Was this a joke or was i ment to acutally take something from that? ...
or was it never leave your subkeys laying around? :P
On Wed, 2008-06-11 at 16:24 -0400, Scott Lambdin wrote:
> Good example of why you need subkeys.
>
> http://www.wsbtv.com/news/15847652/detail.html
>
>
> On 6/9/08, Sim
Oh, okay. Thank you for clearing that up; I tried searching and found
nothing close to addressing this.
Rick
--
Rick Valenzuela
photographer | reporter
+1 267 694 3642 | www.rickv.com
David Shaw wrote:
On Jun 11, 2008, at 3:38 PM, Rick Valenzuela wrote:
I just created a new primary key and
On Jun 11, 2008, at 3:38 PM, Rick Valenzuela wrote:
I just created a new primary key and subkeys, and uploaded them to
keyservers. Then I exported my public key in ascii-armor, and copied
that file to my website. I noticed that the very last few characters
were different from what the keyservers
On Wed, Jun 11, 2008 at 08:11:36PM -0400, Faramir wrote:
> michael graffam escribió:
>
> >> Or turn on typescript by default.
> >
> >
> > Doesn't save GPG passphrases.
>
> Is typescrit some sort of keylogger? If it is, I don't see any reason
> why a keylogger can't catch the gpg passphras
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
michael graffam escribió:
>> Or turn on typescript by default.
>
>
> Doesn't save GPG passphrases.
Is typescrit some sort of keylogger? If it is, I don't see any reason
why a keylogger can't catch the gpg passphrase (warning: there may be a
v
Dear GnuPG users,
I have some questions regarding use of the tsign command; please don't feel
you have to answer all of them at once, just one will do, although I'd like
to point out that the one most important to me is #1. I’ve been doing some
reading and experimentation with tsign and I think I
On Wed, Jun 11, 2008 at 04:31:45PM -0400, michael graffam wrote:
> On Wed, Jun 11, 2008 at 3:56 PM, David Shaw <[EMAIL PROTECTED]> wrote:
>
> > If the attacker had access to your machine to implement the LD_PRELOAD
> > attack, there are literally dozens of ways they can similarly steal
> > whateve
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
(forwarded this message)
michael graffam schrieb:
> It's easy to solve the problem: all you need is a trusted strcmp() (i.e
> one linked directly w/ main() )..
>
> Before you do anything else, main() checks the environment pointer with
> the trusted s
On Wed, Jun 11, 2008 at 04:31:45PM -0400, michael graffam wrote:
> On Wed, Jun 11, 2008 at 3:56 PM, David Shaw <[EMAIL PROTECTED]> wrote:
>
> > If the attacker had access to your machine to implement the LD_PRELOAD
> > attack, there are literally dozens of ways they can similarly steal
> > whateve
I can not seem to figure out how to use gpg2 to create
signatures in RFC3156 PGP/MIME format; rather than
the inline OpenPGP format.
I'm prepared to do all the necessary MIME encapsulation
and canonicalization of the first part of the multiple/signed
component, but then want to use gpg to produce
Good example of why you need subkeys.
http://www.wsbtv.com/news/15847652/detail.html
On 6/9/08, Simon Dwyer <[EMAIL PROTECTED]> wrote:
>
> Hi everyone,
>
> I am new to all this and have been alot of reading.
>
> One thing i cant get my head around is subkeys. I have generated a sub
> key with
On Wed, Jun 11, 2008 at 3:56 PM, David Shaw <[EMAIL PROTECTED]> wrote:
> If the attacker had access to your machine to implement the LD_PRELOAD
> attack, there are literally dozens of ways they can similarly steal
> whatever data they are trying to steal. Why do a very complex attack
> involving
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
I'm now confused about creating a separate subkey for encrypting, as
opposed to creating one keypair that signs and encrypts. The example
I've seen around is that if you're set up the subkey way and the police
demand the private part of your key, yo
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
I just created a new primary key and subkeys, and uploaded them to
keyservers. Then I exported my public key in ascii-armor, and copied
that file to my website. I noticed that the very last few characters
were different from what the keyservers had.
On Wed, Jun 11, 2008 at 10:43:02AM -0400, michael graffam wrote:
> Has anyone read the article in the most recent 2600 regarding using
> LD_PRELOAD to eavesdrop on gnupg?
I read the article. For those who didn't see it, the basic summary is
that by using LD_PRELOAD to replace various functions (m
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
michael graffam schrieb:
> Not a real solution, because if LD_PRELOAD is already set, then the
> shell you type unset into might be overloaded as we'll, already.
OK, that was new to me. I checked it with some simple tests [1] and
you're absolutely rig
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Chris De Young escribió:
>> it must be defined at the moment of creating the key. And that is the
>> reason to use "key pairs", because a singe key can't do both functions.
>
> "Key pair" in most contexts actually refers to the set of
> public key + p
How does "physical security" have anything to do with env vars?
I'm not asking for gnupg programmers to try and thwart hardware keyloggers.
But just like we ask our software to do the Right Thing with respect
to say, defeating buffer overflows, it would be nice to do the Right
Thing and check env
michael graffam wrote:
> Has anyone read the article in the most recent 2600 regarding using
> LD_PRELOAD to eavesdrop on gnupg?
My reaction to it has been to yawn.
If you don't have physical security on your machine, you don't have any
electronic security worth talking about. We've known this f
Hey,
Question for you guys, new gnupg user here, great software..
I was thinking of maybe encrypting files in PGP that many people will
require access to, since i dont know PGP inside and out I was wondering
what would be the best method, as sometimes I will have to remove access
for some users
Not a real solution, because if LD_PRELOAD is already set, then the
shell you type unset into might be overloaded as we'll, already.
You can't trust strcmp() or getenv() either, since the preloaded lib
could be hooking them on you.
I've was able to write a stealthed lib which successfully hides i
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
michael graffam schrieb:
> Not a real solution, because if LD_PRELOAD is already set, then the
> shell you type unset into might be overloaded as we'll, already.
Now that's very true; but still my opinion is that if you can't trust
the system on which
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
michael graffam schrieb:
> Thoughts?
Run "unset LD_PRELOAD" before running gnupg if you don't trust the system?
It's an inherent feature of the loader. Compiling everthing statically
only works around this inherent feature/problem, however you call i
Has anyone read the article in the most recent 2600 regarding using
LD_PRELOAD to eavesdrop on gnupg?
I realize that the actual recovery of a passphrase by this means is no
better than keylogger --
But what concerns me more (and isn't explicitely covered in the
article) is the ability to inject f
24 matches
Mail list logo
