Recommendations for handling (multiple) user IDs - personal and company ones
Henry Hertz Hobbit
hhhobbit at securemecca.net
Mon Jun 10 08:23:52 CEST 2013
On 06/10/2013 03:14 AM, Hauke Laging wrote:
<SNIP>
What a mouthful. I shortened it to those things most relevant
to me. My keys are NOT part of the WoT due mostly to nobody
around my home having OpenPGP keys. I would say that I have
a higher option that you do of the Wot when contrasted with
one SSL licensing authority after another being compromised
very badly.
>> The end result? decades of cleartext e-mail, long after we had
>> the tools to do better :(
I don't know quite what you mean by the tools. But I would love the
requirement of some sort of secure token from an SMTP server trying
to attach to another SMTP server. That would slow PeskySpammer from
filling my email box with messages where the sending SMTP server is
running on a hacked Windows PC. Actually it would stop it altogether
until PeskySpammer figured out a work-around. Yes, I know, we have tons
of hacked SSL certs on web-sites. But it would at least slow things
down a little bit. But the big problem isn't technical. It is as
expressed by one Unix / Linux Admin that I trust "not worth the effort."
There is a massive sense of futility that we cannot solve the problem
and thus no new RFC on email. Trust me on this one. My other POP email
account can no longer send except through the web-mail account (maybe
that has gone down too) because it is being blocked by something that
has gone wrong. That something that has gone wrong may be the NSA or
the FBI after my comment in the Washington Post on Prism. Can it be
fixed? Yes if it is my current POP / IWSP that is causing the problem.
But it can be done only by moving from my current IWSP to a new smaller
IWSP that will accept input and be able to hack a temporary fix. But
what is needed is a complete revamping on how email works including
a new RFC and some way to reduce spam to a trickle and nobody but me
wants it. You did see the spam in our mail chutes yesterday morning
didn't you? They also sent it to the wireshark group and several
others. I will be blocking not the host in the message but the host
that it led to that had whois information that was bogus.
> The reason hardly anybody uses crypto is not that its usage was
> complicated (I know, I a minute Rob will post his usability study
> link and ask for my sources...). It isn't. Not the basic operations
> if you have a working configuration. And for the rest the users can
> ask for help.
>
> The reason that most people do not use crypto is the most trivial
> one: They don't think they need it.
That isn't it at all. One of the people commenting on the Prism
article at the Washignton Post said OpenPGP IS too complicated.
It certainly isn't very easy for most people and I have even
observed engineers struggling to use OpenPGP. I had a person
that stupidly thought they could email me bad host names through
their Yahoo web-mail account. Yahoo blocked their send. I have
even run tests where I am the only person that had a particular
hostname in their block-list and Yahoo even blocked those messages.
That would be admirable if I got my names from email. I didn't.
I got them from stabbed in links on vulnerable web servers. Even
after I tried to get him to zip them with 7-Zip using the AES-128
encryption cipher he just wouldn't do it. A current person is
using WinRAR exe installers and dumbly thought he could just send
the EXE file as an attachment in email. He finally encrypted it
with rar's simple cipher. Sure, you and others could decipher it
easily but that was enough to get an email's virus-scanner to
leave it alone. At least he listened to me and didn't use zip
which was banned because of the ever-expanding zips. Now he has
the problem of false detects due to using the WinRAR installer.
I told him to shift to using Inno Setup. You do that and the
problems go away, especially with a "Legal Copyright" string.
The problem is more serious than whether they think they need any
encryption or not. THEY HATE THE IDEA OF USING ENCRYPTION! My
sig says it all and is attached manually because it really does
show what the real problem is now. People including even the
Computer Scientists are totally unable to think any more.
Even the knowledge that PRISM is snooping into everything
won't cause them to change. Why not? They are using Facebook,
Twitter and other social services to broadcast everything they
do now anyway. That is a sure sign that enciphering is not wanted.
But encryption isn't just enciphering. It also includes signing.
I would love for them to send me messages that are signed,
especially if we exchanged the keys by hand. So why do they
hate using encryption? It takes too much work. Unless they are
forced to use encryption by somebody else, than dammit all to
hell they are NOT GOING TO USE IT. They also trust the privacy of
their email messages implicitly despite the fact that they use
web-mail. Me? I am rather suspicious but I had a half-sister
(blessed) that worked at Arlington Hall. The latest for me was
an email message from somebody that used the Latin name for his
eail account that was the equivalent of "one man army"
(exercitussolus - two words contracted together) and his sig was
even more entertaining: "Fortuna audaces adiuvat -- hos solos ?"
Roughly translated that is "Fortune favors the bold - only these?"
OOPS. I am now condemned for thinking and will be taken out and
summarily shot.
HHH
---
Gnome 3, Ubuntu Unity, Windows 8 - poor iPhone GUI on Desktop
Thinking has been suspended indefinitely.
Anybody caught thinking will be immediately shot!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 555 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20130610/1f6895b8/attachment.sig>
More information about the Gnupg-users
mailing list