<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments for zaphCoder</title>
	<atom:link href="http://zaph.com/blog/?feed=comments-rss2" rel="self" type="application/rss+xml" />
	<link>http://zaph.com/blog</link>
	<description>All About Code</description>
	<lastBuildDate>Sun, 29 Nov 2015 01:19:48 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
	<item>
		<title>Comment on Cryptography pioneer: We need good code by Lucas</title>
		<link>http://zaph.com/blog/?p=1149#comment-138</link>
		<dc:creator>Lucas</dc:creator>
		<pubDate>Sun, 29 Nov 2015 01:19:48 +0000</pubDate>
		<guid isPermaLink="false">http://zaph.com/blog/?p=1149#comment-138</guid>
		<description>SSL decryption in Wireshark or SSLdump requires you to own the private keys used to decrypt the connection. In an EDH, no such keys exist. It&#039;s a straight DH exchange, with randomly generated keys. In a straight DH exchange, this would be vulnerable to MITM attacks (the snoop would simply complete DH exchanges with both sides of the connection, deriving two different keys, and translate between the two). EDH uses the cert keypairs to guarantee that the DH exchange happened without an MITM tampering. EDH has &quot;perfect forward secrecy&quot; because no stationary set of keys is used to protect all the sessions. If you compromise the server key, all you get is the ability to sign DH parameters in a future session.</description>
		<content:encoded><![CDATA[<p>SSL decryption in Wireshark or SSLdump requires you to own the private keys used to decrypt the connection. In an EDH, no such keys exist. It&#8217;s a straight DH exchange, with randomly generated keys. In a straight DH exchange, this would be vulnerable to MITM attacks (the snoop would simply complete DH exchanges with both sides of the connection, deriving two different keys, and translate between the two). EDH uses the cert keypairs to guarantee that the DH exchange happened without an MITM tampering. EDH has &#8220;perfect forward secrecy&#8221; because no stationary set of keys is used to protect all the sessions. If you compromise the server key, all you get is the ability to sign DH parameters in a future session.</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Cryptography pioneer: We need good code by Ade</title>
		<link>http://zaph.com/blog/?p=1149#comment-134</link>
		<dc:creator>Ade</dc:creator>
		<pubDate>Sun, 29 Nov 2015 01:14:53 +0000</pubDate>
		<guid isPermaLink="false">http://zaph.com/blog/?p=1149#comment-134</guid>
		<description>lonervamp, there is more. The failure to decrypt is not just with Diffie-Hellman Ephemeral. The decryption method used by Wireshark, ssldump, unsniff will not work for exportable RSA keys either (i.e. less than 1024 bit). This is because a temporary RSA key exchange takes place to negotiate an exportable cipher. This is just like DHE, but for weaker encryption and uses RSA. This may sound weird, but the so-called weak export ciphers are actually immune to decryption using tools like Wireshark / ssldump / unsniff etc. However, unlike DHE, RSA &quot;ephemeral&quot; for export is vulnerable to brute force. This means agencies like NSA in the United States can simply brute force keys like DES56, irrespective of the key exchange strength! A hobby attacker, or someone who has stolen server keys, can certainly not brute force an export cipher like DES56 very easily.</description>
		<content:encoded><![CDATA[<p>lonervamp, there is more. The failure to decrypt is not just with Diffie-Hellman Ephemeral. The decryption method used by Wireshark, ssldump, unsniff will not work for exportable RSA keys either (i.e. less than 1024 bit). This is because a temporary RSA key exchange takes place to negotiate an exportable cipher. This is just like DHE, but for weaker encryption and uses RSA. This may sound weird, but the so-called weak export ciphers are actually immune to decryption using tools like Wireshark / ssldump / unsniff etc. However, unlike DHE, RSA &#8220;ephemeral&#8221; for export is vulnerable to brute force. This means agencies like NSA in the United States can simply brute force keys like DES56, irrespective of the key exchange strength! A hobby attacker, or someone who has stolen server keys, can certainly not brute force an export cipher like DES56 very easily.</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Books by Sudheesh</title>
		<link>http://zaph.com/blog/?page_id=5#comment-129</link>
		<dc:creator>Sudheesh</dc:creator>
		<pubDate>Sun, 29 Nov 2015 01:06:50 +0000</pubDate>
		<guid isPermaLink="false">http://zaph.com/blog/?page_id=5#comment-129</guid>
		<description>Having a CISSP certification is more than an HR thing. As mentioned, it&#039;s not about technical skills and merit. It&#039;s about having a professional understanding of the 10 bodies of knowledge and being able to apply that thinking in an infosec kind of way. It is purposefully &quot;an inch deep, and a mile wide&quot; for a reason. In the realm of information security, before we even THINK about technical safeguards we have to understand the real problems. The real risks. The real threats. The biggest failure in the industry right now is having geeks think they are information security professionals. It is rather sad to see a person with an A+ Security cert or Cisco Security cert try to sit around a table and talk about applying qualitative risk analysis to determine what assets need to be protected, and to what degree. They fail miserably because they were taught that security was a technical problem, and not a business one. Big mistake there. I always look at it like this. A CSO/CISO/security consultant would have a CISSP. The people that report to him and apply the technical safeguards to meet corporate security policies would have a SANS GIAC or something similar. Is the CISSP a good cert to have? Absolutely. It means you have a good understanding of the 10 bodies of knowledge and can have a competent conversation with other infosec pros in the process of doing your job function. And if you take the certification seriously, it also shows that you follow a code of ethics in how you conduct yourself and your work in the field. I really wish security vendors would have more CISSPs... then we wouldn&#039;t see so much FUD being spread around. Is the CISSP essential to show your &#039;leet Snort skills? Absolutely not. But it wasn&#039;t designed for that.
Combining a cert to show you understand deeper, more important infosec principles and practices (i.e. CISSP) with a technical cert like GIAC gives you the breadth of knowledge needed to be an infosec pro in this day and age. I don&#039;t think you are giving yourself the credit you deserve. The security principles and practices that you learned and had reinforced are now part of you. It can&#039;t be taken away. And that might be why you look back and think it doesn&#039;t echo your views on how security principles should be taught. I have no idea of your full background, but if you are like most, the CISSP looks trivial NOW because you already went through it. A combination of real-world experience and the 10 CBK have given you a stronger foundation than most people in the field. Don&#039;t give up on it so quickly. Renew.</description>
		<content:encoded><![CDATA[<p>Having a CISSP certification is more than an HR thing. As mentioned, it&#8217;s not about technical skills and merit. It&#8217;s about having a professional understanding of the 10 bodies of knowledge and being able to apply that thinking in an infosec kind of way. It is purposefully &#8220;an inch deep, and a mile wide&#8221; for a reason. In the realm of information security, before we even THINK about technical safeguards we have to understand the real problems. The real risks. The real threats. The biggest failure in the industry right now is having geeks think they are information security professionals. It is rather sad to see a person with an A+ Security cert or Cisco Security cert try to sit around a table and talk about applying qualitative risk analysis to determine what assets need to be protected, and to what degree. They fail miserably because they were taught that security was a technical problem, and not a business one. Big mistake there. I always look at it like this. A CSO/CISO/security consultant would have a CISSP. The people that report to him and apply the technical safeguards to meet corporate security policies would have a SANS GIAC or something similar. Is the CISSP a good cert to have? Absolutely. It means you have a good understanding of the 10 bodies of knowledge and can have a competent conversation with other infosec pros in the process of doing your job function. And if you take the certification seriously, it also shows that you follow a code of ethics in how you conduct yourself and your work in the field. I really wish security vendors would have more CISSPs&#8230; then we wouldn&#8217;t see so much FUD being spread around. Is the CISSP essential to show your &#8216;leet Snort skills? Absolutely not. But it wasn&#8217;t designed for that.
Combining a cert to show you understand deeper, more important infosec principles and practices (i.e. CISSP) with a technical cert like GIAC gives you the breadth of knowledge needed to be an infosec pro in this day and age. I don&#8217;t think you are giving yourself the credit you deserve. The security principles and practices that you learned and had reinforced are now part of you. It can&#8217;t be taken away. And that might be why you look back and think it doesn&#8217;t echo your views on how security principles should be taught. I have no idea of your full background, but if you are like most, the CISSP looks trivial NOW because you already went through it. A combination of real-world experience and the 10 CBK have given you a stronger foundation than most people in the field. Don&#8217;t give up on it so quickly. Renew.</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Sort times for NSMutableArray by James</title>
		<link>http://zaph.com/blog/?p=1345#comment-127</link>
		<dc:creator>James</dc:creator>
		<pubDate>Sun, 29 Nov 2015 01:02:09 +0000</pubDate>
		<guid isPermaLink="false">http://zaph.com/blog/?p=1345#comment-127</guid>
		<description>Great overview! I love it. How is the complexity relationship interpreted, e.g., between quicksort and mergesort the complexity path is quadratic: what does that mean? Thanks a lot for your work and sharing this with us! lnxnt</description>
		<content:encoded><![CDATA[<p>Great overview! I love it. How is the complexity relationship interpreted, e.g., between quicksort and mergesort the complexity path is quadratic: what does that mean? Thanks a lot for your work and sharing this with us! lnxnt</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Cryptography pioneer: We need good code by Maria</title>
		<link>http://zaph.com/blog/?p=1149#comment-123</link>
		<dc:creator>Maria</dc:creator>
		<pubDate>Sun, 29 Nov 2015 00:48:57 +0000</pubDate>
		<guid isPermaLink="false">http://zaph.com/blog/?p=1149#comment-123</guid>
		<description>Russ, your comment, &quot;The core problem with being only focused on &quot;the real world&quot; is that you only have incentives to solve the immediate problems at hand, and only to an acceptable level. There is no incentive, time, or resources to deal with the general case, and especially the values and needs of all stakeholders, not just the people paying your salary.&quot; really is at the core of the problem, which is IMHO fundamentally a research problem which will require interdisciplinary teams of scientists. There is so much evidence that people, in their personal or professional endeavors, simply don&#039;t see the incentive to pay for security. This is the reason why &quot;metrics&quot; and &quot;RoI on security&quot; etc. has (is?) dominated the research funding/attention for so long. As we continue to debate how to govern cyberspace, the research presented at WEIS is increasingly pertinent, and is the only source of its kind. Glad to have seen you there!</description>
		<content:encoded><![CDATA[<p>Russ, your comment, &#8220;The core problem with being only focused on &#8220;the real world&#8221; is that you only have incentives to solve the immediate problems at hand, and only to an acceptable level. There is no incentive, time, or resources to deal with the general case, and especially the values and needs of all stakeholders, not just the people paying your salary.&#8221; really is at the core of the problem, which is IMHO fundamentally a research problem which will require interdisciplinary teams of scientists. There is so much evidence that people, in their personal or professional endeavors, simply don&#8217;t see the incentive to pay for security. This is the reason why &#8220;metrics&#8221; and &#8220;RoI on security&#8221; etc. has (is?) dominated the research funding/attention for so long. As we continue to debate how to govern cyberspace, the research presented at WEIS is increasingly pertinent, and is the only source of its kind. Glad to have seen you there!</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Medical costs by Frank</title>
		<link>http://zaph.com/blog/?p=1401#comment-116</link>
		<dc:creator>Frank</dc:creator>
		<pubDate>Sun, 29 Nov 2015 00:29:18 +0000</pubDate>
		<guid isPermaLink="false">http://zaph.com/blog/?p=1401#comment-116</guid>
		<description>I just had a CT scan done; they charged my insurance $542.00 and I owe nothing. I have awesome insurance. My insurance paid the entire amount. Now I also had an MRI done recently, but I have not got the EOB on that one yet. I&#039;m sure they paid well on that too. I am guessing if you don&#039;t have ins. you would have to pay the MRI place the full amount.</description>
		<content:encoded><![CDATA[<p>I just had a CT scan done; they charged my insurance $542.00 and I owe nothing. I have awesome insurance. My insurance paid the entire amount. Now I also had an MRI done recently, but I have not got the EOB on that one yet. I&#8217;m sure they paid well on that too. I am guessing if you don&#8217;t have ins. you would have to pay the MRI place the full amount.</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Medical costs by Kali</title>
		<link>http://zaph.com/blog/?p=1401#comment-109</link>
		<dc:creator>Kali</dc:creator>
		<pubDate>Sun, 29 Nov 2015 00:07:51 +0000</pubDate>
		<guid isPermaLink="false">http://zaph.com/blog/?p=1401#comment-109</guid>
		<description>Most health insurances WILL cover standard radiographic tests such as CT scans, X-rays and MRIs. As far as not having health insurance, most hospitals and maybe doctors&#039; offices will offer financial aid for people who do not have health insurance. MRIs are used for diagnostic purposes so, if you need one and your doctor has ordered one, then I don&#039;t see why you would have a hard time getting your health insurance to cover it, or to get financial aid for one. If you can&#039;t get financial aid to assist you, then the MRI place or hospital will be able to work a payment plan out with you. Good luck!</description>
		<content:encoded><![CDATA[<p>Most health insurances WILL cover standard radiographic tests such as CT scans, X-rays and MRIs. As far as not having health insurance, most hospitals and maybe doctors&#8217; offices will offer financial aid for people who do not have health insurance. MRIs are used for diagnostic purposes so, if you need one and your doctor has ordered one, then I don&#8217;t see why you would have a hard time getting your health insurance to cover it, or to get financial aid for one. If you can&#8217;t get financial aid to assist you, then the MRI place or hospital will be able to work a payment plan out with you. Good luck!</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Cryptography pioneer: We need good code by Matti</title>
		<link>http://zaph.com/blog/?p=1149#comment-107</link>
		<dc:creator>Matti</dc:creator>
		<pubDate>Sat, 28 Nov 2015 23:58:21 +0000</pubDate>
		<guid isPermaLink="false">http://zaph.com/blog/?p=1149#comment-107</guid>
		<description>They can break DH. Sure, but you need the private key used in that exchange from at least one of the parties (say, A). If you have that key you can just use it as exponent for the public value of the other party (B). Just like A would do it. This private key you need differs for DH and EDH. For DH, your secret is the private key of the certificate that you use. The peer will decrypt this with the public key of your certificate. You&#039;re authenticated at this very moment; different certificates with different public keys won&#039;t work, DH would produce different keys for the two parties. For EDH, your secret is a random value that you only need as long as the handshake takes. The key pair of your certificate is only used for authentication, e.g. you can in addition sign your public value. After an (E)DH key agreement, there are always exactly two parties possessing the resulting key. You need authentication to make sure they are the right two parties and not A-Attacker and Attacker-B. Simple DH is probably pretty old. It took a moment for me to realise that it&#039;s the stupid variant of what I learned in my studies during the last few years. Now, did I earn one of your many books? *g*</description>
		<content:encoded><![CDATA[<p>They can break DH. Sure, but you need the private key used in that exchange from at least one of the parties (say, A). If you have that key you can just use it as exponent for the public value of the other party (B). Just like A would do it. This private key you need differs for DH and EDH. For DH, your secret is the private key of the certificate that you use. The peer will decrypt this with the public key of your certificate. You&#8217;re authenticated at this very moment; different certificates with different public keys won&#8217;t work, DH would produce different keys for the two parties. For EDH, your secret is a random value that you only need as long as the handshake takes. The key pair of your certificate is only used for authentication, e.g. you can in addition sign your public value. After an (E)DH key agreement, there are always exactly two parties possessing the resulting key. You need authentication to make sure they are the right two parties and not A-Attacker and Attacker-B. Simple DH is probably pretty old. It took a moment for me to realise that it&#8217;s the stupid variant of what I learned in my studies during the last few years. Now, did I earn one of your many books? *g*</p>
]]></content:encoded>
	</item>
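The three points Lucas and Matti make above (an unauthenticated DH exchange is open to a man-in-the-middle who completes one exchange with each side; signing the ephemeral value with the certificate key stops that; and a sniffer holding the server's long-term key can decrypt a static-RSA session but gets no session key from an EDH transcript) as an added toy example. This is editor-written code, not code from the page or from any commenter; the DH group (p = 2**127 - 1, generator 5) and the unpadded textbook RSA key built from two Mersenne primes are assumed toy parameters chosen so the script runs on the standard library alone, and they are not usable as real cryptography.

```python
"""Toy model of plain DH, signed ephemeral DH (EDH) and static-RSA key exchange.

Editor-added example; all parameters are toy-sized and assumed for illustration.
"""
import hashlib
import secrets

# Assumed toy DH group: a Mersenne prime and a small generator. Real systems use
# standardised finite-field groups or elliptic curves, not this.
P = 2**127 - 1
G = 5

# Assumed toy long-term server key: unpadded textbook RSA over two Mersenne
# primes. Enough to show sign/verify and encrypt/decrypt, nothing more.
RSA_N = (2**89 - 1) * (2**107 - 1)
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (2**89 - 2) * (2**107 - 2))   # modular inverse, Python 3.8+


def dh_keygen():
    """Fresh ephemeral exponent x and public value G**x mod P."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def dh_shared(my_secret, peer_public):
    """Session key = SHA-256(peer_public**my_secret mod P)."""
    shared = pow(peer_public, my_secret, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % RSA_N


def rsa_sign(d, msg):
    return pow(hash_to_int(msg), d, RSA_N)


def rsa_verify(sig, msg):
    return pow(sig, RSA_E, RSA_N) == hash_to_int(msg)


def plain_dh_with_mitm():
    """Unauthenticated DH: Mallory runs one exchange with the client and one
    with the server, ending up with both keys while the two endpoints disagree."""
    a, pub_a = dh_keygen()          # client
    b, pub_b = dh_keygen()          # server
    m1, pub_m1 = dh_keygen()        # Mallory's value, delivered to the client
    m2, pub_m2 = dh_keygen()        # Mallory's value, delivered to the server
    k_client = dh_shared(a, pub_m1)     # client believes pub_m1 is the server's
    k_server = dh_shared(b, pub_m2)     # server believes pub_m2 is the client's
    mallory_client_side = dh_shared(m1, pub_a)
    mallory_server_side = dh_shared(m2, pub_b)
    # Mallory can decrypt with one key and re-encrypt with the other.
    return (k_client == mallory_client_side,
            k_server == mallory_server_side,
            k_client == k_server)


def signed_edh(mitm):
    """EDH: the server signs its ephemeral value with its long-term RSA key.
    Returns True when client and server agree on a key, None when the client
    rejects the signature and aborts the handshake."""
    a, pub_a = dh_keygen()
    b, pub_b = dh_keygen()
    sig = rsa_sign(RSA_D, b"ServerKeyExchange|" + pub_b.to_bytes(16, "big"))
    received = pub_b
    if mitm:
        _, received = dh_keygen()   # Mallory swaps in her value but cannot re-sign it
    if not rsa_verify(sig, b"ServerKeyExchange|" + received.to_bytes(16, "big")):
        return None
    return dh_shared(a, received) == dh_shared(b, pub_a)


def static_rsa_session():
    """TLS_RSA-style exchange: the client encrypts a premaster secret to the
    server's long-term public key. Returns (session key, recorded transcript)."""
    pms = secrets.randbelow(RSA_N - 2) + 2
    key = hashlib.sha256(pms.to_bytes(32, "big")).digest()
    return key, {"encrypted_premaster": pow(pms, RSA_E, RSA_N)}


def edh_session():
    """EDH exchange. The exponents a and b die with this frame; only the two
    public values ever appear on the wire."""
    a, pub_a = dh_keygen()
    b, pub_b = dh_keygen()
    return dh_shared(a, pub_b), {"client_dh": pub_a, "server_dh": pub_b}


def sniffer_with_server_key(transcript, d):
    """What a Wireshark/ssldump-style decryptor holding the server's private key
    recovers from a captured transcript."""
    if "encrypted_premaster" in transcript:
        pms = pow(transcript["encrypted_premaster"], d, RSA_N)
        return hashlib.sha256(pms.to_bytes(32, "big")).digest()
    # EDH transcript: G**a and G**b only. The private key signs, it does not
    # decrypt, and neither exponent was ever sent, so there is nothing to derive.
    return None
```

The last function is the practical point behind the Wireshark remark: with the server key and a capture, a static-RSA session yields its key outright, while an EDH capture yields nothing, and the same key only lets the holder sign fresh DH values for an active attack on future handshakes (rsa_sign with RSA_D on any value verifies).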
	<item>
		<title>Comment on Medical costs by Sunil</title>
		<link>http://zaph.com/blog/?p=1401#comment-78</link>
		<dc:creator>Sunil</dc:creator>
		<pubDate>Sun, 22 Feb 2015 03:52:48 +0000</pubDate>
		<guid isPermaLink="false">http://zaph.com/blog/?p=1401#comment-78</guid>
		<description>There are a lot of variables to your question. The allowable amount of the procedure would hinge on the zip code where services are rendered, procedure codes billed and the contract with that particular facility. Generally speaking the MRI companies bill somewhere in the range of $1200 per episode. The insurance company will leverage about $600-$900. If you are looking to get this done, I would suggest reaching out to a radiology facility versus doing this out-patient at a hospital. You are more likely to work a deal with the smaller facility than the monster hospital system. Call around; you may get a better deal in the less populated areas of town. FYI, keep in mind that the MRI itself is not the only charge. A radiologist will often sneak a separate bill in there for about $100-200.</description>
		<content:encoded><![CDATA[<p>There are a lot of variables to your question. The allowable amount of the procedure would hinge on the zip code where services are rendered, procedure codes billed and the contract with that particular facility. Generally speaking the MRI companies bill somewhere in the range of $1200 per episode. The insurance company will leverage about $600-$900. If you are looking to get this done, I would suggest reaching out to a radiology facility versus doing this out-patient at a hospital. You are more likely to work a deal with the smaller facility than the monster hospital system. Call around; you may get a better deal in the less populated areas of town. FYI, keep in mind that the MRI itself is not the only charge. A radiologist will often sneak a separate bill in there for about $100-200.</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Medical costs by Krishna</title>
		<link>http://zaph.com/blog/?p=1401#comment-75</link>
		<dc:creator>Krishna</dc:creator>
		<pubDate>Sun, 22 Feb 2015 00:50:38 +0000</pubDate>
		<guid isPermaLink="false">http://zaph.com/blog/?p=1401#comment-75</guid>
		<description>Assuming you are in the US, an MRI can easily run 2000-2500. Plus you will have to pay several hundred to the radiologist who reads the MRI. If you have health insurance, you pay per your health insurance plan. Call the customer service for your health insurance and ask them about your plan details. Most health insurance companies have an approved charge that is about 60% of what the provider&#039;s normal charge is. You would pay your co-pay amount (ex: 20%) of the approved charge. If you do not have health insurance, the hospital will bill you the full price. You can call them and set up a payment plan, say 100 per month. This is usually interest free. As long as you make your payments every month, they will not put it on your credit. If you can pay them a lump sum, they may be willing to negotiate with you and accept less.</description>
		<content:encoded><![CDATA[<p>Assuming you are in the US, an MRI can easily run 2000-2500. Plus you will have to pay several hundred to the radiologist who reads the MRI. If you have health insurance, you pay per your health insurance plan. Call the customer service for your health insurance and ask them about your plan details. Most health insurance companies have an approved charge that is about 60% of what the provider&#8217;s normal charge is. You would pay your co-pay amount (ex: 20%) of the approved charge. If you do not have health insurance, the hospital will bill you the full price. You can call them and set up a payment plan, say 100 per month. This is usually interest free. As long as you make your payments every month, they will not put it on your credit. If you can pay them a lump sum, they may be willing to negotiate with you and accept less.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
