-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Hi Robert
On Sunday 14 March 2010 at 7:49:05 AM, you wrote:
This is a keysigning party. It is in everyone's best interests to
accept all good IDs. If I see an ID that I believe is false, then it is
in my own best interests to bring it to
The reason I think that it's still difficult is because even immigration
officials get duped all the time.
Cites, please. Show me studies showing how often immigration officials get
duped, and how often they correctly flag false passports.
When verifying an identity document, the null
On Sat, Mar 13, 2010 at 1:00 PM, Robert J. Hansen r...@sixdemonbag.org wrote:
I'm a little confused as to how does that make it any different from
using the Pidgin OTR method.
It's a question of degree, not kind.
I simply open up an OTR session, ask my friend a question the answer to
On Sat, Mar 13, 2010 at 1:14 PM, Robert J. Hansen r...@sixdemonbag.org wrote:
Even then — so what? Let's say the Type II rate is 25%. That's a very
high Type II rate; most people would think that failing to recognize one set
of fake IDs per four is a really bad error rate. Yet, if you're at
On Saturday 13 March 2010, erythrocyte wrote:
On Sat, Mar 13, 2010 at 1:14 PM, Robert J. Hansen
r...@sixdemonbag.org wrote:
Even then — so what? Let's say the Type II rate is 25%. That's a
very high Type II rate; most people would think that failing to
recognize one set of fake IDs per
2010/3/13 Ingo Klöcker kloec...@kde.org
Sorry, but your calculation is wrong. If the calculation was correct
then with 5 encounters the probability would be 1.25 which is an
impossibility. Probability is never negative and never > 1. (People say
all the time that they are 110 % sure that
On Mar 13, 2010, at 7:08 AM, erythrocyte wrote:
However, the combined probability that at least one of the encounters would
result in accepting a fake ID would be 1/4 + 1/4 + 1/4 + 1/4 = 1 .
99.6%; a little different. The binomial theorem gives us the correct numbers.
0 failures: 31.6%
1
But all that aside, I'm pretty sure news reports, etc. of human traffickers,
smugglers, spies, etc. all confirm the fact that national IDs such as
passports can be forged and do in fact slip by immigration authorities pretty
commonly.
Only because the news doesn't report on people who get
Robert J. Hansen wrote:
But all that aside, I'm pretty sure news reports, etc. of human
traffickers, smugglers, spies, etc. all confirm the fact that
national IDs such as passports can be forged and do in fact slip by
immigration authorities pretty commonly.
Only because the news doesn't
On Sat, Mar 13, 2010 at 10:04 PM, Robert J. Hansen r...@sixdemonbag.org wrote:
99.6%; a little different. The binomial theorem gives us the correct numbers.
0 failures: 31.6%
1 failure: 42.2%
2 failures: 21.1%
3 failures: 4.7%
4 failures: 0.4%
Alrighty... :-) . So the combined
On 3/13/10 8:06 PM, erythrocyte wrote:
Umm.. if I understand the nature of the probability tests or
calculations just mentioned above
You don't.
If person A and person B disagree on whether something is fake, the
operating assumption is that it's fake. The burden is on the person
claiming
On Sun, Mar 14, 2010 at 8:08 AM, Robert J. Hansen r...@sixdemonbag.org wrote:
On 3/13/10 8:06 PM, erythrocyte wrote:
Umm.. if I understand the nature of the probability tests or
calculations just mentioned above, the results have to be accepted as
they are. They either got it wrong or right.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
erythrocyte wrote:
...
The combined probability that all individuals would accept a fake ID
would be 1/4 * 1/4 * 1/4 * 1/4 = 0.00390625 .
However, the combined probability that at least one of the encounters
would result in accepting a fake
On 3/14/10 1:52 AM, erythrocyte wrote:
From my understanding, the probabilities calculated give you
random error. That is given a population of 4 people, there is a
68.4% chance that there would >=1 failures purely by random effects
regardless of what actions they may or may not take to
I don't think OTR technology can claim to solve the gun-to-the-head
scenario. Although it claims to give users the benefit of
perfect-forward-secrecy and repudiation, I think such things matter
little in a court of law. People get convicted either wrongly or
rightly, based on spoofed emails
On 3/12/2010 5:33 PM, Robert J. Hansen wrote:
I don't think OTR technology can claim to solve the gun-to-the-head
scenario. Although it claims to give users the benefit of
perfect-forward-secrecy and repudiation, I think such things matter
little in a court of law. People get convicted either
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Hi erythrocyte
On Friday 12 March 2010 at 12:46:28 PM, you wrote:
a typical browser such as Firefox will have almost 200 root
certificates from various CAs.
208 here, using Firefox 3.5.8
Each of these adds a given amount of risk, that
you live. If you belong to a minority people susceptible to persecution
by a state agency, then yea sure there are many records of wrongful
detention and arbitrary human rights abuses based on false pretenses.
Sure. But the problem here isn't spoofed emails. The problem here is living
in an
On 3/11/2010 11:36 PM, erythrocyte wrote:
On 3/12/2010 10:54 AM, Doug Barton wrote:
Secure in this context is a relative term. (Note, I'm a long time user
of pidgin+OTR and a longer-time user of PGP, so I'm actually familiar
with what you're proposing.) If you know the person you're IM'ing
Hi erythrocyte
On Friday 12 March 2010 at 12:46:28 PM, you wrote:
If you really think about it, when you look at people who've gotten
convicted and/or framed based on plain text unsigned email, then it
goes to show that there's no point in inventing a technology that
specifically provides
On 3/13/2010 2:14 AM, Doug Barton wrote:
You posited a scenario where you are using OTR communications to verify
a PGP key. My assumption (and pardon me if it was incorrect) was that
you had a security-related purpose in mind for the verified key.
Yes :-) .
--
erythrocyte
On 3/13/2010 1:01 AM, Robert J. Hansen wrote:
Sure. But the problem here isn't spoofed emails. The problem here is living
in an area where basic human rights aren't respected. The spoofed emails
didn't get them convicted: the spoofed emails were cooked up to provide
political cover for a
On 3/13/2010 1:10 AM, MFPA wrote:
Each of these adds a given amount of risk, that really should be
made transparent to end-users IMHO.
I think you might mean the risk should be made *clear* to end-users?
Security is already *transparent* to end users visiting a secure website
whose root
On 3/12/2010 5:33 PM, Robert J. Hansen wrote:
The question isn't whether you can. The question is whether it's wise. The
principle of using one credential to authorize the use of another credential
is about as old as the hills. The ways to exploit this are about as old as
the hills, too.
On Sat, Mar 13, 2010 at 2:44 AM, MFPA expires2...@ymail.com wrote:
I would question whether the defence solicitor was fit to practice if
he didn't produce expert witnesses who could explain this sufficiently
clearly for the jury to understand.
LOL ...Easier said than done, IMHO :-) :-P .
I guess what I'm trying to say here is that because regular people don't
understand what spoofing actually is, that by itself is a security hole.
Semantics. A security hole is a way by which the security policy may be
violated. Most people don't bother to think about policy in the first
You have an existing credential - a passport.
You then use that credential to verify another - a PGP key.
The passport isn't used to verify the OpenPGP key. The passport is used to
verify *identity*. The key fingerprint is used to verify the OpenPGP key.
A signature is a statement of I
On Sat, Mar 13, 2010 at 11:40 AM, Robert J. Hansen r...@sixdemonbag.org wrote:
You have an existing credential - a passport.
You then use that credential to verify another - a PGP key.
The passport isn't used to verify the OpenPGP key. The passport is used to
verify *identity*. The key
On Sat, Mar 13, 2010 at 11:30 AM, Robert J. Hansen r...@sixdemonbag.org wrote:
There's no way I could be trained enough to
recognize spoofing of the latter kind even at a keysigning party.
A serious question here -- have you considered writing Immigration and
Customs Enforcement or the
I'm a little confused as to how does that make it any different from using
the Pidgin OTR method.
It's a question of degree, not kind.
I simply open up an OTR session, ask my friend a question the answer to which
is secret (only known to him)
How do you know the secret is known only to
I'm a user of Pidgin with the off-the-record plugin:
http://www.cypherpunks.ca/otr/help/3.2.0/levels.php?lang=en
http://www.cypherpunks.ca/otr/help/3.2.0/authenticate.php?lang=en
In order to use GPG based email encryption properly, it's important for
users to authenticate with each other
On 3/11/2010 12:20 AM, erythrocyte wrote:
But what if there was no way to meet in person, make a phone call or a
VoIP call. I was wondering if using Pidgin with the OTR plugin (and
authenticating the OTR session using the Q&A method; see above link)
could be considered a secure channel to
On 3/12/2010 10:54 AM, Doug Barton wrote:
Secure in this context is a relative term. (Note, I'm a long time user
of pidgin+OTR and a longer-time user of PGP, so I'm actually familiar
with what you're proposing.) If you know the person you're IM'ing well
enough, you can do a pretty good job of