Re: all xterms
On Wed, Nov 03, 1999 at 12:55:40PM -0500, Daniel Burrows wrote:
> > > [2] Yes, if you have a small path (/bin:/usr/bin:/usr/local/bin) this isn't `
> > > likely to be a problem, but hardcoding the path will be equally secure on
> > > all setups including those with unholy default paths ;-).
> >
> > It wont be secure cause I wont be able to check signature's validity
> > if I install pgp to /usr/local/ or /opt/ or any else place in the $PATH
> > This is bad for security.
>
> Uh, yes you can check signatures. Just tell it where to look.
Sorry for this example, but my soul is dark and full of criminal ideas.
Example:
1)
*EVIL CRACKER* does
`which pgp'
`which gpg'
`cat /etc/Muttrc|grep p?gpg?'
and a few tests more
now he knows what to do now
2)
admin have someone's key and uses mutt
3)
*EVIL CRACKER* sends him a mail from someone admin knows good
with faken info. This mail is signed with *A WRONG KEY*
4)
there is >50% chance than admin wont bother to check mail by
pgp from command line. Most of them have motto of
'I will fix it tommorow'(here:it = mutt) and believe that if someone
signed mail it is validly signed
5)
he uses the wrong info and makes security hole
6)
*EVIL CRACKER* exploits this hole
This will need a good expert on social engeenering and some luck
but it is a *little* security hole
Reply to: