At 04:29 PM 6/14/03 -0400, Sunder wrote:
...
If the day comes where MS Office DRM only works with MS Office DRM, how
many people will switch to it? If your company is willing to switch to
it, then they'll give you a PC with it on it. If they don't, then they
can't expect you to interact with them
> Oh get over it. There are other formats.
> You ever heard of XML? HTML? RTF?
There are output formats and input formats.
It's easy to output data in formats other people can read -
if you want something prettier than ASCII,
HTML is usually fine, though there's not much support
for embedded pictu
On Sat, 14 Jun 2003, Sunder wrote:
> Oh get over it. There are other formats. You ever heard of
> XML? HTML? RTF?
Yes, as a matter of fact. RTF is an MS format, BTW. They do change it
sometimes, breaking various attempts at interoperability. They don't do
it much; it seems like something they
A charming naivete.
*Plonk*
On Sat, Jun 14, 2003 at 04:29:23PM -0400, Sunder wrote:
| Oh get over it. There are other formats. You ever heard of
| XML? HTML? RTF?
|
| If the day comes where MS Office DRM only works with MS Office DRM, how
| many people will switch to it? If your company is
Oh get over it. There are other formats. You ever heard of
XML? HTML? RTF?
If the day comes where MS Office DRM only works with MS Office DRM, how
many people will switch to it? If your company is willing to switch to
it, then they'll give you a PC with it on it. If they don't, then they
can'
On Sat, Jun 14, 2003 at 03:30:47PM -0400, Sunder wrote:
| Um, how's that agin? How does Ballmer and Gates force you, Adam Shostack
| to run Microsoft Office? Did they put a gun to your head? Did they
| manage to twist Congress's arms to put a gun to your head?
|
| Compatibility you say? Well,
Um, how's that agin? How does Ballmer and Gates force you, Adam Shostack
to run Microsoft Office? Did they put a gun to your head? Did they
manage to twist Congress's arms to put a gun to your head?
Compatibility you say? Well, that's your choice. You can decide if it's
important enough to yo
Adam Lydick wrote:
>The faq (see attached) claims that "anyone can write a nexus" and that
>"users control which nexus(s) run".
>
>I certainly didn't see anything that suggests that anyone can force you
>to run arbitrary code, regardless of who has signed it.
"Force", maybe not. No one can "forc
On Sat, Jun 14, 2003 at 11:20:16AM -, a Microsoft employee wrote:
| Adam Shostack writes:
|
| > Actually, most of the features of Nogsuccob are features that I
| > want, like integrity protected, authenticated boot. The problem,
| > bundled with those features, is the ability of the system
Adam Shostack writes:
> Actually, most of the features of Nogsuccob are features that I
> want, like integrity protected, authenticated boot. The problem,
> bundled with those features, is the ability of the system to attest to
> its secure boot. This can be fixed by not letting the host know
The faq (see attached) claims that "anyone can write a nexus" and that
"users control which nexus(s) run".
I certainly didn't see anything that suggests that anyone can force you
to run arbitrary code, regardless of who has signed it. I also find it
absurd to worry about what code Microsoft is run
The problem with these stop crackers and hackers by law is that it allows
software developers to get away with leaving huge gaping security holes
unfixed. Anecdotal evidence: The classic well known Robin Hood and Friar
Tuck "hack".
These days, the bug wouldn't get fixed and the guys reporting it
On Fri, Jun 13, 2003 at 11:04:42PM +0200, Thomas Shaddack wrote:
| > The problem (among others) is that this allows a virus to steal the
| > client cert. If it is protected by a password, the malware must hang
| > around long enough for the user to unlock the cert (perhaps because the
| > malware
> The problem (among others) is that this allows a virus to steal the
> client cert. If it is protected by a password, the malware must hang
> around long enough for the user to unlock the cert (perhaps because the
> malware sent a spoofed email calling for the user to visit the site,
> even the r
At 03:39 PM 6/10/03 -0700, Bill Frantz wrote:
>At 5:12 PM -0700 6/8/03, Anne & Lynn Wheeler wrote:
>>somebody (else) commented (in the thread) that anybody that currently
>>(still) writes code resulting in buffer overflow exploit maybe should be
>>thrown in jail.
Not a very friendly bug-submission
On Fri, 13 Jun 2003, Nomen Nescio wrote:
> Apparently you neglected to read
> http://www.microsoft.com/resources/ngscb/NGSCB_Overview.mspx, where
> Microsoft says (as they have repeated many times) "Customers and partners
> need reliable ways to ensure the quality of technology that addresses
> th
Joe Ashwood writes:
> From: "Anonymous"
> > You clearly know virtually nothing about Palladium.
> I still stand by, "Arbitrarily trusting anyone to write a secure program
> simply doesn't work" regardless of how many times MS says "trust us" any
> substantially educated person should as well
- Original Message -
From: "Anonymous" <[EMAIL PROTECTED]>
Subject: CDR: Re: An attack on paypal --> secure UI for browsers
> You clearly know virtually nothing about Palladium.
Actually, properly designed Palladium would be little more than a smart card
welded
At 10:56 AM 6/11/2003 -0400, Sunder wrote:
In either case, we wouldn't need to worry about paying Verisign or anyone
else if we had properly secured DNS. Then you could trust those pop-up
self-signed SSL cert warnings.
actually, if you had a properly secured DNS then you could trust DNS
to d
In message <[EMAIL PROTECTED]>, "Matt Crawford" writes:
>> The worst trouble I've had with https is that you have no way to use host
>> header names to differentiate between sites that require different SSL
>> certificates.
>
>True as written, but Netscrape and Internet Exploder each have a hack
>
Sunder <[EMAIL PROTECTED]> writes:
> The worst trouble I've had with https is that you have no way to use host
> header names to differentiate between sites that require different SSL
> certificates.
>
> i.e. www.foo.com www.bar.com www.baz.com can't all live on the same IP and
> have individual s
"Matt Crawford" <[EMAIL PROTECTED]> writes:
>True as written, but Netscrape and Internet Exploder each have a hack for
>honoring the same cert for multiple server names. Opera seems to honor at
>least one of the two hacks, and a cert can incorporate both at once.
>
> /C=US/ST=Illinois/L=Bat
> "Matt Crawford" <[EMAIL PROTECTED]> writes:
> >... Netscrape and Internet Exploder each have a hack for
> >honoring the same cert for multiple server names. Opera seems to honor at
> >least one of the two hacks, and a cert can incorporate both at once.
> >
> > /C=US/ST=Illinois/L=Batavia/O
> You can also use *.fnal.gov
Yes, we know, but our in-house CA operator (me) won't issue such a
certificate.
At 11:01 AM -0700 6/11/03, Major Variola (ret) wrote:
>At 03:39 PM 6/10/03 -0700, Bill Frantz wrote:
>>IMHO, the problem is that the C language is just too error prone to be used
>>for most software. In "Thirty Years Later: Lessons from the Multics
>>Security Evaluation", Paul A. Karger and Rog
The worst trouble I've had with https is that you have no way to use host
header names to differentiate between sites that require different SSL
certificates.
i.e. www.foo.com www.bar.com www.baz.com can't all live on the same IP and
have individual ssl certs for https. :( This is because the cer
James A. Donald wrote:
> How many attacks have there been based on automatic trust of
> verisign's feckless ID checking? Not many, possibly none.
I imagine if there exists a https://www.go1d.com/ site for purposes of
fraud, it won't be using a self-signed cert. Of course it is possible that
the a
> the lack of buffer overruns in Multics. However, in the
> Unix/Linux/PC/Mac
> world, a successor language has not yet appeared.
Work on the existing C/C++ language will have a better chance
of actually being used earlier. Not that it removes the problem
entirely, but it should catch a lot of
- Original Message -
From: "Anonymous" <[EMAIL PROTECTED]>
Subject: CDR: Re: An attack on paypal --> secure UI for browsers
> In short, if Palladium comes with the ability to download site-specific
> DLLs that can act as NCAs
Ok what flavor of crack are you sm
> The solution to this is Palladium (NGSCB).
>
> You'd want each ecommerce site to download a Nexus Computing Agent into
> the client. This should be no more difficult than downloading an Active-X
> control or some other DLL. The NCA has a manifest file associated with it
No shit? This is moron
The problem to be solved is this. Spoofed sites can acquire user
credentials, especially passwords, and then use those to impersonate the
user on the real sites. With paypal and e-gold, this allows stealing
real money.
Using client certificates to authenticate would solve this, because
even if t
Adam Lydick writes:
> I'd guess that no applications (besides the secure nexus) would
> have access to your "list of doggie names", just the ability to display
> it. The list just indicates that you are seeing a window from one of
> your partitioned and verified applications. I would also assume t
At 5:12 PM -0700 6/8/03, Anne & Lynn Wheeler wrote:
>somebody (else) commented (in the thread) that anybody that currently
>(still) writes code resulting in buffer overflow exploit maybe should be
>thrown in jail.
A nice essay, partially on the need to include technological protections
against hum
--
On 9 Jun 2003 at 2:09, Dave Howe wrote:
> The problem is here, we are blaming the protective device for
> not being able to protect against the deliberate use of an
> attack that bypasses, not challenges it - by exploiting the
> gullibility or tendency to take the path of least resistance
>
--
On 8 Jun 2003 at 20:00, Anne & Lynn Wheeler wrote:
> that is why we coined the term merchant "comfort"
> certificates some time ago. my wife and I having done early
> work for payment gateway with small client/server startup in
> menlo park ... that had this thing called SSL/HTTPS ... and
>
Yes, >NOW< if you can load yourself into kernel space, you can do anything
and everything - Thou Art God to quote Heinlein. This is true of every
OS. Except if you add that nice little TCPA bugger which can verify the
kernel image you're running is the right and approved one. Q.E.D.
Look at the
It's simple. It solves the problem that Microsoft Salesmen have. In
order to sell shit, you have to make it look like gold. Cee Eee Ohs have
heard it said that Microsoft software is insecure crap. Now the Microsoft
Salesmen can do fancy demos with pretty colors and slick Operators Are
standing
> For example, a proposal I saw recently which
> would have the OS decorate the borders of "trusted" windows with facts or
> images that an attacker wouldn't be able to predict: the name of your
> dog, or whatever.
But if the system is rooted, then the attacker merely has to find the
"today's secr
Nomen Nescio <[EMAIL PROTECTED]> writes:
>I don't see how this is going to work. The concept seems to assume that
>there is a distinction between "trusted" and "untrusted" programs. But in the
>NGSCB architecture, Nexus Computing Agents (NCAs) can be written by anyone.
>If you've loaded a Trojan
Tim Dierks wrote:
> - Get browser makers to design better ways to communicate to users that
> UI elements can be trusted. For example, a proposal I saw recently which
> would have the OS decorate the borders of "trusted" windows with facts or
> images that an attacker wouldn't be able to predic
Amir Herzberg <[EMAIL PROTECTED]> writes:
>Ka Ping Yee, User Interface Design for Secure System, ICICS, LNCS 2513, 2002.
Ka-Ping Yee has a web page at http://zesty.ca/sid/ and a lot of interesting
things to say about secure HCI (and HCI in general), e.g. a characterisation
of safe systems vs. gen
James A. Donald wrote:
> Attached is a spam mail that constitutes an attack on paypal similar
> in effect and method to man in the middle.
>
> The bottom line is that https just is not working. It's broken.
HTTPS works just fine.
The problem is - people are broken.
At the very lea
At 02:55 PM 6/8/2003, James A. Donald wrote:
Attached is a spam mail that constitutes an attack on paypal similar
in effect and method to man in the middle.
The bottom line is that https just is not working. It's broken.
The fact that people keep using shared secrets is a symptom of https
not