PGP flaw found by Czech firm allows dig sig to be forged

Lutz Donnerhacke lutz at iks-jena.de
Fri Mar 23 00:05:39 PST 2001


* Morlock Elloi wrote:
>BO, trojans, http tunnelling and similar are really not rocket science
>these days. 99% of sheeple machines are vulnerable. This is perfectly
>valid and real attack. Not on my machines and probably not on yours -
>that does not make any difference.

Exactly. Furthermore, overclocked customer machines make it just more likely
to attack a PGP key using failure analysis ("Bellcore attack" in German
smartcard hacking lingo). So urge the implementors to protect against
computing errors as well.

IMNSHO the PGP paradigm to expect locally written data to be unmodified on
later read was attacked. Phil cannot be sued for this paradigm because he
developed for DOS. PGP Inc might be suable because they extended the model
to other OS. I can be sued because I forgot it as well while adapting the
source to PKI needs.

PGP2.6.3(i)n has the necessary fixes.
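As an added illustration (not code from this list or from PGP itself), a toy signer in Python applying the two measures the reply calls for: it refuses a stored private key that differs from what was written, and checks every signature against the public key before releasing it, so a computation error of the "Bellcore" kind is caught instead of output. The primes, MAC key and messages are constructed for the example.

```python
"""Toy RSA-CRT signer with two defensive checks: integrity of the stored
private key before use, and verification of every signature before release.
Constructed example: parameters are tiny and must not be used as a real key."""
import hashlib
import hmac
import json

E = 65537  # public exponent


def make_key_file(p, q, mac_key):
    """Serialise the private key together with a MAC over the stored bytes,
    so that any later modification of the file is detected on load."""
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)
    body = json.dumps({"p": p, "q": q, "d": d, "n": p * q}).encode()
    tag = hmac.new(mac_key, body, hashlib.sha256).hexdigest()
    return body + b"\n" + tag.encode()


def load_key_file(blob, mac_key):
    """Reject the key unless the MAC still matches what was written."""
    body, tag = blob.rsplit(b"\n", 1)
    expected = hmac.new(mac_key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("private key file modified since it was written")
    return json.loads(body)


def digest_mod_n(key, msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % key["n"]


def sign_crt(key, msg, fault=0):
    """CRT signature (Garner recombination). `fault` is XORed into the
    mod-p half to simulate a glitch or a corrupted key during computation."""
    m = digest_mod_n(key, msg)
    p, q, d, n = key["p"], key["q"], key["d"], key["n"]
    sp = pow(m, d % (p - 1), p) ^ fault
    sq = pow(m, d % (q - 1), q)
    qinv = pow(q, -1, p)
    s = (sq + q * (((sp - sq) * qinv) % p)) % n
    # Verify with the public key before releasing: a signature produced by a
    # faulty half-computation must never leave the signer.
    if pow(s, E, n) != m:
        raise RuntimeError("signature failed self-check; withholding output")
    return s


def verify(key, msg, s):
    return pow(s, E, key["n"]) == digest_mod_n(key, msg)
```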
