Re: Challenge-response mail filters considered harmful

> From kirk@strauser.com Mon Aug  4 12:45:09 2003
> At 2003-08-04T17:41:37Z, Alan Connor <alanc@kanga.honeypot.net> writes:
> Hello, alanc@kanga.  ;-)


> > Funny. I know someone who has 2 of those PGP signatures things, neither of
> > which use his real name or stats.
> What makes you think that my real name is Kirk Strauser?

Don't know and don't care. I assess you by the quality of your posts. If
I NEEDED to verify your identity, I would hire a multi-national personal
investigation firm.

> > He can prove that he is someone he isn't.
> That's kind of irrelevant.  What he *can* prove with certainty is that all
> of his posts originate from the same entity. 

The same interface? The same machine? The same geographical location?

What does "entity" mean?

This fellow is more than a little paranoid ( sorry, Mr. X :-) and I'm pretty
sure the NSA would have to work hard at finding him. Radio links are involved.
.......Yeh. I think it's cool to say that.

> In the same way, I could be
> Becky Smith using an alias.  Regardless of my real identity, you know that
> any post with my signature was written by *me*.

That has no meaning to me. What if I were to just copy all of that garbage
on your posts? Wouldn't people then think I was you?

> If you trust this
> representation, do you really care if there's an exact correlation to a
> real-world identity?

Don't trust it for one second. Don't believe that corporations and the
government can't decode PGP.

Am inclined to think that anyone using PGP signatures is in fact someone else.

*I* wouldn't even consider using PGP signatures.

My friend posts here under two different identities. So what is the point?

> > This fellow isn't even a particularly skilled hacker.
> No hacking (of either definition) required.  :)
> > He posts on THIS list, which is the source of my amusement.
> Do you know how easy it is, Alan, to create a new persona?  Particularly if
> you have control over a mailserver so that you can create an infinite number
> of real-looking accounts?

I exchange encoded mails with a couple of people. We use complex one-time
pads with the originals delivered by hand and kept VERY well hidden. The
en/de-coding is done in a ramdisk on a computer that is never connected
to the internet and sits in a tiny shielded room. (go Debian)
( this is commercial/proprietary stuff ).

I KNOW that those communications are secure.

PGP is a farce, in my opinion. I think the government and the corporations,
(as if there was a difference....) have a lot of people fooled.

And I STILL think those signatures are good for nothing but making your
posts hard to read and wasting bandwidth.
