A very interesting paper by Ken Thompson..
From: Jerry Kreps
Message-ID: <3A2A5254.87818877@gypsyfarm.com>
Date: Sun, 03 Dec 2000 09:01:56 -0500
From: zentara
http://www.acm.org/classics/sep95/
"Moral
detect. A well installed microcode bug will be almost impossible to detect. "
Watch out, they will be recruiting you at the NSA to work on C compilers.
From: Jerry Kreps
Jerry Kreps wrote:
http://www.acm.org/classics/sep95/
"Moral
detect. A well installed microcode bug will be almost impossible to detect. "
Watch out, they will be recruiting you at the NSA to work on C compilers.
Not me! I'm an old windows programmer.... I'm still learning C++ 8>)
-- Scientific theories, according to Sir Karl Popper, can be "falsified," or proven wrong, by experiment. Unscientific theories -Marxist dialectical history and Freudian psychology were Popper's favorites- are formed in such a way that they cannot be falsified by data.
Message-ID: <000901c05d97$9e73adc0$3a601f18@atl.mediaone.net>
From: "peter hollings"
-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/support/faq
Message-ID: <3A2C0E6D.127F97A9@gypsyfarm.com>
Date: Mon, 04 Dec 2000 16:36:45 -0500
From: zentara
Yes, the NSA is a possibility, but I'd be more concerned about the ill effects on society that could be brought about via a widely distributed, closed, proprietary system such as Windows. It's another reason for using Linux.
I'm an old windows basher, but as the article stated, no OS is immune to the microcode attack. I was discussing a while back whether pgp and other encryption programs had "backdoors" in them, the answer was "if it exists, it's in our c compilers", controlled by very high level people. I have a paranoid streak. :-)
From: Jerry Kreps
peter hollings wrote:
Yes, the NSA is a possibility, but I'd be more concerned about the ill effects on society that could be brought about via a widely distributed, closed, proprietary system such as Windows. It's another reason for using Linux.
I'm an old windows basher, but as the article stated, no OS is immune to the microcode attack. I was discussing a while back whether pgp and other encryption programs had "backdoors" in them, the answer was "if it exists, it's in our c compilers", controlled by very high level people. I have a paranoid streak. :-)
It's not paranoia if it's true, and with regards to pgp it is true. The NSA backdoor to version 6.x of pgp (I don't remember if 5.x has the backdoor) is verified. That is why there was a recent mass movement from pgp to gpg
Message-ID: <00f001c05ec3$f3fdbce0$0f601f18@atl.mediaone.net>
From: "peter hollings"
From: Guy Van Sanden
>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<
On 05/12/2000, 15:02:05, "peter hollings"
backdoor into PGP. Can you tell me more? How did this come about? Was it publicized? Does encryption technology without backdoors exist? If so, how can we be sure?
Also, of potential interest is the FBI's "Carnivore" system. Carnivore basically automates the surveillance process on the Internet. If one combines backdoors with surveillance, one has quite a capability. For a recent study on Carnivore see: http://www.usdoj.gov/jmd/publications/carniv_entry.htm .
For SuSE this may be off-topic. If we hear any objection, I propose that we move it off the list.
Regards,
Peter Hollings
----- Original Message -----
From: "Jerry Kreps"
To: "zentara" ; "peter hollings"
Cc: ; ; "suse-linux-e"
Sent: Monday, December 04, 2000 5:28 PM
Subject: Re: [SLE] A very interesting paper by Ken Thompson..
On Monday 04 December 2000 15:36, zentara wrote:
peter hollings wrote:
Yes, the NSA is a possibility, but I'd be more concerned about the ill effects on society that could be brought about via a widely distributed, closed, proprietary system such as Windows. It's another reason for using Linux.
I'm an old windows basher, but as the article stated, no OS is immune to the microcode attack. I was discussing a while back whether pgp and other encryption programs had "backdoors" in them, the answer was "if it exists, it's in our c compilers", controlled by very high level people. I have a paranoid streak. :-)
It's not paranoia if it's true, and with regards to pgp it is true. The NSA backdoor to version 6.x of pgp (I don't remember if 5.x has the backdoor) is verified. That is why there was a recent mass movement from pgp to gpg
Message-ID: <3A2D0198.42FD91A4@gypsyfarm.com>
Date: Tue, 05 Dec 2000 09:54:16 -0500
From: zentara
It's interesting (from a civil liberties perspective) that there is a backdoor into PGP. Can you tell me more? How did this come about? Was it publicized? Does encryption technology without backdoors exist? If so, how can we be sure?
Also, of potential interest is the FBI's "Carnivore" system. Carnivore basically automates the surveillance process on the Internet. If one combines backdoors with surveillance, one has quite a capability. For a recent study on Carnivore see: http://www.usdoj.gov/jmd/publications/carniv_entry.htm .
For SuSE this may be off-topic. If we hear any objection, I propose that we move it off the list.
Well the security of linux c compilers and assemblers should be of interest to the list, and every linux user. That said, the general wisdom is that if it goes out on the net, it can eventually be part of the public record, whether you encrypt it or not.

Encryption is only part of the security picture. If you do a web search for "Tempest", you will find what standards the government requires of its "secret computers". You will learn that each computer is basically a miniature transmitter, sending out a weak signal, of everything occurring inside of it. The Tempest standards require "Faraday Cages" around sensitive computers, which block electromagnetic radiation from penetrating it. This basically is a very fine wire mesh, or solid metal cage, which is grounded. I have heard, but cannot state as fact, that it is illegal in the US to have a computer in a Faraday Cage. That tells you that the "big brother element" in the Government are using these techniques to spy on those they choose to monitor.

So even if you encrypt, your secret passphrase can be detected by equipment in a nearby location, like a parked van. This is highly sophisticated, and it is more likely that governments (and private detectives) use simple "computer bugs" which transmit your keystrokes to a recorder. These computer bugs are in the early stages, like audio bugs were in the 50's. But you can be sure they exist, and it probably won't be long before hobbyist magazines start advertising them. They will get around privacy laws by advertising them as a way to monitor your "children's computer usage". They probably will end up in those little sealed plastic power cubes that power modems and audio speakers. But they may end up in video cards, broadcasting an exact replica of your monitor.

That said, the question is how much should we worry about encryption security? Knowledgeable people can get your secret key and password, with a little effort. To be really secure, you can't use any technology.

But if you just want to hide data from a competitor, (or wife), then encryption is still useful. It will be a useful tool in online voting, e-commerce, etc. But it is not secure for secret messaging unless you apply some various serious measures. The paper by Ken Thompson just gives a glimpse into how a dedicated team of programmers can infiltrate your security, hiding it from you even if you look at every line of source code in your machine. It is no surprise that the Chinese government refused Bill Gates's attempt to push Windows into China. They are not dumb.
From: Alex Daniloff
peter hollings wrote:
> Encryption is only part of the security picture. If you do a web search for "Tempest", you will find what standards the government requires of its "secret computers". You will learn that each computer is basically a miniature transmitter, sending out a weak signal, of everything occurring inside of it.

Each computer exposes spectrum of frequencies in analog diapason that carries information about all data transmissions inside the computer. HD --> Bus --> CPU --> RAM --> CPU --> Bus --> IO ports etc. All you need to get this information is to filter out so called information harmonic and suppress parasitic harmonics so called "pink noise". The closest analogy is a cable TV. For example you can watch cable TV for free without opening cable TV box or something connecting physically to it or to the cable. All you need to do is to create inductance filter to filter out TV signal out of parasitic frequency range generated by the coaxial cable. There is a simplified formula to calculate primitive inductance filter:

Rfcable = 2 x 3.14 x TVfrequency x Liductance
Rfcable = 68 Ohm (American standard)
Liductance = 6.28 x TVfrequency / 68 = 0.0923 x TVfrequency (micro Henry)

Now you have to make this inductance filter out of copper wire (2.5 mm wire diameter, about 3.5 wraps, 10 mm diameter of coil) locate it near the cable and connect two inputs of this coil to your TV or amplifier and TV. In the second case you can locate your coil much farther from the cable. Happy cable TV watching. Exactly the same can be done distantly to your computer by the government agencies. That is why all mainframes and Computer centers are installed in electrically shielded rooms and white noise frequency generators connected to that shielding.

> The Tempest standards require "Faraday Cages" around sensitive computers, which block electromagnetic radiation from penetrating it. This basically is a very fine wire mesh, or solid metal cage, which is grounded. I have heard, but cannot state as fact, that it is illegal in the US to have a computer in a Faraday Cage. That tells you that the "big brother element" in the Government are using these techniques to spy on those they choose to monitor.

You can easily convert your Monitor and PC chassis to so called Faraday Cage to secure your information. Connect your PC chassis to the white noise generator. Instead of white noise generator you can use radio receiver tuned to white noise (Sh......Sh.......) or rock music for Big Brother on SW diapason to mask all your computer inner transactions. Use back side shielding of your monitor and antiglare filter connected to the white noise generator (radio).

> So even if you encrypt, your secret passphrase can be detected by equipment in a nearby location, like a parked van. This is highly sophisticated, and it is more likely that governments (and private detectives) use simple "computer bugs" which transmit your keystrokes to a recorder. These computer bugs are in the early stages, like audio bugs were in the 50's. But you can be sure they exist, and it probably won't be long before hobbyist magazines start advertising them. They will get around privacy laws by advertising them as a way to monitor your "children's computer usage". They probably will end up in those little sealed plastic power cubes that power modems and audio speakers. But they may end up in video cards, broadcasting an exact replica of your monitor.

Yes it's advisable to open and inspect external power supplies that came with your devices. If you suspect something you can wrap it in a copper foil and well ground it or connect to the white noise generator (radio).

> That said, the question is how much should we worry about encryption security? Knowledgeable people can get your secret key and password, with a little effort.
> To be really secure, you can't use any technology.

No, you can and you must use technology to protect yourself. You can't fight with a stick against the tank.

> It is no surprise that the Chinese government refused Bill Gates's attempt to push Windows into China. They are not dumb.

It's because they inherited an old good USSR concept of data protection.
Thanks.
Alex
From: Jerry Kreps
From: Cliff Sarginson
Date: Wed, 6 Dec 2000 14:17:05 -0600 (CST)
From: Michael
On Wednesday 06 December 2000 00:39, Jerry Kreps wrote:
I don't know if my email from work made it through the firewall so I am resending the source for the pgp backdoor.
http://www.cert.org/advisories/CA-2000-18.html
JLK
On Tuesday 05 December 2000 08:02, peter hollings wrote:
It's interesting (from a civil liberties perspective) that there is a backdoor into PGP. Can you tell me more? How did this come about? Was it publicized? Does encryption technology without backdoors exist? If so, how can we be sure?
Also, of potential interest is the FBI's "Carnivore" system. Carnivore basically automates the surveillance process on the Internet. If one combines backdoors with surveillance, one has quite a capability. For a recent study on Carnivore see: http://www.usdoj.gov/jmd/publications/carniv_entry.htm .
For SuSE this may be off-topic. If we hear any objection, I propose that we move it off the list.
I would think anyone on this list concerned with security would be well advised to take an interest in this!
(just when you thought it was safe to go into the water...)
Cliff
From: Jerry Kreps
Never trust anything that isn't opensource. Learn to code at least enough to look for obvious holes. Is the only way to be safe. :)
Not true! Take the gcc compiler, for example. How do you compile your compiler without using your compiler? Unless you hand assemble assembler code from keystrokes, you are using something that could have embedded microcode in it. JLK
*^*^*^* Have the courage to take your own thoughts seriously, for they will shape you. -- Albert Einstein
Date: Thu, 7 Dec 2000 00:40:09 +0100
From: Cliff Sarginson
Date: Wed, 6 Dec 2000 18:09:39 -0600 (CST)
From: Michael
On Wed, Dec 06, 2000 at 04:56:57PM -0600, Jerry Kreps wrote:
On Wednesday 06 December 2000 14:17, Michael wrote:
Never trust anything that isn't opensource. Learn to code at least enough to look for obvious holes. Is the only way to be safe. :)
Mmm. I hate to say this but a little bit of C coding is not going to teach you enough to find holes in a program of even moderate complexity, let alone in a compiler or complex network program. For encryption programs a pretty deep knowledge of algorithms and mathematics may also be required. Furthermore to understand the output of the compiler code generator you will need to be a red-hot assembly language programmer. And even then it would be a nightmare in optimised code. The point about open-source is that you can compile it yourself, so you are not accepting blindly a binary file from somewhere. You have to trust the origin of the source of course.
Cliff
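
One defensive answer to the bootstrapping question raised in this thread is diverse double-compiling: build the compiler's source with an independent compiler, rebuild the source with that result, and compare the output byte for byte with the binary you were handed. The toy model below is an added example, not part of the original messages; `COMPILER_SRC`, `trusted_compile`, `ddc_check` and the two sample binaries are constructed for illustration.

```python
import hashlib

# Constructed toy compiler source. In this model the "language" is Python text
# and "object code" is the same text with comments and blank lines removed.
COMPILER_SRC = r'''
def compile_src(src):
    # the comment marker is spelled chr(35) so that this source can compile itself
    out = []
    for line in src.splitlines():
        line = line.split(chr(35), 1)[0].rstrip()
        if line:
            out.append(line)
    return "\n".join(out) + "\n"
'''


def load(binary):
    """Run a compiler binary: execute its object code, return its compile function."""
    namespace = {}
    exec(binary, namespace)
    return namespace["compile_src"]


def trusted_compile(src):
    """Independent second compiler (hypothetical). Same language, different code
    generation (tab indentation), so its output differs byte for byte."""
    out = []
    for line in src.splitlines():
        code = line.split("#", 1)[0].rstrip()
        if code:
            body = code.lstrip(" ")
            out.append("\t" * ((len(code) - len(body)) // 4) + body)
    return "\n".join(out) + "\n"


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


def ddc_check(suspect_binary, compiler_src, trusted=trusted_compile):
    """Diverse double-compiling: regenerate the compiler via an independent
    toolchain and compare the result with the binary under test."""
    stage1 = trusted(compiler_src)        # compiler source built by the other tool
    stage2 = load(stage1)(compiler_src)   # compiler source rebuilt by that build
    return {
        "stage1_differs": stage1 != suspect_binary,  # expected: other code generator
        "expected_sha256": sha256(stage2),
        "suspect_sha256": sha256(suspect_binary),
        "match": stage2 == suspect_binary,
    }


# Constructed sample binaries. CLEAN_BINARY is what the published source yields
# when it compiles itself; TAMPERED_BINARY carries one inert line that appears
# nowhere in the source, standing in for logic hidden in a distributed binary.
CLEAN_BINARY = load(COMPILER_SRC)(COMPILER_SRC)
TAMPERED_BINARY = CLEAN_BINARY + "EXTRA_LOGIC_NOT_IN_SOURCE = True\n"


if __name__ == "__main__":
    for name, binary in (("clean", CLEAN_BINARY), ("tampered", TAMPERED_BINARY)):
        result = ddc_check(binary, COMPILER_SRC)
        verdict = "match" if result["match"] else "MISMATCH"
        print(name, verdict, result["suspect_sha256"][:16])
```

The check only says that the binary corresponds to the source; it assumes deterministic builds and that the independent compiler is not subverted in the same way, and the source itself still has to be reviewed.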
Not true! Take the gcc compiler, for example. How do you compile your compiler without using your compiler? Unless you hand assemble assembler code from keystrokes, you are using something that could have embedded microcode in it. JLK
*^*^*^* Have the courage to take your own thoughts seriously, for they will shape you. -- Albert Einstein
On Wed, 6 Dec 2000, Cliff Sarginson wrote:
On Wednesday 06 December 2000 00:39, Jerry Kreps wrote:
I don't know if my email from work made it through the firewall so I am resending the source for the pgp backdoor.
http://www.cert.org/advisories/CA-2000-18.html
JLK
On Tuesday 05 December 2000 08:02, peter hollings wrote:
It's interesting (from a civil liberties perspective) that there is a backdoor into PGP. Can you tell me more? How did this come about? Was it publicized? Does encryption technology without backdoors exist? If so, how can we be sure?
Also, of potential interest is the FBI's "Carnivore" system. Carnivore basically automates the surveillance process on the Internet. If one combines backdoors with surveillance, one has quite a capability. For a recent study on Carnivore see: http://www.usdoj.gov/jmd/publications/carniv_entry.htm .
For SuSE this may be off-topic. If we hear any objection, I propose that we move it off the list.
I would think anyone on this list concerned with security would be well advised to take an interest in this !
(just when you thought it was safe to go into the water...)
Cliff
Regards,
Peter Hollings
----- Original Message ----- From: "Jerry Kreps"
To: "zentara" ; "peter hollings"
Cc: ; ; "suse-linux-e"
Sent: Monday, December 04, 2000 5:28 PM
Subject: Re: [SLE] A very interesting paper by Ken Thompson..
> On Monday 04 December 2000 15:36, zentara wrote:
> > peter hollings wrote:
> > > Yes, the NSA is a possibility, but I'd be more concerned about the ill effects on society that could be brought about via a widely distributed, closed, proprietary system such as Windows. It's another reason for using Linux.
> >
> > I'm an old windows basher, but as the article stated, no OS is immune to the microcode attack.
> > I was discussing a while back whether pgp and other encryption programs had "backdoors" in them, the answer was "if it exists, it's in our c compilers", controlled by very high level people. I have a paranoid streak. :-)
>
> It's not paranoia if it true, and with regards to pgp it is true. The NSA backdoor to version 6.x of pgp (I don't remember if 5.x has the backdoor) is verified. That is why there was a recent mass movement from pgp to gpg
>
> --
> Scientific theories, according to Sir Karl Popper, can be "falsified," or proven wrong, by experiment. Unscientific theories -Marxist dialectical history and Freudian psychology were Popper's favorites- are formed in such a way that they cannot be falsified by data.
-- Scientific theories, according to Sir Karl Popper, can be "falsified," or proven wrong, by experiment. Unscientific theories -Marxist dialectical history and Freudian psychology were Popper's favorites- are formed in such a way that they cannot be falsified by data.
From: Jerry Kreps
On Wed, Dec 06, 2000 at 04:56:57PM -0600, Jerry Kreps wrote:
On Wednesday 06 December 2000 14:17, Michael wrote:
Never trust anything that isn't opensource. Learn to code at least enough to look for obvious holes. Is the only way to be safe. :)
Mmm. I hate to say this but a little bit of C coding is not going to teach you enough to find holes in a program of even moderate complexity, let alone in a compiler or complex network program. For encryption programs a pretty deep knowledge of algorithms and mathematics may also be required.
My MS in Math and Physics and Biochemistry (professional student) taught me that
Furthermore to understand the output of the compiler code generator you will need to be a red-hot assembly language programmer. And even then it would be a nightmare in optimised code.
You're making my point !
The point about open-source is that you can compile it yourself, so you are not accepting blindly a binary file from somewhere. You have to trust the origin of the source of course.
Here is where you missed my point. Compiling the source code for an application is worthless protection against microcode already planted in the compiler itself, and your points above reinforce my argument that providing an absolutely guaranteed uncompromised compiler is a task only the best of the best could accomplish. Ergo, how can you be sure that the gc++ compiler has not already been compromised? You can't.. That was Ken Thompson's conclusion. JLK
Cliff
Not true! Take the gcc compiler, for example. How do you compile your compiler without using your compiler? Unless you hand assemble assembler code from keystrokes, you are using something that could have embedded microcode in it. JLK
*^*^*^* Have the courage to take your own thoughts seriously, for they will shape you. -- Albert Einstein
On Wed, 6 Dec 2000, Cliff Sarginson wrote:
On Wednesday 06 December 2000 00:39, Jerry Kreps wrote:
I don't know if my email from work made it through the firewall so I am resending the source for the pgp backdoor.
http://www.cert.org/advisories/CA-2000-18.html
JLK
On Tuesday 05 December 2000 08:02, peter hollings wrote:
It's interesting (from a civil liberties perspective) that there is a backdoor into PGP. Can you tell me more? How did this come about? Was it publicized? Does encryption technology without backdoors exist? If so, how can we be sure?
Also, of potential interest is the FBI's "Carnivore" system. Carnivore basically automates the surveillance process on the Internet. If one combines backdoors with surveillance, one has quite a capability. For a recent study on Carnivore see: http://www.usdoj.gov/jmd/publications/carniv_entry.htm .
For SuSE this may be off-topic. If we hear any objection, I propose that we move it off the list.
I would think anyone on this list concerned with security would be well advised to take an interest in this !
(just when you thought it was safe to go into the water...)
Cliff
Regards,
Peter Hollings
----- Original Message ----- From: "Jerry Kreps"
To: "zentara" ; "peter hollings"
Cc: ; ; "suse-linux-e"
Sent: Monday, December 04, 2000 5:28 PM
Subject: Re: [SLE] A very interesting paper by Ken Thompson..
> On Monday 04 December 2000 15:36, zentara wrote:
> > peter hollings wrote:
> > > Yes, the NSA is a possibility, but I'd be more concerned about the ill effects on society that could be brought about via a widely distributed, closed, proprietary system such as Windows. It's another reason for using Linux.
> >
> > I'm an old windows basher, but as the article stated, no OS is immune to the microcode attack.
> > I was discussing a while back whether pgp and other encryption programs had "backdoors" in them, the answer was "if it exists, it's in our c compilers", controlled by very high level people. I have a paranoid streak. :-)
>
> It's not paranoia if it true, and with regards to pgp it is true. The NSA backdoor to version 6.x of pgp (I don't remember if 5.x has the backdoor) is verified. That is why there was a recent mass movement from pgp to gpg
>
> --
> Scientific theories, according to Sir Karl Popper, can be "falsified," or proven wrong, by experiment. Unscientific theories -Marxist dialectical history and Freudian psychology were Popper's favorites- are formed in such a way that they cannot be falsified by data.
-- Scientific theories, according to Sir Karl Popper, can be "falsified," or proven wrong, by experiment. Unscientific theories -Marxist dialectical history and Freudian psychology were Popper's favorites- are formed in such a way that they cannot be falsified by data.
Date: Wed, 6 Dec 2000 22:20:16 -0600 (CST)
From: Michael
On Wednesday 06 December 2000 17:40, Cliff Sarginson wrote:
On Wed, Dec 06, 2000 at 04:56:57PM -0600, Jerry Kreps wrote:
On Wednesday 06 December 2000 14:17, Michael wrote:
Never trust anything that isn't opensource. Learn to code at least enough to look for obvious holes. Is the only way to be safe. :)
Mmm. I hate to say this but a little bit of C coding is not going to teach you enough to find holes in a program of even moderate complexity, let alone in a compiler or complex network program. For encryption programs a pretty deep knowledge of algorithms and mathematics may also be required.
My MS in Math and Physics and Biochemistry (professional student) taught me that
Furthermore to understand the output of the compiler code generator you will need to be a red-hot assembly language programmer. And even then it would be a nightmare in optimised code.
You're making my point !
The point about open-source is that you can compile it yourself, so you are not accepting blindly a binary file from somewhere. You have to trust the origin of the source of course.
Here is where you missed my point. Compiling the source code for an application is worthless protection against microcode already planted in the compiler itself, and your points above reinforce my argument that providing an absolutely guaranteed uncompromised compiler is a task only the best of the best could accomplish.
Ergo, how can you be sure that the gc++ compiler has not already been compromised? You can't.. That was Ken Thompson's conclusion. JLK
Cliff
Not true! Take the gcc compiler, for example. How do you compile your compiler without using your compiler? Unless you hand assemble assembler code from keystrokes, you are using something that could have embedded microcode in it. JLK
*^*^*^* Have the courage to take your own thoughts seriously, for they will shape you. -- Albert Einstein
On Wed, 6 Dec 2000, Cliff Sarginson wrote:
On Wednesday 06 December 2000 00:39, Jerry Kreps wrote:
I don't know if my email from work made it through the firewall so I am resending the source for the pgp backdoor.
http://www.cert.org/advisories/CA-2000-18.html
JLK
On Tuesday 05 December 2000 08:02, peter hollings wrote:
> It's interesting (from a civil liberties perspective) that there is a backdoor into PGP. Can you tell me more? How did this come about? Was it publicized? Does encryption technology without backdoors exist? If so, how can we be sure?
>
> Also, of potential interest is the FBI's "Carnivore" system. Carnivore basically automates the surveillance process on the Internet. If one combines backdoors with surveillance, one has quite a capability. For a recent study on Carnivore see: http://www.usdoj.gov/jmd/publications/carniv_entry.htm .
>
> For SuSE this may be off-topic. If we hear any objection, I propose that we move it off the list.
I would think anyone on this list concerned with security would be well advised to take an interest in this !
(just when you thought it was safe to go into the water...)
Cliff
> Regards,
>
> Peter Hollings
>
> ----- Original Message -----
> From: "Jerry Kreps"
> To: "zentara" ; "peter hollings"
> Cc: ; ; "suse-linux-e"
> Sent: Monday, December 04, 2000 5:28 PM
> Subject: Re: [SLE] A very interesting paper by Ken Thompson..
>
> > On Monday 04 December 2000 15:36, zentara wrote:
> > > peter hollings wrote:
> > > > Yes, the NSA is a possibility, but I'd be more concerned about the ill effects on society that could be brought about via a widely distributed, closed, proprietary system such as Windows. It's another reason for using Linux.
> > >
> > > I'm an old windows basher, but as the article stated, no OS is immune to the microcode attack.
> > > I was discussing a while back whether pgp and other encryption programs had "backdoors" in them, the answer was "if it exists, it's in our c compilers", controlled by very high level people. I have a paranoid streak. :-)
> >
> > It's not paranoia if it true, and with regards to pgp it is true. The NSA backdoor to version 6.x of pgp (I don't remember if 5.x has the backdoor) is verified. That is why there was a recent mass movement from pgp to gpg
> >
> > --
> > Scientific theories, according to Sir Karl Popper, can be "falsified," or proven wrong, by experiment. Unscientific theories -Marxist dialectical history and Freudian psychology were Popper's favorites- are formed in such a way that they cannot be falsified by data.
-- Scientific theories, according to Sir Karl Popper, can be "falsified," or proven wrong, by experiment. Unscientific theories -Marxist dialectical history and Freudian psychology were Popper's favorites- are formed in such a way that they cannot be falsified by data.
From: Jerry Kreps
I suppose you could write a C compiler from scratch and check to make sure but it seems a bit anal. If you can't trust the FSF when it comes to software there isn't anybody you are likely to be able to trust. You could just as easily say you can't trust your house not to spy on you because someone else cut the boards.
*^*^*^* Have the courage to take your own thoughts seriously, for they will shape you. -- Albert Einstein
On Wed, 6 Dec 2000, Jerry Kreps wrote:
On Wednesday 06 December 2000 17:40, Cliff Sarginson wrote:
On Wed, Dec 06, 2000 at 04:56:57PM -0600, Jerry Kreps wrote:
On Wednesday 06 December 2000 14:17, Michael wrote:
Never trust anything that isn't opensource. Learn to code at least enough to look for obvious holes. Is the only way to be safe. :)
Mmm. I hate to say this but a little bit of C coding is not going to teach you enough to find holes in a program of even moderate complexity, let alone in a compiler or complex network program. For encryption programs a pretty deep knowledge of algorithms and mathematics may also be required.
My MS in Math and Physics and Biochemistry (professional student) taught me that
Furthermore to understand the output of the compiler code generator you will need to be a red-hot assembly language programmer. And even then it would be a nightmare in optimised code.
You're making my point !
The point about open-source is that you can compile it yourself, so you are not accepting blindly a binary file from somewhere. You have to trust the origin of the source of course.
Here is where you missed my point. Compiling the source code for an application is worthless protection against microcode already planted in the compiler itself, and your points above reinforce my argument that providing an absolutely guaranteed uncompromised compiler is a task only the best of the best could accomplish.
Ergo, how can you be sure that the gc++ compiler has not already been compromised? You can't.. That was Ken Thompson's conclusion. JLK
Cliff
Not true! Take the gcc compiler, for example. How do you compile your compiler without using your compiler? Unless you hand assemble assembler code from keystrokes, you are using something that could have embedded microcode in it. JLK
*^*^*^* Have the courage to take your own thoughts seriously, for they will shape you. -- Albert Einstein
On Wed, 6 Dec 2000, Cliff Sarginson wrote:
On Wednesday 06 December 2000 00:39, Jerry Kreps wrote:
> I don't know if my email from work made it through the firewall so I am resending the source for the pgp backdoor.
>
> http://www.cert.org/advisories/CA-2000-18.html
>
> JLK
>
> On Tuesday 05 December 2000 08:02, peter hollings wrote:
> > It's interesting (from a civil liberties perspective) that there is a backdoor into PGP. Can you tell me more? How did this come about? Was it publicized? Does encryption technology without backdoors exist? If so, how can we be sure?
> >
> > Also, of potential interest is the FBI's "Carnivore" system. Carnivore basically automates the surveillance process on the Internet. If one combines backdoors with surveillance, one has quite a capability. For a recent study on Carnivore see: http://www.usdoj.gov/jmd/publications/carniv_entry.htm .
> >
> > For SuSE this may be off-topic. If we hear any objection, I propose that we move it off the list.
I would think anyone on this list concerned with security would be well advised to take an interest in this !
(just when you thought it was safe to go into the water...)
Cliff
> > Regards,
> >
> > Peter Hollings
> >
> > ----- Original Message -----
> > From: "Jerry Kreps"
> > To: "zentara" ; "peter hollings"
> > Cc: ; ; "suse-linux-e"
> > Sent: Monday, December 04, 2000 5:28 PM
> > Subject: Re: [SLE] A very interesting paper by Ken Thompson..
> >
> > > On Monday 04 December 2000 15:36, zentara wrote:
> > > > peter hollings wrote:
> > > > > Yes, the NSA is a possibility, but I'd be more concerned about the ill effects on society that could be brought about via a widely distributed, closed, proprietary system such as Windows. It's another reason for using Linux.
> > > >
> > > > I'm an old windows basher, but as the article stated, no OS is immune to the microcode attack.
> > > > I was discussing a while back whether pgp and other encryption programs had "backdoors" in them, the answer was "if it exists, it's in our c compilers", controlled by very high level people. I have a paranoid streak. :-)
> > >
> > > It's not paranoia if it true, and with regards to pgp it is true. The NSA backdoor to version 6.x of pgp (I don't remember if 5.x has the backdoor) is verified. That is why there was a recent mass movement from pgp to gpg
> > >
> > > --
> > > Scientific theories, according to Sir Karl Popper, can be "falsified," or proven wrong, by experiment. Unscientific theories -Marxist dialectical history and Freudian psychology were Popper's favorites- are formed in such a way that they cannot be falsified by data.
-- Scientific theories, according to Sir Karl Popper, can be "falsified," or proven wrong, by experiment. Unscientific theories -Marxist dialectical history and Freudian psychology were Popper's favorites- are formed in such a way that they cannot be falsified by data.
Date: Wed, 6 Dec 2000 14:18:14 -0600 (CST)
From: Michael
Message-ID: <3A2EB2E1.86619CE4@gypsyfarm.com>
Date: Wed, 06 Dec 2000 16:42:57 -0500
From: zentara
What pop 3 server does SuSE use? I've never set up Pop3 under Linux. Any good sites for doing it under SuSE? Thanks.
From usr/doc/packages/pop/pop3d is the following info on pop3d which is the suse default.
#################
This is the source code for a POP3 server running under 4.3BSD. This server was written at the University of California at Davis. The server implements the minimal POP3 command list, plus two extension commands. You can get a copy of this distribution with anonymous FTP at: ftp.ucadavis.edu:/pub/pop3d.tar
################
You can get a nice package called qpopper, which supports pop and APOP, and install it easily.
Date: Wed, 6 Dec 2000 16:06:56 -0600 (CST)
From: Michael
Michael wrote:
What pop 3 server does SuSE use? I've never set up Pop3 under Linux. Any good sites for doing it under SuSE? Thanks.
From usr/doc/packages/pop/pop3d is the following info on pop3d which is the suse default.
#################
This is the source code for a POP3 server running under 4.3BSD. This server was written at the University of California at Davis. The server implements the minimal POP3 command list, plus two extension commands. You can get a copy of this distribution with anonymous FTP at: ftp.ucadavis.edu:/pub/pop3d.tar
################
You can get a nice package called qpopper, which supports pop and APOP, and install it easily.
Message-Id: <5.0.2.1.0.20001206172932.025e3ec8@claborn.net>
Date: Wed, 06 Dec 2000 17:30:01 -0600
From: wilson@claborn.net (Jonathan Wilson)
Subject: Re: [SLE] Pop 3 Server
I like GNU-pop3d. For one thing, it has virtual user support, which is very important to me.
JW
At 04:06 PM 12/6/2000 -0600, you wrote:
Any pros and cons for using pop3d rather than popper? I seem to have both installed on my box (but neither running yet).
*^*^*^* Have the courage to take your own thoughts seriously, for they will shape you. -- Albert Einstein
On Wed, 6 Dec 2000, zentara wrote:
Michael wrote:
What pop 3 server does SuSE use? I've never set up Pop3 under Linux. Any good sites for doing it under SuSE? Thanks.
From usr/doc/packages/pop/pop3d is the following info on pop3d which is the suse default.
#################
This is the source code for a POP3 server running under 4.3BSD. This server was written at the University of California at Davis. The server implements the minimal POP3 command list, plus two extension commands. You can get a copy of this distribution with anonymous FTP at: ftp.ucadavis.edu:/pub/pop3d.tar
################
You can get a nice package called qpopper, which supports pop and APOP, and install it easily.
Message-ID: <3A2FA267.69732DDC@gypsyfarm.com>
Date: Thu, 07 Dec 2000 09:44:55 -0500
From: zentara
Any pros and cons for using pop3d rather than popper? I seem to have both installed on my box (but neither running yet).
Well popper lets you use apop, which encrypts mail passwords and stores them in a database. It also allows you to have a different mail and login password. This can be important since most users' popmail passwords are their login passwords. The drawback is netscape doesn't support apop, so you need to use a mail client that does, I use Xfmail. I have run both together. Running pop3d on port 110 for netscape users, and assigning qpopper to port 109, for apop users. It works OK that way.
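The APOP exchange mentioned in the message above, worked through as defined in RFC 1939 (an added example, not part of the original post and not qpopper's code): the client answers the server's greeting timestamp with an MD5 digest of timestamp plus shared secret, so the password itself never crosses the wire. The greeting, user and secret are the sample values from RFC 1939; the function names and the `SECRETS` table are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Sample values from the APOP example in RFC 1939 (not from this thread).
GREETING = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"

# Hypothetical server-side store. APOP needs the secret itself, not a hash of
# it, which is why it is kept in a database separate from the login password.
SECRETS = {"mrose": "tanstaaf"}


def extract_timestamp(greeting):
    """Return the <...@...> banner from the greeting, or None if the server
    does not offer APOP (no timestamp in the greeting)."""
    match = re.search(r"<[^<>\s]+@[^<>\s]+>", greeting)
    return match.group(0) if match else None


def apop_digest(timestamp, secret):
    """MD5 over timestamp followed by secret, as 32 lowercase hex digits."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()


def client_command(greeting, user, secret):
    """Build the APOP line a client sends instead of USER/PASS."""
    timestamp = extract_timestamp(greeting)
    if timestamp is None:
        raise ValueError("greeting has no timestamp; APOP not available")
    return "APOP {} {}".format(user, apop_digest(timestamp, secret))


def server_verify(session_timestamp, command, secrets):
    """Check an APOP line against the timestamp issued for THIS session."""
    parts = command.split(" ")
    if len(parts) != 3 or parts[0].upper() != "APOP":
        return "-ERR malformed command"
    _, user, digest = parts
    if not re.fullmatch(r"[0-9a-f]{32}", digest):
        return "-ERR malformed digest"
    secret = secrets.get(user)
    # Compute a digest for unknown users too, so both failure paths do the
    # same work, and compare in constant time.
    expected = apop_digest(session_timestamp, secret if secret is not None else "")
    ok = secret is not None and hmac.compare_digest(expected, digest)
    return "+OK maildrop locked and ready" if ok else "-ERR permission denied"


if __name__ == "__main__":
    ts = extract_timestamp(GREETING)
    cmd = client_command(GREETING, "mrose", SECRETS["mrose"])
    print("S:", GREETING)
    print("C:", cmd)
    print("S:", server_verify(ts, cmd, SECRETS))
    # A digest captured from one session is useless against the next
    # greeting, because the server issues a fresh timestamp each time.
    next_ts = "<1897.697170999@dbc.mtview.ca.us>"  # constructed value
    print("replay ->", server_verify(next_ts, cmd, SECRETS))
```
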
Date: Thu, 7 Dec 2000 08:54:42 -0600 (CST)
From: Michael
Michael wrote:
Any pros and cons for using pop3d rather than popper? I seem to have both installed on my box (but neither running yet).
Well popper lets you use apop, which encrypts mail passwords and stores them in a database. It also allows you to have a different mail and login password. This can be important since most users' popmail passwords are their login passwords.
The drawback is netscape doesn't support apop, so you need to use a mail client that does, I use Xfmail.
I have run both together. Running pop3d on port 110 for netscape users, and assigning qpopper to port 109, for apop users. It works OK that way.
Message-ID: <3A2FA689.42004626@gypsyfarm.com>
Date: Thu, 07 Dec 2000 10:02:33 -0500
From: zentara
I actually do need to force all our users to use some form of encryption on their passwords as I'm forced to put the mail server on a highly critical e-commerce server we have and I don't want any user accounts being hacked. We do however have some users that use Netscape and Mozilla mail. Is there any form of password encryption that one of those will use?
Netscape also supports IMAP, but I don't know if IMAP supports encryption.
Message-Id: <4.3.2.7.2.20001207112317.00b099b0@192.168.1.2>
Date: Thu, 07 Dec 2000 11:25:29 -0600
From: Geordon VanTassle
I actually do need to force all our users to use some form of encryption on their passwords as I'm forced to put the mail server on a highly critical e-commerce server we have and I don't want any user accounts being hacked. We do however have some users that use Netscape and Mozilla mail. Is there any form of password encryption that one of those will use?
*^*^*^* Have the courage to take your own thoughts seriously, for they will shape you. -- Albert Einstein
Date: Thu, 7 Dec 2000 11:36:00 -0600 (CST)
From: Michael
Have you considered using some sort of SSL-encrypted Web-mail reader? I know that there are several out there that might fill the bill. Granted, it's not an ideal situation, but then again, neither is having user accounts on a critical server.
At 08:54 AM 12/7/00, Michael wrote:
I actually do need to force all our users to use some form of encryption on their passwords as I'm forced to put the mail server on a highly critical e-commerce server we have and I don't want any user accounts being hacked. We do however have some users that use Netscape and Mozilla mail. Is there any form of password encryption that one of those will use?