Re[2]: PGP signing question.

2000-05-31 Thread Jamie Dainton

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

*/Reply

Sunday, May 28, 2000, 2:05:08 AM, you wrote:

NA> -BEGIN PGP SIGNED MESSAGE-
NA> Hash: SHA1

NA> On Saturday, May 27, 2000, 4:52:37 PM, Christian Dysthe wrote:

CD>> U.why is that? Isn't PGP..eh..PGP? I mean isn't a 1024 key just as
CD>> secure implemented in The Bat! as used from an external application? I am
CD>> not expert, maybe I have missed something?

NA> Well, for one thing, I don't believe the internal implementation allows
NA> for use of anything other than RSA Keys. The question then remains: Which
NA> algorithms are stronger... RSA or DH/DSS? In practise, RSA Keys seem to be
NA> more vulnerable, and the reasons can be found here:

RSA old style keys are much more vulnerable. I've got a v. useful
screensaver that brute force cracks 512 bit RSA keys overnight :-)

External PGP is free and simple and can be used to digitally sign
everything. Or encrypt strange files.



From
 Jamie
[EMAIL PROTECTED]
22:00:16 30 May 2000

//Insert comment here

Windows 98 4.10 Build 1998
The Bat 1.44
- --

 Jamie mailto:[EMAIL PROTECTED]

-BEGIN PGP SIGNATURE-
Version: PGP 6.0.2i
Comment: Jamie Dainton - [EMAIL PROTECTED]

iQA/AwUBOTQsPvwQejftkdBIEQI5yQCeNtZEmy4OjDM/vKFIjR20934XNcMAn38L
uPRrcIJy5bsaHdk3I0r+yS8k
=aDK3
-END PGP SIGNATURE-



-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   
To Unsubscribe from TBUDL, double click here and send the message:
   
--

You are subscribed as : archive@jab.org





Re[2]: PGP signing question.

2000-05-28 Thread phil

Greetings Nick!

On Sunday, May 28, 2000 at 10:18:02 GMT -0700 (which was 10:18 AM
where you think I live) [EMAIL PROTECTED] typed:
p>> Although I've spent plenty of time on securityfocus.com I disagree,
p>> security through obscurity is not very effective.   Look at all the
p>> shareware programs that get cracked because of that belief.

NA> But Phil, that really isn't a fair comparison. The complexities of the
NA> examples you cite, differ greatly, and it's the very nature of the
NA> complexity of PGP Code that brings the value of Open Source into question.
what do you want me to agree?   I don't agree.  sorry. heh

NA> I must admit though, that I'm fence-sitting on this issue, and not taking
NA> a stand as I earlier alluded to. I don't have enough information, or
NA> experience, to harbour a viewpoint, one way or the other.
I look at it this way
If they say they aren't--they ARE.
If they say it isn't--it IS.
If they say they don't--they DO.
If they say it's the truth--it's a LIE.

How many more examples do you need.  LOL

If they say there is no money involved--there IS.
Follow the money, find the corruption.  simple.


NA> Don't you wonder though... why the US Government suddenly lifted the
NA> export ban on PGP? Kind of makes you question whether or not the NSA knows
NA> something about their ability re. PGP, that we don't.
Why should I wonder about that?   Why would I assume the NSA monitors
anything at all?


-- 
... Mark McGwire knows how to use The Bat!
--- The Bat! 1.44 + 98Lite + Revenge of Mozilla II






Re[2]: PGP signing question.

2000-05-28 Thread phil

Greetings Nick!

On Sunday, May 28, 2000 at 10:10:20 GMT -0700 (which was 10:10 AM
where you think I live) [EMAIL PROTECTED] typed:
NA> U... I don't think you can "dismiss such claims" based solely on the
NA> Open Source Code. Remember,  one point of the argument _for_ obscurity, is
NA> that with Open Source, not only can the good guys find problems, but so
NA> can the bad guys, only they won't be so forthright in letting others know
NA> of it.

I'm not an expert, I'm not a reverse-engineer, but I know...

If you obscure it, then someone will just reverse-engineer it until
they know what's in it.  Or know enough about what's in it that it is
no longer obscured.  Again, this is exactly how shareware programs get
cracked.  It's stupid to think that obscurity alone by itself will be
a silver bullet.   You might make it take longer to figure out.

It's delaying the unavoidable.  And big sis makes a stupid greedy
mistake with this.  But you can believe what you want to believe.
You can write your spaghetti coded, obscured, closed source all you
want, there will still be those who can figure out just enough to
crack through whatever you do.   Go ahead, use obscurity, but don't
rely on it completely 100% or you're in for a big surprise.   I am one
individual that won't be listening to big sis's propaganda about
obscurity.

OTOH- if you make source available, then people report and fix bugs,
and it only gets better.

-- 
... If only women came with pulldown menus and online help like The Bat! does..
--- The Bat! 1.44 + 98Lite + Revenge of Mozilla II






Re[2]: PGP signing question.

2000-05-28 Thread phil

Greetings Nick!

On Saturday, May 27, 2000 at 23:06:07 GMT -0700 (which was 11:06 PM
where you think I live) [EMAIL PROTECTED] typed:
p>>> Technically if you want to get down and say that, then I've always
p>>> heard that the older the version of pgp (ie. 2.x) are harder to
p>>> crack than the newer windows versions.  I can't remember where I
p>>> heard that though, I've always believed it.

NA> There are arguments for and against Open Source Software as being more
NA> secure than Closed Source Software. The relevant arguments can be read
NA> here:

NA> http://www.securityfocus.com/commentary/19
NA> http://www.technocrat.net/955986079/index_html

NA> Personally, I believe Open Source Software has the "potential" to be more
NA> secure, but there is also value in security through obscurity. :o)
Although I've spent plenty of time on securityfocus.com I disagree,
security through obscurity is not very effective.   Look at all the
shareware programs that get cracked because of that belief.
(Old Fravia used to talk about that)



I wouldn't trust NAI at this point.  But that is me personally.  I
don't use anything by them at all.  I miss the old McAfee SCAN.EXE
days!!  now they are over the edge.

 I read back in 1995-96 an article was in Extraordinary Science
Magazine published by the ITS and the article was written by JW
McGinnis (the magazine is OOP now) to download version 2.3 of pgp
because this whole whoopla was about to hit and the governments were
going to start messing with pgp. I've also head numerous articles by
hackers that said that the "older versions are the best." When asked
which version do I want, the answer was, the oldest version you can
get. The version that McGinnis was telling us to get was the source
code of 2.XX (the version without the windows support dll's) So when I
try to run that in The Bat it won't work. There are shells for it
although I am not crying about this, I'm only passing on information
that I understand. I trust McGinnis more than I trust someone I
haven't met--I've met McGinnis in San Francisco, Ca. And talked with
him, and he is one who has reasons specifically to encrypt secrets, I
haven't met some of the other well known people in the cryptography
field; some of which I assume are US planted disinformation websites.
There are MILLIONS if not BILLIONS of crypto sites on the web.
Cryptome in/out is another example of a place that I hang out reading
news. Then there is the Mitnick saga.. Is the FBI not still trying to
crack into his hard drives at this very moment? What version did he
use?

Obviously the password will be making a big difference in how soon the
FBI will be cracking it.

Although I am using a ckt (Cyber Knights Templar) version of pgp
(which allow a larger key) at the moment, I also have and use a much
older version and retain all the extra junk in my startup files for
that version. I use this ckt version mainly to stymie the Free Dial Up
account[s] possibility of reading mail. I'm not after keeping FBI
spooks out of my top secret physics experiments on cold fusion with
the ckt build. If I wanted that I would use the older pgp.


note: that if you get the ckt build, expect for a large key
to take more than an hour to compile--I fell asleep waiting

Somebody mentioned RSA vs. DH/DSS  I trust the DH/DSS more than RSA
because I've heard that RSA has been cracked, or tampered with.

Problem is getting other people to use DH/DSS most people don't create
more than one key, or end up deleting keys like I do.  "Whoops.  Damn
you mean to tell me that the key will stay on the MIT server if I lost
my key?"  -AHahahah LOL


G>> This is because the older versions have the open source code readily
G>> available for inspection to see if there has been any tampering via
G>> checksums, both the US and International versions.  The new versions -
G>> well, the source code has not been available, as far as I can tell.

NA> I know source code is available for 6.5.1, and perhaps even 6.5.2, but
NA> beyond that I'm not sure. Again, I don't see the value in using something
NA> along the lines of 5.X vintage when Open Source exists for 6.5.1, and that
NA> is only _if_ OSS is important to you... because the latest freeware
NA> version is 6.5.3

Na, you just haven't searched. The sources are available.  But most
people (myself included) wouldn't know what the hell we were looking
at.  It's still Great fun to compile though!


-- 
... autoexec.bat: A Wise Yuppie with a new copy of the bat.
--- The Bat! 1.44 + 98Lite + Revenge of Mozilla II






Re[2]: PGP signing question.

2000-05-27 Thread phil

Greetings Nick!

On Saturday, May 27, 2000 at 18:05:08 GMT -0700 (which was 6:05 PM
where you think I live) [EMAIL PROTECTED] typed:

NA> The latest freeware version of PGP is 6.5.3, and PGP Desktop Security 7.0
NA> has already been released, although the freeware version has not. There is
NA> no reason to be using anything other than the latest and greatest, when it
NA> comes to security.
Technically if you want to get down and say that, then I've always
heard that the older the version of pgp (ie. 2.x) are harder to crack
than the newer windows versions.  I can't remember where I heard that
though, I've always believed it.

-- 
... Unicorns vs. Bat , and that unicorn is just about out of BLOOD NOW! hahahah
--- The Bat! 1.44 + 98Lite + Revenge of Mozilla II






Re[2]: PGP signing question.

2000-05-27 Thread Christian Dysthe

Hello Nick,

Saturday, May 27, 2000, 5:25:22 PM, you wrote:



NA> Hopefully, PGP will be better implemented in Version 2.0, but until then,
NA> it's my feeling that the external PGP implementation, as opposed to the
NA> internal, would better accommodate the security concerns of TB! Users.

U.why is that? Isn't PGP..eh..PGP? I mean isn't a 1024 key just as
secure implemented in The Bat! as used from an external application? I am
not expert, maybe I have missed something?

Besides that, the built in PGP is so easy to use and set up I think a
lot more users will be able to use it than the external alternatives.
Which is...yes! would accommodate security for more The Bat! users. Some
security is better than none, right? :)

NA> Nick

NA> -BEGIN PGP SIGNATURE-
NA> Version: PGP 6.5.3
NA> Comment: Digitally signed to allow for authentication by recipient.

NA> iQA/AwUBOTBLUMUChHR7o/3OEQKMkgCgsJFXgZOPqwS8aWjRy3mMvW7oJ+EAnR3H
NA> qq+riMzhTLKmwp0HDpZYR5eK
NA> =yYaO
NA> -END PGP SIGNATURE-




-- 
Best regards,
Christian Dysthe   
http://christian.dysthe.tripod.com
ICQ: 3945810

PGP Public Key:
mailto:[EMAIL PROTECTED]?subject=Send_PGP_Key







Re[2]: PGP signing question.

2000-05-27 Thread Christian Dysthe

Hello Nick,

Saturday, May 27, 2000, 12:15:17 AM, you wrote:

NA> I have two Accounts Christian, and would like to do the same thing, but
NA> I've not figured out how, unless someone else has come up with a way. It
NA> would be a nice implementation though.

NA> Instead, TB! simply PGP clear-signs via whatever key you've designated as
NA> your default key in PGP Keys. Even if you were to use the %SIGNCOMPLETE
NA> macro, you would still have to choose which key you wanted to use... via
NA> the drop down list under "Signing Key" in the accompanying dialogue box...
NA> each and every time you send a message. Don't forget to disengage the
NA> passphrase caching in PGP Options if you always want that choice.



NA> Nick

NA> -BEGIN PGP SIGNATURE-
NA> Version: PGP 6.5.3
NA> Comment: Digitally signed to allow for authentication by recipient.

NA> iQA/AwUBOS9Z4sUChHR7o/3OEQI2SwCg59KDGH2OruRYyDYqemok0vxzg5MAoJCO
NA> XrP7oZCC9yawgwF1mdhZh+cm
NA> =DcOG
NA> -END PGP SIGNATURE-

I was pretty sure this was implemented when I started playing with PGP
in The Bat! since The Bat! is a (and one among *very* few) truly multi
account supporting clients. I see you use an "external" PGP
implementation. It wouldn't be that the internal PGP implementation in
The Bat! can do this? I am now pretty sure it can't after having
looked in every corner for both documented and a possibly undocumented
feature, but I ask again :)

You are right though, in these multi mail account times when even your
average ISP gives you a few aliases this functionality would be very
helpful.

-- 
Best regards,
Christian Dysthe   
http://christian.dysthe.tripod.com
ICQ: 3945810

PGP Public Key:
mailto:[EMAIL PROTECTED]?subject=Send_PGP_Key

