Re: [Cryptography] Snowden "fabricated digital keys" to get access to NSA servers?

2013-07-04 Thread Damien Miller
On Sat, 29 Jun 2013, Alec Muffett wrote: > My own, personal guess is that it is obfuscation which translates as "using > passwords" or "accessing a portal over SSL" plus "we're too embarrassed to > admit that it was that easy". Or simply: http://cms.intranet.boozallen.com/document?id=${N} http:/

Re: Why the onus should be on banks to improve online banking security

2009-11-25 Thread Damien Miller
On Fri, 20 Nov 2009, Peter Gutmann wrote: > There's been a near-neverending debate about who should be responsible for > improving online banking security measures: the users, the banks, the > government, the OS vendor, ... . Here's an interesting perspective from Peter > Benson , reposted with p

Re: RNG using AES CTR as encryption algorithm

2009-09-14 Thread Damien Miller
On Mon, 14 Sep 2009, Peter Gutmann wrote: > Damien Miller writes: > > >That seems unlikely, since we don't use OpenSSL for AES-CTR in OpenSSH. I > >don't think OpenSSL even supports a CTR mode through its EVP API. > > I first saw it reported on the Putty bu

Re: RNG using AES CTR as encryption algorithm

2009-09-14 Thread Damien Miller
On Wed, 9 Sep 2009, Peter Gutmann wrote: > I was just going to reply with a variation of this, if you're implementing a > full protocol that uses AES-CTR (or any algorithm/mode for that matter), find > other implementations that do it too and make sure that you can talk to them. > In theory everyo

Re: CPRNGs are still an issue.

2008-12-17 Thread Damien Miller
On Tue, 16 Dec 2008, mhey...@gmail.com wrote: > On Thu, Dec 11, 2008 at 8:42 PM, Damien Miller wrote: > > On Thu, 11 Dec 2008, James A. Donald wrote: > > > >> If one uses a higher resolution counter - sub > >> microsecond - and times multiple disk accesses, one g

Re: CPRNGs are still an issue.

2008-12-13 Thread Damien Miller
On Thu, 11 Dec 2008, James A. Donald wrote: > If one uses a higher resolution counter - sub > microsecond - and times multiple disk accesses, one gets > true physical randomness, since disk access times are > affected by turbulence, which is physically true > random. Until someone runs your softw

Re: street prices for digital goods?

2008-09-11 Thread Damien Miller
On Thu, 11 Sep 2008, Peter Gutmann wrote: > David Molnar <[EMAIL PROTECTED]> writes: > > >Dan Geer's comment about the street price of heroin as a metric for > >success has me thinking - are people tracking the street prices of > >digital underground goods over time? > > I've been (very informally

Re: password strengthening: salt vs. IVs

2007-11-01 Thread Damien Miller
On Mon, 29 Oct 2007, [EMAIL PROTECTED] wrote: > So back in the bad old days when hashing was DES encryption of the > zero vector with a fixed key, someone came up with salt as a password > strengthening mechanism. > > I'm not quite sure why it was called salt. > > It perturbed the S-boxes in DES

Re: Password hashing

2007-10-12 Thread Damien Miller
On Thu, 11 Oct 2007, james hughes wrote: > I forgot to add the links... > http://people.redhat.com/drepper/sha-crypt.html > http://people.redhat.com/drepper/SHA-crypt.txt > > On Oct 11, 2007, at 10:19 PM, james hughes wrote: > > > A proposal for a new password hashing based on SHA-25

Re: Scare tactic?

2007-09-21 Thread Damien Miller
On Wed, 19 Sep 2007, Nash Foster wrote: > http://labs.musecurity.com/2007/09/18/widespread-dh-implementation-weakness/ > > Any actual cryptographers care to comment on this? I don't feel > qualified to judge. I "discovered" this minor weakness in most of the open source IPSec implementations in

Re: Another Snake Oil Candidate

2007-09-12 Thread Damien Miller
On Tue, 11 Sep 2007, Aram Perez wrote: > The IronKey appears to provide decent security while it is NOT plugged into a > PC. But as soon as you plug it in and you have to enter a password to unlock > it, the security level quickly drops. This would be the case even if they > supported Mac OS or *n

Re: It's a Presidential Mandate, Feds use it. How come you are not using FDE?

2007-01-18 Thread Damien Miller
On Thu, 18 Jan 2007, Saqib Ali wrote: > Since when did AES-128 become "snake-oil crypto"? How come I missed > that? Compusec uses AES-128 . And as far as I know AES is NOT > "snake-oil crypto" It is even easier to use a good cryptographic transform in a way that is utterly insecure than it is to

Re: Can you keep a secret? This encrypted drive can...

2006-11-01 Thread Damien Miller
On Mon, 30 Oct 2006, Saqib Ali wrote: > http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2006/10/30/BUGU2M1ETT1.DTL&type=printable > http://www.theglobeandmail.com/servlet/story/RTGAM.20061030.wharddrive1029/BNStory/Front/?page=rss&id=RTGAM.20061030.wharddrive1029 > http://www.inf

Re: Spammer using Graphical Steganography

2006-10-25 Thread Damien Miller
On Mon, 23 Oct 2006, Bill Stewart wrote: > Spammers have been including images in their email to evade anti-spammers. > Anti-spammers have been using OCR to identify spammy words in images. > Spammers have recently come up with tricks to work around OCRs, > by doing steganography with animated GIF

Re: Exponent 3 damage spreads...

2006-09-19 Thread Damien Miller
On Fri, 15 Sep 2006, Jostein Tveit wrote: > [EMAIL PROTECTED] (Peter Gutmann) writes: > > > What's more scary is that if anyone introduces a parameterised hash > > (it's quite possible that this has already happened in some fields, > > and with the current interest in randomised hashes it's only

Re: compressing randomly-generated numbers

2006-08-11 Thread Damien Miller
On Wed, 9 Aug 2006, Travis H. wrote: > Hey, > > I was mulling over some old emails about randomly-generated numbers > and realized that if I had an imperfectly random source (something > less than 100% unpredictable), that compressing the output would > compress it to the point where it was nearl

Re: SSL Cert Prices & Notes

2006-08-10 Thread Damien Miller
On Mon, 7 Aug 2006, John Gilmore wrote: > Here is the latest quick update on SSL Certs. It's interesting that > generally prices have risen. Though ev1servers are still the best commercial > deal out there. > > The good news is that CAcert seems to be positioned for prime time debut, > and yo

Re: A weird macro virus story

2006-06-23 Thread Damien Miller
John Kelsey wrote: > Guys, > > Some of my co-workers here at NIST got an email macro virus which > appeared to be targeted to cryptographers. It appeared to be > addressed to Moti Yung, and come from Lawrie Brown and Henri Gilbert > (though that name was misspelled, maybe a transcription error fr

Re: Zfone and ZRTP :: encryption for voip protocols

2006-03-17 Thread Damien Miller
On Wed, 15 Mar 2006, Ed Gerck wrote: > cybergio wrote: > > > > Zfone :: http://www.philzimmermann.com/EN/zfone/index.html > > "...it achieves security without reliance on a PKI, key certification, > trust models, certificate authorities, or key management..." > > Good. But, of course, there's a

Re: browser vendors and CAs agreeing on high-assurance certificates

2005-12-18 Thread Damien Miller
James A. Donald wrote: > -- > Has anyone been attacked through a certificate that > would not have been issued under stricter security? The > article does not mention any such attacks, nor have I > ever heard of such an attack. How much money does a phishing site make before it is forced to

Re: Crypto and UI issues

2005-12-17 Thread Damien Miller
David Mercer wrote: > And my apologies to Ben Laurie and friends, but why after all these > years is the UI interaction in ssh almost exactly the same when > accepting a key for the first time as overriding using a different one > when it changed on the other end, whether from mitm or just a > ke

Re: [EMAIL PROTECTED]: Skype security evaluation]

2005-10-24 Thread Damien Miller
On Sun, 23 Oct 2005, Joseph Ashwood wrote: - Original Message - Subject: [Tom Berson Skype Security Evaluation] Tom Berson's conclusion is incorrect. One needs only to take a look at the publicly available information. I couldn't find an immediate reference directly from the Skype websi

Re: Another entry in the internet security hall of shame....

2005-09-02 Thread Damien Miller
On Tue, 30 Aug 2005, Peter Gutmann wrote: - A non-spoofable means of password entry that only applies for TLS-PSK passwords. In other words, something where a fake site can't trick the user into revealing a TLS-PSK key. This sounds like a solution replete with all the problems that password

Re: Time for new hash standard

2004-09-21 Thread Damien Miller
R. A. Hettinga wrote: > Luckily, there are alternatives. The National Institute of Standards and > Technology already has standards for longer - and harder to break - hash > functions: SHA-224, SHA-256, SHA-384, and SHA-512. They're already > government standards, and can already be used. This is

Re: Is finding security holes a good idea?

2004-06-16 Thread Damien Miller
Eric Rescorla wrote: >>I don't find that argument at all convincing. After all, these bugs *are* >>being found! > > Well, SOME bugs are being found. I don't know what you mean by > "these" bugs. We don't have any real good information about > the bugs that haven't been found. What makes you think

Re: WYTM?

2003-10-19 Thread Damien Miller
On Sun, 2003-10-19 at 00:47, Peter Gutmann wrote: > >What was the motive for adding lip service into the document? > > So that it's possible to claim PGP and X.509 support if anyone's interested in > it. It's (I guess) something driven mostly by marketing so you can answer > "Yes" to any questio

Re: WYTM?

2003-10-17 Thread Damien Miller
On Mon, 2003-10-13 at 20:27, Ian Grigg wrote: > The situation is so ludicrously unbalanced, that if > one really wanted to be serious about this issue, > instead of dismissing certs out of hand (which would > be the engineering approach c.f., SSH), one would > run ADH across the net and wait to se