=
×

Julian Cope presents Head Heritage

Head To Head
Log In
Register
U-Know! Forum »
Calling Grufty Jim (& the rest of you 2)
Log In to post a reply
60 messages
Topic View: Flat | Threaded
grufty jim
grufty jim
1978 posts

Re: when used correctly & securely
Nov 12, 2002, 15:28
When you talk about having a PGP passphrase / key "coerced" from someone, you completely mystify me. PGP isn't designed to be an anti-coercion device. It effectively secures digital communications. That's what it's designed to do. To criticise it because it can't prevent information being beaten out of someone (or coaxed out of them with threats of incarceration) is like criticising it for not making you toast in the morning.

PGP allows secure communication. That is all it does. Yes, it can becompromised if the person you are communicating with has been bought off, or threatened effectively. But so what? If one member of a trusted communications system has been compromised, then the method of communication is irrelevant - and why coerce the PGP out of them? Why not just coerce the information you're looking for?

And yet, despite that; PGP does try to make dealing with a compromised key as easy as possible (within reason). Because public keys are distributed on open key-servers which synchronise with one another constantly; it's possible for someone - who knows their key is compromised - to 'revoke' it, and within hours at most have it removed from the system.

What's more - although someone can't 'revoke' someone else's key (for obvious reasons :) if you found out, say, that my key was compromised; you could list it as 'untrusted' on your key - that would then cascade to everyone else who has your key in their keyring file. They could then decide whether to trust your 'untrusted' decision or not.

So no, the system isn't perfect (in the sense that any information contained in a human brain can theoretically be coaxed out of that brain by a determined interrogator); but as a means of sending digital information securely (which is all it claims to be), it's - for all practical purposes - secure.

Keystroke-logging software is a separate issue (though it is one way that a PGP key could be compromised). Pretty much any half-decent tech-head could unearth such a trojan on a machine and remove it. Of course, not everyone is a tech-head, but a clean install of the OS is probably overkill unless you don't know any geeks and have reason to believe that someone has had access to your system (remember, even a bog-standard firewall or real-time virus monitor will prevent such software being installed remotely).

On the subject of shielding your computer. In my opinion the security services in this country do not have the resourcs to carry out that form of high-tech, low-level surveillance on more than a handful of people. On the other hand, this is probably changing - and certainly in the States it's becoming more of an issue.

I'm not sure if you're aware of the technology that allows that kind of surveillance, however. It's basically EMR scanners (or related technology), and lining your room with lead is (a) very silly and (b) possibly toxic, when all you need is a home-made Faraday Cage made out of tin-foil. I once considered building one - but realised *just* how paranoid i must be to consider such a thing, and resolved to sort my head out instead (a project i'm still working on, needless to say).
In reply to:
WHEN USED CORRECTLY AND SECURELY (YerArseInParsley)		 Replies:
Doesn't make toast? (FourWinds)
Re: when used correctly & securely (YerArseInParsley)
Re: when used correctly & securely (YerArseInParsley)
Topic Outline:
U-Know! Forum Index