ANNOUNCING the "Hack Tahoe!" contest
Sat, 19 Jul 2008 00:02:00 +0000
Folks:This contest is inspired by Sameer Parekh's "Hack Netscape!" contest in the fall of 1995.It is already eliciting some really good security insights from smart people.Regards,Zooko ANNOUNCING the "Hack Tahoe!" contesthttp://hacktahoe.orgTahoe, the Least-Authority Filesystem [1], is a secure, decentralizedfilesystem. It is developed as a Free Software, Open Source project.The .. .. read more..
Re: Dutch chipmaker sues to silence security researchers
Fri, 18 Jul 2008 18:08:00 +0000
Latest updates (17.07.08):Dutch courts OKs publishing how to hack NXP chiphttp://uk.reuters.com/article/governmentFilingsNews/idUKL186838820080718saqibhttp://doctrina.wordpress.com/---------------------------------------------------------------------The Cryptography Mailing ListUnsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com .. .. read more..
Re: ?A Practical Attack on the MIFARE Classic?
Wed, 16 Jul 2008 20:06:00 +0000
* Karsten Nohl:> The benefits clearly outweigh the risks since half a year after> announcing the vulnerabilities, Mifare Classic is hopefully not used> in any high security application anymore.Isn't this a bit of wishful thinking?The dynamics are probably very involved because you usually don't buyfrom NXP, but an integrated product from a reseller. An upgrade isn't afree patch, either, so it .. .. read more..
Re: how bad is IPETEE?
Wed, 16 Jul 2008 16:42:00 +0000
On Jul 15, 2008, at 16:33 PM, Leichter, Jerry wrote:> The goal is> to use some form of opportunistic encryption to make as much> Internet traffic as possible encrypted as quickly as possible -> which puts all kinds of constraints on a solution,Oh, then they should learn about Adam Langley's Obfuscated TCP:http://code.google.com/p/obstcp/One of the design constraints for Obfuscated TCP was that an .. .. read more..
Re: how bad is IPETEE?
Wed, 16 Jul 2008 00:42:00 +0000
At Tue, 15 Jul 2008 18:33:10 -0400 (EDT),Leichter, Jerry wrote:> For an interesting discussion of IPETEE, see:>> www.educatedguesswork.org/moveabletype/archives/2008/07/ipetee.html>> Brief summary: This is an initial discussion - the results of a> drinking session - that got leaked as an actual proposal. The> guys behind it are involved with The Pirate Bay. The goal is> to use some form of .. .. read more..
Re: how bad is IPETEE?
Tue, 15 Jul 2008 22:33:00 +0000
For an interesting discussion of IPETEE, see:www.educatedguesswork.org/moveabletype/archives/2008/07/ipetee.htmlBrief summary: This is an initial discussion - the results of adrinking session - that got leaked as an actual proposal. Theguys behind it are involved with The Pirate Bay. The goal isto use some form of opportunistic encryption to make as muchInternet traffic as possible encrypted .. .. read more..
Re: ?A Practical Attack on the MIFARE Classic?
Tue, 15 Jul 2008 18:10:00 +0000
On Jul 15, 2008, at 5:06 PM, Perry E. Metzger wrote:> Although the paper seems to be gone from Wikileaks, it is on cryptome:>> http://cryptome.org/mifare-classic.pdfThis is a paper published on arXiv in March that does not contain the type of information NXP is suing over, which is why it was removed from Wikileaks.The law suit is about a full disclosure of the Crypto1 security system that .. .. read more..
?A Practical Attack on the MIFARE Classic?
Tue, 15 Jul 2008 15:06:00 +0000
Although the paper seems to be gone from Wikileaks, it is on cryptome:http://cryptome.org/mifare-classic.pdfNothing shocking to regular readers of this list in thepaper. However, it is yet more evidence that no manufacturer, nomatter how large or reputable, should ever be trusted when they say"our secret security system is really good, trust us."Perry-- Perry E. Metzger perry@piermont.com------- .. .. read more..
[FDE] ver 6.0 of TrueCrypt
Mon, 14 Jul 2008 19:19:00 +0000
-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA1New features include (my summary):* parallelized encryption/decryption (to take advantage of multi-corecomputers that are all the rage these days)* plausibly deniable hidden OS support* backup of volume header (reliability update)* ability to create hidden volumes on Mac/Linux* some other stuff...Of all the new features, the "hidden OS support" looks .. .. read more..
Re: Kaminsky finds DNS exploit
Mon, 14 Jul 2008 16:06:00 +0000
At 4:27 PM +0200 7/14/08, Florian Weimer wrote:>Implementors say that in many cases, their software as it's currently>implemented can't take the load. It's not much worse than web traffic,>that's why I think it can be made to work (perhaps easier with kernel>support, who knows). But code changes are apparently required.That whole paragraph, taken together, makes no sense.>And once you need code .. .. read more..
Re: Kaminsky finds DNS exploit
Mon, 14 Jul 2008 14:52:00 +0000
On Mon, 14 Jul 2008 16:27:58 +0200Florian Weimer wrote: > On top of that, some operators decided not to offer TCP service at> all.Right. There's a common misconception, on both security and networkoperator mailing lists, that DNS servers use TCP only for zonetransfers, and that all such connection requests should be blocked.See, for example, the NANOG thread starting athttp:// .. .. read more..
Re: Mifare
Mon, 14 Jul 2008 14:42:00 +0000
On Sun, Jul 13, 2008 at 02:41:29PM +1000, James A. Donald wrote:>> Now everyone is going to say it should have been put out for review, and > of course it should have been, and had they done so they would have > avoided these particular mistakes, but DNSSEC and WPA was reviewed to > hell and back, and the result was still no damned good.Really? From a cryptographic -- not a political -- point .. .. read more..
Re: Kaminsky finds DNS exploit
Mon, 14 Jul 2008 14:27:00 +0000
* John Levine:>>CERT/CC mentions this:>>>>| It is important to note that without changes to the DNS protocol, such>>| as those that the DNS Security Extensions (DNSSEC) introduce, these>>| mitigations cannot completely prevent cache poisoning.>> Why wouldn't switching to TCP lookups solve the problem?It requires code changes on both types of servers, in order to make themmore scalable.> It's .. .. read more..
Re: Kaminsky finds DNS exploit
Mon, 14 Jul 2008 14:22:00 +0000
>CERT/CC mentions this:>>| It is important to note that without changes to the DNS protocol, such>| as those that the DNS Security Extensions (DNSSEC) introduce, these>| mitigations cannot completely prevent cache poisoning.Why wouldn't switching to TCP lookups solve the problem? It'sarguably more traffic than DNSSEC, but it has the large practicaladvantage that they actually work with deployed .. .. read more..
Re: Kaminsky finds DNS exploit
Sun, 13 Jul 2008 18:50:00 +0000
* Jack Lloyd:> Perhaps there is something subtle here that is more dangerous than the> well known problems, and all these source port randomization and> transaction id randomization fixes are just a smokescreen of sorts for> a fix for something Dan found.It's not a smokescreen, it's a statistical workaround.CERT/CC mentions this:| It is important to note that without changes to the DNS protocol, .. .. read more..
Mifare
Sun, 13 Jul 2008 04:41:00 +0000
http://www.youtube.com/watch?v=NW3RGbQTLhE shows the researchersbreaking Mifare.And in the comments, we see posts (I presume from mifare people) complaining that what is happening cannot possibly be happening.Everyone on this list knows the correct way to do what Mifare does wrong.So, since we all know how to do it right, why did Mifare come up with their own super secret snake oil algorithm that .. .. read more..
Re: how bad is IPETEE?
Fri, 11 Jul 2008 17:15:00 +0000
On Fri, Jul 11, 2008 at 05:08:39PM +0100, Dave Korn wrote:> It does sound a lot like "SSL/TLS without certs", ie. SSL/TLSweakened to> make it vulnerable to MitM. Then again, if no Joe Punter ever knows the> difference between a real and spoofed cert, we're pretty much in the same> situation anyway.Note that this is not all that bad because many apps can doauthentication at the application .. .. read more..
RE: how bad is IPETEE?
Fri, 11 Jul 2008 16:08:00 +0000
John Ioannidis wrote on 10 July 2008 18:03:> Eugen Leitl wrote:>> In case somebody missed it,>>>> http://www.tfr.org/wiki/index.php?title=Technical_Proposal_(IPETEE)>>>> If this is a joke, I'm not getting it.>> /ji I thought the bit about "Set $wgLogo to the URL path to your own logoimage" was quite funny. But they did misspell 'teh' in "Transparentend-to-end encryption for teh internets". .. .. read more..
Re: how bad is IPETEE?
Thu, 10 Jul 2008 20:26:00 +0000
On Thu, Jul 10, 2008 at 02:31:12PM -0400, James Cloos wrote:>>>>>> "Eugen" == Eugen Leitl writes:>> Eugen> I'm not sure what the status of http://postel.org/anonsec/>> The IETF just created a new list and subscribed all anonsec subscribers:>> https://www.ietf.org/mailman/listinfo/btnsIndeed. But it's as quiet as the old list :/Seriously, the work of the BTNS WG is, IMO, .. .. read more..
Re: how bad is IPETEE?
Thu, 10 Jul 2008 18:31:00 +0000
>>>>> "Eugen" == Eugen Leitl writes:Eugen> I'm not sure what the status of http://postel.org/anonsec/The IETF just created a new list and subscribed all anonsec subscribers:https://www.ietf.org/mailman/listinfo/btns-JimC-- James Cloos OpenPGP: 1024D/ED7DAEA6---------------------------------------------------------------------The Cryptography Mailing .. .. read more..
Re: how bad is IPETEE?
Thu, 10 Jul 2008 18:22:00 +0000
On Thu, Jul 10, 2008 at 06:10:27PM +0200, Eugen Leitl wrote:> In case somebody missed it, >> http://www.tfr.org/wiki/index.php?title=Technical_Proposal_(IPETEE)I did miss it. Thanks for the link. I don't think in-band key exchangeis desirable here, but, you never know what will triumph in themarketplace.> I'm not sure what the status of http://postel.org/anonsec/> is, the mailing list traffic .. .. read more..
Re: Dutch chipmaker sues to silence security researchers
Thu, 10 Jul 2008 17:58:00 +0000
Ali, Saqib wrote:> Dutch chipmaker NXP Semiconductors has sued a university in The> Netherlands to block publication of research that details security> flaws in NXP's Mifare Classic wireless smart cards, which are used in> transit and building entry systems around the world.Ah, more 3 monkeys syndrome? If a flaw exists but nobody knows about the details, it no longer exists? If we don't publish .. .. read more..
Re: how bad is IPETEE?
Thu, 10 Jul 2008 17:17:00 +0000
At Thu, 10 Jul 2008 18:10:27 +0200,Eugen Leitl wrote:>>> In case somebody missed it, >> http://www.tfr.org/wiki/index.php?title=Technical_Proposal_(IPETEE)>> I'm not sure what the status of http://postel.org/anonsec/> is, the mailing list traffic dried up a while back.This is the first I have heard of this.That said, some initial observations:- It's worth asking why, if you're doing .. .. read more..
Re: how bad is IPETEE?
Thu, 10 Jul 2008 17:03:00 +0000
Eugen Leitl wrote:> In case somebody missed it, >> http://www.tfr.org/wiki/index.php?title=Technical_Proposal_(IPETEE)> If this is a joke, I'm not getting it./ji---------------------------------------------------------------------The Cryptography Mailing ListUnsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com .. .. read more..
Re: Permanent Privacy - Are Snake Oil Patents a threat?
Thu, 10 Jul 2008 16:28:00 +0000
On Wed, 2008-07-09 at 13:02 +1200, David G. Koontz wrote:>> I did a quick check to look for patent applications or patents by them and> didn't find any. This isn't definitive if a patent application isn't> published. The newest published patent application I found on encryption> had an application date of 11 Dec 2007. Some recently published patent> applications are 6 or 7 years old, too.This .. .. read more..