror Expo in London. An industry source disclosed that America's supersecret National Security Agency

Re: Judge orders defendant to decrypt PGP-protected laptop

2009-03-03 Thread Adam Fields
On Tue, Mar 03, 2009 at 12:26:32PM -0500, Perry E. Metzger wrote: Quoting: A federal judge has ordered a criminal defendant to decrypt his hard drive by typing in his PGP passphrase so prosecutors can view the unencrypted files, a ruling that raises serious concerns about

Re: Judge orders defendant to decrypt PGP-protected laptop

2009-03-03 Thread Adam Fields
On Tue, Mar 03, 2009 at 01:20:22PM -0500, Perry E. Metzger wrote: Adam Fields writes: The privacy issues are troubling, of course, but it would seem trivial to bypass this sort of compulsion by having the disk encryption software allow multiple passwords

Re: FileVault on other than home directories on MacOS?

2009-09-22 Thread Adam Fields
On Mon, Sep 21, 2009 at 04:57:56PM -0400, Steven Bellovin wrote: Is there any way to use FileVault on MacOS except on home directories? I don't much want to use it on my home directory; it doesn't play well with Time Machine (remember that availability is also a security property);

Best practices for storing and using 3rd party passwords?

2010-07-09 Thread Adam Fields
I'm looking for a best practices guide (for a system architecture) or case studies for how best to handle storing and using 3rd party passwords. Specifically, I'm interested in the case where a program or service needs to store a password in such a way that it can be used (presented to another

Re: Five Theses on Security Protocols

2010-08-02 Thread Adam Fields
On Sat, Jul 31, 2010 at 12:32:39PM -0400, Perry E. Metzger wrote: [...] 3 Any security system that demands that users be educated, i.e. which requires that users make complicated security decisions during the course of routine work, is doomed to fail. [...] I would amend this to say which

Re: GSM eavesdropping

2010-08-02 Thread Adam Fields
On Mon, Aug 02, 2010 at 04:55:04PM +0100, Adrian Hayter wrote: In a related story, hacker Chris Paget created his own cell-phone base station that turned off encryption on all devices connecting to it. The station then routes the calls through VoIP.

Re: Haystack redux

2010-09-15 Thread Adam Fields
On Wed, Sep 15, 2010 at 03:16:34AM -0700, Jacob Appelbaum wrote: [...] What Steve has written is mostly true - though I was not working alone, we did it in an afternoon. It took quite a bit of effort to get Haystack to take this seriously. Eventually, there was an internal mutiny because of a

Re: [Cryptography] Today's XKCD is on password strength.

2011-08-10 Thread Adam Fields
On Aug 10, 2011, at 10:12 AM, Perry E. Metzger wrote: Today's XKCD is on password strength. The advice it gives is pretty good in principle... You still need a password manager to remember which of the dozens of easily-remembered passwords you used, so you might as