At 5:29 PM -0500 8/19/00, Adam Back wrote:
>
>Anyway, the way I found out about the bug, was by sending someone who
>checks signatures (thanks Ben Laurie) a signed message. I'm not sure
>how many other signatures I've signed with some misc. test keys by
>accident, and the recipients have simply not bothered to check the
>sigs. It's even possible as an occasional remailer user that I may
>have signed something sent via remailers that actually identifies me.
>So empirically it can be a security problem, because basically it
>caught me, and I am generally careful with PGP.

Dimitri,

I ran the mailcrypto-3.5.x patch on our systems, and now our hard
drives have been erased.

Why did you attach the name "Adam Back" to your message, by the way?

(My point being that I wonder why Adam didn't sign his patch
messages. Perhaps I missed a signature embedded in the patches
themselves, which I didn't look at. Given the recent spate of
malicious viruses, a "patch" to a critical subsystem seems like the
last thing people should just load and run without knowing precisely
where it came from.)

No, I don't sign my messages. But I am also not sending out patches
and executables.

(Not counting lists of burrowcrats I may send out.)

--Tim May
--
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
ComSec 3DES: 831-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
"Cyphernomicon" | black markets, collapse of governments.