Re: Plan B - Who carries the torch?
On 1/5/21 8:24 AM, Konstantin Ryabitsev wrote: On Tue, Jan 05, 2021 at 07:27:14AM -0500, Jean-David Beyer via Gnupg-users wrote: Building a web of trust is so hopeless, from my point of view, that I have abandonned gnupg. I have made keys for myself, obtained enigmail for my Firefox browser, etc. But those with whom I correspond by e-mail has diminished to almost the vanishing point. They use text messages on their cell phones, Facebook messages, etc. While a few worry about the "CIA" snooping on them, none will consider gnupg and enigmail. So for me, it is pointless. -- .~. Jean-David Beyer /V\ Shrewsbury, New Jersey /( )\ Red Hat Enterprise Linux ^^-^^ up 4 days, 13 hours, 37 minutes I noticed your signature, so I must point out that RHEL and the Linux Kernel development process rely heavily on GnuPG and the web of trust. Every time you update packages on your system, large parts of the supply chain were verified using GnuPG, relying on the integrity of the trust store shipped with RHEL. So, you may not see it in your person-to-person communication, but you use GnuPG every day. -K I sit corrected: $ rpm -qf /usr/bin/gpg gnupg2-2.2.9-1.el8.x86_64 I posted, not so much to criticize GnuPG as to criticize my associates who talk security paranoia, but refuse to do anything about it. When all is said and done, more is said than done. At least, with my associates. -- .~. Jean-David Beyer /V\ Shrewsbury, New Jersey /( )\ Red Hat Enterprise Linux ^^-^^ up 4 days, 15 hours, 2 minutes ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Plan B - Who carries the torch?
On 1/4/21 9:31 PM, ï¿œngel wrote: Finally, every user will need to discard their now-useless keys, generate new ones and rebuild the chain of turst from the ground up. Building a web of trust is so hopeless, from my point of view, that I have abandonned gnupg. I have made keys for myself, obtained enigmail for my Firefox browser, etc. But those with whom I correspond by e-mail has diminished to almost the vanishing point. They use text messages on their cell phones, Facebook messages, etc. While a few worry about the "CIA" snooping on them, none will consider gnupg and enigmail. So for me, it is pointless. -- .~. Jean-David Beyer /V\ Shrewsbury, New Jersey /( )\ Red Hat Enterprise Linux ^^-^^ up 4 days, 13 hours, 37 minutes ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: We have GOT TO make things simpler
On 10/7/19 9:32 AM, Phillip Susi wrote: > Bingo! And as long as the user is not interested in it, and won't learn > how to properly use it, all they will get is the veneer of privacy and > learn the hard way that they really aren't secure. You just can't make > security idiot proof. I had a realistic uncle who used to say, "You can always design a system to be fool-proof; but if you do, a damned-fool will come along. -- .~. Jean-David Beyer /V\ PGP-Key:166D840A 0C610C8B /( )\ Shrewsbury, New Jersey ^^-^^ 15:45:01 up 13 days, 21:19, 2 users, load average: 4.39, 4.72, 4.87 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Generating revocation certificate
On 4/6/19 12:32 PM, Markus Reichelt wrote: > i'm using on slackware64-current (if you are using windows, all hands > are off) > > gpg --version > gpg (GnuPG) 2.2.15 > libgcrypt 1.8.4 Mine's bigger than yours (older, too): $ gpg --version gpg (GnuPG) 2.0.14 libgcrypt 1.4.5 Copyright (C) 2009 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, ELG, DSA Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 -- .~. Jean-David Beyer /V\ PGP-Key:166D840A 0C610C8B /( )\ Shrewsbury, New Jersey ^^-^^ 12:45:01 up 22:44, 2 users, load average: 4.26, 4.55, 4.53 signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Announce] [security fix] GnuPG 2.2.8 released (CVE-2018-12020)
/documentation/manuals/gnupg.pdf . >> >> The chapters on gpg-agent, gpg and gpgsm include information on how to >> set up the whole thing. You may also want to search the GnuPG mailing >> list archives or ask on the gnupg-users mailing list for advise on how >> to solve problems. Most of the new features are around for several >> years and thus enough public experience is available. >> >> Please consult the archive of the gnupg-users mailing list before >> reporting a bug: <https://gnupg.org/documentation/mailing-lists.html>. >> We suggest to send bug reports for a new release to this list in favor >> of filing a bug at <https://bugs.gnupg.org>. If you need commercial >> support check out <https://gnupg.org/service.html>. >> >> If you are a developer and you need a certain feature for your project, >> please do not hesitate to bring it to the gnupg-devel mailing list for >> discussion. >> >> >> Thanks >> == >> >> Maintenance and development of GnuPG is mostly financed by donations. >> The GnuPG project currently employs one full-time developer and one >> contractor. Both work exclusively on GnuPG and closely related software >> like Libgcrypt, GPGME, and GPA. We are planning to extend our team >> again and to help developers to improve integration of crypto in their >> applications. >> >> We have to thank all the people who helped the GnuPG project, be it >> testing, coding, translating, suggesting, auditing, administering the >> servers, spreading the word, and answering questions on the mailing >> lists. >> >> Many thanks to our numerous financial supporters, both corporate and >> individuals. Without you it would not be possible to keep GnuPG in a >> good shape and address all the small and larger requests made by our >> users. Thanks. >> >> >> Happy hacking, >> >>Your GnuPG hackers >> >> >> >> p.s. >> This is an announcement only mailing list. Please send replies only to >> the gnupg-users'at'gnupg.org mailing list. >> >> p.p.s >> List of Release Signing Keys: >> >> To guarantee that a downloaded GnuPG version has not been tampered by >> malicious entities we provide signature files for all tarballs and >> binary versions. The keys are also signed by the long term keys of >> their respective owners. Current releases are signed by one or more >> of these four keys: >> >> rsa2048 2011-01-12 [expires: 2019-12-31] >> Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 >> Werner Koch (dist sig) >> >> rsa2048 2014-10-29 [expires: 2019-12-31] >> Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959 >> David Shaw (GnuPG Release Signing Key) >> >> rsa2048 2014-10-29 [expires: 2020-10-30] >> Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06 >> NIIBE Yutaka (GnuPG Release Key) >> >> rsa3072 2017-03-17 [expires: 2027-03-15] >> Key fingerprint = 5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28 >> Andre Heinecke (Release Signing Key) >> >> The keys are available at <https://gnupg.org/signature_key.html> and >> in any recently released GnuPG tarball in the file g10/distsigkey.gpg . >> Note that this mail has been signed by a different key. >> === >> >> [1] If you want to test whether you are affected by this bug, remove the >> indentation from the following block >> >> -BEGIN PGP MESSAGE- >> >> jA0EBwMC1pW2pqoYvbXl0p4Bo5z/v7PXy7T1BY/KQxWaE9uTBRbf4no64/+5YYzX >> +BVNqP+82aBFYXEsD9x1vGuYwofQ4m/q/WcQDEPXhRyzU+4yiT3EOuG7sTTaQR3b >> 8xAn2Qtpyq5tO7k9CN6dasaXKSduXVmFUqzgU+W9WaTLOKNDFw6FYV3lnOoPtFcX >> rzhh2opkX9Oh/5DUkZ6YmUIX3j/A0z+59/qNO1i2hQ== >> =zswl >> -END PGP MESSAGE- >> >> and pass to this pipeline >> >> gpg --no-options -vd 2>&1 | grep '^\[GNUPG:] INJECTED' >> >> If you get some output you are using a non-fixed version. >> >> >> >> ___ >> Gnupg-announce mailing list >> gnupg-annou...@gnupg.org >> http://lists.gnupg.org/mailman/listinfo/gnupg-announce >> >> >> >> ___ >> Gnupg-users mailing list >> Gnupg-users@gnupg.org >> http://lists.gnupg.org/mailman/listinfo/gnupg-users >> > > > > ___ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > It says part of your message to me was encrypted and prompted me for my passphrase, but it must not have been encrypted with my public key. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net ^^-^^ 16:45:01 up 19 days, 21:28, 2 users, load average: 6.09, 5.31, 4.80 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Break backwards compatibility already: it’s time. Ignore the haters. I trust you.
On 05/20/2018 08:51 PM, Jeremy Davis wrote: > I just read the awesome article "Efail: A Postmortem" by Robert Hansen. > > Thanks for this Robert. Great work! > > As suggested by Robert, I've signed up to say: > > Break backwards compatibility already: it’s time. Ignore the haters. I > trust you! :) > One of the problems with Windows is that they preserved the backwards compatibility for far too long, so they could never clean it up enough to make it any good. I admit that Windows 7 is better than Windows XP that was much better than Windows 95. I wonder just how much complexity there is in my FiOS box to convert the fiber-optic to plain old telephone service that must still be compatible with my old rotary dial telephone that requires 90 volt 20 cycle power to ring the bell. And all my electronic telephones with electronic ringers that must be protected from that 90 volt ringing current. Can you imagine the redesign that would be required so I could start the gasoline engine in my Prius with a hand crank in the front? -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net ^^-^^ 23:05:01 up 4 days, 6:55, 1 user, load average: 4.04, 4.05, 4.07 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Efail or OpenPGP is safer than S/MIME
On 05/19/2018 09:00 AM, Patrick Brunschwig wrote: > On 19.05.18 14:15, Werner Koch wrote: >> On Fri, 18 May 2018 12:18, patr...@enigmail.net said: >> >>> How far back will that solution work? I.e. is this supported by all >>> 2.0.x and 2.2.x versions of gpg? >> >> 2.0.19 (2012) was the first to introduce DECRYPTION_INFO In any case >> 2.0 is end-of-life. In theory we could backport that to 1.4 but I don't >> think that makes sense. > > Enigmail runs on many long-term Linux distributions that still ship > older, presumably patched, versions of GnuPG. For example, Red Hat EL > 6.9/Centos 6.9 contains GnuPG 2.0.14, but current versions of Thunderbird. > > GnuPG 2.0.x will therefore still be relevant for me for many years to come. > Me too! Red Hat Enterprise Linux Server release 6.9 (Santiago) thunderbird-52.7.0-1.el6_9.x86_64 gnupg2-2.0.14-8.el6.x86_64 Enigmail 2.0.4 -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net ^^-^^ 09:40:01 up 2 days, 17:30, 2 users, load average: 4.15, 4.27, 4.46 signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: your message could not,be delivered to one or more recipients.
On 11/17/2017 03:09 AM, Werner Koch wrote: > On Thu, 16 Nov 2017 17:56, w...@uter.be said: > >> Alternatively, AOL might be trying to send the mail from a different > > Very likely - greylistd comes with a list of whitelisted AOL server > pools. 204.29.186.0/24 is not yet in this list - I added it to the > local installations. > > > Salam-Shalom, > >Werner > Thank you. I used to use Verizon as my SMTP provider, but when they bought AOL, they discontinued serving e-mail and transferred everything to AOL's servers. I usually have no trouble posting to gnupg-users@gnupg.org but that one did not go through. Yesterday, I did a whois on 204.29.186.9 and it came up as AOL, but AOL for the .ru area (it came up with other areas where presumably AOL serves). But today there seems to be only the main entry in Dulles, VA. If someone had been messing with the DNS, no wonder gnupg.org would be suspicious. Right now everything looks OK. $ dig -x 204.29.186.9 ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 204.29.186.9 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63531 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4 ;; QUESTION SECTION: ;9.186.29.204.in-addr.arpa. IN PTR ;; ANSWER SECTION: 9.186.29.204.in-addr.arpa. 300 IN PTR omr-m007e.mx.aol.com. ;; AUTHORITY SECTION: 186.29.204.in-addr.arpa. 3600 IN NS dns-07.ns.aol.com. 186.29.204.in-addr.arpa. 3600 IN NS dns-02.ns.aol.com. 186.29.204.in-addr.arpa. 3600 IN NS dns-01.ns.aol.com. 186.29.204.in-addr.arpa. 3600 IN NS dns-06.ns.aol.com. ;; ADDITIONAL SECTION: dns-01.ns.aol.com. 126866 IN A 64.12.51.132 dns-02.ns.aol.com. 126866 IN A 205.188.157.232 dns-07.ns.aol.com. 126866 IN A 64.236.1.107 dns-06.ns.aol.com. 126866 IN A 207.200.73.80 ;; Query time: 123 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Fri Nov 17 08:53:27 2017 ;; MSG SIZE rcvd: 228 -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net ^^-^^ 08:35:01 up 2 days, 15:50, 2 users, load average: 4.42, 4.27, 4.14 signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
your message could not,be delivered to one or more recipients.
This is the mail system at host omr-m007e.mx.aol.com. I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below. For further assistance, please send mail to postmaster. If you do so, please include this problem report. You can delete your own text from the attached returned message. The mail system <gnupg-users@gnupg.org>: host kerckhoffs.g10code.com[217.69.77.222] said: 451-204.29.186.9 is not yet authorized to deliver mail from 451 <jeandav...@verizon.net> to <gnupg-users@gnupg.org>. Please try later. (in reply to RCPT TO command) _ Reporting-MTA: dns; omr-m007e.mx.aol.com X-Outbound-Mail-Relay-Queue-ID: 58F77380004C X-Outbound-Mail-Relay-Sender: rfc822; jeandav...@verizon.net Arrival-Date: Wed, 15 Nov 2017 09:01:43 -0500 (EST) Final-Recipient: rfc822; gnupg-users@gnupg.org Original-Recipient: rfc822;gnupg-users@gnupg.org Action: failed Status: 4.0.0 Remote-MTA: dns; kerckhoffs.g10code.com Diagnostic-Code: smtp; 451-204.29.186.9 is not yet authorized to deliver mail from 451 <jeandav...@verizon.net> to <gnupg-users@gnupg.org>. Please try later. __ >From where does it get port 451? My SMTP port is 465 204.29.186.9 is my ISP for e-mail: AOL. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net ^^-^^ 08:40:01 up 1 day, 15:55, 2 users, load average: 4.81, 4.90, 4.72 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Counterarguments Supporting GnuPG over Off The Record (OTR)
On 01/19/2017 04:06 AM, Stephan Beck wrote: > 15-20 years from now, OpenPGP will have expired and be a case of study > for computer historians. > I agree. 20 years from now, we will all be using telepathy, and the telephone and Internet will be redundant. Without electromagnetic communication, and without paper communication, we will be unable to encrypt anything. Will there be an equivalent to OpenPGP that works with telepathy? -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net ^^-^^ 11:10:01 up 8 days, 19:55, 3 users, load average: 5.18, 4.96, 4.87 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/25/2015 12:50 PM, Ingo Klöcker wrote: > On Thursday 24 December 2015 17:02:54 Matthias Apitz wrote: >> Hello, >> >> I do not fully understand why some 4 random words like >> >> Correct, horse! Battery staple! >> >> is a better passphrase like, for example >> >> Und allein dieser Mangel und nichts anderes führte zum Tod. >> >> i.e. some phrasing which could be memorized better? > > The second sentence is found by search engines (2 hits in > DuckDuckGo). Don't use it or any other phrase that's has been > published on the internet. A phrase of 4 random words has a high > probability that it has not been published on the internet (or > anywhere else). The tricky part is that you must never put your > 4-random-words phrase into a search engine to check this. > > Instead of using a 4-random-words phrase you can use a proper > sentence with equivalent entropy provided that you do not use a > sentence that has been published anywhere. Come up with your own > sentence. Ideally come up with a sentence that doesn't make any > sense like "The horse was correct. You cannot staple batteries." > This phrase might be easier to remember and has a similar entropy > as the above mentioned 4-random-words phrase. > > A favorite of mine, not usable then, and even less so now, is the following: At Night We Walk in Circles and Are Consumed by Fire In Latin, that is a palindrome. It is now the name of a musical composition, and has a group of its own on Facebook. https://www.wnyc.org/radio/#/ondemand/510001 - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net ^^-^^ 10:35:01 up 1 day, 11:08, 2 users, load average: 4.16, 4.24, 4.19 -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.14 (GNU/Linux) iQEcBAEBAgAGBQJWfrg0AAoJEBZthAoMYQyLcOMH/3q0mmnai7E49VontTna/2gf yZD9FHbiVE7tQl2OZmjNa16AzVMwpTlJxpS82/n3/8ljVxWbyd0JzdStAyq4xONV hdYN05SL6A43L8dobaO0IQLMB7ZdzJYawQW8wLfKQzevXMMXMiGg5BLMVdhNMqWo TPOLu8GFPfDGqC1P6EzKplCremb2NsMvrxw1RpxQcNwIksz1S3XO+YZWAYegUmsC fUCVH3qgTNrlaiG/FFGqBols0RJYS9EsWC/0EWSOZN0TCqzfoWbwPSse76HolV9Y lkXklPCxaqwan09jtkGwwSye1sTTHjmHA6t1YtK8yRxNc5k/zQKiY3mvLtt23Nc= =2AOW -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How can it be made even easier!?
On 10/04/2015 10:30 AM, Don Saklad wrote: > How can it be made even easier!? > > Trying to encourage M.D.'s to use it is met with complaints about not > having time to learn about it. Set up is a too complicated sequence of > steps that aren't entirely clear. The steps can get hampered where there > aren't instructions that cover what to do when one of the steps goes > awry! > Not just doctors. My lawyer has the same problem. She really needs signed e-mails and encrypted e-mails, but has not the time to learn all about how to install and use it. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net ^^-^^ 17:30:01 up 18 days, 4:32, 3 users, load average: 5.27, 5.59, 5.68 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Random Seed for Generating PGP Keys
On 05/24/2015 05:11 PM, kendrick eastes wrote: On Sun, May 24, 2015 at 10:35 AM, George Lee geo...@cmtytech.org mailto:geo...@cmtytech.org wrote: Hello, I'm interested in seeing if rather than relying on the built-in software to generate randomness when creating a PGP key, if it is possible to configure GnuPG to use a manually entered random seed. That way I could generate a seed using coins, dice, my magic cauldron, etc. Is this possible to do? How much entropy in a seed would I need? I also imagine that folks might say the software is very good at generating random numbers. Feel free to share more details why, e.g. how many bits of entropy are provided and how to make sure they're truly random. But it would still be helpful to know if the above customization is possible. Thank you! - George would it not be more reliable and simpler to use a HWRNG to generate entropy? In theory, no software random number generator can generate truly random numbers, since they will repeat. They function they generate is cyclic, just as sin(t) is cyclic, though their period is much greater. But once you use an algorithm to generate random numbers, you have sinned. If you used a good HwRNG. https://en.wikipedia.org/wiki/Comparison_of_hardware_random_number_generators has a list of commercially available generators, and i know i have seen at least 2 homebrew designs that had source and HW schematics released. This article would have been more useful if the author had subjected these random number generator to the usual mathematical tests for randomness. Here is what was, at the time it was written, a very good paper on software random number generators. Almost 50 years old now. I have not kept up with the field, so I do not know how much progress, if any, has been made since. https://dl.acm.org/citation.cfm?id=321379 I remember in the past when I needed a random number generator, I made plots on a crt where one random number was used as the x-coordinate and the next one was used as the y-coordinate of a plotted point. I expected to see a mess of noise, but there were, instead, stripes. Turns out there was a bug in the RNG I was using. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net ^^-^^ 07:35:01 up 23 days, 15:26, 2 users, load average: 4.22, 4.37, 4.69 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: multiple instances of gpg-agent
On 05/21/2015 05:30 AM, Werner Koch wrote: On Thu, 21 May 2015 04:37, jeandav...@verizon.net said: --write-env-file $@{HOME@}/.gpg-agent-info I tried this and it would not work. No such file or directory. I removed the @ signs and then that part worked. Sorry, I copied it from the texinfo source and missed these escape sequences. No harm done. It did not take long to figure it out. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net ^^-^^ 19:45:01 up 20 days, 3:36, 2 users, load average: 5.35, 4.96, 4.73 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: generating revocation certs non-interactively
On 05/19/2015 06:51 AM, Michelle Gmail wrote: U cheated, u lied, u manipulated me, u destroyed my credit the apartment , my life ur beautiful daughter that's so happy and just loves for us all to be together, ur stepson now can not get a birthday gift because I do not know how I will be able to pay rent or other bills or food , we can not even afford another apartment, what U have done was so cold as if we just all met, then u lied repeatedly too u were blue in the face denying u had a girlfriend and denied that all those things I said weren't true BUT THEY WERE. The planning u did the roll u played was as if u believed ur own lies and no one I mean no one would ever understand what u did to me and the kids. It wasn't something that a normal adult would do. Well let's go on then u developed a pretty dependent habit but u were after years later still not wanting to do anything for urself but u expected and wanted whenever u asked. U took took took u ran me dry then u moved on as if we didn't exsist but the crazy thing is u played a role as if u were this nice guy that did so much for me and with the kids but in fact u did not u verbally tortured me for hours with name calling and ur gossip talk about ur co workers ALL OF THEN I did so much more than what u have me credit for, and the blaming all ur mistakes on me daily cuz jason Boyer does no wrong. I'm gonna say I was warned my many people in which some had proof about ur problem. But I said he was young and gave u the benefit of doubt haha And then wow I mean WOW what I just lived more do past few months since u met girlfriend was by far the strangest behavior I have ever seen, I seen on jerry springer and all but never did I ever think that an individual would do something like this to his girl and family intentional. Oh yes hard to believe but believe it cuz he won't stop trying to destroye as if I was the one cheating but I wasn't but he's treating his family mostly myself as if I committed this horrible horrible crime that affected him in a way that he is so messed up now. But no everyone that indeed is not true ither this is the strangest behavior I have ever witness. He played the role of the good guy and the one who loved me sooo much and did everything w kids and his family but no no None of that is true especially since he met his sugar mama it was total ignore the kids day after day as well as the verbal abuse got worse and worse It looks something like plain text, but I cannot figure out how to decrypt it. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net ^^-^^ 21:25:01 up 19 days, 5:16, 2 users, load average: 4.31, 4.49, 4.82 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: multiple instances of gpg-agent
On 05/19/2015 12:11 PM, Werner Koch wrote: On Mon, 18 May 2015 14:38, jeandav...@verizon.net said: I run Red Hat Enterprise Linux 6 and I get lots of them too. I just kill them once in a while, but surely that is not ideal. The man pages gives hints on how to avoid starting several instances of gpg-agent. You should start it in your ~/.xsession script: gpg-agent --daemon --enable-ssh-support \ --write-env-file $@{HOME@}/.gpg-agent-info I tried this and it would not work. No such file or directory. I removed the @ signs and then that part worked. and for each login shell you run this: if [ -f ${HOME}/.gpg-agent-info ]; then . ${HOME}/.gpg-agent-info export GPG_AGENT_INFO export SSH_AUTH_SOCK fi I put that into .bashrc and it seems to work. Thank you. However it is easier to put use-standard-socket into ~/.gnupg/gpg-agent.conf and let gpg start gpg-agent as needed. This is the same procedure as used by 2.1 and which has always used with 2.0 on Windows (where use-standard-socket is the default). Salam-Shalom, Werner -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net ^^-^^ 22:35:01 up 19 days, 6:26, 2 users, load average: 4.61, 4.47, 4.34 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: multiple instances of gpg-agent
On 05/17/2015 09:02 PM, MFPA wrote: I have read several times that multiple instances of gpg-agent is not good. But I regularly see six or seven listings of gpg-agent.exe in Task Manager or Process Explorer. If I don't re-boot in the meantime (or kill the gpg-agent.exe processes with Task Manager) they can hang around for at least a day after last use. Is this likely to cause any problems? I am currently running GnuPG version 2.1.4 under Windows XP. GnuPG is used by my email client, by a GUI key manager, occasional commandline use, and by Mike Ingle's Confidant Mail. I run Red Hat Enterprise Linux 6 and I get lots of them too. I just kill them once in a while, but surely that is not ideal. I tried the following script in my .bash_profile that I thought would work, but it does not. SOCKET=S.gpg-agent PIDOF=`pidof gpg-agent` declare -x PIDOF #RETVAL=$? kill -s SIGHUP $PIDOF 2/dev/null rm $HOME/.gnupg/$SOCKET rm -fr /tmp/gpg-* eval $(gpg-agent --daemon) GPG_SOCKET_FILE=`find /tmp/gpg-* -name $SOCKET` 2/dev/null ln -s $GPG_SOCKET_FILE $HOME/.gnupg #echo .bash_profile ran `/bin/date +%Y%b%d%R ` $GPG_SOCKET_FILE /home/jeandavid8/XprofileLog.txt -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net ^^-^^ 08:15:01 up 16 days, 16:06, 2 users, load average: 5.37, 5.13, 4. 87 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Anything that just works easily for folks?... without knowing this stuff.
On 03/09/2015 01:19 AM, Don Warner Saklad wrote: It's too complicated to setup, a too complicated learning curve to setup... How to make it easier needs to be a greater priority. Albert Einstein is credited with saying: Everything should be made as simple as possible: BUT NO SIMPLER. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net ^^-^^ 09:40:01 up 8 days, 16:48, 2 users, load average: 5.03, 4.93, 4.78 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg in a cybercafé
On 03/06/2015 05:05 AM, Werner Koch wrote: On Fri, 6 Mar 2015 09:12, htd...@fritha.org said: In case you're allowed to boot from an external medium, this still won't be secure. Because you have no control over the hardware built into the computer, Does not even need to be hardware: A (remotely) modified firmware might first boot you into a virtual machine and only then boot the OS from disk or USB. I built a virtual machine once. I had a computer with no memory management hardware. And I had a FORTRAN compiler for it that worked pretty well, but if I wrote too many EQUIVALENCE statements, the computer crashed. A FORTRAN compiler is pretty big and inspecting all its code was out of the question. I wrote a program for a virtual machine that had all the same instructions as the real hardware did, so that was trivial: took less than a day to write it. But it had a little extra feature: memory management. The virtual machine ran as its input, the binary instructions of the programs that would normally run on the real machine. Like the OS, the compilers, etc. The easiest way to tell if the real machine was running or the virtual machine was that the virtual machine ran about 20x slower. I loaded the virtual machine and started it up. Then I invoked the FORTRAN compiler and presented it with a program with a lot of EQUIVALENCE statements, and saw that it was over-writing the interrupt vectors at the bottom of RAM, and further, what the offending instruction was. The original compiler had a bug were an index register needed to be specified, and it was omitted. Pretty simple. Now a black hat could easily put any old virtual machine on that machine, so doing nasty things would have been pretty easy. I suppose it is a little more difficult at a cyber cafe or public library. But not if I owned the cafe or worked in the library. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://linuxcounter.net ^^-^^ 14:25:01 up 6 days, 22:33, 2 users, load average: 4.02, 4.07, 4.11 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: UK Guardian newspaper publishes USA NSA papers
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 11/04/2013 04:29 PM, MFPA wrote: That's phenomenal: isn't everybody in the world separated by an average of just six hops? I tried to check that out, and I have never needed more than about three hops. Three hops to former president Richard Nixon. Two hops from me to Mikhail Gorbachev, Albert Einstein. One hop from me to Margaret Leng Tan, Maurice Wilkes, Phyllis Chen, Claire Chase, David Wagner (I met him when he was a baby), Eric Lamb, Ronald Coase, Sylvia Milo, Nathan Davis. Some of these are very famous, and some are famous in their own fields. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 17:00:01 up 19:21, 2 users, load average: 4.77, 4.67, 4.52 -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.14 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJSeB2QAAoJEBZthAoMYQyLbTgIAKn1VLcsgXEAUgwacr/fU09Q teXaJ6JnUNfVmEH/hdwlyfwTlBkbV8SmFQ3aN8LZjz5b2osI659P9tNA3LXEi7Jz +H0wa0aE/HBy/neumxv24Bu0s5bdeI3CU+FYqPBYtYjx1Q0Qeoug6VZqqI4TbJZo lcby5oWvXldwFunS9jvAbmtpl5G9uchzDSP+Y2hI3XEmT4OISb3jZPP0LHt8sPYc kv1qAedpg67GrANlPOJqsZaPbfm/hJnNm0z2qGbc+l5tl/hoXM6M30pFrNFoB6n4 ZFqPrwHjxgGfoaHD+sO9ZEWjLg8bKz70dmdQmtoKANQY9PuXSplkfBWsD4aH2y8= =IzJe -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: UK Guardian newspaper publishes USA NSA papers
On 11/04/2013 05:40 PM, Robert J. Hansen wrote: I tried to check that out, and I have never needed more than about three hops. Sure, but then again you're trying to hit people with *extremely* large networks, and whose first-order networks are themselves *extremely* well-connected. Even the exotic ones like Ronald Coase -- he co-authored a ton of papers and attended a lot of conferences and advised a lot of Ph.D. candidates and taught a lot of courses. If you can map out a line to my great-uncle Ormo Rasmussen in three hops without using me as a link, I'll be impressed. ;) I would not even know how to go about it. In my little list, I did not pick these people and see how to link to them; they were people I new directly (the one-hop ones), Or I knew someone who knew them (my piano teacher: Gorgbachev, my grandfather: Albert Einstein). Getting to Richard Nixon was a bit harder. A friend of mine knew his mother. I am actually surprised and impressed by my list. Not that anyone else should care. And on this list, David Wagner was easy since I worked with his mother at Bell Labs and met him not long after he was born. He surely has no recollection of me. Speaking of Bell Labs, kind of a name-dropping switchboard. My grandfather worked there, so I am a two handshakes away from Clinton Davisson. And I worked there and knew Doug McIlroy, and knew Ken Thompson and Dennis Ritchie very slightly. Also Bela Julesz. And Vic Vyssotsky was the most compulsive cigarette smokers I ever met, but a uniquely brilliant computer scientist. Jean Felker, who lead the TRADIC project (possibly the first transistorized electronic computer) interviewed me when I first tried, as a high school student, to get a summer job there. We talked about round-off problems when using fixed-length and fixed-point arithmetic. Oh! Well! Memories. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 17:55:01 up 20:16, 2 users, load average: 4.74, 4.61, 4.54 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Recommended key size for life long key
On 09/08/2013 04:02 PM, Filip M. Nowak wrote: [snip] Breakthroughs in factoring have occurred regularly over the past several decades, allowing us to break ever-larger public keys. Much of the public-key cryptography we use today involves elliptic curves, something that is even more ripe for mathematical breakthroughs. It is not unreasonable to assume that the NSA has some techniques in this area that we in the academic world do not. Certainly the fact that the NSA is pushing elliptic-curve cryptography is some indication that it can break them more easily.** I would think the NSA would have two teams, that might work together at times. One is interested in breaking the encryption of those they deem to be enemies. The other is making encryption mechanisms that are as difficult to break as they know how, for the use of our own secret services, state department, and so on. So perhaps the snooping division is pushing elliptic curve technology because they have a technique for breaking those that they have not published and that has not yet been leaked. But the other division is developing some superior technique, such as hyperbolic curves (I made that name up; it has nothing to do with reality) that is at least an order of magnitude more difficult to break. For use by any government agency that has secrets to keep but must communicate from place to place, or from time to time. Some might need public key encryption methods, some might manage with symmetric key methods. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 16:55:01 up 10 days, 23:40, 3 users, load average: 4.76, 4.43, 4.30 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: need help for GPG 1.2.1 binary for REHL 5.8
On 08/20/2013 03:43 PM, Peter Lebbing wrote: we are searching for binary for GPG 1.2.1 version for Red Hat Enterprise Linux 5.8 You're trying to install a version released in 2002 on an OS released in 2012. True, but Red Hat support their major releases for 10 years, so implying that the O.P.'s release is obsolete is a bit extreme. We are not talking about Fedora releases now. I'm not surprised you can't find binaries! Why do you want to do this? 1.2.1 has known issues and should not be used these days. It's more than a decade old! I think your effort is much better spent on changing your workflow to use the latest 1.4 release. Again, why do you want to install 1.2.1? HTH, Peter. I have CentOS 5.9. similar to RHEL5.9 that, as far as I know, is the current release for RHEL5. I run RHEL 6 on my main machine. The 5.9 has gnupg2-2.0.10-3.el5.1.i386 as its current release and that requires the following libraries: libksba-1.0.5-2.el5 pinentry-0.7.3-3.el5 pth-2.0.7-6.el5. As Peter asks, why do you want to install 1.2.1? -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 16:30:01 up 8 days, 21:55, 2 users, load average: 4.01, 4.24, 4.27 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [#JYM-378-41570]: Re: Why trust any software?
On 08/06/2013 02:32 PM, MFPA wrote: Hi On Tuesday 6 August 2013 at 3:28:55 AM, in mid:52005f67.1020...@securemecca.net, Henry Hertz Hobbit wrote: I received no comment from TeamSpeak's technical person so I am going to be blocking ALL of their hosts in my blocking hosts file. I have no other choice. You don't listen to your attorney saying to not say anything if you are the victime. You cure the problem. They didn't reply so I have no choice. Definitely something wrong when messages to ab...@teamspeakusa.com get returned 550 Recipient unknown. Is the address ab...@teamspeakusa.com actually required? I know postmas...@teamspeakusa.com is required and it must go to a real person, but is any other? -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 08:45:01 up 4 days, 10 min, 2 users, load average: 4.31, 4.37, 4.40 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [#JYM-378-41570]: Re: Why trust any software?
On 08/05/2013 09:09 PM, Robin Kipp wrote: Hi Jean, no, I think you can be fairly certain that you never contacted any piracy department. If you look back through the last messages that have been going over the lest you'll find this has been going on for a while now, also for others posting to this list. Seems like their contact address got on this list somehow, hence a new ticket gets created each time someone on this list starts a new discussion. So, looks like their Piracy Department is getting lots of work for no reason :-) HTH! Robin Oh! Good! I was afraid it was something I did. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 06:50:01 up 2 days, 22:15, 2 users, load average: 4.22, 4.39, 4.43 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why trust any software?
On 08/05/2013 06:31 AM, kardan wrote: Hi, I would like to widen the view of this thread as the question not only apply to windows software in my eyes. On Thu, 25 Jul 2013 21:17:43 + atair atai...@googlemail.com wrote: This basically means, that everyone(!) can access, modify and redistribute the source code of the program (see [2] if you're interested). There are lots of people (usually volunteers from all over the wold) who do peer reviews on the sources (and if you start with [2], _you_ can be another one). Therefore, changes that look like back doors are VERY unlikely to find their way in a release, because hundreds of people are looking how the software evolves and will reject such a patch. This is heard very often. How can I check if this is true for a particular piece of software? For the kernel reviews can be tracked via LKML but not every code is so popular. How to see how many people really read and approved a patch for example? Also the number may not be that relevant than if experienced developers did. On Fri, 26 Jul 2013 09:22:32 -0400 Mark H. Wood mw...@iupui.edu wrote: But it takes only one person who can and does do this inspection, to reveal the evil deed. And that person could be anywhere. He very likely won't be identified until he announces his presence by announcing his discovery of the attack. I would love this person even showing up to approve if there is no attack - just for me feeling better. On Fri, 26 Jul 2013 00:14:08 +0200 Julian H. Stacey j...@berklix.com wrote: However you missed the point that many MS users are not programmers, will not be compiling their own binaries, so any malign entity could regularly hack their nasty extras in, compile issue binaries that dont match published source [...] Also many linux users look strange at me if I say I do compile parts of my debian system. If somehow you trust the Linux kernel you are using, that is already a big assumption. That would assure you that the Kernel source was used to compile the kernel. And if all was properly signed, and you have somehow obtained the fingerprint of the signing key in some reliable way, that would give high assurance. But how about the compiler that was used. It could have been sabotaged too, to insert a back door into any code it compiled, or only code for files with names that exist in the compiler and a kernel, perhaps. So not only need you trust the people who examined the source code for the kernel, you need to trust the people who support the kernel to have done the same thing for the compiler they use. And the compiler they used for compiling that compiler. To really trust (or not trust), you have to take all that C-code for the first compiler and compile it by hand to binary (not assembly level). Then use that to make the assembler that has been similarly verified, then the C compiler you really want to use, and so on. I am not sufficiently paranoid to do this, and I would not live long enough to do it even were I motivated to do it. Maybe Ken Thompson or Dennis Ritchie could do it, but I bet he would not. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 08:10:01 up 1 day, 23:35, 2 users, load average: 4.49, 4.43, 4.56 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [#JYM-378-41570]: Re: Why trust any software?
On 08/05/2013 09:23 AM, TeamSpeak Piracy wrote: Jean-David Beyer, Thank you for contacting us. This is an automated response confirming the receipt of your ticket. One of our agents will get back to you as soon as possible. For your records, the details of the ticket are listed below. When replying, please make sure that the ticket ID is kept in the subject line to ensure that your replies are tracked appropriately. *Ticket ID: *JYM-378-41570 *Subject: *Re: Why trust any software? *Department: *Piracy [English] *Type: *Issue *Status: *Open You can check the status of or reply to this ticket online at: https://support.teamspeakusa.com/index.php?/Tickets/Ticket/View/JYM-378-41570 Kind regards, TeamSpeak USA, Inc. TeamSpeak Piracy e-Mail: pir...@teamspeakusa.com mailto:pir...@teamspeakusa.com Visit: http://www.TeamSpeak.com Knowledgebase: http://support.TeamSpeakUSA.com Hours of operation for this department are Monday - Friday, 9AM to 5PM Pacific Time (UTC-8). We are committed to responding to your inquiry within 48 hours, and typically will reply within 24 hours, excluding weekends and holidays. I thought I posted to gnupg-users list. I was making a remark to a previous post. I was not filing a trouble report, and do not think I was even addressing the issue of piracy. Hence I am very confused that I seem to have been issued a trouble ticket and getting two e-mails about this. Is something wrong with a server? Or an autoresponder? -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 20:40:01 up 2 days, 12:05, 2 users, load average: 4.34, 4.52, 4.52 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPG weakness
On 07/25/2013 08:59 AM, Manu García wrote: Are devs taking some measures to make GPG really secure? I am not an encryption expert, but if I were going to store a lot of stuff in the cloud, I would not use GPG or any other public (assymetric) key encryption system. I would use a simpler symmetric key, since no one other than I would need to know the key. The scheme outlined in the article is by no means new. It has been known at least 10 years and probably even more. It is of theoretical interest only, IMAO. As for the part of your post shown above, measures to make GPG really secure from what threats? Because the answer to that question really matters. I bet they cannot make it secure from my posting my private key on Facebook, for example, or from some black hat torturing my passphrase out of me, or from the FBI putting a keylogger on my machine, or even more easy, from my sending an encrypted e-mail to a friend of mine who then forwards it unencrypted to someone else. The developers of GPG cannot do anything to protect against these threats. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 16:20:01 up 44 days, 18:06, 2 users, load average: 4.22, 4.50, 4.72 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why OpenPGP is not wanted - stupid is in vogue right now
On 06/11/2013 12:23 AM, Robert J. Hansen wrote: On 6/10/2013 11:37 PM, Jean-David Beyer wrote: Of course he did not seriously propose the idea as a real course of action. But it is interesting to think about. I drive a Mustang GT with enough engine work to make it genuinely dangerous to unprepared drivers. When I was taking a couple of advanced driving classes (because I don't want to be a hazard on the road behind such a vehicle), one of my instructors -- a police driving instructor -- told me about a collision he recently saw with a tricked-out Mustang GT like mine. I had been driving Alfa Romeo Giulietta Spiders for a while, and one Giulia (same car, 1600 cc engine). Then I bought a Lotus 26. I had driven my current Alfa to NYC (the nearest Lotus dealer to Buffalo NY where I was living). I had already bought and paid for the car, but it needed preparation so I could not take delivery until the next day. Nevertheless, the owner of the dealership took me to dinner at a fancy French Restaurant on his bill. He started by buying me a Martini. I drank it, but did not like it much. He then bought me another. I nursed it along, but finished it. He then ordered me a third. I told him I did not want it, that two were enough. He insisted. I took one sip to be polite, but I was not going to drink any more. He surprised me, though. He took the drink from my hand and smashed it to the floor. He then pointed out the old saw about martinis were like breasts on a woman: one is not enough, but three are too many. His point, as he explained, was that the Lotus 26 was not like the Alfa Romeos that I was accustomed to, and if I drove the Lotus the same way, I would kill myself. He then explained some of the fine points of a car that normally understeered but under the right circumstances, could oversteer, and that I better go to a large vacant parking lot and learn to handle that. Which I did. Luckily, in Buffalo at the time, there were blue laws that prohibited shopping malls from being open on Sundays so even if I spun out the car, other than a little excitement, I could not really hurt anything. The Lotus 26 was not like the 300 SL or the W-186 in switching from under to oversteer, but it could do it. It saved my life once or twice when driving on snow with glare ice (that I did not know was there) underneath it. But it takes nerve, when the front end is losing it to shift down a gear and floor it, when instinct and reflexes make you want to hit the brakes. But none of that will work on my Prius. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why OpenPGP is not wanted - stupid is in vogue right now
On 06/11/2013 12:23 AM, Robert J. Hansen wrote: On 6/10/2013 11:37 PM, Jean-David Beyer wrote: Of course he did not seriously propose the idea as a real course of action. But it is interesting to think about. I drive a Mustang GT with enough engine work to make it genuinely dangerous to unprepared drivers. When I was taking a couple of advanced driving classes (because I don't want to be a hazard on the road behind such a vehicle), one of my instructors -- a police driving instructor -- told me about a collision he recently saw with a tricked-out Mustang GT like mine. Come to think of it, I had a friend who drove a Griffith (or some name like that) which was basically a TVR designed with an 1800 cc British engine in it. To make it into a Griffith, you swap out that little engine and put in a Ford 275 (or so) cubic inch one. I think the clutch and transmission get replaced too, but I do not remember (or care). this must have been in the early 1960s. Well, when he took the thing to the inspection station, you sometimes get an inspector who fancies himself a race car driver. But do not actually have the knowledge or skill for it. Well this one takes it to the brake testing machine, which here is a long instrumented track. The drill is to take the car up to some modest speed, and hit the brakes. The machine measures the braking forces of all four wheels, etc. Well this clown revs up the engine and pops the clutch. If I remember correctly, that car would do 0 to 60 in something like 4 seconds. It would not handle worth a damn, but it sure would accelerate. By the time he got his foot off the gas and onto the brake, he had run past the end of the machine and almost hit the car ahead (it did have good brakes). Since he missed the car ahead, he gave my friend a pass on that test. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Fwd: Re: Why OpenPGP is not wanted - stupid is in vogue right now
Sorry, I sent it privately by mistake... Original Message Subject: Re: Why OpenPGP is not wanted - stupid is in vogue right now Date: Mon, 10 Jun 2013 06:59:59 -0400 From: Jean-David Beyer jeandav...@verizon.net Organization: Institute for Regimented Whimsey To: Johan Wevers joh...@vulcan.xs4all.nl On 06/10/2013 06:40 AM, Johan Wevers wrote: On 10-06-2013 10:46, Henry Hertz Hobbit wrote: Nobody but me uses my signatures on the stuff I deliver. It isn't because my keys aren't part of the WOT. It is because for what ever reason they want to complain like mad about Prism but then go to Facebook and broadcast their personal lives to the entire world. I was just at a discussion of this by people wringing their hands, helpless as deer staring at the headlights of moving automobiles. But they absolutely will not consider sending and receiving encrypted e-mail for their communications. In fact, most no longer use e-mail, but Facebook, Twitter, and so on. They protest that encryption is too technical and complicated, but never actually learned anything about it (and I do not even mean that they do not know how encryption works, what public key encryption is). They do not know that enigmail is a simple to use add-on to Thunderbird because they do not use Thunderbird, but some web-browser interface to Google or something like that. They do not complain that automobiles and television sets are too technical. That microwave ovens and their cell phones are too technical. So they run around like chickens with their heads cut off, but refuse to do anything about it. Privacy has much more to do with encryption than with signing. On the contrary, when I sign a message it is much easier to prove, or at the very least make it probable, that I wrote it, thus reducing my privacy. My correspondents hate it when I even sign something because they think the signature is some kind of error message that they do not understand, and they ignore stuff they do not understand (like messages to update their virus scanner, etc.). When I want privacy from government agencies I would use encryption for sensitive or 1 to 1 messages. Signing will not help, when some 3-letter agancy starts sending messages in my name that is easily detected by me. When I want privacy, I wring my hands in despair because only one person I know even has a copy of gnupg and runs an enigmail interface to it. Very few use Linux. And as far as I know, he uses it only because it is interesting technically, and when he gets bored with it, because I am the only one he knows who has the capability of using it, he will probably stop using it too. So when I want privacy, I cannot use it anyway because none of my correspondents will use it. And even if they did, they would decrypt what I said, and then forward it clear text to others. So in my view it is useless except in very small communities of committed users, and I am in no such community. For email this is easy, I'm now figuring out how to set up myn own encrypted VOIP server for secure phone conversations within a group. This proves much more complicated, most private VOIP services either don't support encryption, support it in an unsafe way (unencrypted key exchange, who the ^$*#E%#% invented that?) or assume you're using fixed phones instead of mobiles over 3G. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why OpenPGP is not wanted - stupid is in vogue right now
On 06/10/2013 03:39 PM, Mark Rousell wrote: I just wanted to say that you have neatly encapsulated my feelings on the subject: Stupid is in vogue. My concern is that it will be for a long time to come. It is ironic that technology is, to a considerable extent, what has made it possible. So much is taken care of by technology that it is simple and easy to be stupid. You can get away with it. That suits the data miners of this world just fine. In 1962, Consumers Union hosted a conference entitled Passenger Car Design and Highway Safety. Lots of engineers, etc., were there and presented papers. One was a guy named John Fitch who designed and drove race cars. While it was not the main point of his presentation, at one point he mused that perhaps all cars should be designed like race cars. In particular, 6 speed non-synchromesh manual transmissions, grabbing clutches, no power steering, no power brakes, no radios, etc. He said the added complexity would have two benefits: 1.) Some really stupid people would not be able to drive them because they would be stalled out most of the time. 2.) Those who could get them to move would have to pay a higher level of attention to what they were doing than the average driver. Of course he did not seriously propose the idea as a real course of action. But it is interesting to think about. https://en.wikipedia.org/wiki/John_Fitch_%28racing_driver%29 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg: WARNING: unsafe ownership on homedir
On 06/04/2013 03:22 PM, ira.kirsch...@sungard.com wrote: I am running on Red Hat Linux 6.4.6 What release is that? I have support from Red Hat that is up to date as of today, and it claims to be: $ cat /etc/redhat-release Red Hat Enterprise Linux Server release 6.4 (Santiago) Nothing about a third level of releases. It is running this kernel: vmlinuz-2.6.32-358.6.2.el6.x86_64 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [OT] Why are you using the GPG / PGP keys?
On 05/28/2013 03:28 PM, Werner Koch wrote: On Tue, 28 May 2013 18:17, forlasa...@gmail.com said: crazy and doesn't function correctly, the house is half wood and half brick, and/Jack forgot to put locks on the doors./ Well, the mailbox at my door has no lock either and it suffers from the spam problem too. The solution is not to remove the mailbox and do without snail mail. Instead I sort spam out and almost all useful or important mail arrives just fine; well as long as such mail comes in a nice and ads free envelope with a real stamp on it. I demand a return address on it as well, including the name of the sender. Lacking that, I assume they are ashamed of themselves and are afraid I would not open it if I knew who it was from. So I do not open them. Return addresses like Suite 12345 123 Frammis Avenue Washington, D.C. 98765 go into the trash too. No name, no open. Of course, some senders also go straight into the trash, too. This would not be as useful with e-mail, since I can put any address I want into the From: field. Of course, people could do that with their envelopes, too, but they seem to do it less often. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [OT] Why are you using the GPG / PGP keys?
On 05/26/2013 06:50 AM, Zece Anonimescu wrote: Zece Anonimescu: Robert J. Hansen: Email is dying and has been for years. Ask a college student today[...] I don't like the mass media estimates: the next big thing, the yesterday thing, the dying thing. I thought for a good ten minutes and I could not find ONE single thing that was how predicted. According to Technology Review [1] some 154 billion emails are sent each day. So much for a dying technology. I rest my case. Last I heard, and it seems to me to be true, something like 95% of e-mails are spam. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg for pseudonymous users [was: Re: gpg for anonymous users - Alternative to the web of trust?]
On 04/06/2013 01:10 PM, Ryan Sawhill wrote: I wouldn't have to work at Red Hat to find your imagining of all this hilarious. No offense meant. I am not offended; just ignorant of some of the details of this. What makes the most sense: that all packages are built on a handful of central build servers (individual maintainers building packages? seriously?) on a private network and that as part of that automated build process, the packages are signed. And then of course yes, some sort of manual process to push packages out to publicly-accessible servers for customers. I guess we agree here. Perhaps not on the details. So that part must not be hilarious, is it? Also, for the record, you're wrong about with extremely few exceptions, they do not do enhancements: those are delayed until the next major release up to 18 months later. Most packages will stay at the same upstream version for the life of a RHEL major release, Right. but feature-enhancements still happen all the time with minor releases (every 6 months) and sometimes even sooner. Well, the bug and security fixes can come out several times a day (though that is not usual), and new RHEL kernels seem to be coming out every month or so these days. But those are bug fixes and security fixes. When I read their release notes on those things, they do not describe enhancements on the kernel. Similarly for things like postgresql, they may backport bug fixes but they do not put in enhancements as far as I can tell. Perhaps they enhanced Firefox, but that is not the usual thing. I notice no enhancements for GnuCash that is quite a ways behind what other distributions are using. They try to keep up with Java, but that is to hope to keep up with the security failures in that. (Also, new major releases don't happen every 18 months.) I know major releases do not happen exactly every 18 month. IIRC, they said that was their goal. I know it was over two years for one of them to come out. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg for pseudonymous users [was: Re: gpg for anonymous users - Alternative to the web of trust?]
On 04/05/2013 11:39 AM, Stan Tobias wrote: The problem we're trying to solve here is how to ascertain originality of a software development line, IOW how to authenticate it. What I do is get my OS (a Linux distribution from Red Hat) on a DVD directly from them. It contains, along with everything else, their public key that I do not validate by any other means; I assume that it is authentic. And they sign all the software they download to me from their site. So unless a man in the middle, working for the Post Office or UPS or FedEx (I forget which) substitutes DVDs ... . But as long as Mr. Red and Ms. Hat can be trusted, I do not care if they are the two individuals, a corporation, or what. SO * I am not protected from any black hats subversively working for Red Hat. * I am not protected if their site is highjacked by black hats until they discover it and correct it. But unless they also hijack the computer not connected to the Internet (see below), this will not be enough. * I am not protected if the DNS is damaged somewhere and when my update software tries to get updates from Red Hat, some other site that has Red Hat's private key signs whatever they choose to download to my machine. I suppose bribery or physical violence might get that key faster than exhaustive search... . Probably the software Red Hat supplies is kept on a machine that is not on the Internet and it is all signed on that machine. At which point, the signed software is placed on an Internet-connected machine for downloading (seems like a good idea to me). ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg for pseudonymous users [was: Re: gpg for anonymous users - Alternative to the web of trust?]
On 04/05/2013 04:27 PM, Peter Lebbing wrote: I have no idea how Red Hat does this, but it seems unlikely to me. It's not connected to the internet, but signs the whole repository, and each individual security update etcetera. Is there a guy who keeps going back and forth with a USB stick between this terminal and another? I do not know how they do it either. I assumed that each major release, that for Red Hat occurs only about every 18 months, they do sign each and every file in the repository. They probably have an automatic way to do that. And then someone sneakernets it over to the Internet-connected machines that do the downloads to the customers. For updates, I assume they do that to each file that has been touched and carry them over to the Internet-connected servers in a batch, say once a day. But maybe they resign and carry over everything in the repository to save the trouble of figuring out which have been touched and which have not. The whole release fits on one DVD. Recall that for Red Hat Enterprise Linux, with extremely few exceptions, they do not do enhancements: those are delayed until the next major release up to 18 months later. They only do bug and security fixes (and that time-zone file change). So once a day (or whenever the regression testing is completed successfully) some clerk can do the carry over at some time, presumably late at night. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How insecure is using /dev/random for entropy generation?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 03/30/2013 10:46 PM, Hauke Laging wrote: [snip] gpg uses /dev/random. That's why key generation usually blocks due to lack of entropy if you do it right and boot a secure medium for key generation. The kernel fills /dev/random from e.g. key strokes, disk accesses, and (if available and configured) internal CPU state (havaged) or a real hardware number generator. The kernel should take care that the entropy in /dev/random is perfect. The amount of available entropy can be seen in /proc/sys/kernel/random/entropy_avail I run RHEL 6. Last reboot (had to run Windows for a little while) was a little over 6 days ago. I tried that and got: $ cat /proc/sys/kernel/random/entropy_avail 1849 Is that a lot or a little? -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.14 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJRWA/9AAoJEBZthAoMYQyLK2IH/23tmS71RlUq1zlmQozvL4Mn 8N0Wbfj3uLuIOPOt9il0oApkdmZsOseZtp6XsF0OxtMHjuOdU9d83cKb+jzZE8Ee oeno2/eRH09z/xIigUA7bYcS14gYq/WFV18Jnk6eez2BeAK8UsVva6GBI2aFi6QX jphnprCdCfe/52yA9iS89S3zPrtShIMQnW3gL6iZr+bTiGjloEFGVpZv8rc4eAwv aW76WOSck38E9L+mE1OeQ1eHEVWz68sbWQEjN3evOdPT1MvlgSBwvCLBTCJF2LPQ y58tPHgkb3T1/k/K/sIasehniS3GdF+PAsbhDO5oZ5BJU2AUvJZR+gpisXQ/9L8= =hKVy -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: passing information among several users
On 01/21/2013 11:56 AM, Rita wrote: Hello, Here is what I am trying to do in my environment. I have 6 users: maseruser and user{A,B,C,D,E} Masteruser will be generating data and I would like userA and userC be able to decypt the data and others not to. However, in the future I would like to add userE to decrypt the data and remove userA (any old data she has is fine). I was wondering how I can achieve this using gpg Sure you can do this. Or do you want to know how? 1.) get gnupg software. http://gnupg.org/ Install it, generate your keys and your revocation certificate (you never know when you will need ont. 2.) Upload your public key to a keyserver. 3, Have A, and C do the same. 3a.) If you want to anytime, have B and D do it too. 4.) When you want to send data get the public keys for A and C. 5.) Encrypt these data with the public the public keys of A and C. Am I missing something? ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: how vulnerable is hidden-encrypt-to
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hauke Laging wrote: Am Fr 17.08.2012, 21:05:32 schrieb auto15963931: In the example of yours it appears as though the message was encrypted to two different keys, one of which was hidden and the other not. Is that right? That is right. --hidden-encrypt-to needs other recipients. But you may use ‑‑throw-keyids or --hidden-recipient instead. Incidentally, when I looked at your reply and noticed it was signed, I tried verifying the signature. Why is the signature failing? Thanks. That's a bug in my MUA which is triggered by the email being encoded as ascii: https://bugs.kde.org/show_bug.cgi?id=305171 This bug (or rather: problem) has been discovered here on the list – it occurs almost only in English emails. I have added a non-ASCII char to my text signature thus forcing a charset different from ascii. Thus the signature of this email should be OK. Hey! OpenPGP Security Info UNTRUSTED Good signature from Hauke Laging mailinglis...@hauke-laging.de Key ID: 0x3A403251 / Signed on: 08/17/2012 10:24 PM Key fingerprint: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:3EDBB65E 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 23:10:01 up 30 days, 3:11, 3 users, load average: 4.42, 4.42, 4.43 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org/ iD8DBQFQLwgZPtu2XpovyZoRAiU2AKDVSMsLyT5eg5DfPYLsyFAnpgQP6gCfaHlK dYa2u4OhhM8+1yLfPtM7z48= =ylCp -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ideal.dll
Robert J. Hansen wrote: On 06/24/2012 06:11 PM, Werner Koch wrote: I am telling for more than a decade that PGP 2 should not be used anymore. The list may find my own timeline of MD5 to be worth reading -- it might give some insight into why PGP 2 (in particular the MD5 vulnerabilities) tend to engender such passionate responses. = 1993: Bosselaers and Den Boer present a theoretical break on MD5. 1996: Hans Dobbertin breaks MD5. His results are immediately dismissed as theoretical when they are nothing but. The security of a Merkle-Damgard hash (such as MD5) cannot be greater than the collision resistance of its compression function. Dobbertin is able to break MD5's compression function in *seconds* on desktop hardware. The MD5 death clock begins ticking down: we know (thanks to Dobbertin) that collisions can be generated against the full MD5 in seconds, but we don't yet know how. 1997: As an undergraduate, I read Dobbertin's paper and get shocked. I start advocating migration to SHA-1 and/or RIPEMD160. Nobody listens to me, and maybe rightfully so: after all, I'm just an undergrad. That said, I'm in good company: lots of other very serious cryppies are advocating the same. 1998: Internal debates begin at PGP Security over whether MD5 should be considered deprecated (technically valid, but advised against) or obsolete (no longer valid). (This is according to Len Sassaman.) 2001: People are still using MD5 in applications that need a collision-resistant hash function. I begin to get irritated: we've had five years to do migrations. Some important people within the community at that time (e.g., Imad Faiad) proclaim that MD5 is still secure and the vulnerabilities against it are still only theoretical and may never come to pass. I begin to tell people that if we don't see real MD5 collisions within five years to never again believe anything I say. 2002: I enter graduate school for computer science and begin working in electronic voting. I see systems being developed at that time which rely on the collision-resistance of MD5. I begin to get unhinged. In order to prove the ineffectiveness of MD5, I begin to work on MD5 collisions for my Master's thesis. 2004: Shengdong University publishes the first MD5 collisions. I have a very long and dejected talk with my advisor about my degree plans. I take a Master's without thesis, but I tell my advisor I'm looking on the bright side: no one can claim MD5 is still safe, right? 2004: People continue to say MD5 is still safe, claiming that the Shengdong University attacks are impractical -- they can only produce collisions in random data, which means you can't forge a particular signature on particular data. 2005: At Black Hat, Dan Kaminsky starts off with the EFF's website and the NSA's website. Dan is able to, in realtime, tweak the EFF's website with nondisplaying characters in order to make it look unchanged from the original but have the same MD5 hash as the NSA's website. I was there in the audience and my jaw was on the floor. 2005: People continue to say MD5 is still safe, claiming that... oh, God, I lose track at this point, honestly. At this point my brain shuts down and I begin to believe anyone advocating MD5 where collision resistance is necessary is living in resolute denial of the facts. 2008: The first public disclosure of a forged MD5-based SSL certificate. 2008: US-CERT issues a Vulnerability Notice which says in plain language, Software developers, Certification Authorities, website owners and users should avoid using the MD5 algorithm in any capacity. (Ref: http://www.kb.cert.org/vuls/id/836068 ) 2012: News reports circulate that the Flame virus propagated by forging an MD5-based Microsoft signature. 2012: On this mailing list, 16 years after experts recommended migrating away from MD5 and four years after US-CERT categorically declared MD5 to be a do not use algorithm, we're having a discussion about PGP 2.6, which is deeply married to MD5. After reviewing the past 19 years of results on MD5 and the community's reaction to them, all I can say is ... nothing, really. I used to be able to get a lot of outrage summoned up over this subject, but now I've been reduced to making faint whimpering noises. A new scientific truth does not triumph by convincing opponents and making them see the light, but rather because its opponents eventually die, and a new generation grows up that is familiar with it. -- Max Planck -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:3EDBB65E 9A2FC99A Registered Machine
Re: Some people say longer keys are silly. I think they should be supported by gpg.
MFPA wrote: Hi On Monday 28 May 2012 at 3:12:24 AM, in mid:4fc2df08.4020...@sixdemonbag.org, Robert J. Hansen wrote: The problem isn't the fraction of the population. The problem is command and control. That will always be a problem if the planting is uncoordinated. As a thought experiment, what happens when all the real protesters have gone on to something else and plants from various agencies make up 100%? My mother once told me that it was easy in the late 1930s and 1940s for Communist Party members to identify the FBI informants. The informants were the only ones who paid their dues. Real communists could not afford it. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 17:40:01 up 1 day, 2:00, 4 users, load average: 1.26, 1.36, 1.35 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
There may be more to security than password length, or even its complexity.
http://2.bp.blogspot.com/-v15Nbl_zG7s/T6BFiQoGDEI/AHs/U5eU7O6MG3o/s1600/security-fail.jpg -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 07:40:01 up 33 days, 1:17, 3 users, load average: 4.45, 4.52, 4.64 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: There may be more to security than password length, or even its complexity.
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mustrum wrote: Http://xkcd.com/538 :-) I like that. It may be my passphrase is too long. I want it easier for the black hats to crack my stuff than for them to torture my passphrase out of me. I recently tested a (retired) password to my computer out on a couple of web sites that told my how hard it would be to crack it. One of them said more than 10 million years. I guess that one is good enough, though my current ones have two more characters. Maybe I should shorten them. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 20:45:01 up 33 days, 14:22, 3 users, load average: 4.61, 4.57, 4.54 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org/ iD8DBQFPvYVKPtu2XpovyZoRAhhLAKDBF0JRi2IErOHUIeIWiRh/f1e6/wCfSehd 4VK5VllC9uXNHKz33TSlowc= =82DQ -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: PGP/MIME use (was Re: META)
Jerry wrote: I totally agree. I have never seen or heard any logical excuse for the signing of list traffic. I almost never sign anything unless I suspect the destination can at least ignore the signature. The people with whom I send e-mail (a diminishing population because most have moved to texting on cell phones, or twitter or Facebook) have no interest in security, though they sometimes act in a paranoid fashion about eavesdropping. But they refuse to do anything about it. They cannot deal with MIME signatures (at least those still using AOL), and cannot ignore them either. They hate the inline signatures too. When I do sign, it is just to draw attention to the fact I have a public key and can accept signed and encrypted e-mail. And so far, other than complaints about extraneous text in my emails, that is about it. I really get no use from it. So signing to this list, and an occasional test that my stuff is still working is the only use I get from gnupg and enigmail. The stuff I would really prefer to send encrypted I cannot send that way because those to whom I would send it could not read it (they have no software and no public keys). And if they could, they would probably save it in clear text somewhere, forward it, or whatnot. I think PGP and gnupg are really great ideas, whose time has not yet come. And by the time people realize its usefulness, the snooping community will have made it impossible to use it anymore. People sending encrypted e-mail will be disappeared. The time for that has not yet come. I hope it is postponed until after I can no longer use a computer. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 13:45:01 up 20 days, 21:11, 3 users, load average: 4.78, 4.89, 4.99 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: PGP/MIME use (was Re: META)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Remco Rijnders wrote: I appreciate signed mails on this list (and any other lists). Most problems these days on the internet are, in my opinion, related to people being completely anonymous. If you stand behind your words, show so by signing your posts. OK. I stand behind this post. But other than amusing myself, does it really make any difference? - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 14:05:01 up 20 days, 21:31, 3 users, load average: 4.52, 4.76, 4.84 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org/ iD8DBQFPKDwqPtu2XpovyZoRAlfyAJ4k3TxXHBy8hSHorl6xowjoUl9vrwCbBuUr ZU51SVdnmQg12VS77wVOpcc= =7Cba -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: STEED - Usable end-to-end encryption
d...@geer.org wrote: With respect to your question: what we offer is privacy, but most people do not understand privacy, do not care about privacy, and would not care about privacy even if they understood it. [snip] You got that right, Brother. To be more pointed, how many folks on this list carry a cell phone? --dan I carry one about half the time, but it is usually powered off unless I am expecting a call, or when I need to make one. Also about once every other month to use the GPS navigation feature. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 09:10:01 up 4 days, 18:16, 3 users, load average: 4.84, 5.14, 5.11 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: STEED - Usable end-to-end encryption
Matthias-Christian Ott wrote: What about making everyone their own provider? The efforts in this direction intiated by Eben Moglen that lead to the FreedomBox and other projects seem to go in the right direction. It doesn't seem to me less realistic than requiring cooperation from providers. I was my own provider for many years, and that was easy enough. I got a static IP address from my ISP for $10/month and ran sendmail as my MTA. I used mutt am MUA. But when I switched to Verizon as ISP in order to get FiOS, they wanted $150/month for a static IP address and an additional fee (I forget what it was) to be allowed to run sendmail as a server. Verizon is a great ISP 8-( They discontinued Usenet, so I have to pay a fee to another provider to use Usenet. They did not reduce their fees when the reduced the level of service. Greed and Profit before Service: it is the American way. 8-( -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 10:05:01 up 19:11, 4 users, load average: 4.93, 4.98, 5.11 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Useful factoid
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Robert J. Hansen wrote: On 10/11/2011 05:14 PM, Jean-David Beyer wrote: Let us assume you are the bad guy Okay. Unless you have my encrypted keys, you have to access my computer (unless you have already stolen it, in which case there are much easier ways to invade the machine), you will have to try logging in through the Internet (in the case of my machine), and the first thing you will hit is the login program. Hold on a second there. You seem to be making some extremely unwarranted assumptions. Quite possibly. And unwarranted assumptions are especially pernicious because those are typically those I am unaware of making. I am not a security expert anymore. I really was never a security expert, though I was once put in charge of security for 10 VAX machines running UNIX, but this was around 30 years ago almost before the Internet. Some of us were using uucp on dialup, but that was about it. In those days it was almost impossible to get the users to use passwords on their accounts. If I want your secret key material, I'm not going to steal your computer. I'm going to use an exploit to bypass your login, plant a Trojaned version of GnuPG, and laugh all the way to the bank. I realize if you stole my computer that I would notice it. If you broke into my house skillfully enough that I did not notice it, you could install a key logger, or copy my hard drives, steal my backup tapes, ... . But you could also remove all protections by getting in as the root user (on UNIX-Linux). And I might not notice that. The trick is to do that from the Internet. I have some safeguards to protect me, and they may protect me from amateurs, but an expert might be able to defeat me. It seems to me that to do much damage to my machine, you need to get a shell with root access. And to do that, do you not pretty much need the root password? Or hijack a program that is currently running with the root privileges? I never run a web browser as root. But there are demons that run and some have root privileges. Such as the download mechanism to download updates from Red Hat. My nameserver does not run as root. I do not run telnet. ssh will talk only to specified IP addresses on my LAN. My firewall will not accept messages from outside unless in reply to something I sent out, so I believe it would take a man-in-the-middle attack to get past that unless the firewall is defective. I actually have two firewalls; a primitive one in the router that comes with Verizon's FiOS service, and another one using iptables. These, too, could have bugs, especially if I made a mistake in programming the iptables firewall. Modern-day operating systems are frightening -- terrifyingly -- insecure. A while ago Vint Cerf estimated that about one desktop PC in five was already pwn3d. That's a number that keeps me awake at night. At one extreme, the only way to be pretty safe is to have a machine that is not connected to the Internet, and have U.S.Marines to guard the hardware and access to it. I do not choose to defend myself against threats that would reasonably require that. I want my security to be weak enough that the black hats would not resort to torture to get the information they want. The friends of mine that even know what computer security might mean do not even encrypt their e-mails, though they worry about it's being intercepted. Friends complain if I digitally sign my e-mails. I assume if they could accept encrypted e-mails, that they would save them in clear form on their machines anyway. So maybe I am kidding myself. I do not think my machine has been taken over. For one thing, I can pretty much see the Internet traffic from it, and when I am not doing anything, not much goes down the Internet. A friend whose machine was hacked (Windows ME) had lots of Internet traffic and the machine got impossibly slow. The hard drives never stopped clicking. I do not have that, though the hard drives on this machine do not click, but the Xosview program shows that when nothing is going on, nothing except BOINC programs run. The demons do, but they do not use any processor time. If I ran this machine as a server, my problems would surely be worse. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 08:50:01 up 6 days, 17:23, 4 users, load average: 5.14, 4.93, 4.94 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org/ iD8DBQFOlu/MPtu2XpovyZoRArvUAKC022RLKvUmsbM1XD5shR+xrB06kQCdEDE+ gx/6aDndO7obVhfgZVEMk6o= =yjMn -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why revoke a key?
David Tomaschik wrote (in part): If you value your OpenPGP key, I would not trust it to 24 bits of entropy. My off-card backup of my key is protected by a 32-character passphrase that I believe to be highly resistant to dictionary attack (and contains sufficient special characters that I believe its entropy to be close to the optimal 6.5 bits per symbol). But perhaps I'm delusional. I do not know about delusional. But in a sense, was it not unwise to tell me your passphrase length? I will now set up my hypothetical exhaustive search cracker not to bother with passphrases less than 32 characters or longer than 32 characters. This reduces the size of the search space I must examine. Of coarse, the shorter ones can be tested faster than the longer ones. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 09:35:01 up 4 days, 18:08, 4 users, load average: 5.13, 5.25, 5.22 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Useful factoid
Robert J. Hansen wrote: Accurate to 6%, there are 2**25 seconds in a year. Worth remembering: it makes certain kinds of computations much easier. (It follows there would be about 2**35 seconds in a thousand years, or 2**45 seconds in a million.) E.g., let's say you want to brute-force an 64-bit key on a CPU that can do a million (2**20) attempts per second. This requires, on average, 2**63 attempts. 2**63 / 2**20 = 2**43 seconds: 2**43 / 2**45 = 2**-2 = a quarter of a million years. Let us assume you are the bad guy and have computing power that can do an arbitrarily large number of key attempts per second. Unless you have my encrypted keys, you have to access my computer (unless you have already stolen it, in which case there are much easier ways to invade the machine), you will have to try logging in through the Internet (in the case of my machine), and the first thing you will hit is the login program. This can probably handle only a few attempts per second, and if I were serious about security, I would have it double the time to reply each time it got a failed login on that connection. In the days of dialup, I would have the machine hang up on the connection with too many failed login attempts. Of course, if you could get into my machine and login as the only user with access to my encrypted password file, you could copy that file to your high speed facility and crack it at your leisure. But if you could do that, you could already do anything you wanted with my machine -- install trojan horse keyloggers, defeat the security in the login program, etc. I don't know why it took me so long to notice that: seems like the sort of thing I should've noticed a decade ago. It makes certain kinds of computations so much easier. Anyway, figured I'd throw it out on the off chance there were others who hadn't noticed it. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 17:05:02 up 5 days, 1:38, 4 users, load average: 4.73, 4.76, 4.82 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: An Invitation to Neuroscientists and Physicists: Singapore Citizen Mr. Teo En Ming (Zhang Enming) Reports First Hand Account of Mind Intrusion and Mind Reading
Andre Amorim wrote: It's Called INCEPTION ! I thought it was callee SPAM ! If I thought the O.P. would even read this, I might suggest he resume his medication. If I believed he was not schizophrenic, I would refer him to this web site: http://www.biomindsuperpowers.com/Pages/intro.html Ingo Swann, whose site it is, is not a kook nor is he a nut. He has been closely involved in scientific investigations of what are usually called psychic phenomena since the early 1970s, if not before. Many of these studies were done at Stanford Research Institute, under the sponsorship of various 3-letter agencies. Studying that web site (there are hundreds of pages) would show that psychic phenomena have been known since at least 400 B.C.E., and have been scientifically investigated since about 1875, or a little earlier, by quite reputable scientists. Mind reading, better known as telepathy has been shown statistically significant, as have remote viewing, and related phenomena. There are dozens of books on these subjects by people, some of whom worked in this area for the U.S.Military. If the O.P. is serious, he could do some research on this on the Internet. But encryption, such as by using gpg, will not be a defense from attacks of this kind. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 17:50:01 up 31 days, 21:08, 3 users, load average: 5.10, 4.95, 4.87 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Best practice for periodic key change?
Jerome Baum wrote: On Sat, May 7, 2011 at 15:54, MFPA expires2...@ymail.com mailto:expires2...@ymail.com wrote: (snip huge email) Next time can you read the whole email and reply to it as a whole? As for signature checking, I stand by my point: Over here, signing a document today and claiming on the signature that it was signed tomorrow is going to be an offense (if there is a loss to a third party, of course -- a lie isn't fraud until there is damage). The post-dated cheque doesn't say I signed this in the future, but only accept this from that point in the future. That's a big difference. As for the clerk, he's an idiot and probably liable for accepting it. It's not my problem if people don't check the signature timestamp, I can only do my part on making the date accurate -- plus maybe educating my recipient on checking the timestamp. When I was on a grand jury, the prosecutor said that while the words of the law made it illegal to write a post dated check (in this state), that they did not prosecute for this unless there was intent to commit a fraud, and that is difficult to prove. A friend who worked at a bank said they never looked at the dates, but cashed them when presented unless there were insufficient funds to honor them. So there is no use in writing a post dated check unless the person to whom it is presented holds on to it until the date. As treasurer of a tax deductible organization, I use the date on the check as the date of the donation except sometimes I do not. I do not when it is dated something late in December, but postmarked mid January or later. In that case, I use the postmark date. So people writing pre-dated or post-date checks are wasting their time. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 13:10:01 up 21 days, 16:28, 3 users, load average: 4.57, 4.78, 5.01 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Keylogers
Mike Acker wrote (in part): this is the only way to certify a system: a running system cannot be used to certify itself. for those who don't understand this an old and common malware trick is to replace the directory list program. when the system owner types dir c:\windows\*.* the modified dir list program simply fails to report the presence of the malware programs, instead adding the space taken by the malware back into the reported free-space. the original dir program is hidden someplace on the c: drive and then reported on the dir list with its orignal directory info. if you dump the program out you get this back-up copy; but when you run it -- the bad copy runs. the system-- has had a bug purposely installed,-- one with produces INCOROUT (incorrect output) ,-- it has been pwn3d. I run Linux and I used to run the tripwire program to certify what ran on it. What it actually did was assume at some point that all your programs were valid, and compute some checksums of each one. Whenever you ran the test, it would make sure the checksums were still valid. http://sourceforge.net/projects/tripwire/ There were some serious problems, it seemed to me, with this. First of all, I would have to install everything from the distribution disks onto a blank machine, and trust the vendor to supply safe software. I thought Red Hat pretty good in this respect, but could not prove it. Trouble is that tripwire did not come with the distributions at that time, so I had to go on line to get it, and that would run the risk of getting my machine infected while I was on line. The second problem is that there are a lot of updates that come down as the system ages, and they all fail the tripwire testing. And how do I know that the downloaded updates are correct? These days, the updates come with checksums and sometimes have digital signatures, so they may be OK. But for every update, I have to reset the signature database, and that got to be so much trouble that I have not used tripwire in several years. There is SELINUX on my machine, but I have never enabled it. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 09:20:01 up 12 days, 12:38, 3 users, load average: 5.00, 4.67, 4.68 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OFF LIST - Your signed posts.
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mike Acker wrote: thanks for the note i have PGP/MIME set ON so this should not happen (and HTML has to be MIMEd ) from your note it sounds like Thunderbird is sending BOTH .txt and .html formats. I would expect your e/mail client to selecvt one of these -- and either should verify -- which would mean the message has to carry two signatures we might see if anyone on the list has any info on this... -- /MIKE ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users The only info I have, is this: Error - signature verification failed; click on 'Details' button for more information I am running Thunderbird 2.0.0.24 on Linux. It did come with this attachment that looks like a signature. -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.17 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iF4EAREIAAYFAk25h+8ACgkQS/NNXDZDAccnJAD/Qeck95CG/1feZrnEILzWIMRt kbHn0zSl6mP5lyxW1ZoBAI8/ptcE0jXNH7lRCpnAmLoBXhKj4K0PnNdmBmbYpFqg =TcLe -END PGP SIGNATURE- - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 11:50:01 up 12 days, 15:08, 3 users, load average: 4.66, 4.94, 4.84 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org/ iD8DBQFNuY3aPtu2XpovyZoRAmSBAKDBWkzI/54lgqBfKqIw/5QcipJhUgCeOER3 v3qKKYENi9B0EbC4REJaeQQ= =8HS6 -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: A better way to think about passwords
Robert J. Hansen wrote: In short: don't force a particular strategy on your users. Much better to explain to users the general problem, and then leave it up to them to pick a password. Historically speaking, this has shown not to work. I'll try to dig up the HCI references if people really want, but the gist of it is people don't want to have to learn and understand: they just want to get their work done. The instant you make compliance voluntary and education-based, the vast majority of users say meh and choose password as their login credential. Way back when (1970s, I guess) we had a computer where I worked that was networked to another one many miles away that acted as a server. We used punched cards in those days. Passwords were up to 6 6-bit characters. To run a job, you put a job card ahead of the stuff you wanted to run. We had a whole box of those gang-punched and you took one and used it for your job. The password was PASSWD. Some security. 8-( Later I had to use multiple machines, and some I could log into with a Teletype or similar communication device. Each had a different rule for acceptable passwords. So there was no way I could use the same password on all the machines. Now I now know that it is not a good idea to do that in any case, but we were not supposed to write down our passwords. And some required changing the password every month, so there was no way to remember them all in any case. Even if I could remember them, I could not even remember what login to use on each machine, and which password went with which login so I did write them down and to hell with the management rules. The belief that security problems can be solved by educating users is a common one: it is also a deluded one. It handwaves the very serious problem of most users not wanting to be educated and being actively hostile to it. Why do I have to learn all this propellerheaded geek stuff? I just want to get my work done! I do not think it is entirely not wanting to be educated. But if the education takes several hours a week to keep up with and to administer my own responsibilities in the process( generating new passwords, and different ones on a frequent basis, finding some way to remember them other than writing them on a post-it note on a monitor, keeping up with password rules (Must have letters in both cases, special characters, digits, at least some length, not to exceed some other length, not a simple permutation of the last few used on this system, etc. But some require some or all of these. Some allow only letters and digits, and so on. Who can keep up?), then management would have to budget the time so I could do it, and they will not. There has to be a better way, and I do not know what it is. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 09:10:01 up 5 days, 12:28, 3 users, load average: 5.32, 4.95, 4.88 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: A better way to think about passwords
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 MFPA wrote: Hi On Thursday 21 April 2011 at 2:20:51 PM, in mid:4db02f33.5010...@verizon.net, Jean-David Beyer wrote: I do not think it is entirely not wanting to be educated. But if the education takes several hours a week to keep up with and to administer my own responsibilities in the process( generating new passwords, and different ones on a frequent basis, finding some way to remember them other than writing them on a post-it note on a monitor, keeping up with password rules (Must have letters in both cases, special characters, digits, at least some length, not to exceed some other length, not a simple permutation of the last few used on this system, etc. But some require some or all of these. Some allow only letters and digits, and so on. Who can keep up?), then management would have to budget the time so I could do it, and they will not. There has to be a better way, and I do not know what it is. Your employee ID card acting as a hardware ID token, Our ID cards were good enough for military security in the late 1950s. They had no magnetic stripe, no machine readable bar codes, no nothing. Later they got Polaroid cards that had color pictures of us on them. Still nothing machine readable. a single passphrase to log onto your workstation, No workstations in those days. ASR-33 teletypes that you did not log into. Later some electronic junk remote terminals by Teletype Corp. Remember that we were still using punched cards in those days for most work. Only the far-out people got to use dumb terminals, such as ADM-3. It was the computer at the other end, typically a cobbled up version of System/360 TSS for some systems, UNIX for other systems, GECOS for the GE 635s, all different. Some times we had to log into what would now be called a LAN in the building where the server might be first, then dial the number of the server on that LAN, then log into that server. and the administrators of each app taking care of which staff are allowed to use their system. No further passwords/usernames are necessary, just a short timeout feature to lock the workstation if the employee is stupid enough to leave their ID card inserted when they leave their desk. Oh! Yes. Once I got stuck implementing security on a bunch of UNIX servers on a battery of PDP-11/70s and Vaxes. I made it necessary for each user to assign himself a password. I gave them 30 days and cut off those who had not done it. I almost got lynched. I also put slowdowns in the login program. If you got the password wrong, it waited a second before you could try again. If you failed a second time, I doubled it, etc. When it got up to a minute, I had it hang up on them. People then got to leaving their terminals logged in, so I put a timer in there and if they did no input for an hour, I logged them out. They hated that too. That was not enough. Some @$$holes would wander around and change passwords of people who deserted their terminals. I got so many people mad at me that I was relieved of my responsibility for that, thank goodness. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 20:45:01 up 6 days, 3 min, 4 users, load average: 5.48, 5.18, 5.01 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org/ iD8DBQFNsNLQPtu2XpovyZoRAl64AJ9rzq5xlXPIn1/8/XCL/WLh2+UcTQCeMUmd bRYiBGvBPYYG7IxdhW2R3XI= =pw5h -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Deniability [SIC]
Jerry wrote: On Sun, 3 Apr 2011 11:48:13 +0100 MFPA expires2...@ymail.com articulated: Isn't it a fairly standard maxim that ignorance of the law is no defence? http://en.wikipedia.org/wiki/Ignorantia_juris_non_excusat quote Ignorantia juris non excusat or ignorantia legis neminem excusat (Latin for ignorance of the law does not excuse or ignorance of the law excuses no one) is a legal principle holding that a person who is unaware of a law may not escape liability for violating that law merely because he or she was unaware of its content. In the United States, exceptions to this general rule are found in cases such as Lambert v. California (knowledge of city ordinances) and Cheek v. United States (willfulness requirement in U.S. federal tax crimes). /quote See also: http://en.wikipedia.org/wiki/Plausible_deniability If I remember correctly, the U.S.Criminal Code is a set of volumes that takes about 4 to 5 feet of shelf space at my public library. This probably does not include the collection of Federal Regulations. It is my understanding that for most bills passed by congress, the congressmen and senators never even read the bills, though they sometimes read the summaries prepared by their assistants. One time I got a copy of a bill because I was urged to oppose it. The bill was illegible because it was the form of a set of amendments to the existing law. So there was page after page of stuff of the form change Page xxx, line yy, change will do to will not do So it is useless to even read that without running it through some kind of text processor to do all those changes. My view is the dolts in congress do not even know what they are voting for or against. Then there are state and municipal laws and regulations. While ignorance may be no excuse, there is now way to be informed either. The turkeys that pass the laws do not even know that, and there is no way we could keep up even if we tried. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 20:05:01 up 31 days, 4:06, 3 users, load average: 5.14, 4.84, 4.74 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: This key may be unsafe
Grant Olson wrote: Here's a case where the difference between and = is HUGE. gnupg 1.4 only switched the defaults from 1024 DSA/ElGamal to 2048 RSA/RSA in 1.4.10, which isn't even two years old. I still see plenty of boxes in the wild that only have 1.4.9, and not just those ones that are old and creaky and people are afraid to reboot for fear of an actual hardware failure. Like you said, I would avoid creating one that size now, but even just a year-and-a-half ago, your mantra of use the defaults unless you know what you're doing would have resulted in 1024 bit keys for most users. Meanwhile, warning about keys 1024 bit would be a little more practical, at least until ECC hits the standard. I run Red Hat Enterprise Linux 5.6 (the latest of the RHEL5 series) and they are only up to gnupg-1.4.5-14.el5_5.1, They will probably not move up until RHEL 6 (that I believe has just recently come out). It looks as though that one is: gnupg2-2.0.14-4.el6.i686 (for my 32-bit machines); unless I am confused. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 21:50:01 up 4 days, 6:51, 3 users, load average: 4.73, 4.72, 4.92 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: how slow are 4Kbit RSA keys? [was: Re: multiple keys vs multiple identities]
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 David Smith wrote: Daniel Kahn Gillmor wrote: On 09/24/2010 09:54 AM, David Shaw wrote: It won't work with the current generation of OpenPGP smartcards. It also will be dreadfully slow if you (or someone you are communicating with) ever uses the key on a small machine (think smart phone). If you are usually on a full power computer, then they generally have the CPU to spare for this sort of thing, and you'll rarely if ever notice a difference. i'm curious to see some quantitative data about what dreadfully slow means. Not truly quantitative, but I notice a significant difference between encrypting emails to people with 1024-bit keys vs people with 4096-bit keys. I'd say that the difference is in the order 3-6 seconds. I'm running GnuPG 1.4.x on a Sun Ultra10 with a 500 MHz CPU and 1 GB RAM. Yes, I know it's old. :-) We're forced to use 4096-bit keys because some of our customers require it. Am I missing something? I thought the keys were used to encrypt the block containing the session key (that is, IIRC, 512 bits). And it is the session key that is used to encrypt and decrypt the actual message. Since the session key is small, encrypting or decrypting it should not take a lot of time compared with doing an entire message (depends on its length, of course). So unless the time to encrypt or decrypt the session key is large compared with the time to encrypt or decrypt the actual message, is this discussion not about the wrong thing? What is the message size of the messages being used to come up with the numbers on this thread? Are they realistically large (whatever that might be)? - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 10:35:01 up 6 days, 2:03, 3 users, load average: 4.96, 4.74, 4.57 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org/ iD8DBQFMoK43Ptu2XpovyZoRAu73AJ0dIGF415+emazvMRK7OYEpjzzYVACdFNQu Y4rA9L516xM4TFSkw9T6Ako= =AYQV -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Where is FAQ?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I have what I am sure is a frequently asked question, but I cannot find a FAQ. I can find the archives, but I know no good way to search them. It is the question about the order of signing and encrypting a message. I am pretty sure that is the correct order, but a while ago there was a thread about this and I would like to find it. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 17:10:01 up 16 days, 1:56, 3 users, load average: 4.67, 4.70, 4.57 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org/ iD8DBQFMSgZZPtu2XpovyZoRAkIaAKCKoqHhAl92EVSw8uf2HVq4B97OjQCff6Wi KJb0tNzL42UbRbNl+LlJscM= =FmEw -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: decryption failed: secret key not available
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Rahul R wrote: But how to generate a secret key in command mode... i have the public key with me and imported it.. but still not able to decrypt... My guess is that your best bet is to generate a new key-pair and send the public key to a key-server. Then notify whoever sent you the original message of the problem and to send it again with the new key. You might wish to revoke the old key-pair if you have a revocation certificate on your machine. I do not know how you lost your secret key. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 16:40:01 up 14 days, 1:26, 3 users, load average: 4.84, 4.75, 4.79 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org/ iD8DBQFMR1wOPtu2XpovyZoRAiCvAJ9sPuI069kgQRIG2sbkTxxAeeCJLACcDbKT 95wgHVIUeJ2NFYaMvYGNWA0= =JuL2 -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Locating GnuPG 2.0.16 RH4 binaries...
John Espiro wrote: Greetings... My google skills must not be working lately... Can anyone help point me to the 2.0.16 binary for GnuPG / RHEL4? Thanks, John Is there one? I run RHEL 5.4 that is up-to-date as of this morning, and that binary rpm is gnupg-1.4.5-14.el5_5.1. If I look at CentOS 4, the binary for it is gnupg-1.2.6-9.i386.rpm -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 14:45:01 up 12 days, 23:31, 3 users, load average: 4.47, 4.64, 4.69 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Locating GnuPG 2.0.16 RH4 binaries...
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Breen Mullins wrote: * Jean-David Beyer jeandav...@verizon.net [2010-07-20 14:53 -0400]: John Espiro wrote: Greetings... My google skills must not be working lately... Can anyone help point me to the 2.0.16 binary for GnuPG / RHEL4? Thanks, John Is there one? I run RHEL 5.4 that is up-to-date as of this morning, and that binary rpm is gnupg-1.4.5-14.el5_5.1. If I look at CentOS 4, the binary for it is gnupg-1.2.6-9.i386.rpm On Fedora, and I expect on RHEL too, 2.0.16 would be installed by the gnupg2 rpm. You might look at http://fedoraproject.org/wiki/EPEL which provides ports of Fedora packages to EL. Breen Looks like it is there for RHEL 5, but not for RHEL 4. Probably too many incompatibilities for that older release. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 21:35:01 up 13 days, 6:21, 3 users, load average: 4.65, 4.79, 4.76 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org/ iD8DBQFMRlAMPtu2XpovyZoRAmIMAKDEHJbEIy5ZQ+ulpcE6IrEetciA3gCgh0T5 6CxIZAfcWY81yH/GeokvqQg= =UPjt -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: AUTO: Richard Hamilton is out of the office (returning 06/24/2010)
Jerry wrote: On Thu, 17 Jun 2010 16:04:41 -0600 I was just stating to a colleague that it had been months since an errant vacation message had been posted on this forum. Well, thanks to Bob, that drought has been quenched. With the summer season now upon us and vacations becoming the norm, I rest assured that more such individuals will be advising us of their schedule. Then again, maybe, just maybe, this might be a good time for all of us to check that we have our mail programs, be them what they may, properly configured so as to not pollute forums with useless OOF/vacation garbage announcements. If I understand correctly, this is done by setting the precedence of the vacation e-mail to bulk instead of something else (list?), and that mailing list programs do not send the stuff marked bulk. Is that not how mailing list programs work? -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 08:20:01 up 42 days, 16:15, 3 users, load average: 4.65, 4.81, 4.56 signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: AUTO: Richard Hamilton is out of the office (returning 06/24/2010)
David Smith wrote: Jean-David Beyer wrote: If I understand correctly, this is done by setting the precedence of the vacation e-mail to bulk instead of something else (list?), and that mailing list programs do not send the stuff marked bulk. Is that not how mailing list programs work? Not quite. Mailing lists programs normally send mails with the Precedence: bulk or Precedence: junk header, and then the autoresponder should recognise this and choose not to respond to mails with the bulk or junk precedence header. It is up to the autoresponder to act correctly. Well, the stuff I get from the Gnupg-users@gnupg.org list has precedence: list set. Other lists to which I subscribe use Precedence normal or precedence: bulk. Regular e-mail does not have precedence set at all. It seems to me that mailing lists should get their acts together. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 09:10:01 up 42 days, 17:05, 3 users, load average: 4.63, 4.80, 4.74 signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Test mail to gnupg.user
Ingo Klöcker wrote: On Saturday 12 June 2010, Jerry wrote: On Sat, 12 Jun 2010 16:40:28 -0400 Jean-David Beyer jeandav...@verizon.net articulated: I see no way to do that. I have a Reply button and a Reply All button and no others. There is no such button on that screen that allows diddling buttons. Thunderbird 2.0.0.16, which is the latest for Red Hat Enterprise Linux 5. Unfortunately, it might prove to be academic anyway. Unlike several other lists that I am subscribed to, this mailing list does not use a Reply-To: in the e-mail headers. It would definitely facilitate replying to list mail if the maintainer(s) of this list configured the mailer to insert such a header that pointed to this list. There is such a header: List-Post: mailto:gnupg-users@gnupg.org So there is. Reply-to is intended to be used by the sender to state his preference for replies. If he prefers off-list replies then he should set it to his address and if he prefers on-list replies then he should set it to the mailing list address. (In fact, there's also the Mail-followup-to header which is even better suited for this than the Reply-to header.) IMNSHO, it's not up to the mailing list admins to dictate where replies to my posts should go. Therefore, the mailing list software should not touch the Reply-to header. OK. Conversely, many MUAs support the reply to list function that should work correctly on this list. Perhaps so, but my Thunderbird 2.0.0.24 dies not, and it is the latest version available in .rpm for my distribution (RHEL 5.5). I hear Thunderbird 3 does have something like this. Exactly. It works correctly because those MUAs use the above mentioned standardized (RFC 2369) List-Post header. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 07:00:01 up 37 days, 14:55, 3 users, load average: 5.59, 4.62, 4.33 signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Test mail to gnupg.user
Ingo Klöcker wrote: On Sunday 13 June 2010, Jean-David Beyer wrote: Ingo Klöcker wrote: On Saturday 12 June 2010, Jerry wrote: Conversely, many MUAs support the reply to list function that should work correctly on this list. Perhaps so, but my Thunderbird 2.0.0.24 dies not, and it is the latest version available in .rpm for my distribution (RHEL 5.5). I hear Thunderbird 3 does have something like this. https://addons.mozilla.org/en-US/thunderbird/addon/4455/ Regards, Ingo Thank you. It works. I used it on this e-mail. It takes time, though. When I pressed Reply-List, it first put your personal e-mail address in the To: field and only later did it change it to the list itself. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 08:10:01 up 37 days, 16:05, 4 users, load average: 4.46, 4.63, 4.85 signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Keyserver spam example
MFPA wrote: The Spamhaus PBL might very well list you. 76.185.38.113 is listed in the PBL Mailservers using this blocklist would probably block mail from you. Of course, even Spamhaus's own website says the PBL is not a blacklist and that you can remove your IP address from their list if you are running a legitimate mail server, but only if it's a static Ip address. They provide no definition (that I can find) of what constitutes a legitimate mail server Obtaining a static IP is easily done so I don't know why someone would want to risk using a dynamic IP. My current ISP (Verizon) wants US$100/month more for a static IP address than for a dynamic one. In addition, I am not permitted to use my own MTA (in my case, sendmail) unless I have a commercial account instead of a home owner's account. Most ISPs I have seen charge considerably more for a static IP address; generally, commercial prices rather than home-user or small-business prices. Unless you have relatively high bandwidth requirements there is no point. It is *definitely* not worth the expense just just to avoid an occasional over-zealous mailserver admin spuriously binning one of your perfectly valid email messages. Even if you are hosting a website or an incoming mail server, there are plenty of dynamic DNS services available for many times less cost than having a static IP address. My sister lives in France. I believe her ISP is the French Post Office. While I can receive e-mail from her, she cannot receive e-mail from me, even though I use Verizon as my ISP. My home has a dynamic IP address, but I assume Verizon have static IP addresses. We have worked on this for several years, but I cannot send to that sister. I have another sister in Canada. She has no trouble sending e-mail to her sister in France. Someone in France does seem to be blocking Verizon. At least, they are blocking me, and I cannot imagine it is just me. In any case, a very large percentage of SPAM originates from dynamic IPs, which is why I routinely block them. A large percentage of spam originates from the USA. It would be just as rational to block mail from all IP addresses that are listed as being there. (-; Maybe France is blocking all of USA, or all of Verizon. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 06:50:01 up 36 days, 14:45, 3 users, load average: 5.01, 4.73, 4.49 signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Keyserver spam example
Jerry wrote: On Sat, 12 Jun 2010 06:22:47 -0500 Sonja Michelle Lina Thomas sonjamiche...@gmail.com articulated: I use gmail for my SMTP needs. I have accounts on a couple of unix machines, yahoo, gmail, aim, my business hosted via godaddy and I choose gmail as the default SMTP server for all of them. Works like a charm. http://lifehacker.com/66/how-to-use-gmail-as-your-smtp-server Give them a try. Gmail is free and it can be a good account to pass to sites that you feel may be spam generators. Gmail has web/pop/imap access and has fairly decent spam filters. I would not trust Google with your data, far less mine. They have all ready been accused of illegally pilfering through user data and mining for user wireless information. I avoid them like the plague whenever possible. What I would like to know is if the OP tried using the ISP's SMTP server, often referred to as smarthost feature in several MTAs. Yes, I did. They will not accept anything from my MTA even when I use the smarthost feature. I can use either their web site server (that I detest) or Firefox, but they will not allow sendmail even with smarthost. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 08:35:01 up 36 days, 16:30, 3 users, load average: 4.62, 4.51, 4.56 signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Test mail to gnupg.user
Sonja Michelle Lina Thomas wrote: my e-mailer honored it automatically (perhaps it does). Because some lists to which I subscribe automatically reply to the lists, and some automatically reply to the original sender, and I cannot remember which is which. I know asking any particular list to change is not worth the trouble; each list has its own policy and unwilling to change. I try to remember which is which. It is sometimes suggested to hit Reply-All, but this results in the original poster's getting two replies. I To handle this issue I added the reply to list button to Thunderbird. Whenever I deal with a list, I hit that button. I added it through the right click customize menu and drug the button to my toolbar. I see no way to do that. I have a Reply button and a Reply All button and no others. There is no such button on that screen that allows diddling buttons. Thunderbird 2.0.0.16, which is the latest for Red Hat Enterprise Linux 5. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 16:35:01 up 37 days, 30 min, 4 users, load average: 4.40, 4.57, 4.59 signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Test mail to gnupg.u...@seibercom.net
Jerry wrote (in part): Which reminds me; there is a request at the end of every post I make. Would it be to much of an imposition for you to honor that request? Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. I looked at the headers, and there is no Reply-To header in the e-mail I received from the list. An entire page of headers, but not that one. Even if Reply-To was a header, it would be too much to honor it unless my e-mailer honored it automatically (perhaps it does). Because some lists to which I subscribe automatically reply to the lists, and some automatically reply to the original sender, and I cannot remember which is which. I know asking any particular list to change is not worth the trouble; each list has its own policy and unwilling to change. I try to remember which is which. It is sometimes suggested to hit Reply-All, but this results in the original poster's getting two replies. I particularly hate this method as I then reply to which ever one I get first, usually direct to the author, thinking he wants a private reply since he sent it to me privately. Then a little later I get one from the list, and it is usually too much trouble to send another reply to the list. I wish all lists were set up so a reply to a message from the list went back to the list, but there is no point asking that from a list that does things another way. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 08:05:01 up 35 days, 16:00, 3 users, load average: 4.46, 4.45, 4.45 signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Using the OTR plugin with Pidgin for verifying GPG public key fingerprints
Robert J. Hansen wrote: But all that aside, I'm pretty sure news reports, etc. of human traffickers, smugglers, spies, etc. all confirm the fact that national IDs such as passports can be forged and do in fact slip by immigration authorities pretty commonly. Only because the news doesn't report on people who get arrested based on false identity documents. By the very nature of journalism, it pays more attention to the extreme and the unusual than it does the mundane and humdrum. If a madman shoots 14 people in a shopping mall in Oconomowoc, that's news: if 1,400 people die of cancer nationwide that day, it doesn't even get a mention. Following the news would lead you to thinking you needed to buy body armor, not that you could stand to lose a few pounds and you should stop smoking. A larger example is that if some madmen flew aircraft into the World Trade Center killing 3000 or so people, that gets a lot of news and a Department of Homeland Security set up, but if we kill 10 times that every year in automobile accidents, do we get highways redesigned, automobiles redesigned, driving tests improved, etc.? Be careful about forming your opinions of normalcy from watching news reports. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 12:05:01 up 52 days, 13:25, 4 users, load average: 4.36, 4.36, 4.64 signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Web of Trust itself is the problem
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mark H. Wood wrote: | | Still, it's another technology-intractable problem. If people cared, | they would train themselves to look for trouble indicators, like | scanning the dashboard from time to time for problems with speed, | fuel, temperature, etc. We're trained to operate motor vehicles, but | not to operate browsers or MUAs. (It's intuitive! Not.) I know drivers who have no clue about all those trouble indicators. I was a passenger with a friend and I noticed the engine temperature gauge was too high. I urged her to stop the car until it could cool down and we could see what the trouble was. She said she would do that after lunch, but she did not have time then. I told her to turn the heater on full, and since this was summer, she objected, but did it. When we got to the restaurant, she turned the motor off. After lunch it had cooled down some, so I looked into the radiator where there was no noticeable water. We got some from the restaurant. I forgot what the trouble was (defective radiator hose, loose clamp, etc.), but at least she did not need to get a new engine. People often drive for months with the Check Engine light on. When I ask about this, they say it is nothing: it is always on. They have seen it so long they have gotten used to it. They just do not care. I knew a guy who had a Pontiac station wagon he bought new. He never had it serviced or even checked the oil or the oil pressure light. Well one of those will go about 25,000 miles before seizing up. - -- ~ .~. Jean-David Beyer Registered Linux User 85642. ~ /V\ PGP-Key: 9A2FC99A Registered Machine 241939. ~ /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ~ ^^-^^ 10:05:01 up 4 days, 12:00, 3 users, load average: 4.56, 4.59, 4.68 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org/ iD8DBQFLTJGhPtu2XpovyZoRAoziAKCwQV3ZfYoLK3u/K5UUKMntfo4lpwCeNYcv 2OElW0+lwjTgll0fSK4a/8M= =4tgG -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
New Revocation Certificate...
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 If I add a subkey to my key (e.g., because the previous one expired), do I have to generate a new revocation certificate, or is the old one still good? I may never need to know the answer, but better before than after the compromise of a key. - -- ~ .~. Jean-David Beyer Registered Linux User 85642. ~ /V\ PGP-Key: 9A2FC99A Registered Machine 241939. ~ /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ~ ^^-^^ 16:40:01 up 10 days, 3:29, 4 users, load average: 4.07, 4.11, 4.18 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iD8DBQFKR9Y+Ptu2XpovyZoRAuloAJ0QN3VUnY0JGTs32wMirLmcDykhCgCeI86j 2KgENOCAIzAfSX/RxSOyfzs= =UkMC -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: New Revocation Certificate...
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Daniel Kahn Gillmor wrote: | On 06/28/2009 04:44 PM, Jean-David Beyer wrote: | If I add a subkey to my key (e.g., because the previous one expired), do I | have to generate a new revocation certificate, or is the old one still | good? | | I'm assuming you're asking about the revocation certificate for your | your entire GnuPG-generated OpenPGP key. | | That revocation certificate is designed to revoke the primary key. | Without a valid primary key, all associated subkeys are considered | invalid. So you should not need to re-generate your revocation | certificate based on a new subkey. | | This is because the action triggered by the publication of the | revocation certificate is the invalidation of the primary key. Make sense? | | Hope this helps, | Fine; it is a nuisance to generate it each time, but I would have hated to find I could not use it. Yes, that is what I meant. If the primary key is compromised, I would wish to revoke it and everything on it. Too bad I would lose all the signatures on it, but since it would be no good, there would be no sense in transferring the signatures to my new key, even if that were possible (and I hope it is not). - -- ~ .~. Jean-David Beyer Registered Linux User 85642. ~ /V\ PGP-Key: 9A2FC99A Registered Machine 241939. ~ /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ~ ^^-^^ 17:10:01 up 10 days, 3:59, 3 users, load average: 4.84, 4.48, 4.31 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iD8DBQFKR92pPtu2XpovyZoRAt3dAKCVERCpnUAcC6gzC22OpP97NgS7DACfel5X 0AoDxHPi87BlpF3P1VHGv9Q= =UzS0 -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Security Concern: Unsigned Windows Executable
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Robert J. Hansen wrote: | Insert mandatory reflections on trusting trust reference here. | | The sentiment of I must build it from source if I'm going to trust it | is great, but then you have to ask questions about your compiler, your | system libraries, etc., until you're left hand-hacking Assembly | instructions for a low transistor count CPU you've personally | lithographed yourself from your own personal design. | Let's say I did all that. But do I trust the guy who looked over my shoulder to be sure I did not make a mistake in my own personal design? And if I believe, in principle, in automatically proving programs (or hardware, their equivalent) correct, do I trust the program that does that? And the rules given that program that the program to be verified is to meet? We get into the very problem Rene Descartes was stuck in until he came up with Cogito, ergo sum. Which I do not think was a solution at all. - -- ~ .~. Jean-David Beyer Registered Linux User 85642. ~ /V\ PGP-Key: 9A2FC99A Registered Machine 241939. ~ /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ~ ^^-^^ 08:50:01 up 69 days, 15:04, 3 users, load average: 4.06, 4.24, 4.31 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iD8DBQFKJSFOPtu2XpovyZoRAmheAKC7PlUg4LWQsz9HdbP09cXdu/mIHwCcDrYG X15Zb0CWZ1SbmpgFl+JibYs= =NdyX -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Someone has harvested my address
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Robert J. Hansen wrote: | When confronted with the fact many PCs (typically Win32, but there's no | reason to think exclusively so) are compromised without us knowing it, | what then should our response to it be in terms of effective usage of | GnuPG? | | (My answer is 'use OS X and/or Linux, and always suspect the endpoints | are leaky'. Other people's may differ, of course.) | I suspect that Linux and OSX may be more resistant to compromise than Windows systems, but I would not wish to be dogmatic about it (Do not step in the dogma.). I never get e-mail or browse the web when I am root. I run ~ a firewall. The only servers I run do not serve the Internet (ntpd and sendmail and named). So I am pretty safe. But if I desired to prove that my machine were uncompromised, how would I go about it? I imagine it is not so easy. Once I tried to write test programs that pinpointed hardware errors. I wanted them mathematically correct. I could not because I always needed to assume some of the machine was working correctly. Thus, a memory test program assumes, at least, that the processor(s) are working correctly. A processor test assumes the memory is working correctly, and so on. It seems to be a chicken and egg problem both for software and hardware. The original problem is easy: a chicken is an egg's way of reproducing itself. - -- ~ .~. Jean-David Beyer Registered Linux User 85642. ~ /V\ PGP-Key: 9A2FC99A Registered Machine 241939. ~ /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ~ ^^-^^ 17:40:01 up 33 days, 23:46, 4 users, load average: 5.07, 4.55, 4.31 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iD8DBQFIxu8pPtu2XpovyZoRAlPeAKCRvFDkXuujdSW0HK1fY4oEkk7zGACfTseP dgfUMl2hXkvX8uZ/TD/NXi8= =jtBO -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Securely delete files...
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 David Shaw wrote (in part): That's exactly the problem - given modern disks, and modern filesystems, there is not a perfect guarantee that you'll hit the same disk blocks that the original file landed on. The disk could invisibly remap a block out from under you at any time (it does this automatically when the disk firmware detects a bad block), the filesystem could be doing journaling games, etc, etc. A program running on the computer the disk is attached to can't really do much about disk block remapping since it doesn't see this. It always asks for (for example) block 100. If the file was written when block 100 pointed to block 100, but by the time the overwrite happens, block 100 has become 12345, then the computer doesn't know it needs to overwrite both 100 and 12345 to get all traces of the file. To make matters worse, block 100 in your example may have already been allocated to another process and it may have already written by that other process, so the computer better not overwrite it multiple times to hide all traces of the older data. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 07:40:01 up 15 days, 13:46, 4 users, load average: 4.54, 4.28, 4.37 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iD8DBQFIrqgCPtu2XpovyZoRAjfdAJ4l5Lx5kNZikfe1p+jk1OF8v4UTwACg08rI 7XUxC1ICpb/yJVQe9b8i4kE= =bM+I -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [GnuPG-users] identical files - non-identical encrypted files
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Kiss Gabor (Bitman) wrote: The password is not random therefore every time you encrypt the same plaintext you got the same cryptfile. No, you won't. All sound encryption schemes use a bit of random to make the resulting ciphertext different. In the easiest case this is called a salt and used to stop dictionary attacks. For example, such a salt has been used for 25 years or so on all Unix systems to protect the login password. (The opposite would cause big problems in a disk encryption system. :-) No. Different ciphertexts may yield the same plaintext. A test speaks for itself: $ cat /etc/passwd | aespipe | md5sum Password: 9220c2e1d5a5a83710d020b04c306c24 - $ cat /etc/passwd | aespipe | md5sum Password: 9220c2e1d5a5a83710d020b04c306c24 - $ ? Apples and Oranges. Consider: $ gpg --output test1.gpg --encrypt --recipient jeandavid8 [at] verizon [dot] net /etc/passwd $ gpg --output test2.gpg --encrypt --recipient jeandavid8 [at] verizon [dot] net /etc/passwd $ od -c test1.gpg | less 000 205 004 016 003 y 037 301 373 022 N 006 c 020 017 376 $ 020 353 } _ W \r - 314 030 B 303 z 226 223 340 S 313 040 375 0 4 $ ) 254 a \0 377 364 / ; 222 ( 315 060 / 006 213 004 221 264 a 255 247 B 275 \a 301 264 Q 100 203 250 . 257 \0 Q 376 232 312 266 3 . 321 022 b 215 120 374 $ 241 ` 256 j D 351 a 246 326 ? 223 313 210 $ 140 321 023 032 244 262 273 246 215 - i b m255 313 160 035 240 337 230 \v B 327 \r 265 362 255 271 ( ? b 202 200 034 332 371 T 250 310 = 223 211 236 304 U 334 206 z ` $ od -c test2.gpg | less 000 205 004 016 003 y 037 301 373 022 N 006 c 020 017 376 8 020 A 217 B R 377 264 b y 361 X 243 \ 316 x 346 246 040 A 016 257 310 Y 032 265022 g 016 327 274 276 364 337 060 ) b 211 354 \f 005 354 002 001 224 251 1 ) S \a 266 100 + 312 004310 315 354 } A 206 p . 242 332 214 305 120 226 T 255 304 d 235 # B 240 \f 020 [ 003 x 023 305 140 210 l H 247 1 334 ( 216 6 257 H 314 A 023 323 363 160 = 361 9 V U ' c 7 s 247 372 9 306 202 342 203 200 l K Y 323 Y z 372 ~ \r \v 270 o J } 272 1 - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 14:25:01 up 1 day, 17:17, 5 users, load average: 4.04, 4.14, 4.22 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iD8DBQFIlfqnPtu2XpovyZoRAo8CAJ9az5lSAAHKT3r1SFAcTow6vu0ACACfeSrU /t2BOHB7rHXejd+5DXK/mCM= =E/Rm -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Starting with gnupg
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Dwayne wrote: Hey there I've just begun using gnupg, but I have a concern: Lets say I've encrypted a file with my public-key, and uploaded it to somewhere on the net for backup purposes. What will happen, in case my backup-place gets compromised, and the file comes into the wrong hands. Should I be worried that the person has the encrypted file or can I feel safe that the person doesn't have my privatekey+passphrase and therefore cannot decrypt it? He needs more than your public key. He needs your private key as well -- and the easiest way to get that is to get a copy of your secret keyring and your passphrase. But if he somehow got your private key, I do not believe he would need your passphrase. I hope you have _not_ sent your secret keyring anywhere. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 08:15:01 up 11:07, 4 users, load average: 4.40, 4.39, 4.39 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iD8DBQFIlFDjPtu2XpovyZoRAmWvAJ49SgIHVIkPu/anfhAmP7UgeL6vCwCfWTPK PDvyIOVIPc8MFpDH8lsssLE= =hl8B -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Starting with gnupg
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 John W. Moore III wrote: Jean-David Beyer wrote: But if he somehow got your private key, I do not believe he would need your passphrase. YES! S/He _would_ need the passphrase even if in possession of the Private/Secret Key. The passphrase is the key that unlocks the Secret Key which is why there is so much emphasis placed on making sure Your passphrase is a strong one that cannot easily be guessed or 'Social Engineered'. Should an adversary come into possession of the Secret Key they would then need to brute force attack the passphrase. SIGH You would certainly need the passphrase to get at the contents of secring.gpg. But if I got the secret key from there, would I still need the passphrase? I.e., does the passphrase control access to the _keyring_ or the _key itself_? I suppose I should look it up in the RFC 4880. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 08:45:01 up 11:37, 4 users, load average: 5.03, 4.38, 4.30 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iD8DBQFIlGWVPtu2XpovyZoRAt53AJ905TQ2aYuKONX4hZJP+X+4hVOC+QCfREzT qm9WdAefCFLv4USLvS9gFRs= =sumU -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: so how do you get others to sign your key?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Alexander W. Janssen wrote: reynt0 wrote: On Mon, 21 Jul 2008, kurt c wrote: . . . My name is Lawrence, by the way. I created this email account on a whim to test Enigmail, that's why it has this kurt c stuff on it. And now . . . FWIW, Do you know that, as I understand things, Google saves and records of, and analyzes including for affinity grouping, all the email content and email accounts you communicate with, and so by using gmail you are in some small way compromising the privacy and maybe security of everyone posting on any email list you get email from? No, I do not know that, and I still do not know that. That does not mean it is not true. While it would not prevent google from looking at the envelope (sender's address, etc., receiver's address, etc., Subject...), you could keep them from analyzing the content by encrypting it with gnupg (e.g., with enigmail). This would require your destinations to have pgp or gnupg and use it. This would not work on mailing lists except private ones with only a few users. Says someone without even a real name in his from-line. Why should that be a security problem? What would hinder $evildoer from subscribing themselves? Also, your comment wasn't helpful. Oh man. Do you really want to open this can of worms? One of Murphy's laws goes: When you open a can of worms, to recan them takes a larger size can. Sorry, I had to say this. I'm usually not the flamy type of a person. Alex. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 06:45:01 up 3 days, 11:33, 4 users, load average: 4.42, 4.16, 4.06 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iD8DBQFIiF98Ptu2XpovyZoRAuE1AJ9cBeXJVLJGZfyBK/TvqlsZX8LikgCeKKYc fnlM1YftqwConpH1jC3LoQM= =nYvs -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: what if they have my sec key?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Ramon Loureiro wrote: Hi! I'm using different PCs at work for sending email (and other things, of course...) Are just the PCs at work shared, or are the secret keys at work shared too? Is it possible for these users to hack my secret key? It depends, partly, on the security features of the OS you are running. Can the other users see your key ring? If you run Linux or Unix, for example, and have the permissions of directory containing your key ring set to drwx-- , and the permissions of your secret key ring set to -rw--- you should be pretty safe except from the super-user. If you do not trust the super user, you are in big trouble in any case. It is my understanding that the security features of at least some versions of Windows are much less and that anyone can get at those files. If they have got it, can they use some kind of brute force system to guess my pass phrase? In theory, yes, especially if it is too simple. If you pick a complicated one such as NICqW$Yu1Fg.ZSLawenaP5ZCiDy (now that that one has been displayed on the Internet, it is no longer considered a good one), they are much less likely to guess it even with a dictionary attack. The main trouble with a passphrase like that is that it may take a month or so before you can remember it, and writing it down is not considered a good idea. What will be the best option in this scenario? Having the secret key on my USB drive? ? That is safe as long as the other users of your machine are not running programs on it while you are using it. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 06:55:01 up 6 days, 20:52, 4 users, load average: 4.64, 4.25, 4.11 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iD8DBQFIPo8JPtu2XpovyZoRAg89AJ9Xy5Y9slk2Ibtb7Wmn4cYNg9aygwCcCTas mlgjikdq8E3sCSh3sC+CQHg= =GXaJ -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How true can this be?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Janusz A. Urbanowicz wrote: On Sun, Jan 27, 2008 at 04:23:06PM -0500, John W. Moore III wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - Original Message Subject: Re: How true can this be? From: Janusz A. Urbanowicz [EMAIL PROTECTED] To: Raygene [EMAIL PROTECTED] Cc: gnupg-users@gnupg.org Date: Sunday, January 27, 2008 1:39:04 PM if a), then b) would land him in jail, quickly More likely a fatal traffic accident or victim of a street mugging with similar outcome. People communicate in and from Jails. Blabbering about classified stuff is a breach of security procedures and NDA-s, that leads to administrative action, prosecution and usually jail sentence (or a hefty fine). Long ago I had a secret security clearance. The secrets were laughable, but I have never disclosed them. Mine had nothing to do with encryption. When getting the clearance, I had to read some of the laws that pertained. In addition to jail and fines, another punishment option was death. But I imagine it would be done officially. The approach you mention would be probably used on someone who would like to play the game (as in sell the info to another country), not for some random blabberer. Alex - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 12:50:01 up 16 days, 2:36, 2 users, load average: 5.02, 5.03, 4.68 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iD8DBQFHrejkPtu2XpovyZoRAgC9AJ9DknvNBSUr0NU7jxdHUr3PGWHKYACgg2Lo eVMtegDw54+UQDnlz+fGK+8= =YzkQ -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Which key is used when more than one are valid?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 My gnupg file that I get with edit-keys myuid contains, among other things: sub 2048g/48FF0850 created: 2007-02-24 expires: 2008-02-24 sub 4096g/124E0663 created: 2007-06-17 expires: 2009-06-16 How do I know which key is used when sending e-mail? Or is this a Thunderbird question? - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 14:45:01 up 5 days, 19:45, 5 users, load average: 4.13, 4.21, 4.30 -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGdYIwPtu2XpovyZoRArhqAKDPQET44cuCxGO1oFYZsUsLJh8fiwCgmetE 6W6u+B98xcLDDy+msrqrsv8= =IuPV -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Which key is used when more than one are valid?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 John W. Moore III wrote: David Shaw wrote: On Sun, Jun 17, 2007 at 02:49:21PM -0400, Jean-David Beyer wrote: My gnupg file that I get with edit-keys myuid contains, among other things: sub 2048g/48FF0850 created: 2007-02-24 expires: 2008-02-24 sub 4096g/124E0663 created: 2007-06-17 expires: 2009-06-16 How do I know which key is used when sending e-mail? Or is this a Thunderbird question? GnuPG picks the subkey for you unless explicitly told which one to use. In the above case, it would pick the second key, as it is more recent. However, 'Account Settings' within Thunderbird does allow You to select which Key to use _if_ Enigmail is also Installed. JOHN ;) Timestamp: Sunday 17 Jun 2007, 18:24 --400 (Eastern Daylight Time) It allows me to pick the key, but not the sub-key, unless I am missing something. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 20:25:01 up 6 days, 1:25, 3 users, load average: 4.51, 4.29, 4.11 -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGddE7Ptu2XpovyZoRAhwLAJsHutIe1FSKiuSfS6AovqvTv897JgCeMFgp ra/GHa7ZEWiq3VQ0k6iUlOU= =zFXY -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Donations
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Thorsten Haude wrote: Hi, * Werner Koch wrote (2007-01-05 14:58): Shall we start to measure contributions by the number of source code lines [...]? That; would; be; a; really; good; idea!; I can see you are making a point, One with which I agree. People will conform with whatever measuring system is in place. If you get paid in lines of code, they will generate a lot of lines of code, even if a better program can be written with fewer. If they get paid inversely by memory requirements, they will write small programs. If they get paid by fast programs, they will probably write fast ones. It would be more difficult to pay people by reliability of programs, clearness and simplicity of documentation, etc., but those might be worthwhile criteria. All of which reminds me I forgot to send my contribution to FSF last year. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 08:40:01 up 79 days, 11:13, 3 users, load average: 4.21, 4.13, 4.04 -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFokuEPtu2XpovyZoRAkPlAJ0ZXbpotHgiIjoM8W6x7UXIPdehvACgiYT9 2eOI3v2cl9PkDINJ1/JwetQ= =1K8b -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Trouble with enigmail and Thunderbird 1.5
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I have recently switched ISP, but I also upgraded Thunderbird at the same time. Now when I get a gpg signed e-mail, I supposedly can check the pen? and it will offer to download the key, giving me a choice of keyservers. I generally pick random.sks.keyserver.penguin.de But now, when I do that, it just buzzes around and never downloads the key. I looked at my firewall, and it is not blocking it. I tried it manually with gpg --keyserver keyserver.kjsl.com --recv-key 0xF621EDAD for example, and it worked fine. Is this a known problem? Or should I find a Thunderbird newsgroup to ask? And if so, which one? - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 12:55:00 up 3 days, 4:21, 5 users, load average: 4.16, 4.19, 4.17 -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFD1Rp0Ptu2XpovyZoRAmLcAJsGQUuAQcG4p7/gOITq4zHpifYtHgCfaQXi ohrBBohLGujQKXu1TlKrD0M= =Ilk3 -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Disk Partition
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 [EMAIL PROTECTED] wrote: On Sat, Oct 08, 2005 at 08:01:15PM +0400, lusfert wrote: [EMAIL PROTECTED] wrote: On Sat, Oct 08, 2005 at 04:30:41PM +0400, lusfert wrote: I know 2 cross-platform solutions: CrossCrypt A quote from the CrossCrypt homepage: Denaiablity: You will not be able to tell that this file has been encrypted by filedisk as it looks completely random and can have any extension you wish. IMHO, There is a problem in that the data looks TOO MUCH random, i.e. it has much higher entropy than would result by normal computer usage. Such high entropy is a strong indication that the data is encrypted. Then you should use stenographic programs together with cryptographic. ;) The point is that the statement about deniability is misleading (or maybe I I should say, close to false). In some scenarios (when it comes to e.g. court cases, or even blackmails or life threats), the person using this product in good faith (believing that the encryption really _is_ deniable) would be in a very bad position. Explaining a large quantity of high-entropy data in a plausible manner is extremely hard. The presence of such data gives a strong indication of encryption. If you argue that you used some secure delete program, then you're _again_ in a bad position because it implies that you have to hide something and again raise suspicion. So, instead of teaching me what kind of software should I use, can you please give an example of plausible explanation for large amount of high-entropy data on the disk? And have in mind a very determined, knowledgeable and resourceful adversary while constructing the explanation. Yeah, I see the smiley, but these things should be taken very seriously and not to be joked with. There are cases where people put their freedom (maybe even life!) in the hands (bits?) of some cryptographic SW and if that SW actually fails to deliver what it promises, then it's very bad for the person trusting it. I think all e-mails should be encrypted. Even recipies for cookies, personal letters to casual friends, everything. If everyone did that, the presense of high entropy stuff on a computer would not be the attention-getting phenomenon it now is. But most people are ineffectively paranoid. They worry about eavesdropping, snooping, interception of their e-mail, but they absolutely refuse to do anything about it. I know no one personally that uses encrypted e-mail. Surely, no one with that attitude would encrypt the stuff on their computer hard drives, backup tapes, etc. It is like the weather. Many people talk about it, but no one does anything about it. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 14:00:00 up 8 days, 7:02, 4 users, load average: 4.34, 4.70, 4.51 -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDSAqmPtu2XpovyZoRAnY0AJ45Z2MXEIwcfHqZ3xuoMeD/s6He/gCcCn9O +TqA3KCPSt2y41+e0ElOJa0= =tR8r -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
To: Alaric Dailey
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Sorry, Aleric. I cannot click on your link, since it sends to a port my firewall does not allow. I do not wish to reconfigure my firewall just so I can validate myself to your C/R system. Therefore, you will not get my e-mail that said I could not decrypt your e-mail, since you did not use my latest key. It is true that the former key is supposedly good for another week, but the private key disappeared from my private keyring (I have no idea how: everything else is OK there). You will just need to get the one with key: 0x562A3109 which should be good for about another year. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 17:00:00 up 8 days, 10:02, 5 users, load average: 4.31, 4.27, 4.27 -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDSDVfPtu2XpovyZoRAuioAJ9Sf4LiDer7s9ct59uzu6HpiHmjMACdHkbW g5wfycUzsQdyXPcNB4zDHwg= =FSaq -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Any way to get smaller key sizes?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Alaric Dailey wrote: considering this https://www.financialcryptography.com/mt/archives/000551.html why would you bother with anything less than 2048 bit keys. In there, it says, in part: If so, that means most intelligence agencies can probably already crunch most common key sizes. It still means that the capability is likely limited to intelligence agencies, which is some comfort for many of us, but not of comfort if you happen to live in a country where civil liberties are not well respected and keys and data are considered to be on loan to citizens - - you be the judge on that call. The trouble with that is that in such countries, using any encryption will probably call attention to you, even if you are only encrypting grocery lists and dentist's appointments, and the penalties can be severe. No point having encryption so secure that the government will find torture to be a cheaper way of getting the information it feels it needs. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 07:35:00 up 105 days, 1:33, 3 users, load average: 4.37, 4.31, 4.27 -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDOoG5Ptu2XpovyZoRAlR6AJsEZhtUMq4M93OYMKhnX6xtLIEABwCeN41L v+nrwGNZqZahei/+vaMYbe4= =URBH -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Any way to get smaller key sizes?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Jason Barrett wrote: In a nutshell, I'm encrypting data entered via a website and storing it in a database for later retrieval and decryption by real-time user programs. I don't want to give up the value that the PGP brand adds to the product, but I can understand that some of my colleagues have concerns about the storage requirements, even though I have done worst-case analyses which indicate that the storage we need is available at minimal cost. I'm willing to address those concerns with some weakening of the public key security, given that there are other mechanisms in place to protect vital data (SSL for one). I had an occasion to work on a large project that management said had to run IBM IMS/DB (hierarchical model) almost 10 years after the relational model came out. We had lots of problems because the transaction handling provided by IMS did not handle transactions as perceived by the users, so if nothing were done, concurrent updates would be a problem. There were to be something like 5000 clerks entering transactions from all over the country. I figured out a way to provide locks for the transactions the users perceived (which involved several database transactions) to solve this. But it required 8 bytes per record. They argued that the disk space required for the locking procedure was excessive, and that the IO cost would cripple the system. I argued that the indices and the rest of the data in the records was so large that no one would notice the 8 bytes, and the locking procedure required only one more IO per transaction. They said that would double the IO cost, but I counted the IOs required and they went up from 19 to 20, or almost 5%. Management was not convinced, so I took it all out of the code. They said the odds against the concurrent update being a problem were a million to one. I calculated it to be far less than that, but that even using their number, we would have a problem every week or two. They ignored me, and the first problem was detected in only a few days. By then it was too late to change anything as there were hundreds of programs relying on the structure of that database and nothing could be changed. They decided to use manual methods to prevent concurrent updates. I got off that project, fortunately, so I do not know how they figured out how to coordinate 5000 employees scattered all around the country by manual methods. In your case, it might be that the encrypted records will actually be shorter than the unencrypted ones, since gpg compresses the things. But for security, it is difficult to imagine a program enhancement applied after sensitive data has been stolen that will get it back, is it not? I feel pretty cynical about corporate management. Perhaps there are well managed corporations, but they must be in the minority. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 11:10:00 up 105 days, 5:08, 3 users, load average: 4.46, 4.27, 4.13 -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDOrWuPtu2XpovyZoRAiNcAKDUhQPq/zN0D+4fT/SCt0zVi9HF7wCfZf27 6QBQySAWB2t3mmO+Rl3WNuM= =mUjM -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Transparent keyboards
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Greg Sabino Mullane wrote: Once a computer or other device that needs secure access is sufficiently protected, it becomes cheaper for a large government agency to resort to bribery or torture to get the information it wants. Assuming they do not wish to try bribery, are you sure you want your machine that safe? That's a silly argument. Because they are ways of obtaining your passphrase by force, you shouldn't bother using one or take other protective measures? Last I heard, the government of Finland was not known for torturing its citizens. I do not say you should not take protective measures. I just say to consider that if your protective measures are so effective that using force or torture are cheaper than the alternatives, that you expose yourself to such measures if your information is actually worth it. I am glad Finland is such a country. But what if an agency known to employ torture, or not known do do so but that does, chooses to operate in Finland, most likely withouth the knowledge or consent of the government of Finland... ? I assume you are using gnupg for all your correspondence with everyone. If you encrypt only your sensitive communications, it will be painfully obvious which of your e-mails to decrypt, saving the black hats a lot of trouble. A lot of trouble in what way? Do you know of a black hat agency able to decrypt exi[s]ting gpg-encrypted messages? It is pretty easy once they have the passphrases or private keys. And once a suitable keylogger is in there, they get them very easily. I imagine if the NSA really wanted to decrypt a gpg-encrypted message, they have the resources to do it. It would probably take them a while if they had to use brute force (and perhaps that is what they would do, again, if they felt the information was actually worth it). Probably no one on this newsgroup actually knows how much compute power the NSA has at its disposal. At one time, the budget of the NSA was about 10x the budget of the CIA (to the great annoyance, apparently, of the DCI). I imagine a lot of their budget was spent on computing equipment, general purpose and special purpose. The original poster may want to check out Tinfoil Hat Linux[1] which has some interesting capabilities, including an anti-keylogger measure. A laptop or PDA with its own keyboard could be useful as well. [1] http://tinfoilhat.shmoo.com/ - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 08:15:00 up 82 days, 2:11, 4 users, load average: 5.23, 5.18, 4.91 -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDHDkNPtu2XpovyZoRAiN7AJ91pz9h5uqJ1vsJBeTju61Klda5lwCfU4dL YH5/sZwJd7XqYHRKx6KkjNU= =QRHs -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Transparent keyboards
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Oskar L. wrote: [EMAIL PROTECTED] wrote: I don't know of any transparent keyboards off-hand (I can check our local computer store tomorrow, since they have one there). Thanks! But, I will say this. There is a keylogger out that goes between the keyboard plug and the case. There are several, see http://www.keyghost.com/ and http://www.amecisco.com/hkstandalone.htm for examples. These are too obvious, and the police most likely will put the keylogger inside the keyboard or inside the case of the computer. So, unless you are able to see through the back of the case, or are so paranoid that you turn the case all different directions before you turn it on, you'll never see it. I have my computer on the floor, and can easily see all sides without turning it. Mounting a small mirror behind the computer might be a good solution to this problem for some. My guess is that if someone serious about this, such as a large government agency, were to do it, they might do something really simple, like replace some board in your machine (modem?) with another one just like it but with the keylogger on it. It would see everything going down the ISA or PCI bus of your machine and do what needs to be done. And if they were _really_ _serious_, the replacement board would look exactly like your present one, but the keylogger would be between something else and the board, or a new chip would be there that did everything it used to do and keylogging besides. Unless you check the board everyday with a large magnifier, for the obvious; or just replacing them all from a private stock hidden from this hypothetical large government agency, you would not stand a chance of finding it. So you better have your machine in a suitably armored steel box, preferably at a secure alternate location, one that locks with an unpickable lock. And, if you're at home, and can't even trust your own family, then anything computer-related is the least of your concerns. I'd be more inclined to be looking up a good psychologist rather then a transparent keyboard. I choose to live alone (for security reasons) so what I worry most about are keyloggers and microphones. Here in Finland the police have a special group investigating us (animal rights activists), and we have caught one infiltrator, so considering this I don't think that it's a sign of paranoia for me to occasionally check for keyloggers. Thank you for clearing up that point. Once a computer or other device that needs secure access is sufficiently protected, it becomes cheaper for a large government agency to resort to bribery or torture to get the information it wants. Assuming they do not wish to try bribery, are you sure you want your machine that safe? I assume you are using gnupg for all your correspondence with everyone. If you encrypt only your sensitive communications, it will be painfully obvious which of your e-mails to decrypt, saving the black hats a lot of trouble. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 08:10:00 up 81 days, 2:06, 3 users, load average: 4.19, 4.20, 4.13 -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDGudyPtu2XpovyZoRArdvAKC1pn4BfQPGgk9BWc1jY9NuoGDx9wCghbN9 Q7NxXL9WS2TqvVN4hj7K42w= =Z0ly -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Transparent keyboards
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Oskar L. wrote: Hi, Can anyone recommend a transparent keyboard, or any kind of keyboard witch makes it easy to check that a keylogger has not been installed inside whilst you were away. I only found this one: http://www.directron.com/kb603cl.html If I were going to put a keylogger in a computer, I would not do it in the keyboard. Why bother. Put in inside the box; have it email a report every time a newline character is typed, or queue it up until next time the machine is on line. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 20:45:00 up 80 days, 14:41, 3 users, load average: 4.09, 4.16, 4.09 -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDGkRePtu2XpovyZoRAkVwAJ9GEknXpQ8k0BqiTPHLSn10DCpzpgCgsFOS 8IEEwDeVgheni/jHVZWHi1w= =SErb -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: --for-your-eyes-only
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 David Shaw wrote: On Mon, Jun 27, 2005 at 11:16:47AM +, Charly Avital wrote: when a message processed ... is decrypted using GnuPG (e.g. by command line) the verbose gpg output contains a line reading: gpg: NOTE: sender requested for-your-eyes-only Is this line intended for the recipient's information only, or is there a way the recipient can actually view the decrypted/verified text in a secure viewer mode? I apologize if this a repetition of my previous question. I am a newbie at this, but I do not see how it is possible to impliment this. While I suppose it might be possible to make an e-mail user agent (such as mutt) decrypt GPG | PGP e-mail and display it on a user's screen, and disable any ability to save the decrypted mail with the mail user agent, I do not see how it would be possible to stop the reader (i.e., the person, not the program) from copying and pasting that decrypted email; e.g., by pressing a save-screen button, or by simply copying and pasting with the mouse. In other words, even if the software were trustworthy, you are still at the mercy of the wisdom and intelligence and trustworthyness of the person receiving it. So you really must trust, in addition to the GPG programs, the user, and that is pretty difficult, IMAO, except in certain situations. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 07:20:00 up 13 days, 1:10, 3 users, load average: 4.33, 4.28, 4.13 -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCwTPbPtu2XpovyZoRAvSfAKDVu+LOOAQrbV26odgAzSkDFYaqWACePBcf d1erwCgMVlLXFyzrg+HsCaU= =MJv/ -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users