Henry Hertz Hobbit hhhobbit at securemecca.net
Tue May 22 20:17:52 CEST 2007

Zeljko Vrba <zvrba at globalnet.hr> writes:

> "Jim Berland" <berland at gmail.com> writes:
>> There are other flaws in the computer system that would have
>> to be addressed (a secretary has root access to the server to
>> let her start the daily backup process after work), but I'm
>> not in charge of that.
> Huh?  That requires only a single suid-root command.

You said "root" so I assume Unix.  Better yet, that requires
nobody at all unless you need somebody to change the media.
Just use cron to do automated backups.  For Fedora / RedHat /
OpenSuse / Novell the default crond chkconfig setting enables
it (I can't speak for other versions of Linux or Macs):

crond  0:off   1:off   2:on    3:on    4:on    5:on    6:off

On older style Unix systems, they MUST have cron running.  That is
what is used to trim the logs, etc.  For MS Windows you also have
software to do backups for you in an automated fashion.  Your
"not in charge" makes me worry about the politics of what you are

>> Since I'm going through the trouble of setting everything up and
>> teaching our employees, though, it would be great to also use GPG
>> with business partners. I don't think it's really going to happen,
>> but
> If you want secure communication with your partners, you might
> have better luck with X.509 certificates.  They "just work"
> under windows.  The only needed initial setup is import of the
> root certificate.  Free certificates are available from
> www.cacert.org ...

All of the things Zeljko said here (why repeat it?) are true. More
to the point, X.509 are what most other MS Windows oriented companies
will be using. They may not be using the free certificates though.
Everybody I have heard wants a middle company doing some sort of
investigation of both parties. It gives them that warm fuzzy feeling.
It's not that the companies don't trust the OpenPGP WOT model;
they don't even know about it. There are cases where other
companies will specify OpenPGP, and there is one case in the
GnuPG archives for you to look at.  The posters were using a Sun
Solaris system on their end but I can't remember what the people
on the other end were using other than it was also a Unix system.

Look around your shop.  If it is almost all Microsoft Windows then
lean towards X.509.  If it is all Linux, then lean towards OpenPGP.

But when it comes to other companies other than your own, ASK
THEM.  Ask all the other companies you deal with what they want
you to use.  Zimmerman made the statement to the effect that it
isn't so much "big brother" that will be doing the spying as it
is other companies that will be spying on your company to gain
a competitive advantage.  You have already alluded to the loss
of confidential information. In other words, you need SOME sort
of encryption.  But more to the point, you need the blessing of
those that are in charge to implement it, at least on a trial
basis in those areas where your company is having problems.
Since you have already had cases of stolen information, that
should be an easy sell.  But sometimes it isn't.  There an awful
lot of Paris Hilton's out there (people that don't secure their
data). Worse, they don't see any reason for securing their data


More information about the Gnupg-users mailing list