Re: Book on cryptography for programmers

2000-08-15 Thread Rick Smith
At 03:38 PM 8/10/00, Michael Paul Johnson wrote: >In case you haven't figured it out, yes, I am seriously contemplating >writing such a book. There's certainly a need for defensive programming books oriented towards security functions, and crypto functions in particular. On the other hand, th

Re: dbts: Lions and TEMPESTs and Black Helicopters (Oh, My!)

1998-11-04 Thread Rick Smith
>Robert Hettinga <[EMAIL PROTECTED]> writes: >> ... using an encrypted link with at least SSL, and, at some point, people >> will demand much cheaper and faster internet-level encryption ala IPSEC to >> move their money (and their other bits worth money) around. At 09:28 AM 11/3/98 -0800, EKR rep

Re: Preparing course `Intro to crypto with focus on e-commerce

1998-12-28 Thread Rick Smith
At 10:47 PM 12/26/98 +0200, Amir Herzberg wrote: > ... I'll appreciate any pointers to good available foils or really >good lecture notes (I did look up Rivest's, for example). Take a look at presentation files on my web site: http://www.visi.com/crypto/ They're all in PDF (originally FrameMa

Re: dbts: Lions and TEMPESTs and Black Helicopters (Oh, My!)

1998-11-05 Thread Rick Smith
I wrote: >> Let me raise another possible problem with substituting IPSEC for SSL -- >> does anyone *really* have an IPSEC implementation that interfaces as >> effectively with secure applications? ... And Robert Hettinga replied: >IPsec happens at the network layer, SSL between the transport l

Re: references to password sniffer incident

1999-03-08 Thread Rick Smith
At 02:29 PM 3/8/99 +1100, Greg Rose wrote: > For part of this, I wanted to >refer to the incident where someone mounted a password sniffer at a major >network hub (MAE-West?) a couple of years ago. But I haven't turned up >anything useful in a Web search. I didn't dream this incident, d

Re: MacOS 8.7 Security

1999-05-17 Thread Rick Smith
Arnold Reinhold quoted a site containing rumors about upcoming security features in Mac OS 8.7: > The security features controlling all of this will be very similar to >those used in OS X and are to be considered extremely secure. No external >testing has been applied yet, but Apple sources s

Re: entry level cryptography books

1999-06-02 Thread Rick Smith
At 06:10 PM 6/1/99 +0100, Markus Kuhn wrote: >Those who are more comfortable with reading German than Mathematics and >who are looking for a really entry-level book will enjoy > > Alfred Beutelspacher: Kryptologie. > Vieweg, 1996, ISBN 3-528-48990-1, 34.00 DEM, 179 p. Internet Cryptography has

Sen. John McCain

1999-06-28 Thread Rick Smith
Just got back from vacation in a low tech wilderness (the BWCA) and I didn't have a chance to pass this on sooner. Just before I left (Friday June 18) I met Senator John McCain at SCC's offices in San Jose. We talked about export controls. I went through the usual explanations and analogies to ex

Re: FBI Report on Cryptography

1999-07-06 Thread Rick Smith
I took the time to look at this report while stuck on an airplane (we use Northwest up here) and I'm astonished that the FBI can't do any better than this. They trotted out the same old anecdotes of this terrorist "recommending" crypto to friends and that investigation "encountering" encrypted fil

Re: PGP encryption

1999-07-20 Thread Rick Smith
>Hans asked: > >>When implementing PGP base encryption, is this implementation MUST use >>symmetrically Algorithms ?? Is it possible to use only the >public/private key ? At 01:43 PM 7/19/99 -0600, [EMAIL PROTECTED] replied: >There currently isn't a way to do it under the OpenPGP Draft. Why wo

Re: House committee ditches SAFE for law enforcement version

1999-07-26 Thread Rick Smith
Declan McCullagh <[EMAIL PROTECTED]> writes: > >>> The sponsor of yesterday's amendment, Rep. Weldon, said that he wants to >>> have a classified briefing //on the House floor// to scare members into >>> voting his way. Look for killer amendments to SAFE to be offered during >>> that floor vote, p

Re: Subject: Re: Security Lab To Certify Banking Applications

1999-07-27 Thread Rick Smith
At 11:27 AM 7/27/99, Peter Gutmann wrote: >(Given that NT now has a UK E3 certification, I don't think you need to get >it recertified in the US, since it's transferrable to all participating >countries, so I don't think it'd have to be certified by the above lab). I'm not sure this is true. Th

Re: Security Lab To Certify Banking Applications

1999-07-27 Thread Rick Smith
Regarding the general direction of these comments >"William H. Geiger III" wrote: >> Well I have my doubts on this. Either they refuse to certify Microsoft & >> Netscape software and alienate 90% of the consumer market, or they do >> certify them making their certification worthless. At 04:

Re: Security Lab To Certify Banking Applications

1999-07-27 Thread Rick Smith
I wrote about Java-bashing relative to security in e-commerce: >>Naturally I understand the logic behind these, but it's a bit like saying >>"We won't sell anyone a car unless it's burglarproof." People use their >>cars quite a bit even though they're expensive and risk of being stolen. At 10:15

Re: US Urges Ban of Internet Crypto

1999-07-29 Thread Rick Smith
At 09:54 AM 7/29/99 -0700, Tom Perrine wrote: >Ever taken a look for pgp.2.6.x, Kerberos, SSH or other "controlled >software" available for anonymous FTP from .GOV and .MIL systems? A >few minutes with your favorite search engine is quite enlightening :-) What astonishes me is that some governm

Product Evaluations (was: Re: House committee ditches...)

1999-08-04 Thread Rick Smith
At 02:19 AM 8/3/99, Peter Gutmann wrote: >[1] There isn't any rule of thumb for the work involved in attaining the higher >assurance levels because it's done so rarely, although in terms of cost and >time I've seen an estimate of $40M for an A1 Multics (it never eventuated) >and DEC's

Re: IP: Clinton comes after the Internet by Joseph Farah

1999-08-10 Thread Rick Smith
At 10:44 AM 8/10/99 -0400, Dan Geer proposed an explanation: >2. we already have our draft conclusions in white paper >form and we need to have the appearance of due process I expect the conclusions can be inferred from that other recent Administration exercise: "Encryption: Impact on Law Enforc

Fingerprints and smart cards (was: going around the crypto)

1999-08-21 Thread Rick Smith
Peter Gutmann said: >> Smart cards with thumbprint readers are one step in this >> direction, although they're currently prohibitively expensive. American Biometrics (www.abio.com) has their Biomouse II, which I once heard was supposed to retail around $250 or so. The old finger-only Biomouse sho

Formal Security Evaluation Survey/History

1999-09-17 Thread Rick Smith
The subject of government mediated evaluations of computer security products has come up a few times on this list, so I'm taking this opportunity to ask the readership for assistance in a survey I've been working on. I'm collecting information about security product evaluations under formal crite

Re: Export ?

1999-10-05 Thread Rick Smith
At 03:24 PM 9/30/99 -0400, Andy Maslar wrote: >At the risk of being flamed for being a hopeless newbie, or perhaps as >one asking a practical question about export regs, (something that seems >in bad taste lately) I will nevertheless proceed: > >Are hash functions (MD5 specifically) controlled by

Re: Internal vs external threats, any references?

1999-10-05 Thread Rick Smith
I said: >> If it's programmable it's vulnerable. Ben Laurie replied: >Oh, right. There's no attack you can defend against, right? One has to be careful with one's universal quantifiers. "There's no attack you can defend against." - false "There are defenses against some attacks." - true "Ther

Re: crypto camouflage in software

1999-10-11 Thread Rick Smith
>"paul a. bauerschmidt" wrote: >> one password will decrypt correctly, many other passwords will produce >> alternate, valid-looking keys to fool an attacker. >> >> is this an example of security through obscurity (a thought which many >> frown upon, it seems)? At 05:12 PM 10/8/99 -0700, Ed

Re: 56 Bits?????

1999-10-30 Thread Rick Smith
Regarding certain properties of the OS 9 crypto: *) Introducing crypto to the masses If they're putting crypto on the desktop that "the rest of us" can use, my hat goes off to them. Netscape pioneered "crypto to the masses" by hiding the operations entirely. If Apple has taken the next step and

Re: call for identification of some crypto devices

1999-11-11 Thread Rick Smith
At 07:03 PM 11/11/99 +0100, Chr. Schulzki-Haddouti wrote: >I am looking for help to identify following three crypto devices, which were >presumably used by NATO and Eastern Countries. You can have a look here: >http://members.aol.com/infowelt/kdevice.htm > >At the moment I am preparing an article

Re: US law makes it a crime to disclose crypto-secrets

1999-12-17 Thread Rick Smith
At 08:59 AM 12/12/1999 -0500, Arnold G. Reinhold wrote: >As I recall, classified documents are required to carry a legend on >each page saying something like "This document contains information >affecting the national defense within the meaning of the espionage >laws, Title 18 793 and 794, the

Re: small authenticator

2000-01-19 Thread Rick Smith
At 04:49 PM 01/18/2000 -0700, [EMAIL PROTECTED] wrote: >I've got something with around 100 bytes of ram and an 8-bit multiply. >Is there an authentication mechanism that can fit in this? What types of attacks are you concerned with? That's the main question. If you have a direct, unsniffable con

Re: The problem with Steganography

2000-01-25 Thread Rick Smith
At 07:20 PM 01/25/2000 -, lcs Mixmaster Remailer wrote: >Steganography is successful if the attacker can't distinguish >message-holding data from ordinary data without the key. Ideally, he >can't guess whether a message is present any better upon inspecting the >cover data than he could with

Re: The problem with Steganography

2000-01-26 Thread Rick Smith
At 04:23 PM 01/25/2000 -0600, I asked: >>With this model there is no problem in making everyone aware of where to >>look for cover traffic with stego data in it. > >Has anyone actually built a steganographic system that has achieved this? Okay, I've seen a half dozen messages saying "it's no pr

Re: The problem with Steganography

2000-01-26 Thread Rick Smith
>Rick Smith wrote: >> It sounds like there are a number of interesting design questions. For >> example, the sender and recipient must obviously share a secret key. At 10:18 PM 01/26/2000 +, Ben Laurie wrote: >Why is that obvious? What's wrong with encoding with the

Re: The problem with Steganography

2000-01-27 Thread Rick Smith
At 12:12 AM 01/27/2000 +, Ben Laurie wrote: >I can't quite see the point of forward stego. I'll leave it to Russ to explain his application if he wants to. > Why not publish something >public key encrypted and publish the private key later? Symmetric cryptography has two advantages in this

Re: DeCSS MPAA New York Opinion

2000-02-04 Thread Rick Smith
At 03:19 PM 02/03/2000 -0800, Phil Karn wrote: >This is one of the sloppiest and misinformed judicial opinions I've >read in a long time. ... I read the hearing transcript and the judge seemed particularly impatient with the defense attorneys. There was the business about the defense attorneys

Re: Copy protection proposed for digital displays

2000-02-23 Thread Rick Smith
At 05:43 PM 02/21/2000 -0800, Eugene Leitl wrote: >HDCP uses a 56-bit key, with individual keys distributed to the >various vendors. A violated key could be tracked down and revoked over >a satellite broadcast network, for example. This design does not consider potential end user reactions. Cons

Re: IP: Gates, Gerstner helped NSA snoop - US Congressman

2000-04-13 Thread Rick Smith
Regarding the following article: >>From The Register, >http://www.theregister.co.uk/000412-20.html >- >Posted 12/04/2000 5:56pm by Graham Lea ... > . The >Register has seen an unofficial transcript of a luncheon meeting on Capitol >Hill of the Internet Caucus Panel Discussion about the ne

Re: IP: Gates, Gerstner helped NSA snoop - US Congressman

2000-04-13 Thread Rick Smith
While writing about OS back-doors, I said: >I'm incredibly skeptical that Microsoft, IBM, or any other vendor >intentionally provides back-doors for the NSA or anyone else. This was too strong, because there is in fact a counterexample that I'd forgotten while composing that e-mail. Jim Gillogly

Re: Automatic passphrase generation

2000-05-02 Thread Rick Smith
At 05:05 PM 04/30/2000 -0700, Steve Reid wrote: >Below is some sample output. The amount of entropy per passphrase should >be more than 89 bits, or almost the same as seven Diceware words. >However, if you generate N passphrases and pick the one that is easiest >to remember then you should subtra

Re: Automatic passphrase generation

2000-05-10 Thread Rick Smith
At 11:42 AM 05/10/2000 +0200, Sergio Tabanelli wrote: >Perhaps this can be out of topic, but recently I was involved in a >discussion on methods to generate strong password starting from easy to >remember word or sentence, there I proposed to use a private key to encrypt >easy to remember words. I

Re: Interesting new covert channel

2000-05-11 Thread Rick Smith
At 08:03 AM 05/11/2000 +0530, Udhay Shankar N wrote: >http://www.firstmonday.dk/issues/issue2_5/rowland/ > >The TCP/IP protocol suite has a number of weaknesses that allow an attacker >to leverage techniques in the form of covert channels to surreptitiously >pass data in otherwise benign packets.

RE: Critics blast Windows 2000's quiet use of DES instead of 3DES

2000-05-19 Thread Rick Smith
At 02:25 PM 05/19/2000 -0400, Arnold G. Reinhold wrote: > . But a cooperative relationship between Microsoft and NSA >(or any vendor and their local signals security agency) can be more >subtle. What if Microsoft agreed not to fix that bug? What if >Microsoft gives NSA early access to sou

Re: NSA back doors in encryption products

2000-05-24 Thread Rick Smith
At 03:48 PM 05/23/2000 -0700, John Gilmore wrote: >Rick Smith wrote: >> If the NSA approaches Microsoft to acquire their support of NSA's >> surveillance mission, then the information will have to be shared >> with a bunch of people inside Microsoft, and they're not

Re: NSA back doors in encryption products

2000-05-24 Thread Rick Smith
>Enzo Michelangeli noted some primality checking software: >> CERTIFIX is an executable for Win95, Win98, NT (hardware Intel >> compatible). And Ben Laurie wrote: >'nuff said! Of course, this increases the size of the conspiracy at Microsoft -- if you have anti-backdoor code, then Microsoft ne

Re: NSA back doors in encryption products

2000-05-24 Thread Rick Smith
Before continuing, let me state my three opinions that this is based on: 1) There is a non-zero risk of backdoors in commercial software, but the perpetrators are as likely (IMHO more likely) to be outside parties and not US agencies like NSA. 2) A persistent backdoor in Windows would have to be

Re: NSA back doors in encryption products

2000-05-24 Thread Rick Smith
At 10:01 PM 05/24/2000 +0100, Ben Laurie wrote: >Amusing though the MS/NSA speculations are, I'm more interested in the >general point: i.e. proving that primes are prime. Having a black box >that claims to do that doesn't really light my fire. The most interesting thing I find about the discuss

Re: NSA back doors in encryption products

2000-05-25 Thread Rick Smith
At 06:42 PM 05/24/2000 -0500, Jim Choate wrote: > >On Wed, 24 May 2000, Eugene Leitl wrote: > >> Rick Smith writes: >> >> If NSA/MS are not doing it, they must be pretty stupid, because I'd do >> it in their place. The prudent assumption is hence: your

Re: NSA back doors in encryption products

2000-05-25 Thread Rick Smith
At 10:10 PM 05/24/2000 -0400, Arnold G. Reinhold wrote: >Maybe this is where our outlooks differ the most. I view a >"localized thing with limited effects" as *more* sophisticated than >some big lump of snuck-in code that searches your hard drive and >sends periodic e-mail to [EMAIL PROTECTED

Re: NSA back doors in encryption products

2000-05-25 Thread Rick Smith
At 09:12 AM 05/25/2000 -0700, David Honig wrote: >Your data still goes through an operating system, etc., so the >real issue is a closed system: encrypt on a PDA which is under your >close personal control and does not download new executables. Let your >untrustworthy networked-PC be merely its

Re: Multi-server Password Authentication

2000-06-12 Thread Rick Smith
At 04:06 PM 06/08/2000 -0400, David Jablon wrote: >A recent announcement by Verisign describes a system for strong network >password authentication, with the added twist of using two or more servers, >such that no individual server keeps any crackable password verifiers. ... I read the marketing

Windows "secure channels"

2000-10-10 Thread Rick Smith at Secure Computing
I've been trying to track down some information for my authentication book, and I'm currently wrestling with the lack of easy to find Microsoft internal specs. So I thought I'd ask the community. I've been writing about what I call "indirect authentication" which refers to the use of an authen

Re: DMCA Final Rule

2000-11-07 Thread Rick Smith at Secure Computing
At 09:20 PM 10/29/00, Peter Wayner wrote: >What is obsolete anyways? The question to me sounds like the one children >would ask: "how old is old?" Well, it's as old as you feel. Are Sony Beta >tapes obsolete? Most will say yes, but I think there are devotees who will >say "No". I know that the

Re: migration paradigm (was: Is PGP broken?)

2000-12-07 Thread Rick Smith at Secure Computing
At 05:04 PM 12/5/00, Ray Dillinger wrote: >If someone wants to enter "sex" as a password, s/he deserves >what s/he gets (although you may put up an "insecure passphrase" >warning box for him/her). The problem is that there's no objective way of knowing when a passphrase becomes 'insecure' since

Re: migration paradigm (was: Is PGP broken?)

2000-12-09 Thread Rick Smith at Secure Computing
At 02:43 PM 12/7/00, Peter Fairbrother wrote: >In WW2 SOE and OSS used original poems which were often pornographic. See >"Between Silk and Cyanide" by Leo Marks for a harrowing account. Yes, a terrific book. However, the book also contains an important lesson regarding human memory. Marks was