
RE: P1619: Errors happen



Serge,

> Did you notice that you have published e-mail addresses of other people

No, I did not (I only noticed the huge increase of spam sent to me, not
the spam sent to other people). I assumed (wrongly) that addresses are
blinded in quoted email headers in the reflector, because most bulletin
board software has done that for a long time now. Addresses outside of email
headers are mostly left unchanged, and we ought to be careful. It is not
the person to be blamed, but the mail archive program, which I asked to
be enhanced with a mail blinding filter.

> There is no need to insult members of the group.

It was not my intention, but to show that errors do happen, and not only
when the system was "architected by people who don't know what they are
doing." I am not suggesting that the mail archive was architected by
this kind of people. Knowing that I constantly make mistakes makes it
desirable for me to architect systems which are less susceptible to
human errors.

> we will not be able to prevent misuse of the standard

Nobody seems to get my point. Of course, you can misuse the standard. I
have been worried about innocent user mistakes. If we don't do
anything, which prevents grandma storing her keys on the encrypted disk
with a simple applet or script; or the OS swaps the memory to disk, when
she looks at her keys; she will be an innocent victim. These can be
trivially thwarted, so why don't we do it? You could argue, that there
are infinitely many other innocent mistakes, we cannot possibly prevent
them all. I don't know about many other mistakes, which are not
preventable by common sense (like posting the keys on a website). I
would accept this position, if you show me a large number of uncommon
sense mistakes.

Laszlo

> -------- Original Message --------
> Subject: RE: P1619: Errors happen
> From: "Serge Plotkin" 
> Date: Mon, May 29, 2006 1:37 pm
> 
> Laszlo,
> 
> Did you notice that you have published e-mail addresses of other people
> to the list yourself? Example: your message on Wed, 24 May 2006 12:36:26
> -0400.
> Also your message from 26 May 2006 19:16:05 -0700.
> I bet I can find more...
> 
> There is no need to insult members of the group. 
> 
> By the way, Shai's claim that we will not be able to prevent misuse of
> the standard is a perfectly valid one. All we can do is to add warnings.
> As I have mentioned many times before, it is very easy to architect a
> system that will conform to a standard but will be totally not secure.
> 
> -serge
> 
> 
> > -----Original Message-----
> > Sent: Monday, May 29, 2006 9:46 AM
> > To: SISWG
> > 
> > Jim,
> > 
> > Could you please, once again, let someone edit the archived emails in
> > the reflector? In the messages msg00887, msg00880, msg00876 Shai
> > spelled out my full email address. Since these posts I received
> > hundreds of junk emails, making my email account almost unusable.
> > Publishing email addresses looks like a cheap way to silence someone in
> > the reflector: the spammers do the dirty work for free.
> > 
> > One would think, that such a stupid mistake (as Shai wrote for storing
> > keys on disk) 'does not arise in "real world systems" (unless they were
> > architected by people who don't know what they are doing)'. It proves my
> > point (classified as red herring): mistakes do happen, and even
> > information security professionals make errors of serious consequences.
> > 
> > Would it be possible to install a filter, which automatically blinds
> > email addresses in messages posted to the reflector?
> > 
> > Laszlo