
Re: Introducing newbies to encryption (was: Re: anonymous credit)



> It's absolutely true that nothing on a centralized Unix machine is truly 
> secure.  However, is abandoning all pretenses of crypto and security in 
> favor of holding out for a utopian ideal really the best solution?  Does 
> using encryption for email on multiuser machines actually hurt the cause 
> of the security community in the long run?
> 
> (I'm not asking rhetorical questions here -- I'm truly looking for some 
> thoughts on this.)

Since security is not binary (i.e. talking of secure and insecure is
nonsense.  You must talk of more or less secure.), you have to look at the
threats.  If you are sending email from a multi-user Unix machine, encrypting
it removes some threats (e.g. wiretapping) without adding any new threats.
(There is still the continuing parade of UNIX holes based on the C string
model.)

I would say that if users don't think they are safe, just think they are
a bit safer, then encrypting on a multi-user machine is a good thing because
it is more secure than not encrypting.  It is still less secure than a 
single-user system with Tempest shielding.

-----------------------------------------------------------------
Bill Frantz                   Periwinkle  --  Computer Consulting
(408)356-8506                 16345 Englewood Ave.
[email protected]             Los Gatos, CA 95032, USA