From: Johnathan Corgan <jcorgan@netcom.com>
Date: Tue, 29 Nov 94 02:16:59 PST
To: cypherpunks@toad.com
Subject: SecureDevice/X-Windows
Message-ID: <Chameleon.4.00.941129021617.jcorgan@>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

Okay, so I'm signing my messages now.  At least your proposed sign-or-delay
rule has had its intended effect on one user here :)

My question is:  What is the group's opinion on the use of SecureDevice to 
store sensitive data as an encrypted volume under DOS on a PC? (I am assuming
here that enough people know what I'm referring to not to explain.)

I've moved all my email, sensitive data files, and PGP keyrings over to this new 
volume.  Given all that I've read on the IDEA encryption method, I feel comfortable 
that the data is essentially secure from everything but a brute force attack on the 
key, or carelessness on my part.  I'm sure that the magnetic fingerprint of the 
original data files still remains scattered over the rest of the hard disk, but I'm 
not as worried about this (yet--the more I read this list, more paranoid I seem to 
get :)

Someone posted about using CFS under Linux to store his PGP secret keyring, without a 
keyring pass phrase.  The idea here was that when the system was powered off, CFS 
provided sufficient security to protect the secret keyring.  This would allow the 
user to automate the use of PGP with scripts to send and receive encrypted mail, 
without the need to deal with piping in or otherwise supplying a pass phrase.

Would anyone consider this foolish?  I can take the same argument here with 
SecureDevice--I only 'login' to the drive with my passphrase when I am using it, and 
when the machine is off, the encrypted volume protects the secret keyring by default. 
 The weakness here is that should I step away from my machine and carelessly forget 
to 'logout' of the secured drive, my secret key is wide open for someone to steal.

On an entirely different note:

I use MS-Windows on the PC platform for my internet access due to the variety and 
relative availability of Windows Sockets based software.  Call me a traitor to the 
cause, all Microsoft bashing aside, but I really do prefer the GUI interface to mail, 
FTP, telnet, and WWW than the Unix command line oriented tools to do the same.

I also have Linux installed on a different machine, and am slowly learning all the 
neat and wonderful things one can do with it.  I haven't quite gotten X Windows 
configured properly, but I wonder if all the same internet access tools I mentioned 
exist as X apps.  This would allow me to get all the benefits of Unix, while 
retaining the ease-of-use benefits of a GUI environment.  Forgive me if these are 
naive questions--I'm a lowly DOS/Windows user just now starting to see the light of 
Unix :)

Another question:  How feasible would it be to build a system under Linux/X Windows 
to automate PGP encryption and signatures in a transparent way, using an X windows 
mail reader?  People have done this with Pine/Elm, so I assume the same techniques 
would work under X.

Gosh, really showing my ignorance here :)

- -----------------------------------------------------------------------
Johnathan Corgan       "Violence is the last refuge of the incompetent"
jcorgan@netcom.com                       -Isaac Asimov
PGP Public Key:        http://www-swiss.ai.mit.edu/~bal/pks-toplev.html
Or send email to:      pgp-public-keys@pgp.ai.mit.edu Subj: GET jcorgan
- -----------------------------------------------------------------------


-----BEGIN PGP SIGNATURE-----
Version: 2.6.1

iQCVAwUBLtr+6E1Diok8GKihAQFGLgP/e2BN0W+QOpRwnj7JmIVUgl0cQaNeXpTS
tvSmarhiSSQy6+6uC7XdOHWlJJ8qavbwr8LguMTcFIU8LFSp0jCiQcUj5Jxt9oSV
evpeZXucwXsT/kh3m97MRiwqOxkjFED1h7zjKbJrHxdI/TkGPUXUmP815Am6eVqB
qwY9W3lqeSs=
=n+Df
-----END PGP SIGNATURE-----