Subject: Running PGP on Netcom (and Similar)

From: [email protected] (Timothy C. May)
To: [email protected]
Cc: [email protected] (Timothy C. May)

>> Note that had Mr. De Payne been using PGP on Netcom, with his secret
>> key stored there, the cops would have it. (The passphrase maybe not,
>> depending on whether he stored _that_ there, too. And whether Netcom
>> had logs of keystrokes entered, which strikes me as something they
>> would probably have--we really need a "zero knowledge" kind of
>> "reach-back" for remotely-run PGP.)

Never mind the keystroke logs, if his line was wiretapped they have all
of the keystrokes coming in and going out. Get his secret keyring from
Netcom and they could monitor his communications without a problem.

>> I just don't think the dangers are worth it. All the theoretical hot
>> air about whether keystroke timings are "random enough" is moot if
>> Netcom is turning over records to investigators.
>> It creates a dangerous illusion of security.

What illusion of security? If I have my secret keyring residing someplace
where I can't physically control who has access to it, no way is this
keyring secure!! It goes against the definition of a secret. Once you tell
someone a secret, it no longer is a secret. In effect this person has told
Netcom his secret, therefore it no longer is a secret. Just because you're
paranoid, doesn't mean they're not out to get you. Be paranoid!!

>> (For those with no home machines, and perhaps those who mainly use
>> campus services, work stations, etc., I'm not faulting you; people use
>> what they have to use. Longer term, though, PGP needs to run on secure
>> hardware. Secure meaning not easily grabbed by the authorities without
>> even one's knowledge!!)

This just goes to prove that no matter how secure the crypto system is, if
it is implemented in an insecure way, the whole system is compromised. If
you are using a "One Time Pad" to communicate with someone and you make an
extra set of pages and give them to someone that you really don't know and
trust (Netcom), no way can you call this secure. Even though most will
agree that the "One Time Pad" is the most secure crypto system, it is being
implemented in an insecure way hence it is insecure.

  Fido: Sam Kaplin  1:282/1018           | "...vidi vici veni" - Overheard
  Compuserve: 75240,131                  | outside a Roman brothel.
  [email protected]         |
  75240,[email protected]               | Change is the only constant in the
 For confidential communications use PGP | Universe..."Four quarters, please."