[cryptography] Fwd: MalwareBytes

2016-06-24 Thread Ron Garret
I originally sent this to John Levine privately, but the discussion seems to have leaked onto this list so I’m re-sending my response to John here for the record. Begin forwarded message: > From: Ron Garret <r...@flownet.com> > Subject: Re: [cryptography] MalwareBytes > Date

Re: [cryptography] MalwareBytes

2016-06-24 Thread Ron Garret
What matters is not the certificate. The certificate is public. You can’t “steal” a certificate. What you *can* steal is the private key associated with a certificate, and the more time goes by the more likely it becomes that someone has done so. However, the expiration date is completely

[cryptography] Stealthy analog trojans

2016-05-25 Thread Ron Garret
Coming soon to a microprocessor near you http://static1.1.sqspcdn.com/static/f/543048/26931843/1464016046717/A2_SP_2016.pdf?token=Sqki%2BUKuhrHYxCqc2HU9B1dlHEQ%3D ___ cryptography mailing list cryptography@randombit.net

Re: [cryptography] [FORGED] Re: Kernel space vs userspace RNG

2016-05-18 Thread Ron Garret
On May 17, 2016, at 11:46 PM, Jon Callas wrote: > Sadly, people's prejudices get them overcomplicating the issue. Indeed. > It's certainly true that a geiger counter measures something that's truly > random (for some suitable value of truly random) because of quantum

[cryptography] You can be too secure

2016-05-05 Thread Ron Garret
On May 5, 2016, at 11:13 AM, Kevin wrote: > One can never be too secure! Actually, I learned the hard way last week that this is not true. Four years ago I bought a 2010 MacBook Air from a private party (i.e. I’ve owned it for four years, and it was two years old

Re: [cryptography] [Cryptography] Show Crypto: prototype USB HSM

2016-04-14 Thread Ron Garret
On Apr 14, 2016, at 2:36 AM, stef <s...@ctrlc.hu> wrote: > On Tue, Apr 12, 2016 at 08:12:52PM -0700, Tony Arcieri wrote: >> On Tue, Apr 12, 2016 at 7:26 PM, Ron Garret <r...@flownet.com> wrote: >> Well, that's true, but it's also hundreds of times bigger than a to

Re: [cryptography] [Cryptography] Show Crypto: prototype USB HSM

2016-04-13 Thread Ron Garret
On Apr 13, 2016, at 4:16 PM, Jerry Leichter wrote: >>> Yes, make it significantly smaller than the current form factor. >> >> Ah. OK, well, that is certainly doable, though how small you can make it is >> ultimately limited by the size of the display. How small do you want

Re: [cryptography] [Cryptography] Show Crypto: prototype USB HSM

2016-04-13 Thread Ron Garret
On Apr 13, 2016, at 2:22 PM, Bill Frantz <fra...@pwpconsult.com> wrote: > On 4/13/16 at 10:14 AM, r...@flownet.com (Ron Garret) wrote: > >> Here’s a photo of an earlier version of the HSM using a seven-segment >> display instead of the current 128x32 pixel OLED, next to

Re: [cryptography] [Cryptography] Show Crypto: prototype USB HSM

2016-04-13 Thread Ron Garret
On Apr 13, 2016, at 8:27 AM, John Ioannidis <j...@tla.org> wrote: > On Tue, Apr 12, 2016 at 11:28 AM, Ron Garret <r...@flownet.com> wrote: >> One of the biggest challenges in crypto is protecting your keys against an >> attacker who pwns your machin

Re: [cryptography] [Cryptography] Show Crypto: prototype USB HSM

2016-04-13 Thread Ron Garret
On Apr 13, 2016, at 8:56 AM, Tony Arcieri wrote: > On Wed, Apr 13, 2016 at 2:06 AM, Thierry Moreau > wrote: > Who wants to be optimistic with respect to threat models in the current IT > landscape? > > I prefer to be realistic about threats,

Re: [cryptography] [Cryptography] Show Crypto: prototype USB HSM

2016-04-12 Thread Ron Garret
On Apr 12, 2016, at 5:39 PM, Tony Arcieri <basc...@gmail.com> wrote: > On Tue, Apr 12, 2016 at 8:28 AM, Ron Garret <r...@flownet.com> wrote: > Some hardware tokens have an input device built in (usually a push button, > sometimes a fingerprint sensor) which needs t

Re: [cryptography] [Cryptography] Secure universal message addressing

2016-04-05 Thread Ron Garret
On Apr 4, 2016, at 7:55 AM, Natanael wrote: > The key idea here is that you get to have *one* identifier for yourself under > your control, that you can use everywhere, securely. Knowing that people have > your real address should provide a strong guarantee that messages

Re: [cryptography] [Cryptography] USG v. Apple, Apple Motion to Vacate Decrypt Order

2016-02-26 Thread Ron Garret
On Feb 26, 2016, at 8:13 AM, Henry Baker wrote: > It would be quite interesting for DOJ to publicly stipulate that NSA could > (or could not) break into iOS 8 or 9. Why? Lying to the public (and even to Congress) seems to be standard operating procedure for the

Re: [cryptography] [Cryptography] Design of a secure hardware dongle

2016-01-25 Thread Ron Garret
cular ARM processor can keep a secret if it > gets into the wrong hands. People with logic analyzers and chip probes. > > Gé > On Tue, Jan 19, 2016 at 12:38 Ron Garret <r...@flownet.com> wrote: > I’m working on a design for a minimalist secure hardware dongle. The goal is

[cryptography] Design of a secure hardware dongle

2016-01-19 Thread Ron Garret
I’m working on a design for a minimalist secure hardware dongle. The goal is to have it be usable as an HSM for the secure storage of secrets. I have a prototype running on a Teensy3, but I’ve come to the conclusion that in order to really be secure there has to be some I/O on the dongle

Re: [cryptography] ISIS’ OPSEC Manual

2015-11-23 Thread Ron Garret
On Nov 23, 2015, at 9:00 AM, John Young wrote: > https://www.wired.com/wp-content/uploads/2015/11/ISIS-OPSEC-Guide.pdf This is ironic: [ron@mighty:~]➔ wget https://www.wired.com/wp-content/uploads/2015/11/ISIS-OPSEC-Guide.pdf --09:08:54--

Re: [cryptography] a little help with cookies please

2015-09-16 Thread Ron Garret
On Sep 16, 2015, at 6:31 AM, Lodewijk andré de la porte wrote: > No. Every request has a header with the cookies in it. > > Again: /every request contains the cookie/ > > This is also a reason for placing static content on a separate server; it > saves bandwidth by not

Re: [cryptography] LastPass have been hacked, so it seems.

2015-06-16 Thread Ron Garret
From the department of ironic timing comes this recent posting on Hacker News: https://news.ycombinator.com/item?id=9727297 On Jun 16, 2015, at 9:59 AM, d...@deadhat.com wrote: Are there any password managers that let the user specify where to store a remote copy of the passwords (FTP server,

[cryptography] SC4 has completed its first security audit

2015-06-12 Thread Ron Garret
SC4 is a PGP replacement based on tweetnacl-js that runs in a browser. It has completed its first security audit, conducted by Cure53: https://github.com/Spark-Innovations/SC4/blob/master/audit-report.pdf The TL;DR version: Our verdict is that SC4 has developed from a proof-of-concept to an

[cryptography] Introducing SC4 -- feedback appreciated

2015-04-17 Thread Ron Garret
Thanks, Ron Garret

Re: [cryptography] Introducing SC4 -- feedback appreciated

2015-04-17 Thread Ron Garret
On Apr 17, 2015, at 11:27 AM, Dominik Schuermann domi...@dominikschuermann.de wrote: what problem of traditional PGP implementations did you solve? The fact that to use PGP you have to install an application. (This is true for Peerio as well.) That turns out to be too much friction for

Re: [cryptography] Introducing SC4 -- feedback appreciated

2015-04-17 Thread Ron Garret
On Apr 17, 2015, at 12:32 PM, z...@manian.org wrote: I don't think this really solves any actual crypto problems. Just to be clear, I’m not claiming to solve any actual crypto problems. I’m claiming (or maybe “aiming” is a better word) to solve a UI/UX problem. I also suspect it's pretty

Re: [cryptography] Introducing SC4 -- feedback appreciated

2015-04-17 Thread Ron Garret
On Apr 17, 2015, at 3:51 PM, Tony Arcieri basc...@gmail.com wrote: On Fri, Apr 17, 2015 at 11:56 AM, Ron Garret r...@flownet.com wrote: The fact that to use PGP you have to install an application. (This is true for Peerio as well.) That turns out to be too much friction for most people

Re: [cryptography] Introducing SC4 -- feedback appreciated

2015-04-17 Thread Ron Garret
On Apr 17, 2015, at 6:59 PM, Tony Arcieri basc...@gmail.com wrote: On Fri, Apr 17, 2015 at 4:25 PM, Ron Garret r...@flownet.com wrote: Why should anyone trust anyone’s web page? When was the last time you obtained a software application that was *not* delivered via the web? There's a big

Re: [cryptography] How far are we from quantum cryptography?

2015-01-25 Thread Ron Garret
On Jan 25, 2015, at 9:17 PM, Ryan Carboni rya...@gmail.com wrote: Actually D-wave supposedly managed 512-Qubits. Yes, but they’re not all mutually entangled. Each qubit only communicates with six others. (Even that is pretty impressive though.) rg

Re: [cryptography] How far are we from quantum cryptography?

2015-01-25 Thread Ron Garret
, 2015, at 9:34 PM, Watson Ladd watsonbl...@gmail.com wrote: On Sun, Jan 25, 2015 at 9:21 PM, Ron Garret r...@flownet.com wrote: On Jan 25, 2015, at 9:17 PM, Ryan Carboni rya...@gmail.com wrote: Actually D-wave supposedly managed 512-Qubits. Yes, but they’re not all mutually entangled

Re: [cryptography] How far are we from quantum cryptography?

2015-01-25 Thread Ron Garret
Far. The state of the art in quantum computing hardware is a small handful of qbits. I think the current record is three or four, and the engineering challenges grow more daunting as the number grows. It might turn out that practical quantum computing is in fact not possible. But if that’s