lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040923192139.GM12669@immunix.com>
Date: Thu, 23 Sep 2004 12:21:40 -0700
From: Seth Arnold <sarnold@...unix.com>
To: bugtraq@...urityfocus.com
Subject: Re: New whitepaper "The Phishing Guide"

On Thu, Sep 23, 2004 at 09:57:03AM -0500, Aleksandar Milivojevic wrote:
> Sometimes it's unbelivable how long it takes organizations to discover 
> that email can be signed.  Especially nowdays when all major mail 
> readers have support for at least S/MIME (and the really good ones have 
> support for at least PGP ;-) ).

DE09D78D
888D09A3
18C4ED82
DA081DD1
4CE06F00
CC3D9213
23BDC6F9

Methinks PGP is good for talking within friends, but perhaps trusting
communications from J. Random Corporation with PGP as your best means of
verification is a stretch. The Web Of Trust idea only takes you so far
in combating these problems -- I've heard anecdotal evidence that
someone has replicated the entire "Web Of Trust" graph with identical
uids on keys of EFF members. If one starts the search from the desired
key and searches until finding a plausible name, one is doomed. One must
return to one's own key -- AND have faith that everyone in the middle
played fairly.

http://www.internetnews.com/dev-news/article.php/721571

Even the best-known X.509 Certification Agency has made screwups
regarding one of the best-known publicly traded corporations. How hard
do you think it would be to get certificates for something that sounds
plausibly like a bank? Credit card company?

Cryptography is good at solving many problems. But it is not a magical
problem solver. End users still need to be educated. Your guess is as
good as mine if we'll make progress on the "don't give information to
people who ask for it" front. :)

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ