Re: pgp in internet cafe (webpgp)
Delurking... Jesus. Stop picking at the guy (not just you, I mean everybody). Why not use your brains and suggest a few workarounds? Like: 1: Superencrypt beforehand. 2: Don't type if you can cut and paste. 3: Use one-time hard passwords 4: Use throw-away one time free email addresses 5: Use proxies to connect to privacy services you don't own 6: Use Regulatory (and other) arbitrage 7: Wear gloves, Margaret Thatcher halloween mask, leave no DNA, etc, etc. /flame off/ On Mon, 24 Mar 2003 10:51:49 -0500 (est), "Sunder" <[EMAIL PROTECTED]> said: > And (dumbass) you would trust the keyboard and display of an internet > cafe > is safe to type in your passphrase? Never heard of keystroke capturing? > > You're better off trying to find a WiFi access point - i.e. Starbucks or > whatever cafe and using that instead with your own trusted hardware. > > That said, you can use hushmail... > > > --Kaos-Keraunos-Kybernetos--- > + ^ + :NSA got $20Bil/year |Passwords are like underwear. You don't /|\ > \|/ :and didn't stop 9-11|share them, you don't hang them on your/\|/\ > <--*-->:Instead of rewarding|monitor, or under your keyboard, you \/|\/ > /|\ :their failures, we |don't email them, or put them on a web \|/ > + v + :should get refunds! |site, and you must change them very often. > [EMAIL PROTECTED] http://www.sunder.net > > On Sun, 23 Mar 2003, Anonymous wrote: > > > Assumptions: > > > > - I have https (SSL) access to a trusted unix box > > - I trust SSL > > - I'll take a risk of unknown machine running http client being subverted > > > > I want to use PGP while checking/sending e-mail via web interface on someone > > else's machine (say, internet cafe). So in one window I have webmail interface, > > and in the other window I have "webpgp" interface, and I paste ciphertext back and > > forth. > > > > The https-ed webpgp interface should authenticate me via some sort of passphrase > > and then I can submit ciphertext for decryption (encryption also requres > > authenticatin, in order to avoid browsing of my keyrings.) > > > > The question is - do I have to code this or has someone already done it ? > > -- contrary [EMAIL PROTECTED]
Re: Palm security
On Tue, 4 Jun 2002 16:58:16 -0400, "Adam Shostack" <[EMAIL PROTECTED]> said: > I find myself storing a pile of vaugely sensitive information on my > palm. Where do I find the competent analysis of this? Perhaps this will help.. http://www.atstake.com/research/reports/index.html#pdd_palm_forensics -- contrary [EMAIL PROTECTED] -- http://fastmail.fm - No WWW (Wait-Wait-Wait) required
RE: NAI pulls out the DMCA stick
On Fri, 24 May 2002 17:13:18 +1200 (NZST), "Peter Gutmann" <[EMAIL PROTECTED]> said: > "contrary" <[EMAIL PROTECTED]> writes: > > >As long as you obtain your S/MIME certificate from an apporved > >CA, using an > >approved payment method and appropriate identification. > > The only CA-issued certs I've ever used were free, and under a bogus > name. > Usually I just issue my own. You really need to find a better strawman > than > this if you want to criticise S/MIME. > > Peter. > OK, likewise. But I guess my point (if I had one) is that regardless of technical, usage, privacy and trust issues there is also one of linkage between a nym and meatspace. With pgp, it's easy to generate a new keypair, label or sign it anyway I care to, and exchange and use it for a single interaction. Relatively easy. (Joe Sixpack-'O-Bass-Ale) S/MIME certificates (by which I may just mean commercial CA's) seem mostly directed at strong authentication for commerce, and lean heavily toward linking to a credit card, driver's license number, or credential. This is a Good Thing for cryptography and for commerce, but not for 'nymity. Also not for "undeclared privacy" which is privacy that occurs below the attention threshold and without the permission of the censors. -- contrary [EMAIL PROTECTED] -- Access all of your messages and folders wherever you are! http://fastmail.fm - Get your mail using the web or your email software
RE: NAI pulls out the DMCA stick
Greetings, On Thu, 23 May 2002 00:24:00 -0700, "Lucky Green" <[EMAIL PROTECTED]> said: > Adam wrote: > > Which is too bad. If NAI-PGP went away completely, then > > compatability problems would be reduced. I also expect that > > the German goverment group currently funding GPG would be > > more willing to fund UI work for windows. > > Tell me about it. PGP, GPG, and all its variants need to die before > S/MIME will be able to break into the Open Source community, thus > removing the last, but persistent, block to an instant increase in > number of potential users of secure email by several orders of > magnitude. As long as you obtain your S/MIME certificate from an apporved CA, using an approved payment method and appropriate identification. IIRC Thawte has a procedure for authenticating their free certificates by proxy: A Thawte certificate holder certifies that s/he has seen the credentials of some other certificate holder, in absence of a physical Bank or Notary Public. Both the certifier and certified gain points by this validation process. > Here's to hoping, > --Lucky Indeed. -=c=- -- contrary [EMAIL PROTECTED] -- http://fastmail.fm - One of many happy users: http://www.fastmail.fm/docs/quotes.html
