On Thu, 10 Jul 2014, Ted Mittelstaedt wrote:
On 7/10/2014 8:26 AM, David F. Skoll wrote:
On Wed, 9 Jul 2014 17:44:26 -0700 (PDT)
John Hardin <jhar...@impsec.org> wrote:
> I'm not excusing their approach, but I'm saying there are a lot of
> sources of real-world friction that lead to suboptimal solutions like
> this. I expect the desire to avoid requiring installation (and
> maintenance!) of PGP/GPG by their (assumed non-technical) customers
> is the primary reason they are doing it this way.
Yes.
Symantec is the real culprit here. It is actively encouraging the
compromising of computers with the workflow of its product.
The proper approach would have been to make freely available a
"Symantec Encrypted Archive" viewer, similar to how Adobe makes PDF
readers freely available.
By using PGP they are using an open source encryption algorithm. If they
supply their own encrypted viewer then almost certainly it would be
closed source and there's no way to know if the NSA or some other malevolent
agency inserted a back door - like was done with RSA.
Agreed. It would be better if there was an open-source PGP/GPG archive
viewer application. However...
SO I think that using PGP was the right course of action here.
PGP is a red herring here.
Fundamentally the problem as I see it is lack of verification. You pointed
that out yourself.
Um, no, the problem is that this Symantec tool is training people to
rename and run executable email attachments. The misnamed-executable
practice is to bypass security policies that dictate email messages shall
not have executable attachments in order to avoid malware.
As you properly pointed out - this is a lack of verification problem, NOT a
lack of encryption problem.
That too, but when you've trained users to not view "rename and run this
file" with immediate suspicion, you've drastically lowered the bar for
malware.
If Symantec replaces PGP with their own custom thing now you're not only
introducing the lack of verification, you're also introducing unreliability of
encryption, too. Use of PGP is actually the proper thing to do.
Again, PGP is a red herring here.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
There is no better measure of the unthinking contempt of the
environmentalist movement for civilization than their call to
turn off the lights and sit in the dark. -- Sultan Knish
-----------------------------------------------------------------------
10 days until the 45th anniversary of Apollo 11 landing on the Moon
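The thread's core complaint is that users are being trained to rename a blocked attachment and run it, which only works because the mail policy judges attachments by file name. The following is an added example, not code from the thread or from any product discussed in it, showing a gateway-side check that classifies an attachment by its content (a DOS "MZ" header whose e_lfanew field points at a "PE\0\0" signature) as well as by its extension, so a renamed Windows executable is still flagged. The blocked-extension list, the function names and the sample byte string are all constructed for this illustration.

```python
import os
import struct

# Extensions a name-only policy would block (assumed policy list, constructed here).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi"}


def looks_like_pe(data: bytes) -> bool:
    """Return True if the bytes carry a PE (Windows executable) header.

    A PE file starts with a DOS stub whose first two bytes are 'MZ'; the
    32-bit little-endian value at offset 0x3C (e_lfanew) gives the offset of
    the 'PE\\0\\0' signature. The file name plays no part in this test.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_attachment(filename: str, data: bytes) -> str:
    """Combine the name-based and content-based verdicts.

    'renamed-executable' is the case the thread describes: the extension is
    innocuous but the content is a Windows executable, so a policy that only
    looks at names would let it through.
    """
    ext = os.path.splitext(filename.lower())[1]
    by_name = ext in BLOCKED_EXTENSIONS
    by_content = looks_like_pe(data)
    if by_name and by_content:
        return "executable"
    if by_content:
        return "renamed-executable"
    if by_name:
        return "executable-by-name"
    return "allowed"


# Constructed sample: the smallest byte string that satisfies looks_like_pe().
# 'MZ', padding up to offset 0x3C, e_lfanew = 0x40, then the 'PE\0\0' signature.
SAMPLE_PE = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00"

# Constructed attachments as (name, bytes) pairs a gateway might see.
SAMPLE_ATTACHMENTS = [
    ("quarterly-report.pdf", SAMPLE_PE),   # executable hiding behind a document name
    ("installer.exe", SAMPLE_PE),          # executable with an honest name
    ("notes.txt", b"plain text, nothing to see"),
    ("script.bat", b"@echo off"),          # blocked by name even without a PE header
]


def scan_attachments(attachments):
    """Return a {filename: verdict} mapping for a list of (name, bytes) pairs."""
    return {name: classify_attachment(name, data) for name, data in attachments}


if __name__ == "__main__":
    for name, verdict in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name:24s} {verdict}")
```

The point of the content check is that the gateway's verdict no longer depends on a name the sender controls; a legitimate encrypted archive delivered as an opaque data file would still pass, while a renamed executable is caught whatever its extension says.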