Re: Plan B - Who carries the torch?
On 1/5/21 8:24 AM, Konstantin Ryabitsev wrote: On Tue, Jan 05, 2021 at 07:27:14AM -0500, Jean-David Beyer via Gnupg-users wrote: Building a web of trust is so hopeless, from my point of view, that I have abandonned gnupg. I have made keys for myself, obtained enigmail for my Firefox browser, etc. But those with whom I correspond by e-mail has diminished to almost the vanishing point. They use text messages on their cell phones, Facebook messages, etc. While a few worry about the "CIA" snooping on them, none will consider gnupg and enigmail. So for me, it is pointless. -- .~. Jean-David Beyer /V\ Shrewsbury, New Jersey /( )\ Red Hat Enterprise Linux ^^-^^ up 4 days, 13 hours, 37 minutes I noticed your signature, so I must point out that RHEL and the Linux Kernel development process rely heavily on GnuPG and the web of trust. Every time you update packages on your system, large parts of the supply chain were verified using GnuPG, relying on the integrity of the trust store shipped with RHEL. So, you may not see it in your person-to-person communication, but you use GnuPG every day. -K I sit corrected: $ rpm -qf /usr/bin/gpg gnupg2-2.2.9-1.el8.x86_64 I posted, not so much to criticize GnuPG as to criticize my associates who talk security paranoia, but refuse to do anything about it. When all is said and done, more is said than done. At least, with my associates. -- .~. Jean-David Beyer /V\ Shrewsbury, New Jersey /( )\ Red Hat Enterprise Linux ^^-^^ up 4 days, 15 hours, 2 minutes ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Plan B - Who carries the torch?
On 1/4/21 9:31 PM, ï¿œngel wrote: Finally, every user will need to discard their now-useless keys, generate new ones and rebuild the chain of turst from the ground up. Building a web of trust is so hopeless, from my point of view, that I have abandonned gnupg. I have made keys for myself, obtained enigmail for my Firefox browser, etc. But those with whom I correspond by e-mail has diminished to almost the vanishing point. They use text messages on their cell phones, Facebook messages, etc. While a few worry about the "CIA" snooping on them, none will consider gnupg and enigmail. So for me, it is pointless. -- .~. Jean-David Beyer /V\ Shrewsbury, New Jersey /( )\ Red Hat Enterprise Linux ^^-^^ up 4 days, 13 hours, 37 minutes ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: We have GOT TO make things simpler
On 10/7/19 9:32 AM, Phillip Susi wrote: > Bingo! And as long as the user is not interested in it, and won't learn > how to properly use it, all they will get is the veneer of privacy and > learn the hard way that they really aren't secure. You just can't make > security idiot proof. I had a realistic uncle who used to say, "You can always design a system to be fool-proof; but if you do, a damned-fool will come along. -- .~. Jean-David Beyer /V\ PGP-Key:166D840A 0C610C8B /( )\ Shrewsbury, New Jersey ^^-^^ 15:45:01 up 13 days, 21:19, 2 users, load average: 4.39, 4.72, 4.87 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Generating revocation certificate
On 4/6/19 12:32 PM, Markus Reichelt wrote: > i'm using on slackware64-current (if you are using windows, all hands > are off) > > gpg --version > gpg (GnuPG) 2.2.15 > libgcrypt 1.8.4 Mine's bigger than yours (older, too): $ gpg --version gpg (GnuPG) 2.0.14 libgcrypt 1.4.5 Copyright (C) 2009 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, ELG, DSA Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 -- .~. Jean-David Beyer /V\ PGP-Key:166D840A 0C610C8B /( )\ Shrewsbury, New Jersey ^^-^^ 12:45:01 up 22:44, 2 users, load average: 4.26, 4.55, 4.53 signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Announce] [security fix] GnuPG 2.2.8 released (CVE-2018-12020)
/gnupg.org/documentation/manuals/gnupg.pdf . >> >> The chapters on gpg-agent, gpg and gpgsm include information on how to >> set up the whole thing. You may also want to search the GnuPG mailing >> list archives or ask on the gnupg-users mailing list for advise on how >> to solve problems. Most of the new features are around for several >> years and thus enough public experience is available. >> >> Please consult the archive of the gnupg-users mailing list before >> reporting a bug: <https://gnupg.org/documentation/mailing-lists.html>. >> We suggest to send bug reports for a new release to this list in favor >> of filing a bug at <https://bugs.gnupg.org>. If you need commercial >> support check out <https://gnupg.org/service.html>. >> >> If you are a developer and you need a certain feature for your project, >> please do not hesitate to bring it to the gnupg-devel mailing list for >> discussion. >> >> >> Thanks >> == >> >> Maintenance and development of GnuPG is mostly financed by donations. >> The GnuPG project currently employs one full-time developer and one >> contractor. Both work exclusively on GnuPG and closely related software >> like Libgcrypt, GPGME, and GPA. We are planning to extend our team >> again and to help developers to improve integration of crypto in their >> applications. >> >> We have to thank all the people who helped the GnuPG project, be it >> testing, coding, translating, suggesting, auditing, administering the >> servers, spreading the word, and answering questions on the mailing >> lists. >> >> Many thanks to our numerous financial supporters, both corporate and >> individuals. Without you it would not be possible to keep GnuPG in a >> good shape and address all the small and larger requests made by our >> users. Thanks. >> >> >> Happy hacking, >> >>Your GnuPG hackers >> >> >> >> p.s. >> This is an announcement only mailing list. Please send replies only to >> the gnupg-users'at'gnupg.org mailing list. >> >> p.p.s >> List of Release Signing Keys: >> >> To guarantee that a downloaded GnuPG version has not been tampered by >> malicious entities we provide signature files for all tarballs and >> binary versions. The keys are also signed by the long term keys of >> their respective owners. Current releases are signed by one or more >> of these four keys: >> >> rsa2048 2011-01-12 [expires: 2019-12-31] >> Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 >> Werner Koch (dist sig) >> >> rsa2048 2014-10-29 [expires: 2019-12-31] >> Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959 >> David Shaw (GnuPG Release Signing Key) >> >> rsa2048 2014-10-29 [expires: 2020-10-30] >> Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06 >> NIIBE Yutaka (GnuPG Release Key) >> >> rsa3072 2017-03-17 [expires: 2027-03-15] >> Key fingerprint = 5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28 >> Andre Heinecke (Release Signing Key) >> >> The keys are available at <https://gnupg.org/signature_key.html> and >> in any recently released GnuPG tarball in the file g10/distsigkey.gpg . >> Note that this mail has been signed by a different key. >> === >> >> [1] If you want to test whether you are affected by this bug, remove the >> indentation from the following block >> >> -BEGIN PGP MESSAGE- >> >> jA0EBwMC1pW2pqoYvbXl0p4Bo5z/v7PXy7T1BY/KQxWaE9uTBRbf4no64/+5YYzX >> +BVNqP+82aBFYXEsD9x1vGuYwofQ4m/q/WcQDEPXhRyzU+4yiT3EOuG7sTTaQR3b >> 8xAn2Qtpyq5tO7k9CN6dasaXKSduXVmFUqzgU+W9WaTLOKNDFw6FYV3lnOoPtFcX >> rzhh2opkX9Oh/5DUkZ6YmUIX3j/A0z+59/qNO1i2hQ== >> =zswl >> -END PGP MESSAGE- >> >> and pass to this pipeline >> >> gpg --no-options -vd 2>&1 | grep '^\[GNUPG:] INJECTED' >> >> If you get some output you are using a non-fixed version. >> >> >> >> ___ >> Gnupg-announce mailing list >> gnupg-annou...@gnupg.org >> http://lists.gnupg.org/mailman/listinfo/gnupg-announce >> >> >> >> ___ >> Gnupg-users mailing list >> Gnupg-users@gnupg.org >> http://lists.gnupg.org/mailman/listinfo/gnupg-users >> > > > > ___ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > It says part of your message to me was encrypted and prompted me for my passphrase, but it must not have been encrypted with my public key. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net ^^-^^ 16:45:01 up 19 days, 21:28, 2 users, load average: 6.09, 5.31, 4.80 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Break backwards compatibility already: it’s time. Ignore the haters. I trust you.
On 05/20/2018 08:51 PM, Jeremy Davis wrote: > I just read the awesome article "Efail: A Postmortem" by Robert Hansen. > > Thanks for this Robert. Great work! > > As suggested by Robert, I've signed up to say: > > Break backwards compatibility already: it’s time. Ignore the haters. I > trust you! :) > One of the problems with Windows is that they preserved the backwards compatibility for far too long, so they could never clean it up enough to make it any good. I admit that Windows 7 is better than Windows XP that was much better than Windows 95. I wonder just how much complexity there is in my FiOS box to convert the fiber-optic to plain old telephone service that must still be compatible with my old rotary dial telephone that requires 90 volt 20 cycle power to ring the bell. And all my electronic telephones with electronic ringers that must be protected from that 90 volt ringing current. Can you imagine the redesign that would be required so I could start the gasoline engine in my Prius with a hand crank in the front? -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net ^^-^^ 23:05:01 up 4 days, 6:55, 1 user, load average: 4.04, 4.05, 4.07 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Efail or OpenPGP is safer than S/MIME
On 05/19/2018 09:00 AM, Patrick Brunschwig wrote: > On 19.05.18 14:15, Werner Koch wrote: >> On Fri, 18 May 2018 12:18, patr...@enigmail.net said: >> >>> How far back will that solution work? I.e. is this supported by all >>> 2.0.x and 2.2.x versions of gpg? >> >> 2.0.19 (2012) was the first to introduce DECRYPTION_INFO In any case >> 2.0 is end-of-life. In theory we could backport that to 1.4 but I don't >> think that makes sense. > > Enigmail runs on many long-term Linux distributions that still ship > older, presumably patched, versions of GnuPG. For example, Red Hat EL > 6.9/Centos 6.9 contains GnuPG 2.0.14, but current versions of Thunderbird. > > GnuPG 2.0.x will therefore still be relevant for me for many years to come. > Me too! Red Hat Enterprise Linux Server release 6.9 (Santiago) thunderbird-52.7.0-1.el6_9.x86_64 gnupg2-2.0.14-8.el6.x86_64 Enigmail 2.0.4 -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net ^^-^^ 09:40:01 up 2 days, 17:30, 2 users, load average: 4.15, 4.27, 4.46 signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: your message could not,be delivered to one or more recipients.
On 11/17/2017 03:09 AM, Werner Koch wrote: > On Thu, 16 Nov 2017 17:56, w...@uter.be said: > >> Alternatively, AOL might be trying to send the mail from a different > > Very likely - greylistd comes with a list of whitelisted AOL server > pools. 204.29.186.0/24 is not yet in this list - I added it to the > local installations. > > > Salam-Shalom, > >Werner > Thank you. I used to use Verizon as my SMTP provider, but when they bought AOL, they discontinued serving e-mail and transferred everything to AOL's servers. I usually have no trouble posting to gnupg-users@gnupg.org but that one did not go through. Yesterday, I did a whois on 204.29.186.9 and it came up as AOL, but AOL for the .ru area (it came up with other areas where presumably AOL serves). But today there seems to be only the main entry in Dulles, VA. If someone had been messing with the DNS, no wonder gnupg.org would be suspicious. Right now everything looks OK. $ dig -x 204.29.186.9 ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 204.29.186.9 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63531 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4 ;; QUESTION SECTION: ;9.186.29.204.in-addr.arpa. IN PTR ;; ANSWER SECTION: 9.186.29.204.in-addr.arpa. 300 IN PTR omr-m007e.mx.aol.com. ;; AUTHORITY SECTION: 186.29.204.in-addr.arpa. 3600 IN NS dns-07.ns.aol.com. 186.29.204.in-addr.arpa. 3600 IN NS dns-02.ns.aol.com. 186.29.204.in-addr.arpa. 3600 IN NS dns-01.ns.aol.com. 186.29.204.in-addr.arpa. 3600 IN NS dns-06.ns.aol.com. ;; ADDITIONAL SECTION: dns-01.ns.aol.com. 126866 IN A 64.12.51.132 dns-02.ns.aol.com. 126866 IN A 205.188.157.232 dns-07.ns.aol.com. 126866 IN A 64.236.1.107 dns-06.ns.aol.com. 126866 IN A 207.200.73.80 ;; Query time: 123 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Fri Nov 17 08:53:27 2017 ;; MSG SIZE rcvd: 228 -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net ^^-^^ 08:35:01 up 2 days, 15:50, 2 users, load average: 4.42, 4.27, 4.14 signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
your message could not,be delivered to one or more recipients.
This is the mail system at host omr-m007e.mx.aol.com. I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below. For further assistance, please send mail to postmaster. If you do so, please include this problem report. You can delete your own text from the attached returned message. The mail system : host kerckhoffs.g10code.com[217.69.77.222] said: 451-204.29.186.9 is not yet authorized to deliver mail from 451 to . Please try later. (in reply to RCPT TO command) _ Reporting-MTA: dns; omr-m007e.mx.aol.com X-Outbound-Mail-Relay-Queue-ID: 58F77380004C X-Outbound-Mail-Relay-Sender: rfc822; jeandav...@verizon.net Arrival-Date: Wed, 15 Nov 2017 09:01:43 -0500 (EST) Final-Recipient: rfc822; gnupg-users@gnupg.org Original-Recipient: rfc822;gnupg-users@gnupg.org Action: failed Status: 4.0.0 Remote-MTA: dns; kerckhoffs.g10code.com Diagnostic-Code: smtp; 451-204.29.186.9 is not yet authorized to deliver mail from 451 to . Please try later. __ >From where does it get port 451? My SMTP port is 465 204.29.186.9 is my ISP for e-mail: AOL. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net ^^-^^ 08:40:01 up 1 day, 15:55, 2 users, load average: 4.81, 4.90, 4.72 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Counterarguments Supporting GnuPG over Off The Record (OTR)
On 01/19/2017 04:06 AM, Stephan Beck wrote: > 15-20 years from now, OpenPGP will have expired and be a case of study > for computer historians. > I agree. 20 years from now, we will all be using telepathy, and the telephone and Internet will be redundant. Without electromagnetic communication, and without paper communication, we will be unable to encrypt anything. Will there be an equivalent to OpenPGP that works with telepathy? -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net ^^-^^ 11:10:01 up 8 days, 19:55, 3 users, load average: 5.18, 4.96, 4.87 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/25/2015 12:50 PM, Ingo Klöcker wrote: > On Thursday 24 December 2015 17:02:54 Matthias Apitz wrote: >> Hello, >> >> I do not fully understand why some 4 random words like >> >> Correct, horse! Battery staple! >> >> is a better passphrase like, for example >> >> Und allein dieser Mangel und nichts anderes führte zum Tod. >> >> i.e. some phrasing which could be memorized better? > > The second sentence is found by search engines (2 hits in > DuckDuckGo). Don't use it or any other phrase that's has been > published on the internet. A phrase of 4 random words has a high > probability that it has not been published on the internet (or > anywhere else). The tricky part is that you must never put your > 4-random-words phrase into a search engine to check this. > > Instead of using a 4-random-words phrase you can use a proper > sentence with equivalent entropy provided that you do not use a > sentence that has been published anywhere. Come up with your own > sentence. Ideally come up with a sentence that doesn't make any > sense like "The horse was correct. You cannot staple batteries." > This phrase might be easier to remember and has a similar entropy > as the above mentioned 4-random-words phrase. > > A favorite of mine, not usable then, and even less so now, is the following: At Night We Walk in Circles and Are Consumed by Fire In Latin, that is a palindrome. It is now the name of a musical composition, and has a group of its own on Facebook. https://www.wnyc.org/radio/#/ondemand/510001 - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net ^^-^^ 10:35:01 up 1 day, 11:08, 2 users, load average: 4.16, 4.24, 4.19 -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.14 (GNU/Linux) iQEcBAEBAgAGBQJWfrg0AAoJEBZthAoMYQyLcOMH/3q0mmnai7E49VontTna/2gf yZD9FHbiVE7tQl2OZmjNa16AzVMwpTlJxpS82/n3/8ljVxWbyd0JzdStAyq4xONV hdYN05SL6A43L8dobaO0IQLMB7ZdzJYawQW8wLfKQzevXMMXMiGg5BLMVdhNMqWo TPOLu8GFPfDGqC1P6EzKplCremb2NsMvrxw1RpxQcNwIksz1S3XO+YZWAYegUmsC fUCVH3qgTNrlaiG/FFGqBols0RJYS9EsWC/0EWSOZN0TCqzfoWbwPSse76HolV9Y lkXklPCxaqwan09jtkGwwSye1sTTHjmHA6t1YtK8yRxNc5k/zQKiY3mvLtt23Nc= =2AOW -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How can it be made even easier!?
On 10/04/2015 10:30 AM, Don Saklad wrote: > How can it be made even easier!? > > Trying to encourage M.D.'s to use it is met with complaints about not > having time to learn about it. Set up is a too complicated sequence of > steps that aren't entirely clear. The steps can get hampered where there > aren't instructions that cover what to do when one of the steps goes > awry! > Not just doctors. My lawyer has the same problem. She really needs signed e-mails and encrypted e-mails, but has not the time to learn all about how to install and use it. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net ^^-^^ 17:30:01 up 18 days, 4:32, 3 users, load average: 5.27, 5.59, 5.68 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: General brute force attack question
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 06/16/2015 06:28 PM, James Moe wrote: > Hello, My understanding of en-/decryption is that there is no > indication of progress toward finding a successful key match of a > given encryption. Only when the key is exactly correct will the > encrypted data be revealed. I have seen numerous TV and movie > stories where someone is frantically attempting to decrypt > something and there is a progress meter to indicate the current > degree of success. Every time I see this I think "That is total BS! > It is all or nothing." Related to this is the oft-repeated request > to avoid identifiable information (initials, birth date, etc.) in a > cryptographic key. I presume this gives an attacker a preferred set > of characters to attempt before moving on to truly random > combinations. Finally, a brute force attack requires potentially > billions of attempts. Obviously this cannot be done by trying the > usual log in screens or prompts; there are delays between attempts, > and a limited number of attempts per some interval. How does an > attacker then perform a brute force attack? Does he cadge a block > of encrypted text and hammer on that until success? > > Is this a correct interpretation? > I do not know what people do now, but in the old days, the black hat team obtained a copy of the password file, /etc/passwd in UNIX and Linux systems. This file was owned by the super-user but had to be readable by anyone else. The password file did not and does not contain the passwords at all. It contains a string that is obtained by using the password to encrypt a constant string (typically a bunch of blanks) and the encrypted result is stored in that file. This scheme was quite effective when the bad guys were trying to dial up and login from outside. First of all, it was slow to log in so you could not try that many passwords per hour. Furthermore, I had a system where the delay for a new prompt increased with every failure, and even then after a while, the system hung up on the attacker. When it became possible to just export that file, he could do so, and then work much faster on a faster dedicate machine. To get around that, there was a shadow file (/etc/shadow) that could only be read or written by the super user and no one else. It was sometimes hidden somewhere else, but I doubt that helped security much. But that file could not be taken except if actually present in the machine room. My information on what is done these days ends about 1990, so they may be more sophisticated now. For one thing, for Linux systems, one can run SELinux, where even the super-user could have a difficult time getting at that shadow file. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net ^^-^^ 21:25:01 up 7 days, 19 min, 2 users, load average: 4.81, 4.91, 4. 80 -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.14 (GNU/Linux) iQEcBAEBAgAGBQJVgNGyAAoJEBZthAoMYQyL/BkH/2Oc0NYh0woR7Hio4aLDwRKr Zafzy7687ckT5YZwcpjl7hdVjI0zu+2B9751P1RJbM6Zrwmtz0yZKTWTlQLfGS2t rAl0rWwCXhM7Xh7zyKmNIOY/W10ADJWhWPjjLhJBawqO6JGhGCzd+3lwlb4KVfha DhdLLvTQqYICQ9eHPXfezOwXpANhc2Iaf2VX3UuNeWkDTDW69cRG0EkQVLhibPIt ugBFdDti9fOQE/0lzf6+BUm0hSRAsmWA/s0CWvnt71KnryZWHsuyHaRVvXBloR+I aBu+3w54ASktnAcGAk/C7miKlFdI+Wa+WCiZBocq6JhvumqAshetdZihZnO/6U8= =44Mu -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Random Seed for Generating PGP Keys
On 05/24/2015 05:11 PM, kendrick eastes wrote: > > On Sun, May 24, 2015 at 10:35 AM, George Lee <mailto:geo...@cmtytech.org>> wrote: > > Hello, > > I'm interested in seeing if rather than relying on the built-in > software to generate randomness when creating a PGP key, if it is > possible to configure GnuPG to use a manually entered random seed. > That way I could generate a seed using coins, dice, my magic > cauldron, etc. > > Is this possible to do? How much entropy in a seed would I need? > > I also imagine that folks might say the software is very good at > generating random numbers. Feel free to share more details why, e.g. > how many bits of entropy are provided and how to make sure they're > truly random. But it would still be helpful to know if the above > customization is possible. > > Thank you! > > - George > > > > would it not be more reliable and simpler to use a HWRNG to generate > entropy? In theory, no software random number generator can generate truly random numbers, since they will repeat. They function they generate is cyclic, just as sin(t) is cyclic, though their period is much greater. But once you use an algorithm to generate random numbers, you have sinned. If you used a good HwRNG. > > https://en.wikipedia.org/wiki/Comparison_of_hardware_random_number_generators > has a list of commercially available generators, and i know i have seen > at least 2 homebrew designs that had source and HW schematics released. > This article would have been more useful if the author had subjected these random number generator to the usual mathematical tests for randomness. Here is what was, at the time it was written, a very good paper on software random number generators. Almost 50 years old now. I have not kept up with the field, so I do not know how much progress, if any, has been made since. https://dl.acm.org/citation.cfm?id=321379 I remember in the past when I needed a random number generator, I made plots on a crt where one random number was used as the x-coordinate and the next one was used as the y-coordinate of a plotted point. I expected to see a mess of noise, but there were, instead, stripes. Turns out there was a bug in the RNG I was using. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net ^^-^^ 07:35:01 up 23 days, 15:26, 2 users, load average: 4.22, 4.37, 4.69 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: multiple instances of gpg-agent
On 05/21/2015 05:30 AM, Werner Koch wrote:
> On Thu, 21 May 2015 04:37, jeandav...@verizon.net said:
>
>>> >> --write-env-file "$@{HOME@}/.gpg-agent-info"
>> >
>> > I tried this and it would not work. No such file or directory.
>> >
>> > I removed the @ signs and then that part worked.
> Sorry, I copied it from the texinfo source and missed these escape
> sequences.
No harm done. It did not take long to figure it out.
--
.~. Jean-David Beyer Registered Linux User 85642.
/V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521.
/( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net
^^-^^ 19:45:01 up 20 days, 3:36, 2 users, load average: 5.35, 4.96, 4.73
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: multiple instances of gpg-agent
On 05/19/2015 12:11 PM, Werner Koch wrote:
> On Mon, 18 May 2015 14:38, jeandav...@verizon.net said:
>
>> I run Red Hat Enterprise Linux 6 and I get lots of them too. I just
>> kill them once in a while, but surely that is not ideal.
>
> The man pages gives hints on how to avoid starting several
> instances of gpg-agent. You should start it in your ~/.xsession script:
>
> gpg-agent --daemon --enable-ssh-support \
> --write-env-file "$@{HOME@}/.gpg-agent-info"
I tried this and it would not work. No such file or directory.
I removed the @ signs and then that part worked.
>
> and for each login shell you run this:
>
> if [ -f "${HOME}/.gpg-agent-info" ]; then
> . "${HOME}/.gpg-agent-info"
> export GPG_AGENT_INFO
> export SSH_AUTH_SOCK
> fi
I put that into .bashrc and it seems to work.
Thank you.
>
> However it is easier to put "use-standard-socket" into
> ~/.gnupg/gpg-agent.conf and let gpg start gpg-agent as needed. This is
> the same procedure as used by 2.1 and which has always used with 2.0 on
> Windows (where use-standard-socket is the default).
>
>
> Salam-Shalom,
>
>Werner
>
--
.~. Jean-David Beyer Registered Linux User 85642.
/V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521.
/( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net
^^-^^ 22:35:01 up 19 days, 6:26, 2 users, load average: 4.61, 4.47, 4.34
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: generating revocation certs non-interactively
On 05/19/2015 06:51 AM, Michelle Gmail wrote: > U cheated, u lied, u manipulated me, u destroyed my credit the > apartment , my life ur beautiful daughter that's so happy and just > loves for us all to be together, ur stepson now can not get a > birthday gift because I do not know how I will be able to pay rent or > other bills or food , we can not even afford another apartment, what > U have done was so cold as if we just all met, then u lied repeatedly > too u were blue in the face denying u had a girlfriend and denied > that all those things I said weren't true BUT THEY WERE. The planning > u did the roll u played was as if u believed ur own lies and no one I > mean no one would ever understand what u did to me and the kids. It > wasn't something that a normal adult would do. Well let's go on then > u developed a pretty dependent habit but u were after years later > still not wanting to do anything for urself but u expected and wanted > whenever u asked. U took took took u ran me dry then u moved on as if > we didn't exsist but the crazy thing is u played a role as if u were > this nice guy that did so much for me and with the kids but in fact u > did not u verbally tortured me for hours with name calling and ur > gossip talk about ur co workers ALL OF THEN I did so much more > than what u have me credit for, and the blaming all ur mistakes on me > daily cuz jason Boyer does no wrong. I'm gonna say I was warned my > many people in which some had proof about ur problem. But I said he > was young and gave u the benefit of doubt haha And then wow I mean > WOW what I just lived more do past few months since u met girlfriend > was by far the strangest behavior I have ever seen, I seen on jerry > springer and all but never did I ever think that an individual would > do something like this to his girl and family intentional. Oh yes > hard to believe but believe it cuz he won't stop trying to destroye > as if I was the one cheating but I wasn't but he's treating his > family mostly myself as if I committed this horrible horrible crime > that affected him in a way that he is so messed up now. But no > everyone that indeed is not true ither this is the strangest behavior > I have ever witness. He played the role of the good guy and the one > who loved me sooo much and did everything w kids and his family but > no no None of that is true especially since he met his sugar mama it > was total ignore the kids day after day as well as the verbal abuse > got worse and worse > It looks something like plain text, but I cannot figure out how to decrypt it. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net ^^-^^ 21:25:01 up 19 days, 5:16, 2 users, load average: 4.31, 4.49, 4.82 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: multiple instances of gpg-agent
On 05/17/2015 09:02 PM, MFPA wrote: > > > I have read several times that multiple instances of gpg-agent is > not good. But I regularly see six or seven listings of > "gpg-agent.exe" in Task Manager or Process Explorer. If I don't > re-boot in the meantime (or kill the gpg-agent.exe processes with > Task Manager) they can hang around for at least a day after last > use. Is this likely to cause any problems? > > I am currently running GnuPG version 2.1.4 under Windows XP. GnuPG > is used by my email client, by a GUI key manager, occasional > commandline use, and by Mike Ingle's Confidant Mail. > I run Red Hat Enterprise Linux 6 and I get lots of them too. I just kill them once in a while, but surely that is not ideal. I tried the following script in my .bash_profile that I thought would work, but it does not. SOCKET=S.gpg-agent PIDOF=`pidof gpg-agent` declare -x PIDOF #RETVAL=$? kill -s SIGHUP $PIDOF 2>/dev/null rm $HOME/.gnupg/$SOCKET rm -fr /tmp/gpg-* eval $(gpg-agent --daemon) GPG_SOCKET_FILE=`find /tmp/gpg-* -name $SOCKET` 2>/dev/null ln -s $GPG_SOCKET_FILE $HOME/.gnupg #echo .bash_profile ran `/bin/date +%Y%b%d%R ` $GPG_SOCKET_FILE >> /home/jeandavid8/XprofileLog.txt -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net ^^-^^ 08:15:01 up 16 days, 16:06, 2 users, load average: 5.37, 5.13, 4. 87 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Anything that just works easily for folks?... without knowing this stuff.
On 03/09/2015 01:19 AM, Don Warner Saklad wrote: > It's too complicated to setup, a too complicated learning curve to > setup... How to make it easier needs to be a greater priority. > Albert Einstein is credited with saying: Everything should be made as simple as possible: BUT NO SIMPLER. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net ^^-^^ 09:40:01 up 8 days, 16:48, 2 users, load average: 5.03, 4.93, 4.78 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg in a cybercafé
On 03/06/2015 05:05 AM, Werner Koch wrote: > On Fri, 6 Mar 2015 09:12, htd...@fritha.org said: > >> In case you're allowed to boot from an external medium, this still won't be >> secure. Because you have no control over the hardware built into the >> computer, > > Does not even need to be hardware: A (remotely) modified firmware might > first boot you into a virtual machine and only then boot the OS from > disk or USB. > > I built a virtual machine once. I had a computer with no memory management hardware. And I had a FORTRAN compiler for it that worked pretty well, but if I wrote too many EQUIVALENCE statements, the computer crashed. A FORTRAN compiler is pretty big and inspecting all its code was out of the question. I wrote a program for a virtual machine that had all the same instructions as the real hardware did, so that was trivial: took less than a day to write it. But it had a little extra feature: memory management. The virtual machine ran as its input, the binary instructions of the programs that would normally run on the real machine. Like the OS, the compilers, etc. The easiest way to tell if the real machine was running or the virtual machine was that the virtual machine ran about 20x slower. I loaded the virtual machine and started it up. Then I invoked the FORTRAN compiler and presented it with a program with a lot of EQUIVALENCE statements, and saw that it was over-writing the interrupt vectors at the bottom of RAM, and further, what the offending instruction was. The original compiler had a bug were an index register needed to be specified, and it was omitted. Pretty simple. Now a black hat could easily put any old virtual machine on that machine, so doing nasty things would have been pretty easy. I suppose it is a little more difficult at a cyber cafe or public library. But not if I owned the cafe or worked in the library. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net ^^-^^ 14:25:01 up 6 days, 22:33, 2 users, load average: 4.02, 4.07, 4.11 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: UK Guardian newspaper publishes USA NSA papers
On 11/04/2013 05:40 PM, Robert J. Hansen wrote: >> I tried to check that out, and I have never needed more than about >> three hops. > > Sure, but then again you're trying to hit people with *extremely* large > networks, and whose first-order networks are themselves *extremely* > well-connected. Even the exotic ones like Ronald Coase -- he > co-authored a ton of papers and attended a lot of conferences and > advised a lot of Ph.D. candidates and taught a lot of courses. > > If you can map out a line to my great-uncle Ormo Rasmussen in three hops > without using me as a link, I'll be impressed. ;) > I would not even know how to go about it. In my little list, I did not pick these people and see how to link to them; they were people I new directly (the one-hop ones), Or I knew someone who knew them (my piano teacher: Gorgbachev, my grandfather: Albert Einstein). Getting to Richard Nixon was a bit harder. A friend of mine knew his mother. I am actually surprised and impressed by my list. Not that anyone else should care. And on this list, David Wagner was easy since I worked with his mother at Bell Labs and met him not long after he was born. He surely has no recollection of me. Speaking of Bell Labs, kind of a name-dropping switchboard. My grandfather worked there, so I am a two handshakes away from Clinton Davisson. And I worked there and knew Doug McIlroy, and knew Ken Thompson and Dennis Ritchie very slightly. Also Bela Julesz. And Vic Vyssotsky was the most compulsive cigarette smokers I ever met, but a uniquely brilliant computer scientist. Jean Felker, who lead the TRADIC project (possibly the first transistorized electronic computer) interviewed me when I first tried, as a high school student, to get a summer job there. We talked about round-off problems when using fixed-length and fixed-point arithmetic. Oh! Well! Memories. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 17:55:01 up 20:16, 2 users, load average: 4.74, 4.61, 4.54 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: UK Guardian newspaper publishes USA NSA papers
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 11/04/2013 04:29 PM, MFPA wrote: > That's phenomenal: isn't everybody in the world separated by an > average of just six hops? I tried to check that out, and I have never needed more than about three hops. Three hops to former president Richard Nixon. Two hops from me to Mikhail Gorbachev, Albert Einstein. One hop from me to Margaret Leng Tan, Maurice Wilkes, Phyllis Chen, Claire Chase, David Wagner (I met him when he was a baby), Eric Lamb, Ronald Coase, Sylvia Milo, Nathan Davis. Some of these are very famous, and some are famous in their own fields. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 17:00:01 up 19:21, 2 users, load average: 4.77, 4.67, 4.52 -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.14 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJSeB2QAAoJEBZthAoMYQyLbTgIAKn1VLcsgXEAUgwacr/fU09Q teXaJ6JnUNfVmEH/hdwlyfwTlBkbV8SmFQ3aN8LZjz5b2osI659P9tNA3LXEi7Jz +H0wa0aE/HBy/neumxv24Bu0s5bdeI3CU+FYqPBYtYjx1Q0Qeoug6VZqqI4TbJZo lcby5oWvXldwFunS9jvAbmtpl5G9uchzDSP+Y2hI3XEmT4OISb3jZPP0LHt8sPYc kv1qAedpg67GrANlPOJqsZaPbfm/hJnNm0z2qGbc+l5tl/hoXM6M30pFrNFoB6n4 ZFqPrwHjxgGfoaHD+sO9ZEWjLg8bKz70dmdQmtoKANQY9PuXSplkfBWsD4aH2y8= =IzJe -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Recommended key size for life long key
On 09/08/2013 04:02 PM, Filip M. Nowak wrote: [snip] > "Breakthroughs in factoring have occurred regularly over the past > several decades, allowing us to break ever-larger public keys. Much of > the public-key cryptography we use today involves elliptic curves, > something that is even more ripe for mathematical breakthroughs. It is > not unreasonable to assume that the NSA has some techniques in this area > that we in the academic world do not. Certainly the fact that the NSA is > pushing elliptic-curve cryptography is some indication that it can break > them more easily."** > I would think the NSA would have two teams, that might work together at times. One is interested in breaking the encryption of those they deem to be enemies. The other is making encryption mechanisms that are as difficult to break as they know how, for the use of our own secret services, state department, and so on. So perhaps the snooping division is pushing elliptic curve technology because they have a technique for breaking those that they have not published and that has not yet been leaked. But the other division is developing some superior technique, such as hyperbolic curves (I made that name up; it has nothing to do with reality) that is at least an order of magnitude more difficult to break. For use by any government agency that has secrets to keep but must communicate from place to place, or from time to time. Some might need public key encryption methods, some might manage with symmetric key methods. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 16:55:01 up 10 days, 23:40, 3 users, load average: 4.76, 4.43, 4.30 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: need help for GPG 1.2.1 binary for REHL 5.8
On 08/20/2013 03:43 PM, Peter Lebbing wrote: >> we are searching for binary for GPG 1.2.1 version for Red Hat Enterprise >> Linux 5.8 > > You're trying to install a version released in 2002 on an OS released in 2012. True, but Red Hat support their major releases for 10 years, so implying that the O.P.'s release is obsolete is a bit extreme. We are not talking about Fedora releases now. > I'm not surprised you can't find binaries! Why do you want to do this? 1.2.1 > has > known issues and should not be used these days. It's more than a decade old! > > I think your effort is much better spent on changing your workflow to use the > latest 1.4 release. Again, why do you want to install 1.2.1? > > HTH, > > Peter. > I have CentOS 5.9. similar to RHEL5.9 that, as far as I know, is the current release for RHEL5. I run RHEL 6 on my main machine. The 5.9 has gnupg2-2.0.10-3.el5.1.i386 as its current release and that requires the following libraries: libksba-1.0.5-2.el5 pinentry-0.7.3-3.el5 pth-2.0.7-6.el5. As Peter asks, "why do you want to install 1.2.1?" -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 16:30:01 up 8 days, 21:55, 2 users, load average: 4.01, 4.24, 4.27 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [#JYM-378-41570]: Re: Why trust any software?
On 08/06/2013 02:32 PM, MFPA wrote: > Hi > > > On Tuesday 6 August 2013 at 3:28:55 AM, in > , Henry Hertz Hobbit wrote: > > >> I received no comment from TeamSpeak's technical person >> so I am going to be blocking ALL of their hosts in my >> blocking hosts file. I have no other choice. You >> don't listen to your attorney saying to not say >> anything if you are the victime. You cure the problem. >> They didn't reply so I have no choice. > > > Definitely something wrong when messages to > get returned "550 Recipient unknown." > > Is the address ab...@teamspeakusa.com actually required? I know "postmas...@teamspeakusa.com" is required and it must go to a real person, but is any other? -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 08:45:01 up 4 days, 10 min, 2 users, load average: 4.31, 4.37, 4.40 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [#JYM-378-41570]: Re: Why trust any software?
On 08/05/2013 09:09 PM, Robin Kipp wrote: > Hi Jean, no, I think you can be fairly certain that you never > contacted any piracy department. If you look back through the last > messages that have been going over the lest you'll find this has been > going on for a while now, also for others posting to this list. Seems > like their contact address got on this list somehow, hence a new > ticket gets created each time someone on this list starts a new > discussion. So, looks like their Piracy Department is getting lots of > work for no reason :-) HTH! Robin Oh! Good! I was afraid it was something I did. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 06:50:01 up 2 days, 22:15, 2 users, load average: 4.22, 4.39, 4.43 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [#JYM-378-41570]: Re: Why trust any software?
On 08/05/2013 09:23 AM, TeamSpeak Piracy wrote: > Jean-David Beyer, > > Thank you for contacting us. This is an automated response confirming > the receipt of your ticket. One of our agents will get back to you as > soon as possible. For your records, the details of the ticket are listed > below. When replying, please make sure that the ticket ID is kept in the > subject line to ensure that your replies are tracked appropriately. > >*Ticket ID: *JYM-378-41570 >*Subject: *Re: Why trust any software? >*Department: *Piracy [English] >*Type: *Issue >*Status: *Open > > You can check the status of or reply to this ticket online at: > https://support.teamspeakusa.com/index.php?/Tickets/Ticket/View/JYM-378-41570 > > Kind regards, > > TeamSpeak USA, Inc. > > > TeamSpeak Piracy > e-Mail: pir...@teamspeakusa.com <mailto:pir...@teamspeakusa.com> > Visit: http://www.TeamSpeak.com > Knowledgebase: http://support.TeamSpeakUSA.com > > Hours of operation for this department are Monday - Friday, 9AM to 5PM > Pacific Time (UTC-8). We are committed to responding to your inquiry > within 48 hours, and typically will reply within 24 hours, excluding > weekends and holidays. I thought I posted to gnupg-users list. I was making a remark to a previous post. I was not filing a trouble report, and do not think I was even addressing the issue of piracy. Hence I am very confused that I seem to have been issued a trouble ticket and getting two e-mails about this. Is something wrong with a server? Or an autoresponder? -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 20:40:01 up 2 days, 12:05, 2 users, load average: 4.34, 4.52, 4.52 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why trust any software?
On 08/05/2013 06:31 AM, kardan wrote: > Hi, > > I would like to widen the view of this thread as the question not > only apply to windows software in my eyes. > > On Thu, 25 Jul 2013 21:17:43 + atair > wrote: > >> This basically means, that everyone(!) can access, modify and >> redistribute the source code of the program (see [2] if you're >> interested). There are lots of people (usually volunteers from >> all over the wold) who do peer reviews on the sources (and if >> you start with [2], _you_ can be another one). Therefore, >> changes that look like back doors are VERY unlikely to find their >> way in a release, because hundreds of people are looking how the >> software evolves and will reject such a patch. > > This is heard very often. How can I check if this is true for a > particular piece of software? For the kernel reviews can be > tracked via LKML but not every code is so popular. How to see how > many people really read and approved a patch for example? Also the > number may not be that relevant than if experienced developers > did. > > On Fri, 26 Jul 2013 09:22:32 -0400 "Mark H. Wood" > wrote: > >> But it takes only one person who can and does do this >> inspection, to reveal the evil deed. And that person could be >> anywhere. He very likely won't be identified until he announces >> his presence by announcing his discovery of the attack. > > I would love this person even showing up to approve if there is no > attack - just for me feeling better. > > On Fri, 26 Jul 2013 00:14:08 +0200 "Julian H. Stacey" > wrote: > >> However you missed the point that many MS users are not >> programmers, & will not be compiling their own binaries, so any >> malign entity could regularly hack their nasty extras in, >> compile & issue binaries that dont match published source [...] > > Also many linux users look strange at me if I say I do compile > parts of my debian system. > If somehow you trust the Linux kernel you are using, that is already a big assumption. That would assure you that the Kernel source was used to compile the kernel. And if all was properly signed, and you have somehow obtained the fingerprint of the signing key in some reliable way, that would give high assurance. But how about the compiler that was used. It could have been sabotaged too, to insert a back door into any code it compiled, or only code for files with names that exist in the compiler and a kernel, perhaps. So not only need you trust the people who examined the source code for the kernel, you need to trust the people who support the kernel to have done the same thing for the compiler they use. And the compiler they used for compiling that compiler. To really trust (or not trust), you have to take all that C-code for the first compiler and compile it by hand to binary (not assembly level). Then use that to make the assembler that has been similarly verified, then the C compiler you really want to use, and so on. I am not sufficiently paranoid to do this, and I would not live long enough to do it even were I motivated to do it. Maybe Ken Thompson or Dennis Ritchie could do it, but I bet he would not. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 08:10:01 up 1 day, 23:35, 2 users, load average: 4.49, 4.43, 4.56 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPG weakness
On 07/25/2013 08:59 AM, Manu García wrote: > Are devs taking some measures to make GPG really secure? I am not an encryption expert, but if I were going to store a lot of stuff in the cloud, I would not use GPG or any other public (assymetric) key encryption system. I would use a simpler symmetric key, since no one other than I would need to know the key. The scheme outlined in the article is by no means new. It has been known at least 10 years and probably even more. It is of theoretical interest only, IMAO. As for the part of your post shown above, measures to make GPG really secure from what threats? Because the answer to that question really matters. I bet they cannot make it secure from my posting my private key on Facebook, for example, or from some black hat torturing my passphrase out of me, or from the FBI putting a keylogger on my machine, or even more easy, from my sending an encrypted e-mail to a friend of mine who then forwards it unencrypted to someone else. The developers of GPG cannot do anything to protect against these threats. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 16:20:01 up 44 days, 18:06, 2 users, load average: 4.22, 4.50, 4.72 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why OpenPGP is not wanted - stupid is in vogue right now
On 06/11/2013 12:23 AM, Robert J. Hansen wrote: > On 6/10/2013 11:37 PM, Jean-David Beyer wrote: >> Of course he did not seriously propose the idea as a real course of >> action. But it is interesting to think about. > > I drive a Mustang GT with enough engine work to make it genuinely > dangerous to unprepared drivers. When I was taking a couple of advanced > driving classes (because I don't want to be a hazard on the road behind > such a vehicle), one of my instructors -- a police driving instructor -- > told me about a collision he recently saw with a tricked-out Mustang GT > like mine. > Come to think of it, I had a friend who drove a Griffith (or some name like that) which was basically a TVR designed with an 1800 cc British engine in it. To make it into a Griffith, you swap out that little engine and put in a Ford 275 (or so) cubic inch one. I think the clutch and transmission get replaced too, but I do not remember (or care). this must have been in the early 1960s. Well, when he took the thing to the inspection station, you sometimes get an inspector who fancies himself a race car driver. But do not actually have the knowledge or skill for it. Well this one takes it to the brake testing machine, which here is a long instrumented track. The drill is to take the car up to some modest speed, and hit the brakes. The machine measures the braking forces of all four wheels, etc. Well this clown revs up the engine and pops the clutch. If I remember correctly, that car would do 0 to 60 in something like 4 seconds. It would not handle worth a damn, but it sure would accelerate. By the time he got his foot off the gas and onto the brake, he had run past the end of the machine and almost hit the car ahead (it did have good brakes). Since he missed the car ahead, he gave my friend a pass on that test. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why OpenPGP is not wanted - stupid is in vogue right now
On 06/11/2013 12:23 AM, Robert J. Hansen wrote: > On 6/10/2013 11:37 PM, Jean-David Beyer wrote: >> Of course he did not seriously propose the idea as a real course of >> action. But it is interesting to think about. > > I drive a Mustang GT with enough engine work to make it genuinely > dangerous to unprepared drivers. When I was taking a couple of advanced > driving classes (because I don't want to be a hazard on the road behind > such a vehicle), one of my instructors -- a police driving instructor -- > told me about a collision he recently saw with a tricked-out Mustang GT > like mine. > I had been driving Alfa Romeo Giulietta Spiders for a while, and one Giulia (same car, 1600 cc engine). Then I bought a Lotus 26. I had driven my current Alfa to NYC (the nearest Lotus dealer to Buffalo NY where I was living). I had already bought and paid for the car, but it needed preparation so I could not take delivery until the next day. Nevertheless, the owner of the dealership took me to dinner at a fancy French Restaurant on his bill. He started by buying me a Martini. I drank it, but did not like it much. He then bought me another. I nursed it along, but finished it. He then ordered me a third. I told him I did not want it, that two were enough. He insisted. I took one sip to be polite, but I was not going to drink any more. He surprised me, though. He took the drink from my hand and smashed it to the floor. He then pointed out the old saw about martinis were like breasts on a woman: one is not enough, but three are too many. His point, as he explained, was that the Lotus 26 was not like the Alfa Romeos that I was accustomed to, and if I drove the Lotus the same way, I would kill myself. He then explained some of the fine points of a car that normally understeered but under the right circumstances, could oversteer, and that I better go to a large vacant parking lot and learn to handle that. Which I did. Luckily, in Buffalo at the time, there were blue laws that prohibited shopping malls from being open on Sundays so even if I spun out the car, other than a little excitement, I could not really hurt anything. The Lotus 26 was not like the 300 SL or the W-186 in switching from under to oversteer, but it could do it. It saved my life once or twice when driving on snow with glare ice (that I did not know was there) underneath it. But it takes nerve, when the front end is losing it to shift down a gear and floor it, when instinct and reflexes make you want to hit the brakes. But none of that will work on my Prius. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why OpenPGP is not wanted - stupid is in vogue right now
On 06/10/2013 03:39 PM, Mark Rousell wrote: > I just wanted to say that you have neatly encapsulated my feelings > on the subject: Stupid is in vogue. > > My concern is that it will be for a long time to come. It is > ironic that technology is, to a considerable extent, what has made > it possible. So much is taken care of by technology that it is > simple and easy to be "stupid". You can get away with it. That > suits the data miners of this world just fine. > In 1962, Consumers Union hosted a conference entitled Passenger Car Design and Highway Safety. Lots of engineers, etc., were there and presented papers. One was a guy named John Fitch who designed and drove race cars. While it was not the main point of his presentation, at one point he mused that perhaps all cars should be designed like race cars. In particular, 6 speed non-synchromesh manual transmissions, grabbing clutches, no power steering, no power brakes, no radios, etc. He said the added complexity would have two benefits: 1.) Some really stupid people would not be able to drive them because they would be stalled out most of the time. 2.) Those who could get them to move would have to pay a higher level of attention to what they were doing than the average driver. Of course he did not seriously propose the idea as a real course of action. But it is interesting to think about. https://en.wikipedia.org/wiki/John_Fitch_%28racing_driver%29 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Fwd: Re: Why OpenPGP is not wanted - stupid is in vogue right now
Sorry, I sent it privately by mistake... Original Message Subject: Re: Why OpenPGP is not wanted - stupid is in vogue right now Date: Mon, 10 Jun 2013 06:59:59 -0400 From: Jean-David Beyer Organization: Institute for Regimented Whimsey To: Johan Wevers On 06/10/2013 06:40 AM, Johan Wevers wrote: > On 10-06-2013 10:46, Henry Hertz Hobbit wrote: > >> Nobody but me uses my signatures on the stuff I >> deliver. It isn't because my keys aren't part of the WOT. It >> is because for what ever reason they want to complain like mad >> about Prism but then go to Facebook and broadcast their personal >> lives to the entire world. I was just at a discussion of this by people wringing their hands, helpless as deer staring at the headlights of moving automobiles. But they absolutely will not consider sending and receiving encrypted e-mail for their communications. In fact, most no longer use e-mail, but Facebook, Twitter, and so on. They protest that encryption is too technical and complicated, but never actually learned anything about it (and I do not even mean that they do not know how encryption works, what public key encryption is). They do not know that enigmail is a simple to use add-on to Thunderbird because they do not use Thunderbird, but some web-browser interface to Google or something like that. They do not complain that automobiles and television sets are too technical. That microwave ovens and their cell phones are too technical. So they run around like chickens with their heads cut off, but refuse to do anything about it. > > Privacy has much more to do with encryption than with signing. On the > contrary, when I sign a message it is much easier to prove, or at the > very least make it probable, that I wrote it, thus reducing my privacy. My correspondents hate it when I even sign something because they think the signature is some kind of error message that they do not understand, and they ignore stuff they do not understand (like messages to update their virus scanner, etc.). > > When I want privacy from government agencies I would use encryption for > sensitive or 1 to 1 messages. Signing will not help, when some 3-letter > agancy starts sending messages in my name that is easily detected by me. When I want privacy, I wring my hands in despair because only one person I know even has a copy of gnupg and runs an enigmail interface to it. Very few use Linux. And as far as I know, he uses it only because it is interesting technically, and when he gets bored with it, because I am the only one he knows who has the capability of using it, he will probably stop using it too. So when I want privacy, I cannot use it anyway because none of my correspondents will use it. And even if they did, they would decrypt what I said, and then forward it clear text to others. So in my view it is useless except in very small communities of committed users, and I am in no such community. > > For email this is easy, I'm now figuring out how to set up myn own > encrypted VOIP server for secure phone conversations within a group. > This proves much more complicated, most private VOIP services either > don't support encryption, support it in an unsafe way (unencrypted key > exchange, who the ^$*#E%#%& invented that?) or assume you're using fixed > phones instead of mobiles over 3G. > ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg: WARNING: unsafe ownership on homedir
On 06/04/2013 03:22 PM, ira.kirsch...@sungard.com wrote: > I am running on Red Hat Linux 6.4.6 What release is that? I have support from Red Hat that is up to date as of today, and it claims to be: $ cat /etc/redhat-release Red Hat Enterprise Linux Server release 6.4 (Santiago) Nothing about a third level of releases. It is running this kernel: vmlinuz-2.6.32-358.6.2.el6.x86_64 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [OT] Why are you using the GPG / PGP keys?
On 05/28/2013 03:28 PM, Werner Koch wrote: > On Tue, 28 May 2013 18:17, forlasa...@gmail.com said: > >> crazy and doesn't function correctly, the house is half wood and half >> brick, and/Jack forgot to put locks on the doors./ > > Well, the mailbox at my door has no lock either and it suffers from the > spam problem too. The solution is not to remove the mailbox and do > without snail mail. Instead I sort spam out and almost all useful or > important mail arrives just fine; well as long as such mail comes in a > nice and ads free envelope with a real stamp on it. I demand a return address on it as well, including the name of the sender. Lacking that, I assume they are ashamed of themselves and are afraid I would not open it if I knew who it was from. So I do not open them. Return addresses like Suite 12345 123 Frammis Avenue Washington, D.C. 98765 go into the trash too. No name, no open. Of course, some senders also go straight into the trash, too. This would not be as useful with e-mail, since I can put any address I want into the From: field. Of course, people could do that with their envelopes, too, but they seem to do it less often. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [OT] Why are you using the GPG / PGP keys?
On 05/26/2013 06:50 AM, Zece Anonimescu wrote: > Zece Anonimescu: >> Robert J. Hansen: >>> Email is dying and has been for years. Ask a college student today[...] >> >> I don't like the mass media estimates: the next big thing, the yesterday >> thing, the dying thing. I thought for a good ten minutes and I could not >> find ONE single thing that was how predicted. > > According to Technology Review [1] some 154 billion emails are sent each > day. So much for a dying technology. I rest my case. > Last I heard, and it seems to me to be true, something like 95% of e-mails are spam. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg for pseudonymous users [was: Re: gpg for anonymous users - Alternative to the web of trust?]
On 04/06/2013 01:10 PM, Ryan Sawhill wrote: > I wouldn't have to work at Red Hat to find your imagining of all this > hilarious. No offense meant. I am not offended; just ignorant of some of the details of this. > > What makes the most sense: that all packages are built on a handful of > central build servers (individual maintainers building packages? > seriously?) on a private network and that as part of that automated > build process, the packages are signed. And then of course yes, some > sort of manual process to push packages out to publicly-accessible > servers for customers. I guess we agree here. Perhaps not on the details. So that part must not be hilarious, is it? > > Also, for the record, you're wrong about "with extremely few exceptions, > they do not do enhancements: those are delayed until the next major > release up to 18 months later". Most packages will stay at the same > upstream version for the life of a RHEL major release, Right. > but > feature-enhancements still happen all the time with minor releases > (every 6 months) and sometimes even sooner. Well, the bug and security fixes can come out several times a day (though that is not usual), and new RHEL kernels seem to be coming out every month or so these days. But those are bug fixes and security fixes. When I read their release notes on those things, they do not describe enhancements on the kernel. Similarly for things like postgresql, they may backport bug fixes but they do not put in enhancements as far as I can tell. Perhaps they enhanced Firefox, but that is not the usual thing. I notice no enhancements for GnuCash that is quite a ways behind what other distributions are using. They try to keep up with Java, but that is to hope to keep up with the security failures in that. >(Also, new major releases > don't happen every 18 months.) > I know major releases do not happen exactly every 18 month. IIRC, they said that was their goal. I know it was over two years for one of them to come out. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg for pseudonymous users [was: Re: gpg for anonymous users - Alternative to the web of trust?]
On 04/05/2013 04:27 PM, Peter Lebbing wrote: > I have no idea how Red Hat does this, but it seems unlikely to me. It's > not connected to the internet, but signs the whole repository, and each > individual security update etcetera. Is there a guy who keeps going back > and forth with a USB stick between this terminal and another? I do not know how they do it either. I assumed that each major release, that for Red Hat occurs only about every 18 months, they do sign each and every file in the repository. They probably have an automatic way to do that. And then someone sneakernets it over to the Internet-connected machines that do the downloads to the customers. For updates, I assume they do that to each file that has been touched and carry them over to the Internet-connected servers in a batch, say once a day. But maybe they resign and carry over everything in the repository to save the trouble of figuring out which have been touched and which have not. The whole release fits on one DVD. Recall that for Red Hat Enterprise Linux, with extremely few exceptions, they do not do enhancements: those are delayed until the next major release up to 18 months later. They only do bug and security fixes (and that time-zone file change). So once a day (or whenever the regression testing is completed successfully) some clerk can do the carry over at some time, presumably late at night. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg for pseudonymous users [was: Re: gpg for anonymous users - Alternative to the web of trust?]
On 04/05/2013 11:39 AM, Stan Tobias wrote: > The problem we're trying to solve here is how to ascertain originality > of a software development line, IOW how to authenticate it. What I do is get my OS (a Linux distribution from Red Hat) on a DVD directly from them. It contains, along with everything else, their public key that I do not validate by any other means; I assume that it is authentic. And they sign all the software they download to me from their site. So unless a man in the middle, working for the Post Office or UPS or FedEx (I forget which) substitutes DVDs ... . But as long as Mr. Red and Ms. Hat can be trusted, I do not care if they are the two individuals, a corporation, or what. SO * I am not protected from any black hats subversively working for Red Hat. * I am not protected if their site is highjacked by black hats until they discover it and correct it. But unless they also hijack the computer not connected to the Internet (see below), this will not be enough. * I am not protected if the DNS is damaged somewhere and when my update software tries to get updates from Red Hat, some other site that has Red Hat's private key signs whatever they choose to download to my machine. I suppose bribery or physical violence might get that key faster than exhaustive search... . Probably the software Red Hat supplies is kept on a machine that is not on the Internet and it is all signed on that machine. At which point, the signed software is placed on an Internet-connected machine for downloading (seems like a good idea to me). ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How insecure is using /dev/random for entropy generation?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 03/30/2013 10:46 PM, Hauke Laging wrote: [snip] > gpg uses /dev/random. That's why key generation usually blocks due > to lack of entropy if you do it right and boot a secure medium for > key generation. > > The kernel fills /dev/random from e.g. key strokes, disk accesses, > and (if available and configured) internal CPU state (havaged) or a > real hardware number generator. The kernel should take care that > the entropy in /dev/random is "perfect". > > The amount of available entropy can be seen in > /proc/sys/kernel/random/entropy_avail I run RHEL 6. Last reboot (had to run Windows for a little while) was a little over 6 days ago. I tried that and got: $ cat /proc/sys/kernel/random/entropy_avail 1849 Is that a lot or a little? -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.14 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJRWA/9AAoJEBZthAoMYQyLK2IH/23tmS71RlUq1zlmQozvL4Mn 8N0Wbfj3uLuIOPOt9il0oApkdmZsOseZtp6XsF0OxtMHjuOdU9d83cKb+jzZE8Ee oeno2/eRH09z/xIigUA7bYcS14gYq/WFV18Jnk6eez2BeAK8UsVva6GBI2aFi6QX jphnprCdCfe/52yA9iS89S3zPrtShIMQnW3gL6iZr+bTiGjloEFGVpZv8rc4eAwv aW76WOSck38E9L+mE1OeQ1eHEVWz68sbWQEjN3evOdPT1MvlgSBwvCLBTCJF2LPQ y58tPHgkb3T1/k/K/sIasehniS3GdF+PAsbhDO5oZ5BJU2AUvJZR+gpisXQ/9L8= =hKVy -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: passing information among several users
On 01/21/2013 11:56 AM, Rita wrote:
> Hello,
>
>
> Here is what I am trying to do in my environment.
>
>
> I have 6 users: maseruser and user{A,B,C,D,E}
>
> Masteruser will be generating data and I would like userA and userC be
> able to decypt the data and others not to. However, in the future I
> would like to add userE to decrypt the data and remove userA (any old
> data she has is fine). I was wondering how I can achieve this using gpg
>
Sure you can do this.
Or do you want to know how?
1.) get gnupg software. http://gnupg.org/
Install it, generate your keys and your revocation certificate (you
never know when you will need ont.
2.) Upload your public key to a keyserver.
3, Have A, and C do the same.
3a.) If you want to anytime, have B and D do it too.
4.) When you want to send data get the public keys for A and C.
5.) Encrypt these data with the public the public keys of A and C.
Am I missing something?
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: how vulnerable is "hidden-encrypt-to"
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hauke Laging wrote: > Am Fr 17.08.2012, 21:05:32 schrieb auto15963931: > >> In the example >> of yours it appears as though the message was encrypted to two different >> keys, one of which was hidden and the other not. Is that right? > > That is right. --hidden-encrypt-to needs other recipients. But you may use > ‑‑throw-keyids or --hidden-recipient instead. > > >> Incidentally, when I looked at your reply and noticed it was signed, I >> tried verifying the signature. > >> Why is the signature failing? Thanks. > > That's a bug in my MUA which is triggered by the email being encoded as ascii: > > https://bugs.kde.org/show_bug.cgi?id=305171 > > This bug (or rather: problem) has been discovered here on the list – it > occurs > almost only in English emails. I have added a non-ASCII char to my text > signature thus forcing a charset different from ascii. Thus the signature of > this email should be OK. Hey! OpenPGP Security Info UNTRUSTED Good signature from Hauke Laging Key ID: 0x3A403251 / Signed on: 08/17/2012 10:24 PM Key fingerprint: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:3EDBB65E 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 23:10:01 up 30 days, 3:11, 3 users, load average: 4.42, 4.42, 4.43 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org/ iD8DBQFQLwgZPtu2XpovyZoRAiU2AKDVSMsLyT5eg5DfPYLsyFAnpgQP6gCfaHlK dYa2u4OhhM8+1yLfPtM7z48= =ylCp -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ideal.dll
l I can say is ... nothing, really. I used to be > able to get a lot of outrage summoned up over this subject, but now I've > been reduced to making faint whimpering noises. A new scientific truth does not triumph by convincing opponents and making them see the light, but rather because its opponents eventually die, and a new generation grows up that is familiar with it. -- Max Planck -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:3EDBB65E 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 14:10:01 up 13 days, 24 min, 3 users, load average: 4.28, 4.34, 4.24 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Some people say longer keys are silly. I think they should be supported by gpg.
MFPA wrote: > Hi > > > On Monday 28 May 2012 at 3:12:24 AM, in > , Robert J. Hansen wrote: > > >> The problem isn't the fraction of the population. The >> problem is command and control. > > That will always be a problem if the planting is uncoordinated. > > As a thought experiment, what happens when all the "real" protesters > have gone on to something else and plants from various agencies make > up 100%? > > My mother once told me that it was easy in the late 1930s and 1940s for Communist Party members to identify the FBI informants. The informants were the only ones who paid their dues. Real communists could not afford it. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 17:40:01 up 1 day, 2:00, 4 users, load average: 1.26, 1.36, 1.35 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: There may be more to security than password length, or even its complexity.
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mustrum wrote: > Http://xkcd.com/538 > > :-) I like that. It may be my passphrase is too long. I want it easier for the black hats to crack my stuff than for them to torture my passphrase out of me. I recently tested a (retired) password to my computer out on a couple of web sites that told my how hard it would be to crack it. One of them said more than 10 million years. I guess that one is good enough, though my current ones have two more characters. Maybe I should shorten them. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 20:45:01 up 33 days, 14:22, 3 users, load average: 4.61, 4.57, 4.54 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org/ iD8DBQFPvYVKPtu2XpovyZoRAhhLAKDBF0JRi2IErOHUIeIWiRh/f1e6/wCfSehd 4VK5VllC9uXNHKz33TSlowc= =82DQ -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
There may be more to security than password length, or even its complexity.
http://2.bp.blogspot.com/-v15Nbl_zG7s/T6BFiQoGDEI/AHs/U5eU7O6MG3o/s1600/security-fail.jpg -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 07:40:01 up 33 days, 1:17, 3 users, load average: 4.45, 4.52, 4.64 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: PGP/MIME use (was Re: META)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Remco Rijnders wrote: > I appreciate signed mails on this list (and any other lists). Most > problems these days on the internet are, in my opinion, related to > people being completely anonymous. If you stand behind your words, > show so by signing your posts. > OK. I stand behind this post. But other than amusing myself, does it really make any difference? - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 14:05:01 up 20 days, 21:31, 3 users, load average: 4.52, 4.76, 4.84 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org/ iD8DBQFPKDwqPtu2XpovyZoRAlfyAJ4k3TxXHBy8hSHorl6xowjoUl9vrwCbBuUr ZU51SVdnmQg12VS77wVOpcc= =7Cba -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: PGP/MIME use (was Re: META)
Jerry wrote: > I totally agree. I have never seen or heard any logical excuse for the > signing of list traffic. I almost never sign anything unless I suspect the destination can at least ignore the signature. The people with whom I send e-mail (a diminishing population because most have moved to texting on cell phones, or twitter or Facebook) have no interest in security, though they sometimes act in a paranoid fashion about eavesdropping. But they refuse to do anything about it. They cannot deal with MIME signatures (at least those still using AOL), and cannot ignore them either. They hate the inline signatures too. When I do sign, it is just to draw attention to the fact I have a public key and can accept signed and encrypted e-mail. And so far, other than complaints about extraneous text in my emails, that is about it. I really get no use from it. So signing to this list, and an occasional test that my stuff is still working is the only use I get from gnupg and enigmail. The stuff I would really prefer to send encrypted I cannot send that way because those to whom I would send it could not read it (they have no software and no public keys). And if they could, they would probably save it in clear text somewhere, forward it, or whatnot. I think PGP and gnupg are really great ideas, whose time has not yet come. And by the time people realize its usefulness, the snooping community will have made it impossible to use it anymore. People sending encrypted e-mail will be disappeared. The time for that has not yet come. I hope it is postponed until after I can no longer use a computer. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 13:45:01 up 20 days, 21:11, 3 users, load average: 4.78, 4.89, 4.99 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: STEED - Usable end-to-end encryption
d...@geer.org wrote: >> With respect to your question: what we offer is privacy, but most >> people do not understand privacy, do not care about privacy, and >> would not care about privacy even if they understood it. >> [snip] > > You got that right, Brother. > > To be more pointed, how many folks on this list carry a cell phone? > > --dan > I carry one about half the time, but it is usually powered off unless I am expecting a call, or when I need to make one. Also about once every other month to use the GPS navigation feature. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 09:10:01 up 4 days, 18:16, 3 users, load average: 4.84, 5.14, 5.11 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: STEED - Usable end-to-end encryption
Matthias-Christian Ott wrote: > > What about making everyone their own provider? The efforts in this > direction intiated by Eben Moglen that lead to the FreedomBox and other > projects seem to go in the right direction. It doesn't seem to me less > realistic than requiring cooperation from providers. > I was my own provider for many years, and that was easy enough. I got a static IP address from my ISP for $10/month and ran sendmail as my MTA. I used mutt am MUA. But when I switched to Verizon as ISP in order to get FiOS, they wanted $150/month for a static IP address and an additional fee (I forget what it was) to be allowed to run sendmail as a server. Verizon is a great ISP 8-( They discontinued Usenet, so I have to pay a fee to another provider to use Usenet. They did not reduce their fees when the reduced the level of service. Greed and Profit before Service: it is the American way. 8-( -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 10:05:01 up 19:11, 4 users, load average: 4.93, 4.98, 5.11 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: The problem is "motivational"
Robert J. Hansen wrote: > On 10/20/11 11:34 AM, M.R. wrote: >> I propose this way of thinking is counterproductive. It will not >> succeed in any meaningful way, because "encryption by default" >> is a completely unrealistic goal... > > "Only he who attempts the absurd is capable of achieving the > impossible." -- Miguel de Unamuno > > "He who says a thing cannot be done is expressly forbidden from > interfering with one who is doing it." -- Anonymous "The Reasonable man adapts himself to the world. "The Unreasonable one persists in trying to adapt the world to himself. "Therefore all progress depends on the unreasonable man. George Bernard Shaw. > > > I'm sympathetic to your position. I think it's an impossible goal and > one that will never be realized. That said, I also think it's possible > I may be mistaken, and for that reason I'm not going to attempt to > persuade smart people to stop attempting the absurd. > > By all means, you should direct your energies to where you feel they can > do the most good -- but we should also respect their decisions about > where they feel their energies can do the most good. :) > -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 12:05:01 up 13 days, 20:38, 4 users, load average: 4.49, 4.55, 4.51 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Useful factoid
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Robert J. Hansen wrote: > On 10/11/2011 05:14 PM, Jean-David Beyer wrote: >> Let us assume you are the bad guy > > Okay. > >> Unless you have my encrypted keys, you have to access my computer >> (unless you have already stolen it, in which case there are much >> easier ways to invade the machine), you will have to try logging in >> through the Internet (in the case of my machine), and the first >> thing you will hit is the login program. > > Hold on a second there. You seem to be making some extremely > unwarranted assumptions. Quite possibly. And unwarranted assumptions are especially pernicious because those are typically those I am unaware of making. I am not a security expert anymore. I really was never a security expert, though I was once put in charge of security for 10 VAX machines running UNIX, but this was around 30 years ago almost before the Internet. Some of us were using uucp on dialup, but that was about it. In those days it was almost impossible to get the users to use passwords on their accounts. > > If I want your secret key material, I'm not going to steal your > computer. I'm going to use an exploit to bypass your login, plant a > Trojaned version of GnuPG, and laugh all the way to the bank. I realize if you stole my computer that I would notice it. If you broke into my house skillfully enough that I did not notice it, you could install a key logger, or copy my hard drives, steal my backup tapes, ... . But you could also remove all protections by getting in as the root user (on UNIX-Linux). And I might not notice that. The trick is to do that from the Internet. I have some safeguards to protect me, and they may protect me from amateurs, but an expert might be able to defeat me. It seems to me that to do much damage to my machine, you need to get a shell with root access. And to do that, do you not pretty much need the root password? Or hijack a program that is currently running with the root privileges? I never run a web browser as root. But there are demons that run and some have root privileges. Such as the download mechanism to download updates from Red Hat. My nameserver does not run as root. I do not run telnet. ssh will talk only to specified IP addresses on my LAN. My firewall will not accept messages from outside unless in reply to something I sent out, so I believe it would take a man-in-the-middle attack to get past that unless the firewall is defective. I actually have two firewalls; a primitive one in the router that comes with Verizon's FiOS service, and another one using iptables. These, too, could have bugs, especially if I made a mistake in programming the iptables firewall. > > Modern-day operating systems are frightening -- terrifyingly -- > insecure. A while ago Vint Cerf estimated that about one desktop PC > in five was already pwn3d. That's a number that keeps me awake at > night. > At one extreme, the only way to be pretty safe is to have a machine that is not connected to the Internet, and have U.S.Marines to guard the hardware and access to it. I do not choose to defend myself against threats that would reasonably require that. I want my security to be weak enough that the black hats would not resort to torture to get the information they want. The friends of mine that even know what computer security might mean do not even encrypt their e-mails, though they worry about it's being intercepted. Friends complain if I digitally sign my e-mails. I assume if they could accept encrypted e-mails, that they would save them in clear form on their machines anyway. So maybe I am kidding myself. I do not think my machine has been taken over. For one thing, I can pretty much see the Internet traffic from it, and when I am not doing anything, not much goes down the Internet. A friend whose machine was hacked (Windows ME) had lots of Internet traffic and the machine got impossibly slow. The hard drives never stopped clicking. I do not have that, though the hard drives on this machine do not click, but the Xosview program shows that when nothing is going on, nothing except BOINC programs run. The demons do, but they do not use any processor time. If I ran this machine as a server, my problems would surely be worse. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 08:50:01 up 6 days, 17:23, 4 users, load average: 5.14, 4.93, 4.94 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org/ iD8DBQFOlu/MPtu2XpovyZoRArvUAKC022RLKvUmsbM1XD5shR+xrB06kQCdEDE+ gx/6aDndO7obVhfgZVEMk6o= =yjMn -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Useful factoid
Robert J. Hansen wrote: > Accurate to 6%, there are 2**25 seconds in a year. Worth remembering: > it makes certain kinds of computations much easier. (It follows there > would be about 2**35 seconds in a thousand years, or 2**45 seconds in a > million.) > > E.g., let's say you want to brute-force an 64-bit key on a CPU that can > do a million (2**20) attempts per second. This requires, on average, > 2**63 attempts. 2**63 / 2**20 = 2**43 seconds: 2**43 / 2**45 = 2**-2 = > a quarter of a million years. Let us assume you are the bad guy and have computing power that can do an arbitrarily large number of key attempts per second. Unless you have my encrypted keys, you have to access my computer (unless you have already stolen it, in which case there are much easier ways to invade the machine), you will have to try logging in through the Internet (in the case of my machine), and the first thing you will hit is the login program. This can probably handle only a few attempts per second, and if I were serious about security, I would have it double the time to reply each time it got a failed login on that connection. In the days of dialup, I would have the machine hang up on the connection with too many failed login attempts. Of course, if you could get into my machine and login as the only user with access to my encrypted password file, you could copy that file to your high speed facility and crack it at your leisure. But if you could do that, you could already do anything you wanted with my machine -- install trojan horse keyloggers, defeat the security in the login program, etc. > > I don't know why it took me so long to notice that: seems like the sort > of thing I should've noticed a decade ago. It makes certain kinds of > computations so much easier. > > Anyway, figured I'd throw it out on the off chance there were others who > hadn't noticed it. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 17:05:02 up 5 days, 1:38, 4 users, load average: 4.73, 4.76, 4.82 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why revoke a key?
David Tomaschik wrote (in part): > If you value your OpenPGP key, I would not trust it to 24 bits of > entropy. My off-card backup of my key is protected by a 32-character > passphrase that I believe to be highly resistant to dictionary > attack (and contains sufficient special characters that I believe its > entropy to be close to the optimal 6.5 bits per symbol). But perhaps > I'm delusional. > I do not know about delusional. But in a sense, was it not unwise to tell me your passphrase length? I will now set up my hypothetical exhaustive search cracker not to bother with passphrases less than 32 characters or longer than 32 characters. This reduces the size of the search space I must examine. Of coarse, the shorter ones can be tested faster than the longer ones. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 09:35:01 up 4 days, 18:08, 4 users, load average: 5.13, 5.25, 5.22 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: An Invitation to Neuroscientists and Physicists: Singapore Citizen Mr. Teo En Ming (Zhang Enming) Reports First Hand Account of Mind Intrusion and Mind Reading
Andre Amorim wrote: > It's Called INCEPTION ! > I thought it was callee SPAM ! If I thought the O.P. would even read this, I might suggest he resume his medication. If I believed he was not schizophrenic, I would refer him to this web site: http://www.biomindsuperpowers.com/Pages/intro.html Ingo Swann, whose site it is, is not a kook nor is he a nut. He has been closely involved in scientific investigations of what are usually called psychic phenomena since the early 1970s, if not before. Many of these studies were done at Stanford Research Institute, under the sponsorship of various 3-letter agencies. Studying that web site (there are hundreds of pages) would show that "psychic" phenomena have been known since at least 400 B.C.E., and have been scientifically investigated since about 1875, or a little earlier, by quite reputable scientists. Mind reading, better known as telepathy has been shown statistically significant, as have remote viewing, and related phenomena. There are dozens of books on these subjects by people, some of whom worked in this area for the U.S.Military. If the O.P. is serious, he could do some research on this on the Internet. But encryption, such as by using gpg, will not be a defense from "attacks" of this kind. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 17:50:01 up 31 days, 21:08, 3 users, load average: 5.10, 4.95, 4.87 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Best practice for periodic key change?
Jerome Baum wrote: > On Sat, May 7, 2011 at 15:54, MFPA <mailto:expires2...@ymail.com>> wrote: > > (snip huge email) > > > Next time can you read the whole email and reply to it as a whole? > > As for signature checking, I stand by my point: Over here, signing a > document today and claiming on the signature that it was signed tomorrow > is going to be an offense (if there is a loss to a third party, of > course -- a lie isn't fraud until there is damage). > > The post-dated cheque doesn't say "I signed this in the future", but > "only accept this from that point in the future". That's a big > difference. As for the clerk, he's an idiot and probably liable for > accepting it. It's not my problem if people don't check the signature > timestamp, I can only do my part on making the date accurate -- plus > maybe educating my recipient on checking the timestamp. > When I was on a grand jury, the prosecutor said that while the words of the law made it illegal to write a post dated check (in this state), that they did not prosecute for this unless there was intent to commit a fraud, and that is difficult to prove. A friend who worked at a bank said they never looked at the dates, but cashed them when presented unless there were insufficient funds to honor them. So there is no use in writing a post dated check unless the person to whom it is presented holds on to it until the date. As treasurer of a tax deductible organization, I use the date on the check as the date of the donation except sometimes I do not. I do not when it is dated something late in December, but postmarked mid January or later. In that case, I use the postmark date. So people writing pre-dated or post-date checks are wasting their time. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 13:10:01 up 21 days, 16:28, 3 users, load average: 4.57, 4.78, 5.01 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OFF LIST - Your signed posts.
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mike Acker wrote: > thanks for the note > > i have PGP/MIME set ON so this should not happen (and HTML has to be MIMEd ) > > from your note it sounds like Thunderbird is sending BOTH .txt and .html > formats. I would expect your e/mail client to selecvt one of these -- > and either should verify -- which would mean the message has to carry > two signatures > > we might see if anyone on the list has any info on this... > > -- > /MIKE > > > > > ___ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users The only info I have, is this: Error - signature verification failed; click on 'Details' button for more information I am running Thunderbird 2.0.0.24 on Linux. It did come with this attachment that looks like a signature. -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.17 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iF4EAREIAAYFAk25h+8ACgkQS/NNXDZDAccnJAD/Qeck95CG/1feZrnEILzWIMRt kbHn0zSl6mP5lyxW1ZoBAI8/ptcE0jXNH7lRCpnAmLoBXhKj4K0PnNdmBmbYpFqg =TcLe -END PGP SIGNATURE- - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 11:50:01 up 12 days, 15:08, 3 users, load average: 4.66, 4.94, 4.84 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org/ iD8DBQFNuY3aPtu2XpovyZoRAmSBAKDBWkzI/54lgqBfKqIw/5QcipJhUgCeOER3 v3qKKYENi9B0EbC4REJaeQQ= =8HS6 -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Keylogers
Mike Acker wrote (in part): > this is the only way to certify a system: a running system cannot be > used to certify itself. for those who don't understand this an old and > common malware trick is to replace the directory list program. when the > system owner types dir c:\windows\*.* the modified dir list program > simply fails to report the presence of the malware programs, instead > adding the space taken by the malware back into the reported > free-space. the original dir program is hidden someplace on the c: > drive and then reported on the dir list with its orignal directory > info. if you dump the program out you get this back-up copy; but when > you run it -- the bad copy runs. the system-- has had a bug purposely > installed,-- one with produces INCOROUT (incorrect output) ,-- it has > been "pwn3d". > I run Linux and I used to run the tripwire program to certify what ran on it. What it actually did was assume at some point that all your programs were valid, and compute some checksums of each one. Whenever you ran the test, it would make sure the checksums were still valid. http://sourceforge.net/projects/tripwire/ There were some serious problems, it seemed to me, with this. First of all, I would have to install everything from the distribution disks onto a blank machine, and trust the vendor to supply safe software. I thought Red Hat pretty good in this respect, but could not prove it. Trouble is that tripwire did not come with the distributions at that time, so I had to go on line to get it, and that would run the risk of getting my machine infected while I was on line. The second problem is that there are a lot of updates that come down as the system ages, and they all fail the tripwire testing. And how do I know that the downloaded updates are correct? These days, the updates come with checksums and sometimes have digital signatures, so they may be OK. But for every update, I have to reset the signature database, and that got to be so much trouble that I have not used tripwire in several years. There is SELINUX on my machine, but I have never enabled it. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 09:20:01 up 12 days, 12:38, 3 users, load average: 5.00, 4.67, 4.68 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: A better way to think about passwords
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 MFPA wrote: > Hi > > > On Thursday 21 April 2011 at 2:20:51 PM, in > , Jean-David Beyer wrote: > > >> I do not think it is entirely not wanting to be >> educated. But if the education takes several hours a >> week to keep up with and to administer my own >> responsibilities in the process( generating new >> passwords, and different ones on a frequent basis, >> finding some way to remember them other than writing >> them on a post-it note on a monitor, keeping up with >> password rules (Must have letters in both cases, >> special characters, digits, at least some length, not >> to exceed some other length, not a simple permutation >> of the last few used on this system, etc. But some >> require some or all of these. Some allow only letters >> and digits, and so on. Who can keep up?), then >> management would have to budget the time so I could do >> it, and they will not. There has to be a better way, >> and I do not know what it is. > > > Your employee ID card acting as a hardware ID token, Our ID cards were good enough for military security in the late 1950s. They had no magnetic stripe, no machine readable bar codes, no nothing. Later they got Polaroid cards that had color pictures of us on them. Still nothing machine readable. > a single > passphrase to log onto your workstation, No workstations in those days. ASR-33 teletypes that you did not log into. Later some electronic junk remote terminals by Teletype Corp. Remember that we were still using punched cards in those days for most work. Only the far-out people got to use dumb terminals, such as ADM-3. It was the computer at the other end, typically a cobbled up version of System/360 TSS for some systems, UNIX for other systems, GECOS for the GE 635s, all different. Some times we had to log into what would now be called a LAN in the building where the server might be first, then dial the number of the server on that LAN, then log into that server. > and the administrators of > each app taking care of which staff are allowed to use their system. > No further passwords/usernames are necessary, just a short timeout > feature to lock the workstation if the employee is stupid enough to > leave their ID card inserted when they leave their desk. > Oh! Yes. Once I got stuck implementing security on a bunch of UNIX servers on a battery of PDP-11/70s and Vaxes. I made it necessary for each user to assign himself a password. I gave them 30 days and cut off those who had not done it. I almost got lynched. I also put slowdowns in the login program. If you got the password wrong, it waited a second before you could try again. If you failed a second time, I doubled it, etc. When it got up to a minute, I had it hang up on them. People then got to leaving their terminals logged in, so I put a timer in there and if they did no input for an hour, I logged them out. They hated that too. That was not enough. Some @$$holes would wander around and change passwords of people who deserted their terminals. I got so many people mad at me that I was relieved of my responsibility for that, thank goodness. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 20:45:01 up 6 days, 3 min, 4 users, load average: 5.48, 5.18, 5.01 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org/ iD8DBQFNsNLQPtu2XpovyZoRAl64AJ9rzq5xlXPIn1/8/XCL/WLh2+UcTQCeMUmd bRYiBGvBPYYG7IxdhW2R3XI= =pw5h -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: A better way to think about passwords
Robert J. Hansen wrote: >> In short: don't force a particular strategy on your users. Much >> better to explain to users the general problem, and then leave it >> up to them to pick a password. > > Historically speaking, this has shown not to work. I'll try to dig > up the HCI references if people really want, but the gist of it is > people don't want to have to learn and understand: they just want to > get their work done. The instant you make compliance voluntary and > education-based, the vast majority of users say "meh" and choose > "password" as their login credential. Way back when (1970s, I guess) we had a computer where I worked that was networked to another one many miles away that acted as a server. We used punched cards in those days. Passwords were up to 6 6-bit characters. To run a job, you put a job card ahead of the stuff you wanted to run. We had a whole box of those gang-punched and you took one and used it for your job. The password was PASSWD. Some security. 8-( Later I had to use multiple machines, and some I could log into with a Teletype or similar communication device. Each had a different rule for acceptable passwords. So there was no way I could use the same password on all the machines. Now I now know that it is not a good idea to do that in any case, but we were not supposed to write down our passwords. And some required changing the password every month, so there was no way to remember them all in any case. Even if I could remember them, I could not even remember what login to use on each machine, and which password went with which login so I did write them down and to hell with the management rules. > > The belief that security problems can be solved by educating users is > a common one: it is also a deluded one. It handwaves the very > serious problem of most users not wanting to be educated and being > actively hostile to it. "Why do I have to learn all this > propellerheaded geek stuff? I just want to get my work done!" > I do not think it is entirely not wanting to be educated. But if the education takes several hours a week to keep up with and to administer my own responsibilities in the process( generating new passwords, and different ones on a frequent basis, finding some way to remember them other than writing them on a post-it note on a monitor, keeping up with password rules (Must have letters in both cases, special characters, digits, at least some length, not to exceed some other length, not a simple permutation of the last few used on this system, etc. But some require some or all of these. Some allow only letters and digits, and so on. Who can keep up?), then management would have to budget the time so I could do it, and they will not. There has to be a better way, and I do not know what it is. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 09:10:01 up 5 days, 12:28, 3 users, load average: 5.32, 4.95, 4.88 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Deniability [SIC]
Jerry wrote: > On Sun, 3 Apr 2011 11:48:13 +0100 > MFPA articulated: > >> Isn't it a fairly standard maxim that "ignorance of the law is no >> defence?" > > http://en.wikipedia.org/wiki/Ignorantia_juris_non_excusat > > > > Ignorantia juris non excusat or ignorantia legis neminem excusat (Latin > for "ignorance of the law does not excuse" or "ignorance of the law > excuses no one") is a legal principle holding that a person who is > unaware of a law may not escape liability for violating that law merely > because he or she was unaware of its content. In the United States, > exceptions to this general rule are found in cases such as Lambert v. > California (knowledge of city ordinances) and Cheek v. United States > (willfulness requirement in U.S. federal tax crimes). > > > > See also: > > http://en.wikipedia.org/wiki/Plausible_deniability > If I remember correctly, the U.S.Criminal Code is a set of volumes that takes about 4 to 5 feet of shelf space at my public library. This probably does not include the collection of Federal Regulations. It is my understanding that for most bills passed by congress, the congressmen and senators never even read the bills, though they sometimes read the summaries prepared by their assistants. One time I got a copy of a bill because I was urged to oppose it. The bill was illegible because it was the form of a set of amendments to the existing law. So there was page after page of stuff of the form change Page xxx, line yy, change will do to will not do So it is useless to even read that without running it through some kind of text processor to do all those changes. My view is the dolts in congress do not even know what they are voting for or against. Then there are state and municipal laws and regulations. While ignorance may be no excuse, there is now way to be informed either. The turkeys that pass the laws do not even know that, and there is no way we could keep up even if we tried. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 20:05:01 up 31 days, 4:06, 3 users, load average: 5.14, 4.84, 4.74 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: "This key may be unsafe"
Grant Olson wrote: > Here's a case where the difference between < and <= is HUGE. > > gnupg 1.4 only switched the defaults from 1024 DSA/ElGamal to 2048 > RSA/RSA in 1.4.10, which isn't even two years old. I still see plenty > of boxes in the wild that only have 1.4.9, and not just those ones that > are old and creaky and people are afraid to reboot for fear of an actual > hardware failure. > > Like you said, I would avoid creating one that size now, but even just a > year-and-a-half ago, your mantra of "use the defaults unless you know > what you're doing" would have resulted in 1024 bit keys for most users. > > Meanwhile, warning about keys < 1024 bit would be a little more > practical, at least until ECC hits the standard. > I run Red Hat Enterprise Linux 5.6 (the latest of the RHEL5 series) and they are only up to gnupg-1.4.5-14.el5_5.1, They will probably not move up until RHEL 6 (that I believe has just recently come out). It looks as though that one is: gnupg2-2.0.14-4.el6.i686 (for my 32-bit machines); unless I am confused. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 21:50:01 up 4 days, 6:51, 3 users, load average: 4.73, 4.72, 4.92 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: PGP/MIME considered harmful for mobile
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Faramir wrote: > El 27-02-2011 15:30, Martin Gollowitzer escribió: >> * David Tomaschik [110227 19:22]: >>> How about "inline confuses users who don't know anything about OpenPGP"? >> 100% agreed. Thank you! > >IMHO they would be even more confused if they can read the message. > And some others see the attached signatures and think "Virus! Hit > delete, hit delete!". > >Best Regards If someone sees my inline signature and thinks Virus..., let them. If it were a virus, by the time they saw that it would be too late, would it not? - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 18:50:01 up 40 days, 3:25, 3 users, load average: 4.69, 4.82, 4.75 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org/ iD8DBQFNauRHPtu2XpovyZoRAtJiAJ9dO+uuWXq+1BnBdgLpH0dhjF8IpwCZAQl5 0jDGfUbfhOm0qdFPzd708tY= =O0EK -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: how slow are 4Kbit RSA keys? [was: Re: multiple keys vs multiple identities]
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 David Smith wrote: > Daniel Kahn Gillmor wrote: >> On 09/24/2010 09:54 AM, David Shaw wrote: >>> It won't work with the current generation of OpenPGP smartcards. >>> It also will be dreadfully slow if you (or someone you are >>> communicating with) ever uses the key on a small machine (think >>> smart phone). If you are usually on a "full power" computer, >>> then they generally have the CPU to spare for this sort of thing, >>> and you'll rarely if ever notice a difference. >> i'm curious to see some quantitative data about what "dreadfully >> slow" means. > > Not truly "quantitative, but I notice a significant difference > between encrypting emails to people with 1024-bit keys vs people with > 4096-bit keys. I'd say that the difference is in the order 3-6 > seconds. > > I'm running GnuPG 1.4.x on a Sun Ultra10 with a 500 MHz CPU and 1 GB > RAM. Yes, I know it's old. :-) > > We're forced to use 4096-bit keys because some of our customers > require it. > Am I missing something? I thought the keys were used to encrypt the block containing the session key (that is, IIRC, 512 bits). And it is the session key that is used to encrypt and decrypt the actual message. Since the session key is small, encrypting or decrypting it should not take a lot of time compared with doing an entire message (depends on its length, of course). So unless the time to encrypt or decrypt the session key is large compared with the time to encrypt or decrypt the actual message, is this discussion not about the wrong thing? What is the message size of the messages being used to come up with the numbers on this thread? Are they realistically large (whatever that might be)? - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 10:35:01 up 6 days, 2:03, 3 users, load average: 4.96, 4.74, 4.57 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org/ iD8DBQFMoK43Ptu2XpovyZoRAu73AJ0dIGF415+emazvMRK7OYEpjzzYVACdFNQu Y4rA9L516xM4TFSkw9T6Ako= =AYQV -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Where is FAQ?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I have what I am sure is a frequently asked question, but I cannot find a FAQ. I can find the archives, but I know no good way to search them. It is the question about the order of signing and encrypting a message. I am pretty sure that is the correct order, but a while ago there was a thread about this and I would like to find it. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 17:10:01 up 16 days, 1:56, 3 users, load average: 4.67, 4.70, 4.57 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org/ iD8DBQFMSgZZPtu2XpovyZoRAkIaAKCKoqHhAl92EVSw8uf2HVq4B97OjQCff6Wi KJb0tNzL42UbRbNl+LlJscM= =FmEw -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: decryption failed: secret key not available
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Rahul R wrote: > But how to generate a secret key in command mode... i have the public > key with me and imported it.. but still not able to decrypt... > My guess is that your best bet is to generate a new key-pair and send the public key to a key-server. Then notify whoever sent you the original message of the problem and to send it again with the new key. You might wish to revoke the old key-pair if you have a revocation certificate on your machine. I do not know how you lost your secret key. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 16:40:01 up 14 days, 1:26, 3 users, load average: 4.84, 4.75, 4.79 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org/ iD8DBQFMR1wOPtu2XpovyZoRAiCvAJ9sPuI069kgQRIG2sbkTxxAeeCJLACcDbKT 95wgHVIUeJ2NFYaMvYGNWA0= =JuL2 -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Locating GnuPG 2.0.16 RH4 binaries...
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Breen Mullins wrote: > * Jean-David Beyer [2010-07-20 14:53 -0400]: > >> John Espiro wrote: >>> Greetings... >>> My google skills must not be working lately... Can anyone help point me >>> to the 2.0.16 binary for GnuPG / RHEL4? >>> >>> Thanks, >>> John >>> >> Is there one? >> I run RHEL 5.4 that is up-to-date as of this morning, and that binary >> rpm is gnupg-1.4.5-14.el5_5.1. >> >> If I look at CentOS 4, the binary for it is gnupg-1.2.6-9.i386.rpm > > On Fedora, and I expect on RHEL too, 2.0.16 would be installed by the > gnupg2 rpm. > > You might look at > http://fedoraproject.org/wiki/EPEL > > which provides ports of Fedora packages to EL. > > Breen > Looks like it is there for RHEL 5, but not for RHEL 4. Probably too many incompatibilities for that older release. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 21:35:01 up 13 days, 6:21, 3 users, load average: 4.65, 4.79, 4.76 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org/ iD8DBQFMRlAMPtu2XpovyZoRAmIMAKDEHJbEIy5ZQ+ulpcE6IrEetciA3gCgh0T5 6CxIZAfcWY81yH/GeokvqQg= =UPjt -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Locating GnuPG 2.0.16 RH4 binaries...
John Espiro wrote: > Greetings... > My google skills must not be working lately... Can anyone help point me > to the 2.0.16 binary for GnuPG / RHEL4? > > Thanks, > John > Is there one? I run RHEL 5.4 that is up-to-date as of this morning, and that binary rpm is gnupg-1.4.5-14.el5_5.1. If I look at CentOS 4, the binary for it is gnupg-1.2.6-9.i386.rpm -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 14:45:01 up 12 days, 23:31, 3 users, load average: 4.47, 4.64, 4.69 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: AUTO: Richard Hamilton is out of the office (returning 06/24/2010)
David Smith wrote:
> Jean-David Beyer wrote:
>> If I understand correctly, this is done by setting the precedence of the
>> vacation e-mail to "bulk" instead of something else ("list"?), and that
>> mailing list programs do not send the stuff marked bulk.
>>
>> Is that not how mailing list programs work?
>
>
> Not quite.
>
> Mailing lists programs normally send mails with the "Precedence: bulk"
> or "Precedence: junk" header, and then the autoresponder should
> recognise this and choose not to respond to mails with the "bulk" or
> "junk" precedence header. It is up to the autoresponder to act correctly.
>
Well, the stuff I get from the Gnupg-users@gnupg.org list has
"precedence: list" set. Other lists to which I subscribe use "Precedence
normal" or "precedence: bulk". Regular e-mail does not have precedence
set at all. It seems to me that mailing lists should get their acts
together.
--
.~. Jean-David Beyer Registered Linux User 85642.
/V\ PGP-Key: 9A2FC99A Registered Machine 241939.
/( )\ Shrewsbury, New Jerseyhttp://counter.li.org
^^-^^ 09:10:01 up 42 days, 17:05, 3 users, load average: 4.63, 4.80, 4.74
signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: AUTO: Richard Hamilton is out of the office (returning 06/24/2010)
Jerry wrote:
> On Thu, 17 Jun 2010 16:04:41 -0600
> I was just stating to a colleague that it had been months since an
> errant "vacation" message had been posted on this forum. Well, thanks
> to Bob, that drought has been quenched. With the summer season now
> upon us and vacations becoming the norm, I rest assured that more such
> individuals will be advising us of their schedule.
>
> Then again, maybe, just maybe, this might be a good time for all of us
> to check that we have our mail programs, be them what they may,
> properly configured so as to not pollute forums with useless
> OOF/vacation garbage announcements.
>
If I understand correctly, this is done by setting the precedence of the
vacation e-mail to "bulk" instead of something else ("list"?), and that
mailing list programs do not send the stuff marked bulk.
Is that not how mailing list programs work?
--
.~. Jean-David Beyer Registered Linux User 85642.
/V\ PGP-Key: 9A2FC99A Registered Machine 241939.
/( )\ Shrewsbury, New Jerseyhttp://counter.li.org
^^-^^ 08:20:01 up 42 days, 16:15, 3 users, load average: 4.65, 4.81, 4.56
signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Test mail to gnupg.user
Ingo Klöcker wrote: > On Sunday 13 June 2010, Jean-David Beyer wrote: >> Ingo Klöcker wrote: >>> On Saturday 12 June 2010, Jerry wrote: >>>> Conversely, many MUAs support the "reply to list" function that >>>> should work correctly on this list. >> Perhaps so, but my Thunderbird 2.0.0.24 dies not, and it is the >> latest version available in .rpm for my distribution (RHEL 5.5). I >> hear Thunderbird 3 does have something like this. > > https://addons.mozilla.org/en-US/thunderbird/addon/4455/ > > > Regards, > Ingo > > Thank you. It works. I used it on this e-mail. It takes time, though. When I pressed Reply-List, it first put your personal e-mail address in the To: field and only later did it change it to the list itself. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 08:10:01 up 37 days, 16:05, 4 users, load average: 4.46, 4.63, 4.85 signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Test mail to gnupg.user
Ingo Klöcker wrote: > On Saturday 12 June 2010, Jerry wrote: >> On Sat, 12 Jun 2010 16:40:28 -0400 >> >> Jean-David Beyer articulated: >>> I see no way to do that. I have a Reply button and a Reply All >>> button and no others. There is no such button on that screen that >>> allows diddling buttons. Thunderbird 2.0.0.16, which is the latest >>> for Red Hat Enterprise Linux 5. >> Unfortunately, it might prove to be academic anyway. Unlike several >> other lists that I am subscribed to, this mailing list does not use a >> "Reply-To:" in the e-mail headers. It would definitely facilitate >> replying to list mail if the maintainer(s) of this list configured >> the mailer to insert such a header that pointed to this list. > > There is such a header: > List-Post: <mailto:gnupg-users@gnupg.org> So there is. > > Reply-to is intended to be used by the sender to state his preference > for replies. If he prefers off-list replies then he should set it to his > address and if he prefers on-list replies then he should set it to the > mailing list address. (In fact, there's also the Mail-followup-to header > which is even better suited for this than the Reply-to header.) > > IMNSHO, it's not up to the mailing list admins to dictate where replies > to my posts should go. Therefore, the mailing list software should not > touch the Reply-to header. > OK. > >> Conversely, many MUAs support the "reply to list" function that >> should work correctly on this list. Perhaps so, but my Thunderbird 2.0.0.24 dies not, and it is the latest version available in .rpm for my distribution (RHEL 5.5). I hear Thunderbird 3 does have something like this. > > Exactly. It works correctly because those MUAs use the above mentioned > standardized (RFC 2369) List-Post header. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 07:00:01 up 37 days, 14:55, 3 users, load average: 5.59, 4.62, 4.33 signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Test mail to gnupg.user
Sonja Michelle Lina Thomas wrote: my e-mailer honored it automatically (perhaps it does). Because some lists to which I subscribe automatically reply to the lists, and some automatically reply to the original sender, and I cannot remember which is which. I know asking any particular list to change is not worth the trouble; each list has its own policy and unwilling to change. I try to remember which is which. It is sometimes suggested to hit Reply-All, but this results in the original poster's getting two replies. I To handle this issue I added the "reply to list" button to Thunderbird. Whenever I deal with a list, I hit that button. I added it through the right click > customize menu and drug the button to my toolbar. I see no way to do that. I have a Reply button and a Reply All button and no others. There is no such button on that screen that allows diddling buttons. Thunderbird 2.0.0.16, which is the latest for Red Hat Enterprise Linux 5. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 16:35:01 up 37 days, 30 min, 4 users, load average: 4.40, 4.57, 4.59 signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Keyserver spam example
Jerry wrote: On Sat, 12 Jun 2010 06:22:47 -0500 Sonja Michelle Lina Thomas articulated: I use gmail for my SMTP needs. I have accounts on a couple of unix machines, yahoo, gmail, aim, my business hosted via godaddy and I choose gmail as the default SMTP server for all of them. Works like a charm. http://lifehacker.com/66/how-to-use-gmail-as-your-smtp-server Give them a try. Gmail is free and it can be a good account to pass to sites that you feel may be spam generators. Gmail has web/pop/imap access and has fairly decent spam filters. I would not trust Google with your data, far less mine. They have all ready been accused of illegally pilfering through user data and mining for user wireless information. I avoid them like the plague whenever possible. What I would like to know is if the OP tried using the ISP's SMTP server, often referred to as "smarthost" feature in several MTAs. Yes, I did. They will not accept anything from my MTA even when I use the smarthost feature. I can use either their web site server (that I detest) or Firefox, but they will not allow sendmail even with smarthost. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 08:35:01 up 36 days, 16:30, 3 users, load average: 4.62, 4.51, 4.56 signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Keyserver spam example
MFPA wrote: The Spamhaus PBL might very well list you. 76.185.38.113 is listed in the PBL Mailservers using this blocklist would probably block mail from you. Of course, even Spamhaus's own website says the PBL is not a blacklist and that you can remove your IP address from their list if you are running a "legitimate" mail server, but only if it's a static Ip address. They provide no definition (that I can find) of what constitutes a "legitimate" mail server Obtaining a static IP is easily done so I don't know why someone would want to risk using a dynamic IP. My current ISP (Verizon) wants US$100/month more for a static IP address than for a dynamic one. In addition, I am not permitted to use my own MTA (in my case, sendmail) unless I have a commercial account instead of a home owner's account. Most ISPs I have seen charge considerably more for a static IP address; generally, commercial prices rather than home-user or small-business prices. Unless you have relatively high bandwidth requirements there is no point. It is *definitely* not worth the expense just just to avoid an occasional over-zealous mailserver admin spuriously binning one of your perfectly valid email messages. Even if you are hosting a website or an incoming mail server, there are plenty of dynamic DNS services available for many times less cost than having a static IP address. My sister lives in France. I believe her ISP is the French Post Office. While I can receive e-mail from her, she cannot receive e-mail from me, even though I use Verizon as my ISP. My home has a dynamic IP address, but I assume Verizon have static IP addresses. We have worked on this for several years, but I cannot send to that sister. I have another sister in Canada. She has no trouble sending e-mail to her sister in France. Someone in France does seem to be blocking Verizon. At least, they are blocking me, and I cannot imagine it is just me. In any case, a very large percentage of SPAM originates from dynamic IPs, which is why I routinely block them. A large percentage of spam originates from the USA. It would be just as rational to block mail from all IP addresses that are listed as being there. (-; Maybe France is blocking all of USA, or all of Verizon. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 06:50:01 up 36 days, 14:45, 3 users, load average: 5.01, 4.73, 4.49 signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Test mail to gnupg.u...@seibercom.net
Jerry wrote (in part): Which reminds me; there is a request at the end of every post I make. Would it be to much of an imposition for you to honor that request? Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. I looked at the headers, and there is no Reply-To header in the e-mail I received from the list. An entire page of headers, but not that one. Even if Reply-To was a header, it would be too much to honor it unless my e-mailer honored it automatically (perhaps it does). Because some lists to which I subscribe automatically reply to the lists, and some automatically reply to the original sender, and I cannot remember which is which. I know asking any particular list to change is not worth the trouble; each list has its own policy and unwilling to change. I try to remember which is which. It is sometimes suggested to hit Reply-All, but this results in the original poster's getting two replies. I particularly hate this method as I then reply to which ever one I get first, usually direct to the author, thinking he wants a private reply since he sent it to me privately. Then a little later I get one from the list, and it is usually too much trouble to send another reply to the list. I wish all lists were set up so a reply to a message from the list went back to the list, but there is no point asking that from a list that does things another way. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 08:05:01 up 35 days, 16:00, 3 users, load average: 4.46, 4.45, 4.45 signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Using the OTR plugin with Pidgin for verifying GPG public key fingerprints
Robert J. Hansen wrote: But all that aside, I'm pretty sure news reports, etc. of human traffickers, smugglers, spies, etc. all confirm the fact that national IDs such as passports can be forged and do in fact slip by immigration authorities pretty commonly. Only because the news doesn't report on people who get arrested based on false identity documents. By the very nature of journalism, it pays more attention to the extreme and the unusual than it does the mundane and humdrum. If a madman shoots 14 people in a shopping mall in Oconomowoc, that's news: if 1,400 people die of cancer nationwide that day, it doesn't even get a mention. Following the news would lead you to thinking you needed to buy body armor, not that you could stand to lose a few pounds and you should stop smoking. A larger example is that if some madmen flew aircraft into the World Trade Center killing 3000 or so people, that gets a lot of news and a Department of Homeland Security set up, but if we kill 10 times that every year in automobile accidents, do we get highways redesigned, automobiles redesigned, driving tests improved, etc.? Be careful about forming your opinions of normalcy from watching news reports. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 12:05:01 up 52 days, 13:25, 4 users, load average: 4.36, 4.36, 4.64 signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Web of Trust itself is the problem
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Mark H. Wood wrote:
|
| Still, it's another technology-intractable problem. If people cared,
| they would train themselves to look for trouble indicators, like
| scanning the dashboard from time to time for problems with speed,
| fuel, temperature, etc. We're trained to operate motor vehicles, but
| not to operate browsers or MUAs. ("It's intuitive!" Not.)
I know drivers who have no clue about all those trouble indicators.
I was a passenger with a friend and I noticed the engine temperature
gauge was too high. I urged her to stop the car until it could cool down
and we could see what the trouble was. She said she would do that after
lunch, but she did not have time then. I told her to turn the heater on
full, and since this was summer, she objected, but did it. When we got
to the restaurant, she turned the motor off. After lunch it had cooled
down some, so I looked into the radiator where there was no noticeable
water. We got some from the restaurant. I forgot what the trouble was
(defective radiator hose, loose clamp, etc.), but at least she did not
need to get a new engine.
People often drive for months with the "Check Engine" light on. When I
ask about this, they say it is nothing: it is always on. They have seen
it so long they have gotten used to it. They just do not care.
I knew a guy who had a Pontiac station wagon he bought new. He never had
it serviced or even checked the oil or the oil pressure light. Well one
of those will go about 25,000 miles before seizing up.
- --
~ .~. Jean-David Beyer Registered Linux User 85642.
~ /V\ PGP-Key: 9A2FC99A Registered Machine 241939.
~ /( )\ Shrewsbury, New Jerseyhttp://counter.li.org
~ ^^-^^ 10:05:01 up 4 days, 12:00, 3 users, load average: 4.56, 4.59, 4.68
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org/
iD8DBQFLTJGhPtu2XpovyZoRAoziAKCwQV3ZfYoLK3u/K5UUKMntfo4lpwCeNYcv
2OElW0+lwjTgll0fSK4a/8M=
=4tgG
-END PGP SIGNATURE-
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: 8192bit RSA keys
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 David Shaw wrote: | On Jul 6, 2009, at 4:21 AM, martin f krafft wrote: | |> Hey folks, |> |> Two years ago, there was a thread on this list, in which RSA key |> sizes >2048 were discussed [0]. In these two years, the crypto-world |> has been shaken up a bit, and computers got yet a bit more powerful. |> |> 0. http://lists.gnupg.org/pipermail/gnupg-users/2007-June/031285.html |> |> I am trying to decide whether I want to create myself a new RSA key |> and am looking at key lengths of 2k, 4k, and 8k. In theory, I'd like |> to use the 8k variant, simply because I postulate that my machines |> can handle it (I don't use GPG on a PDA/SmartPhone (yet)), but |> I don't know if this makes sense in practice. | | It depends on what you're protecting against. For most common cases, | a 8192-bit RSA key is likely so vastly stronger than the rest of your | environment that a smart attacker wouldn't bother to attack it. | They'd just go after what they want via other attacks against you and/ | or your environment. Mind you, the same thing is true for a 2048-bit | RSA key as well. (I'd wager that for many people, the same thing is | also true for a 512-bit RSA key). If you can get the same end result | with a smaller key, you need to ask yourself what the big key actually | buys you. | | If you're looking for a more immediate reason, though, note that if | you make a RSA key larger than 2048 bits you can't use it with the | spiffy new OpenPGP smartcard. | Another reason is that even if increasing my key size to would increase my security in some sense, I do not want my GPG security to be so strong that the black hats would bypass it and torture the key out of me. - -- ~ .~. Jean-David Beyer Registered Linux User 85642. ~ /V\ PGP-Key: 9A2FC99A Registered Machine 241939. ~ /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ~ ^^-^^ 14:00:01 up 20 days, 49 min, 3 users, load average: 4.05, 4.34, 4.48 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iD8DBQFKVN/vPtu2XpovyZoRAsT/AJ4k/O4O517+YH7KYaLevt28VFOT+wCeO5GW 9I/aKv70703nlIyx7PbfJow= =Trab -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: New Revocation Certificate...
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Daniel Kahn Gillmor wrote: | On 06/28/2009 04:44 PM, Jean-David Beyer wrote: |> If I add a subkey to my key (e.g., because the previous one expired), do I |> have to generate a new revocation certificate, or is the old one still |> good? | | I'm assuming you're asking about the revocation certificate for your | your entire GnuPG-generated OpenPGP key. | | That revocation certificate is designed to revoke the primary key. | Without a valid primary key, all associated subkeys are considered | invalid. So you should not need to re-generate your revocation | certificate based on a new subkey. | | This is because the action triggered by the publication of the | revocation certificate is the invalidation of the primary key. Make sense? | | Hope this helps, | Fine; it is a nuisance to generate it each time, but I would have hated to find I could not use it. Yes, that is what I meant. If the primary key is compromised, I would wish to revoke it and everything on it. Too bad I would lose all the signatures on it, but since it would be no good, there would be no sense in transferring the signatures to my new key, even if that were possible (and I hope it is not). - -- ~ .~. Jean-David Beyer Registered Linux User 85642. ~ /V\ PGP-Key: 9A2FC99A Registered Machine 241939. ~ /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ~ ^^-^^ 17:10:01 up 10 days, 3:59, 3 users, load average: 4.84, 4.48, 4.31 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iD8DBQFKR92pPtu2XpovyZoRAt3dAKCVERCpnUAcC6gzC22OpP97NgS7DACfel5X 0AoDxHPi87BlpF3P1VHGv9Q= =UzS0 -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
New Revocation Certificate...
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 If I add a subkey to my key (e.g., because the previous one expired), do I have to generate a new revocation certificate, or is the old one still good? I may never need to know the answer, but better before than after the compromise of a key. - -- ~ .~. Jean-David Beyer Registered Linux User 85642. ~ /V\ PGP-Key: 9A2FC99A Registered Machine 241939. ~ /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ~ ^^-^^ 16:40:01 up 10 days, 3:29, 4 users, load average: 4.07, 4.11, 4.18 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iD8DBQFKR9Y+Ptu2XpovyZoRAuloAJ0QN3VUnY0JGTs32wMirLmcDykhCgCeI86j 2KgENOCAIzAfSX/RxSOyfzs= =UkMC -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Email signature
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Rob Cilissen wrote: | Hi There, | | First of all: I like this email signing en encryption. But I have a | "problem". No one I know uses PGP to sign mails. This seems to be a common problem. There may be organizations that use PGP or GPG to sign and even encrypt their e-mail. But the average computer user does not seem willing to do anything to increase the security of their electronic communications. They talk about big brother intruding on their communications, they worry about eavesdropping, and so on, but are absolutely unwilling to use GPG, or even Enigmail, to accomplish it. WHen all is said and done, more is said than done. | Now I don't want to act | as the cumputernerd and send everybody unasked signed mails and hope | they also ara going to use PGP. That is a problem. I tend to sign my e-mails except on mailing lists where they are not welcome (but I forget and sign them sometimes when I forget). I used to be resigned to be relegated to the computernerd class, but I get complaints at times from people whose mail client cannot seem to tolerate signatures. | Is there some subtile standard text/logo | to add to your email signature where you can say: hey! I can use | signing/encryption! My view is that the signature is already subtle enough for this. At least you do not encrypt your messages to people who cannot decrypt them. Of course, you cannot, since you need their public key to encrypt. | | Of course I can create something myself, but is there some standard? | I have no idea. I suppose people would not know what your logo meant anyway. - -- ~ .~. Jean-David Beyer Registered Linux User 85642. ~ /V\ PGP-Key: 9A2FC99A Registered Machine 241939. ~ /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ~ ^^-^^ 07:45:01 up 5 days, 22:40, 3 users, load average: 4.27, 4.24, 4.44 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iD8DBQFKMPBVPtu2XpovyZoRAhvgAJ9hceJMwFWMSslOPB6m0/XYcPBXzwCgmyBU pDsKFf4Kzdmr/paefmuFkgo= =LGcS -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Security Concern: Unsigned Windows Executable
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Robert J. Hansen wrote: | Insert mandatory "reflections on trusting trust" reference here. | | The sentiment of "I must build it from source if I'm going to trust it" | is great, but then you have to ask questions about your compiler, your | system libraries, etc., until you're left hand-hacking Assembly | instructions for a low transistor count CPU you've personally | lithographed yourself from your own personal design. | Let's say I did all that. But do I trust the guy who looked over my shoulder to be sure I did not make a mistake in my own personal design? And if I believe, in principle, in automatically proving programs (or hardware, their equivalent) correct, do I trust the program that does that? And the rules given that program that the program to be verified is to meet? We get into the very problem Rene Descartes was stuck in until he came up with "Cogito, ergo sum." Which I do not think was a solution at all. - -- ~ .~. Jean-David Beyer Registered Linux User 85642. ~ /V\ PGP-Key: 9A2FC99A Registered Machine 241939. ~ /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ~ ^^-^^ 08:50:01 up 69 days, 15:04, 3 users, load average: 4.06, 4.24, 4.31 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iD8DBQFKJSFOPtu2XpovyZoRAmheAKC7PlUg4LWQsz9HdbP09cXdu/mIHwCcDrYG X15Zb0CWZ1SbmpgFl+JibYs= =NdyX -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Someone has harvested my address
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Robert J. Hansen wrote:
| When confronted with the fact many PCs (typically Win32, but there's no
| reason to think exclusively so) are compromised without us knowing it,
| what then should our response to it be in terms of effective usage of
| GnuPG?
|
| (My answer is 'use OS X and/or Linux, and always suspect the endpoints
| are leaky'. Other people's may differ, of course.)
|
I suspect that Linux and OSX may be more resistant to compromise than
Windows systems, but I would not wish to be dogmatic about it ("Do not step
in the dogma."). I never get e-mail or browse the web when I am root. I run
~ a firewall. The only servers I run do not serve the Internet (ntpd and
sendmail and named). So I am pretty safe. But if I desired to prove that my
machine were uncompromised, how would I go about it?
I imagine it is not so easy. Once I tried to write test programs that
pinpointed hardware errors. I wanted them mathematically correct. I could
not because I always needed to assume some of the machine was working
correctly. Thus, a memory test program assumes, at least, that the
processor(s) are working correctly. A processor test assumes the memory is
working correctly, and so on.
It seems to be a chicken and egg problem both for software and hardware.
The original problem is easy: a chicken is an egg's way of reproducing itself.
- --
~ .~. Jean-David Beyer Registered Linux User 85642.
~ /V\ PGP-Key: 9A2FC99A Registered Machine 241939.
~ /( )\ Shrewsbury, New Jerseyhttp://counter.li.org
~ ^^-^^ 17:40:01 up 33 days, 23:46, 4 users, load average: 5.07, 4.55, 4.31
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org
iD8DBQFIxu8pPtu2XpovyZoRAlPeAKCRvFDkXuujdSW0HK1fY4oEkk7zGACfTseP
dgfUMl2hXkvX8uZ/TD/NXi8=
=jtBO
-END PGP SIGNATURE-
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Securely delete files...
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 David Shaw wrote (in part): > That's exactly the problem - given modern disks, and modern > filesystems, there is not a perfect guarantee that you'll hit the same > disk blocks that the original file landed on. The disk could > invisibly remap a block out from under you at any time (it does this > automatically when the disk firmware detects a bad block), the > filesystem could be doing journaling games, etc, etc. A program > running on the computer the disk is attached to can't really do much > about disk block remapping since it doesn't see this. It always asks > for (for example) block 100. If the file was written when block 100 > pointed to block 100, but by the time the overwrite happens, block 100 > has become 12345, then the computer doesn't know it needs to overwrite > both 100 and 12345 to get all traces of the file. > To make matters worse, block 100 in your example may have already been allocated to another process and it may have already written by that other process, so the computer better not overwrite it multiple times to hide all traces of the older data. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 07:40:01 up 15 days, 13:46, 4 users, load average: 4.54, 4.28, 4.37 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iD8DBQFIrqgCPtu2XpovyZoRAjfdAJ4l5Lx5kNZikfe1p+jk1OF8v4UTwACg08rI 7XUxC1ICpb/yJVQe9b8i4kE= =bM+I -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [GnuPG-users] identical files -> non-identical encrypted files
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Kiss Gabor (Bitman) wrote: >>> The password is not random therefore every time you encrypt the same >>> plaintext you got the same cryptfile. >> No, you won't. All sound encryption schemes use a bit of random to >> make the resulting ciphertext different. In the easiest case this is >> called a salt and used to stop dictionary attacks. For example, such a >> salt has been used for 25 years or so on all Unix systems to protect >> the login password. >> >>> (The opposite would cause big problems in a disk encryption system. >>> :-) >> No. Different ciphertexts may yield the same plaintext. > > A test speaks for itself: > > $ cat /etc/passwd | aespipe | md5sum Password: > 9220c2e1d5a5a83710d020b04c306c24 - $ cat /etc/passwd | aespipe | md5sum > Password: 9220c2e1d5a5a83710d020b04c306c24 - $ > ? Apples and Oranges. Consider: $ gpg --output test1.gpg --encrypt --recipient jeandavid8 [at] verizon [dot] net /etc/passwd $ gpg --output test2.gpg --encrypt --recipient jeandavid8 [at] verizon [dot] net /etc/passwd $ od -c test1.gpg | less 000 205 004 016 003 y 037 301 373 022 N 006 c 020 017 376 $ 020 353 } _ W \r - 314 030 B 303 z 226 223 340 S 313 040 375 0 4 $ ) 254 a \0 377 364 / < ; 222 ( 315 060 / 006 213 004 221 264 < a 255 247 B 275 \a 301 264 Q 100 203 250 . 257 \0 Q 376 232 312 266 3 . 321 022 b 215 120 374 $ 241 ` 256 j D 351 a 246 326 ? 223 313 210 $ 140 321 023 032 244 262 273 246 215 - i b > m " 255 313 160 035 240 337 230 \v B 327 \r 265 362 255 271 ( ? b 202 200 034 332 371 T 250 310 = 223 211 236 304 U 334 206 z ` $ od -c test2.gpg | less 000 205 004 016 003 y 037 301 373 022 N 006 c 020 017 376 8 020 A 217 B R 377 264 b y 361 X 243 \ 316 x 346 246 040 A 016 257 310 Y 032 265 & 022 g 016 327 274 276 364 337 060 ) b 211 354 \f 005 354 002 001 224 251 1 ) S \a 266 100 + 312 004 " 310 315 354 } A 206 p . 242 332 214 305 120 226 T 255 304 d 235 # B 240 \f 020 [ 003 x 023 305 140 210 l H 247 1 334 ( 216 6 257 H 314 A 023 323 363 160 = 361 9 V U ' c 7 s 247 372 9 306 202 342 203 200 l K Y 323 Y z 372 ~ \r \v 270 o J } 272 1 - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 14:25:01 up 1 day, 17:17, 5 users, load average: 4.04, 4.14, 4.22 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iD8DBQFIlfqnPtu2XpovyZoRAo8CAJ9az5lSAAHKT3r1SFAcTow6vu0ACACfeSrU /t2BOHB7rHXejd+5DXK/mCM= =E/Rm -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Starting with gnupg
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 John W. Moore III wrote: > Jean-David Beyer wrote: > > >> But if he somehow got your private key, I do not believe he >> would need your passphrase. > > YES! S/He _would_ need the passphrase even if in possession of the > Private/Secret Key. The passphrase is the "key" that unlocks the Secret > Key which is why there is so much emphasis placed on making sure Your > passphrase is a strong one that cannot easily be guessed or 'Social > Engineered'. > > Should an adversary come into possession of the Secret Key they would > then need to brute force attack the passphrase. > You would certainly need the passphrase to get at the contents of secring.gpg. But if I got the secret key from there, would I still need the passphrase? I.e., does the passphrase control access to the _keyring_ or the _key itself_? I suppose I should look it up in the RFC 4880. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 08:45:01 up 11:37, 4 users, load average: 5.03, 4.38, 4.30 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iD8DBQFIlGWVPtu2XpovyZoRAt53AJ905TQ2aYuKONX4hZJP+X+4hVOC+QCfREzT qm9WdAefCFLv4USLvS9gFRs= =sumU -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Starting with gnupg
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Dwayne wrote: > Hey there > > I've just begun using gnupg, but I have a concern: > > Lets say I've encrypted a file with my public-key, and uploaded it to > somewhere on the net for backup purposes. What will happen, in case my > backup-place gets compromised, and the file comes into the "wrong > hands". Should I be worried that the person has the encrypted file or > can I feel "safe" that the person doesn't have my privatekey+passphrase > and therefore cannot decrypt it? > He needs more than your public key. He needs your private key as well -- and the easiest way to get that is to get a copy of your secret keyring and your passphrase. But if he somehow got your private key, I do not believe he would need your passphrase. I hope you have _not_ sent your secret keyring anywhere. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 08:15:01 up 11:07, 4 users, load average: 4.40, 4.39, 4.39 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iD8DBQFIlFDjPtu2XpovyZoRAmWvAJ49SgIHVIkPu/anfhAmP7UgeL6vCwCfWTPK PDvyIOVIPc8MFpDH8lsssLE= =hl8B -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: so how do you get others to sign your key?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Alexander W. Janssen wrote: > reynt0 wrote: >> On Mon, 21 Jul 2008, kurt c wrote: >> . . . >>> My name is Lawrence, by the way. I created this email account on a whim >>> to test Enigmail, that's why it has this kurt c stuff on it. And now >> . . . >> >> FWIW, >> Do you know that, as I understand things, Google saves >> and records of, and analyzes including for affinity >> grouping, all the email content and email accounts you >> communicate with, and so by using gmail you are in some >> small way compromising the privacy and maybe security of >> everyone posting on any email list you get email from? No, I do not know that, and I still do not know that. That does not mean it is not true. While it would not prevent google from looking at the envelope (sender's address, etc., receiver's address, etc., Subject...), you could keep them from analyzing the content by encrypting it with gnupg (e.g., with enigmail). This would require your destinations to have pgp or gnupg and use it. This would not work on mailing lists except private ones with only a few users. > > Says someone without even a real name in his from-line. > > Why should that be a security problem? What would hinder $evildoer from > subscribing themselves? > Also, your comment wasn't helpful. > > Oh man. Do you really want to open this can of worms? One of Murphy's laws goes: When you open a can of worms, to recan them takes a larger size can. > > Sorry, I had to say this. I'm usually not the flamy type of a person. > Alex. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 06:45:01 up 3 days, 11:33, 4 users, load average: 4.42, 4.16, 4.06 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iD8DBQFIiF98Ptu2XpovyZoRAuE1AJ9cBeXJVLJGZfyBK/TvqlsZX8LikgCeKKYc fnlM1YftqwConpH1jC3LoQM= =nYvs -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: what if they have my sec key?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Ramon Loureiro wrote: > Hi! > > I'm using different PCs at work for sending email (and other things, of > course...) > Are just the PCs at work shared, or are the secret keys at work shared too? > > Is it possible for these users to hack my secret key? It depends, partly, on the security features of the OS you are running. Can the other users see your key ring? If you run Linux or Unix, for example, and have the permissions of directory containing your key ring set to drwx-- , and the permissions of your secret key ring set to -rw--- you should be pretty safe except from the super-user. If you do not trust the super user, you are in big trouble in any case. It is my understanding that the security features of at least some versions of Windows are much less and that anyone can get at those files. > If they have got it, can they use some kind of brute force system to > guess my pass phrase? In theory, yes, especially if it is too simple. If you pick a complicated one such as NICqW$Yu1Fg.ZSLawenaP5ZCiDy (now that that one has been displayed on the Internet, it is no longer considered a good one), they are much less likely to guess it even with a dictionary attack. The main trouble with a passphrase like that is that it may take a month or so before you can remember it, and writing it down is not considered a good idea. > > What will be the best option in this scenario? > Having the secret key on my USB drive? > ? > That is safe as long as the other users of your machine are not running programs on it while you are using it. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 06:55:01 up 6 days, 20:52, 4 users, load average: 4.64, 4.25, 4.11 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iD8DBQFIPo8JPtu2XpovyZoRAg89AJ9Xy5Y9slk2Ibtb7Wmn4cYNg9aygwCcCTas mlgjikdq8E3sCSh3sC+CQHg= =GXaJ -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How true can this be?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Janusz A. Urbanowicz wrote: > On Sun, Jan 27, 2008 at 04:23:06PM -0500, John W. Moore III wrote: >> -BEGIN PGP SIGNED MESSAGE- >> Hash: SHA512 >> >> - Original Message >> Subject: Re: How true can this be? >> From: Janusz A. Urbanowicz <[EMAIL PROTECTED]> >> To: Raygene <[EMAIL PROTECTED]> >> Cc: gnupg-users@gnupg.org >> Date: Sunday, January 27, 2008 1:39:04 PM >> >> >>> if a), then b) would land him in jail, quickly >> More likely a fatal traffic accident or victim of a street mugging with >> similar outcome. People communicate in and from Jails. > > Blabbering about classified stuff is a breach of security procedures and > NDA-s, that leads to administrative action, prosecution and usually jail > sentence (or a hefty fine). Long ago I had a secret security clearance. The secrets were laughable, but I have never disclosed them. Mine had nothing to do with encryption. When getting the clearance, I had to read some of the laws that pertained. In addition to jail and fines, another punishment option was death. But I imagine it would be done officially. > > The approach you mention would be probably used on someone who would like to > play the game (as in sell the info to another country), not for some random > blabberer. > > Alex - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 12:50:01 up 16 days, 2:36, 2 users, load average: 5.02, 5.03, 4.68 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iD8DBQFHrejkPtu2XpovyZoRAgC9AJ9DknvNBSUr0NU7jxdHUr3PGWHKYACgg2Lo eVMtegDw54+UQDnlz+fGK+8= =YzkQ -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Which key is used when more than one are valid?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 John W. Moore III wrote: > David Shaw wrote: >>> On Sun, Jun 17, 2007 at 02:49:21PM -0400, Jean-David Beyer wrote: >>>> My gnupg file that I get with edit-keys myuid >>>> contains, among other things: >>>> >>>> sub 2048g/48FF0850 created: 2007-02-24 expires: 2008-02-24 >>>> sub 4096g/124E0663 created: 2007-06-17 expires: 2009-06-16 >>>> >>>> How do I know which key is used when sending e-mail? >>>> Or is this a Thunderbird question? >>> GnuPG picks the subkey for you unless explicitly told which one to >>> use. In the above case, it would pick the second key, as it is more >>> recent. > > However, 'Account Settings' within Thunderbird does allow You to select > which Key to use _if_ Enigmail is also Installed. > > JOHN ;) > Timestamp: Sunday 17 Jun 2007, 18:24 --400 (Eastern Daylight Time) It allows me to pick the key, but not the sub-key, unless I am missing something. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 20:25:01 up 6 days, 1:25, 3 users, load average: 4.51, 4.29, 4.11 -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGddE7Ptu2XpovyZoRAhwLAJsHutIe1FSKiuSfS6AovqvTv897JgCeMFgp ra/GHa7ZEWiq3VQ0k6iUlOU= =zFXY -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Which key is used when more than one are valid?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 My gnupg file that I get with edit-keys myuid contains, among other things: sub 2048g/48FF0850 created: 2007-02-24 expires: 2008-02-24 sub 4096g/124E0663 created: 2007-06-17 expires: 2009-06-16 How do I know which key is used when sending e-mail? Or is this a Thunderbird question? - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 14:45:01 up 5 days, 19:45, 5 users, load average: 4.13, 4.21, 4.30 -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGdYIwPtu2XpovyZoRArhqAKDPQET44cuCxGO1oFYZsUsLJh8fiwCgmetE 6W6u+B98xcLDDy+msrqrsv8= =IuPV -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Donations
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Thorsten Haude wrote: > Hi, > > * Werner Koch wrote (2007-01-05 14:58): >> Shall we start to measure contributions by the number of source code >> lines [...]? > > That; > would; > be; > a; > really; > good; > idea!; > I can see you are making a point, One with which I agree. People will conform with whatever measuring system is in place. If you get paid in lines of code, they will generate a lot of lines of code, even if a better program can be written with fewer. If they get paid inversely by memory requirements, they will write small programs. If they get paid by fast programs, they will probably write fast ones. It would be more difficult to pay people by reliability of programs, clearness and simplicity of documentation, etc., but those might be worthwhile criteria. All of which reminds me I forgot to send my contribution to FSF last year. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 08:40:01 up 79 days, 11:13, 3 users, load average: 4.21, 4.13, 4.04 -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFokuEPtu2XpovyZoRAkPlAJ0ZXbpotHgiIjoM8W6x7UXIPdehvACgiYT9 2eOI3v2cl9PkDINJ1/JwetQ= =1K8b -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Problem with revoking my old key
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Daniel Löfquist wrote: > Hello everybody, > This is my first post on this mailinglist so please bear with me ;-) > I've had a gnupg-keypair for about 4 years and the public key is published on > several keyservers. Recently however my key has been compromised so yesterday > I > decided to make a new one. First I made a revocation certificate for the old > key > using "gpg --revoke-gen --output revoke_old_key.asc [EMAIL PROTECTED]". > The revocation certificate looks like this: > > -BEGIN PGP PUBLIC KEY BLOCK- > Version: GnuPG v1.4.2 (GNU/Linux) > Comment: A revocation certificate should follow > > iGcEIBECACcFAkPYlycgHQNVbnNhdGlzZmFjdG9yeSBudW1iZXIgb2YgYml0cy4A > CgkQYFyEwpQ49PDniwCeKoortWgSt0+G1323SDwQztF3CkYAn0Gy2bNPXwKuSMyp > MQwoa/N8cu2O > =Vzao > -END PGP PUBLIC KEY BLOCK- > > Now I've been trying to upload the revocation certificate to the various > keyservers but none of them wants to accept it. For example, when I try > uploading it to wwwkey.pgp.net I get this as a response: > > Add failed: Malformed Key --- unexpected packet type and/or order of packets > > Am I doing something wrong or why is my key not being accepted by the > keyservers? > > > //Daniel > > I get the same message when I try to import your key. So if it is not you, it is both Thunderbird 1.5 and the keyserver. I would not expect both to be buggy in the same way. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 21:50:00 up 6 days, 13:17, 5 users, load average: 4.22, 4.41, 4.58 -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFD2YrQPtu2XpovyZoRAtt9AKDJzYJva9KX/HW9MLRW/4QM4nzpVwCgiFIR LDWbGg7zA1Qol3eyXECxX3M= =B8Pg -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Trouble with enigmail and Thunderbird 1.5
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I have recently switched ISP, but I also upgraded Thunderbird at the same time. Now when I get a gpg signed e-mail, I supposedly can check the pen? and it will offer to download the key, giving me a choice of keyservers. I generally pick random.sks.keyserver.penguin.de But now, when I do that, it just buzzes around and never downloads the key. I looked at my firewall, and it is not blocking it. I tried it manually with gpg --keyserver keyserver.kjsl.com --recv-key 0xF621EDAD for example, and it worked fine. Is this a known problem? Or should I find a Thunderbird newsgroup to ask? And if so, which one? - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 12:55:00 up 3 days, 4:21, 5 users, load average: 4.16, 4.19, 4.17 -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFD1Rp0Ptu2XpovyZoRAmLcAJsGQUuAQcG4p7/gOITq4zHpifYtHgCfaQXi ohrBBohLGujQKXu1TlKrD0M= =Ilk3 -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ECC
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 markus reichelt wrote: > * Jean-David Beyer <[EMAIL PROTECTED]> wrote: > > >> markus reichelt wrote (in part): >> >> >>> Mainly, because I think that the guys with the small ... glasses ;-) >>> at NSA can break public key crypto quite easily, >> >> Could you give a basis for this assertion? > > > Well... please understand that it is my personal belief; just like one > might believe in god, or not. Therefore this 'basis' cannot be what you > are looking for :-) > > > >> Is it because you think they have so much computer power at Ft. Meade >> that they can use exhaustive search? Or do you think their >> mathematicians are so much better than the general public (including >> math professors who specialize in this stuff) that they have discovered >> a breakthrough in factoring? Or because you believe they have gotten >> all manufacturers to include trogan horses in their code? > > > I put the speculations aside and stick with the fact that the NSA > recommends ECC for government use. That's enough for _me_. > I guess it depends on how your paranoia works, and about whom you choose to be paranoid. Does the NSA recommend ECC for government use so that another government agency (e.g., the NSA) can read, if necessary or desired by the parties that control that government agency? If so, I would assume they know how to crack ECC. In that case I would not want to use ECC. Or do they know how to crack everything else and have not yet cracked ECC? In that case, I would want to use ECC. Paranoia is a wonderful thing, but it can trap you in dilemmas like this. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 15:10:00 up 26 days, 14:33, 4 users, load average: 4.25, 4.19, 4.12 -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDa8G7Ptu2XpovyZoRAppzAKDOmf6vHKBuCIrKL7GhvhhGkMfhRgCfUdKE RYyfkNmiBQJ0xDjXw8JZesY= =vPQC -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ECC
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 markus reichelt wrote (in part): > Mainly, because I think that the guys with the small ... glasses > ;-) at NSA can break public key crypto quite easily, Could you give a basis for this assertion? Is it because you think they have so much computer power at Ft. Meade that they can use exhaustive search? Or do you think their mathematicians are so much better than the general public (including math professors who specialize in this stuff) that they have discovered a breakthrough in factoring? Or because you believe they have gotten all manufacturers to include trogan horses in their code? - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 11:45:00 up 26 days, 11:08, 4 users, load average: 4.10, 4.12, 4.09 -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDa5DvPtu2XpovyZoRAsg9AKCP7Y10kJbWcj6D6lgqMkr3CYA71wCaApwO za94xdfruG+S0JVOvlq/XaI= =QqGy -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
To: Alaric Dailey
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Sorry, Aleric. I cannot click on your link, since it sends to a port my firewall does not allow. I do not wish to reconfigure my firewall just so I can validate myself to your C/R system. Therefore, you will not get my e-mail that said I could not decrypt your e-mail, since you did not use my latest key. It is true that the former key is supposedly good for another week, but the private key disappeared from my private keyring (I have no idea how: everything else is OK there). You will just need to get the one with key: 0x562A3109 which should be good for about another year. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 17:00:00 up 8 days, 10:02, 5 users, load average: 4.31, 4.27, 4.27 -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDSDVfPtu2XpovyZoRAuioAJ9Sf4LiDer7s9ct59uzu6HpiHmjMACdHkbW g5wfycUzsQdyXPcNB4zDHwg= =FSaq -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Disk Partition
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 [EMAIL PROTECTED] wrote: > On Sat, Oct 08, 2005 at 08:01:15PM +0400, lusfert wrote: > >>[EMAIL PROTECTED] wrote: >> >>>On Sat, Oct 08, 2005 at 04:30:41PM +0400, lusfert wrote: >>> >>> >>>>I know 2 cross-platform solutions: CrossCrypt >>>> >>> >>>A quote from the CrossCrypt homepage: "Denaiablity: You will not be able >>>to tell that this file has been encrypted by filedisk as it looks >>>completely random and can have any extension you wish." >>> >>>IMHO, There is a problem in that the data looks TOO MUCH random, i.e. it has >>>much higher entropy than would result by "normal" computer usage. Such high >>>entropy is a strong indication that the data is encrypted. >> >>Then you should use stenographic programs together with cryptographic. ;) >> > > The point is that the statement about deniability is misleading (or maybe I > I should say, close to false). In some scenarios (when it comes to e.g. > court cases, or even blackmails or life threats), the person using this > product in good faith (believing that the encryption really _is_ deniable) > would be in a very bad position. > > Explaining a large quantity of high-entropy data in a plausible manner is > extremely hard. The presence of such data gives a strong indication of > encryption. If you argue that you used some "secure delete program", > then you're _again_ in a bad position because it implies that you have > to hide something and again raise suspicion. > > So, instead of teaching me what kind of software should I use, can you > please give an example of plausible explanation for large amount of > high-entropy data on the disk? And have in mind a very determined, > knowledgeable and resourceful adversary while constructing the explanation. > > Yeah, I see the smiley, but these things should be taken very seriously > and not to be joked with. There are cases where people put their freedom > (maybe even life!) in the hands (bits?) of some cryptographic SW and if > that SW actually fails to deliver what it promises, then it's very bad > for the person trusting it. > I think all e-mails should be encrypted. Even recipies for cookies, personal letters to casual friends, everything. If everyone did that, the presense of high entropy stuff on a computer would not be the attention-getting phenomenon it now is. But most people are ineffectively paranoid. They worry about eavesdropping, snooping, interception of their e-mail, but they absolutely refuse to do anything about it. I know no one personally that uses encrypted e-mail. Surely, no one with that attitude would encrypt the stuff on their computer hard drives, backup tapes, etc. It is like the weather. Many people talk about it, but no one does anything about it. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 14:00:00 up 8 days, 7:02, 4 users, load average: 4.34, 4.70, 4.51 -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDSAqmPtu2XpovyZoRAnY0AJ45Z2MXEIwcfHqZ3xuoMeD/s6He/gCcCn9O +TqA3KCPSt2y41+e0ElOJa0= =tR8r -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
