Re: SHA-1 results available
* Jack Lloyd: http://theory.csail.mit.edu/~yiqun/shanote.pdf Thanks for the pointer. No real details, just collisions for 80 round SHA-0 (which I just confirmed) and 58 round SHA-1 (which I haven't bothered with), plus the now famous work factor estimate of 2^69 for full SHA-1. As usual, Technical details will be provided in a forthcoming paper. I'm not holding my breath. In addition, there's no trace of the second-preimage attack some persons recently alluded to.
Re: AOL Help : About AOL® PassCode
* Ian G.: R.A. Hettinga wrote: http://help.channels.aol.com/article.adp?catId=6sCId=415sSCId=4090articleId=217623 Have questions? Search AOL Help articles and tutorials: . If you no longer want to use AOL PassCode, you must release your screen name from your AOL PassCode so that you will no longer need to enter a six-digit code when you sign on to any AOL service. To release your screen name from your AOL PassCode 1. Sign on to the AOL service with the screen name you want to release from your AOL PassCode. OK. So all I have to do is craft a good reason to get people to reset their PassCode, craft it into a phishing mail and send it out? I think you can forward the PassCode to AOL once the victim has entered it on a phishing site. Tokens à la SecurID can only help if the phishing schemes *require* delayed exploitation of obtained credentials, and I don't think we should make this assumption. Online MITM attacks are not prevented. (Traditional IPsec XAUTHis problematic for the very same reason, even with a SecurID token lookalike.)
Re: Blinky Rides Again: RCMP suspect al-Qaida messages
* Adam Shostack: On Sat, Dec 11, 2004 at 10:24:09PM +0100, Florian Weimer wrote: | * R. A. Hettinga quotes a news article: | | There have been numerous media reports in recent years that terrorist | groups, including al-Qaida, were using steganographic techniques. | | As far as I know, these news stories can be tracked back to a | particular USA Today story. There's also been a bunch of stories how | a covert channel in TCP could be used by terrorists to hide their | communication. There's very good evidence that Al Qaida does *not* use strong crypto. However, they use some form of crypto. From a recent press release of our attorney general: | Als mitgliedschaftliche Betätigung im Sinne der Strafvorschrift des § | 129b StGB für die Ansar al Islam wird den Beschuldigten vor allem | zur Last gelegt, einen Mordanschlag auf den irakischen | Ministerpräsidenten während seines Staatsbesuches in Deutschland am | 2. und 3. Dezember 2004 geplant zu haben. Dies ergibt sich aus dem | Inhalt einer Vielzahl zwischen den Beschuldigten seit dem 28. November | 2004 verschlüsselt geführter Telefongespräche http://www.generalbundesanwalt.de/news/index.php?Artikel=158Thema=5Start=0 (Very rough translation: The persons are accused of being members of Ansar al Islam and planning the assassination of the Iraqi prime minister during his visit to Germany on the 2nd and 3rd December, 2004. This follows from the contents of a multitude of encrypted telephone calls the accussed exchanged since November 28, 2004.) Probably, they just used code words, and no real cryptography. I'm trying to obtain a confirmation, though.
Re: Blinky Rides Again: RCMP suspect al-Qaida messages
* R. A. Hettinga quotes a news article: There have been numerous media reports in recent years that terrorist groups, including al-Qaida, were using steganographic techniques. As far as I know, these news stories can be tracked back to a particular USA Today story. There's also been a bunch of stories how a covert channel in TCP could be used by terrorists to hide their communication. Unfortunately, when such stories are retold for the second time, the could be used part tends to change to is used. 8-(