North American Network Operators Group

Re: Evil PGP sigs thread must die. was Re: Stop it with putting your e-mail body in my MUA OT

  • From: Andy Dills
  • Date: Mon Jul 15 14:58:16 2002

On Mon, 15 Jul 2002, Brad Knowles wrote:

> > So, does EVERY
> > email need to be pgp signed?
>
> 	Do you need to use ssh every time you access a server remotely?

Every time the device runs ssh and I have to type a password, yes.

> Surely you know when your line is being tapped or when your packets
> are being sniffed, and you choose only those times to use ssh, and
> otherwise you use telnet?

There's some degree of truth to this. For instance, most of my routers do
not run ssh. However, I control the network between here and there, so I
am comfortable that nobody is capable of sniffing the session, so I am
comfortable using telnet and not going through an OOB connection.

>  Same goes for actually using passwords to
> login -- surely you know when it's a legitimate user that is trying
> to login and when it's someone trying to gain illicit access to your
> system, and you require them to use passwords accordingly?

Of course not. In the previous two situations, a human is making
decisions, "judgement calls". In this situation, you're asking a computer
to do so. Bad analogy.

> >  When was the last time somebody on this list bothered to check the
> >  validity of a pgp signed message which they received via nanog?
>
> 	When was the last time anyone on this list bothered to check the
> validity of any message they received via any channel?  I mean, if
> you're going to use probability to support your argument, you might
> as well widen the discussion to a much broader sample group.

So why is it that people are bothering to sign their posts to nanog if
nobody cares if the people are who they say they are?

> >  I mean, if John Sidgmore posted to that from now on, Worldcom's official
> >  pricing is $100/meg with a 3 meg commit, I wouldn't believe it for a
> >  second unless it was signed and I verified it.
>
> 	Not everything is black and white.  At what level would you
> choose to validate a message like this?

"Not everything is black and white." Does that mean you agree with me that
not everything needs to be signed? Or does that mean you agree with me in
that a judgement call must be made?

Andy

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Andy Dills                              301-682-9972
Xecunet, LLC                            www.xecu.net
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dialup * Webhosting * E-Commerce * High-Speed Access