1994-08-24 - Re: Using PGP on Insecure Machines

Header Data

From: cactus@bb.com (L. Todd Masco)
To: cypherpunks@toad.com
Message Hash: f23707e528aff8fbeffb9378d680dbc2c4beeca83929cff2476acb6fe36a2e8b
Message ID: <33f44u$8av@bb.com>
Reply To: <199408240630.XAA26030@netcom4.netcom.com>
UTC Datetime: 1994-08-24 09:29:54 UTC
Raw Date: Wed, 24 Aug 94 02:29:54 PDT

Raw message

From: cactus@bb.com (L. Todd Masco)
Date: Wed, 24 Aug 94 02:29:54 PDT
To: cypherpunks@toad.com
Subject: Re: Using PGP on Insecure Machines
In-Reply-To: <199408240630.XAA26030@netcom4.netcom.com>
Message-ID: <33f44u$8av@bb.com>
MIME-Version: 1.0
Content-Type: text/plain

In article <199408240630.XAA26030@netcom4.netcom.com>,
Timothy C. May <tcmay@netcom.netcom.com> wrote:
>L. Todd Masco writes:
>> Well... Either that, or they have their own UNIX boxes (an increasing
>>  trend in this world of Linux boxes...) or other personal machines
>>  that run an MTA and emacs.
>Precisely! In fact, I think I cited the Linux phenomenon just a day or
>so ago...(in a mention of cheap Pentium boxes). When many more
>locally-controlled boxes are on the Net, conveniently, then things
>should start to really get going.
>Until the "Internet-in-a-box" or TIA-type products are more
>widespread, many people will be connecting home or office machines to
>other systems they don't control.

Actually, I expected to get jumped on in a major way for saying that.

Linux boxes run X11, with all its security problems.  Add to that the
 increasing frequency of popularity of UNIX and UNIX-alikes, with all
 their security problems, and you get a picture that's terrifyingly

I can just picture in three years: Job Bob Public sitting at his Linux
 box, connected by TC/IPng over the local cable IP provider -- scared
 by a mailing he's recently gotten from the Oregon Driver's Privacy
 Initiative with information of where his daughter had his lojack-ng
 equipped car was three days ago when she was supposed to be at football
 practice -- decides to set up Microsoft PGP 5.7us on his machine (and
 to wire up the optional personal lojack-ng tracking feature, of
 course -- brought to you by AT&T).

He writes a message that he believes secure -- Of course, he's got his X11R8
 server xhost +'d, so that his friend Suzy EveryCheese can send windows
 to him (she's much too smart to allows other clients to attach to *her*
 server).  He types his passphrase in and his son, Bubba Public, snarfs
 it from his PC-SeptiumJr.  It never hurts to be able to see what the
 Old Man might be writing.

Of course, the entire thing falls apart when the Morris Worm Mk 3 chomps
 down through the least-secure encryption methods specified in IPng's
 security specs (they salvaged the old AFS "xor 'flamingo'"
 "optimization"), but that's another matter.

The point?  I'm actually not very sure... but it has something to do with
 there never being an easy way to be secure, especially for the plug-n-
 players.  It also has to do with the way things are going to be extremely
 unstable when everybody is networked on machines with an OS and windowing
 environment that evolved to play XTrek efficiently and to support Xeyes
 with motif. 

Knowledge and/or effort -- not to mention a good dose of paranoia -- are de
 riguer, and I doubt that we'll see anything different in the near future
 (even if technically possible: the rise of MS Windows and UNIX/X11 have
 me pretty down on the economics of quality these days).

>It reeks of fanaticism.

Fanaticism's fine.  It's clueless, dogmatic fanaticism that's a problem.
L. Todd Masco  | "Large prime numbers imply arrest."  - Previously meaningless
cactus@bb.com  |   grammatically correct sentence.  Now...