[freenet-support] Re: Getting rid of the last central point of failure

> Date: Mon, 18 Nov 2002 08:51:05 -0800
> To: [EMAIL PROTECTED]
> From: [EMAIL PROTECTED]
>
> > You can, of course, revoke signatures with GPG without a problem and then
> > sign the distributions with it (at least as a detached signature). The
> > installer could offer to check that signature by calling GPG, but this is
> > highly insecure (as anyone who replaced the binary would forge the call).
> > What you really want is for people to check the signature themselves
> > (with GPG/PGP).
>
> Yes, that's excellent from a corporate perspective, since the more areas you
> leave for the l'users, your customers, to fuck up, the less liability you
> have. However, in an open, for the most part volunteer, project such
> liability and profit concerns do not arise, so for that reason the
> developers can afford to design systems to protect the l'user from their own
> incompetence; such systems are necessary if one cares to attempt to offer
> security and anonymity rather than create opportunities to destroy it.

Your complete lack of grammar and ability to express yourself coherently is somewhat distressing, but I'll reply nonetheless.

My comment had nothing to do with liability; in fact I do security consulting for individuals and businesses. I am not a lawyer, and do not care about liability issues in this type of arena.

The problem that arises with digitally signed binaries is that the signature checking system _must not_ be distributed with the binaries to be checked, and the signatures or signator keys _must_ be available out of band.

If the binaries are signed and come with a detached signature, any user can double-click the signature file and receive a PGP/GPG message asking if they wish to check the signature. The installer can easily come with the instructions to check the signatures, as well as a short commentary on why this is important for the security of their file store and the project as a whole.

The binaries, however, must be assumed to be untrusted and untrustable for the sake of such a discussion, and as such, only the method I described keeps the user from receiving a message such as 'signature checks out' when in fact the image they received was either tainted or damaged.

Feel free to reply with a full discussion / reasoning behind your wanting to do things any differently for this (preferably technical) and I'll listen. There is no reason _not_ to distribute detached signatures for each of the installer and/or JAR images. Signed JAR files are also possible and checkable with IE or Mozilla for that matter. Please do some research ...

--
Michael T. Babcock
CTO, FibreSpeed Ltd. (Hosting, Security, Consultation, Database, etc)
http://www.fibrespeed.net/~mbabcock/

___
support mailing list
[EMAIL PROTECTED]
http://hawk.freenetproject.org/cgi-bin/mailman/listinfo/support
Re: [freenet-support] Re: Getting rid of the last central point of failure

On Fri, Nov 22, 2002 at 08:42:29AM -0500, Michael T. Babcock wrote:
> > Date: Mon, 18 Nov 2002 08:51:05 -0800
> > To: [EMAIL PROTECTED]
> > From: [EMAIL PROTECTED]
> >
> > > You can, of course, revoke signatures with GPG without a problem and
> > > then sign the distributions with it (at least as a detached signature).
> > > The installer could offer to check that signature by calling GPG, but
> > > this is highly insecure (as anyone who replaced the binary would forge
> > > the call). What you really want is for people to check the signature
> > > themselves (with GPG/PGP).
> >
> > Yes, that's excellent from a corporate perspective, since the more areas
> > you leave for the l'users, your customers, to fuck up, the less liability
> > you have. However, in an open, for the most part volunteer, project such
> > liability and profit concerns do not arise, so for that reason the
> > developers can afford to design systems to protect the l'user from their
> > own incompetence; such systems are necessary if one cares to attempt to
> > offer security and anonymity rather than create opportunities to destroy
> > it.
>
> Your complete lack of grammar and ability to express yourself coherently is
> somewhat distressing, but I'll reply nonetheless.
>
> My comment had nothing to do with liability; in fact I do security
> consulting for individuals and businesses. I am not a lawyer, and do not
> care about liability issues in this type of arena.
>
> The problem that arises with digitally signed binaries is that the
> signature checking system _must not_ be distributed with the binaries to be
> checked, and the signatures or signator keys _must_ be available out of
> band.

Signatures require:
a) that somebody checks THE WHOLE SOURCE for trojans. This will take weeks and therefore will never happen.
b) that we can keep the private key secure. This is unlikely.

> If the binaries are signed and come with a detached signature, any user can
> double-click the signature file and receive a PGP/GPG message asking if
> they wish to check the signature. The installer can easily come with the
> instructions to check the signatures, as well as a short commentary on why
> this is important for the security of their file store and the project as a
> whole.
>
> The binaries, however, must be assumed to be untrusted and untrustable for
> the sake of such a discussion, and as such, only the method I described
> keeps the user from receiving a message such as 'signature checks out' when
> in fact the image they received was either tainted or damaged.
>
> Feel free to reply with a full discussion / reasoning behind your wanting
> to do things any differently for this (preferably technical) and I'll
> listen. There is no reason _not_ to distribute detached signatures for each
> of the installer and/or JAR images. Signed JAR files are also possible and
> checkable with IE or Mozilla for that matter. Please do some research ...

Signed JAR files go through Verisign. That is not good.

> --
> Michael T. Babcock
> CTO, FibreSpeed Ltd. (Hosting, Security, Consultation, Database, etc)
> http://www.fibrespeed.net/~mbabcock/

--
Matthew Toseland
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Freenet/Coldstore open source hacker.
Employed full time by Freenet Project Inc. from 11/9/02 to 11/1/03
http://freenetproject.org/
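Babcock's requirement that the checking tool and the signer key come from outside the download, and Toseland's worry about the signing key, both come down to what the user's own gpg is told to trust; the script below is an added example, not Freenet project code. It verifies a detached signature with an independently installed gpg, an isolated keyring, and a fingerprint pinned from an out-of-band source (PINNED_FPR is a placeholder), and accepts only a VALIDSIG status line naming that fingerprint.

```shell
#!/bin/sh
# Added example (not Freenet project code). Verify a detached signature on a
# downloaded installer or JAR with a gpg that was installed independently of
# the download, trusting only a signer fingerprint obtained out of band.

# Placeholder: replace with the release signer's 40-hex-digit fingerprint,
# copied from an out-of-band source, never from the archive being checked.
PINNED_FPR="0000000000000000000000000000000000000000"

# Read gpg --status-fd lines on stdin. Return 0 only if a VALIDSIG line names
# the expected fingerprint. GOODSIG alone is not enough: any key present in the
# keyring yields GOODSIG, so a swapped key would still "check out".
check_status() {
    expected="$1"
    found=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG $expected "*) found=0 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NODATA "*) return 1 ;;
        esac
    done
    return "$found"
}

# Verify $2 (detached .sig/.asc) over $1 using an isolated keyring ($3) that
# holds only the pinned key, so nothing in ~/.gnupg can vouch for the file.
verify_detached() {
    file="$1"; sig="$2"; keyring="$3"
    gpg --batch --no-default-keyring --keyring "$keyring" --status-fd 1 \
        --verify "$sig" "$file" 2>/dev/null | check_status "$PINNED_FPR"
}

# Usage (only when run directly with three arguments):
#   verify.sh installer.jar installer.jar.sig release-keyring.gpg
if [ "$#" -eq 3 ]; then
    if verify_detached "$1" "$2" "$3"; then
        echo "signature by pinned key verified: $1"
    else
        echo "VERIFICATION FAILED: $1" >&2
        exit 1
    fi
fi
```

The keyring passed as the third argument should be built once from the out-of-band key material, so a key bundled inside the download never enters it.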
Re: [freenet-support] Re: Getting rid of the last central point of failure

On Fri, 22 Nov 2002 06:41:59 -0800 Matthew Toseland [EMAIL PROTECTED] wrote:
> On Fri, Nov 22, 2002 at 08:42:29AM -0500, Michael T. Babcock wrote:
> > > Date: Mon, 18 Nov 2002 08:51:05 -0800
> > > To: [EMAIL PROTECTED]
> > > From: [EMAIL PROTECTED]
> > >
> > > > You can, of course, revoke signatures with GPG without a problem and
> > > > then sign the distributions with it (at least as a detached
> > > > signature). The installer could offer to check that signature by
> > > > calling GPG, but this is highly insecure (as anyone who replaced the
> > > > binary would forge the call). What you really want is for people to
> > > > check the signature themselves (with GPG/PGP).
> > >
> > > Yes, that's excellent from a corporate perspective, since the more
> > > areas you leave for the l'users, your customers, to fuck up, the less
> > > liability you have. However, in an open, for the most part volunteer,
> > > project such liability and profit concerns do not arise, so for that
> > > reason the developers can afford to design systems to protect the
> > > l'user from their own incompetence; such systems are necessary if one
> > > cares to attempt to offer security and anonymity rather than create
> > > opportunities to destroy it.
> >
> > Your complete lack of grammar and ability to express yourself coherently

Dear, dear. I bullshit for a living but have arrived at a point where I do whatever I find fun and entertaining, but specialize in teen-parent psych, so I only spell check when I'm paid to.

> > is somewhat distressing, but I'll reply nonetheless.

Yes, it's also effective bait for the anal retentive.

> > My comment had nothing to do with liability; in fact I do security
> > consulting for individuals and businesses. I am not a lawyer, and do not
> > care about liability issues in this type of arena.

It's not the point. Rats running corporate mazes, or any maze, soon forget the walls form their behavior, but from a usability perspective Freenet right now has enough ways in configurable options to really screw yourself up and perhaps the nodes around you. The most common really dumb thing I've seen, and MS walks them right into it, is people putting everything they ever see or touch on their desktop. Consider how bad the computer-literate user really is; offering another really great way to screw themselves isn't a good idea. The level Freenet requires now is: if you can rebuild a carburetor without a manual you can run Freenet. The ideal is more like "press play" than crash courses in encryption technology and techniques. Fine if it's to remain a protocol for motivated Unix geeks, Chinese dissidents, terrorists, thieves and pornographers with technical experience; that's laudable alone, but with the recent P/R it was found people couldn't determine their own IP. So the objection was the general direction; let the experts hammer out the hows and why.

However, if you're having problems with your teens I'll be glad to take 60 to 100 grand off ya. My favorite trick to gain confidence is to tell 'em they're fine, their parents are fucked, and here's the papers to involuntarily commit them to the nearest county facility. Never failed yet to make them feel comfortable and empowered.

> > The problem that arises with digitally signed binaries is that the
> > signature checking system _must not_ be distributed with the binaries to
> > be checked, and the signatures or signator keys _must_ be available out
> > of band.
>
> Signatures require:
> a) that somebody checks THE WHOLE SOURCE for trojans. This will take weeks
> and therefore will never happen.
> b) that we can keep the private key secure. This is unlikely.
>
> > If the binaries are signed and come with a detached signature, any user
> > can double-click the signature file and receive a PGP/GPG message asking
> > if they wish to check the signature. The installer can easily come with
> > the instructions to check the signatures, as well as a short commentary
> > on why this is important for the security of their file store and the
> > project as a whole.
> >
> > The binaries, however, must be assumed to be untrusted and untrustable
> > for the sake of such a discussion, and as such, only the method I
> > described keeps the user from receiving a message such as 'signature
> > checks out' when in fact the image they received was either tainted or
> > damaged.
> >
> > Feel free to reply with a full discussion / reasoning behind your wanting
> > to do things any differently for this (preferably technical) and I'll
> > listen. There is no reason _not_ to distribute detached signatures for
> > each of the installer and/or JAR images. Signed JAR files are also
> > possible and checkable with IE or Mozilla for that matter. Please do some
> > research ...
>
> Signed JAR files go through Verisign. That is not good.
>
> > --
> > Michael T. Babcock
> > CTO, FibreSpeed Ltd. (Hosting, Security, Consultation, Database, etc)
> > http://www.fibrespeed.net/~mbabcock/
>
> --
> Matthew Toseland
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> Freenet/Coldstore open source hacker.
> Employed full time by Freenet Project Inc. from 11/9/02 to 11/1/03
> http://freenetproject.org/