From: Jerry Kreps Date: Sun, 3 Dec 2000 08:21:27 -0600 Message-Id: <00120308212700.25314@JLKreps> Subject: Re: [SLE] A very interesting paper by Ken Thompson.. On Sunday 03 December 2000 08:01, zentara wrote:

Jerry Kreps wrote:

...

http://www.acm.org/classics/sep95/

"Moral

detect. A well installed microcode bug will be almost impossible to detect. "

Watch out, they will be recruiting you at the NSA to work on C compilers.

Not me! I'm an old windows programmer.... I'm still learning C++ 8>) <p><p> -- Scientific theories, according to Sir Karl Popper, can be "falsified," or proven wrong, by experiment. Unscientific theories -Marxist dialectical history and Freudian psychology were Popper's favorites- are formed in such a way that they cannot be falsified by data.

Message-ID: <3A2C0E6D.127F97A9@gypsyfarm.com> Date: Mon, 04 Dec 2000 16:36:45 -0500 From: zentara Subject: Re: [SLE] A very interesting paper by Ken Thompson.. peter hollings wrote:

Yes, the NSA is a possibility, but I'd be more concerned about the ill effects on society that could be brought about via a widely distributed, closed, proprietary system such as Windows. It's another reason for using Linux.

I'm an old windows basher, but as the article stated, no OS is immune to the microcode attack. I was discussing a while back whether pgp and other encryption programs had "backdoors" in them, the answer was "if it exists, it's in our c compilers", controlled by very high level people. I have a paranoid streak. :-)

...

peter hollings wrote:

...

Yes, the NSA is a possibility, but I'd be more concerned about the ill effects on society that could be brought about via a widely distributed, closed, proprietary system such as Windows. It's another reason for using Linux.

I'm an old windows basher, but as the article stated, no OS is immune to the microcode attack. I was discussing a while back whether pgp and other encryption programs had "backdoors" in them, the answer was "if it exists, it's in our c compilers", controlled by very high level people. I have a paranoid streak. :-)

It's not paranoia if it true, and with regards to pgp it is true. The NSA backdoor to version 6.x of pgp (I don't remember if 5.x has the backdoor) is verified. That is why there was a recent mass movement from pgp to gpg

-- Scientific theories, according to Sir Karl Popper, can be "falsified," or

Message-ID: <00f001c05ec3$f3fdbce0$0f601f18@atl.mediaone.net> From: "peter hollings" Date: Tue, 5 Dec 2000 09:02:05 -0500 Subject: Re: [SLE] A very interesting paper by Ken Thompson.. It's interesting (from a civil liberties perspective) that there is a backdoor into PGP. Can you tell me more? How did this come about? Was it publicized? Does encryption technology without backdoors exist? If so, how can we be sure? Also, of potential interest is the FBI's "Carnivore" system. Carnivore basically automates the surveillance process on the Internet. If one combines backdoors with surveillance, one has quite a capability. For a recent study on Carnivore see: http://www.usdoj.gov/jmd/publications/carniv_entry.htm . For SuSE this may be off-topic. If we hear any objection, I propose that we move it off the list. Regards, Peter Hollings <p>----- Original Message ----- From: "Jerry Kreps" To: "zentara" ; "peter hollings" Cc: ; ; "suse-linux-e" Sent: Monday, December 04, 2000 5:28 PM Subject: Re: [SLE] A very interesting paper by Ken Thompson.. <p>> On Monday 04 December 2000 15:36, zentara wrote: proven wrong, by experiment.

Unscientific theories -Marxist dialectical history and Freudian psychology were Popper's favorites- are formed in such a way that they cannot be falsified by data.

-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/support/faq

Message-ID: <3A2D0198.42FD91A4@gypsyfarm.com> Date: Tue, 05 Dec 2000 09:54:16 -0500 From: zentara Subject: Re: [SLE] A very interesting paper by Ken Thompson.. peter hollings wrote:

It's interesting (from a civil liberties perspective) that there is a backdoor into PGP. Can you tell me more? How did this come about? Was it publicized? Does encryption technology without backdoors exist? If so, how can we be sure?

Also, of potential interest is the FBI's "Carnivore" system. Carnivore basically automates the surveillance process on the Internet. If one combines backdoors with surveillance, one has quite a capability. For a recent study on Carnivore see: http://www.usdoj.gov/jmd/publications/carniv_entry.htm .

For SuSE this may be off-topic. If we hear any objection, I propose that we move it off the list.

Well the security of linux c compilers and assemblers should be of interest to the list, and every linux user. That said, the general wisdom is that if it goes out on the net, it can eventually be part of the public record, whether you encrypt it or not. Encryption is only part of the security picture. If you do a web search for "Tempest", you will find what standards the government requires of it's "secret computers". You will learn that each computer is basically a miniature transmitter, sending out a weak signal, of everything occuring inside of it. The Tempest standards require "Faraday Cages" around sensitive computers, which block electromagnetic radiatition from penetrating it. This basically is a very fine wire mesh, or solid metal cage, which is grounded. I have heard, but cannot state as fact, that it is illegal in the US to have a computer in a Faraday Cage. That tells you that the "big brother element" in the Government are using these techniques to spy on those they choose to monitor. So even if you encrypt, your secret passphrase can be detected by equipment in a nearby location, like a parked van. This is highly sophisticated, and it is more likely that government's (and private detectives) use simple "computer bugs" which transmit your keystrokes to a recorder. These computer bugs are in the early stages, like audio bugs were in the 50's. But you can be sure they exist, and it probably won't be long before hobbbyist magazines start advertising them. The will get around privacy laws by advertising them as a way to monitor your "children's computer usage". They probably will end up in those little sealed plastic power cubes that power modems and audio speakers. But they may end up in video cards, broadcasting an exact replica of your monitor. That said, the question is how much should we worry about encryption security? Knowledgable people can get your secret key and password, with a little effort. To be really secure, you can't use any technology. But if you just want to hide data from a competitor, (or wife), then encryption is still useful. It will be a useful tool in online voting, e-commerce, etc. But it is not secure for secret messaging unless you apply some various serious measures. The paper by Ken Thompson just gives a glimpse into how a dedicated team of programmers can infiltrate your security, hiding it from you even if you look at every line of source code in your machine. It is no surprise that the Chineese government refused Bill Gate's attempt to push Windows into China. They are not dumb.

From: Jerry Kreps Date: Tue, 5 Dec 2000 17:39:37 -0600 Message-Id: <0012051739370F.03376@JLKreps> Subject: Re: [SLE] A very interesting paper by Ken Thompson.. I don't know if my email from work made it through the firewall so I am resending the source for the pgp backdoor. http://www.cert.org/advisories/CA-2000-18.html JLK <p>On Tuesday 05 December 2000 08:02, peter hollings wrote:

It's interesting (from a civil liberties perspective) that there is a backdoor into PGP. Can you tell me more? How did this come about? Was it publicized? Does encryption technology without backdoors exist? If so, how can we be sure?

Also, of potential interest is the FBI's "Carnivore" system. Carnivore basically automates the surveillance process on the Internet. If one combines backdoors with surveillance, one has quite a capability. For a recent study on Carnivore see: http://www.usdoj.gov/jmd/publications/carniv_entry.htm .

For SuSE this may be off-topic. If we hear any objection, I propose that we move it off the list.

Regards,

Peter Hollings

----- Original Message ----- From: "Jerry Kreps" To: "zentara" ; "peter hollings" Cc: ; ; "suse-linux-e" Sent: Monday, December 04, 2000 5:28 PM Subject: Re: [SLE] A very interesting paper by Ken Thompson..

...

On Monday 04 December 2000 15:36, zentara wrote:

...

peter hollings wrote:

...

Yes, the NSA is a possibility, but I'd be more concerned about the ill effects on society that could be brought about via a widely distributed, closed, proprietary system such as Windows. It's another reason for using Linux.

I'm an old windows basher, but as the article stated, no OS is immune to the microcode attack. I was discussing a while back whether pgp and other encryption programs had "backdoors" in them, the answer was "if it exists, it's in our c compilers", controlled by very high level people. I have a paranoid streak. :-)

It's not paranoia if it true, and with regards to pgp it is true. The NSA backdoor to version 6.x of pgp (I don't remember if 5.x has the backdoor) is verified. That is why there was a recent mass movement from pgp to gpg

-- Scientific theories, according to Sir Karl Popper, can be "falsified," or

proven wrong, by experiment.

...

Unscientific theories -Marxist dialectical history and Freudian psychology

were Popper's favorites-

...

are formed in such a way that they cannot be falsified by data.

-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/support/faq

-- Scientific theories, according to Sir Karl Popper, can be "falsified," or proven wrong, by experiment. Unscientific theories -Marxist dialectical history and Freudian psychology were Popper's favorites- are formed in such a way that they cannot be falsified by data.

Date: Wed, 6 Dec 2000 14:17:05 -0600 (CST) From: Michael Message-ID: Subject: Re: [SLE] A very interesting paper by Ken Thompson.. Never trust anything that isn't opensource. Learn to code at least enough to look for obvious holes. Is the only way to be safe. :) *^*^*^* Have the courage to take your own thoughts seriously, for they will shape you. -- Albert Einstein On Wed, 6 Dec 2000, Cliff Sarginson wrote:

On Wednesday 06 December 2000 00:39, Jerry Kreps wrote:

...

I don't know if my email from work made it through the firewall so I am resending the source for the pgp backdoor.

http://www.cert.org/advisories/CA-2000-18.html

JLK

On Tuesday 05 December 2000 08:02, peter hollings wrote:

...

It's interesting (from a civil liberties perspective) that there is a backdoor into PGP. Can you tell me more? How did this come about? Was it publicized? Does encryption technology without backdoors exist? If so, how can we be sure?

Also, of potential interest is the FBI's "Carnivore" system. Carnivore basically automates the surveillance process on the Internet. If one combines backdoors with surveillance, one has quite a capability. For a recent study on Carnivore see: http://www.usdoj.gov/jmd/publications/carniv_entry.htm .

For SuSE this may be off-topic. If we hear any objection, I propose that we move it off the list.

I would think anyone on this list concerned with security would be well advised to take an interest in this !

(just when you thought it was safe to go into the water...)

Cliff

...

...

Regards,

Peter Hollings

----- Original Message ----- From: "Jerry Kreps" To: "zentara" ; "peter hollings" Cc: ; ; "suse-linux-e" Sent: Monday, December 04, 2000 5:28 PM Subject: Re: [SLE] A very interesting paper by Ken Thompson..

...

On Monday 04 December 2000 15:36, zentara wrote:

...

peter hollings wrote:

...

Yes, the NSA is a possibility, but I'd be more concerned about the ill effects on society that could be brought about via a widely distributed, closed, proprietary system such as Windows. It's another reason for using Linux.

I'm an old windows basher, but as the article stated, no OS is immune to the microcode attack. I was discussing a while back whether pgp and other encryption programs had "backdoors" in them, the answer was "if it exists, it's in our c compilers", controlled by very high level people. I have a paranoid streak. :-)

It's not paranoia if it true, and with regards to pgp it is true. The NSA backdoor to version 6.x of pgp (I don't remember if 5.x has the backdoor) is verified. That is why there was a recent mass movement from pgp to gpg

-- Scientific theories, according to Sir Karl Popper, can be "falsified," or

proven wrong, by experiment.

...

Unscientific theories -Marxist dialectical history and Freudian psychology

were Popper's favorites-

...

are formed in such a way that they cannot be falsified by data.

-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/support/faq

-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/support/faq

Date: Thu, 7 Dec 2000 00:40:09 +0100 From: Cliff Sarginson Message-ID: <20001207004009.B5779@buffy.local> Subject: Re: [SLE] A very interesting paper by Ken Thompson.. On Wed, Dec 06, 2000 at 04:56:57PM -0600, Jerry Kreps wrote:

On Wednesday 06 December 2000 14:17, Michael wrote:

...

Never trust anything that isn't opensource. Learn to code at least enough to look for obvious holes. Is the only way to be safe. :)

Mmm. I hate to say this but a little bit of C coding is not going to teach you enough to find holes in a program of even moderate complexity, let alone in a compiler or complex network program. For encryption programs a pretty deep knowledge of algorithms and mathematics may also be required. Futhermore to understand the output of the compiler code generator you will need to be a red-hot assembly language programmer. And even then it would be a nightmare in optimised code. The point about open-source is that you can compile it yourself, so you are not accepting blindly a binary file from somewhere. You have to trust the origin of the source of course. Cliff

Not true! Take the gcc compiler, for example. How do you compile your compiler without using your compiler? Unless you hand assemble assembler code from keystrokes, you are using something that could have embedded microcode in it. JLK

...

*^*^*^* Have the courage to take your own thoughts seriously, for they will shape you. -- Albert Einstein

On Wed, 6 Dec 2000, Cliff Sarginson wrote:

...

On Wednesday 06 December 2000 00:39, Jerry Kreps wrote:

...

I don't know if my email from work made it through the firewall so I am resending the source for the pgp backdoor.

http://www.cert.org/advisories/CA-2000-18.html

JLK

On Tuesday 05 December 2000 08:02, peter hollings wrote:

...

It's interesting (from a civil liberties perspective) that there is a backdoor into PGP. Can you tell me more? How did this come about? Was it publicized? Does encryption technology without backdoors exist? If so, how can we be sure?

Also, of potential interest is the FBI's "Carnivore" system. Carnivore basically automates the surveillance process on the Internet. If one combines backdoors with surveillance, one has quite a capability. For a recent study on Carnivore see: http://www.usdoj.gov/jmd/publications/carniv_entry.htm .

For SuSE this may be off-topic. If we hear any objection, I propose that we move it off the list.

I would think anyone on this list concerned with security would be well advised to take an interest in this !

(just when you thought it was safe to go into the water...)

Cliff

...

...

Regards,

Peter Hollings

----- Original Message ----- From: "Jerry Kreps" To: "zentara" ; "peter hollings" Cc: ; ; "suse-linux-e" Sent: Monday, December 04, 2000 5:28 PM Subject: Re: [SLE] A very interesting paper by Ken Thompson..

...

On Monday 04 December 2000 15:36, zentara wrote: > peter hollings wrote: > > Yes, the NSA is a possibility, but I'd be more > > concerned about the ill effects on society that could > > be brought about via a widely distributed, closed, > > proprietary system such as Windows. It's another reason > > for using Linux. > > I'm an old windows basher, but as the article stated, no > OS is immune to the microcode attack. > I was discussing a while back whether pgp and other > encryption programs had "backdoors" in them, the answer > was "if it exists, it's in our c compilers", controlled > by very high level people. I have a paranoid streak. :-)

It's not paranoia if it true, and with regards to pgp it is true. The NSA backdoor to version 6.x of pgp (I don't remember if 5.x has the backdoor) is verified. That is why there was a recent mass movement from pgp to gpg

-- Scientific theories, according to Sir Karl Popper, can be "falsified," or

proven wrong, by experiment.

...

Unscientific theories -Marxist dialectical history and Freudian psychology

were Popper's favorites-

...

are formed in such a way that they cannot be falsified by data.

-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/support/faq

-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/support/faq

-- Scientific theories, according to Sir Karl Popper, can be "falsified," or proven wrong, by experiment. Unscientific theories -Marxist dialectical history and Freudian psychology were Popper's favorites- are formed in such a way that they cannot be falsified by data.

From: Jerry Kreps Date: Wed, 6 Dec 2000 21:22:41 -0600 Message-Id: <00120621224101.08141@JLKreps> Subject: Re: [SLE] A very interesting paper by Ken Thompson.. On Wednesday 06 December 2000 17:40, Cliff Sarginson wrote:

On Wed, Dec 06, 2000 at 04:56:57PM -0600, Jerry Kreps wrote:

...

On Wednesday 06 December 2000 14:17, Michael wrote:

...

Never trust anything that isn't opensource. Learn to code at least enough to look for obvious holes. Is the only way to be safe. :)

Mmm. I hate to say this but a little bit of C coding is not going to teach you enough to find holes in a program of even moderate complexity, let alone in a compiler or complex network program. For encryption programs a pretty deep knowledge of algorithms and mathematics may also be required.

My MS in Math and Physics and Biochemistry (professional student) taught me that

Futhermore to understand the output of the compiler code generator you will need to be a red-hot assembly language programmer. And even then it would be a nightmare in optimised code.

You're making my point !

The point about open-source is that you can compile it yourself, so you are not accepting blindly a binary file from somewhere. You have to trust the origin of the source of course.

Here is where you missed my point. Compiling the source code for an application is worthless protection against microcode already planted in the compiler itself, and your points above reinforce my argument that providing an absolutely guaranteed uncompromised compiler is a task only the best of the best could accomplish. Ergo, how can you be sure that the gc++ compiler has not already been compromised? You can't.. That was Ken Thompson's conclusion. JLK <p><p>>

Cliff

...

Not true! Take the gcc compiler, for example. How do you compile your compiler without using your compiler? Unless you hand assemble assembler code from keystrokes, you are using something that could have embedded microcode in it. JLK

...

*^*^*^* Have the courage to take your own thoughts seriously, for they will shape you. -- Albert Einstein

On Wed, 6 Dec 2000, Cliff Sarginson wrote:

...

On Wednesday 06 December 2000 00:39, Jerry Kreps wrote:

...

I don't know if my email from work made it through the firewall so I am resending the source for the pgp backdoor.

http://www.cert.org/advisories/CA-2000-18.html

JLK

On Tuesday 05 December 2000 08:02, peter hollings wrote:

...

It's interesting (from a civil liberties perspective) that there is a backdoor into PGP. Can you tell me more? How did this come about? Was it publicized? Does encryption technology without backdoors exist? If so, how can we be sure?

Also, of potential interest is the FBI's "Carnivore" system. Carnivore basically automates the surveillance process on the Internet. If one combines backdoors with surveillance, one has quite a capability. For a recent study on Carnivore see: http://www.usdoj.gov/jmd/publications/carniv_entry.htm .

For SuSE this may be off-topic. If we hear any objection, I propose that we move it off the list.

I would think anyone on this list concerned with security would be well advised to take an interest in this !

(just when you thought it was safe to go into the water...)

Cliff

...

...

Regards,

Peter Hollings

----- Original Message ----- From: "Jerry Kreps" To: "zentara" ; "peter hollings" Cc: ; ; "suse-linux-e" Sent: Monday, December 04, 2000 5:28 PM Subject: Re: [SLE] A very interesting paper by Ken Thompson..

> On Monday 04 December 2000 15:36, zentara wrote: > > peter hollings wrote: > > > Yes, the NSA is a possibility, but I'd be more > > > concerned about the ill effects on society that > > > could be brought about via a widely distributed, > > > closed, proprietary system such as Windows. It's > > > another reason for using Linux. > > > > I'm an old windows basher, but as the article stated, > > no OS is immune to the microcode attack. > > I was discussing a while back whether pgp and other > > encryption programs had "backdoors" in them, the > > answer was "if it exists, it's in our c compilers", > > controlled by very high level people. I have a > > paranoid streak. :-) > > It's not paranoia if it true, and with regards to pgp > it is true. The NSA backdoor to version 6.x of pgp (I > don't remember if 5.x has the backdoor) is verified. > That is why there was a recent mass movement from pgp > to gpg > > -- > Scientific theories, according to Sir Karl Popper, can > be "falsified," or

proven wrong, by experiment.

> Unscientific theories -Marxist dialectical history and > Freudian psychology

were Popper's favorites-

> are formed in such a way that they cannot be falsified > by data. > > > > -- > To unsubscribe send e-mail to > suse-linux-e-unsubscribe@suse.com For additional > commands send e-mail to suse-linux-e-help@suse.com Also > check the FAQ at http://www.suse.com/support/faq

-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/support/faq

-- Scientific theories, according to Sir Karl Popper, can be "falsified," or proven wrong, by experiment. Unscientific theories -Marxist dialectical history and Freudian psychology were Popper's favorites- are formed in such a way that they cannot be falsified by data.

-- Scientific theories, according to Sir Karl Popper, can be "falsified," or proven wrong, by experiment. Unscientific theories -Marxist dialectical history and Freudian psychology were Popper's favorites- are formed in such a way that they cannot be falsified by data.

From: Jerry Kreps Date: Thu, 7 Dec 2000 07:03:23 -0600 Message-Id: <00120707032301.09373@JLKreps> Subject: Re: [SLE] A very interesting paper by Ken Thompson.. That is the most absurd analogy I've ever been handed. Anal has nothing to do with anything. On Wednesday 06 December 2000 22:20, Michael wrote:

I suppose you could write a C compiler from scratch and check to make sure but it seems a bit anal. If you can't trust the FSF when it comes to software there isn't anybody you are likely to be able to trust. You could just as easily say you can't trust your house not to spy on you because someone else cut the boards.

*^*^*^* Have the courage to take your own thoughts seriously, for they will shape you. -- Albert Einstein

On Wed, 6 Dec 2000, Jerry Kreps wrote:

...

On Wednesday 06 December 2000 17:40, Cliff Sarginson wrote:

...

On Wed, Dec 06, 2000 at 04:56:57PM -0600, Jerry Kreps wrote:

...

On Wednesday 06 December 2000 14:17, Michael wrote:

...

Never trust anything that isn't opensource. Learn to code at least enough to look for obvious holes. Is the only way to be safe. :)

Mmm. I hate to say this but a little bit of C coding is not going to teach you enough to find holes in a program of even moderate complexity, let alone in a compiler or complex network program. For encryption programs a pretty deep knowledge of algorithms and mathematics may also be required.

My MS in Math and Physics and Biochemistry (professional student) taught me that

...

Futhermore to understand the output of the compiler code generator you will need to be a red-hot assembly language programmer. And even then it would be a nightmare in optimised code.

You're making my point !

...

The point about open-source is that you can compile it yourself, so you are not accepting blindly a binary file from somewhere. You have to trust the origin of the source of course.

Here is where you missed my point. Compiling the source code for an application is worthless protection against microcode already planted in the compiler itself, and your points above reinforce my argument that providing an absolutely guaranteed uncompromised compiler is a task only the best of the best could accomplish.

Ergo, how can you be sure that the gc++ compiler has not already been compromised? You can't.. That was Ken Thompson's conclusion. JLK

...

Cliff

...

Not true! Take the gcc compiler, for example. How do you compile your compiler without using your compiler? Unless you hand assemble assembler code from keystrokes, you are using something that could have embedded microcode in it. JLK

...

*^*^*^* Have the courage to take your own thoughts seriously, for they will shape you. -- Albert Einstein

On Wed, 6 Dec 2000, Cliff Sarginson wrote:

...

On Wednesday 06 December 2000 00:39, Jerry Kreps wrote: > I don't know if my email from work made it through the > firewall so I am resending the source for the pgp > backdoor. > > http://www.cert.org/advisories/CA-2000-18.html > > JLK > > On Tuesday 05 December 2000 08:02, peter hollings wrote: > > It's interesting (from a civil liberties perspective) > > that there is a backdoor into PGP. Can you tell me > > more? How did this come about? Was it publicized? > > Does encryption technology without backdoors exist? > > If so, how can we be sure? > > > > Also, of potential interest is the FBI's "Carnivore" > > system. Carnivore basically automates the > > surveillance process on the Internet. If one > > combines backdoors with surveillance, one has quite a > > capability. For a recent study on Carnivore see: > > http://www.usdoj.gov/jmd/publications/carniv_entry.ht > >m . > > > > For SuSE this may be off-topic. If we hear any > > objection, I propose that we move it off the list.

I would think anyone on this list concerned with security would be well advised to take an interest in this !

(just when you thought it was safe to go into the water...)

Cliff

> > Regards, > > > > Peter Hollings > > > > > > ----- Original Message ----- > > From: "Jerry Kreps" > > To: "zentara" ; "peter > > hollings" > > Cc: ; ; > > "suse-linux-e" > > Sent: Monday, December 04, 2000 5:28 PM > > Subject: Re: [SLE] A very interesting paper by Ken > > Thompson.. > > > > > On Monday 04 December 2000 15:36, zentara wrote: > > > > peter hollings wrote: > > > > > Yes, the NSA is a possibility, but I'd be more > > > > > concerned about the ill effects on society that > > > > > could be brought about via a widely > > > > > distributed, closed, proprietary system such as > > > > > Windows. It's another reason for using Linux. > > > > > > > > I'm an old windows basher, but as the article > > > > stated, no OS is immune to the microcode attack. > > > > I was discussing a while back whether pgp and > > > > other encryption programs had "backdoors" in > > > > them, the answer was "if it exists, it's in our c > > > > compilers", controlled by very high level people. > > > > I have a paranoid streak. :-) > > > > > > It's not paranoia if it true, and with regards to > > > pgp it is true. The NSA backdoor to version 6.x of > > > pgp (I don't remember if 5.x has the backdoor) is > > > verified. That is why there was a recent mass > > > movement from pgp to gpg > > > > > > -- > > > Scientific theories, according to Sir Karl Popper, > > > can be "falsified," or > > > > proven wrong, by experiment. > > > > > Unscientific theories -Marxist dialectical history > > > and Freudian psychology > > > > were Popper's favorites- > > > > > are formed in such a way that they cannot be > > > falsified by data. > > > > > > > > > > > > -- > > > To unsubscribe send e-mail to > > > suse-linux-e-unsubscribe@suse.com For additional > > > commands send e-mail to suse-linux-e-help@suse.com > > > Also check the FAQ at > > > http://www.suse.com/support/faq

-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/support/faq

-- Scientific theories, according to Sir Karl Popper, can be "falsified," or proven wrong, by experiment. Unscientific theories -Marxist dialectical history and Freudian psychology were Popper's favorites- are formed in such a way that they cannot be falsified by data.

-- Scientific theories, according to Sir Karl Popper, can be "falsified," or proven wrong, by experiment. Unscientific theories -Marxist dialectical history and Freudian psychology were Popper's favorites- are formed in such a way that they cannot be falsified by data.

-- Scientific theories, according to Sir Karl Popper, can be "falsified," or proven wrong, by experiment. Unscientific theories -Marxist dialectical history and Freudian psychology were Popper's favorites- are formed in such a way that they cannot be falsified by data.

Message-ID: <3A2EB2E1.86619CE4@gypsyfarm.com> Date: Wed, 06 Dec 2000 16:42:57 -0500 From: zentara Subject: Re: [SLE] Pop 3 Server Michael wrote:

What pop 3 server does SuSE use? I've never set up Pop3 under Linux. Any good sites for doing it under SuSE? Thanks.

From usr/doc/packages/pop/pop3d is the foolowing info on

pop3d which is the suse default. ################# This is the source code for a POP3 server running under 4.3BSD. This server was written at the University of California at Davis. The server implements the minimal POP3 command list, plus two ex. tension commands. You can get a copy of this distribution with anonymous FTP at: ftp.ucadavis.edu:/pub/pop3d.tar ################ You can get a nice package called qpopper, which supports pop and APOP, and install it easily.

Message-Id: <5.0.2.1.0.20001206172932.025e3ec8@claborn.net> Date: Wed, 06 Dec 2000 17:30:01 -0600 From: wilson@claborn.net (Jonathan Wilson) Subject: Re: [SLE] Pop 3 Server I like GNU-pop3d. For one thing, it have virtual user support, which is very important to me. JW At 04:06 PM 12/6/2000 -0600, you wrote:

Any pros and cons for using pop3d rather than popper? I seem to have both installed on my box (but neither running yet).

*^*^*^* Have the courage to take your own thoughts seriously, for they will shape you. -- Albert Einstein

On Wed, 6 Dec 2000, zentara wrote:

...

Michael wrote:

...

What pop 3 server does SuSE use? I've never set up Pop3 under Linux. Any good sites for doing it under SuSE? Thanks.

...

From usr/doc/packages/pop/pop3d is the foolowing info on pop3d which is the suse default. ################# This is the source code for a POP3 server running under 4.3BSD. This server was written at the University of California at Davis. The server implements the minimal POP3 command list, plus two ex. tension commands. You can get a copy of this distribution with anonymous FTP at: ftp.ucadavis.edu:/pub/pop3d.tar ################

You can get a nice package called qpopper, which supports pop and APOP, and install it easily.

-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/support/faq

Date: Thu, 7 Dec 2000 08:54:42 -0600 (CST) From: Michael Message-ID: Subject: Re: [SLE] Pop 3 Server I actually do need to force all our users to use some form of encryption on their passwords as I'm forced to put the mail server on a highly critical e-commerce server we have and I don't want any user accounts being hacked. We do however have some users that use Netscape and Mozilla mail. Is there any form of password encryption that one of those will use? *^*^*^* Have the courage to take your own thoughts seriously, for they will shape you. -- Albert Einstein On Thu, 7 Dec 2000, zentara wrote:

Michael wrote:

...

Any pros and cons for using pop3d rather than popper? I seem to have both installed on my box (but neither running yet).

Well popper lets you use apop, which encrypts mail passwords and stores them in a database. It also allows you to have a different mail and login password. This can be important since most user's popmail passwords are their login passwords.

The drawback is netscape dosn't support apop, so you need to use a mail client that does, I use Xfmail.

I have run both together. Running pop3d on port 110 for netscape users, and assigning qpopper to port 109, for apop users. It works OK that way.

Message-Id: <4.3.2.7.2.20001207112317.00b099b0@192.168.1.2> Date: Thu, 07 Dec 2000 11:25:29 -0600 From: Geordon VanTassle Subject: Re: [SLE] Pop 3 Server Have you considered using some sort of SSL-encrypted Web-mail reader? I know that there are several out there that might fill the bill. Granted, it's not an ideal situation, but then again, neither is having user accounts on a critical server. HTH, Geordon <p>At 08:54 AM 12/7/00, Michael wrote:

I actually do need to force all our users to use some form of encryption on their passwords as I'm forced to put the mail server on a highly critical e-commerce server we have and I don't want any user accounts being hacked. We do however have some users that use Netscape and Mozilla mail. Is there any form of password encryption that one of those will use?

*^*^*^* Have the courage to take your own thoughts seriously, for they will shape you. -- Albert Einstein