From: “Ed Carp [khijol SysAdmin]” <khijol!erc@cygnus.com>
To: khijol!clark.net!cme@cygnus.com (Carl Ellison)
Message Hash: a0b4e21876d81b7a5c0b4f7ff3a099e943c699066da112f8747bf05b7c5b107a
Message ID: <199511232157.PAA21597@khijol>
Reply To: <199511231945.OAA03659@clark.net>
UTC Datetime: 1995-11-23 22:13:43 UTC
Raw Date: Fri, 24 Nov 1995 06:13:43 +0800
Subject: Re: crypto for porno users
-----BEGIN PGP SIGNED MESSAGE-----
> Strong authentication via crypto does not create a trusted group. Trust is
> a human:human decision -- subject to severe flaws, none of which are solved
> by crypto. [Can you devise a crypto protocol which will prevent or even
> just detect adultery, for example?] With each additional person, there is
> a probability of deception. For this informal network of yours, deception
> by any one participant constitutes a security failure. If you want to
> avoid that, therefore, you need to keep the group *very small*. If it's
> that small, then it's not that interesting a target for LE.
Very true. Authentication, whether strong or weak, merely says that you are who you say you are -
totally different from this "web of trust" I keep hearing about - and that is *it*. Do you trust me
any more now than before I started signing my postings?
> Ah -- but that's the point I was making. Crypto gives the appearance of
> security -- whether it's in the informal network or with file storage.
> It's often a bank vault door on a cardboard house. For much of what people
> do, especially if there's a large net, it's not rational to expect to
> achieve security. But -- if people have done something to achieve
> security, they're likely to be fooled into trusting it to be adequate.
>
> Meanwhile, if *everything* on the perp's machine is encrypted, you're
> probably in good shape. That means he'll be required to type passwords too
> often -- so he'll either pick a small one or have some machinery which
> stores the password. Both give cryptanalytic advantages.
It's well-known that most revelations of encrypted information come from "humint", not from
mathematical finesse with the encryption scheme. I especially love Oracle's idea of security - when
submitting SQL to the Oracle back-end, to automate the process, you feed it your user ID and
password IN THE CLEAR, ON THE COMMAND LINE. Any weenie can run "ps -ef/ps -ax" and pipe it to
grep. The fact that Larry Ellison won't do anything about it seems to me to be idiocy of the first
order, and that Oracle doesn't know what it's doing. It's not even a good database product. Deity
only knows why people keep buying it, although that's rather off-topic ;)
- --
Ed Carp, N7EKG Ed.Carp@linux.org, ecarp@netcom.com
214/993-3935 voicemail/pager
Finger ecarp@netcom.com for PGP 2.5 public key an88744@anon.penet.fi
Q. What's the trouble with writing an MS-DOS program to emulate Clinton?
A. Figuring out what to do with the other 639K of memory.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----
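
The exposure described in the message above (a user ID and password given on the command line can be read by any local user through `ps`), shown as an added example that is not part of the original post: a small audit that scans `ps`-style output for arguments carrying a secret and reports them with the secret redacted. The process listing is constructed sample data, and the list of Oracle client names and the two patterns checked are assumptions made for illustration, not an exhaustive rule set.

```python
import re

# Constructed sample of `ps -eo user,pid,args` output (not from the original post).
SAMPLE_PS = """\
USER       PID COMMAND
oracle     412 ora_pmon_PROD
batch     1733 sqlplus -s scott/tiger@PROD @nightly.sql
batch     1740 /bin/sh /opt/jobs/nightly.sh
www       2011 mysqldump --user=report --password=hunter2 sales
erc       2100 grep -i sqlplus
root      2250 /usr/sbin/sshd -D -p 22
"""

# Assumption: client binaries that accept a user/password[@db] connect string.
ORACLE_CLIENTS = {"sqlplus", "sqlldr", "exp", "imp"}
# user/password, optionally prefixed with userid= and suffixed with @db.
CONNECT = re.compile(r"^((?:userid=)?[A-Za-z][\w$#]*/)([^/@\s]+)(@\S+)?$", re.I)
LONG_OPT = re.compile(r"^(--password=)(.+)$")


def audit(ps_text):
    """Return [(user, pid, kind, redacted_cmdline)] for argv that expose a secret."""
    findings = []
    for line in ps_text.splitlines()[1:]:            # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:                           # blank or malformed row
            continue
        user, pid, args = parts
        argv = args.split()
        exe = argv[0].rsplit("/", 1)[-1]             # basename of the executable
        kind = None
        for i, tok in enumerate(argv[1:], start=1):
            # Connect strings are only checked for known clients, so ordinary
            # relative paths such as "bin/sh" are not misreported.
            m = CONNECT.match(tok) if exe in ORACLE_CLIENTS else None
            if m:
                argv[i] = m.group(1) + "****" + (m.group(3) or "")
                kind = "connect-string"
            elif LONG_OPT.match(tok):
                argv[i] = "--password=****"
                kind = "password-option"
        if kind:
            findings.append((user, int(pid), kind, " ".join(argv)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PS):
        print(*finding)
```

On a live host the same function can be fed the output of `ps -eo user,pid,args`; each finding marks a job that should take its credentials from standard input or a permission-restricted file instead of its argument list.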