
Comment: Re:I dont see the need for this feature... (Score 1) 95

by Eythian (#49280195) Attached to: Facebook Introduces Payment System

Similar deal in NZ, but it may take a few hours, and it costs nothing. It's a pretty standard way of paying someone if you can't be bothered messing about with cash. Ours doesn't use email though, just bank account numbers (and increasingly phone numbers, but I haven't explored how that works.)

Comment: If I create the image... (Score 3, Interesting) 564

by spywhere (#49171935) Attached to: Why We Should Stop Hiding File-Name Extensions
When I did Windows XP images for clients, I always set the Default User profile to display extensions.
I did this without asking, without any discussion beforehand, and only had to defend the decision once near the end of the design project... my defense was, "This is the right way to do it, so that's what we're doing." End of discussion.

Comment: Re:I use GnuPG (Score 1) 309

by Eythian (#49134123) Attached to: Moxie Marlinspike: GPG Has Run Its Course

No, that's not true. Trite, but still false. Additionally, in your case, it's neither automatic, nor trustworthy.

Thing is, there is a mechanism to make doing it this way trustworthy. By opting out of that mechanism, you put the burden onto everyone else for no reason. The result is that you remove your key from the set able to be considered trustworthy without effort.

Comment: Re:I use GnuPG (Score 1) 309

by Eythian (#49133789) Attached to: Moxie Marlinspike: GPG Has Run Its Course

You can retain a copy of my public key on your computer. Then you can trust any signed message from me to be from the same source as the previous signed message from me.

No, I can't. That's the point. Not without jumping through manual hoops.

"get it to me somehow, and I would have no choice but to accept it"? You allow random strangers to update your hard disk? I don't.

It's not an uncommon configuration to have email clients automatically fetch the keys for signed messages in order to check them. This is generally a sensible configuration, too. However you not using the normal ways of validating trust means that the normal ways don't work in your single case. So trust of your emails can't be verified. Essentially, participating in the web of trust and uploading to keyservers resolves this issue. But because you don't, there is no possible trust path.

There is an argument for trust continuance (i.e. if I trust your key once, why not do it in the future), but your methods make that very annoying to implement, requiring manual checking.

It feels like you either have a misunderstanding of how the WoT is supposed to work that leads you to false conclusions on how best to use it, or you're attempting to subvert it for some reason, however only succeeding in making it too annoying for other people to be bothered working with it.

Comment: Re:I use GnuPG (Score 1) 309

by Eythian (#49133425) Attached to: Moxie Marlinspike: GPG Has Run Its Course

Wrong. You can retain a copy of my public key on your computer. Then you can trust any signed message from me to be from the same source as the previous signed message from me.

Someone could make a key with the same details, get it to me somehow, and I would have no choice but to accept it, or:

  • manually compare the fingerprint (not just the key ID, the whole fingerprint) with that of your previous messages.
  • locally sign it.

These are all things that don't normally have to be done. By eschewing the trust mechanisms, you're reducing the amount of trust I would have that messages to/from you couldn't be compromised.
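
An added example, not part of the comments above and not GnuPG's own code: the manual fingerprint comparison and the "trust continuance" idea from this thread, written as a trust-on-first-use pin check that accepts only full 160-bit v4 fingerprints and refuses key IDs. `PinStore`, `constructed_packet`, the user ID and the key material are hypothetical, constructed values.

```python
import hashlib
import hmac
import struct

def v4_fingerprint(packet_body: bytes) -> str:
    # RFC 4880 section 12.2: SHA-1 over the octet 0x99, a two-octet
    # length, then the public-key packet body.
    framed = b"\x99" + struct.pack(">H", len(packet_body)) + packet_body
    return hashlib.sha1(framed).hexdigest().upper()

def normalize_fingerprint(text: str) -> str:
    # Accept the spaced display form, but refuse anything that is not
    # the whole 40-hex-digit fingerprint (so 8- or 16-digit key IDs fail).
    fpr = "".join(text.split()).upper()
    if len(fpr) != 40 or any(c not in "0123456789ABCDEF" for c in fpr):
        raise ValueError("need the full 40-hex-digit fingerprint, not a key ID")
    return fpr

class PinStore:
    """Hypothetical trust-on-first-use store: user ID -> pinned fingerprint."""
    def __init__(self):
        self._pins = {}

    def check(self, user_id: str, fingerprint: str) -> str:
        fpr = normalize_fingerprint(fingerprint)
        pinned = self._pins.get(user_id)
        if pinned is None:
            self._pins[user_id] = fpr
            return "pinned-on-first-use"
        return "match" if hmac.compare_digest(pinned, fpr) else "mismatch"

def constructed_packet(modulus: int) -> bytes:
    # Constructed sample body: version 4, creation time, algorithm 1 (RSA),
    # then MPIs n and e. Toy-sized numbers, not a real key.
    def mpi(x: int) -> bytes:
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    return b"\x04" + struct.pack(">I", 1407024000) + b"\x01" + mpi(modulus) + mpi(65537)

def demo() -> list:
    uid = "Alice Example <alice@example.org>"  # constructed user ID
    original = v4_fingerprint(constructed_packet(0xC0FFEE11))
    lookalike = v4_fingerprint(constructed_packet(0xC0FFEE13))  # same user ID, other key
    spaced = " ".join(original[i:i + 4] for i in range(0, 40, 4)).lower()
    store = PinStore()
    results = [store.check(uid, original), store.check(uid, spaced), store.check(uid, lookalike)]
    try:
        store.check(uid, original[-8:])  # short key ID only
    except ValueError:
        results.append("rejected-key-id")
    return results

if __name__ == "__main__":
    print(demo())
```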

Comment: Re:People are dumb, and don't care (Score 1) 309

by Eythian (#49132335) Attached to: Moxie Marlinspike: GPG Has Run Its Course

I've only ever bothered for Slackware, for which I believe the ISO images are signed with the official Slackware key.

If you use Ubuntu or Debian, then you are using it every time you do an apt-get update to verify the resulting software lists (which includes the hashes of the software itself.)

Comment: Re:I use GnuPG (Score 1) 309

by Eythian (#49132255) Attached to: Moxie Marlinspike: GPG Has Run Its Course

It is not on any "KeyServer"

Not true:
$ gpg --search "73D9A8A4"
gpg: zoeken naar '73D9A8A4' van de hkps server hkps.pool.sks-keyservers.net
(1) Andy Canfield
            2048 bit RSA key 73D9A8A4, aangemaakt: 2014-08-03

However, it's not associated with your email address, so no mail client can understand it to use it.

Later, you say:

and the public key you get from my web site should confirm the signature.

But I can't trust your site, because it's not HTTPS (which isn't perfect, but is better.) You can get free SSL certs. And I can't trust your key because it's not in the web of trust.

Basically, you have a PGP key, but it's useless for many cases because you haven't done some simple steps to make it useable. I could never trust any signed message to actually be for you, and I can't trust the information I have to encrypt something to you.

Also, yes keyservers can be subverted by the NSA etc. They can also be subverted by me. They're insecure by design, and so that makes them safer.

Comment: Re:Yes. It will. (Score 1) 146

The average slashdot reader doesn't watch television or play video games.

Most slashdotters are either engineers, attorneys, or other high-esteemed professionals; usually with their skills transcending other fields.

Your average slashdot commenter has created algorithms that have revolutionized computing, practiced law in the highest of the courts, had their works published in the journals that hold the highest esteem, filed patents only to give them to the world to use, donated large amounts of their wealth to charities, and works out four times a day to satisfy their wife from Maxim Magazine.

There is no need for a slashdot reader to indulge themselves in fantasy video games and television programs when reality is so sweet.
