What Good is PGP?

Discussion in 'Computer Security' started by Anonymous, Sep 10, 2003.

  1. Anonymous

    Anonymous Guest

    I'm kind of new to the whole PGP thing so maybe I'm just not understanding
    things properly. But it seems to me that there is a huge hole in the whole
    PGP scheme. The manual that came with the program (PGP freeware 6.58)
    described how earlier in history there was a problem with the secure
    distribution of keys, as you could never be absolutely sure that no 'wrong'
    person has gotten hold of the key. The manual also claims that PGP has
    solved the problem. But it seems to me that it really hasn't. A public key
    could be forged and therefore you can never be 100% sure that you are
    sending the data to the right person. A Certificate Authority could be
    tampered with by govt or a malicious person etc. So it seems to me that the
    problem of distribution wasn't solved at all, as there still exists a
    problem with distribution of public keyrings (or rather obtaining of public
    keyrings). So am I really misunderstanding something, or is PGP no more
    secure than earlier methods of secure data transmission?
     
    Anonymous, Sep 10, 2003
    #1


  2. "how secure" PGP is, is based on the conspiratorial thought patterns of
    the person analyzing its security.

    there are very few things that can be authenticated as well as PGP.
    certificate authorities *could be* compromised, of course, my computer
    *could be* infected with a backdoor that's undetectable and unknown to
    anyone in the computer security industry.

    when producing a pgp key pair, you automatically produce a key
    signature. to verify your key, you copy this signature down to paper,
    take it to a local official, a post master, a lawyer, a banker.... you
    give the name of the person you gave it to and their place of employment
    to the person you wish to exchange pgp encrypted messages with. this
    person looks up the telephone number through publicly available
    telephone books, calls the person with your signature and verifies the
    signature against the one that's shown in the properties of your public
    key in pgp tools.

    you hand deliver the signature to the person you wish to exchange pgp
    messages with. for that matter, you hand deliver your public key to the
    person you wish to exchange pgp messages with.

    sure, it's complicated, however, give me a scenario that I can't poke
    holes in.... you can't provide a more secure way than either of the
    above.

    "complications" determine the need or vice-versa. if you NEED explicit
    security in your communications, you WILL take the necessary steps to
    ensure proper security. "slacking" isn't in the vocabulary of the
    security conscience person.




    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness™ as the new industry standard..."

    "...I see stupid people."
     
    Colonel Flagg, Sep 10, 2003
    #2
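
Added example, not part of the thread: the check described in post #2, comparing the value computed from a received public key against one obtained separately on paper or by phone. It is written in Python for version 4 keys, whose fingerprint RFC 4880 defines as a SHA-1 hash. The key material, timestamp and helper names are constructed for illustration.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet for RSA (algorithm id 1)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, 2-byte body length, then the packet body."""
    if not body or body[0] != 4:
        raise ValueError("not a version 4 public-key packet body")
    if len(body) > 0xFFFF:
        raise ValueError("packet body too long for a 2-byte length")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def normalize(fp: str) -> str:
    """Accept a fingerprint as written on paper or read aloud: drop separators, upper-case."""
    cleaned = "".join(fp.replace(":", " ").split()).upper()
    if len(cleaned) != 40 or any(c not in "0123456789ABCDEF" for c in cleaned):
        raise ValueError("expected 40 hexadecimal digits")
    return cleaned

def as_printed(fp: str) -> str:
    """Group into blocks of four hex digits for reading aloud or copying down."""
    return " ".join(fp[i:i + 4] for i in range(0, len(fp), 4))

def key_matches(received_body: bytes, out_of_band_fp: str) -> bool:
    """True only if the key that arrived hashes to the fingerprint obtained separately."""
    return v4_fingerprint(received_body) == normalize(out_of_band_fp)

# Constructed toy values, far too small to be real keys; only the hashing matters here.
CREATED = 1063152000
GENUINE = rsa_public_key_body(CREATED, 0xC3A5F19D2B7E4481, 65537)
SUBSTITUTED = rsa_public_key_body(CREATED, 0xC3A5F19D2B7E4483, 65537)
PAPER_COPY = as_printed(v4_fingerprint(GENUINE)).lower()  # what the owner handed over

if __name__ == "__main__":
    print("paper copy :", PAPER_COPY)
    print("genuine key:", key_matches(GENUINE, PAPER_COPY))
    print("substituted:", key_matches(SUBSTITUTED, PAPER_COPY))
```

A key whose modulus differs in a single bit produces an unrelated fingerprint, so the comparison fails for the substituted key even though its user ID and creation time could be made identical.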

  3. Anonymous

    Anonymous Guest

    but that's what I'm talking about. Unless you get some meta-organization
    involved, such as a government agency that can for sure verify your identity,
    there is no secure way to exchange public keys other than hand-to-hand.
    What if the government is corrupt and tries to do malicious things, what is
    there to stop it? I thought one of the great things about pgp was that it
    allows people to do their business in private without getting govt involved
    and that's why the FBI was getting so nervous.
     
    Anonymous, Sep 10, 2003
    #3
  4. Anonymous

    Jim Watt Guest

    yes. RTFM
     
    Jim Watt, Sep 10, 2003
    #4
  5. Anonymous

    Chopper Guest

    I'm not an affiliate of the publisher or author but there is some
    interesting discussion on this in a book called 'Secrets and Lies' by Bruce
    Schneier.
     
    Chopper, Sep 10, 2003
    #5

  6. As explained, it's not "easy" to do, but it's completely "secure" to
    hand deliver keys.

    There's no guarantee that ANY government or third party vendor isn't
    corrupt, ever. Therefore, the hand-delivering of PGP keys is 100%
    secure.

    I could go one step further and theorize that you are of course, like
    the millions of other inept computer users and want everything handed to
    you on a silver platter, one click away from a complete solution.

    There's no "holy grail" when it comes to security and privacy. It takes
    dedication and vigilance to achieve adequate protection.



     
    Colonel Flagg, Sep 10, 2003
    #6
  7. Colonel Flagg, Sep 10, 2003
    #7
  8. Anonymous

    [ Doc Jeff ] Guest

    security conscious person. :)
     
    [ Doc Jeff ], Sep 11, 2003
    #8

  9. oops, and as usual, I stopped mentally spell checking myself ;p




     
    Colonel Flagg, Sep 11, 2003
    #9
  10. I'm totally amazed here, after reading the thread that runs below this
    post. The entire lot of it is so much gobbledygook! None of you,
    apparently, were around in 1991 when Phil Zimmermann first released PGP V1.0,
    were you? I knew this would happen, though, once MIT and PGP Associates
    managed to steal Zimmermann's work right out from under him and flood the
    market with 'buggy' systems like from V5.5 on upward. And no, the last PGP
    version that's really worth a damn is Version 2.6rg, which I still use on
    those rare occasions my best buddy & I need to discuss things that no one
    else needs to know about. The only problem my buddy has with it is that it's
    a DOS version!! Yet even at that, he knows that our e-mails can't ever be
    'broken' and read by anyone but ourselves. Period.
    I knew when MIT got involved in the U.S. patent suits AGAINST Phil
    Zimmermann that PGP's future was doomed. And this NG is proving it! You
    people have no clue of HOW the software or the 'public-key' system even
    works!! The version I still use can produce Keys up to 4096-bit strength
    using a Windows 'front-end' that eases the interface, yet to this day cannot
    be 'broken' into by any computer system yet known. The proof of this is the
    fact that I still have a copy of the SOURCE CODE of this version so I can
    check it for "back doors", "traps", etc., that I believe will be found in
    literally every WINDOZE version of PGP! If you can't check (or have a
    programmer check) the source code of your version of PGP, then it's
    definitely not secure!!
    As for "What Good is PGP?", the answer is "totally secure e-mail." Then,
    not now, it seems.

    Wes Martin... PGP Key available upon request.
     
    Wesley C. Martin, Sep 14, 2003
    #10


  11. Sure, I was around. In the Navy using real Crypto.

    As for the rest of your drivel, you go on and on about how you're "old
    sk00l" and "been there, done that." However, you didn't even attempt to
    answer this person's question to any detail worth mentioning. Seems to
    me, "old sk00l" may need to learn how to help someone, or at least
    attempt to do so.

    Your "old sk00l" ass may now go sit in the corner and STFU.

    You do know what "STFU" is don't you? I doubt it's "old sk00l" but
    something tells me you may be smart enough to figure it out.




     
    Colonel Flagg, Sep 14, 2003
    #11
  12. Anonymous

    Jim Watt Guest

    Why? The responses are tailored to the level of the question;
    the merits of PGP are well known and discussed so why
    repeat them to everyone who discovers it.

    I was amused to be told by a snotty American child that
    I could not possibly be using PGP because it was not
    exported or computers in the sixties because they were
    not invented then.

    IMHO the main features of the system are that it's a well thought
    out implementation of crypto and it's there. Mostly I use it for
    authenticating plain text messages where it's needed, or
    for commercial messages of a nature that merit the effort.
     
    Jim Watt, Sep 14, 2003
    #12
  13. Anonymous

    Jim Watt Guest

    read the source code.
    but you are a waste of space.
     
    Jim Watt, Sep 27, 2003
    #13
  14. Anonymous

    mchiper Guest

    In alt.computer.security, Msg ID: <>
    Now I have to read the source code for an application
    That I get to provide me security..
    Before I can find out what it's doing...
    That will let (maybe you) mess with my security?

    I think YOU are a total waste of protein.
     
    mchiper, Sep 29, 2003
    #14