Re: Re: Encrypted Virtual Drives

2003-07-08 Thread John Ioannidis
Or you can run vmware under XP, run NetBSD under vmware, use CGD, and export it back to windows with samba. It's sick, but I know of at least one person who is doing this, and he says the performance is acceptable (on his 1+ GHz laptop). /ji

Bamford on the NSA and the Greek mobile phone tapping scandal

2006-05-13 Thread John Ioannidis
As some of you may remember, there was a scandal in Greece back in February 2006 involving the interception of mobile phones belonging to high-level government officials, including the Prime Minister. The CALEA software on the Ericsson switches used by Vodafone was blamed; it had apparently been

Re: Crypto hardware with secure key storage

2006-05-22 Thread John Ioannidis
Speaking of bulk encryption cards... does the linux 2.6 kernel support any? There is a reference to a crypto framework in the configuration menus, but as is typical of linux, there are no man pages or other documentation related to it, and I don't feel like reading source code.

Re: skype not so anonymous...

2006-09-04 Thread John Ioannidis
Although in this case it's obviously the man's stupidity using an instant messenger with his old virtual identity that got him tracked down. No one For that matter, he could just have gotten a phonecard and used a payphone. Wearing sunglasses, a wig and a false beard while limping to and

Re: cellphones as room bugs

2006-12-03 Thread John Ioannidis
On Sat, Dec 02, 2006 at 10:21:57AM -0500, Perry E. Metzger wrote: Quoting: The FBI appears to have begun using a novel form of electronic surveillance in criminal investigations: remotely activating a mobile phone's microphone and using it to eavesdrop on nearby conversations.

Re: cellphones as room bugs

2006-12-04 Thread John Ioannidis
On Sun, Dec 03, 2006 at 09:26:15PM -0600, Taral wrote: That's the same question I have. I don't remember seeing anything in the GSM standard that would allow this either. I'll hazard a guess: mobile providers can send a special type of message (not sure if it would be classed as an SMS) with

SSL (https, really) accelerators for Linux/Apache?

2007-01-02 Thread John Ioannidis
There is too much conflicting information out there. Can someone please recommend an SSL accelerator board that they have personally tested and used, that works with the 2.6.* kernels and the current release of OpenSSL, and is actually an *accelerator* (I've used a board from a certain otherwise

Re: Banking Follies

2007-01-14 Thread John Ioannidis
Citibank send me periodic reminders to switch to an electronic-only statement so that I am better protected against identity theft. John Cleese saying explain the logic underlying this conclusion in the cheese shop sketch comes to mind... The return address for the email message, although

Re: Banking Follies

2007-01-16 Thread John Ioannidis
On Sun, Jan 14, 2007 at 03:31:22PM -0500, Steven M. Bellovin wrote: On Sat, 13 Jan 2007 18:26:52 -0500 John Ioannidis [EMAIL PROTECTED] wrote: Citibank send me periodic reminders to switch to an electronic-only statement so that I am better protected against identity theft. The advice

Re: some thoughts about Oracle's security breach (by SAP)

2007-03-23 Thread John Ioannidis
occured in late November 2006, and the litigation is starting less than four months later. /ji -- John Ioannidis | Packet GENERAL Networks, Inc. [EMAIL PROTECTED] | http://www.packetgeneral.com/ - The Cryptography Mailing List

IBM Lost Tape(s)

2007-06-09 Thread John Ioannidis
Apparently, last February IBM lost some tapes with employee data. Yesterday, I received a notification from them, which I scanned and put (slightly redacted) in http://www.tla.org/private/ibmloss1.pdf for your amusement. Now, I haven't worked for IBM in a long time, and since then I have moved

Re: How the Greek cellphone network was tapped.

2007-07-08 Thread John Ioannidis
silvio wrote: Aren't run-of-the-mill cellphones these days powerful enough to use available software like OpenSSL to encrypt voice/datastreams? Again...what are the options for end-to-end cell encryption right now? Mobile phones have had spare cycles for doing strong crypto for a very long

Re: How the Greek cellphone network was tapped.

2007-07-10 Thread John Ioannidis
Florian Weimer wrote: It's also an open question whether network operators subject to interception requirements can legally offer built-in E2E encryption capabilities without backdoors. You probably meant device vendors, not network operators. The whole *point* of E2E security is that

Re: Lack of fraud reporting paths considered harmful.

2008-01-26 Thread John Ioannidis
Perry E. Metzger wrote: That's not practical. If you're a large online merchant, and your automated systems are picking up lots of fraud, you want an automated system for reporting it. Having a team of people on the phone 24x7 talking to your acquirer and reading them credit card numbers over

Re: House o' Shame: Amtrak

2008-02-15 Thread John Ioannidis
Not just Amtrak. The Economist and The New Yorker both do the same thing. I tried engaging them in a discussion on the subject. The Economist never replied, whereas the New Yorker assured me that those addresses were indeed theirs. I haven't figured out how to get past the clueless people

Just update the microcode (was: Re: defending against evil in all layers of hardware and software)

2008-04-28 Thread John Ioannidis
Intel and AMD processors can have new microcode loaded to them, and this is usually done by the BIOS. Presumably there is some asymmetric crypto involved with the processor doing the signature validation. A major power that makes a good fraction of the world's laptops and desktops (and hence

Re: Just update the microcode (was: Re: defending against evil in all layers of hardware and software)

2008-04-29 Thread John Ioannidis
truly trust. - Alex That we agree on! /ji - Original Message - From: John Ioannidis [EMAIL PROTECTED] To: Cryptography cryptography@metzdowd.com Subject: Just update the microcode (was: Re: defending against evil in all layers of hardware and software) Date: Mon, 28 Apr 2008 18:16:12

Re: Ransomware

2008-06-09 Thread John Ioannidis
Leichter, Jerry wrote: Computerworld reports: http://www.computerworld.com/action/article.do?command=viewArticleBasicarticleId=9094818 This is no different than suffering a disk crash. That's what backups are for. /ji PS: Oh, backups you say.

Re: survey of instant messaging privacy

2008-06-09 Thread John Ioannidis
Perry E. Metzger wrote: Also from Declan McCullagh today, a full survey of instant message service security: http://news.cnet.com/8301-13578_3-9962106-38.html?part=rsstag=feedsubj=TheIconoclast Interesting. Of course, with the possible exception of Skype, only the over-the-network part of

Re: security questions

2008-08-07 Thread John Ioannidis
Does anyone know how this security questions disease started, and why it is spreading the way it is? If your company does this, can you find the people responsible and ask them what they were thinking? My theory is that no actual security people have ever been involved, and that it's just

Re: security questions

2008-08-08 Thread John Ioannidis
[EMAIL PROTECTED] wrote: John Ioannidis wrote: | Does anyone know how this security questions disease started, and why | it is spreading the way it is? If your company does this, can you find | the people responsible and ask them what they were thinking? The answer is Help Desk Call

Voting machine security

2008-08-15 Thread John Ioannidis
This just about sums it up: http://xkcd.com/463/ /ji - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: Activation protocol for tracking devices

2009-03-02 Thread John Ioannidis
As it has been pointed out numerous times on this and other places, this is a singularly bad idea. The crypto isn't even the hardest part (and it's hard enough). Just don't do it. If you are going to spend your energy on anything, it should be to work against such a plan. /ji

Re: consulting question....

2009-05-27 Thread John Ioannidis
If you've already explained to them that what they are trying to do is both impossible and pointless, and they still want your consulting services, take as much of their money as you can and don't feel bad about it! Maybe you can get some more people on this list hired, too :) /ji

Re: consulting question.... (DRM)

2009-05-30 Thread John Ioannidis
John Gilmore wrote: ... PPS: On a consulting job one time, I helped my customer patch out the license check for some expensive Unix circuit simulation software they were running. They had bought a faster, newer machine and wanted to run it there instead of on the machine they'd bought the

Re: Against Rekeying

2010-03-25 Thread John Ioannidis
I think the problem is more marketing and less technology. Some marketoid somewhere decided to say that their product supports rekeying (they usually call it key agility). Probably because they read somewhere that you should change your password frequently (another misconception, but that's

Location services risks (was: Re: Spy/Counterspy)

2010-07-11 Thread John Ioannidis
Location-based services are already being used for dating services (big surprise here). Mobiles send their location to a server, the server figures out who is near whom, and matches them. There are lots of variants on that. An obvious risk here is that the server is acting as a location

Re: Fw: [IP] Malware kills 154

2010-08-23 Thread John Ioannidis
On 8/23/2010 5:17 PM, Thierry Moreau wrote: Commercial avionics certification looks like the most demanding among industrial sectors requiring software certification (public transportation, high energy incl. nuclear, medical devices, government IT security in some countries, electronic