[cryptography] cryptography Digest, Vol 25, Issue 3

พรเพ็ญ สุวรรณสุข npnunglovely at hotmail.co.th
Thu Mar 1 21:40:07 EST 2012


> From: cryptography-request at randombit.net
> Subject: cryptography Digest, Vol 25, Issue 3
> To: cryptography at randombit.net
> Date: Thu, 1 Mar 2012 20:21:21 -0500
> 
> 
> Today's Topics:
> 
>    1. Re: Constitutional Showdown Voided as Feds Decrypt	Laptop
>       (Steven Bellovin)
>    2. Re: Constitutional Showdown Voided as Feds Decrypt	Laptop
>       (Jeffrey Walton)
>    3. Re: Constitutional Showdown Voided as Feds Decrypt	Laptop
>       (Nico Williams)
>    4. Re: Constitutional Showdown Voided as Feds Decrypt	Laptop
>       (Nico Williams)
>    5. Re: Constitutional Showdown Voided as Feds Decrypt Laptop
>       (James A. Donald)
>    6. Re: Constitutional Showdown Voided as Feds Decrypt	Laptop
>       (dan at geer.org)
>    7. Re: Constitutional Showdown Voided as Feds Decrypt Laptop
>       (Jeffrey I. Schiller)
>    8. Re: Constitutional Showdown Voided as Feds Decrypt Laptop
>       (Jeffrey I. Schiller)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Thu, 1 Mar 2012 17:49:09 -0500
> From: Steven Bellovin <smb at cs.columbia.edu>
> To: Nico Williams <nico at cryptonector.com>
> Cc: Crypto List <cryptography at randombit.net>
> Subject: Re: [cryptography] Constitutional Showdown Voided as Feds
> 	Decrypt	Laptop
> Message-ID: <5CA03EDE-52BD-4CB5-9E51-BB29ACFBA345 at cs.columbia.edu>
> Content-Type: text/plain; charset=us-ascii
> 
> 
> On Mar 1, 2012, at 4:33 12PM, Nico Williams wrote:
> 
> > On Thu, Mar 1, 2012 at 3:22 PM, Randall  Webmail <rvh40 at insightbb.com> wrote:
> >> From: "Jeffrey Walton" <noloader at gmail.com>
> >>> Perhaps Fricosu reused a password and was on a mailing list using Mailman...
> >> 
> >> Yeah - what's the deal with Mailman sending the password in clear-text, once a month?
> >> 
> >> Did anyone really think that was a good idea?  Was it a tradeoff between security and help desk support costs?   What other reason could there be?
> > 
> > Mailman passwords are of very low value.
> 
> 
> Precisely correct.  The security mechanism is commensurate with the general
> risk.  And if you're running that high-value a mailing list, you simply
> disable that feature.
> 
> 		--Steve Bellovin, https://www.cs.columbia.edu/~smb
> 
> 
> 
> 
> 
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Thu, 1 Mar 2012 17:56:48 -0500
> From: Jeffrey Walton <noloader at gmail.com>
> To: Steven Bellovin <smb at cs.columbia.edu>
> Cc: Crypto List <cryptography at randombit.net>
> Subject: Re: [cryptography] Constitutional Showdown Voided as Feds
> 	Decrypt	Laptop
> Message-ID:
> 	<CAH8yC8nsyKWPV=__k-rigkBOES_wy5VnXduFFS7PBxBDHMwB2A at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
> 
> On Thu, Mar 1, 2012 at 5:49 PM, Steven Bellovin <smb at cs.columbia.edu> wrote:
> >
> > On Mar 1, 2012, at 4:33 12PM, Nico Williams wrote:
> >
> >> On Thu, Mar 1, 2012 at 3:22 PM, Randall Webmail <rvh40 at insightbb.com> wrote:
> >>> From: "Jeffrey Walton" <noloader at gmail.com>
> >>>> Perhaps Fricosu reused a password and was on a mailing list using Mailman...
> >>>
> >>> Yeah - what's the deal with Mailman sending the password in clear-text, once a month?
> >>>
> >>> Did anyone really think that was a good idea?  Was it a tradeoff between security and help desk support costs?   What other reason could there be?
> >>
> >> Mailman passwords are of very low value.
> >
> >
> > Precisely correct.  The security mechanism is commensurate with the general
> > risk.  And if you're running that high-value a mailing list, you simply
> > disable that feature.
> Low value to whom? Considering all the password reuse, some (such as
> the bad guys) would consider the username/password list high value.
> 
> Jeff
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Thu, 1 Mar 2012 17:09:03 -0600
> From: Nico Williams <nico at cryptonector.com>
> To: noloader at gmail.com
> Cc: Crypto List <cryptography at randombit.net>
> Subject: Re: [cryptography] Constitutional Showdown Voided as Feds
> 	Decrypt	Laptop
> Message-ID:
> 	<CAK3OfOhJBEA9NHQA7Bqk03kb5aPH1P75tGH1=SjS=T9278q2cw at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
> 
> On Thu, Mar 1, 2012 at 4:56 PM, Jeffrey Walton <noloader at gmail.com> wrote:
> >>> Mailman passwords are of very low value.
> >>
> >>
> >> Precisely correct.  The security mechanism is commensurate with the general
> >> risk.  And if you're running that high-value a mailing list, you simply
> >> disable that feature.
> > Low value to whom? Considering all the password reuse, some (such as
> > the bad guys) would consider the username/password list high value.
> 
> I let mailman generate passwords.  And I never use them, much less
> re-use them.  Well, I do use them when I need to change e-mail
> addresses, which happens very rarely, and then I start by asking
> mailman to send me my passwords because I don't remember them -- I've
> done this like once in the past decade.
> 
> These are all public mailing lists.  With public archives.  To which
> people post unsigned messages.
> 
> As for non-public lists, see Steven's reply.
> 
> Yeah, mailman passwords are of low value from a security point of view.
> 
> Nico
> --
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Thu, 1 Mar 2012 17:09:52 -0600
> From: Nico Williams <nico at cryptonector.com>
> To: Crypto List <cryptography at randombit.net>
> Subject: Re: [cryptography] Constitutional Showdown Voided as Feds
> 	Decrypt	Laptop
> Message-ID:
> 	<CAK3OfOg2hXieELrNh8kSnC=-wAn3mNAwv23e7TYgM3OpOAuknA at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
> 
> IOW, I doubt mailman is how they got Fricosu's password.
> 
> 
> ------------------------------
> 
> Message: 5
> Date: Fri, 02 Mar 2012 09:13:00 +1000
> From: "James A. Donald" <jamesd at echeque.com>
> To: cryptography at randombit.net
> Subject: Re: [cryptography] Constitutional Showdown Voided as Feds
> 	Decrypt Laptop
> Message-ID: <4F50027C.8050800 at echeque.com>
> Content-Type: text/plain; charset=UTF-8; format=flowed
> 
> On 2012-03-01 8:53 AM, James S. Tyre wrote:
> > The authorities seized the encrypted Toshiba laptop from defendant Ramona Fricosu in 2010
> > with valid court warrants while investigating alleged mortgage fraud, and demanded she
> > decrypt it. Colorado U.S. District Judge Robert Blackburn ordered the woman in January to
> > decrypt the laptop by the end of February. The judge refused to stay his decision to allow
> > Fricosu time to appeal.
> >
> > "They must have used or found successful one of the passwords the co-defendant provided
> > them," Fricosu's attorney, Philip Dubois, said in a telephone interview Wednesday.
> 
> What one man knows, no one knows, what two men know, everyone knows.
> 
> 
> ------------------------------
> 
> Message: 6
> Date: Thu, 01 Mar 2012 18:42:39 -0500
> From: dan at geer.org
> To: jamesd at echeque.com
> Cc: cryptography at randombit.net
> Subject: Re: [cryptography] Constitutional Showdown Voided as Feds
> 	Decrypt	Laptop
> Message-ID: <20120301234239.5B55E33CC0 at absinthe.tinho.net>
> 
> 
>  > What one man knows, no one knows, what two men know, everyone knows.
> 
> Can I rely on that?
> 
> --dan
> 
> 
> 
> ------------------------------
> 
> Message: 7
> Date: Thu, 01 Mar 2012 20:18:32 -0500
> From: "Jeffrey I. Schiller" <jis at qyv.net>
> To: cryptography at randombit.net
> Subject: Re: [cryptography] Constitutional Showdown Voided as Feds
> 	Decrypt Laptop
> Message-ID: <4F501FE8.8000907 at qyv.net>
> Content-Type: text/plain; charset=UTF-8
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 03/01/2012 06:09 PM, Nico Williams wrote:
> > I let mailman generate passwords.  And I never use them, much less
> > re-use them.  Well, I do use them when I need to change e-mail
> > addresses, which happens very rarely, and then I start by asking
> > mailman to send me my passwords because I don't remember them -- I've
> > done this like once in the past decade.
> 
> Perhaps mailman should be changed to require you to use its generated
> passwords, or better yet, to only generate a password when you ask it
> to send you your password, and then invalidate it after a few days. So
> it isn't really a password but a "thunk" of limited value.
> 
> In this fashion we can be more assured that people aren't re-using
> passwords with mailman.
> 
> Because... you and I may know better... the manager at the bank where
> are money is stored (or the doctor's office where are medical records
> are located) may not know better...   ;-)
> 
>                         -Jeff
> 
> - --
> _______________________________________________________________________
> Jeffrey I. Schiller
> MIT Technologist, Consultant, and Cavy Breeder
> Cambridge, MA 02139-4307
> 617.910.0259 - Voice
> jis at qyv.net
> http://jis.qyv.name
> _______________________________________________________________________
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> 
> iD8DBQFPUB+98CBzV/QUlSsRAme0AKD68AevJfdboYC8zd/OeShRtwSS8QCgnRTr
> oL3z9rBPfkYy3vPLrSdsQ6M=
> =TPD+
> -----END PGP SIGNATURE-----
> 
> 
> 
> ------------------------------
> 
> Message: 8
> Date: Thu, 01 Mar 2012 20:21:18 -0500
> From: "Jeffrey I. Schiller" <jis at qyv.net>
> To: cryptography at randombit.net
> Subject: Re: [cryptography] Constitutional Showdown Voided as Feds
> 	Decrypt Laptop
> Message-ID: <4F50208E.2010208 at qyv.net>
> Content-Type: text/plain; charset="utf-8"
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> - -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> s/are/our/ grrr... :-)
> 
> - - --
> _______________________________________________________________________
> Jeffrey I. Schiller
> MIT Technologist, Consultant, and Cavy Breeder
> Cambridge, MA 02139-4307
> 617.910.0259 - Voice
> jis at qyv.net
> http://jis.qyv.name
> _______________________________________________________________________
> - -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> 
> iD8DBQFPUCBa8CBzV/QUlSsRAltxAJwPgKaSNEMhRJJ3dOUr29Tq1vT2bwCgggla
> Ew6HH+WhiaNj2QMj+lmXHok=
> =B3Cs
> - -----END PGP SIGNATURE-----
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iD8DBQFPUCCN8CBzV/QUlSsRAuNFAJ9LI2MkEA8UrifmPI0DwC81db6jhQCfdNRJ
> /PrCjjWaXXosN6+mRoTtyiY=
> =0+8y
> -----END PGP SIGNATURE-----
> 
> 
> ------------------------------
> 
> End of cryptography Digest, Vol 25, Issue 3
> *******************************************
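
The mechanism suggested in Message 7 above (a credential generated only when the subscriber asks for it and invalidated after a few days), written out as an added example; it is not Mailman code and not code from any poster in the thread. The class name, the three-day lifetime and the sample addresses are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 3 * 24 * 3600  # "a few days"; the exact lifetime is an assumption


class ThunkStore:
    """On-demand, expiring list credentials (hypothetical; not Mailman's API)."""

    def __init__(self, ttl=TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._pending = {}  # address -> (SHA-256 digest of token, expiry time)

    def issue(self, address):
        """Generate a fresh random token, replacing any earlier one."""
        token = secrets.token_urlsafe(16)  # server-chosen, so nothing to reuse
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[address] = (digest, self._clock() + self._ttl)
        return token  # mailed to the subscriber; only the digest is stored

    def verify(self, address, token):
        """Accept the token only while it is unexpired and matches."""
        entry = self._pending.get(address)
        if entry is None:
            return False
        digest, expires = entry
        if self._clock() >= expires:
            del self._pending[address]  # invalidate after the lifetime passes
            return False
        candidate = hashlib.sha256(token.encode()).digest()
        return hmac.compare_digest(candidate, digest)  # constant-time compare


def demo():
    """Constructed scenario with a fake clock so expiry can be shown offline."""
    now = [0.0]
    store = ThunkStore(clock=lambda: now[0])
    addr = "subscriber@example.org"  # constructed sample address
    token = store.issue(addr)
    fresh = store.verify(addr, token)
    reused = store.verify(addr, "password-from-another-site")
    now[0] += TTL_SECONDS + 1
    stale = store.verify(addr, token)
    return fresh, reused, stale
```

Because the server picks the value and stores only its digest, a leaked subscriber table or a mailed reminder exposes nothing a subscriber also uses elsewhere.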
 		 	   		  