Anyone know what became of the Gaim-E Project?

Robert J. Hansen rjh at
Mon Nov 3 18:34:50 CET 2008

> Where I have a difference is in the I love you example. Clearly you  
> could send the unsealed data (plaintext, whatever) to someone else  
> and end up in trouble, but the reasonable thing to do would be to  
> send the document sealed by the original sender, as you received it,  
> same as when you forward an e-mail the headers are on top indicating  
> it does not come from you, so the example is, I think, a bit  
> contrived and inapplicable.

To turn the "I love you" example into an attack, consider this: Alice  
sends Bob a message saying "Remember, you need to deliver the product  
at midnight."  Bob, who doesn't want responsibility for delivering the  
product, cuts-and-pastes Alice's message and sends it on to Charlie,  
forging it as being from Alice.  Charlie receives a message that seems  
to be from Alice, has a meaningful message, and has a valid signature  
from a trusted key.  Charlie delivers the product at midnight.  The  
next day Alice sees the product was delivered, and sends Bob a message  
saying "thank you for delivering the product, the check is in the mail."

Presto, Bob gets paid for Charlie's work.

Yes, attacks like these have been spotted in the wild.  Schneier's  
blog covered one of them recently, an outfit that used attacks like  
these in connection with long distance trucking companies.   
Fascinating work, really.

More information about the Gnupg-users mailing list