Re: Don't Panic.

2018-05-18 Thread Michael Quigley
"Gnupg-users" <gnupg-users-boun...@gnupg.org> wrote on 05/15/2018 02:45:35 PM:
> - Message from "Mark H. Wood" <mw...@iupui.edu> on Tue, 15 May 2018 11:06:26 -0400 -
> 
> To: gnupg-users@gnupg.org
> Subject: Re: Don't Panic.
> 
> On Mon, May 14, 2018 at 04:48:31PM +0100, Mark Rousell wrote:
> > Amongst other things this includes the following paragraph which, as I
> > understand it, is essentially untrue:
> > 
> > "There are currently no reliable fixes for the vulnerability. If you
> > use PGP/GPG or S/MIME for very sensitive communication, you should
> > disable it in your email client for now," said Sebastian Schinzel
> > <https://twitter.com/seecurity/status/995906576170053633>, a
> > professor of computer security at the University.
> 
> Heh.  "We've discovered that locks can be picked, so you should remove
> all the locks from your doors right now."
> 
> -- 
> Mark H. Wood
> Lead Technology Analyst

+1

Well said.

Michael Quigley
Computer Services
The Way International
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Don't Panic.

2018-05-16 Thread Werner Koch
On Tue, 15 May 2018 17:06, mw...@iupui.edu said:

> Heh.  "We've discovered that locks can be picked, so you should remove
> all the locks from your doors right now."

"There are a lot of benefits for members of the Mechanical Frontdoor
 Foundation.  Rely on us for your social engineering tasks.  Become a
 MFF member now.  It is just 5% of your haul."


-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Thoughts are free.  Exceptions are regulated by a federal law.




Re: Don't Panic.

2018-05-15 Thread Mark H. Wood
On Mon, May 14, 2018 at 04:48:31PM +0100, Mark Rousell wrote:
> Amongst other things this includes the following paragraph which, as I
> understand it, is essentially untrue:
> 
> "There are currently no reliable fixes for the vulnerability. If you
> use PGP/GPG or S/MIME for very sensitive communication, you should
> disable it in your email client for now," said Sebastian Schinzel, a
> professor of computer security at the University.

Heh.  "We've discovered that locks can be picked, so you should remove
all the locks from your doors right now."

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu




Re: Don't Panic.

2018-05-14 Thread Robert J. Hansen
> I'm going to add this to the HN thread. I trust that's OK.

Go for it.  :)




Re: Don't Panic.

2018-05-14 Thread Mirimir
On 05/13/2018 08:27 PM, Robert J. Hansen wrote:
> [taps the mike]
> 
> Hi.  I maintain the official GnuPG FAQ.  So let me start off by
> answering a question that is certainly about to be asked a lot: "Should
> we be worried about OpenPGP, GnuPG, or Enigmail?  The EFF's advising us
> to uninstall it!"
> 
> https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
> 
> Werner saw a preprint of this paper some time ago.  I saw it recently.
> Patrick Brunschwig of Enigmail saw it.  None of us are worried.  Out of
> respect for the paper authors I will skip further comment until such
> time as the paper is published.
> 
> It would've been nice if EFF had reached out to us for comment, rather
> than apparently only talking to the paper authors.  We hope they'll
> reach out next time.

Thanks. I didn't know what to think.

I'm going to add this to the HN thread. I trust that's OK.



Re: Don't Panic.

2018-05-14 Thread Andrew Gallagher

> On 14 May 2018, at 14:47, Dan Kegel  wrote:
> 
> Anyway, if you have a checkbox for 'automatically decrypt', you might
> consider unticking it.)

This may not be sufficient. It’s not just automatic decryption but any 
decryption at all in the client that can trigger a callback. In the PGP case 
the attack is noisy, so you *may* have a chance to protect yourself before the 
damage is done if manual decryption is required for each attempt. But that 
assumes that a human being can reliably distinguish the attempts, which assumes 
a high level of knowledge of the attack procedure. 

A



Re: Don't Panic.

2018-05-14 Thread Mark Rousell
On 14/05/2018 08:27, Robert J. Hansen wrote:
> Werner saw a preprint of this paper some time ago.  I saw it recently.
> Patrick Brunschwig of Enigmail saw it.  None of us are worried.  Out of
> respect for the paper authors I will skip further comment until such
> time as the paper is published.
>
> It would've been nice if EFF had reached out to us for comment, rather
> than apparently only talking to the paper authors.  We hope they'll
> reach out next time.

I see that the Inquirer is passing on the FUD. May I suggest that
someone authoritative gets in touch with them to correct them.

PGP is leaking your emails in plaintext and there's no known fix


Amongst other things this includes the following paragraph which, as I
understand it, is essentially untrue:

"There are currently no reliable fixes for the vulnerability. If you
use PGP/GPG or S/MIME for very sensitive communication, you should
disable it in your email client for now," said Sebastian Schinzel, a
professor of computer security at the University.



(Re-sent as my outgoing server got a
"451-xx.xx.xx.xx+is+not+yet+authorized+to+deliver+mail+from" error first
time round.)

-- 
Mark Rousell

PGP public key: http://www.signal100.com/markr/pgp
Key ID: C9C5C162
 
 
 



Re: Don't Panic.

2018-05-14 Thread Dan Kegel
Thanks for the heads up!

(The EFF alert only suggests disabling tools that *automatically*
decrypt messages.
Stumbling around a bit on the net, this sounds like a rehash of
https://sourceforge.net/p/enigmail/bugs/226/
Anyway, if you have a checkbox for 'automatically decrypt', you might
consider unticking it.)
- Dan

On Mon, May 14, 2018 at 12:27 AM, Robert J. Hansen  wrote:
> [taps the mike]
>
> Hi.  I maintain the official GnuPG FAQ.  So let me start off by
> answering a question that is certainly about to be asked a lot: "Should
> we be worried about OpenPGP, GnuPG, or Enigmail?  The EFF's advising us
> to uninstall it!"
>
> https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
>
> Werner saw a preprint of this paper some time ago.  I saw it recently.
> Patrick Brunschwig of Enigmail saw it.  None of us are worried.  Out of
> respect for the paper authors I will skip further comment until such
> time as the paper is published.
>
> It would've been nice if EFF had reached out to us for comment, rather
> than apparently only talking to the paper authors.  We hope they'll
> reach out next time.
