Re: [cryptography] NSA Molecular Nanotechnology hardware trojan
Guys, are you trying to kill this list as well? Can you, please, move this discussion to the sci-fi or theory of conspiracy _forums_. Before posting here, please, consider how relevant the discussion is to Cryptography and how many people will have to read through your insanely smart comments. Cheers, Krassimir On Mon, Jan 6, 2014 at 7:22 AM, Kevin kevinsisco61...@gmail.com wrote: On 1/5/2014 10:22 PM, Roth Paxton wrote: I know that this is going to sound nearly impossible and I cannot fully explain how it works but after witnessing the evidence left behind by this technology I feel that it is necessary to inform the more intelligent out there of the reality of how the NSA is bridging the air gap on secure systems. Several years ago at a friends house I for some reason got to looking around the house with a magnifying glass and discovered some very small perfectly straight scratches on objects around the house. I thought that I could determine whether or not they were man-made because they just appeared too straight and something about them just looked funny. I attempted to align several magnifying glasses with alligator clamps and a metal base so that I could study the scratches under a variety of different lights. I tried ultra violet, green and red light from varying angles. Immediately I noticed that what I thought to be scratches were actually microscopic inscriptions. Unable to read them I went to the hardware store and procured a small pen microscope. By holding the green light at a 45 degree angle I could make out the words THE UNITED STATES OF AMERICA written multiple times. The words themselves were inscribed so perfectly that they appeared to be a scratch to the naked eye. At 75x magnification in all caps they were barely legible. After finding this I began to wonder how it had been done. All that I can figure is that the NSA is using nanites to spy on us. If this is accurate then they have a device that is essentially comprised of millions of nanites that have cutting tools and exhibit swarm behavior that work collectively to infiltrate computer systems by cutting directly into our boards and chips. These devices are mobile hardware trojans. Dont ask me how something so small could be capable of transmitting but I have witnessed it. Whatever frequency they are emitting is not a standard electromagnetic frequency. I believe that they are emitting some other type of frequency that is maybe positronic or some other wierd science. The NSA has all the geniuses. Sent from Yahoo Mail on Androidhttp://overview.mail.yahoo.com/mobile/?.src=Android ___ cryptography mailing listcryptography@randombit.nethttp://lists.randombit.net/mailman/listinfo/cryptography Let's assume (for a second, ha ha) that everything you said is the truth. So what? What do you propose we do about it? Now let's get realistic! Yes, such technology is out there but I see this as propaganda. Verry dangerous propaganda at that. -- Kevin ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Can we move to a forum, please?
This _was_ a good quality very high signal to noise ratio list but over the past 3 months had turned into a very noisy, full of social chatter one. I am thinking there is a way to combine the best of both worlds by moving the social element to a forum and keep the legit content on the mailing list. Cheers, Krassimir On Tue, Dec 24, 2013 at 4:41 PM, Aaron Turner synfina...@gmail.com wrote: This is a solution in search of a problem. This list is neither high traffic or diverse enough to warrant a forum. -- Aaron Turner http://synfin.net/ Twitter: @synfinatic Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] not a Paypal phish using EV certificate
To: James, just with the scope of large/small cookies. The problem is that if your cookie is a single number and you have multiple frontends able to process the request (and you are load balancing) you need to have those share state in which might not make sense (esp. if you have geo-distributed LB that allows users to migrate between different data centers because at that point you need to account for cross data center latency). So usually people end up putting the state data in the cookie and then sign it in some way. Sometimes the large and multiple cookies are a matter of low level of coordination between teams writing different parts of the app/libraries, and sometimes it's pure incompetency :) Regarding multiple domains, one of the reasons is the larger companies would push the static content to CDN and only keep the core logic on site, thus accelerating delivery. In addition to that in PP's case they are moving to the CDN a lot of user provided content so combine that with what was already said about separating the domain so cookies cannot be stolen. Best, Krassi On Tue, Aug 13, 2013 at 4:38 PM, Seth David Schoen sch...@eff.org wrote: James A. Donald writes: Although websites often use huge numbers of huge cookies, one can easily optimize one's cookie use. I can see no reason why anyone would ever need more than a single 96 bit cookie that is a random number. They might want to make the content and purpose of the cookie transparent to the user, and perhaps even reassure the user that the cookie can't easily be used as a unique identifier for the user's browser. On the flip side, there are also some mechanisms to store authenticated, encrypted session state in its entirety on the client in order to _avoid_ storing it in a database on the server. -- Seth Schoen sch...@eff.org Senior Staff Technologist https://www.eff.org/ Electronic Frontier Foundation https://www.eff.org/join 815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107 ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Certificate expiry reminder tool?
Also be aware of the caveat that if you have a VIP with SSL termination behind it (i.e. on the hosts) and the CN points to the VIP you will be hitting only one of the many servers when doing verification. Same story with geo load balancing. It gets worse with active-passive deployments since you may change the active (which you are probing) and when it fails and you automatically fall back to the backup you may find it with broken certificates. So make sure you test all resources that have the certificate and not just the resource that the CN resolves to. Cheers, Krassi On Thu, May 23, 2013 at 8:18 AM, Moritz mor...@headstrong.de wrote: A generic solution is any kind of scheduler/calendar/reminder, right? Or what kind of tool to you imagine, and how is that specific to crypto? On 23.05.2013 16:05, Hans-Joachim Knobloch wrote: Dear all, is anyone of you aware of a (preferably open source) tool that keeps a database of certificates and sends e-mail reminders about the impending expiry (and hence the probable necessity of a renewal) to configurable e-mail address of the respective responsible person? Regards, Hans-Joachim. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] skype backdoor confirmation
To the best of my knowledge in Russia (no, I'm not Russian nor have lived there so I'm not 100% sure) you need to submit a copy of the private key if you are operating a website providing encryption on their territory to allow for legal intercept. They also have other provisions about wiretapping and monitoring which would mean that Skype really has not options if they want to _legally_ operate there... It's just the way the local legislation is rather than a function of how Skype is. They are just following the law. Now if somebody does not like the law there are other ways to approach this but breaking/violating it is usually one that is not effective. I think this discussion is focusing too much into the technical details and forgets a simple detail - doing some of those things to increase privacy may itself be _illegal_ in certain jurisdictions which make this even more fun. It's not impossible but it is usually very difficult to provide technical solutions to political/politics problems. That's of course just my experience :) Cheers, Krassimir On Sat, May 18, 2013 at 10:12 PM, Jane th...@angels.la wrote: At the risk of sounding rude, crude, and yellow-pressish, I'd like to provide this link http://www.themoscownews.com/russia/20130314/191336455/FSB-Russian-police-could-tap-Skype-without--court-order.html If software has a soul, Skype's is long since sold. Sincerely yours, Jane On Sun, May 19, 2013 at 8:05 AM, John Levine jo...@iecc.com wrote: I was a technical expert in a pump and dump spam trial last fall, and a large part of the evidence was Skype chat logs among the members of the spamming group. Who provided the chat logs? Were they provided by Skype or where they provided by one or the other members? The reason I ask is that if there is any sensitivity in sources, the prosecutors will routinely obscure the sources. I got them from the prosecutors. They appeared to have been provided by Skype. R's, John ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] The NSA and secure VoIP
The way I read it is something much simpler than attacking the encryption - it seams to be about operational procedures security. Think if somebody mis-configures something on the first layer you still have the second layer. Now if you add two separate teams managing each layer then you have a good chance they will not do the same mistake. Or if I have to be a bit more cold war - if keying material managed in one of the layers leaks out then the other layer provides protection. So two teams, to operation procedure sets and two sets of keys (oversimplifying here) and an attacker has to be able to infiltrate both... Krassimir On Fri, Mar 2, 2012 at 6:48 AM, Steven Bellovin s...@cs.columbia.edu wrote: On Mar 2, 2012, at 2:59 AM, Marsh Ray wrote: On 03/01/2012 09:31 PM, Jeffrey Walton wrote: Interesting. I seem to recall that cascading ciphers is frowned upon on sci.crypt. I wonder if this is mis-information Not mis-information. You could easily end up enabling a meet-in-the-middle attack just like double DES. https://en.wikipedia.org/wiki/Meet-in-the-middle_attack Meet-in-the-middle attacks don't weaken things; they merely don't give you as much advantage as one might suppose. Note, though, that you need 2^n storage. This is Suite B/Top Secret, which means 256-bit AES, which means that you would need 2^260 bytes of storage. That's too much, even for NSA, so those attacks aren't even relevant. Where NSA has a strong edge over most civilian crypto folks is that they understand that they're dealing with a *system* -- not just a cipher, but key exchange, key storage, timing attacks and other side channels, buggy implementations, very fallible (or corrupt[ed]) people, etc. Maybe SRTP is weak in a way they haven't found. Maybe IPsec is. They've looked at both and don't think so, but they can't rule it out. But if you combine both *and* you do it in a way you think actually buys you something, you've protected yourself against a lot of those failures. Both would have to fail, and in a compatible way, for there to be a weakness. --Steve Bellovin, https://www.cs.columbia.edu/~smb ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] trustwave admits issuing corporate mitm certs
While I'm not a lawyer and my opinion is in noway authoritive I do not believe there is any violation. They ay be an accessory to a potential crime but they themselves did not do the tapping. Now on the other hand those companies that did the tapping should be OK for as long as they are clear with the employees that they cannot expect privacy, which usually is the case. Usually this is in the paperwork you sing when you start working there in the section privacy policy. KTT On Sun, Feb 12, 2012 at 1:27 AM, Jeffrey Walton noloa...@gmail.com wrote: On Sun, Feb 12, 2012 at 4:04 AM, Adam Back a...@cypherspace.org wrote: So it happened, per recent discussion on this list, it seems that at least one CA *has* been issuing sub-CA certs for corporate use in mitm boxes. http://www.infoworld.com/d/security/trustwave-admits-issuing-man-in-the-middle-digital-certificate-185972 mozilla is threatening to remove the CA from their browser. Trustwave says they have/will revoke all these sub-CAs and will not issue any more. They also claim in their defense that other CAs are doing this. Evading computer security systems and tampering with communications is a violation of federal law in the US. So says the US Attorney General in New Jersey when he charged Wiseguys Tickets with gaming the TicketMaster systems [1,2]. If the Attorney General is to be believed, Trustwave (et al) violated 18 USC 1030 (a) (4) and 1030 (c) (3) (a). Jeff [1] http://www.wired.com/threatlevel/2010/03/wiseguys-indicted/ [2] http://www.wired.com/images_blogs/threatlevel/2010/03/wiseguys-indictment-filed.pdf ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] trustwave admits issuing corporate mitm certs
Again, I'm not a lawyer but if somebody legally purchases a gun from you for a legitimate purpose and then abuse it your are not liable (US context here). The same way if somebody purchases this cert to monitor their employees for data exfiltration (perfectly good reason, if specified in the privacy policy), thus they are being totally legal. You have no way of knowing if they abuse the certificate to tap their neighbors for example. No on the USC items that were mentioned. They are about exceeding access, etc. They would not be exceeding access if it is in the privacy policy that they can monitor you for X activity. Best, Krassimir On Sun, Feb 12, 2012 at 3:09 AM, Jeffrey Walton noloa...@gmail.com wrote: On Sun, Feb 12, 2012 at 5:43 AM, Krassimir Tzvetanov mailli...@krassi.biz wrote: While I'm not a lawyer and my opinion is in noway authoritive I do not believe there is any violation. They ay be an accessory to a potential crime but they themselves did not do the tapping. I think its a bit broader than an accessory since they knoew what the company wanted to do. Trustwave was onsite and set the system up - they were clearly a co-conspirator. They even bragged about how ethical it was because they used an HSM. Jeff On Sun, Feb 12, 2012 at 1:27 AM, Jeffrey Walton noloa...@gmail.com wrote: On Sun, Feb 12, 2012 at 4:04 AM, Adam Back a...@cypherspace.org wrote: So it happened, per recent discussion on this list, it seems that at least one CA *has* been issuing sub-CA certs for corporate use in mitm boxes. http://www.infoworld.com/d/security/trustwave-admits-issuing-man-in-the-middle-digital-certificate-185972 mozilla is threatening to remove the CA from their browser. Trustwave says they have/will revoke all these sub-CAs and will not issue any more. They also claim in their defense that other CAs are doing this. Evading computer security systems and tampering with communications is a violation of federal law in the US. So says the US Attorney General in New Jersey when he charged Wiseguys Tickets with gaming the TicketMaster systems [1,2]. If the Attorney General is to be believed, Trustwave (et al) violated 18 USC 1030 (a) (4) and 1030 (c) (3) (a). Jeff [1] http://www.wired.com/threatlevel/2010/03/wiseguys-indicted/ [2] http://www.wired.com/images_blogs/threatlevel/2010/03/wiseguys-indictment-filed.pdf ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography