RE: Unforgeable dialog.
This concept is surprisingly complex. Once the attacker sees the secure dialog, what prevents them from using the same techniques and/or code to create a visually identical spoof?

There have been several OS-level designs to create hardware-supported secure dialogs. Needless to say, these schemes became exceedingly complex and had a variety of implementation issues (i.e. special graphics hardware, drivers, TCMs, etc.). I don't see your proposals as providing 'secure' data viewing or data entry solutions.

IMHO, the best bet is currently provided by layered security software where each component monitors and reports on the others. Even this approach is temporary at best, as we're now seeing with malware that attacks by first disabling the currently available protection layers (e.g., anti-virus, firewalls).

-Piers

--
Piers Bowness
I know what I believe, and I believe what I believe is right. - G.W. Bush

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Face and fingerprints swiped in Dutch biometric passport crack (another card skim vulnerability)
Anne Lynn Wheeler pointed out:

> Face and fingerprints swiped in Dutch biometric passport crack
> http://www.theregister.co.uk/2006/01/30/dutch_biometric_passport_crack/

Didn't the EU adopt the same design that the US uses?

Am I right to presume that the passport RFID chip used by the Dutch is the same -- or functions the same -- as the one used in the new US digital passports?

From what I've read, it seems that the sequential numbering scheme the Dutch use on their passports may have made this attack easier -- but it was already feasible, and will be against the passports of other nations which did not so helpfully minimize their obfuscation technique with sequential numbering?

Anyone got more details than those offered in the Riscure press release? Thoughts?

_Vin

> The crack is attributed to Delft smartcard security specialist Riscure, which explains that an attack can be executed from around 10 metres and the security broken, revealing date of birth, facial image and fingerprint, in around two hours.
>
> .. snip ..
Re: CD shredders, was Re: thoughts on one time pads
On Feb 1, 2006, at 3:50 AM, Travis H. wrote:

> On 1/28/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>> In our office, we have a shredder that happily takes CDs and is designed to do so. It is noisy and cost $500.
>
> Here's one for $40, although it doesn't appear to shred them so much as make them pitted:
> http://www.thinkgeek.com/gadgets/security/6d7f/

For a few more dollars, you can get one where the residue is powder:
http://www.securityprousa.com/dodcddestroyer.html.
Re: Face and fingerprints swiped in Dutch biometric passport crack (another card skim vulnerability)
On Wed, Feb 01, 2006 at 02:03:10PM -0500, [EMAIL PROTECTED] wrote:
| Anne Lynn Wheeler pointed out:
|
| Face and fingerprints swiped in Dutch biometric passport crack
| http://www.theregister.co.uk/2006/01/30/dutch_biometric_passport_crack/
|
| Didn't the EU adopt the same design that the US uses?

Passport standards are written by the International Air Travel Association (IATA).

| Am I right to presume that the passport RFID chip used by the Dutch is the
| same -- or functions the same -- as the one used in the new US digital
| passports?
|
| From what I've read, it seems that the sequential numbering scheme the
| Dutch use on their passports may have made this attack easier -- but it
| was already feasible, and will be against the passports of other nations
| which did not so helpfully minimize their obfuscation technique with
| sequential numbering?
|
| Anyone got more details than those offered in the Riscure press release?
| Thoughts?

The papers explain the attack in fair detail. I blogged every useful link I could find a few days ago at http://www.emergentchaos.com/archives/002355.html, and there are more links in the comments.

Adam

| _Vin
|
| The crack is attributed to Delft smartcard security specialist Riscure,
| which explains that an attack can be executed from around 10 metres and
| the security broken, revealing date of birth, facial image and
| fingerprint, in around two hours.
|
| .. snip ..
Re: CD shredders, was Re: thoughts on one time pads
I have an Executive Machines EPS-1501X cross-cut shredder (15 sheet, I think) which also shreds CDs. And it really shreds them, into about 1/4 x 1 strips. It's no louder than any other home/office shredder I've used, though it is louder when shredding CDs.

Jim

--- Travis H. [EMAIL PROTECTED] wrote:

> On 1/28/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>> In our office, we have a shredder that happily takes CDs and is designed to do so. It is noisy and cost $500.
>
> Here's one for $40, although it doesn't appear to shred them so much as make them pitted:
> http://www.thinkgeek.com/gadgets/security/6d7f/
>
> --
> The generation of random numbers is too important to be left to chance.
> -- Robert Coveyou
> --
> http://www.lightconsulting.com/~travis/
> GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B

--
James K. Deane
Physicist and Geospatial Analyst
[EMAIL PROTECTED]
serious threat models
I hate to play clipping service, but this story is too important not to mention. Many top Greek officials, including the Prime Minister, and the U.S. embassy had their mobile phones tapped. What makes this interesting is how it was done: software was installed on the switch that diverted calls to a prepaid phone. Think about who could manage that.

http://www.guardian.co.uk/mobile/article/0,,1701298,00.html
http://www.globetechnology.com/servlet/story/RTGAM.20060202.wcelltap0202/BNStory/International/

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb