Jeffrey Schiller writes:
>If you look at the exploit you will see it is a simple case of failing to
>check array/string bounds.
... which is exactly what was exploited in the 2013 attack, alongside a whole
boatload of other missing defensive features, no DEP, no ASLR, executable
Jerry Leichter writes:
>Lessons? Generality and power lead (to complexity, which is the enemy of
>security.
I think a more direct lesson here is that taking a security mechanism that
consists of a bit flag used to tag a block of memory, defining any such tagged
area as
Zenaan Harkness writes:
>"WWII was the first time in history that the wealthy elite could purchase the
>thuggery of an entire nation".
That was happening at least as far back as ancient Rome.
Peter.
>"I've seen prisons."!!
I've seen troopships on fire off the shoulder of Orion.
Peter.
Georgi Guninski writes:
>Anyone already watched "war on terror porn"?
You mean Chris Korda's work?
Peter :-).
grarpamp writes:
>Voice recognition, which allows the user to control the TV using voice
>commands, is a Samsung Smart TV feature, which can be activated or
>deactivated by the user.
... which can then be reactivated by anyone who walks through the 6.022e23
security holes
Lee writes:
>I guess somebody decided it was best not to publish that particular ruling.
"It is responsible discretion exercised in the national interest to prevent
unnecessary disclosure of eminently justifiable procedures in which untimely
revelation could severely impair
Александр writes:
>I just hope he will not get fired by the end of the semester because of some
>kind of liberal nonsense (""infringement of the rights"") or slander.
Since it came from talk show host Dennis Prager and not any high school
principal, it's unlikely anyone'll
grarpamp quotes:
>“First that means there has to be laws that have to be passed. There are some
>things that have to be permissible legally, which would allow the private
>sector and the public sector to share information,” she said.
They need to pass an Enabling Act to
Riad S. Wahby writes:
>Phillip Rogaway (Professor of CS at UC Davis) has released in the form of an
>essay his keynote talk from Asiacrypt. Very interesting reflection on the
>politics of crypto, historically and at present.
For those who missed the talk this morning, he's also
Zenaan Harkness writes:
>"According to Putin, Russia has always treated Turkey not simply as a
>close neighbour, but as a friendly state."
If you ignore several centuries of political machinations and outright warfare
then yes, Russia has been pretty friendly to Turkey.
With
Zenaan Harkness writes:
>Student Federation Acting President Romeo Ahimakin told the Ottawa Sun that
>the class has been put on hold until a way can be figured out “to make it
>better, more accessible and more inclusive to certain groups of people that
>feel left out in
oshwm writes:
>Can GPG be easier to use, I think so, is it too difficult to use by ordinary
>people - no, they're just too fucking lazy and lack motivation.
... and this is pretty much the poster child for why we have so much unusable
crypto today.
Peter.
Joseph Gentle writes:
>Industry grade crypto has existed for years, but things like PGP being simply
>*inconvenient* has resulted in it having virtually no adoption. The big threat
>to pervasive surveillance isn't pgp, its companies like apple and whatsapp
>bringing that
Joseph Gentle writes:
I don't really want to get involved in this debate (who has that much
asbestos?), but wanted to comment on one thing:
>You just don't see guns in Australia. I don't know anyone who has one.
You're a townie then? If it's like NZ, pretty much every farm
Michael Nelson writes:
>Five minutes of Swedish death metal should get you around 256 bits.
Wrong entropy source, if you go for Norwegian black metal you get at least
1024 bits of entropy [0]. Having said that, Putin's foreign policy speeches
will get you at least 512
wirelesswarr...@safe-mail.net writes:
>Its called Grazing Incidence
>
>https://en.wikipedia.org/wiki/X-ray_optics
Ten out of ten for knowing what it was, but minus several million for using
Wikipedia as the reference.
Peter.
Brenda Fernández writes:
>W10 is free and it's being pushed hard by MS. They even force W7 and W8 users
>to download it when they aren't interested in 'upgrading'. So, if the product
>is free for you, who is the customer?
You're the product, not Windows. That was the
stef writes:
>On Mon, Sep 07, 2015 at 12:55:11PM -0400, Ulex Europae wrote:
>> I wonder, is there an A-list of must-have extensions for Firefox? Because
>> "the internet is for porn," and porn doesn't work on text-only browsers...
>
>NoScript, RequestPolicy, RefControl,
Georgi Guninski <gunin...@guninski.com> writes:
>On Sat, Sep 05, 2015 at 11:45:07AM +0000, Peter Gutmann wrote:
>> The real question though is, why would anyone use parameters they didn't
>> generate themselves? All DSA implementations I've seen (apart from some
>
>Wha
Juan writes:
>On Sat, 5 Sep 2015 18:35:37 +0300 Georgi Guninski
>wrote:
>
>> Likely the mozilla u$a comrades caught the less skilled attackers,
>> not those with r00t access (having in mind what a mess
>> their code is).
>
>Ah, but firefox keeps
Alfonso De Gregorio writes:
>Sure, the questions are: What is the origin of the current wording of the
>standard, that opens an avenue for lax checks for group parameters? Or, if,
>as you correctly pointed out, an implementation MAY NOT check group
>parameters,
Georgi Guninski writes:
>Even if "affected implementations would be approximately zero",
>can we count this as "crypto backdoored RFC" as per OP?
Oh sure, it's definitely broken. OTOH I'm not sure if it's a deliberate
backdoor, the whole thing is such a bad design to
Georgi Guninski writes:
>Well openessl appears to support dhparam:
>https://www.openssl.org/docs/manmaster/apps/dhparam.html
That just indicates support for PKCS #3 DH parameters, not anything else. In
any case the page also says:
OpenSSL currently only supports the
One saving grace about RFC 2631 was that it was pretty much universally
ignored for the reason that it was, well, a pretty stupid way to do things, so
the number of affected implementations would be approximately zero.
(I only know of one, rather minor, vendor who implemented it. Microsoft
Georgi Guninski writes:
>Anyway, I would appreciate if someone checks if current implementations
>accept composite $q$.
Well, I think the problem will be finding any implementation of this at all,
or at least any that's still around now.
>What do you mean by DH
Shelley shel...@misanthropia.org writes:
mode #cypherpunks +b ~q: carimac...@gmail.com
For procmail users, I've found that:
:0
* ^From: *carimachet
/dev/null
:0 B
* Cari Machet
/dev/null
gets rid of most of it.
Peter.
jim bell jdb10...@yahoo.com writes:
There are some rather economical spectrum analyzers being sold today.
You have to be careful with those, the straight USB-dongle ones are going to
be SDR-based, typically the RTL820T meant for DVB-T use (and re-purposed by
half the hacking world for all manner
wirelesswarr...@safe-mail.net wirelesswarr...@safe-mail.net writes:
For example, Ettus' USRPs, covering VHF to 6 GHz or so, starting under $1000,
that not long ago were in the $10,000s. The HackRF (which some have
complained is little more than an IF strip) effectively covering down to
below 10
Georgi Guninski gunin...@guninski.com writes:
http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
quote
I was driving 70 mph on the edge of downtown St. Louis when the exploit
began to take hold.
.
I remember saying something like I feel a bit lightheaded; maybe you should
drive...
jim bell jdb10...@yahoo.com writes:
[...]
The SA0314 is low cost, fast with selectable Bandwidths of 58KHz to 813KHz.
And there's the catch...
Peter.
Lorenz Szabo bizdev...@icloud.com writes:
Last one from my side but this âdrunkâ YouTube review of the Echo is funny:
Amazon Echo - Drunk Tech Review
https://www.youtube.com/watch?v=hHn_KP7hjHc
Lamarr's review is more amusing:
https://www.youtube.com/watch?v=_eewlRCfewQ
Peter.
Encrypt the state and delete the key
That's not such a good idea, because when you swap your state back in again
you can't decrypt it any more and end up with a kernel panic.
Peter.
Henry Baker hbak...@pipeline.com writes:
BTW, what's the point of AES encryption on this pre-p0wned device? More
security theatre?
Almost. Its sole use is for very fast drive erasure, i.e. you change the
key and the data on it becomes inaccessible. Have a look at this
presentation:
brian carroll electromagnet...@gmail.com writes:
The rise of the Swedish cyborgs
By Jane Wakefield Technology reporter
http://www.bbc.com/news/technology-30144072
'The idea is to become a community that is why they get implants done
together, [Mr Sjoblad] says.'
Same idea as the WWI Pal's
Yaron Greenwald ygw...@brandeis.edu writes:
Why is it that everyone here rocks at threat models as long as they get to
own a computer. Why is it that everyone here can consider everything from if
a Global Passive Adversary is directly targeting you to if your next door
neighbor is doing, I dunno,
rysiek rys...@hackerspace.pl writes:
my brain is fried and I can't get any sane result in my attempts to decipher
the TFC acronym.
It's Tennessee Fried Chicken (sometimes known as Tomato Fried Chicken due to
the way it was served), an early, unsuccessful competitor to the more popular
Kentucky
Eric Mill e...@konklone.com writes:
This is everything I ever wanted a cypherpunk mailing list to be
I dunno, I think the Malcolm Tucker wannabe act from two or three messages ago
was pretty dire. What makes Malcolm so entertaining is that he's a creative
artist when it comes to swearing (This
Badbiosvictim badbiosvic...@ruggedinbox.com writes:
USPS interdiction of routers, computers, packages and mail has little over
sight. USPS attempted to censor report of failure to follow safeguards.
There's actually a security standard that's supposed to deal with this sort of
thing, FIPS 140
Steve Kinney ad...@pilobilus.net writes:
Questions raised by anomalies and inconsistencies present in the original
reports of The Snowden Affair and the PRISM documents have not been resolved.
There's an even bigger issue that's also still unresolved:
http://i.imgur.com/Ge1hS.jpg
Clearly a
coderman coder...@gmail.com writes:
it is more private because you are separating domains of communication. the
less trustworthy smartphone is used as a network link (cell or other uplink)
and not trusted with the content of the encrypted communications it carries.
That bites both ways. If I
stef s...@ctrlc.hu writes:
let me summarize (and ask you to reread and understand) grapamps response to
you: email is dead.
... he said, via email.
Peter.
Griffin Boyce grif...@cryptolab.net writes:
Why is it that these things that thousands of people rely on are not audited
in any real way?
It's open-source, so there's the presumption of audit, I couldn't be bothered
looking at it, but since it's open source someone else must have. The odd
thing
Griffin Boyce grif...@cryptolab.net writes:
'AES in a number popular cryptographic libraries including OpenSSL, PolarSSL
and Libgcrypt are vulnerable to Bernsteinâs correlation attack when run in
Xen and VMware virtual machines, the most popular VMs used by cloud service
providers.'
That's
=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?= l...@odewijk.nl writes:
So how do they do that? If there's power failure on a specific box, what
happens? Are all transactions synced to disk before commit, thus minimal
rollbacks? A minimal rollback takes a very small margin of what would happen
in
Kelly John Rose i...@kjro.se writes:
Having worked on some complex banking and accounting systems before, I know
there is a lot more to the equation than simple coding up some crappy ruby
code and putting fixes in place whenever it doesn't quite do what you want.
Financial cryptography is
Fabio Pietrosanti (naif) li...@infosecurity.ch writes:
On italian government innovation portal it has been published a patent by
the Italian Postal Service of SHA-7 : The encryption SHA-7 allows to
generate a unique âmessage digestâ
LOL reading on
Greg Rose g...@seer-grog.net writes:
You get the routers to create valid-looking certificates for the endpoints,
to mount man-in-the-middle attacks.
This is relatively easy for home routers, since the self-signed certs they're
configured with are frequently CA certs. In other words they ship
Cathal Garvey cathalgar...@cathalgarvey.me writes:
Is this any better than AES-ECB, then
The interest isn't in any comparison with AES, it's that Red Pike is a
classified GCHQ-designed cipher from the crypto wars. The code matches the
description by Ross Anderson and Markus Kuhn, but if it's
Lodewijk andré de la porte l...@odewijk.nl writes:
Their current website announcement is a straight offense too. Wouldn't
suprise me if some of them go to jail for Criminal Neglegence.
What would they be prosecuted for, not storing the tulip bulbs under dry
enough conditions? It's not as if
The Doctor dr...@virtadpt.net writes:
Like this?
http://www.livehacking.com/tag/network-card-backdoor/
Proof of concept was been proven in 2010. Practical application is probably
being done by now. Somebody is asleep behind the wheel if it is not.
It was demonstrated well before then,
coderman coder...@gmail.com writes:
this is pre snowden thinking; usability demands that it immediately emits
only one state on boot: a glowing blue LED SECURE.
once the network is up, now lights SUPER SECURE. (it can only be SECURE,
lest the wrong impression be conveyed by accident)
Naah,
coderman coder...@gmail.com writes:
i find these kinds of experiments fascinating and would love to see more of
them!
His ideas are intriguing to you and you wish to subscribe to his newsletter?
Peter.
Adam Back a...@cypherspace.org writes:
Maybe this DSA flaw spotted by Bleichenbacker was another NSA soft-sabotage
attempt (making standards security brittle in the knowledge that it some
people will fail to harden it,
It wasn't some people, it was almost every implementation at the time. When
Tom Ritter t...@ritter.vg writes:
ECC has other attributes that make it attractive too, so let's get the
plumbing ready, so we can support a quick pivot away from RSA and over to ECC
if we have to.
ECC however has the downside that it's incredibly brittle. For example
there's the scary tendency
Bill Stewart bill.stew...@pobox.com writes:
Saw an interesting article from Gmail on their inbound email statistics. Over
91% is authenticated with either DKIM or SPF.
What percentage of that is using 512-bit keys?
Peter.
Pokokohua pokoko...@gmail.com writes:
Would it work swapping renditions for drone strikes as an option?
Yep, that would work too, I'll add it as an option. Also, when it was
playtested here some folks found it easier to identify as the more traditional
villagers rather than Internet users,
Warren Kumari war...@kumari.net writes:
I've often wondered if there is a clever way to do the inverse -- basically
to have a latest timestamp? This seems like a much harder problem -- 'm
looking for a movie plot type solution that the public can easily
understandâ¦
You could do it with a
valdis.kletni...@vt.edu writes:
You still haven't explained how the memories of those who are at the table
help, when the NSA plant has very good reasons to say they're not an NSA
plant, and you haven't explained how you can show they *are* a plant.
Hi, my name's Bob, and I'm a villager.
I
coderman coder...@gmail.com writes:
we always had the data; i can't speak to negative effects.
[...]
to be clear, this was not a direct LEO mandate.
I got the same response from talking to techies at a large telco, they kept
the records just in case they needed them (not for any specific LEO
d.nix d@comcast.net writes:
Curious; anyone know much about what these inexpensive (comparatively, price
seems steadily falling) ASIC Block Erupter USB Bitcoin miners can be adapted
to doing? Could they be repurposed as RNG sources?
Very little, and no. They're basically custom
Tony Arcieri basc...@gmail.com writes:
What threat are you trying to prevent that isn't already solved by the use of
cryptography alone?
The threat of people saying we'll just throw some cryptography at it and then
all our problems will be solved.
Peter.
Eugen Leitl eu...@leitl.org forwarded:
And as far as FOSS firmware development goes, Gizmo Board (
http://www.gizmosphere.org/why-gizmo/gizmoboard/) is far superior and
actually ships with fully functioning open source firmware derived from
coreboot. No blobs, no restrictive licensing.
Cute, but
63 matches
Mail list logo