[Full-disclosure] Rapid integer factorization = end of RSA?
Hi list!

I discovered a new method of integer factorization for any-precision numbers; probably it will be the end of the RSA era.

Details:

Let N be the ring and N = p*q. Then (-p) in terms of ring(N) is equal to (N-p).

Lemma: p*(-q) = p*q*(-p) and respectively: (-p)*q = p*q*(-q)

Proof:
p*(-q) = p*(N-q) - by the data, then
p*(-q) = p*(p*q-q) = p*p*q - p*q = p*q*p - p*q = (p-1)*(p*q)
(-p)*q = q*(N-p) - by the data, then
(-p)*q = (p*q-p)*q = p*q*q - p*q = p*q*q - p*q = (q-1)*(p*q)
Q. E. D.

Hypothesis:
Let N = p*q = A1*B1 + A2*B2 + ... + An*Bn
Then there exists some subset (A1...An) and respective subset (B1...Bn) which satisfies the equality:
A1*(-B1) + A2*(-B2) + ... + An*(-Bn) = p*(-q) = p*q*(p-1)
or
A1*(-B1) + A2*(-B2) + ... + An*(-Bn) = (-p)*q = p*q*(q-1)

If such (A1...An) and (B1...Bn) are found, we can find p or q by dividing p*(q-1) by p*q:
p*(q-1) = p*q*(p-1) = (p*(q-1))/(p*q) = (p-1) = (p-1)+1 = p
or
(p-1)*q = p*q*(q-1) = ((-p)*q)/(p*q) = (q-1) = (q-1)+1 = q

Sample: 21 = 3*7
Let's view the binary representation of this number:
10101 = 2^4 + 2^2 + 1 = 4*4 + 2*2 + 1*1
Then we can try to find 7*(-3) in terms of ring(21):
4*(-4) + 2*(-2) + 1*(-1) = 4*(21-4) + 2*(21-2) + 1*(21-1) = 4*17 + 2*19 + 1*20 = 68+38+20 = 126 = 6*21
6+1 = 7

This implementation of my hypothesis has very hard complexity (about log2(N)! comparisons), but there exists a short way with fixed complexity for the implementation of the hypothesis (plan B) - but, for ethical reasons, I'll not post it here.

Regards,
Eugene Chukhlomin

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Rapid integer factorization = end of RSA?
On Thu, Apr 26, 2007 at 10:53:56AM +0400, Eugene Chukhlomin wrote:
> Hi list! I discovered a new method of integer factorization for any-precision numbers; probably it will be the end of the RSA era.
>
> Details:
> Let N be the ring and N = p*q. Then (-p) in terms of ring(N) is equal to (N-p).
>
> Lemma: p*(-q) = p*q*(-p) and respectively: (-p)*q = p*q*(-q)
> Proof:
> p*(-q) = p*(N-q) - by the data, then
> p*(-q) = p*(p*q-q) = p*p*q - p*q = p*q*p - p*q = (p-1)*(p*q)
> (-p)*q = q*(N-p) - by the data, then
> (-p)*q = (p*q-p)*q = p*q*q - p*q = p*q*q - p*q = (q-1)*(p*q)
> Q. E. D.

Funny way to pull the -1 out from the parenthesis.
  p * (-q) = p * (-1) * q = p * q * (-1)   (mod pq)
That is, p * (-q) = 0 (mod pq).

> Hypothesis:
> Let N = p*q = A1*B1 + A2*B2 + ... + An*Bn
> Then there exists some subset (A1...An) and respective subset (B1...Bn) which satisfies the equality:
> A1*(-B1) + A2*(-B2) + ... + An*(-Bn) = p*(-q) = p*q*(p-1)
> or
> A1*(-B1) + A2*(-B2) + ... + An*(-Bn) = (-p)*q = p*q*(q-1)

For example, the whole A_k and B_k, k = {1..n} sets? The second and third expressions in both lines are congruent to 0 mod pq.

> If such (A1...An) and (B1...Bn) are found, we can find p or q by dividing p*(q-1) by p*q:
> p*(q-1) = p*q*(p-1) = (p*(q-1))/(p*q) = (p-1) = (p-1)+1 = p
          ^
This is untrue.
  p * (q - 1) = p * q - p = -p != 0   (mod pq)
  p * q * (p - 1) = 0 * (p - 1) = 0   (mod pq)

> p*(q-1) = p*q*(p-1) = (p*(q-1))/(p*q) = (p-1) = (p-1)+1 = p
                                 ^^^
Dividing by zero in _any ring_ is illegal.

By the way, if you find x = p * (q - 1) you can use the Euclidean algorithm to find GCD(x, pq). Since GCD(q - 1, q) = 1, you get GCD(x, p), and that would be p as p divides x.

> Sample: 21 = 3*7
> Let's view the binary representation of this number:
> 10101 = 2^4 + 2^2 + 1 = 4*4 + 2*2 + 1*1
> Then we can try to find 7*(-3) in terms of ring(21):
                          ^^
> 4*(-4) + 2*(-2) + 1*(-1) = 4*(21-4) + 2*(21-2) + 1*(21-1) = 4*17 + 2*19 + 1*20 = 68+38+20 = 126 = 6*21
> 6+1 = 7

OK, but where did you get 7 and -3 (from the underscored expression) from? 3*7 is public, but both 3 and 7, as elements of the multiplication, are private.

And if you get the (7, -3) pair, why didn't you simply multiply the second element of this pair by -1?

> This implementation of my hypothesis has very hard complexity (about log2(N)! comparisons), but there exists a short way with fixed complexity for the implementation of the hypothesis (plan B) - but, for ethical reasons, I'll not post it here.
>
> Regards,
> Eugene Chukhlomin

-- 
Stanislaw Klekot
Re: [Full-disclosure] Rapid integer factorization = end of RSA?
> Funny way to pull the -1 out from the parenthesis.
>   p * (-q) = p * (-1) * q = p * q * (-1)   (mod pq)
> That is, p * (-q) = 0 (mod pq).

Well, let's prove it: some days ago RSA-640 was factored, therefore I'll use this number for the proof.

N = p*q = 3107418240490043721350750035888567930037346022842727545720161948823206440518081504556346829671723286782437916272838033415471073108501919548529007337724822783525742386454014691736602477652346609
p = 1634733645809253848443133883865090859841783670033092312181110852389333100104508151212118167511579
q = 190087128166482211312685157393541397547189678996851549338539088027103802104498957191261465571

Hence p*(-q) = p*(N-q), we have:
1634733645809253848443133883865090859841783670033092312181110852389333100104508151212118167511579*(3107418240490043721350750035888567930037346022842727545720161948823206440518081504556346829671723286782437916272838033415471073108501919548529007337724822783525742386454014691736602477652346609-190087128166482211312685157393541397547189678996851549338539088027103802104498957191261465571) = 5079801149330465928652035530544913704964519649664113022948507643221268839586387905945718488562426349551024378408981587404238854112680081565808050803367178098655476230508056302202082021498932996241380749611265431048278537997959344921052965979997472486960464297533557254211807262177876539002;

and, by my hypothesis: p*(-q) = p*q*(p-1) = p*(N-q)
163473364580925384844313388386509085984178363092312181110852389333100104508151212118167511579*190087128166482211312685157393541397547189678996851549338539088027103802104498957191261465571*1634733645809253848443133883865090859841783670033092312181110852389333100104508151212118167511578 = 5079801149330465928652035530544913704964519649664113022948507643221268839586387905945718488562426349551024378408981587404238854112680081565808050803367178098655476230508056302202082021498932996241380749611265431048278537997959344921052965979997472486960464297533557254211807262177876539002;

Q.E.D

Any new idea?
Re: [Full-disclosure] Rapid integer factorization = end of RSA?
On Thu, Apr 26, 2007 at 02:07:31PM +0400, Eugene Chukhlomin wrote:
> > Funny way to pull the -1 out from the parenthesis.
> >   p * (-q) = p * (-1) * q = p * q * (-1)   (mod pq)
> > That is, p * (-q) = 0 (mod pq).
>
> Well, let's prove it: some days ago RSA-640 was factored, therefore I'll use this number for the proof.
>
> N = p*q = 3107418240490043721...
> [...]
> = 5079801149330465928652035530544913704964519649664113022948507643221268839586387905945718488562426349551024378408981587404238854112680081565808050803367178098655476230508056302202082021498932996241380749611265431048278537997959344921052965979997472486960464297533557254211807262177876539002;
>
> Q.E.D

Of course it's equal. And equal to zero modulo n, as I pointed out.

#v+
gap> p;
163473364580925384844313388386509085984178367003309231218111085238933310010450\
8151212118167511579
gap> q;
19008712816648221131268515739354139754718967899685154933853908802710380210\
4498957191261465571
gap> n := p * q;
310741824049004372135075003588856793003734602284272754572016194882320644051808\
150455634682967172328678243791627283803341547107310850191954852900733772482278\
3525742386454014691736602477652346609
gap> (p * (n - q)) mod n;
0
gap>
#v-

What is it supposed to prove?

-- 
Stanislaw Klekot
Re: [Full-disclosure] Rapid integer factorization = end of RSA?
> #v+
> gap> p;
> [...]
> gap> (p * (n - q)) mod n;
> 0
> gap>
> #v-
>
> What is it supposed to prove?

My hypothesis: if there exist subsets (A1...An) and (B1...Bn) which satisfy the equality A1*B1 + ... + An*Bn = N = p*q, then there exist some of them which satisfy the equality A1*(-B1) + ... + An*(-Bn) = p*q*(q-1)
Re: [Full-disclosure] Rapid integer factorization = end of RSA?
On Thu, Apr 26, 2007 at 03:04:39PM +0400, Eugene Chukhlomin wrote:
> > #v+
> > gap> p;
> > [...]
> > gap> (p * (n - q)) mod n;
> > 0
> > gap>
> > #v-
> >
> > What is it supposed to prove?
>
> My hypothesis: if there exist subsets (A1...An) and (B1...Bn) which satisfy the equality A1*B1 + ... + An*Bn = N = p*q, then there exist some of them which satisfy the equality A1*(-B1) + ... + An*(-Bn) = p*q*(q-1)

But what does that proof have to do with your hypothesis? Except that
  p*q * (q-1) = p*q = p*q * (-1) = p*q * (N-1) = 0   (mod N)
which is an obvious equality.

-- 
Stanislaw Klekot
[Full-disclosure] [USN-453-2] rdesktop regression
===========================================================
Ubuntu Security Notice USN-453-2                April 26, 2007
rdesktop regression
https://launchpad.net/bugs/104332
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  rdesktop    1.4.1-1.1ubuntu0.6.06

Ubuntu 6.10:
  rdesktop    1.4.1-1.1ubuntu0.6.10

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

USN-453-1 provided an updated libx11 package to fix a security vulnerability. This triggered an error in rdesktop so that it crashed on startup. This update fixes the problem.

Updated packages for Ubuntu 6.06 LTS:

Updated packages for Ubuntu 6.10:
Re: [Full-disclosure] Rapid integer factorization = end of RSA?
If you have, in fact, come up with a fast method of integer factorization, the currently unfactored challenges (RSA-704 and above) would be better proof, no?

Are you by any chance related to James Harris? http://www.crank.net/harris.html

-Brendan

On 4/26/07, [EMAIL PROTECTED] wrote:
> Hello,
>
> Eugene Chukhlomin wrote:
> > Well, let's prove it: some days ago RSA-640 was factored, therefore I'll use this number for the proof.
> > N = p*q = 3107418240490043721...
> [...]
> > Q.E.D
>
> that's an example. Not a *proof*.
>
> GTi
Re: [Full-disclosure] WordPress v2.1.3 remote file include~
On 26 Apr 2007 14:44:02 -, [EMAIL PROTECTED] wrote:
> None of these exploits you're posting actually work.

It's like Full-Disclosure, but with more waiting for the moderation queue! I guess Symantec now just moderates out spam, allowing unsupported hoaxes and rumors passage. Month of April Fools posts?

-- 
[EMAIL PROTECTED] | ICQ: 335082155 | Note: Due to Google's privacy policy http://tinyurl.com/5xbtl and the United States' policy on electronic surveillance http://tinyurl.com/muuyl, please do not IM/e-mail me anything you wish to remain secret.
Re: [Full-disclosure] Rapid integer factorization = end of RSA?
Hello,

Brendan Dolan-Gavitt wrote:
> If you have, in fact, come up with a fast method of integer factorization, the currently unfactored challenges (RSA-704 and above) would be better proof, no?

no. We're talking about mathematics, aren't we? So, an example for an assumption is not a *proof*. Neither are two or three...

> Are you by any chance related to James Harris?

Nope. Trying to prove Fermat's theorem is of no interest to me :)

GTi
Re: [Full-disclosure] Rapid integer factorization = end of RSA?
Get it peer-reviewed, or go away.

On 4/25/07, Eugene Chukhlomin [EMAIL PROTECTED] wrote:
> Hi list! I discovered a new method of integer factorization for any-precision numbers; probably it will be the end of the RSA era.
> [...]
> This implementation of my hypothesis has very hard complexity (about log2(N)! comparisons), but there exists a short way with fixed complexity for the implementation of the hypothesis (plan B) - but, for ethical reasons, I'll not post it here.
>
> Regards,
> Eugene Chukhlomin
[Full-disclosure] [SECURITY] [DSA 1282-1] New php4 packages fix several vulnerabilities
--------------------------------------------------------------------------
Debian Security Advisory DSA 1282-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                         Moritz Muehlenhoff
April 26th, 2006                        http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : php4
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2007-1286 CVE-2007-1380 CVE-2007-1521 CVE-2007-1711 CVE-2007-1718 CVE-2007-1777

Several remote vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-1286
    Stefan Esser discovered an overflow in the object reference handling code of the unserialize() function, which allows the execution of arbitrary code if malformed input is passed from an application.

CVE-2007-1380
    Stefan Esser discovered that the session handler performs insufficient validation of variable name length values, which allows information disclosure through a heap information leak.

CVE-2007-1521
    Stefan Esser discovered a double free vulnerability in the session_regenerate_id() function, which allows the execution of arbitrary code.

CVE-2007-1711
    Stefan Esser discovered a double free vulnerability in the session management code, which allows the execution of arbitrary code.

CVE-2007-1718
    Stefan Esser discovered that the mail() function performs insufficient validation of folded mail headers, which allows mail header injection.

CVE-2007-1777
    Stefan Esser discovered that the extension to handle ZIP archives performs insufficient length checks, which allows the execution of arbitrary code.

For the oldstable distribution (sarge) these problems have been fixed in version 4.3.10-20.

For the stable distribution (etch) these problems have been fixed in version 4.4.4-8+etch2.

For the unstable distribution (sid) these problems have been fixed in version 4.4.6-1. php4 will be removed from sid; thus you are strongly advised to migrate to php5 if you prefer to follow the unstable distribution.

We recommend that you upgrade your PHP packages.

Packages for the arm, m68k and mipsen architectures are not yet available. They will be provided later.

Upgrade Instructions
--------------------

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
--------------------------------

Source archives:

Architecture independent components:

Alpha architecture:
Re: [Full-disclosure] Rapid integer factorization = end of RSA?
[EMAIL PROTECTED] wrote:
> Hello,
>
> Brendan Dolan-Gavitt wrote:
> > If you have, in fact, come up with a fast method of integer factorization, the currently unfactored challenges (RSA-704 and above) would be better proof, no?
>
> no. We're talking about mathematics, aren't we? So, an example for an assumption is not a *proof*. Neither are two or three...
>
> > Are you by any chance related to James Harris?
>
> Nope. Trying to prove Fermat's theorem is of no interest to me :)
>
> GTi

Just factor a damn RSA-Challenge, then we'll believe you without seeing an actual proof. If not, you're just wasting our time with spamtastic entertainment.
Re: [Full-disclosure] Rapid integer factorization = end of RSA?
Spamtastic you say? GODWIN'S LAW GET?
Re: [Full-disclosure] Rapid integer factorization = end of RSA?
xxx xxx wrote:
> > Lemma: p*(-q) = p*q*(-p) and respectively: (-p)*q = p*q*(-q)
> > Proof:
> > p*(-q) = p*(N-q) - by the data, then
> > p*(-q) = p*(p*q-q) = p*p*q - p*q = p*q*p - p*q = (p-1)*(p*q)
> > (-p)*q = q*(N-p) - by the data, then
> > (-p)*q = (p*q-p)*q = p*q*q - p*q = p*q*q - p*q = (q-1)*(p*q)
> > Q. E. D.
>
> Like Stanislaw said before me, this Lemma is obvious. You're saying that 0=0, and man, this is a tautology!
> You ask why? Let N = p*q. Then p*q = 0 mod N.
> Now, let -1 be the opposite of the unit (usually called e...)
> 0 = (-1)*0 = (-1)*p*q = (-1*p)*q = (-p)*q
> 0 = 0*(-q) = p*q*(-q)
>
> > Hypothesis:
> > Let N = p*q = A1*B1 + A2*B2 + ... + An*Bn
> > Then there exists some subset (A1...An) and respective subset (B1...Bn) which satisfies the equality:
> > A1*(-B1) + A2*(-B2) + ... + An*(-Bn) = p*(-q) = p*q*(p-1)
> > or
> > A1*(-B1) + A2*(-B2) + ... + An*(-Bn) = (-p)*q = p*q*(q-1)
>
> This is another obvious thing! If N = sum(A_i*B_i), then -N = -1*N = -1*sum(A_i*B_i) = 0 mod N
> and, by the distributive properties, -1*sum(A_i*B_i) = sum(-1*A_i*B_i) = 0 mod N
>
> > If such (A1...An) and (B1...Bn) are found, we can find p or q by dividing p*(q-1) by p*q:
> > p*(q-1) = p*q*(p-1) = (p*(q-1))/(p*q) = (p-1) = (p-1)+1 = p
> > or
> > (p-1)*q = p*q*(q-1) = ((-p)*q)/(p*q) = (q-1) = (q-1)+1 = q
>
> Here there's a mistake: p*(q-1) != p*q*(p-1) mod N. In fact, let N = 2*3. 2*2 = 4 != 6*1 = 0!!!
> Being this assumption wrong, all the remaining demonstration is obviously false...

Ok, if your consequences are right, could you disprove this hypothesis?

Hypothesis:
Let N = p*q = A1*B1 + A2*B2 + ... + An*Bn
Then there exists some subset (A1...An) and respective subset (B1...Bn) which satisfies the equalities:
A1*B1 + A2*B2 + ... + An*Bn = p*q
and:
A1*(-B1) + A2*(-B2) + ... + An*(-Bn) = p*(-q) = p*q*(p-1)
or
A1*(-B1) + A2*(-B2) + ... + An*(-Bn) = (-p)*q = p*q*(q-1)

In terms of this hypothesis, could you really prove that there are no subsets (A1..An) and respective (B1...Bn) which satisfy the equality:
A1*(-B1) + A2*(-B2) + ... + An*(-Bn) = p*(-q) = p*q*(p-1)
or
A1*(-B1) + A2*(-B2) + ... + An*(-Bn) = (-p)*q = p*q*(q-1) ?

Another example in terms of the hypothesis:
35 = 2^2*2^3 + 2*1 + 1
then one of the possible subsets of 35 is: 4*8 + 2*1 + 1
(4,2,1) and (8,1,1)
Try one of the possible cases for test subsets (A1...An) and (B1...Bn):
4*(35-8) + 2*(35-1) + 1*(-1) = 4*27 + 2*34 + 1*(34) = 108 + 102 = 210
then, 210 / 35 = 6
6+1 = 7
gcd(35,7) = 5
Hypothesis is right (or is what is written above an exception?)

Your sample: 6 = 4 + 2 = 1*4 + 2*1
1*(6-4) + 2*(6-1) = 12
Divide the result by 6: 12/6 = 2
Add one to 2: 2+1 = 3
Test: gcd(6,3) = 2
Any other samples needed?

Moreover, while no one presents a valid proof of incorrectness, it is correct, right?

Has somebody more constructive ideas?
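As an added check of the arithmetic in this thread (written here, not code from any of the posters): it evaluates Stanislaw Klekot's three points from his first reply (the lemma is 0 mod N, the "division by p*q" step is false, and gcd(p*(q-1), N) does recover p), and it runs the "+1" recipe from the 21, 35 and 6 samples above, showing that the recipe always returns the sum of the A_i regardless of N's factors. The p, q, A and B values are the thread's small samples; the binary_split helper and the N = 33 case are constructed here.

```python
from math import gcd


def ring_claims(p: int, q: int) -> dict:
    """Evaluate the three disputed statements in Z/NZ for N = p*q."""
    n = p * q
    return {
        # Lemma: p*(-q) with -q written as N-q is a multiple of N, i.e. 0 mod N.
        "lemma_is_zero": (p * (n - q)) % n == 0,
        # The step "p*(q-1) = p*q*(p-1)": the right side is 0 mod N, the left
        # side is -p mod N, which is never 0, so the equality is false.
        "division_step_holds": (p * (q - 1)) % n == (n * (p - 1)) % n,
        # What actually works if someone hands you x = p*(q-1): gcd(x, N) = p,
        # because gcd(q-1, q) = 1 and p divides x.
        "gcd_recovers": gcd(p * (q - 1), n),
    }


def recipe(n: int, a: list, b: list) -> int:
    """The '+1' recipe from the 21 = 3*7 sample: sum A_i*(N - B_i), divide by N, add 1.

    sum A_i*(N - B_i) = N*sum(A_i) - sum(A_i*B_i) = N*(sum(A_i) - 1) whenever
    sum(A_i*B_i) == N, so the recipe returns sum(A_i) no matter how N factors.
    """
    if sum(x * y for x, y in zip(a, b)) != n:
        raise ValueError("A_i*B_i must sum to N")
    s = sum(x * (n - y) for x, y in zip(a, b))
    assert s % n == 0  # always true by the identity above
    return s // n + 1


def binary_split(n: int) -> tuple:
    """Constructed helper: write N in binary and split each set bit 2^i into
    2^(i//2) * 2^(i - i//2), the way the 21 sample writes 2^4 as 4*4."""
    a, b = [], []
    for i in range(n.bit_length()):
        if (n >> i) & 1:
            a.append(1 << (i // 2))
            b.append(1 << (i - i // 2))
    return a, b


def recipe_hits_factor(n: int) -> bool:
    """Does the recipe's output share a non-trivial factor with N?
    Since the output is just sum(A_i), this is luck, not a method."""
    a, b = binary_split(n)
    return 1 < gcd(recipe(n, a, b), n) < n


if __name__ == "__main__":
    for p, q in ((3, 7), (2, 3)):  # 21 from the first post, 6 from xxx xxx's counterexample
        print(p * q, ring_claims(p, q))
    print("21:", recipe(21, [4, 2, 1], [4, 2, 1]))  # 7 = 4+2+1, happens to divide 21
    print("35:", recipe(35, [4, 2, 1], [8, 1, 1]))  # 7 = 4+2+1, gcd(35, 7) = 7
    print("6: ", recipe(6, [1, 2], [4, 1]))         # 3 = 1+2, gcd(6, 3) = 3
    print("33:", recipe(33, *binary_split(33)))     # 5 = 4+1, gcd(33, 5) = 1
```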
Re: [Full-disclosure] Rapid integer factorization = end of RSA?
On Thu, 26 Apr 2007 22:31:08 +0400, e.chukhlomin said:
> Moreover, while no one presents a valid proof of incorrectness, it is correct, right?

Beware bugs in the above code; I have only proven it correct, not tested it.
  -- famous quiche-eater Don Knuth
Re: [Full-disclosure] WordPress v2.1.3 remote file include~
On 4/26/07, Tod Beardsley [EMAIL PROTECTED] wrote:
> On 26 Apr 2007 14:44:02 -, [EMAIL PROTECTED] wrote:
> > None of these exploits you're posting actually work.
>
> It's like Full-Disclosure, but with more waiting for the moderation queue! I guess Symantec now just moderates out spam, allowing unsupported hoaxes and rumors passage. Month of April Fools posts?

OpenSSH, there's an off-by-one in access.c

-- 
Guasconi Vincent
Student.
http://altmylife.blogspot.com
[Full-disclosure] FW: Steganos Encrypted Safe NOT so safe
I forwarded the original issue to Steganos as I am a user of their software package. This is their reply, also posted on Security Focus.

Regards
Dan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 26, 2007 6:56 AM
To: [EMAIL PROTECTED]
Subject: Re: Steganos Encrypted Safe NOT so safe

In response to frankrizzo604's comment, Steganos would like to dispel the rumor that its Steganos Safe encryption software is easily cracked. Steganos Safe enables users to create any number of secure virtual drives in which data is safely stored and encrypted. However, frankrizzo604 goes through several steps 'teaching' users how to open others' encrypted files. In his last step, he claims Steganos will 'PUNISH you by resetting your encrypted drives passwords to 123 until you buy a registered copy', implying that the password feature can be circumvented, thus opening anyone's safe.

He conveniently left out that before he was able to reset the password to 123, he had to enter his original password to open the safe. Then, he saw this message box:

http://www1.steganos.com/support/screenshots/safe8_123_infobox.png

It is absolutely not possible to open any Steganos Encrypted File without having the original password. The Steganos support and development team reconstructed the process he described. It is not possible to open a Safe WITHOUT the original password. In the 2007 generation of Steganos products, Steganos decided to set the Safe attributes to write protect.

Steganos would like its users to rest assured that their files are in fact still encrypted and safe from hackers.
[Full-disclosure] iDefense Security Advisory 04.26.07: Novell eDirectory NCP Fragment Denial of Service Vulnerability
Novell eDirectory NCP Fragment Denial of Service Vulnerability

iDefense Security Advisory 04.26.07
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 26, 2007

I. BACKGROUND

Novell eDirectory is a cross-platform lightweight directory access protocol (LDAP) server. In addition to LDAP, eDirectory also implements NCP over IP. More information can be found on Novell's web site at the following URL.

http://www.novell.com/products/edirectory/

II. DESCRIPTION

Remote exploitation of a denial of service (DoS) vulnerability in Novell Inc.'s eDirectory product could allow an attacker to force the running daemon to cease servicing requests.

The problem specifically exists within the NCP functionality of eDirectory. Sending a sequence of specially crafted fragmented requests will cause a DoS condition. If the input is crafted properly, eDirectory will report to its error log that a fragment has been received with an invalid length. The error message includes the contents of the fragments in hexadecimal notation. However, if the length is negative, eDirectory will try to dump data to the log indefinitely. This results in a large amount of data being saved to the log. Once the end of the heap segment is reached, a memory access violation will occur and the server process will crash.

III. ANALYSIS

Successful exploitation of this vulnerability could allow an attacker to crash the server process. No credentials are required. Repeated attacks could allow the attacker to cause excessive disk space usage.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in version 8.8.1 of Novell Inc.'s eDirectory server with FTF1 applied. The earliest version tested was 8.8. Earlier versions are suspected to be vulnerable.

V. WORKAROUND

iDefense is unaware of any effective workaround for this issue.

VI. VENDOR RESPONSE

Novell has addressed this problem within FTF2 for eDirectory 8.8.1. More information is available in Novell Document ID 3924657 at the following URL.

http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=3924657&sliceId=SAL_Public

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2006-4520 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

08/17/2006  Initial vendor notification
08/18/2006  Initial vendor response
10/21/2006  Second vendor notification
10/23/2006  Vendor response
12/06/2006  Third vendor notification
12/18/2006  Vendor response
03/21/2007  Fourth vendor notification
04/25/2007  Fifth vendor notification
04/25/2007  Vendor advised that the fix was in FTF2
04/26/2007  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Re: [Full-disclosure] FW: Steganos Encrypted Safe NOT so safe
It is funny that this stuff ever comes to surface. Now I am wondering if this is a case of trying to spread FUD or someone who just didn't pay any attention to what was going on?

Steven
securityzone.org

> I forwarded the original issue to Steganos as I am a user of their software package. This is their reply and also posted on Security Focus.
>
> Regards
> Dan
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 26, 2007 6:56 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Steganos Encrypted Safe NOT so safe
>
> In response to frankrizzo604's comment, Steganos would like to dispel the rumor that its Steganos Safe encryption software is easily cracked. Steganos Safe enables users to create any number of secure virtual drives in which data is safely stored and encrypted.
>
> However frankrizzo604 goes through several steps 'teaching' users how to open others' encrypted files. In his last step, he claims Steganos will 'PUNISH you by resetting your encrypted drives passwords to 123 until you buy a registered copy', implying that the password feature can be circumvented thus opening anyone's safe.
>
> He conveniently left out that before he was able to reset the password to 123, he had to enter his original password to open the safe. Then, he saw this message box:
>
> http://www1.steganos.com/support/screenshots/safe8_123_infobox.png
>
> It is absolutely not possible to open any Steganos Encrypted File without having the original password. The Steganos support and development team reconstructed the process he described. It is not possible to open a Safe WITHOUT the original password. In the 2007 generation of Steganos products, Steganos decided to set the Safe attributes to write protect.
>
> Steganos would like its users to rest assured that their files are in fact still encrypted and safe from hackers.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Rapid integer factorization = end of RSA?
Hello,

>> If you have, in fact, come up with a fast method of integer factorization, the currently unfactored challenges (RSA-704 and above) would be better proof, no?

> no. We're talking about mathematics, aren't we? So, an example for an assumption is not a *proof*. Neither are two or three...

Providing the factorization of a particular number (whose factorization is considered to be not known by anyone) is definitely a proof that you know the factorization of that number and that you had a method for finding it. Of course, it doesn't say anything about this method -- whether it is a general one or whether you were able to find the factors based on graph of temperature at the top of Elbrus :-)

On a more relevant note, let me try to explain the method described by the original poster, hopefully in a more readable way:

Take an unknown number N, which we are going to factor. Then, by some mysterious process, represent the number N, such that

(I) N = A1*B1 + A2*B2 + ... + An*Bn

AND

(II) A1*(N-B1) + A2*(N-B2) + ... + An*(N-Bn) = N*(q-1)

holds. In the examples provided by the original poster, these numbers were always created by taking the usual binary expansion of the number and splitting each term into a product Ak*Bk. The problem is that not all (if any) such splits produce the desired results. The original poster correctly stated that the obvious method for obtaining such a split (if it really exists under these conditions) runs in log(N)! steps (that's factorial of log(N), not just an exclamation... clearly, this number is greater than N, thus rendering this approach worse than trial division). He also claimed to have a much faster approach, though.

Naturally, IF this can be done, one can find q-1 (thus also p,q) easily. In fact, the easy part of the algorithm can be even more simplified. The sum

A1*(N-B1) + A2*(N-B2) + ... + An*(N-Bn)

can be rewritten as

N*(A1+A2+...+An) - (A1*B1 + A2*B2 + ... + An*Bn) = N*(A1+A2+...+An - 1)

and the property (II) tells us that this number is equal to N*(q-1). In other words, q = (A1+A2+...+An), so -once- we obtain the right sets A,B, finding the factorization is nothing but summing up a few numbers.

Now, here are two questions for the original poster:

1) Did I understand your factorization algorithm correctly?

2) Could you demonstrate how your algorithm works for the number 2^32+1, please? I have a quite good reason for asking about this particular number.

Peter

--
[Name] Peter Kosinar
[Quote] 2B | ~2B = exp(i*PI)
[ICQ] 134813278

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
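The algebra in the reply above can be checked mechanically. The following is an added example, not code from the thread or from either poster: `identity_holds` verifies sum A_k*(N-B_k) = N*(sum A_k - 1) for any split satisfying (I), and `factors_from_splits` enumerates every binary-expansion split of the kind used in the 21 = 4*4 + 2*2 + 1*1 sample and keeps the ones whose A-sum is a divisor of N. All function names are my own.

```python
# Added example, not from the thread: checks the rewrite of property (II) and tries
# the binary-expansion splits on the original sample and on 2^32+1.
from itertools import product


def sum_of_products(a_terms, b_terms):
    """sum A_k*B_k, the right-hand side of property (I)."""
    return sum(a * b for a, b in zip(a_terms, b_terms))


def property_two_lhs(a_terms, b_terms, n):
    """sum A_k*(N-B_k), the left-hand side of property (II), computed directly."""
    return sum(a * (n - b) for a, b in zip(a_terms, b_terms))


def identity_holds(a_terms, b_terms, n):
    """True iff sum A_k*(N-B_k) == N*(sum A_k - 1) for a split of N.

    The rewrite is plain algebra: N*sum(A_k) - sum(A_k*B_k) = N*sum(A_k) - N.
    """
    if sum_of_products(a_terms, b_terms) != n:
        raise ValueError("not a split of N")
    return property_two_lhs(a_terms, b_terms, n) == n * (sum(a_terms) - 1)


def binary_splits(n):
    """Yield every (A, B) obtained by writing each set bit 2^e of N as 2^i * 2^(e-i).

    This is the construction behind the poster's 21 = 4*4 + 2*2 + 1*1 sample.
    """
    exps = [e for e in range(n.bit_length()) if (n >> e) & 1]
    for choice in product(*[range(e + 1) for e in exps]):
        a_terms = [1 << i for i in choice]
        b_terms = [1 << (e - i) for e, i in zip(exps, choice)]
        yield a_terms, b_terms


def factors_from_splits(n):
    """Sums A_1+...+A_n over all binary splits that are nontrivial divisors of N.

    By the identity, such a sum is exactly the q of property (II); if no split
    produces one, this construction cannot factor N at all.
    """
    found = set()
    for a_terms, _ in binary_splits(n):
        s = sum(a_terms)
        if 1 < s < n and n % s == 0:
            found.add(s)
    return found


if __name__ == "__main__":
    print(factors_from_splits(21))         # {3, 7}: the poster's sample works
    print(factors_from_splits(2**32 + 1))  # set(): 641 is not of the form 1 + 2^j
```

For 2^32+1 = 641 * 6700417 every binary split has A-sum 1 + 2^j, and none of those divides N, which is why the hard part of the method is the split search, not the summation.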
Re: [Full-disclosure] FW: Steganos Encrypted Safe NOT so safe
When this was first posted, I tried to duplicate the procedure written up before sending it off to Steganos. I was unable to, so I thought maybe I was missing something. Guess not...

Dan

Dan Bambach
R.T.C., Inc.
Engineering/Service Manager
915-584-6646
915-526-7635 (Cell)
915-584-6265 (Fax)

-----Original Message-----
From: Steven Adair [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 26, 2007 2:32 PM
To: Dan Bambach
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] FW: Steganos Encrypted Safe NOT so safe

It is funny that this stuff ever comes to surface. Now I am wondering if this is a case of trying to spread FUD or someone who just didn't pay any attention to what was going on?

Steven
securityzone.org

I forwarded the original issue to Steganos as I am a user of their software package. This is their reply and also posted on Security Focus.

Regards
Dan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 26, 2007 6:56 AM
To: [EMAIL PROTECTED]
Subject: Re: Steganos Encrypted Safe NOT so safe

In response to frankrizzo604's comment, Steganos would like to dispel the rumor that its Steganos Safe encryption software is easily cracked. Steganos Safe enables users to create any number of secure virtual drives in which data is safely stored and encrypted.

However frankrizzo604 goes through several steps 'teaching' users how to open others' encrypted files. In his last step, he claims Steganos will 'PUNISH you by resetting your encrypted drives passwords to 123 until you buy a registered copy', implying that the password feature can be circumvented thus opening anyone's safe.

He conveniently left out that before he was able to reset the password to 123, he had to enter his original password to open the safe. Then, he saw this message box:

http://www1.steganos.com/support/screenshots/safe8_123_infobox.png

It is absolutely not possible to open any Steganos Encrypted File without having the original password. The Steganos support and development team reconstructed the process he described. It is not possible to open a Safe WITHOUT the original password. In the 2007 generation of Steganos products, Steganos decided to set the Safe attributes to write protect.

Steganos would like its users to rest assured that their files are in fact still encrypted and safe from hackers.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] FW: Steganos Encrypted Safe NOT so safe
A lot of times people find their bugs but what can we do! How do we know that the encrypted drives work?

On 4/26/07, Dan Bambach [EMAIL PROTECTED] wrote:
> When this was first posted, I tried to duplicate the procedure written up before sending it off to Steganos. I was unable to, so I thought maybe I was missing something. Guess not...
>
> Dan
>
> Dan Bambach
> R.T.C., Inc.
> Engineering/Service Manager
> 915-584-6646
> 915-526-7635 (Cell)
> 915-584-6265 (Fax)
>
> -----Original Message-----
> From: Steven Adair [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 26, 2007 2:32 PM
> To: Dan Bambach
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] FW: Steganos Encrypted Safe NOT so safe
>
> It is funny that this stuff ever comes to surface. Now I am wondering if this is a case of trying to spread FUD or someone who just didn't pay any attention to what was going on?
>
> Steven
> securityzone.org
>
> I forwarded the original issue to Steganos as I am a user of their software package. This is their reply and also posted on Security Focus.
>
> Regards
> Dan
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 26, 2007 6:56 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Steganos Encrypted Safe NOT so safe
>
> In response to frankrizzo604's comment, Steganos would like to dispel the rumor that its Steganos Safe encryption software is easily cracked. Steganos Safe enables users to create any number of secure virtual drives in which data is safely stored and encrypted.
>
> However frankrizzo604 goes through several steps 'teaching' users how to open others' encrypted files. In his last step, he claims Steganos will 'PUNISH you by resetting your encrypted drives passwords to 123 until you buy a registered copy', implying that the password feature can be circumvented thus opening anyone's safe.
>
> He conveniently left out that before he was able to reset the password to 123, he had to enter his original password to open the safe. Then, he saw this message box:
>
> http://www1.steganos.com/support/screenshots/safe8_123_infobox.png
>
> It is absolutely not possible to open any Steganos Encrypted File without having the original password. The Steganos support and development team reconstructed the process he described. It is not possible to open a Safe WITHOUT the original password. In the 2007 generation of Steganos products, Steganos decided to set the Safe attributes to write protect.
>
> Steganos would like its users to rest assured that their files are in fact still encrypted and safe from hackers.

--
http://www.goldwatches.com/watches.asp?Brand=39
http://www.wazoozle.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] FW: Steganos Encrypted Safe NOT so safe
I have tried to crack a safe drive and failed. I am not as crypto savvy as many on this group are, so my efforts may be viewed as first level. I did have a drive sent off to a recovery company a while ago and they were unable to crack the safe drive. I would think if there was a simple crack like the one posted, they would have been able to recover the drive.

Dan

_____
From: James Matthews [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 26, 2007 7:27 PM
To: Dan Bambach
Cc: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] FW: Steganos Encrypted Safe NOT so safe

A lot of times people find their bugs but what can we do! How do we know that the encrypted drives work?

On 4/26/07, Dan Bambach [EMAIL PROTECTED] wrote:
> When this was first posted, I tried to duplicate the procedure written up before sending it off to Steganos. I was unable to, so I thought maybe I was missing something. Guess not...
>
> Dan
>
> Dan Bambach
> R.T.C., Inc.
> Engineering/Service Manager
> 915-584-6646
> 915-526-7635 (Cell)
> 915-584-6265 (Fax)
>
> -----Original Message-----
> From: Steven Adair [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 26, 2007 2:32 PM
> To: Dan Bambach
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] FW: Steganos Encrypted Safe NOT so safe
>
> It is funny that this stuff ever comes to surface. Now I am wondering if this is a case of trying to spread FUD or someone who just didn't pay any attention to what was going on?
>
> Steven
> securityzone.org
>
> I forwarded the original issue to Steganos as I am a user of their software package. This is their reply and also posted on Security Focus.
>
> Regards
> Dan
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 26, 2007 6:56 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Steganos Encrypted Safe NOT so safe
>
> In response to frankrizzo604's comment, Steganos would like to dispel the rumor that its Steganos Safe encryption software is easily cracked. Steganos Safe enables users to create any number of secure virtual drives in which data is safely stored and encrypted.
>
> However frankrizzo604 goes through several steps 'teaching' users how to open others' encrypted files. In his last step, he claims Steganos will 'PUNISH you by resetting your encrypted drives passwords to 123 until you buy a registered copy', implying that the password feature can be circumvented thus opening anyone's safe.
>
> He conveniently left out that before he was able to reset the password to 123, he had to enter his original password to open the safe. Then, he saw this message box:
>
> http://www1.steganos.com/support/screenshots/safe8_123_infobox.png
>
> It is absolutely not possible to open any Steganos Encrypted File without having the original password. The Steganos support and development team reconstructed the process he described. It is not possible to open a Safe WITHOUT the original password. In the 2007 generation of Steganos products, Steganos decided to set the Safe attributes to write protect.
>
> Steganos would like its users to rest assured that their files are in fact still encrypted and safe from hackers.

--
http://www.goldwatches.com/watches.asp?Brand=39
http://www.wazoozle.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/