Open Source and information security mailing list archives
Date: Wed, 15 Mar 2006 16:00:33 -0500
From: <obnoxious@...h.com>
To: <bugtraq@...urityfocus.com>, <mibsoft@...software.com>
Subject: Re: GnuPG weak as one guy with a spare laptop.



What is your point exactly? How secure are Verisign, Thawte or
anyone else's servers outside of them just stating "We take X
precautions"? Look at just about all of the top companies,
Microsoft, Sun, Yahoo, Citibank. They've all been hit at some point
because "X" wasn't secure. Right now I could register at
Comodogroup.com for a free signing cert for email. It means
nothing. Servers storing keys mean little since there is no
authority body to verify the validity of a security claim. So your
point is moot.

http://www.schneier.com/paper-pki-ft.txt

On Tue, 14 Mar 2006 12:50:54 -0500 "Forrest J. Cavalier III"
<mibsoft@...software.com> wrote:
>"A chain is only as strong as its weakest link."
>
>When I get the GnuPG distribution from the non-secure http://gnupg.org (or a
>https://gnupg.org with a CAcert.org certificate) I get a distribution signed by
>Werner Koch's key issued one day after the previous signing key expired
>2006-01-01.
>
>The previous expired GnuPG signing key has 160 signatures on the MIT keyserver.
>
>The new key is signed by Werner Koch's own certification key, and that's it.
>
>How secure is that certification key?  When I finger wk@...code.com (another
>insecure protocol) I get a keyblock.  Above the keyblock is some text which
>includes this sentence:
>
>    "The primary key is stored at a more or less secure place and only used on a
>     spare laptop which is not connected to any network."
>
>Can anyone estimate the incredible value of the communications and storage
>relying on software signed by that one guy with a "spare laptop in a more or
>less secure place"?
>
>One human being, vulnerable, fallible.  Can he be bought, blackmailed, coerced?
>Hit by a bus?
>
>Can this situation be improved?  I say yes.
>
>Maybe your company has never funded volunteer developers.  Maybe you asked, and
>found you don't do "donations."  Maybe you are just a single-person consulting
>business.
>
>Before last year, I had never paid anyone for all this great free beer.
>
>But last year I landed a contract that included the need to do secure code
>distribution automatically.  I could never have done it without calling OpenSSL
>libraries.  So, I used paypal to pay one of the lead developers of OpenSSL to do
>a code review.  We easily settled on a contract amount that gave me a great code
>review.  It was well worth it.  Fully tax deductible for me as a business
>expense.
>
>But the community got something too.
>
>As mutually agreed ahead of time, the developer got paid more than his straight
>regular consulting rate.  Now he could have kept that as a fat contract, and
>moved on.  But from his perspective, he covered his costs, and then looked at
>the "extra" as compensation for general OpenSSL improvements to benefit the
>whole community.
>
>This may be a way you can convince your company to fund volunteer developers
>too.  If a couple of users a week did that, wouldn't Werner Koch and colleagues
>put some effort towards making stronger weakest links?  Wouldn't all of us
>benefit?
>
>Now back to this weakest link.  Do Werner Koch and colleagues have a Paypal
>account or other verified way of receiving electronic payments easily?
