Re: Ostiary
On Tue, 2 Aug 2005, Udhay Shankar N wrote:
> Sounds interesting. Has anybody used this, and are there any comments?

For a similar purpose I used to use a .qmail based system: the script is started from .qmail when a message to some special address arrives, the script checks the digital signature on the message, compares the first line with a stored counter (to avoid replay attacks) and executes the needed command.

The positive side of this technique is that it is very simple (just a few lines to code), does not need to open a port (and so it is firewall-friendly, no need to talk with sysadmins, ...), very unlikely to introduce security holes (qmail has quite good records, and in my case the mail was needed anyway).

--
Regards, ASK

P.S. If the moderator is troubled with spam let us agree on some special word in subject so that he can automatically reject the messages which do not have it.

[Moderator's note: blocking messages from non-subscribers has been 100% effective already. --Perry]

- The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
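A sketch of the handler described in the message above, added here as an illustration and not the poster's script. Assumptions: HMAC-SHA256 with a shared key stands in for the digital signature (the post does not name a scheme), and the three-line message layout, the command names and the paths in `ALLOWED` are hypothetical.

```python
import hashlib
import hmac
import os
import tempfile

# Hypothetical allowlist: a message names a command, it never carries one.
ALLOWED = {"open-ssh": ["/usr/local/sbin/open-ssh"],
           "rotate-logs": ["/usr/local/sbin/rotate-logs"]}

def _mac(key: bytes, body: str) -> str:  # assumed stand-in for the signature
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def sign(key: bytes, counter: int, command: str) -> str:
    """Sender side: counter line, command line, MAC line (constructed format)."""
    body = f"{counter}\n{command}\n"
    return body + _mac(key, body) + "\n"

def handle(raw: str, key: bytes, counter_file: str):
    """Receiver side: return the argv to run, or None to drop the message."""
    lines = raw.split("\n")
    if len(lines) != 4 or lines[3] != "":
        return None
    counter_line, command, mac = lines[:3]
    # Authenticate first, in constant time, before trusting any field.
    if not hmac.compare_digest(_mac(key, f"{counter_line}\n{command}\n").encode(), mac.encode()):
        return None
    if not (counter_line.isascii() and counter_line.isdigit()) or command not in ALLOWED:
        return None
    try:
        with open(counter_file) as f:
            last = int(f.read().strip())
    except FileNotFoundError:
        last = 0
    if int(counter_line) <= last:  # replayed or stale message
        return None
    # Store the new counter atomically before the command is run.
    tmp = counter_file + ".tmp"
    with open(tmp, "w") as f:
        f.write(counter_line)
    os.replace(tmp, counter_file)
    return ALLOWED[command]

def demo():
    key = b"constructed-demo-key"  # constructed sample key
    with tempfile.TemporaryDirectory() as d:
        path, msg = os.path.join(d, "counter"), sign(key, 1, "open-ssh")
        return (handle(msg, key, path), handle(msg, key, path),
                handle(msg.replace("open-ssh", "rotate-logs"), key, path),
                handle(sign(key, 2, "rotate-logs"), key, path))
```

Because the mail system may deliver two messages concurrently, a real handler would also hold a file lock around the counter read and update.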
Re: Last WWII Comanche code talker dies in Oklahoma
Andreas Hasenack wrote:
> Wasn't that Navajo instead?

I wondered about that myself. With some googling, I have found that Native American code talkers were used from a number of tribes (Navajo, Comanche, Choctaw). Code talkers were also used in WW I. Here are some links:

http://www.comanchelanguage.org/code_talkers.htm
http://codetalkers.info/content/view/20/37/

-Dan
Standardization and renewability
Dear Colleagues,

I am currently in the process of writing a short position paper about standardization of broadcast renewability schemes. Along with the usual challenges that need to be addressed when defining renewability methods (methods that allow a system to survive successful attacks, basically by changing itself throughout its lifecycle), I am trying to tackle what I consider to be the biggest problem of standardizing a renewability scheme, which is that evolving a standard is too slow and cumbersome of a process to be incorporated into another process that is all about prompt response. Simply put, if a broadcast mechanism is broken there is no time for the standardization committee to re-define it - too much content will be lost by the time the job is done.

Up till now I could come up with three approaches to solve this problem:

1. Limit renewability to keying.
2. Generalize the scheme (like the SPDC concept, or MPEG IPMP), more or less by making the standard part general, with non-standard profiles.
3. Standardize sets of key management methods at once, so to have spares for immediate switching.

If any one of you has any other approach towards solving this issue I will be glad if he posts it on the list. Also, if any one of you would like to get a copy of this paper when it's done, please let me know by e-mailing me directly.

Regards,
Hagai.

---
Hagai Bar-El - Information Security Analyst
T/F: 972-8-9354152
Web: www.hbarel.com
Re: [Clips] Online ID Thieves Exploit Lax ATM Security
two-factor authentication nominal objective is to have different vulnerabilities, i.e. PINs (something you know) is nominally countermeasure to lost/stolen cards (something you have).

However, skimming exploits can copy both magstripe and pin for producing a counterfeit magstripe card that can be used with stolen PIN (common vulnerability) ... minor reference found with search engine:
http://wiki.whatthehack.org/index.php/Time_to_Ditch_the_Magstripe

The phishing vulnerability can steal both account number and PIN for producing counterfeit magstripe card for use with the stolen pin; again, common vulnerability defeating objective of using two-factor authentication.

back in the dark ages there were attacks on magstripe credit cards that used the algorithms for valid account numbers to generate counterfeit magstripe credit cards. magstripes then acquired effectively a kind of hash code as countermeasure to counterfeit magstripes with algorithm generated account numbers. this turns out to also be a countermeasure for counterfeit magstripe credit cards that have been created from phished account number (however this isn't a countermeasure to skimmed magstripe exploit that produces counterfeit magstripe with all the exact information). description of magstripe (and discretionary data field) format:
http://en.wikipedia.org/wiki/Magnetic_stripe_card

PINs have also been used as countermeasure to counterfeit magstripe debit cards ... possibly based on assumption that counterfeit debit magstripe from phishing exploits were similar threat to lost/stolen card. However, this isn't an effective countermeasure when both the PIN and the account number (magstripe) have a common vulnerability (phishing)

As an aside, a countermeasure for lost/stolen cards is also early reporting (owner is aware of the missing card). However this is not applicable to skimmed/phished information since the card owner might not even be aware that it has happened (until after discovering fraudulent transactions).

... spate of recent articles on phishing and ATM/debit

Analysts Say ATM Systems Highly Vulnerable To Fraud
http://www.banktech.com/aml/showArticle.jhtml?articleID=167100238

Something Phishy's Going On
http://www.banktech.com/aml/showArticle.jhtml?articleID=167100396

Analysts Say ATM Systems Highly Vulnerable To Fraud
http://www.banktech.com/news/showArticle.jhtml?articleID=167100238

E-Fraud | Cybercrooks Target ATM And Debit Cards, Steal Billions
http://www.techweb.com/wire/security/167100202

Analysts Say ATM Systems Highly Vulnerable To Fraud
http://www.financetech.com/utils/www.banktech.com/story/enews/showArticle.jhtml?articleID=167100238

Phishers exploiting lax ATM security - Gartner
http://www.finextra.com/fullstory.asp?id=14058

Banks let phishers get away with $2.75bn
http://www.vnunet.com/vnunet/news/2140690/banks-let-phishers-away-75b

Banks let phishers get away with $2.75bn
http://www.pcw.co.uk/vnunet/news/2140690/banks-let-phishers-away-75b

Phishing attacks highlight banks' weaknesses
http://news.zdnet.co.uk/internet/security/0,39020375,39211852,00.htm

Phishers cash in on ATM cards
http://www.zdnetasia.com/news/security/0,39044215,39246973,00.htm

ATM Systems Highly Vulnerable
http://www.newsfactor.com/story.xhtml?story_id=00302F1U
[Clips] Apple adopts controversial security chip
--- begin forwarded text

Delivered-To: [EMAIL PROTECTED]
Date: Wed, 3 Aug 2005 12:21:15 -0400
To: Philodox Clips List [EMAIL PROTECTED]
From: R.A. Hettinga [EMAIL PROTECTED]
Subject: [Clips] Apple adopts controversial security chip
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

http://www.vnunet.com/vnunet/news/2140687/apple-embraces-controversial

VNUNet

Apple adopts controversial security chip

Trusted Platform Module limits OS X to Macs, but could do more

Tom Sanders in California, vnunet.com 03 Aug 2005

Developer preview models of Apple's forthcoming Intel-powered computer contain a security chip that has come under fire for its ability to compromise the privacy of users.

Apple recently started shipping Developer Transition Kits that help developers test and prepare software for the switch to the Intel-powered computers next year.

The kit contains a version of OS X for Intel, and a Mac computer featuring an Intel processor.

The computer features a security chip called the Trusted Platform Module (TPM), an open industry standard governed by the not-for-profit Trusted Computing Group which develops security standards.

The chip's inclusion with the Apple hardware does not come as a complete surprise. It has been previously suggested that Apple could use the TPM to prevent computer users installing the OS X operating system on a non-Mac computer.

"The TPM is going to be the barrier for moving the Mac software to any PC," Martin Reynolds, a research fellow at analyst firm Gartner told vnunet.com.

Each TPM chip contains an encrypted serial number that allows the operating system to verify whether it is running on Apple hardware.

Hackers could in theory forge the serial number, according to Reynolds, fooling the software into believing that it is running on Mac hardware even when it is not.

The security chips are currently included with some PCs for the enterprise market from IBM/Lenovo and HP. They use the TPM to securely store passwords or encrypt data.

The upcoming Windows Vista relies on the TPM for a technology dubbed Secure Startup, which blocks access to the computer if the content of the hard drive is compromised.

This prevents a laptop thief from swapping out the hard drive, or booting the system from a floppy disk to circumvent security features.

Reynolds suggested that in the future software developers could use the chip as an anti-piracy device. The vendor would link the TPM identification number to the software registration key.

However, the TPM has also gained notoriety because it is seen as a way to invade user privacy.

The identifying number built into the chip could be used to limit the fair use of digital media by enforcing digital rights management technologies, or to track users online.

But Reynolds insisted that the fear of such scenarios is overstated, and that privacy-infringing schemes are uncovered sooner or later at great expense to the computer maker.

"There are things that manufacturers could do with the TPM that are very much against the interests of the user. But, in practice, manufacturers have found that it is best not to do that," he said.

Apple did not respond to questions about the TPM in time for this story's posting.

--
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
___
Clips mailing list [EMAIL PROTECTED]
http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text