Re: "Free WiFi" man-in-the-middle scam seen in the wild.
On Tue, January 23, 2007 09:24, Perry E. Metzger wrote:

> (Incidentally, the article gets a few things wrong. It somewhat implies
> that you are safe if you pick a WiFi network you have a previous
> relationship with, which isn't true.)

It also is only warning against ad-hoc connections with misleading names. While I see a bunch of these around (not necessarily in airports, either... several show up from my cube at work), it doesn't take much to put up a perfectly normal-looking access point. See http://www.ethicalhacker.net/content/view/66/24/ for examples.

-- 
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
"Antelope Freeway, one sixty-fourth of a mile." - TFT
http://www.rant-central.com

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: [Cryptocollectors] STU III 2500
Richard Brisson wrote:

> Good morning all,
>
> Available to those in the U.S., STU-III 2500 with manual and AC adapter (and
> perhaps even a key in the plastic bag but it's not stated nor obvious) on
> eBay: 330073910569

This is the first auction I've looked at where eBay is anonymizing the bidder list. It's probably a general policy, but interesting that the first one I saw was for crypto gear.

-- 
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
"It's just this little chromium switch, here." - TFT
CRM114->procmail->/dev/null->bliss
http://www.rant-central.com
Re: UK Government to force disclosure of encryption keys.
Perry E. Metzger wrote:

> Excerpt:
>
> The UK Government is preparing to give the police the authority to
> force organisations and individuals to disclose encryption keys, a
> move which has outraged some security and civil rights experts.
>
> http://news.zdnet.co.uk/0,39020330,39269746,00.htm

Interesting. That's the second reference I've received just this morning to that page, which has gone 404. Anyone have a mirror?

-- 
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
"It's just this little chromium switch, here." - TFT
CRM114->procmail->/dev/null->bliss
http://www.rant-central.com
Re: crypto wiki -- good idea, bad idea?
Travis H. wrote:

> Would a wiki specifically for crypto distribute the burden enough to be useful?
> Or should we just stick to wikipedia? Is it doing a satisfactory job?

I'd read it. More resources == better. But keep the current Wikipedia controversy in mind WRT the veracity of the contributed material. Then again, if it's a crypto wiki, I suppose we could expect some credentialing system to be incorporated. It could even be presented as a tutorial.

-- 
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
"It's just this little chromium switch, here." - TFT
CRM114->procmail->/dev/null->bliss
http://www.rant-central.com
Re: Clearing sensitive in-memory data in perl
Quoting Adam Shostack <[EMAIL PROTECTED]>:

> I recall that for a while if you used gets, the linker would
> complain. I can't recall what platform this was on. BSDi, maybe?

There used to be a fairly standard set of #defines along this line that were added to or some other standard header file. Something like

    #define strcpy  DONT_USE_STRCPY
    #define strncpy DONT_USE_STRNCPY
    #define strcat  DONT_USE_STRCAT
    #define strncat DONT_USE_STRNCAT
    #define gets    DONT_USE_GETS
    #define sprintf DONT_USE_SPRINTF

I don't think it was standard in any platform, though. More of an ad hoc measure.

-- 
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
"It's just this little chromium switch, here." - TFT
SpamAssassin->procmail->/dev/null->bliss
http://www.rant-central.com
Re: Another entry in the internet security hall of shame....
Quoting Ian G <[EMAIL PROTECTED]>:

> Once you've configured iChat to connect to the Google Talk service, you may
> receive a warning message that states your username and password will be
> transferred insecurely. This error message is incorrect; your username and
> password will be safely transferred.
> -=-=-
>
> hmm

Also noted in Psi. Google's instructions for Psi say to leave "Use SSL encryption" and "Allow Plaintext Login" unchecked, but both need to be checked for me to successfully log in. I'm guessing Google is counting on the SSL tunnel to protect the plaintext logins.

-- 
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
"It's just this little chromium switch, here." - TFT
SpamAssassin->procmail->/dev/null->bliss
http://www.rant-central.com
Re: Financial identity is *dangerous*? (was re: Fake companies, real money)
On Sun, 2004-10-24 at 09:35 -0400, [EMAIL PROTECTED] wrote:

> | [EMAIL PROTECTED] writes:
> |
> | >I'm pretty sure that you are answering the question
> | >"Why did Microsoft buy Connectix?"
> |
> | The answer to that one is actually "To provide a
> | development environment for Windows CE (and later XP
> | Embedded)" (the emulator that's used for development
> | in those environments is VirtualPC). Thank you for
> | playing.
>
> TILT
>
> No need to buy a company just to use its
> product in your development shop.
>
> Please insert additional coins.

I'd thought it was so Microsoft could offer an emulation-based migration path to all the apps that would be broken by Longhorn. MS has since backed off on the new filesystem proposal that would have been the biggest source of breakage (if rumors of a single-rooted, more *nix-like filesystem turned out to be true).

-- 
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
"It's just this little chromium switch, here." - TFS
SpamAssassin->procmail->/dev/null->bliss
http://www.rant-central.com
Re: EZ Pass and the fast lane ....
Jerrold Leichter wrote:

> How long before license plates have transponders built into them? After
> all, it's long-established law that you can be required to place an
> identifier on your car when it's on the public roads - why's there a
> difference between one that responds at optical frequencies and one that
> responds at a couple of gigahertz? (For that matter, even if you want to
> stick to optical and you can't get plate reading accurate enough, the
> technology for reading bar codes from moving vehicles is well-developed -
> it's been used for years to identify railroad cars, and many gated
> communities use them to open the gates for cars owned by residents.)

An infrared-reflective bar code would not be visible to the naked eye. That would probably slip past the proles for a good while before the word got out. And once the infrastructure is in place, it would be hard to dislodge.

-- 
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
"It's just this little chromium switch, here." - TFS
SpamAssassin->procmail->/dev/null->bliss
http://www.rant-central.com
Re: High hopes for unscrambling the vote
Roy M. Silvernail wrote:

> R. A. Hettinga quotes Declan McCullagh:
>
> > Bottom line: The technology is still in its prototype stage--but a bigger
> > obstacle may be whether notoriously conservative voting officials can be
> > convinced to try something new.
>
> That's an interesting perspective, considering electronic voting already
> *is* "something new". A man with tinfoil inside his fez might wonder if
> this points to a greater conspiracy that hinges on the lack of a paper
> trail from the voting machines.
>
> Speaking of which, this[1] Cringely column doesn't seem to have received
> much notice, even though it points out that the Diebold machines *already
> have a printer* built in. While it's probably not equipped to do Chaumian
> voter receipts, it could certainly do the old-fashioned human-readable
> type. That's a SMOP.

Sorry... left out the link.

[1] http://www.pbs.org/cringely/pulpit/pulpit20040311.html

-- 
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
Never Forget: It's Only 1's and 0's!
SpamAssassin->procmail->/dev/null->bliss
http://www.rant-central.com
Re: High hopes for unscrambling the vote
R. A. Hettinga quotes Declan McCullagh:

> Bottom line: The technology is still in its prototype stage--but a bigger
> obstacle may be whether notoriously conservative voting officials can be
> convinced to try something new.

That's an interesting perspective, considering electronic voting already *is* "something new". A man with tinfoil inside his fez might wonder if this points to a greater conspiracy that hinges on the lack of a paper trail from the voting machines.

Speaking of which, this[1] Cringely column doesn't seem to have received much notice, even though it points out that the Diebold machines *already have a printer* built in. While it's probably not equipped to do Chaumian voter receipts, it could certainly do the old-fashioned human-readable type. That's a SMOP.

-- 
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
Never Forget: It's Only 1's and 0's!
SpamAssassin->procmail->/dev/null->bliss
http://www.rant-central.com
Re: Article on passwords in Wired News
Eugen Leitl wrote:

> Banks tried to push smart cards, but very half-heartedly (didn't offer
> free readers, which could have created critical mass).

There was one of those "net-only" bank-like operations in the last days of the bubble that did offer free smart-card readers. That's what prompted me to sign up. Of course, the bubble burst and I never did get my free reader.

-- 
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
Never Forget: It's Only 1's and 0's!
SpamAssassin->procmail->/dev/null->bliss
http://www.rant-central.com
Re: Simple SSL/TLS - Some Questions
iang wrote:

> Jill Ramonsky wrote:
>
> > It's worth summing up the design goals here, so nobody gets confused.
> > Trouble is, I haven't figured out what they should all be. The main
> > point of confusion/contention right now seem to be (1) should it be in C
> > or C++?,
>
> C. And write C++ wrappers or let someone else do it.

Yes! Speaking from experience, it's far easier to write a C++ wrapper for a C lib than the other way around. And as Ian said, it's probably easier to get the implementation correct in C, at least as a first pass.

-- 
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
http://www.rant-central.com is the new scytale
Never Forget: It's Only 1's and 0's!
SpamAssassin->procmail->/dev/null->bliss
Don't kill the messenger (was: Re: Reliance on Microsoft called risk to U.S. security)
On Wednesday 01 October 2003 22:02, bear wrote:

> No, it is not. You can make a hyperdocument that is completely
> self-contained and therefore "text", but that is not how HTML is
> normally made. HTML can cause your machine to do things other than
> display it, and to that extent it is "code", not text.

A small nit: HTML is, in fact, text. The effects you describe are the result of a client taking certain actions based on the text/html MIME type. That's the reason you use Pine (and I use Kmail). These clients (and others... yay, elm!) don't take unbidden actions to render HTML mail or cause executable attachments to execute.

> You can't rely on "saving" an HTML document
> and being able to read it years or decades later, because with
> hypertext, maybe the part you're interested in (or need for evidence)
> isn't even on the page you saved.

True, but again, that's a property of HTML. That the HTML document was transmitted through mail is a side issue. It's not that email has been overloaded, through the use of MIME, to carry content other than text/plain. The problem is that certain MUAs have been built to take some default actions based on the MIME types received, and those clients have become (for whatever reason) popular among mail users of a, shall we say, non-technical bent.

> The fact that sending HTML (and other code) through SMTP was not
> considered a violation of SMTP has allowed a generation of mail
> readers to become common that encourage mail viruses, macroviruses,
> worms, and other malicious code. If we are interested in security, we
> need some kind of protocol where we as a group just draw a line and
> say "nothing but text through this port."

SMTP is *already* such a protocol. Base-64 encoding (and UUENCODE before it) was designed to address the 7-bit gateway through which email once passed. MIME only describes and encapsulates non-textual content. (the first M originally stood for 'multimedia', not 'multipurpose') Some mail clients have evolved (or been designed *cough*outlook*cough*) to be infection vectors, but that's not the fault of the base transport protocol. It's the result of poor security decisions in the client design process.

This is not to demonize MIME, either. Some applications, like PGP signatures, are elegant uses. Much better than the X-PGP-Signature header I was helping develop 10 years ago. There's nothing intrinsically wrong with extending mail to carry arbitrary content. The problem appears when the MUA is able to take some risky action with that content, whether automatically or through unwise user action. Grandma clicks on everything. Mail as a vulnerability is a client issue and a training issue.

That said, I also despise HTML mail for all the reasons you describe. But between the September That Never Ended and the release of Mosaic, it's really no surprise that eye candy has become an imperative.
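The message above argues that the transport carries nothing but 7-bit text and that the risky decision (rendering HTML, running an attachment) belongs to the client. The following is an added example, not code from the thread or from any of the mail clients it mentions: it builds a constructed multipart message with a plain-text body, an HTML alternative and a base64-encoded "executable", checks that the wire form really is plain ASCII, and then applies a client-side "nothing but text" policy to each part. The risky-extension list and the verdict names are assumptions chosen for the example.

```python
"""Added example (not from the original thread): a client-side
'nothing but text' MIME policy. All message data here is constructed."""
from __future__ import annotations

from email import message_from_string, policy
from email.message import EmailMessage

# Attachment extensions this toy policy never hands to the user as a file.
# Assumption for the example; a real MUA would consult a much longer list.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".js"}


def build_sample_message() -> str:
    """Constructed multipart message: text/plain body, text/html
    alternative, and a fake PE file attached as application/octet-stream.
    Returns the serialized RFC 822 text exactly as SMTP would carry it."""
    msg = EmailMessage()
    msg["From"] = "grandma@example.test"
    msg["To"] = "roy@example.test"
    msg["Subject"] = "pictures from the reunion"
    msg.set_content("Hi, the pictures are attached. Click the file to view!")
    msg.add_alternative(
        "<html><body><p>Hi, the pictures are attached. "
        "<a href='http://example.test/x'>Click here</a>!</p></body></html>",
        subtype="html",
    )
    # Constructed payload: 'MZ' is the DOS/PE header magic, nothing more.
    msg.add_attachment(
        b"MZ\x90\x00fake-pe-header",
        maintype="application",
        subtype="octet-stream",
        filename="reunion.jpg.exe",
    )
    return msg.as_string()


def transport_is_plain_text(raw: str) -> bool:
    """The author's point about SMTP/MIME: whatever the attachment is,
    base64 puts it on the wire as 7-bit ASCII text."""
    return all(ord(c) < 128 for c in raw)


def classify_parts(raw: str) -> list[tuple[str, str | None, str]]:
    """Walk every leaf part and decide what the client may do with it:
      text/plain  -> 'display'
      text/html   -> 'display-as-source' (no rendering, no remote fetches)
      anything else -> 'quarantine', or 'quarantine-executable' when the
                       declared filename ends in a risky extension.
    Returns (content_type, filename, verdict) for each leaf part."""
    msg = message_from_string(raw, policy=policy.default)
    verdicts = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # multipart containers carry no payload of their own
        ctype = part.get_content_type()
        fname = part.get_filename()
        if ctype == "text/plain":
            verdict = "display"
        elif ctype == "text/html":
            verdict = "display-as-source"
        else:
            verdict = "quarantine"
            if fname and any(fname.lower().endswith(e) for e in RISKY_EXTENSIONS):
                verdict = "quarantine-executable"
        verdicts.append((ctype, fname, verdict))
    return verdicts


def first_attachment_bytes(raw: str) -> bytes:
    """Decode the first attachment: it is the MUA, not the transport, that
    turns the ASCII back into bytes something might execute."""
    msg = message_from_string(raw, policy=policy.default)
    for part in msg.iter_attachments():
        return part.get_payload(decode=True)
    return b""


if __name__ == "__main__":
    raw = build_sample_message()
    print("7-bit clean on the wire:", transport_is_plain_text(raw))
    for ctype, fname, verdict in classify_parts(raw):
        print(f"{ctype:28} {str(fname):20} -> {verdict}")
```

Running it shows three leaf parts: the plain text is displayed, the HTML is shown as source rather than rendered, and the `.exe` is quarantined, while the raw message itself is pure ASCII throughout. The decision lives entirely in `classify_parts`, which is the author's point: the same bytes are harmless or dangerous depending on what the client chooses to do with them.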
Re: VeriSign tapped to secure Internet voting
On Wednesday 01 October 2003 19:53, Ian Grigg wrote:

> "Roy M. Silvernail" wrote:
>
> > On Wednesday 01 October 2003 17:33, R. A. Hettinga forwarded:
> >
> > > VeriSign tapped to secure Internet voting
> > >
> > > "The solution we are building will enable absentee voters to exercise
> > > their right to vote," said George Schu, a vice president at VeriSign.
> > > "The sanctity of the vote can't be compromised nor can the integrity of
> > > the system be compromised--it's security at all levels."
> >
> > One would wish that were a design constraint. Sadly, I'm afraid it's
> > just a bullet point from the brochure.
>
> It's actually quite cunning. The reason that this
> is going to work is because the voters are service
> men & women, and if they attack the system, they'll
> get their backsides tanned.

Good observation. I missed that one.

> Basically, it should
> be relatively easy to put together a secure voting
> application under the limitations, control structures
> and security infrastructure found within the US military.
>
> It would be a mistake to apply the solution to wider
> circumstances, and indeed another mistake to assume
> that Verisign had anything to do with any purported
> "success" in "solving" the voting problem.

Definitely, but I can see Verisign doing both. The rabbit hole gets ever deeper.
Re: VeriSign tapped to secure Internet voting
On Wednesday 01 October 2003 17:33, R. A. Hettinga forwarded:

> VeriSign tapped to secure Internet voting
>
> "The solution we are building will enable absentee voters to exercise
> their right to vote," said George Schu, a vice president at VeriSign. "The
> sanctity of the vote can't be compromised nor can the integrity of the
> system be compromised--it's security at all levels."

One would wish that were a design constraint. Sadly, I'm afraid it's just a bullet point from the brochure.
Re: The real problem that https has conspicuously failed to fix
On Sunday 08 June 2003 06:11 pm, martin f krafft wrote:

> also sprach James A. Donald <[EMAIL PROTECTED]> [2003.06.08.2243 +0200]:
>
> > (When you hit the submit button, guess what happens)
>
> How many people actually read dialog boxes before hitting Yes or OK?

It's slightly more subtle. The action tag of a form submission isn't usually visible to the user like links are. In the scam copy I received, all the links save one pointed to legitimate PayPal documents. Only the
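The observation above is that a phishing mail can show the user nothing but legitimate-looking links while the form's `action` attribute, which no one reads, sends the credentials elsewhere. The following is an added example, not code from the thread: it parses a constructed HTML mail body with the standard library, collects the domains of every visible `<a href>` and every `<form action>`, and reports any form whose target domain differs from the domain the visible links advertise. The scam and legitimate samples, the attacker host `secure-login.example.net`, and the "last two labels" domain approximation are all constructed assumptions for the example.

```python
"""Added example (not part of the original message): flag HTML mail whose
visible links point at the expected domain while a form's action does not.
All HTML below is constructed sample input."""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkAndFormCollector(HTMLParser):
    """Collect link hosts (what the user can see by hovering) and form
    actions (what the user cannot see without reading the source)."""

    def __init__(self) -> None:
        super().__init__()
        self.link_hosts: list[str] = []
        self.form_actions: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.link_hosts.append(urlparse(a["href"]).hostname or "")
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation (assumption for the example;
    a real check would consult the public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def find_mismatched_forms(html: str, expected_domain: str) -> list[dict]:
    """Return one finding per form whose action does not land on
    expected_domain. A relative or host-less action is flagged too: in a
    mail body there is no legitimate base URL for it to resolve against."""
    p = LinkAndFormCollector()
    p.feed(html)
    visible = sorted({registrable_domain(h) for h in p.link_hosts if h})
    findings = []
    for action in p.form_actions:
        host = urlparse(action).hostname or ""
        action_domain = registrable_domain(host) if host else ""
        if action_domain != expected_domain.lower():
            findings.append({
                "action": action,
                "action_domain": action_domain,
                "visible_link_domains": visible,
            })
    return findings


# Constructed scam body: every visible link is legitimate, the form is not.
SAMPLE_SCAM = """
<html><body>
<p>Please <a href="https://www.paypal.com/help">review our policy</a> and
<a href="https://www.paypal.com/security">security center</a>.</p>
<form method="post" action="http://secure-login.example.net/cgi-bin/webscr">
  <input name="login_email"><input name="login_password" type="password">
  <input type="submit" value="Log In">
</form>
</body></html>
"""

# Constructed legitimate body for comparison: form and links agree.
SAMPLE_LEGIT = SAMPLE_SCAM.replace(
    "http://secure-login.example.net/cgi-bin/webscr",
    "https://www.paypal.com/cgi-bin/webscr",
)


if __name__ == "__main__":
    for label, body in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        for f in find_mismatched_forms(body, "paypal.com"):
            print(f"{label}: form posts to {f['action_domain'] or '(relative)'} "
                  f"while visible links show {f['visible_link_domains']}")
```

On the constructed scam body the only finding is the form posting to `example.net` while every visible link shows `paypal.com`; the legitimate variant produces no findings. The check deliberately ignores link text and dialog boxes entirely, since the point of the message is that the attribute doing the damage is the one the user never gets shown.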