From: John Nieder Area: Public Key Encryption To: Christopher Baker 24 Sep 94 17:33:04 Subject: Securemail UpdReq -=> Quoting Christopher Baker to John Nieder <=- CB> please advise your friend to find the nearest SecureMail Routing Host CB> and send all his encrypted traffic there. it will be routed without CB> further incident. CB> freq SECUREML.ZIP for the SecureMail Routing docs and topography map. I got this file, but I see nothing of any use to a user. It merely explains how Securemail works from a technical (participating sysop's) standpoint. If I were to post from a non-securemail BBS (1:222/333) to a user at another BBS (1:444/555), I do not understand how I am to route this mail through a Securemail node (1:666/777). As far as I can see, nothing in the file addresses this problem from a user standpoint. The only solution I see is to blow off trying to post from 1:222/333 and get an account on the Securemail BBS, 1:666/777 - assuming it's a BBS at all and not just a mail gate, will give me access and is not long distance. Is this the "solution" you suggest in the first paragraph? When you say "send all his encrypted traffic there," do you actually mean "send all his encrypted traffic FROM there"? I'm lost. The other possibility would be to get the actual BBS in question here, 1:125/217 to route its mail to 1:125/33, or run PGP-TOSS to redirect PGPed netmail to that address. This is not up to me or my friend, unfortunately. Back to Square One and the redoubtable Mr. Ashworth. Comments? 201434369420143436942014343694201434369420143436942014343694718 From: jason carr Area: Public Key Encryption To: all 24 Sep 94 12:24:10 Subject: Re: PGP Signatures UpdReq --> Note: Reply to a message in MODERATOR. > I suggested to one PGP-booster that they should put the > signature in kludge lines. If they did that, most readers > would never see it and I would have no objection. However, > it appears that PGP is pretty inflexible about the format of > the signature, so this wasn't possible. What do you guys think about this idea? jason ... My message above. Your response here ____________. 201434369420143436942014343694201434369420143436942014343694718 From: John Schofield Area: Public Key Encryption To: Gary Mirkin 22 Sep 94 22:58:14 Subject: New To Pgp UpdReq -----BEGIN PGP SIGNED MESSAGE----- --====-- JS>I use EZ-PGP a program I wrote to allow signing and/or encrypting of JS>e-mail, posting of keys, etc. It seems quite popular, but it does JS>not support decrypting or checking signatures. GM> Do you have any plans to add decrypting, etc. to the program? BTW, is GM> it available on CompuServe? I have not the slightest idea whether or not it is on Compuserve. If anyone finds out, I would appreciate knowing. If it helps you look for it, the file name of the latest version is "EZPGP107.ZIP," for version 1.07. I understand that CompuServe can't handle a full eight-character file-name, so I don't know what it would be called there. No current mail-reader that I know of supports a decrypt function--there is no simple way to implement it. Programs like PGPBLUE get around this by having you reply to a message, which starts PGPBLUE up. That way, whether or not you actually intend to reply to a message, you need to tell your mail reader you are going to reply. I don't want to put that kind of kludge in EZ-PGP. It just seems like it would create more problems than it's worth. Especially since no special command-lines are necessary to check a signature, decrypt a message, or add a key. Just save the message to a file, and run "PGP FILENAME." Simple. Once a mail-reader supports this, I will immediately add this capability to EZ-PGP. I agree with you that this feature is necessary--but I put in a LOT of work to make EZ-PGP as simple to use as possible. I don't want to put in the effort when by the very nature of the method, it will not be simple. JMS JMS -----BEGIN PGP SIGNATURE----- Version: 2.7 Comment: Call 818-345-8640 voice for info on Keep Out magazine. iQCVAwUBLoJuHWj9fvT+ukJdAQFvggQAg1mXcdfSXnjPWXx2P2ST0hRLEhjq4C+l 8vUV/MZTJZxjDzI9YZuPiplakR/uQnHt9+bpd6VehEW716UJNhMjjNcqnJtYg17j s8lRzcReHi3i0VhWoqBeYxI8MAJ4RHoI4BwNW9ZJIo2rCAqatAs/mMK+/98olMkU EuBJ98Uovbk= =HDu0 -----END PGP SIGNATURE----- **EZ-PGP v1.07 ... A day without sunshine is like night. 201434369420143436942014343694201434369420143436942014343694718 From: Richard Walker Area: Public Key Encryption To: Wes Landaker 24 Sep 94 10:53:06 Subject: Re: New to PGP UpdReq RW>> I don't even provide echomail to my users. No way will I open RW>> the pandora's box to netmail!!! Now there are a *few* folks with RW>> access to echomail, but they are people I've known face-to-face RW>> for years not related to computers or bbs'. Basically, I don't RW>> allow anyone to access the dangerous stuff (echomail) unless I'd RW>> also trust them to belay me or go hunting with me. WL> Why do you even run a BBS, if you aren't going to let anyone use your WL> echomail? WL> That's what it's there for, you know--for _BBS users._ You might as well WL> be a WL> point, or use BlueWave or something if you are _that_ scared of all this WL> liability. You somehow think all BBS's are run for the same reason. That doesn't make much sense if you ask me. I run a bbs for my own reasons, not for yours, and not for anyone elses. My reasons: rec.guns archive online for any caller to download. Basically 50+ meg of firearms technical discussions (non political) useful for getting opinions on a gun purchase, etc... Also good for entertaining Glock vs SIG vs Beretta debates. rec.backcountry archive, under construction. Basically backpacking and other outdoorsy kind of things. software distribution, I am the author of several pieces of software including a mail handler for GT on fidonet. I also have several proprietary pieces of software that I distribute that only the appropriate individual has access to. Freeware stuff is also availabe via FREQ. software support, I get quite a bit of netmail both GT and FIDO based, asking for technical support, which I provide via netmail. WL> Well if the carrier (BBS) is not self-assuming liability, then that WL> would be the user's problem when the FBI showed up, wouldn't it? Doubt you'd be able to convince the FBI of that. RW>> Correct, which is why I can be an advocate for the opposition RW>> without any risk at all, even from a frivolous lawsuit. Simply RW>> because no one out there can physically construct a situation on RW>> purpose that would get me in trouble. I understand system RW>> security, and am quite simply, good at it. WL> Let me ask you something: do you run a pay BBS, or accept payment or WL> donations in any form? Nope. There is no address or any other notice that would even allow someone to mail me a check. I accept neither donation nor payment for BBS services, and never have. RW>> If you logged on as a user you would be physically unable to send RW>> a message to another user, private or public. WL> Then, pardon the "inflamitive" language, what the hell is your BBS for, WL> if not to send and receive messages? =) See above. My BBS is *NOT* a message oriented board. I'm sorry if you believe everyone ought to run exactly the same sort of system; but as it is *MY* equipment, and *MY* time, I will run the type of BBS that *I* want. WL> I suppose you have _no_ expired, unregistered shareware? What if someone WL> uploads some? Are you responsible for that? No one can upload diddle. I have no significant amount of shareware period, and that which I use, I have registered. I use commercial programs, all of which I have purchased. Sitting on my right side here, I have close to $5,000 worth of commercial software. Some people spend money on cars, I spend money on software. I think cars are a waste of money. I own a single car, a Toyota Tercel, which I intend to put 500k miles on before I even think about getting a new one. (I already got 120k on it.) I make plenty of money, and could afford a stupid $20k+ car, but I tend to believe that that is the most stupid use of money imaginable. On the other hand, I think buying Corel Draw and Adobe Illustrator to play with is a perfectly intelligent thing to do. I also own copies of both Lotus 123 and Excel. Amipro and WinWord, Borland C++ and Visual C professional, Greenleaf Commlib and SaxComm, Win NT, Win 3.1, OS/2, Accusoft Image Library, Easy Tax, Turbo Tax, Arago Quicksilver, WinFax, GT Power, HyperComm, Major BBS & Development tools, and on and on and on and on!!! WL> chip, and transistor on your computer hardware works, then, to take sure WL> responsibility. :) Don't need that. Though I do know a significant amount of digital logic, and can put together a little TTL stuff if coerced. WL> (Didn't you know that DOS's format command writes binary data to an WL> unused WL> portion of the hard drive that, if read by the correct program, displays WL> pornography? ;) Buzzz. That is incorrect. RW>> I take adequate defensive measures that ensure that nothing becomes RW>> available on my system that I have not been able to review. As I WL> But . . . wait, Richard; in your last message you said: "Your Honor, I WL> neither WL> read, nor censor, any mail; PERIOD." Isn't this contradictary? :) Nope. You are again falling back on your assumption that all bbs are message and chat boards. I censor no mail because their is no mail not addressed to me or originated from me on my system. WL> I still fail to see what your system offers, then. Only local, public, WL> message No message areas what so ever. Zilch. Nadda. Zero. WL> areas, censored by you 24 hours a day? (Heaven forbid that two people WL> log on an WL> exchange a message before you can review it, right?) Two people can't exchange a message, PERIOD. There are several hundred other places in Houston where they can do that. And only one in Houston where they can do what they can with mine, and that is MINE. RW>> I wrote it, but have little if any time to fix bugs. WL> If I was the procecuting attorney, I would have brought in ten or twenty WL> examples of other avalible software that could be used with your system WL> very Name them. I use GT Power and Binkley 2.50. Name a mail handling software for GT that works as quickly as mine that is not mine. There is one that is close but it hangs periodically, basically whenever a grunged message makes it through the distribution channel. In over two years of continuous operation, mine has never hung. RW>> I disagree, and until there is a successful felony prosecution RW>> for this, I will continue to be completely confident that my RW>> position is the correct position. WL> It's my understanding that there have already _been_ convictions on this WL> type WL> of thing, Richard--I've seen that quoted to you over and over by other WL> people in this echo. Nope. There has not. Give me the fidonet address of the sysop who was convicted for bouncing fidonet messages. I'd also like a case number, so that I might review the actual facts as opposed to what some PGP activist would like the facts to be. WL> Besides, if the federal government passed a law saying "no chewing WL> bubble gum." WL> Would you waltz out onto the streets poping your bubbles saying, "well, WL> there hasn't been any convictions yet, so I _MUST_ be right!"? Unfortunatly for your side of the argument, there is no parallel. I've read the ECPA, and it don't say diddle about bouncing fidonet messages. I understand that you disagree. However, I remain unconvinced that bouncing a routed fidonet netmail message violates the ECPA. 201434369420143436942014343694201434369420143436942014343694718 From: Richard Walker Area: Public Key Encryption To: Wes Landaker 24 Sep 94 11:27:34 Subject: Re: Net 106 still at it? UpdReq WL> I never said it was illegal to not route it. It's illegal to read it. WL> And if WL> they can tell if it's encrypted or not, then they're LOOKING at it. :) I disagree completely. WL> with worrying so much about liablity on your system? :) Financial liability, not criminal. I feel quite secure from any criminal liability. OTOH, when a lady gets big bucks for spilling coffee on herself, I think I have adequate reason to be concerned about financial liability. Not that I have a lot of money or insurance, but a successful nuisance suit certainly would be annoying to just about anyone. RW>> I have stated before that I disagree with this particular method. RW>> I think its dumb. I think they should route these offensive RW>> messages into the twilight zone never to be seen or heard from RW>> again by anyone, ever. Eventually, I hope they'll terminate RW>> routed netmail entirely. That will end the self-righteous RW>> leaching off of a freely offered service, and make yall put your RW>> $$$ where your mouth is, or start sending your mail direct. WL> I'm very glad that you are not part of the routed-netmail system, WL> Richard, as WL> obviously you haven't much of a grasp on it's concept. Why do you want WL> to destroy routed netmail so much? Oh, I understand the technical details quite well, thank you very much. You may believe there is some special "philosophy" about what routed netmail is about, I don't. I feel that routed netmail within fidonet is a really bad idea because of the fact that a netmail message is typically unpacked into a systems mail directory and then scanned back out. I don't have a similar argument with networks that do not do this, GT and most sites on the internet don't do it like that, instead, using a spool directory for the process which can be and often is cleared completely after each mail handling event. My argument about routing *encrypted* mail is that it is using someone elses hardware and phone service to accomplish a task which they have explicitly stated that they do not consent to do. WL> So, you're saying that if I slander you here on the echo (this is WL> hypothetical, you know), I don't need to worry about any liability on my WL> part because I can just say that you created it yourself? :) Signed with WL> my PGP key? Hey, I can just say you made that key, and denouce that I WL> _use_ PGP, or even that I know who you are. But what are the chances WL> that this sort of story is going to stand? I'd bet good money if I tried to sue you, your lawyer might well suggest exactly that tact, and I'd bet more good money that you'd win. Besides, why would you slander me? We certainly disagree about certain things, and I want to end a service which you don't pay for anyway; but that seems hardly worth the effort it would take to have even a minimal impact on my life. I have been, what you might call, "slandered" many times, but its never had any impact on my life. The only people I give a flip about are ones that trust me implicitly, and I make it a rule to never depend on anyone for anything if I would not feel perfectly comfortable putting my life completely in their hands. 201434369420143436942014343694201434369420143436942014343694718 From: Richard Walker Area: Public Key Encryption To: Ross Lonstein 24 Sep 94 12:03:30 Subject: RE: Net 106 (Richard Walker vs. As a courtesy to the rest of us could you move the thread (Net 106...) RL> aka Richard Walker vs. RL> to private email or another echo? The thread started out interesting but RL> has burned itself out with 'I'm right, you're wrong' volleys. I respect privacy quite well. I do not respect your "right" to route netmail. The specifics of how I operate my own system allow me to counter the arguments in this echo without being personally exposed to even a nuisance suit. As someone who absolutely supports the distributors position on this, yet is completely unaffected by it either way, I can present a reasonably pure argument that is not effected by my own operational situation. That said, I would be perfectly content to let the thread die if folks would stop with the "Net 106 is so oppressive/evil/whatever threads". Just face the fact that you have to use a securemail site to route encrypted mail into Net 106, and be content. I don't understand this concept of trying to force someone to use his/her/its computer to do your task when they have explicity stated that they do not consent to do it. If yall want to use this echo to abuse Net 106, then I feel I must at least make the counter arguments present here also. 201434369420143436942014343694201434369420143436942014343694718 From: Dan Wilson Area: Public Key Encryption To: Shawn McMahon 24 Sep 94 18:19:42 Subject: Need recommendations UpdReq SM> Secondary security will be a CMOS password, which will SM> of course just slow the intruder down while he hunts SM> for a screwdriver. While you are correct that the CMOS password can be easily defeated, it cannot be easily defeated without leaving evidence - ie, the password will be gone. I would assume that your client would be able to take some action against the person in question if he found such evidence of hacking. Do the methods you are proposing prevent a hacker from making a backup copy of the encrypted drive/files and taking the backup with him, leaving him then at leisure to play with the copy off-site? Dan. 201434369420143436942014343694201434369420143436942014343694718 From: Peter Bradie Area: Public Key Encryption To: Shawn Mcmahon 22 Sep 94 21:59:00 Subject: New indecency rules propo UpdReq -=> Quoting Shawn Mcmahon to Peter Bradie <=- SM> Only if such screening is necessary for proper system maintenance, for SM> technical reasons. Content reasons aren't allowed, Peter. Neither is SM> deletion of the message. Both statements are true, Shawn. But I rather doubt any sysop with a degree of snap would state that they screened the private message because they wanted to see what was in it... or having deleted it, state that the message was deleted because they disapproved of the contents. Sort of, "Ooops, it was an accident while I was doing a disk write, so the message was not recoverable..." would do. SM> Indeed. But that doesn't mean we shouldn't fight laws that try it SM> anyway, because it's gonna be a real expensive fight for the poor SM> schlub who tests it in court. That's the sort of law the ACLU is pretty good at fighting. And doing it cheerfully. SM> Odds are that he won't get all his equipment back intact, either, and SM> that he'll be crucified in the local press. It's going to happen, Shawn. The only way to fight it is by electing congresscritter at the state and national level that have some respect for the constitution, and an inherent distrust of large bureaucracies. ... The most obnoxious conduct is justified in the name of morality. ... Blue Wave/QWK v2.10 201434369420143436942014343694201434369420143436942014343694718 From: Raymond Paquin Area: Public Key Encryption To: Shawn McMahon 23 Sep 94 23:55:34 Subject: RSA Broken UpdReq RP> Um ... not quite. But you are right: there is such a thing as a RP> weak prime number: i.e. not all prime numbers are created RP> equal.Unfortunately, PGP does not check for weak prime RP> numbers. Pity ... SM> PGP relies upon the fact that the odds of actually SM> generating a weak prime with it's algorithm are SM> significantly less than the odds of getting hit by SM> a meteor while generating your key. :-) Then I must conclude that the odds of getting hit by a meteor are quite high...(g). In order to find a 'strong' *pair* of prime numbers, one has to generate about 600 (!!!) prime numbers, about 70% of which are rejected because they are weak (singly) and about 29.999% of which are rejected because the second prime number found, although strong singly, is not 'compatible' with the first. You can check that for yourself: an 'old' version of the source-code for PGP (I don't remember which) has commented-out code to do the extra checking. Uncomment it, re-compile the program and see for yourself. The program will take MUCH longer in spite of the fact that the extra checking is NOT as complete as it should or can be. Ciao... 201434369420143436942014343694201434369420143436942014343694718 From: Shawn McMahon Area: Public Key Encryption To: Alan Pugh 25 Sep 94 16:51:28 Subject: Key Revocation UpdReq Despite the stern warnings of the tribal elders, Alan Pugh said this to Tim Devore: AP> next time you create a key pair, copy your keyrings to alternate AP> files, then create a revocation certificate and copy the pgp AP> directory to a floppy and write protect it. (make two copies if AP> you believe in murphy as much as i do.) If you have you secret key on a floppy, an attacker who gets the floppy has to either try brute-force search of the keyspace, or know a way to crack MD5. (Which might be possible; one of it's design goals was avoiding collisions, and it now appears that it has them. I don't know of any proof yet that there is an easier way to crack it than brute force, however.) If you have a revocation certificate on a floppy, an attacker who gets that floppy can just revoke your key. Just send that certificate out far and wide, and generate his own phony replacement. And there's not a lot you can do about it, because you "signed" that revocation when you created the certificate. 201434369420143436942014343694201434369420143436942014343694718 From: Shawn McMahon Area: Public Key Encryption To: Richard Godbee 25 Sep 94 16:34:34 Subject: Signing Messages and Other 'Newbie' Questions...UpdReq Despite the stern warnings of the tribal elders, Richard Godbee said this to All: RG> Okay, I think this is how most of you here sign all of your RG> messages, but (I'm probably wrong here; I just want to make RG> sure) would this give away your secret key? Why not sign it RG> with your public key? If you encrypt something with your private key, it can only be decrypted with your secret key; thus, somebody would need your secret key to check the signature if you did that. If you encrypt it with your secret key, it can only be decrypted with your public key. Thus, it's not really encrypted; it's signed. (Some twits will tell you that, since they need your public key and they might not have it, it's encrypted. You need a key to decrypt ASCII, too; it's just that everybody has the key.) 201434369420143436942014343694201434369420143436942014343694718 From: Shawn McMahon Area: Public Key Encryption To: Scott Redd 25 Sep 94 16:37:16 Subject: Need recommendations UpdReq Despite the stern warnings of the tribal elders, Scott Redd said this to Shawn McMahon: SR> It sounds to me like you, or your client, already know who this SR> person is. Suspicion, not certainty. SR> Why not simply get rid of him or subject him to severe SR> disciplinary action if he persists after a warning? They haven't caught him in the act, and there're interdepartmental questions involved in just confronting him with it. If they catch him, they'll fire him and charge him under various statutes, depending upon circumstances. 201434369420143436942014343694201434369420143436942014343694718 From: Shawn McMahon Area: Public Key Encryption To: Edwin Teh 25 Sep 94 16:38:50 Subject: Need Recommendations UpdReq Despite the stern warnings of the tribal elders, Edwin Teh said this to Shawn Mcmahon: ET> You forget to mention the most important : How is this intrusion ET> going to take place? ET> Over a network? Over the Internet? Direct physical access? ET> Perhaps blackmail, or kidnapping the owner of the terminal, ET> and forcing him to reveal his passwords? Direct physical access, probably over the weekend when nobody's there. No threats likely, but then there's not a blessed thing I could do to the data to secure it against that short of actual physical destruction. :-) 201434369420143436942014343694201434369420143436942014343694718 From: Shawn McMahon Area: Public Key Encryption To: Leroy Ang 25 Sep 94 16:42:06 Subject: New To Pgp UpdReq Despite the stern warnings of the tribal elders, Leroy Ang said this to Bill Bishop: LA> Only those who have FidoNet addr. can FREQ files right? LA> Well i don't have one so *Boom!* :( Anybody with a program capable of meeting the proper protocols can do a FREQ. That means a Fidonet mailer, or the Terminate terminal program. If you're not a member of Fidonet, some BBSes won't let you FREQ. Then again, Fidonet can't stop you from using a phony address. Please don't use mine. :-) LA> There was once i left codes in the lab and the next few LA> days, LA> it spread like hell in school! I know exactly how you feel, Leroy. 201434369420143436942014343694201434369420143436942014343694718 From: Shawn McMahon Area: Public Key Encryption To: Carl Hudkins 25 Sep 94 16:45:14 Subject: Getting Started w/PGP UpdReq Despite the stern warnings of the tribal elders, Carl Hudkins said this to Christopher Baker: CH> FREQs?) and it found three =secret= keys in there! One was CH> from a Steve Jackson. Yikes. That's probably Steve Jackson of the landmark Steve Jackson Games case. Carl, send me a copy of that key, would you? I'll forward it to Steve so he can verify the problem. He might not even know it's out; his BBS has become a big commercial Internet site, and somebody might have snared it. Or he might have just messed up. 201434369420143436942014343694201434369420143436942014343694718 From: Shawn McMahon Area: Public Key Encryption To: John Nieder 25 Sep 94 16:50:16 Subject: Who's This Ashworth? UpdReq Despite the stern warnings of the tribal elders, John Nieder said this to Shawn McMahon: JN> Yes, I know. Unfortunately, the ECPA isn't worth the paper it's JN> printed on as far as I can tell - at least not as regards the JN> conduct of Fidonet operators. Only because nobody's filed charges under it yet. Every law goes through that stage, John; doesn't mean it isn't law until it's reviewed by a judge. Just means nobody's ruled on it yet. JN> between Fidonet policy and Federal law. Fidonet sysops JN> still screw around with non-public mail with complete JN> impunity, as though the ECPA doesn't exist. Yep; and that's going to continue until somebody files charges and/or a suit. In the meantime, the Justice Department is teaching it's personnel that the ECPA does indeed apply to Fidonet mail. It's already been proven that it indeed applies to Internet mail, and there are cases pending that will (if taken to the Supreme Court) show that it applies to Fidonet mail. One of these is likely to make it to the Supreme Court, and another is probably going to get settled at the state level (in California) without an appeal by the state. IMO, of course. And I'm not a lawyer. 201434369420143436942014343694201434369420143436942014343694718