With all of the password hacking that has been occurring, the issue of re-sysopping users is being discussed on WP:ANI.
For admins with PGP/GPG keys, one suggested method for confirming that the admin him or herself has regained control of the account (or is behind the new e-mail) is to use that key to verify the person.
Of course, this only works if the verification occurred before any hack attempts.
I know a number of you have encryption keys (all those pesky attachments and such) so in parallel with the discussion here: http://en.wikipedia.org/wiki/Wikipedia:Administrators%27_noticeboard/Inciden... may not be a poor idea for some of us to either meet in person with our fingerprints, or at the very least perform encrypted challenge-responses with each other, to create a baseline for identification purposes.
Just a thought.
Avi
On 5/8/07, Avi avi.wiki@gmail.com wrote: http://en.wikipedia.org/wiki/Wikipedia:Administrators%27_noticeboard/Inciden...
may not be a poor idea for some of us to either meet in person with our fingerprints, or at the very least perform encrypted challenge-responses with each other, to create a baseline for identification purposes.
I don't see how your encrypted challenge response isn't vulnerable to a MITM attack. ;)
I.e. I claim to be cyde and give you a key I control but which says 'cyde', then I go to cyde and give him a key claiming to be you.. then I proxy communication between you two. :)
The standard behavior for PGP web of trust is a verified identity exchange, i.e. person to person with a shown ID.
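Added example, not part of the original thread or written by any of its participants: the relay described in the message above, and the in-person fingerprint comparison that catches it. Textbook RSA on constructed keys stands in for PGP, the SHA-1 over key material stands in for an OpenPGP fingerprint, and every name in the code is hypothetical.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by the toy keys

def make_key(p, q):
    """Textbook RSA key from two primes (toy: no padding, demo only)."""
    n = p * q
    return {"pub": (n, E), "d": pow(E, -1, (p - 1) * (q - 1))}

def fingerprint(pub):
    """Stand-in for an OpenPGP fingerprint: SHA-1 over the public key material."""
    return hashlib.sha1(f"{pub[0]}:{pub[1]}".encode()).hexdigest()

def encrypt(pub, m):
    return pow(m, pub[1], pub[0])

def decrypt(key, c):
    return pow(c, key["d"], key["pub"][0])

# Constructed keys built from Mersenne primes. CYDE is the real admin's key;
# PROXY is a different key that is merely labelled 'cyde' when handed over.
CYDE = make_key(2**89 - 1, 2**107 - 1)
PROXY = make_key(2**61 - 1, 2**127 - 1)

def cyde_answers(ciphertext):
    """The real key holder decrypts a challenge addressed to his key."""
    return decrypt(CYDE, ciphertext)

def proxy_answers(ciphertext):
    """Party in the middle: opens the challenge with its own key, re-encrypts
    it to the real key, and relays the real holder's answer."""
    nonce = decrypt(PROXY, ciphertext)
    return cyde_answers(encrypt(CYDE["pub"], nonce))

def challenge_response(claimed_pub, channel):
    """Encrypt a fresh nonce to the key we were handed; expect it echoed back."""
    nonce = secrets.randbelow(2**64)
    return channel(encrypt(claimed_pub, nonce)) == nonce

def fingerprint_matches(claimed_pub, fingerprint_from_meeting):
    """Compare the handed-over key with a fingerprint obtained in person."""
    return secrets.compare_digest(fingerprint(claimed_pub), fingerprint_from_meeting)
```

The challenge-response succeeds for both keys because it only proves that someone on the channel holds the matching private key; only the fingerprint obtained face to face distinguishes the two.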
Gregory Maxwell stated for the record:
On 5/8/07, Avi avi.wiki@gmail.com wrote: http://en.wikipedia.org/wiki/Wikipedia:Administrators%27_noticeboard/Inciden...
may not be a poor idea for some of us to either meet in person with our fingerprints, or at the very least perform encrypted challenge-responses with each other, to create a baseline for identification purposes.
I don't see how your encrypted challenge response isn't vulnerable to a MITM attack. ;)
I.e. I claim to be cyde and give you a key I control but which says 'cyde', then I go to cyde and give him a key claiming to be you.. then I proxy communication between you two. :)
The standard behavior for PGP web of trust is a verified identity exchange, i.e. person to person with a shown ID.
I've been signing messages to this list for some years now. Either I hacked this account a long time ago and have not yet made use of its privileges except to post the occasional snide remark, or I'm the same person who was appointed to the ArbComm.
If anyone wants to drop by to see me, and swap keys, just ask. But paranoia is not sufficient reason to get me to traveling more than a few li.
--
Sean Barrett | What if the hokey pokey is
sean@epoptic.com | really what it's all about?
On 5/9/07, Sean Barrett sean@epoptic.com wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
...
I've been signing messages to this list for some years now. Either I
...
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGQLEi/SVOiq2uhHMRAtPjAKCir6gsuwg/51u/giz416E1wFbenwCfUnnw zZah+eZEYqvKvTUNGD2Ckzw= =xoWo -----END PGP SIGNATURE-----
Yes, you add 10 lines of spam to every message you send. What's the benefit? How does this help us? Sorry, but I've been meaning to ask the PGP'ers for a while now. Is there such a great risk that someone will impersonate you and we will fall for it? It seems to me that signing your message lets you prove that you indeed were the author of a message. But it doesn't help an unsuspecting person know that you weren't the author of a message.
Steve
Steve Bennett wrote:
On 5/9/07, Sean Barrett sean@epoptic.com wrote:
Yes, you add 10 lines of spam to every message you send. What's the benefit? How does this help us? Sorry, but I've been meaning to ask the PGP'ers for a while now. Is there such a great risk that someone will impersonate you and we will fall for it? It seems to me that signing your message lets you prove that you indeed were the author of a message. But it doesn't help an unsuspecting person know that you weren't the author of a message.
If someone is using a sane OpenPGP-compatible mail client the signatures will show up as attachments, such as mine. (If the signature to this message is displayed inline then I suggest you find a user-agent that Has A Clue.)
I usually sign all my mail, no matter who it gets sent to, but I always ALWAYS sign mail I send to a mailing list. Spoofing the sender address is just too easy, and few people bother to check. I'm not saying anyone would want to spoof email from me, but you don't know until it happens, eh? It's more of a way for me to say, in that event, "no, I didn't send that message" than it is of saying "yeah, I sent this message."
Spoofing aside, it's a lot easier to compromise an email account on some server than to get a key off my Linux fortress *and* break the passphrase.
Steve Bennett stated for the record:
Yes, you add 10 lines of spam to every message you send.
No, I don't. I add an information-dense attachment that no modern mail client displays inline.
Wikimedia's various servers add numerous "Received" lines to every message to the list. Why aren't you complaining about them? Probably because your client handles them properly.
--
Sean Barrett | Hey! That's not haiku
sean@epoptic.com | You're just counting syllables
| Stop that this instant!
Sean Barrett wrote:
No, I don't. I add an information-dense attachment that no modern mail client displays inline.
Except you actually don't. If you look at the source of your email you'll see that it's being sent inline, not as an attachment. I suggest you look for some option to enable PGP/MIME, as that will turn the signature into an attachment.
David Gerard wrote:
On 11/05/07, Sean Barrett sean@epoptic.com wrote:
No, I don't. I add an information-dense attachment that no modern mail client displays inline.
Except, of course, Gmail ...
Maybe he should have used "sane" instead of "modern." My views on gmail are mostly unprintable, so I'll just leave it at that.
On 12/05/07, Chris Howie cdhowie@nerdshack.com wrote:
David Gerard wrote:
On 11/05/07, Sean Barrett sean@epoptic.com wrote:
No, I don't. I add an information-dense attachment that no modern mail client displays inline.
Except, of course, Gmail ...
Maybe he should have used "sane" instead of "modern." My views on gmail are mostly unprintable, so I'll just leave it at that.
For me the killer features of Gmail are:
1. Searching the entire mail bucket.
2. One page per thread. So stupid mailing list threads are *one* skimmable page.
Everything else sucks. So I want the above in Thunderbird and I'll go back to it.
- d.
On 5/12/07, David Gerard dgerard@gmail.com wrote:
For me the killer features of Gmail are:
- Searching the entire mail bucket.
- One page per thread. So stupid mailing list threads are *one* skimmable page.
What sucks about 2 is that you can't distinguish between individual messages in a thread that are read or not read. So you end up missing whole threads because you read a few messages and skipped the rest, and they all got marked read.
3. All the mail I've received in the last 3 years searchable wherever I am, even on my phone. Incredibly useful.
4. Nice filtering/hiding of repeated strings (quoted paragraphs, signatures).
Ultimately it was 3 that made me abandon having a local mail client. I could download all the mail onto my computer with a client, but there just doesn't seem to be much point.
Steve
David Gerard wrote:
On 12/05/07, Chris Howie cdhowie@nerdshack.com wrote:
Maybe he should have used "sane" instead of "modern." My views on gmail are mostly unprintable, so I'll just leave it at that.
For me the killer features of Gmail are:
- Searching the entire mail bucket.
- One page per thread. So stupid mailing list threads are *one* skimmable page.
Everything else sucks. So I want the above in Thunderbird and I'll go back to it.
I'm using Icedove 1.5.0 (Debian's rebranded Thunderbird) and it has had 1. for a while, and for 2. you don't get one page per thread, but it can display any message folder in a threaded view, and whole threads are sorted by the time the last message in that thread was received. So I can click on my wikien-l folder and scroll up a few pages to review threads with newly received messages.
On 12/05/07, Chris Howie cdhowie@nerdshack.com wrote:
David Gerard wrote:
For me the killer features of Gmail are:
- Searching the entire mail bucket.
- One page per thread. So stupid mailing list threads are *one* skimmable page.
Everything else sucks. So I want the above in Thunderbird and I'll go back to it.
I'm using Icedove 1.5.0 (Debian's rebranded Thunderbird) and it has had 1. for a while, and for 2. you don't get one page per thread, but it can display any message folder in a threaded view, and whole threads are sorted by the time the last message in that thread was received. So I can click on my wikien-l folder and scroll up a few pages to review threads with newly received messages.
It only has these features in the "ticking off the list of features" sense. I am quite familiar with Thunderbird, and it really does much worse at these two than Gmail.
- d.
On 12/05/07, David Gerard dgerard@gmail.com wrote:
It only has these features in the "ticking off the list of features" sense. I am quite familiar with Thunderbird, and it really does much worse at these two than Gmail.
This may ameliorate the situation a little for Thunderbird users: http://www.longshot.com/~kmixter/gmailui.html
Doesn't implement the page-per-thread view, though.
Another good thing about Gmail is that it interleaves your sent messages in a thread, which makes a lot of sense.
G'day Sean,
Steve Bennett stated for the record:
Yes, you add 10 lines of spam to every message you send.
No, I don't. I add an information-dense attachment that no modern mail client displays inline.
On the assumption that Mozilla Thunderbird counts as a "modern mail client": bzzzt!
My mail client handles PGP keys appropriately (at least, to my limited level of understanding, it does), and no other poster to this list seems to "add 10 lines of spam to every message" except you. This includes those who use PGP. I think the problem may well be at your end.
(In any case, as someone once said, PGP doesn't guarantee that you are the sender of the message: it just means that, if you aren't, nobody will believe you.)
<snip/>
(In any case, as someone once said, PGP doesn't guarantee that you are the sender of the message: it just means that, if you aren't, nobody will believe you.)
Oh, that "someone" was Matt Brown, in this very thread.
Ahem.
(What's that word, starting with M, that means feeling very small and red?)
On 5/13/07, Mark Gallagher m.g.gallagher@student.canberra.edu.au wrote:
G'day Sean,
Steve Bennett stated for the record:
Yes, you add 10 lines of spam to every message you send.
No, I don't. I add an information-dense attachment that no modern mail client displays inline.
On the assumption that Mozilla Thunderbird counts as a "modern mail client": bzzzt!
My mail client handles PGP keys appropriately (at least, to my limited level of understanding, it does), and no other poster to this list seems to "add 10 lines of spam to every message" except you. This includes those who use PGP. I think the problem may well be at your end.
Yeah, I see others' PGP keys handled as attachments in Gmail. It's only Sean's PGP key that shows up inline.
Johnleemk
John Lee stated for the record:
Yeah, I see others' PGP keys handled as attachments in Gmail. It's only Sean's PGP key that shows up inline.
Johnleemk
That is a useful comment. Looking through the Preferences for Enigmail, I see that I had PGP/MIME set to "allow" instead of "always." Is this an improvement?
Sean Barrett wrote:
John Lee stated for the record:
Yeah, I see others' PGP keys handled as attachments in Gmail. It's only Sean's PGP key that shows up inline.
Johnleemk
That is a useful comment. Looking through the Preferences for Enigmail, I see that I had PGP/MIME set to "allow" instead of "always." Is this an improvement?
It's showing correctly as an attachment in gmail now. Do you have your most recent public key on a keyserver, though? I can't find it off of any of the standard ones.
Todd Allen stated for the record:
It's showing correctly as an attachment in gmail now. Do you have your most recent public key on a keyserver, though? I can't find it off of any of the standard ones.
http://keyserver.noreply.org/pks/lookup?op=get&search=0xFD254E8AADAE8473