RE: Russian cyberwar against Estonia?
Bill Stewart wrote:

> At 01:04 PM 5/18/2007, Trei, Peter wrote:
>> If the Russians aren't behind this, who else should be suspected? It isn't like Estonia has a wide selection of enemies. :-)
>
> There are three likely suspects
> - the actual Russian government (or some faction thereof)
> - Russian Mafia for whatever reasons (might not be distinct from a faction of the government, and usually if the Mafia's involved they're polite enough to send a note demanding money or something.)
> - Some teenage hacker who got annoyed at some other teenage hacker because they got into an argument on WoW or Myspace and decided to DDOS him (usually attacks like that don't take down much more than a small ISP or a university, but like "D00d, you're so 0wn3d, I can take down ur whole *country*" :-)
> The latter isn't as far-fetched as it sounds (well, ok a bit...)

This threatens to get off-topic. To drag it back, I'll note that NATO has sent electronic warfare experts to observe and advise, and there is much speculation as to how countries should respond to such cyber attacks - at what point do they become an act of war, and how much certainty of the source must there be to merit a response?

I guess it's possible this was a random hacker, but the timing seems implausible. Aside from the DDOS attacks, many Estonian websites have been vandalized, and the vandals made it clear the moving of the monument was their motivation. Check out:

http://www.economist.com/world/europe/displaystory.cfm?story_id=9163598

In addition, Estonia's embassy in Moscow has been blockaded, Russia has cut off oil and coal shipments, and closed some road and rail links. Putin has described the move as a 'desecration'. This is a major diplomatic feud.
In fairness, it's worth noting that the issue is also mixed up in Estonian electoral politics:

http://news.bbc.co.uk/1/hi/world/europe/6645789.stm

The timing of the electronic attacks, and the messages left by vandals, leave little doubt that the 'Bronze Soldier' affair is the motivating factor. Whether Russian Government agents were involved in the attacks is not proven, but certainly seems possible.

Peter Trei

Disclaimer: My own opinions; not my employer's.
Full disclosure: My ancestry is half Estonian.

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: 307 digit number factored
On Mon, May 21, 2007 at 08:07:24PM -0700, Paul Hoffman wrote:

>> The other issue is that sites will need multiple certs during any transition from RSA to ECC, because the entire Internet won't upgrade overnight. I am not expecting public CAs to cooperate by charging the same price for two certs (RSA and ECC) for the same subject name(s), this also may significantly impede migration.
>
> That's good of you not to expect it, given that zero of the major CAs seem to support ECC certs today, and even if they did, those certs would not work in IE on XP.

We are not talking about this year or next of course. My estimate is that Postfix releases designed this year ship next year, are picked up by some O/S vendors the year after and shipped perhaps a year after that, then customers take a few years to upgrade, ... So for some users Postfix 2.5 will be their MTA upgrade in 2011 or later.

So we need to anticipate future demand by a few years to be current at the time that users begin to use the software. As 1024 RSA keys are not a major risk *today*, but that may be in sight, it is not unreasonable to explore the (multi-year) road to ECC adoption. There are many obstacles, it may take a long time, but I am removing the one obstacle I can remove...

Initially ECC in Postfix will be used by private arrangements between sites that manually exchange keys and have no need of a public CA. Postfix 2.5 also includes a new "fingerprint" security level, where the SMTP client verifies the server certificate by its md5, sha1, or SHA256/384/512 fingerprint. (No support for web-of-trust, one step at a time).

--
Victor Duchovni
IT Security, Morgan Stanley
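The fingerprint-pinning check described for Postfix 2.5 above, as an added illustration that is not Postfix's own code: it normalises a colon-separated or bare-hex fingerprint, infers the digest from its length (md5, sha1, SHA256/384/512), and compares it in constant time against a pin list exchanged out of band. The certificate bytes below are a constructed stand-in rather than a real DER certificate, and the "refuse weak digests unless told otherwise" policy is an assumption of this example.

```python
import hashlib
import hmac

# Digest length in bytes -> algorithm name; the set the message lists.
_ALGS_BY_LEN = {16: "md5", 20: "sha1", 32: "sha256", 48: "sha384", 64: "sha512"}
# Assumed policy for this example: collision-prone digests are off by default.
WEAK_DIGESTS = {"md5", "sha1"}


def parse_fingerprint(fp):
    """Turn 'AB:CD:..' or 'abcd..' into (algorithm, raw digest bytes).

    The algorithm is inferred from the digest length, so one pin list may
    mix md5, sha1 and sha2 fingerprints. Raises ValueError on bad input.
    """
    raw = bytes.fromhex(fp.replace(":", "").strip())
    alg = _ALGS_BY_LEN.get(len(raw))
    if alg is None:
        raise ValueError(f"unsupported fingerprint length: {len(raw)} bytes")
    return alg, raw


def cert_fingerprint(cert_der, alg):
    """Digest of the DER-encoded certificate, as Postfix-style pins are computed."""
    return hashlib.new(alg, cert_der).digest()


def format_fingerprint(cert_der, alg="sha256"):
    """Render a pin in the colon-separated upper-case form used in configs."""
    return ":".join(f"{b:02X}" for b in cert_fingerprint(cert_der, alg))


def verify_by_fingerprint(cert_der, pinned, allow_weak=False):
    """Return (matched, algorithm) for the first pin that matches cert_der.

    Comparison is constant-time; weak digests are skipped unless allow_weak.
    """
    for fp in pinned:
        alg, expected = parse_fingerprint(fp)
        if alg in WEAK_DIGESTS and not allow_weak:
            continue
        if hmac.compare_digest(cert_fingerprint(cert_der, alg), expected):
            return True, alg
    return False, None


# Constructed stand-in for a peer's DER certificate (not a real certificate).
PEER_CERT_DER = b"\x30\x82\x01\x0a-constructed-peer-certificate-bytes-"
```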
Re: 307 digit number factored
FWIW, according to Arjen Lenstra, there should be a better paper than the physorg.com article on the eprint.iacr.org site next week, hopefully.

At 4:32 PM -0400 5/21/07, Victor Duchovni wrote:

> When do the Certicom patents expire?

Which ones? They have many. Using EC depends on how brave you are and which country you are in.

> I really don't see ever longer RSA keys as the answer, and the patents are I think holding back adoption...

Because I agree with the latter, I disagree with the former, at least for a few more years and until a few people are braver than I am.

> The other issue is that sites will need multiple certs during any transition from RSA to ECC, because the entire Internet won't upgrade overnight. I am not expecting public CAs to cooperate by charging the same price for two certs (RSA and ECC) for the same subject name(s), this also may significantly impede migration.

That's good of you not to expect it, given that zero of the major CAs seem to support ECC certs today, and even if they did, those certs would not work in IE on XP.

--Paul Hoffman, Director
--VPN Consortium
Re: 307 digit number factored
Victor Duchovni wrote:

> The other issue is that sites will need multiple certs during any transition from RSA to ECC, because the entire Internet won't upgrade overnight. I am not expecting public CAs to cooperate by charging the same price for two certs (RSA and ECC) for the same subject name(s), this also may significantly impede migration.

in theory, certification authorities charge for the certification operations that they perform ... and the certificate is just a representation of that certification process. somewhere over the yrs the term "certification authority" was truncated to "certificate authority" ... along with some impression that certificates are being sold (as opposed to certification processes).

doing a quick web search of licensing and certification agencies ... it looks like there is a charge for replacing certificates/licenses ... but nothing compared to the charge for the original certification process.

of course ... the whole licenses/credentials/certificates are an offline world paradigm. licensing, credentialing, and certifications can be validated with online, real-time operations ... obsoleting any requirement for supporting offline methodologies.

it would be really great to make it an excuse to move away from the offline paradigm to real online operation ... getting totally rid of the need for domain name certificates ... DNS serving up both ip-addresses and public keys in a single operation.
Re: Russian cyberwar against Estonia?
Bill Stewart wrote:

> - Some teenage hacker who got annoyed at some other teenage hacker because they got into an argument on WoW or Myspace and decided to DDOS him

Some years back, I was on the receiving end of this type of scenario bringing down connectivity for a small European country, and it was a larger one than Estonia. Out of curiosity, does anyone have information on how fat Estonia's external pipes are?

--
Ivan Krstić <[EMAIL PROTECTED]> | GPG: 0x147C722D