Doing "Secure Documents" in Fedora

Robert Moskowitz rgm at htt-consult.com
Sun Sep 14 23:23:43 UTC 2014 

On 09/15/2014 01:02 AM, Chris Murphy wrote:
> On Sep 14, 2014, at 2:02 PM, Chris Murphy <lists at colorremedies.com> wrote:
>
>> On Sep 13, 2014, at 12:27 PM, Mickey <binarynut at comcast.net> wrote:
>>
>>> I
>>> On 09/13/2014 01:39 PM, Steven Stern wrote:
>>>> On 09/13/2014 11:56 AM, Mickey wrote:
>>>>> Fedora 20/KDE
>>>>>
>>>>> How do you use Secure Documents in Fedora ?
>>>>>
>>>>> Secure Documents like someone that wants to send you MONEY
>>>> is that some sort of brand name or product (because you capitalized it)
>>>> or are you talking about transferring securely encrypted files?
>>>>
>>> I'm not sure, my Sister on her Fedora 20 box said she had gotten a Secure Document of someone sending her Money and she said she couldn't read it.
>>> Until I can see what she is talking about tomorrow, I will get back to you on it, I would imagine it has something to do with encrypted files.
>> I would sooner imagine it's a phishing attack. People don't just randomly send other people money by email without first agreeing on the method of exchange: Google Wallet, PayPal, Bitcoin, etc. And none of those send encrypted emails as confirmations. (They probably ought to sign those emails, but that's a different problem.)
> This is cute:
> http://www.bravaviewer.com/secure-document-viewer
>
> "Content Sealed Format (CSF) is our proprietary encrypted neutral format that is ideal for secure, convenient file sharing. Similar to PDF and TIFF, CSF is an accurate, encrypted rendition of the source document file.
>
> "CSF Secure document files can't be modified.
>
> "Unlike PDF or TIFF, CSF is not an open format so no third party translators, editors or conversion tools exist to compromise content security."
>
> I'm glad they have a free reader, but this is an egregious lie.

In crypto, you have to prove it to parties that are trusted at large by 
others to attest to your security.

I was asked to certify one product and when I asked them what mode of 
operation they were using with AES, they responded "that is proprietary" 
(we had to sign an NDA to even get to this step). There is NOTHING 
proprietary about AES modes of operation, unless you are using the wrong 
one!  I responded that the evaluation ends here and it failed.

Another time, I broke a password scheme with a two urn probablity 
attack. then proposed a different scheme that the vendor incorporated.  
We signed off on the product.

I am just one of many that do this work.  NEVER use a security product 
unless you are able to determine who is behind it and who reviewed it.

More information about the users mailing list