Discussion:
PGP SDA security flaw question
PGPee
2010-02-12 02:59:47 UTC
Does anyone know the truth on the "alleged" security flaw in PGP SDA? The
hackers say it can be broken, but PGP says what the hackers found is
something that can be expected and is not a security risk. So what's the
deal?
David W. Hodgins
2010-02-12 03:12:30 UTC
Post by PGPee
> Does anyone know the truth on the "alleged" security flaw in PGP SDA? The
> hackers say it can be broken, but PGP says what the hackers found is
> something that can be expected and is not a security risk. So what's the
> deal?

If you're referring to
http://homepage.mac.com/adonismac/Advisory/pgp/PGPcrack.html

You need update access to replace an SDA with one you've created.

This only matters for authentication issues. Anyone can write
a program that looks like an SDA, and puts out similar output
to what a real SDA would. If you don't trust the source of
the files you've gotten, don't run them.

For the Virtual disk, it allows anyone with write access to the
raw device to format it. So what! They can do that anyway.

I don't see how this is a flaw.

Regards, Dave Hodgins
--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
David E. Ross
2010-02-12 03:35:11 UTC
Post by PGPee
> Does anyone know the truth on the "alleged" security flaw in PGP SDA? The
> hackers say it can be broken, but PGP says what the hackers found is
> something that can be expected and is not a security risk. So what's the
> deal?

This is a very old story, reported as far back as 2006 if not earlier.
I cannot find any reference to this in any authoritative source (e.g.,
Mitre Corporation's Common Vulnerabilities and Exposures, Carnegie
Mellon's CERT, Department of Homeland Security's US-CERT).

I did find several items via Google that seem to refute the claims about
the flaw. See for example
<http://www.mail-archive.com/***@metzdowd.com/msg06530.html>.
--
David E. Ross
<http://www.rossde.com/>.

Anyone who thinks government owns a monopoly on inefficient, obstructive
bureaucracy has obviously never worked for a large corporation. © 1997