PGP Signature and Melissa Stuff

John Thompson PMMAIL Discussion List <PMMAIL-L@VM.EGE.EDU.TR>
Tue, 27 Apr 1999 16:13:25 -0500


On Tue, 27 Apr 1999 01:12:27 -0400, Ralph Cohen wrote:

>>About encrypting making sense in business only:
>>If only such mail is enveloped, the wrong people might get nosy and try to
>>set up a trojan at your computer to catch the secret key file. Cracking
>>that is possible, so from then on, they read your enc. stuff cause it is
>>important (It gotta be, after all, it's encrypted).
>>
>>Ohh, this trojan already exists in different versions out in the net.

>If encrypting certain groups of messages could cause attention to be
>paid to them by the "wrong people" who might set up a trojan, etc. to
>grab your secret key file, then why would encrypting all your messages
>make you less of a target?  I would imagine that in most cases, the
>targets of email interception are chosen before consideration is given
>to what if any encryption they may use.  As you pointed out, even if
>encryption is encountered there are ways around it.

I think this is the "security through obscurity" approach.  As long as
only a few people are using encryption only for specific purposes, anybody
monitoring such use will be able to target those people for cracking their
secret keys.  OTOH, if everybody used encryption regardless of the message
content, then those people whose encrypted messages carry "interesting"
information will be harder to target for cracking since there's no way of
distinguishing an "interesting" message from an uninteresting one without
decrypting each and every message.  Which puts it in the category of "too
much work."

John (john.thompson@ibm.net)