RE: [Cryptography] Android Full Disk Encryption Broken - Extracting Qualcomm's KeyMaster Keys

2016-07-04 Thread Peter Gutmann
Jeffrey Schiller writes: >If you look at the exploit you will see it is a simple case of failing to >check array/string bounds. ... which is exactly what was exploited in the 2013 attack, alongside a whole boatload of other missing defensive features, no DEP, no ASLR, executable

RE: [Cryptography] Android Full Disk Encryption Broken - Extracting Qualcomm's KeyMaster Keys

2016-07-04 Thread Peter Gutmann
Jerry Leichter writes: >Lessons? Generality and power lead to complexity, which is the enemy of >security. I think a more direct lesson here is that taking a security mechanism that consists of a bit flag used to tag a block of memory, defining any such tagged area as

RE: [FORGED] Fascism, Nazism, Henry Ford's successful suing of the USGov, money and power - Fwd: A short clip from 'Everything Is A Rich Man's Trick'

2016-05-21 Thread Peter Gutmann
Zenaan Harkness writes: >"WWII was the first time in history that the wealthy elite could purchase the >thuggery of an entire nation". That was happening at least as far back as ancient Rome. Peter.

RE: [FORGED] Re: [Cryptography] A humble recommendation

2016-04-06 Thread Peter Gutmann
>"I've seen prisons."!! I've seen troopships on fire off the shoulder of Orion. Peter.

RE: Inside John Kerry's Photo Op With Hollywood Leaders: Anti-ISIS Pow-Wow Yields Few Plans, Ideas

2016-02-18 Thread Peter Gutmann
Georgi Guninski writes: >Anyone already watched "war on terror porn"? You mean Chris Korda's work? Peter :-).

RE: [FORGED] Samsung Warns Customers: Watch Your Mouth

2016-02-14 Thread Peter Gutmann
grarpamp writes: >Voice recognition, which allows the user to control the TV using voice >commands, is a Samsung Smart TV feature, which can be activated or >deactivated by the user. ... which can then be reactivated by anyone who walks through the 6.022e23 security holes

RE: [FORGED] Re: Brit spies can legally hack PCs and phones, say Brit spies' overseers

2016-02-13 Thread Peter Gutmann
Lee writes: >I guess somebody decided it was best not to publish that particular ruling. "It is responsible discretion exercised in the national interest to prevent unnecessary disclosure of eminently justifiable procedures in which untimely revelation could severely impair

RE: New High School Principal's speech to students.

2016-01-31 Thread Peter Gutmann
Александр writes: >I just hope he will not get fired by the end of the semester because of some >kind of liberal nonsense (""infringement of the rights"") or slander. Since it came from talk show host Dennis Prager and not any high school principal, it's unlikely anyone'll

RE: [FORGED] US Pres. Cand. Carly Fiorina Comes Out Against Crypto and Privacy

2015-12-15 Thread Peter Gutmann
grarpamp quotes: >“First that means there has to be laws that have to be passed. There are some >things that have to be permissible legally, which would allow the private >sector and the public sector to share information,” she said. They need to pass an Enabling Act to

RE: The Moral Character of Cryptographic Work

2015-12-01 Thread Peter Gutmann
Riad S. Wahby writes: >Phillip Rogaway (Professor of CS at UC Davis) has released in the form of an >essay his keynote talk from Asiacrypt. Very interesting reflection on the >politics of crypto, historically and at present. For those who missed the talk this morning, he's also

RE: [FORGED] NATO member Turkey just shot down Russian military jet

2015-11-24 Thread Peter Gutmann
Zenaan Harkness writes: >"According to Putin, Russia has always treated Turkey not simply as a >close neighbour, but as a friendly state." If you ignore several centuries of political machinations and outright warfare then yes, Russia has been pretty friendly to Turkey. With

RE: [FORGED] Yoga class cancelled for "cultural issues" (insufficient awareness by class attendees of yoga origins)

2015-11-23 Thread Peter Gutmann
Zenaan Harkness writes: >Student Federation Acting President Romeo Ahimakin told the Ottawa Sun that >the class has been put on hold until a way can be figured out “to make it >better, more accessible and more inclusive to certain groups of people that >feel left out in

RE: [FORGED] Re: [FORGED] Re: UK To Ban Crypto In Devices, Email And More

2015-11-08 Thread Peter Gutmann
oshwm writes: >Can GPG be easier to use, I think so, is it too difficult to use by ordinary >people - no, they're just too fucking lazy and lack motivation. ... and this is pretty much the poster child for why we have so much unusable crypto today. Peter.

RE: [FORGED] Re: UK To Ban Crypto In Devices, Email And More

2015-11-07 Thread Peter Gutmann
Joseph Gentle writes: >Industry grade crypto has existed for years, but things like PGP being simply >*inconvenient* has resulted in it having virtually no adoption. The big threat >to pervasive surveillance isn't pgp, its companies like apple and whatsapp >bringing that

RE: [FORGED] Re: UK To Ban Crypto In Devices, Email And More

2015-11-06 Thread Peter Gutmann
Joseph Gentle writes: I don't really want to get involved in this debate (who has that much asbestos?), but wanted to comment on one thing: >You just don't see guns in Australia. I don't know anyone who has one. You're a townie then? If it's like NZ, pretty much every farm

RE: Introduce randomness in keypress timings

2015-10-09 Thread Peter Gutmann
Michael Nelson writes: >Five minutes of Swedish death metal should get you around 256 bits. Wrong entropy source, if you go for Norwegian black metal you get at least 1024 bits of entropy [0]. Having said that, Putin's foreign policy speeches will get you at least 512

RE: Focusing x-rays

2015-09-22 Thread Peter Gutmann
wirelesswarr...@safe-mail.net writes: >Its called Grazing Incidence > >https://en.wikipedia.org/wiki/X-ray_optics Ten out of ten for knowing what it was, but minus several million for using Wikipedia as the reference. Peter.

RE: Windows 10

2015-09-22 Thread Peter Gutmann
Brenda Fernández writes: >W10 is free and it's being pushed hard by MS. They even force W7 and W8 users >to download it when they aren't interested in 'upgrading'. So, if the product >is free for you, who is the customer? You're the product, not Windows. That was the

RE: Re: Hackers spent at least a year spying on Mozilla to discover Firefox security holes ? and exploit them

2015-09-08 Thread Peter Gutmann
stef writes: >On Mon, Sep 07, 2015 at 12:55:11PM -0400, Ulex Europae wrote: >> I wonder, is there an A-list of must-have extensions for Firefox? Because >> "the internet is for porn," and porn doesn't work on text-only browsers... > >NoScript, RequestPolicy, RefControl,

RE: Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method

2015-09-06 Thread Peter Gutmann
Georgi Guninski <gunin...@guninski.com> writes: >On Sat, Sep 05, 2015 at 11:45:07AM +0000, Peter Gutmann wrote: >> The real question though is, why would anyone use parameters they didn't >> generate themselves? All DSA implementations I've seen (apart from some > >Wha

RE: Hackers spent at least a year spying on Mozilla to discover Firefox security holes – and exploit them

2015-09-06 Thread Peter Gutmann
Juan writes: >On Sat, 5 Sep 2015 18:35:37 +0300 Georgi Guninski >wrote: > >> Likely the mozilla u$a comrades caught the less skilled attackers, >> not those with r00t access (having in mind what a mess >> their code is). > >Ah, but firefox keeps

RE: Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method

2015-09-05 Thread Peter Gutmann
Alfonso De Gregorio writes: >Sure, the questions are: What is the origin of the current wording of the >standard, that opens an avenue for lax checks for group parameters? Or, if, >as you correctly pointed out, an implementation MAY NOT check group >parameters,

RE: Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method

2015-09-03 Thread Peter Gutmann
Georgi Guninski writes: >Even if "affected implementations would be approximately zero", >can we count this as "crypto backdoored RFC" as per OP? Oh sure, it's definitely broken. OTOH I'm not sure if it's a deliberate backdoor, the whole thing is such a bad design to

RE: Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method

2015-09-03 Thread Peter Gutmann
Georgi Guninski writes: >Well openessl appears to support dhparam: >https://www.openssl.org/docs/manmaster/apps/dhparam.html That just indicates support for PKCS #3 DH parameters, not anything else. In any case the page also says: OpenSSL currently only supports the

RE: Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method

2015-09-03 Thread Peter Gutmann
One saving grace about RFC 2631 was that it was pretty much universally ignored for the reason that it was, well, a pretty stupid way to do things, so the number of affected implementations would be approximately zero. (I only know of one, rather minor, vendor who implemented it. Microsoft

RE: Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method

2015-09-03 Thread Peter Gutmann
Georgi Guninski writes: >Anyway, I would appreciate if someone checks if current implementations >accept composite $q$. Well, I think the problem will be finding any implementation of this at all, or at least any that's still around now. >What do you mean by DH

RE: Privacy advocates resign over facial recognition plans

2015-08-13 Thread Peter Gutmann
Shelley shel...@misanthropia.org writes: mode #cypherpunks +b ~q: carimac...@gmail.com For procmail users, I've found that:

    :0
    * ^From: *carimachet
    /dev/null

    :0 B
    * Cari Machet
    /dev/null

gets rid of most of it. Peter.

Re: Hackers Remotely Kill a Jeep on the Highway

2015-07-26 Thread Peter Gutmann
jim bell jdb10...@yahoo.com writes: There are some rather economical spectrum analyzers being sold today. You have to be careful with those, the straight USB-dongle ones are going to be SDR-based, typically the RTL820T meant for DVB-T use (and re-purposed by half the hacking world for all manner

RE: Intercept receivers (was Re: Hackers Remotely Kill a Jeep on the Highway)

2015-07-26 Thread Peter Gutmann
wirelesswarr...@safe-mail.net wirelesswarr...@safe-mail.net writes: For example, Ettus' USRPs, covering VHF to 6 GHz or so, starting under $1000, that not long ago were in the $10,000s. The HackRF (which some have complained is little more than an IF strip) effectively covering down to below 10

RE: Hackers Remotely Kill a Jeep on the Highway

2015-07-24 Thread Peter Gutmann
Georgi Guninski gunin...@guninski.com writes: http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/ quote I was driving 70 mph on the edge of downtown St. Louis when the exploit began to take hold. . I remember saying something like I feel a bit lightheaded; maybe you should drive...

RE: $330 3.3 GHz Spectrum Analyzer

2015-06-02 Thread Peter Gutmann
jim bell jdb10...@yahoo.com writes: [...] The SA0314 is low cost, fast with selectable Bandwidths of 58KHz to 813KHz. And there's the catch... Peter.

Re: Finally Barbie became clever the new hello Barbie

2015-04-22 Thread Peter Gutmann
Lorenz Szabo bizdev...@icloud.com writes: Last one from my side but this “drunk” YouTube review of the Echo is funny: Amazon Echo - Drunk Tech Review https://www.youtube.com/watch?v=hHn_KP7hjHc Lamarr's review is more amusing: https://www.youtube.com/watch?v=_eewlRCfewQ Peter.

Re: Cryptoanarchist slogan

2015-04-01 Thread Peter Gutmann
Encrypt the state and delete the key That's not such a good idea, because when you swap your state back in again you can't decrypt it any more and end up with a kernel panic. Peter.

Re: [Cryptography] trojans in the firmware

2015-02-22 Thread Peter Gutmann
Henry Baker hbak...@pipeline.com writes: BTW, what's the point of AES encryption on this pre-p0wned device? More security theatre? Almost. Its sole use is for very fast drive erasure, i.e. you change the key and the data on it becomes inaccessible. Have a look at this presentation:

Re: get chipped at your local tattoo parlor

2015-02-04 Thread Peter Gutmann
brian carroll electromagnet...@gmail.com writes: The rise of the Swedish cyborgs By Jane Wakefield Technology reporter http://www.bbc.com/news/technology-30144072 'The idea is to become a community that is why they get implants done together, [Mr Sjoblad] says.' Same idea as the WWI Pal's

Re: Re: Tox.im

2015-02-04 Thread Peter Gutmann
Yaron Greenwald ygw...@brandeis.edu writes: Why is it that everyone here rocks at threat models as long as they get to own a computer. Why is it that everyone here can consider everything from if a Global Passive Adversary is directly targeting you to if your next door neighbor is doing, I dunno,

Re: What the fark is TFC

2015-02-03 Thread Peter Gutmann
rysiek rys...@hackerspace.pl writes: my brain is fried and I can't get any sane result in my attempts to decipher the TFC acronym. It's Tennessee Fried Chicken (sometimes known as Tomato Fried Chicken due to the way it was served), an early, unsuccessful competitor to the more popular Kentucky

Re: Barrett Brown

2015-01-27 Thread Peter Gutmann
Eric Mill e...@konklone.com writes: This is everything I ever wanted a cypherpunk mailing list to be I dunno, I think the Malcolm Tucker wannabe act from two or three messages ago was pretty dire. What makes Malcolm so entertaining is that he's a creative artist when it comes to swearing (This

Re: What the hell can be done with this trinity?

2014-12-30 Thread Peter Gutmann
Badbiosvictim badbiosvic...@ruggedinbox.com writes: USPS interdiction of routers, computers, packages and mail has little over sight. USPS attempted to censor report of failure to follow safeguards. There's actually a security standard that's supposed to deal with this sort of thing, FIPS 140

Re: CITIZENFOUR (of Pole Dancer Girlfriends etc.)

2014-10-28 Thread Peter Gutmann
Steve Kinney ad...@pilobilus.net writes: Questions raised by anomalies and inconsistencies present in the original reports of The Snowden Affair and the PRISM documents have not been resolved. There's an even bigger issue that's also still unresolved: http://i.imgur.com/Ge1hS.jpg Clearly a

Re: Crypto mechanics in ios8 and android L

2014-10-15 Thread Peter Gutmann
coderman coder...@gmail.com writes: it is more private because you are separating domains of communication. the less trustworthy smartphone is used as a network link (cell or other uplink) and not trusted with the content of the encrypted communications it carries. That bites both ways. If I

Re: [cryptography] Email encryption for the wider public

2014-09-18 Thread Peter Gutmann
stef s...@ctrlc.hu writes: let me summarize (and ask you to reread and understand) grapamps response to you: email is dead. ... he said, via email. Peter.

Re: is truecrypt dead?

2014-05-29 Thread Peter Gutmann
Griffin Boyce grif...@cryptolab.net writes: Why is it that these things that thousands of people rely on are not audited in any real way? It's open-source, so there's the presumption of audit, I couldn't be bothered looking at it, but since it's open source someone else must have. The odd thing

Re: Fine grain Cross-VM Attacks on Xen and VMware (AES)

2014-04-23 Thread Peter Gutmann
Griffin Boyce grif...@cryptolab.net writes: 'AES in a number popular cryptographic libraries including OpenSSL, PolarSSL and Libgcrypt are vulnerable to Bernstein’s correlation attack when run in Xen and VMware virtual machines, the most popular VMs used by cloud service providers.' That's

Re: Whew, wondered where we'd put those 200,000 BTC!

2014-03-24 Thread Peter Gutmann
Lodewijk andré de la porte l...@odewijk.nl writes: So how do they do that? If there's power failure on a specific box, what happens? Are all transactions synced to disk before commit, thus minimal rollbacks? A minimal rollback takes a very small margin of what would happen in

Re: Whew, wondered where we'd put those 200,000 BTC!

2014-03-23 Thread Peter Gutmann
Kelly John Rose i...@kjro.se writes: Having worked on some complex banking and accounting systems before, I know there is a lot more to the equation than simple coding up some crappy ruby code and putting fixes in place whenever it doesn't quite do what you want. Financial cryptography is

Re: SHA-7 crypto patented by Italian Postal Service

2014-03-19 Thread Peter Gutmann
Fabio Pietrosanti (naif) li...@infosecurity.ch writes: On italian government innovation portal it has been published a patent by the Italian Postal Service of SHA-7 : The encryption SHA-7 allows to generate a unique “message digest” LOL reading on

Re: [cryptography] 2010 TAO QUANTUMINSERT trial against 300 (hard) targets

2014-03-13 Thread Peter Gutmann
Greg Rose g...@seer-grog.net writes: You get the routers to create valid-looking certificates for the endpoints, to mount man-in-the-middle attacks. This is relatively easy for home routers, since the self-signed certs they're configured with are frequently CA certs. In other words they ship

Re: Red Pike cipher

2014-02-27 Thread Peter Gutmann
Cathal Garvey cathalgar...@cathalgarvey.me writes: Is this any better than AES-ECB, then The interest isn't in any comparison with AES, it's that Red Pike is a classified GCHQ-designed cipher from the crypto wars. The code matches the description by Ross Anderson and Markus Kuhn, but if it's

Re: Gox

2014-02-25 Thread Peter Gutmann
Lodewijk andré de la porte l...@odewijk.nl writes: Their current website announcement is a straight offense too. Wouldn't surprise me if some of them go to jail for Criminal Negligence. What would they be prosecuted for, not storing the tulip bulbs under dry enough conditions? It's not as if

Re: Snowden and Compilers

2014-02-12 Thread Peter Gutmann
The Doctor dr...@virtadpt.net writes: Like this? http://www.livehacking.com/tag/network-card-backdoor/ Proof of concept has been proven in 2010. Practical application is probably being done by now. Somebody is asleep behind the wheel if it is not. It was demonstrated well before then,

Re: cypherpunks and hackers who dont code?

2014-01-19 Thread Peter Gutmann
coderman coder...@gmail.com writes: this is pre snowden thinking; usability demands that it immediately emits only one state on boot: a glowing blue LED SECURE. once the network is up, now lights SUPER SECURE. (it can only be SECURE, lest the wrong impression be conveyed by accident) Naah,

Re: Fwd: [tor-talk] giving up pseudonymity after collecting experiences with pseudonymous project development

2014-01-19 Thread Peter Gutmann
coderman coder...@gmail.com writes: i find these kinds of experiments fascinating and would love to see more of them! His ideas are intriguing to you and you wish to subscribe to his newsletter? Peter.

Re: soft backdoors: ECDSA vs RSA vs EdDSA (aka EC Schnorr) (Re: BlueHat v13 crypto talks - request for leaks ; ))

2013-12-21 Thread Peter Gutmann
Adam Back a...@cypherspace.org writes: Maybe this DSA flaw spotted by Bleichenbacher was another NSA soft-sabotage attempt (making standards security brittle in the knowledge that some people will fail to harden it, It wasn't some people, it was almost every implementation at the time. When

Re: BlueHat v13 crypto talks - request for leaks ;)

2013-12-14 Thread Peter Gutmann
Tom Ritter t...@ritter.vg writes: ECC has other attributes that make it attractive too, so let's get the plumbing ready, so we can support a quick pivot away from RSA and over to ECC if we have to. ECC however has the downside that it's incredibly brittle. For example there's the scary tendency

Re: Gmail's receiving mostly authenticated email

2013-12-14 Thread Peter Gutmann
Bill Stewart bill.stew...@pobox.com writes: Saw an interesting article from Gmail on their inbound email statistics. Over 91% is authenticated with either DKIM or SPF. What percentage of that is using 512-bit keys? Peter.

Re: NSA: The Game

2013-12-02 Thread Peter Gutmann
Pokokohua pokoko...@gmail.com writes: Would it work swapping renditions for drone strikes as an option? Yep, that would work too, I'll add it as an option. Also, when it was playtested here some folks found it easier to identify as the more traditional villagers rather than Internet users,

Re: [cryptography] NIST Randomness Beacon

2013-11-11 Thread Peter Gutmann
Warren Kumari war...@kumari.net writes: I've often wondered if there is a clever way to do the inverse -- basically to have a latest timestamp? This seems like a much harder problem -- I'm looking for a movie plot type solution that the public can easily understand… You could do it with a

Re: latest Snowden docs show NSA intercepts all Google and Yahoo DC-to-DC traffic

2013-11-06 Thread Peter Gutmann
valdis.kletni...@vt.edu writes: You still haven't explained how the memories of those who are at the table help, when the NSA plant has very good reasons to say they're not an NSA plant, and you haven't explained how you can show they *are* a plant. Hi, my name's Bob, and I'm a villager. I

Re: True necessity of Records? [was: CryptoSeal]

2013-10-24 Thread Peter Gutmann
coderman coder...@gmail.com writes: we always had the data; i can't speak to negative effects. [...] to be clear, this was not a direct LEO mandate. I got the same response from talking to techies at a large telco, they kept the records just in case they needed them (not for any specific LEO

Re: USB Block Erupters as RNG sources?

2013-10-03 Thread Peter Gutmann
d.nix d@comcast.net writes: Curious; anyone know much about what these inexpensive (comparatively, price seems steadily falling) ASIC Block Erupter USB Bitcoin miners can be adapted to doing? Could they be repurposed as RNG sources? Very little, and no. They're basically custom

Re: [cryptography] The Compromised Internet

2013-09-25 Thread Peter Gutmann
Tony Arcieri basc...@gmail.com writes: What threat are you trying to prevent that isn't already solved by the use of cryptography alone? The threat of people saying we'll just throw some cryptography at it and then all our problems will be solved. Peter.

Re: [coreboot] [liberationtech] Fwd: Firefox OS with built in support for OpenPGP encryption

2013-09-22 Thread Peter Gutmann
Eugen Leitl eu...@leitl.org forwarded: And as far as FOSS firmware development goes, Gizmo Board ( http://www.gizmosphere.org/why-gizmo/gizmoboard/) is far superior and actually ships with fully functioning open source firmware derived from coreboot. No blobs, no restrictive licensing. Cute, but