I’ve been trying to figure out “practical encryption” (AKA “PGP”) for many years. As far as I can tell, this is not fundamentally flawed:
- I know Joe’s e-mail address: firstname.lastname@example.org.
- I have a Gmail e-mail address: email@example.com.
- I have GPG installed on my PC.
- I send a new e-mail to Joe consisting of the “PGP PUBLIC KEY BLOCK” extracted from GPG.
- Joe received it and can now encrypt a text using that “PGP PUBLIC KEY BLOCK” of mine, reply to my e-mail, and I can then decrypt it and read his message. Inside this message, Joe has included his own such PGP public key block.
- I use Joe’s PGP public key block to reply to his message, and from this point on, we only send the actual messages (no key) encrypted with each other’s keys, which we have stored on our PCs.
Is there anything fundamentally wrong/insecure about this? Some concerns:
- By simply operating the e-mail service, Google knows my public key (but not Joe’s, since that is embedded inside the encrypted blob). This doesn’t actually matter, though, does it? They can’t do anything with my public key? The only thing it can be used for is to encrypt text one-way which only I can decrypt, because only I have the private key on my computer?
- If they decide to manipulate my initial e-mail message, changing the key I sent to Joe, then Joe’s reply will be unreadable by me, since it’s no longer encrypted using my public key, but Google’s intercepted key. That means Joe and I won’t be having any conversation beyond that initial e-mail from me and the first reply by him (which Google can read), but after that, nothing happens since I can’t read/decrypt his reply?
Am I really understanding things correctly if I claim that:
- If a USB stick/device is inserted into a PC running Windows, currently in “lock screen” mode (that is, somebody has pressed WinKey + L), it will auto-mount it behind the scenes?
- If a USB stick/device is inserted into a PC running Windows, currently NOT in “lock screen” mode, it will auto-mount it by default?
- In both cases above, will it ever run any kind of executable found on it by default? (As I believe used to be the case for setup.exe on CD-ROMs back in the day.)
- Regardless of all of the above, will Windows ever auto-install DRIVERS found on the device itself when inserted into the PC (with or without lock screen)? Or is just the “device id” grabbed from the stick/device and then the appropriate drivers are downloaded from Microsoft’s secure, curated servers based on the device id?
- Why exactly are “drivers” needed whatsoever? Isn’t it using the USB standard? And also the “mass storage” standard? I don’t understand why it would ever need special “drivers” for a standard device…?
- Is the idea that sticking a USB stick/device into a PC is insecure in itself complete nonsense? Is not the truth that the user would have to actively select “Yes, please install the drivers from this random unknown device” or “Yes, please run this untrusted EXE found on this stick you just inserted and which I auto-mounted for you but would never run anything on without your active consent”? I get the same feeling as when people claim to get “hacked” constantly, but then it turns out they ran some binary e-mail attachment or clicked a big red box saying: “WARNING! Do you really want to run this EXE from sketchy-hack-toolz-4-u.ru?”… but nothing would surprise me at this point, frankly.
I wonder this both for the current Windows 10 and also for all previous versions of Windows.
I am using a private lake subdivision name as my domain name. The lake’s name is not trademarked. It is run by a property owner’s association. I have no links to the POA. I don’t mention them at all. It is just for use of service providers inside and outside of the lake. The POA’s domain is just the initials of the lake followed by POA.
I just received a Cease and Desist letter from them. Can they tell me I can’t use the name of the lake in my domain or do you think it’s a scare tactic?
All GSA experts,
When I restart or reboot my GSA Captcha Breaker & GSA Indexer, I get an error notice like the one in this picture.
Can anyone help me solve my issue? I’m a newbie at this.
Let’s say that ACME, Inc. is making closed-source software. It’s closed for a reason (they don’t want it leaving their building other than in compiled form). Now, they are hiring some company/person to audit the code for them. How exactly is this done?
If I were ACME, Inc., I would want the audit person (or persons) to come to my physical location, get literally locked into a room with no Internet access, carefully frisked for any USB sticks or any other electronics both when they enter and leave. With cameras recording the screen and the auditor’s face/hands 100% of the time he/she spends in there, which is carefully looked at by my own employees as it happens and/or afterwards.
However, this sounds both demeaning for the person doing the audit, and also unrealistic for anything but the biggest and richest companies. (And with a security-conscious/paranoid CEO.)
I cannot imagine that they just ZIP up their source code tree and e-mail it to the auditor or something similar. Even with encryption and whatnot, this just feels horribly insecure. I would feel as if the second the source code is sent to the auditor remotely, it’s “left the building” and become “potentially public”.
How is this done in practice? Do companies really trust the security of the audit companies? As I type this, I realize how silly that sounds, since they are after all paying them to find flaws in their own code, but still, something about not controlling the whole process just sounds horribly insecure.
I wouldn’t be surprised if you answered that most companies these days just have a “private GitHub repo” to which they grant the auditor access in some GUI. But I would never, ever do that myself…
The Net’s description states:
A creature can use its action to make a DC 10 Strength check, freeing itself or another creature within its reach on a success.
Every way I have found of increasing your reach only increases it for attacks that you make: Reach weapons, monster attacks, bugbear’s long-limbed, the Battle Master Fighter’s Reaching Attack Maneuver, and the Four Elements Monk’s Fangs of the Fire Snake feature.
Is there a way to increase your reach used when helping somebody escape from a net?
Say somebody says “I’m going to use a spell to charm you, and make you walk around the room,” for a bet or something. You know it’s coming, you know your goals, but what effect does this have on saving throws? What does the charm do to your thought process? Might you have advantage on the saving throw if you’re mentally prepared? Or does it simply mean that while charmed you still might not do as they say? How does this apply to more powerful charms?
It’s clear that we should roll insight versus deception (I guess), but what should be rolled against persuasion or intimidation checks? Is the answer to this question different for NPCs and PCs?