| U.S. law generally requires that stolen goods be returned to the
| original owner without compensation to the current holder, even if
| they had been purchased legitimately (from the thief or his agent) by
| an innocent third party.
This is incorrect. The law draws a distinction between
On Tue, 15 Nov 2005, Perry E. Metzger wrote:
| Does the tension between securing one's own communications and
| breaking an opponent's communications sometimes drive the use of COMSEC
| gear that may be too close to the edge for comfort, for fear of
| revealing too much about more secure methods?
| In many cases, the observed time depends both on the input and on some
| other random noise. In such cases, averaging attacks that use the same
| input over and over again will continue to work, despite the use of
| a pseudorandom input-dependent delay. For instance, think of a timing
|
| Why do you need to separate f from f+d? The attack is based on a timing
| variation that is a function of k and x, that's all. Think of it this
| way:
| Your implementation with the new d(k,x) added in is indistinguishable,
| in externally visible behavior, from a *different* implementation
| ...basically, there was supposed to be a binding between the URL the user
| typed in, the domain name in the URL, the domain name in the digital
| certificate, the public key in the digital certificate and something
| that certification authorities do. this has gotten terribly obfuscated
| and
| Hi,
| Apologies if this has been asked before.
|
| The company I work for has been asked to prove the randomness of a random
| number generator. I assume they mean a PRNG, but knowing my employer it
| could be anything.. I've turned the work down on the basis of having
| another gig that week.
| You know, I'd wonder how many people on this
| list use or have used online banking.
|
| To start the ball rolling, I have not and won't.
Until a couple of months ago, I avoided doing anything of this sort at all.
Simple reasoning: If I know I never do any financial stuff on-line, I can
| There's another definition of randomness I'm aware of, namely that the
| bits are derived from independent samples taken from some sample space
| based on some fixed probability distribution, but that doesn't seem
| relevant unless you're talking about a HWRNG. As another poster
| pointed out,
[From Computerworld - see
http://www.computerworld.com/securitytopics/security/story/0,10801,106832,00.html?source=NLT_PMnid=106832
]
Security firm detects IM bot that chats with you
Bot replies with messages such as 'lol no its
not its a virus'
On Mon, 12 Dec 2005, Steve Furlong wrote:
| My question is, what is the layperson supposed to do, if they must use
| crypto and can't use an off-the-shelf product?
|
| When would that be the case?
|
| The only defensible situations I can think of in which a
| non-crypto-specialist programmer
| 2) the vast majority of e-commerce sites did very few number of
| transactions each. this was the market segment involving e-commerce
| sites that aren't widely known and/or represents first time business. it
| is this market segment that is in the most need of trust establishment;
| however, it
| Imagine an E-commerce front end: Instead of little-guy.com buying a cert
| which you are supposed to trust, they go to e-commerce.com and pay for a
| link. Everyone trusts e-commerce.com and its cert. e-commerce provides a
| guarantee of some sort to customers who go through it, and
| | But is what they are doing wrong?
| |
| | The users? No, not really, in that given the extensive conditioning that
| | they've been subject to, they're doing the logical thing, which is not paying
| | any attention to certificates. That's why I've been taking the (apparently
| | somewhat
| 18 USC 2702(c) says
|
| A provider described in subsection (a) may divulge a record or
| other information pertaining to a subscriber to or customer of
| such service (not including the contents of communications
| covered by subsection (a)(1) or (a)(2)) ...
|
|
| Even though triple-DES is still considered to have avoided that
| trap, its relatively small block size means you can now put the
| entire decrypt table on a dvd (or somesuch, I forget the maths).
|
|
| This would need 8 x 2^{64} bytes of storage which is approximately
| 2,000,000,000
| From what I understand simple quantum computers can easily brute-force
| attack RSA keys or other
| types of PK keys.
|
| My understanding is that quantum computers cannot easily do anything.
|
|
| Au contraire, quantum computers can easily perform prime factoring or
| perform
| I'm fairly ignorant of quantum computers,
I'm no expert myself. I can say a few things, but take them with a grain of
salt.
| having had the opportunity
| to see Shor lecture at a local university but unfortunately finding
| myself quickly out of my
[CD destruction]
| You missed the old standby - the microwave oven.
|
| The disk remains physically intact (at least after the
| 5 seconds or so I've tried), but a great deal of pretty
| arcing occurs in the conductive data layer. Where the
| arcs travel, the data layer is vapourized.
|
| The
From a description of the Imperva SecureSphere technology. Imperva makes
firewalls that can look inside SSL sessions:
SSL Security that Maintains Non-Repudiation
SecureSphere can inspect the contents of both HTTP and HTTPS
(SSL) traffic. SecureSphere delivers higher
| I disagree strongly here. Any code which detects an impossible state
| or an error clearly due to a programming error by the caller should
| die as soon as possible.
|
| That is a remarkably unprofessional suggestion. I hope the people
| who write software for autopilots, pacemakers,
DHS: Sony rootkit may lead to regulation
U.S. officials aim to avoid future security threats caused by copy protection software
News Story by Robert McMillan
FEBRUARY 16, 2006 (IDG NEWS SERVICE) - A U.S. Department of Homeland Security
official warned today that if software distributors
Does anyone have an idea of what this is about? (From Computerworld):
-- Jerry
FEBRUARY 23, 2006 (NETWORK WORLD) - A University of Toronto professor
and researcher has demonstrated for the first time a new technique for
safeguarding data
I was tearing up some old credit card receipts recently - after all
these years, enough vendors continue to print full CC numbers on
receipts that I'm hesitant to just toss them as is, though I doubt there
are many dumpster divers looking for this stuff any more - when I found
a great example of
| Anyone see a reason why the digits of Pi wouldn't form an excellent
| public large (infinite, actually) string of random bits?
|
| There's even an efficient digit-extraction (a/k/a random access to
| fractional bits) formula, conveniently base 16:
| http://mathworld.wolfram.com/BBPFormula.html
| Let me rephrase my sequence. Create a sequence of 256 consecutive
| bytes, with the first byte having the value of 0, the second byte the
| value of 1, ... and the last byte the value of 255. If you measure
| the entropy (according to Shannon) of that sequence of 256 bytes, you
| have
PayPad (www.paypad.com) is an initiative that seems to have JPMorganChase
Chase behind it to provide an alternative method for paying transactions
on line. You buy a PayPad device, a small card reader with integrated
keypad. It connects to your PC using USB. To pay using PayPad at
a merchant
| Min-entropy of a probability distribution is
|
| -lg ( P[max] ),
|
| minus the base-two log of the maximum probability.
|
| The nice thing about min-entropy in the PRNG world is that it leads to
| a really clean relationship between how many bits of entropy we need
| to seed the PRNG, and
| If all that information's printed on the outside of the card, then
| isn't this battle kind of lost the moment you hand the card to them?
|
| 1- I don't hand it to them. I put it in the chip-and-pin card reader
| myself. In any case, even if I hand it to a cashier, it is within my
| sight
| I think the Rip Van Winkle cipher was mentioned in Schneier's Applied
| Cryptography. Also, I vaguely recall another news story (1999?) that
| reported on an encryption technique that hypothesized a stream of random
| bits generated by an orbiting satellite.
Probably Rabin's work on beacons.
From Computerworld:
New phishing scam model leverages VoIP
Novelty of dialing a phone number lures in the unwary
News Story by Cara Garretson
APRIL 26, 2006
(NETWORK WORLD) - Small businesses and consumers aren't the only ones
enjoying the cost savings of switching to voice over IP
| the other point that should be made about voip is that callerid is
| trivial to spoof.
|
| so if you are counting on the calling party being who they say they
| are, or even within your company, based on callerid, don't.
|
| i predict a round of targeted attacks on help desks and customer
|
| issues did start showing up in the mid-90s in the corporate world ...
| there were a large number of former gov. employees starting to show up
| in different corporate security-related positions (apparently after
| being turfed from the gov). their interests appeared to possibly reflect
| I got this pointer off of Paul Hoffman's blog. Basically, a reporter
| uses information on a discarded boarding pass to find out far too much
| about the person who threw it away
|
| http://www.guardian.co.uk/idcards/story/0,,1766266,00.html
|
| The story may be exaggerated but it feels
Summary: The deluge of reports of problems at on-line banks is having
an effect. Customer attitudes are increasingly negative, and customers
mention concerns about security as worrying them. The adoption rate
for internet banking has dropped to only 3.1% for the last quarter
of 2005, about
|The Locate appliance sits passively on the network and
|analyzes packets in real time to garner ID info from sources
|like Active Directory, IM and e-mail traffic, then associates
|this data with network information.
|
| This is really nothing new -- I've been
| - Stream ciphers (additive)
|
| This reminds me, when people talk about linearity with regard to a
| function, for example CRCs, exactly what sense of the word do they
| mean? I can understand f(x) = ax + b being linear, but how exactly
| does XOR get involved, and are there +-linear
| Hi,
|
| I've been wondering about the proper application of statistics with
| regard to comparing PRNGs and encrypted text to truly random sources.
|
| As I understand it, when looking at output, one can take a
| hypothetical source model (e.g. P(0) = 0.3, P(1) = 0.7, all bits
| independent)
| ...This is the trusted-path problem. Some examples of proposed
| solutions to trusted-path are:
|
| - Dim the entire screen.
| - Use special window borders.
| - Use flashing window borders.
| - Use specially shaped windows.
| - Attach a warning label to all untrusted
| What kind of problems do people run into when they try to make
| cryptographic algorithms that reduce to problems of known complexity?
| I'm expecting that the literature is full of such attempts, and one
| could probably spend a lifetime reading up on them, but I have other
| plans and would
| The specification is secret and confidential. It uses the SMS4
| block cipher, which is secret and patented. [*]
|
| Secret and patented are mutually exclusive.
Actually, they are not. There is a special provision in the law under
which something submitted to the patent office can be
| On 7/3/06, Leichter, Jerry [EMAIL PROTECTED] wrote:
| You're damned if you do and damned if you don't. Would you want to use a
| hardware RNG that was *not* inside a tamper-proof package - i.e., inside
| of a package that allows someone to tamper with it?
|
| Yes. If someone has physical
...from a round-table discussion on identity theft in the current
Computerworld:
IDGNS: What are the new threats that people aren't thinking
about?
CEO Dean Drako, Sana Security Inc.: There has been a market
change over the last five-to-six years, primarily due to
On Tue, 11 Jul 2006, Anne Lynn Wheeler wrote:
| ...independent operation/sources/entities have been used for a variety of
| different purposes. however, my claim has been then auditing has been used to
| look for inconsistencies. this has worked better in situations where there was
| independent
On Thu, 13 Jul 2006, John Kelsey wrote:
| From: Anne Lynn Wheeler [EMAIL PROTECTED]
| ...
| my slightly different perspective is that audits in the past have
| somewhat been looking for inconsistencies from independent sources. this
| worked in the days of paper books from multiple different
From a Computerworld blog.
--Jerry
When encryption doesn't work
By Robert L. Mitchell on Wed, 07/26/2006 - 12:00pm
In my interview with Ontrack Data Recovery this week (see
Recovery specialists bring data back from the dead:
| Have you seen the technique used at http://www.griddatasecurity.com ? Sounds
| a lot like your original idea.
Nah - more clever than what I had (which was meant for an age when you
couldn't carry any computation with you, and things you interacted with
on a day by day basis didn't have