Tales from the Crypto

Alun Jones (Security MVP Reconnect) writes about security, cryptography, SSL, PKI, and pretty much anything else that bothers him enough.

Archive for May, 2006

May 27, 2006

PGP / Truecrypt brouhaha

Filed under: General Security,Why is PKI so hard? @ 8:10 pm

There’s a fascinating debate going on at present. Two ‘researchers’, called Abed and Adonis, are trumpeting their mad sk177z at cryptography. They have a few basic claims: They can bypass authentication on PGP self-decrypting archives. They can decrypt PGP-encrypted drives without knowing the passphrase. It’s an interesting read, and full of the sort of lack of […]

May 26, 2006

Forget that I asked you to ignore what I said about SAL.

Okay, so for the foreseeable future at least, SAL (and other code analysis goodness) is indeed available to all and sundry, like pie and chips, for free, on the Windows Vista Beta 2 SDK. Michael Howard and I had a very pleasant exchange (as always) over email, where neither of us quite seemed to grasp […]

Full Disclosure – how full is full?

Filed under: General Security @ 11:15 am

Bruce Schneier says “full disclosure is the best tool we have to improve security“. Woah, that’s rather like saying “wheeled vehicles are the best tool for ground transport of passengers”. There are many different kinds of wheeled vehicles, and there are many different kinds of “full disclosure”. Most often, “full disclosure” means “complete and immediate public […]

May 24, 2006

Security questions considered dangerous

Filed under: Biometrics,General Security @ 8:24 am

Keith Brown expresses concern over the security questions people ask themselves for password reset, and suggests that the user not be allowed to write the question, so that sufficiently secure questions can be asked. Congratulations – you’ve addressed half the problem. The server can now ensure that it asks the user a complex question. […]

May 23, 2006

Why would someone hack my site?

Filed under: General Security @ 12:12 am

Sandi Hardmeier often has something to say that I want to listen to, even if she approaches things from a different perspective. Today, she posed the question “Why would somebody want to hack into my network?“ My first thought is to note that the “PC in Herndon, VA” may not necessarily be even as harmless […]

May 22, 2006

When is a virus not a virus?

Filed under: General Security @ 11:53 pm

When it doesn’t spread. There’s been a lot of press devoted of late to this “Word zero-day vulnerability“, some of it even referring to this as a virus. While it seems that the exploit in use could be further exploited in order to make this into a virus, the particular attack in question is being […]

May 21, 2006

Okay, scratch what I said about SAL

Despite what Michael Howard says about how wonderful SAL is, and my own post from earlier today, I really shouldn’t be telling you about it. Is that because it’s under NDA? Is it because it’s a skill I learned at Microsoft, but can’t use outside because of a non-compete clause? No. It’s because most developers […]

May 20, 2006

SAL – pipped at the post by Michael Howard.

I’ve been spending some time this week in the evenings thinking on how I should introduce SAL – the Standard Annotation Language – to you all. Then Michael Howard managed to do it before I could get there. It’s been in use at Microsoft for some time now, albeit frequently rather grudgingly. I was introduced […]

May 14, 2006

How to scan SSL/TLS sites.

Filed under: Why is PKI so hard? @ 10:31 pm

The other day, I hit a conundrum. We couldn’t make LDAPS connections to a couple of domain controllers. A quick “TS” over to the systems in question indicated that we had a correct certificate in place, and that it was valid, but when we connected using “LDP” over port 636, we would be told that […]
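The diagnosis in that post sits behind the cut, so it is not reproduced here. What follows is an added example, not the post's own tool and not code from the author: a small Python scanner that does the checks an LDAPS client performs before it will talk to a domain controller on port 636. It handshakes with full verification (system trust store, host name checked), and when that fails it records OpenSSL's reason and captures the leaf certificate the server actually presented, which is often not the certificate you saw in the local store. The host `dc1.example.com` is a placeholder; the certificate dictionaries the helpers consume mirror the shape `ssl.SSLSocket.getpeercert()` returns.

```python
"""Added example: probe an SSL/TLS endpoint such as a domain controller's LDAPS
port and report what an LDAP client would see. Not the post's own tool; the
host name dc1.example.com is a placeholder."""
import socket
import ssl
import time


def cert_names(cert):
    """DNS names a getpeercert()-style dict covers. SAN entries win; the subject
    CN is consulted only when the certificate carries no SAN at all."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive exact match, or a single leading wildcard label that
    stands in for exactly one host label (so *.example.com covers dc1.example.com
    but not example.com or a.b.example.com)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host


def names_cover_host(cert, host):
    return any(name_matches(name, host) for name in cert_names(cert))


def validity_status(cert, now=None):
    """'not_yet_valid', 'expired' or 'valid' for the notBefore/notAfter strings
    getpeercert() returns; `now` is a Unix timestamp (defaults to the clock)."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        return "not_yet_valid"
    if now > not_after:
        return "expired"
    return "valid"


def fetch_leaf_pem(host, port, timeout):
    """Second, unverified handshake purely to capture the certificate the server
    actually sent; getpeercert() stays empty without verification, so take DER."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


def scan(host, port=636, timeout=5.0):
    """Handshake the way an LDAPS client does (system trust store, host name
    checked) and return a findings dict; on failure record the verifier's reason
    and the leaf certificate so the mismatch can be inspected offline."""
    result = {"host": host, "port": port}
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                result.update(
                    trusted=True,
                    protocol=tls.version(),
                    names=cert_names(cert),
                    name_ok=names_cover_host(cert, host),
                    validity=validity_status(cert),
                    not_after=cert["notAfter"],
                )
    except ssl.SSLCertVerificationError as exc:
        # Untrusted issuer, name mismatch, expired: OpenSSL says which.
        result.update(trusted=False, error=exc.verify_message)
        try:
            result["leaf_pem"] = fetch_leaf_pem(host, port, timeout)
        except OSError as exc2:
            result["leaf_pem"] = f"unavailable: {exc2}"
    except (ssl.SSLError, OSError) as exc:
        # Handshake or transport failure before any certificate could be checked.
        result.update(trusted=False, error=str(exc))
    return result


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "dc1.example.com"
    for key, value in scan(target).items():
        print(f"{key}: {value}")
```

Run it as `python scan_tls.py dc1.example.com`. A `trusted: False` result with a `verify_message` such as a self-signed or unknown-issuer error points at the client's trust store rather than the server; a name-mismatch error with `leaf_pem` showing a certificate other than the one you installed means the server is picking a different certificate than you expected, which is worth checking before anything else.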

May 9, 2006

Today’s bulletins.

Filed under: General Security @ 4:30 pm

Bulletin MS06-018: Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service (913580) Okay, that’s special – a denial of service in MSDTC, and the workaround is to … disable MSDTC.  Clearly the workaround does exactly what the bulletin is trying to protect you against, so if you have any applications that rely on […]


© 2017 Tales from the Crypto   Provided by WPMU DEV -The WordPress Experts   Hosted by Microsoft MVPs