Re: Challenge-response mail filters considered harmful
> From kirk@strauser.com Mon Aug 4 12:45:09 2003
>
>
>
> At 2003-08-04T17:41:37Z, Alan Connor <alanc@kanga.honeypot.net> writes:
>
> Hello, alanc@kanga. ;-)
>
:-)
> > Funny. I know someone who has 2 of those PGP signature things, neither of
> > which uses his real name or stats.
>
> What makes you think that my real name is Kirk Strauser?
>
Don't know and don't care. I assess you by the quality of your posts. If
I NEEDED to verify your identity, I would hire a multi-national personal
investigation firm.
> > He can prove that he is someone he isn't.
>
> That's kind of irrelevant. What he *can* prove with certainty is that all
> of his posts originate from the same entity.
The same interface? The same machine? The same geographical location?
What does "entity" mean?
This fellow is more than a little paranoid ( sorry, Mr. X :-) and I'm pretty
sure the NSA would have to work hard at finding him. Radio links are involved.
.......Yeh. I think it's cool to say that.
> In the same way, I could be
> Becky Smith using an alias. Regardless of my real identity, you know that
> any post with my signature was written by *me*.
That has no meaning to me. What if I were to just copy all of that garbage
on your posts? Wouldn't people then think I was you?
> If you trust this
> representation, do you really care if there's an exact correlation to a
> real-world identity?
>
Don't trust it for one second. Don't believe that corporations and the
government can't decode PGP.
Am inclined to think that anyone using PGP signatures is in fact someone else.
*I* wouldn't even consider using PGP signatures.
My friend posts here under two different identities. So what is the point?
> > This fellow isn't even a particularly skilled hacker.
>
> No hacking (of either definition) required. :)
>
> > He posts on THIS list, which is the source of my amusement.
>
> Do you know how easy it is, Alan, to create a new persona? Particularly if
> you have control over a mailserver so that you can create an infinite number
> of real-looking accounts?
>
I exchange encoded mails with a couple of people. We use complex one-time
pads with the originals delivered by hand and kept VERY well hidden. The
en/de-coding is done in a ramdisk on a computer that is never connected
to the internet and sits in a tiny shielded room. (go Debian)
( this is commercial/proprietary stuff ).
I KNOW that those communications are secure.
PGP is a farce, in my opinion. I think the government and the corporations,
(as if there was a difference....) have a lot of people fooled.
And I STILL think those signatures are good for nothing but making your
posts hard to read and wasting bandwidth.
Alan
--
For Linux/Bash users: Eliminate spam with the Mailbox-Sentry-Program.
See: http://tinyurl.com/inpd for the scripts and docs.
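
The question raised in the message above, whether a signature block copied from one post can be attached to another, worked through as an added example that is not part of the original thread. It uses textbook RSA over a SHA-256 digest rather than OpenPGP itself; the key (two Mersenne primes), the function names and the sample messages are constructed for illustration and are not suitable for real use.

```python
import hashlib

# Constructed demo key built from two Mersenne primes. Far too small and too
# structured for real use; it only keeps the arithmetic reproducible.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q                               # public modulus
E = 65537                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent, known to the signer only


def digest(message: bytes) -> int:
    """SHA-256 of the message, reduced into the range of the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes) -> int:
    """Signer side: needs the private exponent D."""
    return pow(digest(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Reader side: needs only the public values N and E."""
    return pow(signature, E, N) == digest(message)


def demo() -> dict:
    # Constructed sample posts.
    original = b"Regardless of my real identity, this post is mine.\n"
    other = b"A different post, written by someone else.\n"
    sig = sign(original)
    return {
        # The untouched post checks out against its own signature.
        "original": verify(original, sig),
        # The same signature pasted under a different post does not.
        "copied_onto_other_post": verify(other, sig),
        # Neither does the original post after a one-word edit.
        "original_after_edit": verify(original.replace(b"mine", b"his"), sig),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'INVALID'}")
```

The signature is a function of the message digest and the private key, so the check ties it to one exact text; what it does not establish is who holds the key, which is the separate question the thread is arguing about.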