PGP flaw found by Czech firm allows dig sig to be forged

Morlock Elloi morlockelloi at yahoo.com
Thu Mar 22 21:56:31 PST 2001


>Okay. What was PGP's threat model again?  I'd have sworn that this
>was squarely outside it.
>
>As far as I can tell, *NOBODY* offers security tools that offer real
>protection in the event your opponent has physical access to the
>machine.

BO, trojans, http tunnelling and similar are really not rocket science
these days. 99% of sheeple machines are vulnerable. This is a perfectly
valid and real attack. Not on my machines and probably not on yours -
that does not make any difference.

This is just another data point supporting secure devices insulated
from microshit OS, java and wintels in general. Running PGP in the
environment where attachment execution and/or java and/or activex are
tolerated does not make any sense.

And *THERE ARE* tools that offer real protection. Look up iButtons
running RSA and holding the secret key. If it's not sold in Walmart
that doesn't mean it doesn't exist.








More information about the cypherpunks-legacy mailing list