Open Source and information security mailing list archives
 
Message-ID: <00f101cf2420$558a15a0$009e40e0$@acm.org>
Date: Fri, 7 Feb 2014 08:19:07 -0800
From: "Dennis E. Hamilton" <dennis.hamilton@....org>
To: <discussions@...sword-hashing.net>
Subject: RE: [PHC] Never read a patent

Putting fake accounts into database systems has been done for a very long time, certainly longer than the life of any patent.  Not necessarily for reasons related to password security, though.

Not that this matters in the context of the larger message (and concerns) about patents.

 - Dennis

-----Original Message-----
From: Bill Cox [mailto:waywardgeek@...il.com] 
Sent: Friday, February 7, 2014 07:46
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Never read a patent

On Fri, Feb 7, 2014 at 10:01 AM, Alan Kaminsky <ark@...rit.edu> wrote:
> In their book "Practical Cryptography" (Wiley Publishing, 2003), pages
> 375-376, noted cryptographers Niels Ferguson and Bruce Schneier say this:
>
> "One word of advice: never read a patent. That's right. You'd think that
> reading patents to see what they cover is a good idea. It is not. If you
> infringe on a patent without having known that you did so, you may end up
> paying damages to the patent holder. But if they can prove that you
> willfully infringed (because you knew about their patent), you may end up
> paying triple damages. So if you read a patent, you automatically increase
> your liability for infringing that patent by a factor of three.

[ ... ] I'm also bummed about a patent on
storing fake user accounts with weak passwords in the password
database as a strategy for detecting when the database has been leaked
to brute-force attackers.  This shouldn't impact the PHC, but it's
still a bummer.  It's one of those good ideas that now will be locked
away for 20 years when we need it most.  Software patents are such a
bad idea...

Bill
