PGP flaw found by Czech firm allows dig sig to be forged

Ray Dillinger bear at sonic.net
Fri Mar 23 20:38:02 PST 2001




>BO, trojans, http tunnelling and similar are really not rocket science
>these days. 99% of sheeple machines are vulnerable. This is a perfectly
>valid and real attack. Not on my machines and probably not on yours -
>that does not make any difference.
>
>This is just another data point supporting secure devices insulated
>from microshit OS, java and wintels in general. Running PGP in the
>environment where attachment execution and/or java and/or activex are
>tolerated does not make any sense.

I want a laptop where someone could take out the disk platters, 
scan them with an STM, do every "reconstruction" trick known to 
humankind, and still not be able to tell basic things like how 
much of the drive is in use or what operating system is installed.
 
To use it, you would have to enter the correct passphrase on 
bootup (256 characters would be about the shortest maximum 
passphrase length that would be worthwhile) for the BIOS to 
make into a key to encrypt the drive writes and decrypt the 
drive reads.  

The drive encryption would have to be handled purely in 
hardware on the HD controller, specifically so that there 
is NO WAY for software running on the box to get around it. 
Every write and Every read.  

And finally, it would have to have some kind of tamperproof 
keyboard -- no place to install hardware key loggers.

I think that's about the bare minimum for a theft-secure 
machine. (A machine which can be stolen without you having 
to worry about someone else getting the data on it). 

Network security, if you hook it up to a network, is a separate 
and more complex problem, but I think that it *is* possible to 
make a theft-secure machine.

			Bear




