Stephen Farrell | 7 May 2013 16:39

Fwd: Just Announced: New NIST Security Controls Document - SP 800-53 Rev 4 Training


FYI

-------- Original Message --------
Subject: Just Announced: New NIST Security Controls Document - SP 800-53 Rev 4 Training
Date: Tue, 07 May 2013 08:34:28 -0600
From: NIST Security Controls SP 800-53 Rev 4 Workshop
<Training <at> NIST800-53Rev4.potomacforum.org>
To: <stephen.farrell <at> cs.tcd.ie>

 Just Released NIST SP 800-53 Rev 4 (FINAL) Security Controls Document -
Released on April 30th. NIST Keynote and Featured Presentation. Workshop
will Present a Detailed Analysis of the Document-  Please Forward To
Your Associates - CIO, Security, IG, CFO, Program Managers & Staff,
Industry Interested in IT Security - Government & Industry -

New NIST Security Controls Publication
SP 800-53 Revision 4
(April 30, 2013)

http://www.potomacforum.org

Security and Privacy Controls
for Federal Information Systems and Organizations
Training Workshop

Gov Security Controls:
What is New

hammondjohnson | 27 Apr 2013 20:03

Biggest Fake Conference in Computer Science

We are researchers from different parts of the world and conducted a study on  
the world’s biggest bogus computer science conference WORLDCOMP 
( http://sites.google.com/site/worlddump1 ) organized by Prof. Hamid Arabnia 
from University of Georgia, USA.

We submitted a fake paper to WORLDCOMP 2011 and again (the same paper 
with a modified title) to WORLDCOMP 2012. This paper had numerous 
fundamental mistakes. Sample statements from that paper include: 

(1). Binary logic is fuzzy logic and vice versa
(2). Pascal developed fuzzy logic
(3). Object oriented languages do not exhibit any polymorphism or inheritance
(4). TCP and IP are synonyms and are part of OSI model 
(5). Distributed systems deal with only one computer
(6). Laptop is an example for a super computer
(7). Operating system is an example for computer hardware

Also, our paper did not express any conceptual meaning.  However, it 
was accepted both times without any modifications (and without 
any reviews) and we were invited to submit the final paper and a 
payment of $500+ fee to present the paper. We decided to use the 
fee for better purposes than making Prof. Hamid Arabnia (Chairman 
of WORLDCOMP) rich. After that, we received a few reminders from 
WORLDCOMP to pay the fee but we never responded. 

We MUST say that you should look at the above website if you have any thoughts 
to submit a paper to WORLDCOMP.  DBLP and other indexing agencies have stopped 
indexing WORLDCOMP’s proceedings since 2011 due to its fakeness. See 
http://www.informatik.uni-trier.de/~ley/db/conf/icai/index.html for one of the 
conferences of WORLDCOMP and notice that there is no listing after 2010. See Section 2 of

Stephen Farrell | 23 Apr 2013 22:33

BoF dates for Berlin IETF


Hiya,

If someone is interested in a security related BoF in Berlin
you probably need to be talking to Sean or me real soon now.

The dates are:

• 2013-06-17 (Monday): Cutoff date for BOF proposal requests to Area
Directors at UTC 24:00. To request a BOF, please see instructions on
Requesting a BOF.
• 2013-06-20 (Thursday): Cutoff date for Area Directors to approve BOFs
at UTC 24:00.

Cheers,
S.
Magnus Westerlund | 18 Apr 2013 15:37

Requesting review of AES-GCM and AES-CCM Authenticated Encryption in Secure RTP (SRTP)

Hi,

The AVTCORE WG has developed this application of AES-GCM and AES-CCM as
a cipher suite for SRTP. I would really appreciate it if some more security
knowledgeable people would take a look at it before we request publication. If
they have any understanding of SRTP it would be a big plus.

https://datatracker.ietf.org/doc/draft-ietf-avtcore-srtp-aes-gcm/

Thanks

Magnus Westerlund
AVTCORE WG chair

Tatu Ylonen | 6 Apr 2013 15:45

SSH user key management - new draft and mailing list

A new draft "SSH Key Management for Automated Access - Current Recommended Practice" is now available at https://tools.ietf.org/html/draft-ylonen-sshkeybcp-01

The draft is relevant for anyone interested in SSH user key management and more generally identity and
access management.  We have found hundreds of thousands to millions of SSH authorized keys from the IT
environments of many large enterprises (many times more than they have interactive users), and bringing
key-based access under control is very important.  The draft outlines the risks with unmanaged key-based
access and presents a process for remediating the situation in an existing environment and implementing an
ongoing process for monitoring and managing key-based access (and other automated passwordless access).

I am hoping the draft will evolve into a BCP (Best Current Practice) standard on managing SSH user keys in
organizations.  The draft is mostly about process and policy, not technical protocols, as SSH user key
management is really an identity and access management issue and the related problems largely policy,
process, and auditing issues related to controlling access to information systems in an organization,
especially with regards to automated machine-to-machine access.

A mailing list sshmgmt <at> ietf.org has been created for discussion about the draft (and other issues related
to managing SSH).  Please send comments on the draft to the list.  To subscribe (or unsubscribe), go to: https://www.ietf.org/mailman/listinfo/sshmgmt

Regards,

Tatu Ylonen

Stephen Farrell | 30 Mar 2013 12:39

Fwd: Fwd: Choosing a header compression algorithm


The httpbis wg are trying to figure out how to
do compression in HTTP/2.0 in a way that's not
so vulnerable to the CRIME attack.

They'd like additional security eyeballs on what
is quite a tricky problem.

If you're willing and able to help then that'd be
best done on the httpbis wg list.

Any other questions feel free to ask me or Mark
(httpbis wg chair, cc'd) offlist.

S.

-------- Original Message --------
Subject: Fwd: Choosing a header compression algorithm
Date: Sat, 30 Mar 2013 16:50:32 +1100
From: Mark Nottingham <mnot <at> mnot.net>
To: Stephen Farrell <stephen.farrell <at> cs.tcd.ie>, Sean Turner
<turners <at> ieca.com>

Any input from Security would be most welcome here…

Cheers,

Begin forwarded message:

> Resent-From: ietf-http-wg <at> w3.org

Moriarty, Kathleen | 25 Mar 2013 19:36

FW: New Version Notification for draft-moriarty-pkcs12v1-1-01.txt

Hello,

I believe the attached version addresses all of the outstanding questions.  Please let me know if there are
any further comments.  Once version 1.0 is published, then we can work on the more extensive changes in a revision.

Thank you,
Kathleen

-----Original Message-----
From: internet-drafts <at> ietf.org [mailto:internet-drafts <at> ietf.org] 
Sent: Monday, March 25, 2013 2:11 PM
To: Moriarty, Kathleen
Cc: mnystrom <at> microsoft.com; Parkinson, Sean; Rusch, Andreas; Scott, Michael2
Subject: New Version Notification for draft-moriarty-pkcs12v1-1-01.txt

A new version of I-D, draft-moriarty-pkcs12v1-1-01.txt
has been successfully submitted by Kathleen M. Moriarty and posted to the
IETF repository.

Filename:	 draft-moriarty-pkcs12v1-1
Revision:	 01
Title:		 PKCS 12 v1: Personal Information Exchange Syntax
Creation date:	 2013-03-25
Group:		 Individual Submission
Number of pages: 29
URL:             http://www.ietf.org/internet-drafts/draft-moriarty-pkcs12v1-1-01.txt
Status:          http://datatracker.ietf.org/doc/draft-moriarty-pkcs12v1-1
Htmlized:        http://tools.ietf.org/html/draft-moriarty-pkcs12v1-1-01
Diff:            http://www.ietf.org/rfcdiff?url2=draft-moriarty-pkcs12v1-1-01


Stephen Farrell | 22 Mar 2013 19:23

IETF-86 draft saag minutes


Hi All,

Thanks to Tero for taking notes. Draft minutes are at [1]
Please send any corrections needed,

Cheers,
Stephen.
Jeffrey Hutzelman | 18 Mar 2013 21:05

Re: security consideration of CGA and SSAS - I-D action : draft-rafiee-6man-ssas

On Sun, 2013-03-17 at 16:46 +0000, Christian Huitema wrote:

> You may think that building public/private key pairs is a very
> expensive operation, but that is not true. The default algorithm for
> SSAS is RSA. Let's suppose you use 2048 bit long RSA keys. The key
> generation start by generating a set of 1024 bit long prime numbers. In
> theory, we need about 2*25 such numbers. Add a margin to be on the safe
> side. These numbers can be generated once, they don't have to be
> regenerated for every SSAS key being tried.

Hold on.  If I'm an attacker, who says my "primes" even have to be
prime?  

=JeffH | 14 Mar 2013 21:50

Off-the-Record (OTR) Messaging Protocol version 3

Off-the-Record Messaging Protocol version 3
http://www.cypherpunks.ca/otr/Protocol-v3-4.0.0.html

overall OTR project website: http://www.cypherpunks.ca/otr/
=JeffH | 14 Mar 2013 21:48

Off-the-Record (OTR) Messaging Protocol version 2

Off-the-Record Messaging Protocol version 2
http://www.cypherpunks.ca/otr/Protocol-v2-3.1.0.html

