On Aug 10, 2011, at 10:12 AM, Perry E. Metzger wrote:
> Today's XKCD is on password strength. The advice it gives is pretty
> good in principle...
>
> http://xkcd.com/936/
You still need a password manager to remember which of the dozens of
easily-remembered passwords you used, so you might as
On Wed, Sep 15, 2010 at 03:16:34AM -0700, Jacob Appelbaum wrote:
[...]
> What Steve has written is mostly true - though I was not working alone,
> we did it in an afternoon. It took quite a bit of effort to get Haystack
> to take this seriously. Eventually, there was an internal mutiny because
> of
On Mon, Aug 02, 2010 at 04:55:04PM +0100, Adrian Hayter wrote:
> In a related story, hacker Chris Paget created his own cell-phone base
> station that turned off encryption on all devices connecting to it. The
> station then routes the calls through VoIP.
>
> http://www.wired.com/threatlevel/201
On Sat, Jul 31, 2010 at 12:32:39PM -0400, Perry E. Metzger wrote:
[...]
> 3 Any security system that demands that users be "educated",
> i.e. which requires that users make complicated security decisions
> during the course of routine work, is doomed to fail.
[...]
I would amend this to say "w
I'm looking for a best practices guide (for a system architecture) or
case studies for how best to handle storing and using 3rd party
passwords.
Specifically, I'm interested in the case where a program or service
needs to store a password in such a way that it can be used (presented
to another ser
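One architecture that answers the question above (storing a third-party password so the service can later present it, without the database alone being enough to recover it) is envelope encryption: each record gets its own data key, the password is encrypted under that data key, and the data key is wrapped by a key-encryption key held outside the database (KMS, HSM, or a secrets service). The record ID is bound in as associated data so a ciphertext cannot be moved between rows. This is an added example in Go, not code from the thread; the KEK, record ID and password are constructed stand-ins.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// StoredCredential is the row that goes into the database. The third-party
// password is encrypted under a per-record data key, and that data key is
// wrapped by a key-encryption key (KEK) that lives elsewhere (KMS, HSM, or a
// secrets service). The database alone therefore yields nothing usable.
type StoredCredential struct {
	ID         string
	WrappedKey string // base64(nonce || AES-256-GCM(KEK, dataKey, aad=ID))
	Ciphertext string // base64(nonce || AES-256-GCM(dataKey, password, aad=ID))
}

// sealBlob encrypts plaintext with AES-GCM under key, prefixing a random
// nonce. aad is authenticated but not encrypted; the record ID is used so a
// blob copied into another row fails to decrypt.
func sealBlob(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

// openBlob reverses sealBlob; tampering with the blob or a mismatched aad
// produces an error rather than garbage plaintext.
func openBlob(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Store produces the database row for a third-party password.
func Store(kek []byte, id string, password []byte) (StoredCredential, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return StoredCredential{}, err
	}
	wrapped, err := sealBlob(kek, dataKey, []byte(id))
	if err != nil {
		return StoredCredential{}, err
	}
	ct, err := sealBlob(dataKey, password, []byte(id))
	if err != nil {
		return StoredCredential{}, err
	}
	enc := base64.StdEncoding.EncodeToString
	return StoredCredential{ID: id, WrappedKey: enc(wrapped), Ciphertext: enc(ct)}, nil
}

// Use recovers the password at the moment it must be presented to the other
// service. Callers should hold the result only as long as needed.
func Use(kek []byte, rec StoredCredential) ([]byte, error) {
	wrapped, err := base64.StdEncoding.DecodeString(rec.WrappedKey)
	if err != nil {
		return nil, err
	}
	dataKey, err := openBlob(kek, wrapped, []byte(rec.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	ct, err := base64.StdEncoding.DecodeString(rec.Ciphertext)
	if err != nil {
		return nil, err
	}
	return openBlob(dataKey, ct, []byte(rec.ID))
}

func main() {
	kek := make([]byte, 32) // constructed: stand-in for a KMS-held key
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	rec, err := Store(kek, "acct-42", []byte("hunter2")) // constructed sample
	if err != nil {
		panic(err)
	}
	pw, err := Use(kek, rec)
	fmt.Println(string(pw), err)
}
```

The split matters operationally: rotating the KEK only requires re-wrapping the small data keys, not re-encrypting every password, and access to the KEK can be logged and restricted to the one process that presents credentials.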
On Mon, Sep 21, 2009 at 04:57:56PM -0400, Steven Bellovin wrote:
> Is there any way to use FileVault on MacOS except on home
> directories? I don't much want to use it on my home directory; it
> doesn't play well with Time Machine (remember that availability is
> also a security property); b
On Tue, Mar 03, 2009 at 01:20:22PM -0500, Perry E. Metzger wrote:
> Adam Fields writes:
> > The privacy issues are troubling, of course, but it would seem trivial
> > to bypass this sort of compulsion by having the disk encryption
> > software allow multiple passwords, ea
On Tue, Mar 03, 2009 at 12:26:32PM -0500, Perry E. Metzger wrote:
>
> Quoting:
>
> A federal judge has ordered a criminal defendant to decrypt his
> hard drive by typing in his PGP passphrase so prosecutors can view
> the unencrypted files, a ruling that raises serious concerns about
>
On Fri, Feb 13, 2009 at 11:24:35AM -0500, Steven M. Bellovin wrote:
> Counter Terror Expo: News of a possible viable business model for P2P
> VoIP network Skype emerged today, at the Counter Terror Expo in London.
> An industry source disclosed that America's supersecret National
> Security Agency
On Mon, Aug 18, 2008 at 09:24:33AM -0700, Eric Rescorla wrote:
[...]
> Without directly addressing the question of the quality of Diebold's
> offerings, I actually don't think the criticism implied here is
> entirely fair. If you're going to have voting machines, even precinct
> count optical scann
On Mon, Aug 18, 2008 at 10:16:02AM -0700, Paul Hoffman wrote:
[...]
> Essentially no one would argue that is is "quite expensive". I
> suspect that nearly everyone in the country would be happy to pay an
> additional $1/election for more reliable results.
Without seeing all of the expense (and l
I didn't see Ben forward this himself, but it's definitely relevant to
the discussion of malware hiding in hardware:
"Without needlessly boring everyone with the various steps allow me to
share an interesting observation: drivers often assume the hardware is
misbehaved but never malicious. It is f
On Sat, Apr 26, 2008 at 02:33:11AM -0400, Karsten Nohl wrote:
[...]
> Assuming that hardware backdoors can be build, the interesting question
> becomes how to defeat against them. Even after a particular triggering
> string is identified, it is not clear whether software can be used to
> detect
On Tue, Jul 11, 2006 at 01:02:27PM -0400, Leichter, Jerry wrote:
[...]
> Business ultimately depends on trust. There's some study out there -
> I don't recall a reference - that basically finds that the level of
> trust is directly related to the level of economic success of an
> economy. There a
On Thu, Mar 23, 2006 at 09:30:30AM -0500, Perry E. Metzger wrote:
> A while ago, you may recall that members of the Greek government were
> wiretapped, and at the time, I speculated that the bad guys may have
> abused the built in CALEA software in the switch to do it. Well, it
> now appears that t
This item was posted to the IP list today about some efforts to add
encryption to bittorrent for the sole purpose of disguising the
traffic.
A side note is that they're using known insecure encryption methods as
a cpu tradeoff because it doesn't matter if the traffic is decrypted
eventually, as lo
On Thu, Jan 26, 2006 at 06:09:52PM -0800, bear wrote:
[...]
> Of course, the obvious application for this OTP material,
> other than text messaging itself, is to use it for key
> distribution.
Perhaps I missed something, but my impression was that the original
post asked about how a CD full of ran
On Sun, Dec 18, 2005 at 07:55:57PM -0500, Steven M. Bellovin wrote:
[...]
> The Court also noted that "Congress rejected an amendment which would
> have authorized such governmental seizures in cases of emergency."
> Given that the Patriot Act did amend various aspects of the wiretap
> statute, it'
On Wed, Aug 10, 2005 at 01:24:07PM -0400, Perry E. Metzger wrote:
>
>
> Thought this would be of some interest. Unfortunately, the article
> will not be visible after a few days, thanks to the NY Times'
> policies, and can only be viewed if you register. :(
>
>
> WASHINGTON | August 10, 2005
>
On Wed, Aug 10, 2005 at 04:11:31PM +0200, Florian Weimer wrote:
> * Perry E. Metzger:
>
> > "A major identity theft ring has been discovered that affects up to 50
> > banks, according to Sunbelt Software, the security company that says
> > it uncovered the operation. The operation, whic
On Mon, Jul 11, 2005 at 09:37:36PM +, Jason Holt wrote:
> I remember the first time a site asked for the number on the back of my
> credit card. It was a Walmart or Amazon purchase, and with no warning they
> redirected me to some site with a questionable domain. I thought for sure
> my ses
On Fri, Jul 08, 2005 at 12:19:38PM -0400, Perry E. Metzger wrote:
[...]
> Actually, the people who would have to pay the investment -- the banks
> and merchants -- have an excellent incentive. The loss because of
> fraud is stunningly large. The real issue is that *consumers* have
> little incentiv
On Fri, Jul 08, 2005 at 10:42:02AM -0400, Perry E. Metzger wrote:
[...]
> A system in which the credit card was replaced by a small, calculator
> style token with a smartcard style connector could effectively
> eliminate most of the in person and over the net fraud we experience,
> and thus get rid
On Sat, May 28, 2005 at 10:47:56AM -0700, James A. Donald wrote:
[...]
> With bank web sites, experience has shown that only 0.3%
> of users are deterred by an invalid certificate,
> probably because very few users have any idea what a
> certificate authority is, what it does, or why they
> shou
On Tue, Mar 15, 2005 at 02:47:35PM -0500, Ian Goldberg wrote:
> > this is actually a very good solution for
> > me. The only thing I don't like about it is that it stores the private
> > key on your machine. I understand why that is, but it also means that
> > if you switch machines with the same l
On Tue, Mar 15, 2005 at 12:54:19PM -0600, Peter Saint-Andre wrote:
> Why not help us make Jabber/XMPP more secure, rather than overloading
> AIM? With AIM/MSN/Yahoo your account will always exist at the will of
Unfortunately, I already have a large network of people who use AIM,
and >they< all eac
Given what may or may not be recent ToS changes to the AIM service,
I've recently been looking into encryption plugins for gaim.
Specifically, I note gaim-otr, authored by Ian G, who's on this list.
Ian - would you care to share some insights on this? Is it ready for
prime time or just a proof-o
On Thu, Feb 10, 2005 at 06:24:46PM -0500, Steven M. Bellovin wrote:
[...]
> One member of this mailing list, in a private exchange, noted that
> he had asked his bank for their certificate's fingerprint. My
> response was that I was astonished he found someone who knew what
> he was talking about.
Tal Garfinkel (related to Simpson?) is a Stanford PHD student who has
put together a working model for tracking tainted data stored in RAM
in various popular applications.
This is the first mention I've seen of this - interesting stuff.
http://www.newscientist.com/news/news.jsp?id=ns5064
Ab
On Sat, Jun 05, 2004 at 10:06:20AM +0530, Udhay Shankar N wrote:
> Citibank in India experimented with a special case of this a few years ago
> - "online credit cards" - basically, a credit card number valid for one use
> only, which would be ideal for online purchasing.
>
> IIRC, the offering w
On Fri, May 28, 2004 at 03:20:52PM -0400, [EMAIL PROTECTED] wrote:
[...]
> How soon will the spammers get into the business of hosting free mailboxes
> for people who actually buy spamvertized products. Much easier to send the
> spam to their own users, let them indicate their preferences, set up
>
On Thu, May 20, 2004 at 10:07:43AM -0400, R. A. Hettinga wrote:
[...]
> yahoo draft internet standard for using DNS as a public key server
> http://www.ietf.org/internet-drafts/draft-delany-domainkeys-base-00.txt
This sounds quite a lot like the ideas outlined in a paper I
co-authored in 1995, pro
On Fri, Apr 09, 2004 at 12:46:47PM -0400, Perry E. Metzger wrote:
> I think that those that advocate cryptographic protocols to ensure
> voting security miss the point entirely.
[...]
> I'm a technophile. I've loved technology all my life. I'm also a
> security professional, and I love a good crypt
ecure such products (other than the
workshop, which I will not be able to attend)?
--
- Adam
-
Adam Fields, Managing Partner, [EMAIL PROTECTED]
Surgam, Inc. is a technology consulting firm with strong background in
delivering scalable and robust enterprise web
tupid question, but exactly how are you supposed to
use this information to verify a cert? I've done an informal survey of
a few financial institutions whose sites use SSL, and the number of
them that were able to provide me with a fingerprint over the phone
was exactly zero.
--