Re: Is there a chance smartcards have a backdoor? (was Re: Any future for the Crypto Stick?)
Peter Lebbing pe...@digitalbrains.com wrote:
> On 05/12/13 13:20, Paul R. Ramer wrote:
>> On that note, why assume that the manufacturer would not do the opposite: feign helping the spy agency by giving them a compromised ROM and then substituting a secure one on the real product. In either case, we are assuming the company would try to supply different bodies with different ROMs.
> We're debating the risk that a card is backdoored. If there is such a risk, that risk still exists if we allow for the possibility that manufacturers try to do what you say. They're not mutually exclusive; how come you infer that I assume that the manufacturer would not do the opposite?

It was not my intent to make it seem that I had made any insinuations on your part. It was more that I wanted to express an alternate possibility rather than the nefarious one that was being discussed. It seemed that the only scenario involving pressure or coercion on the part of the U.S. being discussed was one of compliance by the company rather than a range of possibilities. Events in life do not always happen neatly and predictably. If we are going to discuss outcomes, we need to talk about more than one.

Cheers,

--Paul

-- 
PGP: 3DB6D884

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Holiday giving (crowd-funding campaign?)
On Sat, 7 Dec 2013 07:31, pho...@panopticism.net said:
> Details were scarce, however. This sounds like perfect timing; perhaps either Sam or Werner can provide us with an update on the campaign?

Sam is preparing the campaign and twittering on https://twitter.com/gnupg . This campaign will be about a better website and more easily accessible information on GnuPG. Sam already has some sketches for the new website, for example https://twitter.com/gnupg/status/408611650887905280

GnuPG has for too long been a tool like a sendmail/exim/postfix but deserves more user attention. This is what we want to change.

In the course of the preparation, Sam convinced me that we need Twitter and even web site statistics. I have done the latter only the first two years of running GnuPG but stopped that for privacy reasons. Now we installed Piwik and people with JS enabled are tracked by us. Of course this is pseudo-anonymized and we won't hand out the raw data to anyone outside of g10 code.

Piwik gives some interesting insights, for example most direct visits to gpg4win.org come from gnupg.org. Aside from the usual Google triggered visits, lifehacker.com and philzimmermann.com are top listed referrers for gnupg.org. gnupg.org has 2000 to 3000 visits a day, gpg4win.org 1500 to 2500.

Salam-Shalom,

Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
Re: Any future for the Crypto Stick?
On Sat, 7 Dec 2013 11:29, ein...@pvv.org said:
> AFAIK, the US has no import restrictions on cryptography, and the RSA patent ran out years ago, so e.g. shop.kernelconcepts.de should be able to ship it to you.

IIRC, Petra of kernelconcepts told me that there is no problem for them to ship to the US. You may also order by simple or encrypted mail (Petra's fingerprint is on their website); the shop is merely an email frontend to them.

Shalom-Salam,

Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
Re: Is there a chance smartcards have a backdoor? (was Re: Any future for the Crypto Stick?)
On 08/12/2013 14:15, Mark Schneider wrote:
> A little security is not real security. There always can be backdoors in the firmware (BIOS, closed source drivers etc).

Why is everyone thinking of the 'BIOS' as the backdoorable piece of sw? Why not the hard disk? http://spritesmods.com/?art=hddhack

Just another piece to think of when building a secure system...

BYtE,
Diego.
Re: Is there a chance smartcards have a backdoor? (was Re: Any future for the Crypto Stick?)
On 08.12.2013 19:13, NdK wrote:
> Why is everyone thinking of the 'BIOS' as the backdoorable piece of sw? Why not the hard disk? http://spritesmods.com/?art=hddhack
> Just another piece to think of when building a secure system...

Excellent article! Thank you.

Writing "firmware", I meant every piece of code for / inside all involved hardware components, in particular those with their own controllers (eg. keyboard, USB ...), and not only the BIOS of the motherboard. Some backdoors can be hardcoded in the hardware of controller chips (eg. network controller etc). Sending a special sequence of data to them can turn them into the debug or whatever mode. Hacking smartcards is more complicated but possible.

BTW: there is no video at: http://achtbaan.nikhef.nl/events/OHM/video/d2-t1-13-20130801-2300-hard_disks_more_than_just_block_devices-sprite_tm.m4v

Kind regards,
Mark

-- 
m...@it-infrastrukturen.org
http://rsync.it-infrastrukturen.org
Re: Is there a chance smartcards have a backdoor? (was Re: Any future for the Crypto Stick?)
On 08/12/13 21:13, Mark Schneider wrote:
> BTW: there is no video at: http://achtbaan.nikhef.nl/events/OHM/video/d2-t1-13-20130801-2300-hard_disks_more_than_just_block_devices-sprite_tm.m4v

You can find it at: http://bofh.nikhef.nl/events/OHM/video/d2-t1-13-20130801-2300-hard_disks_more_than_just_block_devices-sprite_tm.m4v

And I've just told Sprite the link is dead :). I was just telling him he was just featured on this mailing list :).

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at http://digitalbrains.com/2012/openpgp-key-peter
determine the source(s) of validity
Hello,

I want to find out what makes a key valid (and with which certification level): a certification by one of the system's keys or one or more certifications from the WoT. I think that it is important that applications show this information in key selection dialogs. IIRC this has been discussed here a while ago and there is no way to get this information from GnuPG.

I would like to know whether there is already software available which does this; no need to reinvent the wheel. If there isn't any I would do this (but maybe there is a better approach):

1) Find all keys which have ultimate trust.

BTW: I noticed that a key becomes invalid if its certifying key expires and has complete trust. But if it has ultimate trust then the expiration does not make the certification invalid. Is this intentional?

2) Import all these keys plus the key to be checked (with import-clean) into a new keyring (with a separate trustdb).

3) If (the key was valid in the normal keyring and) the key is not valid in the check keyring then it is validated via the WoT. Otherwise I can look for the signature with the highest certification level (I am interested in this information).

Another, related question: I was surprised to read the recommendation to create a local certification for keys which have been validated via the WoT. But the one who wrote that seems extremely competent to me with respect to OpenPGP. Is there a general consensus on that? What are your opinions?

Hauke

-- 
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
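The three-step procedure in the post above can be approximated without a second keyring by reading GnuPG's machine-readable output: `gpg --with-colons --list-sigs` lists, per key, the ownertrust (field 9 of `pub` records), the validity of each user ID (field 2 of `uid` records) and every certification with the signer's key ID (field 5) and signature class (field 11, e.g. `13x` for a positive, exportable certification). A user ID carrying a non-self certification from an ultimately trusted key is validated directly; a user ID that is valid but has no such certification got its validity from the Web of Trust. The following script is an added example, not code from the original post or from GnuPG; the sample colon output is constructed by hand (key IDs of repeated letters, `example.org` addresses) and the `list_sigs()` helper, which runs the real `gpg`, is not exercised here. It does not reproduce GnuPG's own trust computation (marginals, `--min-cert-level`, expiry); it only reports where the certifications on a key come from and the highest certification level among the direct ones.

```python
"""Classify the source of a key's validity from `gpg --with-colons --list-sigs`.

Added example (not part of the original post). Field numbering follows
GnuPG's doc/DETAILS; the sample data below is constructed for illustration.
"""
import subprocess
from collections import namedtuple

Cert = namedtuple("Cert", "signer level local")   # one certification on a uid

# RFC 4880 certification classes, as found in the sig-class field
CERT_LEVELS = {0x10: "generic", 0x11: "persona", 0x12: "casual", 0x13: "positive"}

# Constructed sample: Alice is our own (ultimately trusted) key; Bob is certified
# by Alice (casual) and Carol; Carol is certified only by Bob; Dave by nobody.
SAMPLE = """\
tru::1:1386500000:0:3:1:5
pub:u:2048:1:AAAAAAAAAAAAAAAA:1386500000:::u:::scESC:
uid:u::::1386500000::0000::Alice <alice@example.org>:
sig:::1:AAAAAAAAAAAAAAAA:1386500000::::Alice <alice@example.org>:13x:
pub:f:2048:1:BBBBBBBBBBBBBBBB:1386500000:::f:::scESC:
uid:f::::1386500000::0000::Bob <bob@example.org>:
sig:::1:BBBBBBBBBBBBBBBB:1386500000::::Bob <bob@example.org>:13x:
sig:::1:AAAAAAAAAAAAAAAA:1386500100::::Alice <alice@example.org>:12x:
sig:::1:CCCCCCCCCCCCCCCC:1386500200::::Carol <carol@example.org>:13x:
pub:f:2048:1:CCCCCCCCCCCCCCCC:1386500000:::-:::scESC:
uid:f::::1386500000::0000::Carol <carol@example.org>:
sig:::1:CCCCCCCCCCCCCCCC:1386500000::::Carol <carol@example.org>:13x:
sig:::1:BBBBBBBBBBBBBBBB:1386500300::::Bob <bob@example.org>:13x:
pub:-:2048:1:DDDDDDDDDDDDDDDD:1386500000:::-:::scESC:
uid:-::::1386500000::0000::Dave <dave@example.org>:
sig:::1:DDDDDDDDDDDDDDDD:1386500000::::Dave <dave@example.org>:13x:
"""


def list_sigs(homedir=None):
    """Run the real gpg and return its colon-format listing (not used below)."""
    cmd = ["gpg", "--batch", "--with-colons", "--list-sigs"]
    if homedir:
        cmd += ["--homedir", homedir]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def parse_colons(text):
    """Return {keyid: {"validity", "ownertrust", "uids": [{"uid", "validity", "sigs"}]}}."""
    keys, key, uid = {}, None, None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            key = {"keyid": f[4], "validity": f[1], "ownertrust": f[8], "uids": []}
            keys[f[4]] = key
            uid = None
        elif f[0] == "uid" and key is not None:
            uid = {"uid": f[9], "validity": f[1], "sigs": []}
            key["uids"].append(uid)
        elif f[0] == "sig" and uid is not None:
            sig_class = f[10]                      # e.g. "13x" or "12l"
            uid["sigs"].append(Cert(signer=f[4],
                                    level=int(sig_class[:2], 16),
                                    local=sig_class.endswith("l")))
    return keys


def ultimately_trusted(keys):
    """Step 1 of the procedure: key IDs whose ownertrust is 'u'."""
    return {kid for kid, k in keys.items() if k["ownertrust"] == "u"}


def classify(keys, target):
    """Per user ID of `target`: where its validity comes from and at what level."""
    ult = ultimately_trusted(keys)
    report = {}
    for uid in keys[target]["uids"]:
        certs = [c for c in uid["sigs"] if c.signer != target]   # drop self-sigs
        direct = [c for c in certs if c.signer in ult]
        if target in ult:
            source = "ultimate"               # our own key, valid by definition
        elif direct:
            source = "direct"                 # certified by an ultimately trusted key
        elif uid["validity"] in ("f", "u", "m"):
            source = "wot"                    # valid, but only through other signers
        else:
            source = "none"
        top = max((c.level for c in direct), default=None)
        report[uid["uid"]] = {
            "source": source,
            "direct_level": top,
            "direct_level_name": CERT_LEVELS.get(top) if top is not None else None,
            "other_signers": sorted(c.signer for c in certs if c.signer not in ult),
        }
    return report


if __name__ == "__main__":
    parsed = parse_colons(SAMPLE)              # replace SAMPLE with list_sigs() for real data
    for kid in parsed:
        for name, info in classify(parsed, kid).items():
            print(f"{kid} {name}: {info['source']} (direct level: {info['direct_level_name']})")
```

For Bob the report says `direct` at level `casual` (0x12) with Carol listed as an additional, non-ultimate signer; Carol, who is valid only because Bob signed her, comes out as `wot`; Dave as `none`. A `local` flag of `True` on a certification marks an `lsig` of the kind the post's last paragraph mentions, which is useful to show separately since it never leaves the local keyring.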
Re: Holiday giving
On Fri 06.12.2013, 23:16:57, Robert J. Hansen wrote:
> And to encourage you to make your own contribution,

And to make that easier I add the URL:

http://www.g10code.de/gnupg-donation.html

Furthermore I would like to encourage everyone to spread the mailing list archive link to Rob's mail (together with the one above) via your blog, social network profile and so on:

http://lists.gnupg.org/pipermail/gnupg-users/2013-December/048332.html

Hauke

-- 
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5