 Post subject: Suggestion: About using GPG Keys on CService emails
PostPosted: Thu Oct 05, 2006 6:41 am 
Joined: Thu Jul 20, 2006 5:40 am
Posts: 13
Location: /usr/portage/asia-ph/
Good day,

This is just a suggestion. I posted it here so anyone could also suggest/share/post an idea about this and it could be open for discussion. I emailed CService about this last July; I don't know what the status is till now. Now, it's open for ideas whether it is helpful/good or just a waste of time. Btw, please move this topic if this is not the proper forum to post this in.

I just noticed that CService emails don't have GPG keys as an option for some users to send secured messages. But since lots of users (with usernames) send their private data to any of the CService emails (especially X@Undernet.org) just to change some settings of their account, it is possible for attackers to read/modify that data/content while in transit before it reaches its destination (CService emails).

For example, a user wants to change an email or revert temp manager changes, so he will also send his username, verification question/answer, channel name, etc., and he will send it to X@Undernet.org. Since the contents are not encrypted with the GPG key of the x@undernet.org email (because it doesn't yet have a GPG key for encryption) and the user is on a compromised network, it is possible for an attacker to read/modify those contents in transit.

So I suggest having GPG keys for each of the CService emails. If a user sends his private data to any of the CService emails and encrypts it with the CService public key of that email, then even if the user is on a compromised network, it's impossible for an attacker to decipher those contents since only CService has the private key to unlock them. Thus, the user is sure that his data is sent and reaches its destination securely.

Generating GPG keys for each email is fast and easy, and one more thing, it's free. Once you've generated them, you only have to post the public keys of those emails on the website, and you are the ones who keep the private keys secure or in a safe place for deciphering encrypted emails.

Contact emails of most open source projects use GPG keys for their emails, especially companies and government agencies for secure communications. I hope it will minimize stealing of usernames and registered channel takeovers.

Anyway, hope you understand what I mean... and I'm sorry in advance for my grammar and spelling... :)

Thanks a lot, good luck and God bless!!!

- araw1 (nick/username)



_________________
If it moves, compile it!
USE="gentoo linux"
http://www.gentoo.org
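The workflow proposed in the post above (the service generates a key pair, publishes the public key, the user encrypts to it), as an added example that is not part of any post in this thread. The address and message are constructed placeholders, both keyrings are throwaway temporary directories, and GnuPG 2.1 or later is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Needs GnuPG 2.1 or later.
ADDR="cservice-demo@example.org"     # placeholder address (assumption)
MSG="username=demo; channel=#demo"   # constructed sample of private data

# Prints: service=<decrypted text> eavesdropper=<ok|denied>
gpg_demo() {
  svc=$(mktemp -d) || return 1       # service keyring (holds the private key)
  usr=$(mktemp -d) || return 1       # user keyring (public key only)
  chmod 700 "$svc" "$usr"
  G="gpg --batch --quiet --no-tty"

  # 1. Service: generate the key pair. The empty passphrase is only
  #    acceptable because this key is disposable; protect a real one.
  $G --homedir "$svc" --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$ADDR" default default never 2>/dev/null || return 1

  # 2. Service: export the public half; this is the part to publish.
  $G --homedir "$svc" --armor --export "$ADDR" > "$usr/pub.asc" || return 1

  # 3. User: import the published key and encrypt to it.
  #    --trust-model always skips the ownership check; in real use,
  #    compare the key fingerprint with the one the service publishes.
  $G --homedir "$usr" --import "$usr/pub.asc" 2>/dev/null || return 1
  printf '%s' "$MSG" | $G --homedir "$usr" --trust-model always --armor \
    --recipient "$ADDR" --encrypt > "$usr/msg.asc" || return 1

  # 4. Anyone with only the ciphertext and the public key (here, the
  #    user's own keyring) cannot decrypt the message.
  if $G --homedir "$usr" --decrypt "$usr/msg.asc" >/dev/null 2>&1; then
    snoop=ok
  else
    snoop=denied
  fi

  # 5. Service: the private key recovers the plaintext.
  plain=$($G --homedir "$svc" --pinentry-mode loopback --passphrase '' \
    --decrypt "$usr/msg.asc" 2>/dev/null) || plain="<decrypt failed>"

  gpgconf --homedir "$svc" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$usr" --kill gpg-agent 2>/dev/null || true
  rm -rf "$svc" "$usr"
  printf 'service=%s eavesdropper=%s\n' "$plain" "$snoop"
}
```

Source the file and call `gpg_demo` to run the round trip; nothing is written to the real `~/.gnupg`.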
 
PostPosted: Thu Oct 05, 2006 12:55 pm 
Senior Cservice Admin
Joined: Sun Jul 06, 2003 2:47 am
Posts: 564
Location: Hamilton, New Zealand
"I hope it will minimize stealing of usernames and registered channel takeovers"

Well your idea would, if that was how they did it. But sad to say, most of the time they actually hack the user's computer, kinda defeats the GPG stuff if they can see the message before it gets encrypted doesn't it?

I have no problem making it optional, but as a requirement, do you wanna handle teaching a million people how to use it...

The real issue is user security, a better suggestion is a new group to teach users on how to better secure themselves and their computers.



_________________
xplora @ undernet.org
Past Co-ordinator
Undernet Channel Services Committee
 
PostPosted: Fri Oct 06, 2006 3:42 am 
Joined: Thu Jul 20, 2006 5:40 am
Posts: 13
Location: /usr/portage/asia-ph/
xplora wrote:
But sad to say, most of the time they actually hack the user's computer, kinda defeats the GPG stuff if they can see the message before it gets encrypted doesn't it?


Well, I'm sure lots of users know how to secure their computers. Based on my experience, most hackers work more on networks than on hacking individual computers just to get the info they want. Hackers can't easily hack into a user's computer unless it is vulnerable or infected with the hacker's malware.

xplora wrote:
I have no problem making it optional, but as a requirement, do you wanna handle teaching a million people how to use it...


We are not the ones who will teach those million people how to use it (anyway, they can always join #help for assistance). But they are the ones who will learn how to use that very SIMPLE tool if they really want to secure their emails as well as their other information. I also said before that it would be an "option" for users who know how to use it.

Windows users may use this: http://www.gpg4win.org/

Don't worry, it is GUI, which means friendly even to newbies... :)

Always remember the "Internet Superhighway" isn't as secure anymore as you thought....



_________________
If it moves, compile it!
USE="gentoo linux"
http://www.gentoo.org
 
PostPosted: Sat Oct 07, 2006 11:35 am 
Joined: Thu Jul 20, 2006 5:40 am
Posts: 13
Location: /usr/portage/asia-ph/
I forgot to quote this one... :)

xplora wrote:
The real issue is user security.....


Even let's say a user is using a highly secured computer. A hardened Linux box (anyway, I can't say Windows can be a highly secured computer, no matter how much proprietary software you put on it, ZoneAlarm/anti-virus/anti-spyware/etc. We can even accuse it of built-in backdoors since it is closed source :) ).
A highly secured Linux box, expertly configured (NSA's SELinux/RSBAC/PaX/grsecurity/etc...)

Now, data that comes out of or is transferred from a secured box can't be called secured too, or securely delivered, unless it is encrypted. The user's box is secured, but he/she can't say the data that comes out of his secured box is secured too, because we can't say the network or the entire Internet itself is secured.

That's why encryption systems were invented (SSL, PGP, etc...)



_________________
If it moves, compile it!
USE="gentoo linux"
http://www.gentoo.org
 
PostPosted: Sat Oct 07, 2006 11:05 pm 
Senior Cservice Admin
Joined: Sun Jul 06, 2003 2:47 am
Posts: 564
Location: Hamilton, New Zealand
Things to remember...

This is IRC (well actually this is a forum, but it's about an IRC network), it's supposed to be fun.
Fun needs to be easy. Security, no matter what the form, isn't easy; the trick is finding the right balance. For IRC, fun is (sad to say) more important; that means overkilling the security is a waste of time and effort.

Remember, Undernet is entirely volunteered by people that also came to IRC to have fun. So, as much as I like your idea, I just do not see it happening.



_________________
xplora @ undernet.org
Past Co-ordinator
Undernet Channel Services Committee
 
PostPosted: Sun Oct 08, 2006 7:50 am 
Joined: Thu Jul 20, 2006 5:40 am
Posts: 13
Location: /usr/portage/asia-ph/
Well, you are right that IRC is supposed to be for fun... But we are talking here about confidential data, as I stated in my first post.... The replies from CService people don't need to be encrypted since most replies don't contain confidential data as a user's do.

Aren't you aware of the security of your own CService account? Me, being just an ordinary user/volunteer here at Undernet, I'm aware of the security of my own CService account, and I'm sure the others are too, especially the IRCops and CService officials and help volunteers.

I'm not suggesting implementing SSL on the Undernet IRC network for security since we are all here for fun. But we are talking here about the security of CService accounts; I actually don't care if the other users are aware of the security of their own accounts, but I suggest this as an option for users who suspect that they are on a compromised network and know how to encrypt their data for confidence.

I'm sure lots of users here on this network are always open to new ideas, especially about this matter, for their own security. They can use this knowledge not just for securing their CService accounts but for lots of things and in the future....



_________________
If it moves, compile it!
USE="gentoo linux"
http://www.gentoo.org