Re: [Cryptography] Why is emailing me my password?
On Wed, 2 Oct 2013 10:16:42 -0400 Greg g...@kinostudios.com wrote: I'm interested in cases where Mailman passwords have been abused. Show me one instance where a nuclear reactor was brought down by an earthquake! Just one! Then I'll consider spending the $$ on it! Assume for a moment that there are no other systems involved, and compare the failure of a nuclear power plant to a leaked mailman password. On its own, a failure at a nuclear power plant can render tens of thousands of square miles uninhabitable. On its own, a leaked mailman password causes a few minutes of annoyance. Really, the issue here is not mailman. Mailman passwords address a very minor security issue and mailing them in plaintext has no effect on said security. The real issue is that passwords are being used in places where security really does matter, and that someone might have used the same password for mailman as they did for one of those systems. If you ask me, the problem is not mailman sending out the passwords, nor the fact that people often use the same password everywhere; the problem is that passwords are being used to secure important things. -- Ben -- Benjamin R Kreuter UVA Computer Science brk...@virginia.edu KK4FJZ -- If large numbers of people are interested in freedom of speech, there will be freedom of speech, even if the law forbids it; if public opinion is sluggish, inconvenient minorities will be persecuted, even if laws exist to protect them. - George Orwell signature.asc Description: PGP signature ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] Why is emailing me my password?
On Tue, 1 Oct 2013 10:28:48 -0400 Greg g...@kinostudios.com wrote: So, my password, iPoopInYourHat, is being sent to me in the clear by your servers. Two things to keep in mind: 1. The damage one can do to you with knowledge of this password is beyond minimal. You might have your list subscriptions changed; so what? 2. The password is sent just in case you forgot it and want to unsubscribe. Without the password, any troll might unsubscribe you from the list by simply forging headers. Were this to be encrypted, you would wind up with the classic problem of lost private keys, leaving people who forgot their password unable to unsubscribe (at least in any automated fashion). -- Ben -- Benjamin R Kreuter UVA Computer Science brk...@virginia.edu KK4FJZ -- If large numbers of people are interested in freedom of speech, there will be freedom of speech, even if the law forbids it; if public opinion is sluggish, inconvenient minorities will be persecuted, even if laws exist to protect them. - George Orwell signature.asc Description: PGP signature ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] Opening Discussion: Speculation on BULLRUN
On Fri, 6 Sep 2013 01:19:10 -0400 John Kelsey crypto@gmail.com wrote: I don't see what problem would actually be solved by dropping public key crypto in favor of symmetric only designs. I mean, if the problem is that all public key systems are broken, then yeah, we will have to do something else. But if the problem is bad key generation or bad implementations, those will be with us even after we abandon all the public key stuff. Not necessarily. A bad implementation of a block cipher will be probably spotted quickly if you need it to interoperate with a good implementation; a bad implementation of a public key cipher might interoperate just fine with good implementations. Public key systems often have parameters or requirements that affect security without affecting the correctness of encryption or decryption. ElGamal encryption might appear to work even though you are using a group where the DDH assumption does not hold. Elliptic curve systems have even more parameters that need to be set correctly for security. I am not saying that we should abandon public key cryptography, I am just saying that there a number of ways for public key systems to go wrong that do not apply to symmetric ciphers. Just my 2 cents, Ben -- Benjamin R Kreuter UVA Computer Science brk...@virginia.edu KK4FJZ -- If large numbers of people are interested in freedom of speech, there will be freedom of speech, even if the law forbids it; if public opinion is sluggish, inconvenient minorities will be persecuted, even if laws exist to protect them. - George Orwell signature.asc Description: PGP signature ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography