Anyone know what became of the Gaim-E Project?
Robert J. Hansen
rjh at sixdemonbag.org
Mon Nov 3 18:34:50 CET 2008
> Where I have a difference is in the I love you example. Clearly you
> could send the unsealed data (plaintext, whatever) to someone else
> and end up in trouble, but the reasonable thing to do would be to
> send the document sealed by the original sender, as you received it,
> same as when you forward an e-mail the headers are on top indicating
> it does not come from you, so the example is, I think, a bit
> contrived and inapplicable.
To turn the "I love you" example into an attack, consider this: Alice
sends Bob a message saying "Remember, you need to deliver the product
at midnight." Bob, who doesn't want responsibility for delivering the
product, cuts-and-pastes Alice's message and sends it on to Charlie,
forging it as being from Alice. Charlie receives a message that seems
to be from Alice, has a meaningful message, and has a valid signature
from a trusted key. Charlie delivers the product at midnight. The
next day Alice sees the product was delivered, and sends Bob a message
saying "thank you for delivering the product, the check is in the mail."
Presto, Bob gets paid for Charlie's work.
Yes, attacks like these have been spotted in the wild. Schneier's
blog covered one of them recently, an outfit that used attacks like
these in connection with long distance trucking companies.
Fascinating work, really.
More information about the Gnupg-users