1993-08-28 - Physical security lapses will getcha every time.

Header Data

From: fergp@sytex.com (Paul Ferguson)
To: cypherpunks@toad.com
Message Hash: fbd3ccb64fcb14a6a7e6ccf716bf2ad6e20c6df85c2b90074149ba103e9b6f5c
Message ID: <ym8u9B4w165w@sytex.com>
Reply To: N/A
UTC Datetime: 1993-08-28 01:43:27 UTC
Raw Date: Fri, 27 Aug 93 18:43:27 PDT

Raw message

From: fergp@sytex.com (Paul Ferguson)
Date: Fri, 27 Aug 93 18:43:27 PDT
To: cypherpunks@toad.com
Subject: Physical security lapses will getcha every time.
Message-ID: <ym8u9B4w165w@sytex.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----
 
On Fri, 27 Aug 1993 01:46:57 -0400 (EDT),
 Mike Ingle <uunet!delphi.com!MIKEINGLE> wrote -
 
> The most likely place for a bug would be in the randomness.
> I suppose it is possible that a one-line bug somewhere could
> leave out most of the randomness, making the keys still look
> random but actually be predictable. Random number generation
> is hard to verify. How has that in PGP been checked? The PGP
> source is so big and spread out, it's hard to check. I don't
> think there is a bug, but it would be nice if PGP were
> carefully examined and attacked. Where are these rumors
> coming from? They are bad for the cause.
 
Let's be realistic, Mike.
 
The biggest threat to any security, on any basis, is the threat of
human nature. The chances of someone factoring your PGP encoded
message are somewhere in the range of slim-to-none, but the chances
of someone (you) -physically- compromising their key are much, much
higher.
 
In fact, I'd venture to say that it's much higher than even you or I
imagine, given the fact that some folks ignore what most of us would
deem common sense and use PGP on a multi-user system (such as a SUN
server, any other UNIX-flavored workstation, or even a Netware
server).
 
Fact Two: That's why you won't see messages from me either (a.)
signed with PGP, or (b.) encrypted with PGP from any of my other
e-mail accounts. All are UNIX (open) environments and I don't like
the implications of the possibilities of my secret key being exposed,
even if I do trust the folks I work with. Call me a schizoid.
 
Cheers,
 
-----BEGIN PGP SIGNATURE-----
Version: 2.3a
 
iQCVAgUBLH6FrJRLcZSdHMBNAQEs1AP8D3ve8oRYIT4/Lne3LYY9xZWkghZFQyhH
CcCdFhHfAyXeAnz6puIpSN+9zior4/W9pcgxK/EdcCt72hMOzTYQvWtFZVIE0nQA
Fn+a5FkUwCLhvfiIqCSPvBjG8UvBt2RTuv7GN0IiIfMwzCeAkB9MTkoNQut48DGU
thDLDXfnRxs=
=0v11
-----END PGP SIGNATURE-----

Paul Ferguson               |  "Government, even in its best state,
Network Integrator          |   is but a necessary evil; in its worst
Centreville, Virginia USA   |   state, an intolerable one."
fergp@sytex.com             |      - Thomas Paine, Common Sense
 
Type bits/keyID   Date       User ID
pub  1024/1CC04D 1993/03/15  Paul Ferguson <fergp@sytex.com>
  Key fingerprint =  EE D2 93 7D 04 6D C6 05  AC 36 AD 9D 8E 4F 41 58




