Point of view regarding LISA 2002

Anthony E. Greene agreene@pobox.com
Tue Oct 1 19:30:01 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01-Oct-2002/18:11 +0200, markus_kampkoetter <markus_kampkoetter@t-online.de> wrote:
>Michael Tokarev schrieb:
>> Adam Shostack wrote:
>> []
>> > Now, are these GPG's fault?  In most cases, no, they're not.  But
>> > they're problems that we need to address to get say, 10% of the email
>> > on the net to be encrypted.  And if that's a goal, then we need to
>> > examine the things that are preventing us from hitting it.
>>
>> Yeah - learn users to encrypt their emails and there will be
>> many problems with viruses who will try to use encryption too
>> thus making it impossible to detect in-transit...  Oh well... ;)
>>
>> /mjt
>I do not agree with you. at least you will know for sure who sent the
>virus to you ;))) and worms cannot use cryptotechnology easily.
>(one day later)
>or can they? is it possible to write a script that automatically encrypts
>to all the keys on one's keyring and sends itself to the corresponding
>addresses? even if, it never will be able to sign.

How about a worm that does this when run:

 1. Read the userids of the keys on the public keyring. Make note
    of the userid of the first key.

 2. Create a separate secring and pubring using the userid from the
    first key on the original public keyring.

 3. Upload this key to multiple keyservers.

 4. Send itself as an encrypted attachment to each recipient on the
    original pubring. Sign the message with the newly created key.

If the recipient is configured to automatically fetch keys as needed, and
is reading mail online, they may not realize that the key used to verify
the sig was just fetched. People generally do not pay that much attention
to key IDs. Even if they notice the fetching operation, they might not
think that it was significant. The attachment would look legitimate and the
recipient might run the executable, thinking that it is safe because it
was signed and encrypted from someone they know.


Tony
- -- 
Anthony E. Greene <mailto:agreene@pobox.com>
OpenPGP Key: 0x6C94239D/7B3D BD7D 7D91 1B44 BA26  C484 A42A 60DD 6C94 239D
AOL/Yahoo Chat: TonyG05      HomePage: <http://www.pobox.com/~agreene/>
Linux: the choice of a GNU Generation. <http://www.linux.org/>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Anthony E. Greene 0x6C94239D <agreene@pobox.com>

iD8DBQE9mdvMpCpg3WyUI50RAomAAJ0YcCADCxn+7fuYu4UXnS48H1NejQCfW+sF
WtRsBKZ7p56LZeZlXHDuvhc=
=48of
-----END PGP SIGNATURE-----
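
A defender-side check for the scenario in the message above, added here as an example and not part of the original post: it reads `gpg --with-colons --list-keys` output and reports any user ID that is carried by more than one key, which is what a keyring looks like after a look-alike key has been fetched. The sample listing, key IDs and names are constructed, and the function names are hypothetical.

```python
"""Flag user IDs that appear on more than one key in a GnuPG keyring."""
from collections import defaultdict

# Constructed sample of `gpg --with-colons --list-keys` output; key IDs,
# names and dates are made up. The last key reuses Alice's user ID.
SAMPLE = """\
pub:f:1024:17:1111111111111111:2001-03-04:::-:Alice Example <alice@example.org>::scESC:
sub:f:1024:16:2222222222222222:2001-03-04::::::e:
pub:f:1024:17:3333333333333333:2001-06-10:::-:Bob Example <bob@example.org>::scESC:
uid:f::::::::Bob Example <bob@example.net>:
pub:-:1024:17:4444444444444444:2002-10-01:::-:Alice Example <alice@example.org>::scESC:
"""

def keys_by_userid(colon_listing):
    """Map each user ID to the list of (key ID, creation date) carrying it."""
    owners = defaultdict(list)
    current = None
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 5:
            current = (f[4], f[5])
        # GnuPG 1.x puts the primary user ID on the pub record (field 10);
        # additional ones (and all of them in 2.x) are on uid records.
        if f[0] in ("pub", "uid") and len(f) > 9 and f[9] and current:
            if current not in owners[f[9]]:
                owners[f[9]].append(current)
    return owners

def duplicated_userids(colon_listing):
    """Return {user ID: keys} for user IDs claimed by two or more keys."""
    return {uid: keys for uid, keys in keys_by_userid(colon_listing).items()
            if len(keys) > 1}

if __name__ == "__main__":
    for uid, keys in duplicated_userids(SAMPLE).items():
        print("user ID on several keys:", uid)
        for keyid, created in sorted(keys, key=lambda k: k[1]):
            print("   ", keyid, "created", created)
```

A user ID shared by two keys is not proof of forgery (people do replace keys), but a signature that verifies only against the newer one is the case to confirm by fingerprint through another channel before trusting an attachment.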