Re: all xterms
On Wed, Nov 03, 1999 at 08:12:11PM +0000, Jules Bean wrote:
> On Wed, 3 Nov 1999, Tomasz Wegrzanowski wrote:
>
> > On Wed, Nov 03, 1999 at 12:55:40PM -0500, Daniel Burrows wrote:
> > > Uh, yes you can check signatures. Just tell it where to look.
> >
> > Sorry for this example, but my soul is dark and full of criminal ideas.
> > Example:
> >
> > 1)
> > *EVIL CRACKER* does
> > `which pgp'
> > `which gpg'
> > `cat /etc/Muttrc|grep p?gpg?'
> > and a few tests more
> > now he knows what to do
> >
> > 2)
> > admin has someone's key and uses mutt
> >
> > 3)
> > *EVIL CRACKER* sends him a mail from someone the admin knows well
> > with fake info. This mail is signed with *A WRONG KEY*
> >
> > 4)
> > there is a >50% chance that the admin won't bother to check mail by
> > pgp from the command line. Most of them have a motto of
> > 'I will fix it tomorrow' (here: it = mutt) and believe that if someone
> > signed mail it is validly signed
>
> NO.
>
> The admin has the correct path to pgp or gpg in his .muttrc. So it gives
> him the 'bad key' error.
So there is a HUGE hole between admins in Poland and in your country.
Here the majority of admins ...(fill blanks yourselves, cause I don't want to flame)
> >
> > 5)
> > he uses the wrong info and makes a security hole
> >
> > 6)
> > *EVIL CRACKER* exploits this hole
> >
> > This will need a good expert on social engineering and some luck
> > but it is a *little* security hole
>
> I disagree
Ok, sorry, but I'm sure there are crackers using similar methods
(two programs that don't cooperate well plus admin's laziness)