Re: all xterms
On Wed, 3 Nov 1999, Tomasz Wegrzanowski wrote:
> On Wed, Nov 03, 1999 at 12:55:40PM -0500, Daniel Burrows wrote:
> > Uh, yes you can check signatures. Just tell it where to look.
>
> Sorry for this example, but my soul is dark and full of criminal ideas.
> Example:
>
> 1)
> *EVIL CRACKER* does
> `which pgp'
> `which gpg'
> `cat /etc/Muttrc|grep p?gpg?'
> and a few tests more
> now he knows what to do
>
> 2)
> admin has someone's key and uses mutt
>
> 3)
> *EVIL CRACKER* sends him a mail from someone the admin knows well
> with fake info. This mail is signed with *A WRONG KEY*
>
> 4)
> there is a >50% chance that the admin won't bother to check mail by
> pgp from the command line. Most of them have the motto
> 'I will fix it tomorrow' (here: it = mutt) and believe that if someone
> signed mail it is validly signed
NO.
The admin has the correct path to pgp or gpg in his .muttrc. So it gives
him the 'bad key' error.
>
> 5)
> he uses the wrong info and makes a security hole
>
> 6)
> *EVIL CRACKER* exploits this hole
>
> This will need a good expert on social engineering and some luck
> but it is a *little* security hole
I disagree
/----------------+-------------------------------+---------------------\
| Jelibean aka | jules@jellybean.co.uk | 6 Evelyn Rd |
| Jules aka | jules@debian.org | Richmond, Surrey |
| Julian Bean | jmlb2@hermes.cam.ac.uk | TW9 2TF *UK* |
+----------------+-------------------------------+---------------------+
| War doesn't demonstrate who's right... just who's left. |
| When privacy is outlawed... only the outlaws have privacy. |
\----------------------------------------------------------------------/
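An added example, not part of the thread: the `--status-fd` output of gpg (the tool mutt runs behind its signature check) separates the cases the thread runs together: a signature that is cryptographically good but made with a key that is not trusted for the sender's identity (the "wrong key" of step 3), a signature that does not match the message, and a signature that cannot be checked at all. The status-line format is modern gpg's and is an assumption here; the sample outputs, names and key ids are constructed.

```python
import re

# gpg --status-fd lines look like "[GNUPG:] KEYWORD args"; anything else is noise.
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def parse_status(output):
    """Return (keyword, args) pairs from gpg status output, skipping non-status lines."""
    records = []
    for line in output.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            records.append((m.group(1), m.group(2) or ""))
    return records


def classify(output):
    """Map gpg status output to a verdict the reader of the mail can act on."""
    keywords = {kw for kw, _ in parse_status(output)}
    if "BADSIG" in keywords:
        return "tampered"             # signature does not match the message body
    if "GOODSIG" not in keywords:
        if keywords & {"NO_PUBKEY", "ERRSIG"}:
            return "unverifiable"     # no key to check against: says nothing about the sender
        return "error"                # no signature status at all: treat as unverified
    if keywords & {"TRUST_FULLY", "TRUST_ULTIMATE"}:
        return "trusted"              # good signature AND key trusted for that identity
    # GOODSIG with TRUST_UNDEFINED/NEVER/MARGINAL: the "signed, so it must be fine" trap.
    return "valid-but-untrusted"


# Constructed sample outputs (not real captures); key ids and user ids are made up.
SAMPLES = {
    "colleague": "[GNUPG:] NEWSIG\n"
                 "[GNUPG:] GOODSIG 0123456789ABCDEF Admin Friend <friend@example.org>\n"
                 "[GNUPG:] TRUST_FULLY 0 pgp\n",
    "impostor":  "[GNUPG:] NEWSIG\n"
                 "[GNUPG:] GOODSIG FEDCBA9876543210 Admin Friend <friend@example.org>\n"
                 "[GNUPG:] TRUST_UNDEFINED 0 pgp\n",
    "tampered":  "gpg: Signature made Wed Nov  3 12:55:40 1999\n"
                 "[GNUPG:] BADSIG 0123456789ABCDEF Admin Friend <friend@example.org>\n",
    "unknown":   "[GNUPG:] ERRSIG FEDCBA9876543210 1 8 00 941651740 9\n"
                 "[GNUPG:] NO_PUBKEY FEDCBA9876543210\n",
}

if __name__ == "__main__":
    for name, out in SAMPLES.items():
        print(f"{name:10s} -> {classify(out)}")
```

Only "trusted" means the mail came from the key holder the reader expects; the "impostor" case verifies cleanly yet proves nothing about who sent it.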