help

Asheesh Kwatra asheesh.kwatra@dcmtech.co.in
Mon Nov 19 12:27:01 2001


-----Original Message-----
From: gnupg-users-request@gnupg.org
[mailto:gnupg-users-request@gnupg.org]
Sent: Monday, November 19, 2001 4:36 PM
To: gnupg-users@gnupg.org
Subject: Gnupg-users digest, Vol 1 #399 - 14 msgs


Send Gnupg-users mailing list submissions to
	gnupg-users@gnupg.org

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.gnupg.org/mailman/listinfo/gnupg-users
or, via email, send a message with subject or body 'help' to
	gnupg-users-request@gnupg.org

You can reach the person managing the list at
	gnupg-users-admin@gnupg.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Gnupg-users digest..."


Today's Topics:

   1. Re: Frontends for Windows (Mark Brown)
   2. Re: Frontends for Windows (Andrew McDonald)
   3. Re: Frontends for Windows (Silviu Cojocaru)
   4. Re: Frontends for Windows (Ingo =?iso-8859-1?q?Kl=F6cker?=)
   5. Re: Frontends for Windows (Silviu Cojocaru)
   6. Re: Frontends for Windows (Justin R. Miller)
   7. Re: Frontends for Windows (Mark Brown)
   8. Re: Frontends for Windows (Alexander Skwar)
   9. Re: Frontends for Windows (Ingo =?iso-8859-15?q?Kl=F6cker?=)
  10. Re: Frontends for Windows (Ingo =?iso-8859-1?q?Kl=F6cker?=)
  11. Re: Frontends for Windows (Martin Christensen)
  12. Re: Frontends for Windows (Lars Hecking)
  13. Re: Frontends for Windows (Nick Andriash)
  14. Frontends for Windows (Roger Sondermann)

--__--__--

Message: 1
Date: Sun, 18 Nov 2001 16:46:56 +0000
From: Mark Brown <broonie@sirena.org.uk>
To: gnupg-users@gnupg.org
Subject: Re: Frontends for Windows

On Sun, Nov 18, 2001 at 04:18:27PM +0100, Arild Bjork wrote:

> After what I've picked up GPGshell doesn't do en-/decrypting. It's only an
> excellent user friendly shell for GPG that are doing the hard work. I
can't
> see you point.

A front end is perfectly placed to do data capture or change the
configuration of the encryption engine in an undesirable fashion -
passphrase capture, for example.

-- 
"You grabbed my hand and we fell into it, like a daydream - or a fever."


--__--__--

Message: 2
Date: Sun, 18 Nov 2001 16:47:38 +0000
From: Andrew McDonald <andrew@mcdonald.org.uk>
To: gnupg-users@gnupg.org
Subject: Re: Frontends for Windows

On Sun, Nov 18, 2001 at 04:15:51PM +0100, Arild Bjork wrote:
> 
> It's sad but there might be other excellent frontends out there.
> GnuPG developers are hiding their excistense, just because they don't
> conform with Free Software.

I can't see that anybody is hiding it. You are suggesting that the
GnuPG website advertises and promotes GPGShell. Clearly, being an
FSF/GNU project it isn't willing to do this because of GPGShell's
license.

-- 
Andrew McDonald
E-mail: andrew@mcdonald.org.uk
http://www.mcdonald.org.uk/andrew/


--__--__--

Message: 3
Date: Sun, 18 Nov 2001 19:08:32 +0200
From: Silviu Cojocaru <silviucj@yahoo.com>
Organization: E-mailaholics International
To: gnupg-users@gnupg.org
Subject: Re: Frontends for Windows

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sunday, November 18, 2001 at 7:06:03 PM ,
Ingo Kl=F6cker wrote the following
on the "Frontends for Windows" thread:

IK> Does it ask you for your passphrase=3F

IK> As I don't know this program I really don't know the answer to this
IK> question. But if the answer is yes then how can you be sure the program
IK> doesn't leak the passphrase somehow, be it intentional (because of
IK> malicious code) or unintentional (because of buggy code).

How can you be sure that the front end is really the *only* to
get your password anyway =3F

It as the same chance as any other soft to catch it. Input can
be captured in multiple way,the front end does not need to leak,
I don't see this as an issue.

- --
Beware of anti-viruses, viruses are less harmful!
______________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (MingW32)
Comment: Member of the PGP-Basics, Encryption Help Team

iD8DBQE79+sS8WBGNj3ut+0RAuL2AJ9rkzA3rUvimNNmTVD2k/Wm4JvreQCeKImY
E9RACVKPnRVy+HyI9VD4UHg=3D
=3DkNzi
-----END PGP SIGNATURE-----



--__--__--

Message: 4
From: Ingo =?iso-8859-1?q?Kl=F6cker?= <ingo.kloecker@epost.de>
To: gnupg-users@gnupg.org
Subject: Re: Frontends for Windows
Date: Sun, 18 Nov 2001 20:06:19 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 18 November 2001 18:08, Silviu Cojocaru wrote:
> Sunday, November 18, 2001 at 7:06:03 PM ,
> Ingo Kl=F6cker wrote the following
> on the "Frontends for Windows" thread:
>
> IK> Does it ask you for your passphrase?
>
> IK> As I don't know this program I really don't know the answer to
> this IK> question. But if the answer is yes then how can you be sure
> the program IK> doesn't leak the passphrase somehow, be it
> intentional (because of IK> malicious code) or unintentional (because
> of buggy code).
>
> How can you be sure that the front end is really the *only* to
> get your password anyway ?
>
> It as the same chance as any other soft to catch it. Input can
> be captured in multiple way,the front end does not need to leak,
> I don't see this as an issue.

Maybe you should.

Of course there are many ways to catch a passphrase (on Windows systems=20
it's probably much easier than on Unix systems). But why shouldn't I=20
try to minimize the risk by not using any software which I can't check=20
due to the lack of it's source code?

BTW, I doubt that GPGshell is a trojan horse. But unfortunately I can't=20
be sure and that's why I would never use it.

Regards,
Ingo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7+AayGnR+RTDgudgRAnzNAKCF5P+eeqCBiLPVh5yCLv+wBvqKZACeJZHM
vNavfeqIxnPj+cfY6xs/uks=3D
=3D7I55
-----END PGP SIGNATURE-----


--__--__--

Message: 5
Date: Sun, 18 Nov 2001 22:00:25 +0200
From: Silviu Cojocaru <silviucj@yahoo.com>
Organization: E-mailaholics International
To: gnupg-users@gnupg.org
Subject: Re: Frontends for Windows

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sunday, November 18, 2001 at 9:57:00 PM ,
Ingo Kl=F6cker wrote the following
on the "Frontends for Windows" thread:

IK> BTW, I doubt that GPGshell is a trojan horse. But unfortunately I can't
IK> be sure and that's why I would never use it.

Ok, this got interesting, now how do you think GPGShell would
transmit the "captured" data on a system uses dial-up and it is
*I* that controls when a connection is made and what software is
allowed or not to connect to the outside =3F

Try limiting the answer to non Sci-Fi scenarios...

- --
We care a lot about the Garbage Pail Kids, they never lie...
______________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (MingW32)
Comment: Member of the PGP-Basics, Encryption Help Team

iD8DBQE7+BNb8WBGNj3ut+0RAjK5AJ4pdZ+NVOpfOUJI1qpp8xhzTuO0nwCgjo2i
DKaPbbZWzkbbWcz0I8p9yf8=3D
=3DSpI7
-----END PGP SIGNATURE-----



--__--__--

Message: 6
Date: Sun, 18 Nov 2001 16:13:30 -0500
From: "Justin R. Miller" <incanus@codesorcery.net>
To: gnupg-users@gnupg.org
Subject: Re: Frontends for Windows


--Fba/0zbH8Xs+Fj9o
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Thus spake Silviu Cojocaru (silviucj@yahoo.com):

> Ok, this got interesting, now how do you think GPGShell would transmit
> the "captured" data on a system uses dial-up and it is *I* that
> controls when a connection is made and what software is allowed or not
> to connect to the outside ?

1. it copies your passphrase to a file somewhere on the hard disk
2. it attaches some version of your passphrase to outgoing mail for
later
3. it copies your passphrase to non-secure swapped memory

Besides, the possibilities and potential of the program aren't the
point.  The point is that this list and project are for advertising free
software as defined at www.gnu.org.  End of story.  Your own list could
certainly have many discussions about non-free software.=20

--=20
Justin R. Miller <incanus@codesorcery.net>
PGP/GnuPG Key ID 0xC9C40C31 (preferred)

--Fba/0zbH8Xs+Fj9o
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7+CR694d6K8nEDDERAo1xAJ98O6xfxJKhXX62r/KffkIxTFj9FACgiRpT
3n1ZiKxubs1TDQ66wXNZdKY=
=Y4Jo
-----END PGP SIGNATURE-----

--Fba/0zbH8Xs+Fj9o--


--__--__--

Message: 7
Date: Sun, 18 Nov 2001 21:48:59 +0000
From: Mark Brown <broonie@sirena.org.uk>
To: gnupg-users@gnupg.org
Subject: Re: Frontends for Windows

On Sun, Nov 18, 2001 at 10:00:25PM +0200, Silviu Cojocaru wrote:

> Ok, this got interesting, now how do you think GPGShell would
> transmit the "captured" data on a system uses dial-up and it is
> *I* that controls when a connection is made and what software is
> allowed or not to connect to the outside ?

"Oh, the network connection's come up - time to send those passphrases
and secret keys I've collected.".  People may seem like they are being
extremely paranoid, but that kind of goes with the territory.

-- 
"You grabbed my hand and we fell into it, like a daydream - or a fever."


--__--__--

Message: 8
Date: Sun, 18 Nov 2001 22:57:20 +0100
From: Alexander Skwar <ASkwar@DigitalProjects.com>
To: Arild Bjork <arild@bjork.nu>
Cc: Florian Weimer <fw@deneb.enyo.de>,
	Arild Bjork <abjork@email.com>, gnupg-users@gnupg.org
Subject: Re: Frontends for Windows

So sprach =BBArild Bjork=AB am 2001-11-18 um 16:15:51 +0100 :
> speech. People that would like to be able to communicate securily can't,
> because the software is to difficult to handle.

Now, come on!  In how far is WinPT any more difficult to handle than
PGP?

Alexander Skwar
--=20
How to quote:	http://learn.to/quote (german) http://quote.6x.to (english)
Homepage:	http://www.iso-top.de      |     Jabber: askwar@charente.de
   iso-top.de - Die g=FCnstige Art an Linux Distributionen zu kommen
		Uptime: 2 days 1 hour 48 minutes


--__--__--

Message: 9
From: Ingo =?iso-8859-15?q?Kl=F6cker?= <ingo.kloecker@epost.de>
To: gnupg-users@gnupg.org
Subject: Re: Frontends for Windows
Date: Sun, 18 Nov 2001 23:22:21 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 18 November 2001 21:31, Lionel Elie Mamane wrote:
> On Sun, Nov 18, 2001 at 05:31:39PM +0100, Ingo Kl=F6cker wrote:
> > It almost certainly uses non-free Windows libraries. Maybe he
> > couldn't publish his software under the GPL for this reason.
>
> No, the GPL permits linking against non-free system libraries.

Thanks for clearing this up, Lionel!

Regards,
Ingo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7+DSdGnR+RTDgudgRAhOPAKCrsRqcBAguf309OAfDMudUVfhBIwCbBntn
lv4OMMpo76lCUubQS9rNVdQ=3D
=3D21Tr
-----END PGP SIGNATURE-----


--__--__--

Message: 10
From: Ingo =?iso-8859-1?q?Kl=F6cker?= <ingo.kloecker@epost.de>
To: gnupg-users@gnupg.org
Subject: Re: Frontends for Windows
Date: Sun, 18 Nov 2001 23:21:00 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 18 November 2001 21:00, Silviu Cojocaru wrote:
> Sunday, November 18, 2001 at 9:57:00 PM ,
> Ingo Kl=F6cker wrote the following
> on the "Frontends for Windows" thread:
>
> IK> BTW, I doubt that GPGshell is a trojan horse. But unfortunately I
> can't IK> be sure and that's why I would never use it.
>
> Ok, this got interesting, now how do you think GPGShell would
> transmit the "captured" data on a system uses dial-up and it is
> *I* that controls when a connection is made and what software is
> allowed or not to connect to the outside ?
>
> Try limiting the answer to non Sci-Fi scenarios...

If it's possible to upload/search/download keys to/on/from keyservers=20
with GPGshell (a good shell IMO should provide this functionality) then=20
this program must be able to make connections and exchange data with=20
other servers.

Regards,
Ingo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7+DRMGnR+RTDgudgRAtWqAJ4wJQy85umkdhsT1jpiyDxyrWnTrwCggnNP
cQvilw9UekmAu8JC1XnY1zo=3D
=3DV+Bu
-----END PGP SIGNATURE-----


--__--__--

Message: 11
To: gnupg-users@gnupg.org
Subject: Re: Frontends for Windows
From: Martin Christensen <factotum@gvdnet.dk>
Date: Mon, 19 Nov 2001 00:00:32 +0100

--=-=-=
Content-Transfer-Encoding: quoted-printable

>>>>> "Silviu" =3D=3D Silviu Cojocaru <silviucj@yahoo.com> writes:
Silviu> Ok, this got interesting, now how do you think GPGShell would
Silviu> transmit the "captured" data on a system uses dial-up and it
Silviu> is *I* that controls when a connection is made and what
Silviu> software is allowed or not to connect to the outside ?
Silviu> Try limiting the answer to non Sci-Fi scenarios...

How do you think the original Unix guys managed to keep a backdoor
hidden in their OS for many, many years? Sure, the backdoor was there
to ease remote system administration (tech support, actually), but
intentions are irrelevant. The source was available, so they couldn't
hide it there. That meant that they had to hide it in the C
compiler. However, the source for the C compiler was also available
for anyone to scrutinise, so they couldn't hide it there, either. What
they did was make the C compiler aware not only of when it was
compiling the Unix sources, but when it was compiling itself, such
that the mechanism for building the backdoor in Unix was hidden and
would never be seen as source, even though everything was wide open.

There's your sci-fi in real history, and that's almost thirty years
ago.

Windows has a pretty uniform base system. Detecting when it's on-line
is trivial. Making a binary executable self-modifying such that it'll
only send a key and passphrase once (to avoid suspicion) is not
trivial, but it's not exactly difficult either. Just one boolean value
needs to be changed.

I agree with you that there are probably no backdoors in GPGShell, but
trust is much more easily given to things that anybody can verify, and
if the author gives us the source to his programme, then we can see
for ourselves that it's safe. We could, of course, also choose to
trust the author, just as we could choose to trust my ISP, your ISP,
our respective goverments, foreign governments, corporate
organisations with prying eyes and alround nasty individuals to not
spy on us. There's very little chance that anyone will have a
particular interest in keeping an eye on any particular one of us on
this list, but that's not the point. The point is that many want to
protect their privacy, and that's typically not acheived by trusting
anybody and everybody.

Martin

=2D-=20
Homepage:       http://www.cs.auc.dk/~factotum/
GPG public key: http://www.cs.auc.dk/~factotum/gpgkey.txt

--=-=-=
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjv4PZsACgkQYu1fMmOQldXL5ACgup0pdNihhss4eg+FwRyMvKFz
xWcAoKjt6ICHtNsMSR4NIaIEzOalMt4p
=j83H
-----END PGP SIGNATURE-----
--=-=-=--


--__--__--

Message: 12
Date: Mon, 19 Nov 2001 03:47:38 +0000
From: Lars Hecking <lhecking@nmrc.ie>
To: gnupg-users@gnupg.org
Subject: Re: Frontends for Windows

Arild Bjork writes:
> 
> Windows is _the_ platform which are used by most of us, and if GnuPG is

 I'm so sorry for all of you. I wish you a nice XPerience.

Ingo Klöcker writes:
> Do you really think M$ would prohibit programmers from publishing their 
> source code just because it's written in Visual Basic?

 Maybe they do. M$ are free to pull all kinds of crap stunts because nobody
 ever reads the small print (or EULA). Software manufacturers seem to enjoy
 all kinds of freedom because Industry Standard warranty regulations to not
 appear to apply to them.

> > In the end it should be my choice to make in other words: I will have

 Absolutely. You have chosen, and you chose Windoze. Good luck, and good
 bye.



--__--__--

Message: 13
Date: Sun, 18 Nov 2001 22:04:05 -0800
From: Nick Andriash <andriash@home.com>
To: GnuPG Users <gnupg-users@gnupg.org>
Subject: Re: Frontends for Windows

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Lars Hecking,

On Sunday, November 18 2001 at 07:47 PM PDT, you wrote:

> Absolutely. You have chosen, and you chose Windoze. Good luck, and
> good bye.

Now what on earth is that supposed to mean? Give me a break!


- -- 
Nick

   -=N.J. Andriash | Courtenay, B.C. Canada=-
Win 98SE | GnuPG v1.06 (MingW32) | Becky v2.00.07
___________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (MingW32) - GPGshell v2.10b18
Comment: Join PGP-Basics: PGP-Basics-subscribe@yahoogroups.com

iD8DBQE7+KDKxQKEdHuj/c4RAth1AJ9Z0/7NEtCteFqHU2LfQE7/r9NA9QCg6+Fw
FQyjdcKkknp4GEyuyDS4pNs=
=58am
-----END PGP SIGNATURE-----



--__--__--

Message: 14
From: "Roger Sondermann" <mail@jumaros.de>
Organization: =?ISO-8859-1?Q?-_ooo_--_=EA=BF=EA_--_ooo_-?=
To: gnupg-users@gnupg.org
Date: Mon, 19 Nov 2001 08:15:33 +0100
Subject: Frontends for Windows

At 18 Nov 2001, 23:40, Ingo Kl=F6cker wrote:

> ...
> 
> If it's possible to upload/search/download keys to/on/from
> keyservers with GPGshell (a good shell IMO should provide this
> functionality) then this program must be able to make connections
> and exchange data with other servers.

This comment is really interesting.

Instead of starting rumours here you should at least try to get the 
basic knowledge about the thing you're talking. The only application 
that connects to the internet when sending or getting keys with 
GPGshell is gpg.exe. This is very easy to detect (if you really 
want).

So you either have no idea what you're talking about or you try to 
spread wrong information. Does your definition of "free" eliminate 
basics like fairness?

:-(

-- 
Roger Sondermann




--__--__--

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


End of Gnupg-users Digest