| | |
|
|
Trusting sources and securing your privacy (1): Why do David's posts look weird?
#640390 - Mon Dec 08 2008 11:27 AM
|
|
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This is the first thread in what I hope will be a series, including topics like "How can I verify you really wrote that?", "How do I sign my own writing?", "The importance to innocents of plausible deniability.", and "How to keep your private parts private." The general theme of the series is to provide information on some basic security issues and equip readers with some useful cryptographic tools. One particular goal that I have is to develop a useful written guide to getting started using GPG keypairs and why it's worth doing, for distribution to people not on this forum.
You may have noticed that there's some extra text up at the beginning of my post, and a bunch of extra stuff down at the end that looks rather like http://getfiregpg.org/images/newscreenshots/editor.png and include what ought to look like a random string of characters. What you're seeing is a "PGP signature", and what it means is there's a way of checking if the post you're reading is actually something I wrote or not. To really do that check, you'd also need my public key (the big mess-o-random-characters at the top of my profile at http://www.masterzdm.com/NCD/showprofile.php?User=3152 ) and some software that knew how to deal with such things.
About that software... there are two main parts, one that does all the actual work, and one that provides nice window dressing. An example of the window-dressing software is the FireGPG plugin (http://getfiregpg.org/) for Firefox. Even if you don't have the actual-work software, FireGPG will still clean up pages containing signatures and keys and so forth, to make them look more like http://getfiregpg.org/images/newscreenshots/inlineonapage.128.png instead of what you probably see now. I suggest you try installing it yourself, and then reload this page and my profile and see how nicely things are cleaned up.
Now, assuming you've done that, the question still stands: Why do David's posts look weird? Granted, they don't look quite as messily weird as they did before, but having a box around the message with "PGP Signed Message, Unverified" at the top, "Display original | Verify" at the bottom, and a stylized foxhead in the corner... while less ugly, that still counts as weird.
Well, to start with, you need to know that there are two "keys", my 'public key' (seen in my profile) which is out there for the whole world to see, and my 'private key' which I and I alone have access to (and I darn well better keep it that way!) Unlike normal physical keys, these have some weird properties. Since there are a lot of mnimo out here, or people comfortable/familiar with them, I'm going to make an analogy that uses magic.
Imagine you have two magical keys, one called W and the other called C. You can encase any object in a magical force-field by holding one of the keys in front of it and turning the key once around. Oddly, the C key only can be turned clockwise, and the W key can only be turned counterclockwise. Turning a key twice around sets up two force-fields, turning it thrice gives three, and so forth. Turning one key, then the other, does something quite different, however.
If you turn the C key clockwise to set up a force-field, and then turn the W key counterclockwise, the force-field you set up goes away. Moreover, that's the only way to remove such a C-made force-field (aside from using a dispel-magic ritual that takes thousands of years... if you speed time up a whole bunch). Similarly, if you turn a W key to set up a field, and then a C key, the W-made force field goes away, and that's the only way to make a W-made field go away. If you turned C twice, you'd have to turn W twice. Turning C three times and then turning W four times ends you up with just one W-made force field... the rest of the W and C turns canceled out.
Now, what could you do with a pair of such keys? Well, for one thing, if I kept the W key, and gave you the C key, then if I put a W-made forcefield around a package for you (which I can do, since I have the W-key) the only person who can get through the forcefield to open the package is you, the holder of the C key. Moreover, if you get a fielded package which opens when you turn the C key at it, you know it was sent from the person (me) with the W key. I know you're the only one to see it, and you know I'm the only one who could have sent it.
"But David", you might say, "You didn't give me a magic key, and I can still read your message!" And you'd be right... in part. My post I send where everyone can read it, but that garbage at the bottom comes from compressing down my message and then W-locking that compressed version. If you had the C-key, then you could unlock the garbage and compare the result to what you get if you compress down my message. If they're the same, then you can still conclude that I wrote the message, because I'm the only one who could have sent both versions (readable, and compressed plus W-locked) and had them match up like that. Anyone at all can now read the message, but only people with the C-key can verify I really wrote it.
"That's nice," you might object, "but to use this, I'd have to make a pair of W/C keys for me and you to use, and a pair of W/C keys for me and Karol to use, and a pair of W/C for... argh... EVERYONE I want to talk to. That's too much work." And again, you'd be right! That would be nuts! Fortunately, there's a way around that. You make one W/C pair, you keep the W key, and you give EVERYONE a copy of the same C key. Similarly, I make just one pair (I'll call mine R/U... the U looks like a C on its side) and I'll keep R and give EVERYONE a copy of the U key.
Now, if I want to send you something that only you can open, I use the C key. You may not know who it came from (everyone has a C key) but I know you're the only one who can open it. Now, if I want to send you something that you'll know came from me, I can use my R key. You may not be the only person who can open it (everyone has a U key) but you'll know I'm the only person who could have sent it. Now, if I want to send you something that you'll know came from me and I'll know only you can read, all I have to do is use both the C key (which you gave me and everyone else) and my R key (which I keep hidden), and we get both those guarantees.
Moreover, now that it's not "I have one, you have the other" but "I have one, everyone else has the other", I can use my R key on anything I want, knowing that everyone else has the U key, so everyone else can remove the force-field and read my message... PLUS they'll automatically know the message came from me! Or, I can do what I'm doing with this post: I send my message in plain text, then I send the same message crunched down and locked with my R key. Even if other people don't have a way of un-crunching the crunched version, they can at least unlock it and compare the known-to-be-from-me crunched version with what they get if they crunch the allegedly-from-me plain version.
And that, roughly speaking, is why my posts look weird. I am providing evidence that the text you read is, indeed, the text I wrote.
Please ask questions on anything that's not clear, or on any "yeah, but what about" issues, or if you have a "well if I did X, then how would you know..." idea. Some responses I'll put off to a future post in this series, others I'll reply to in this thread.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkk9dP0ACgkQsMe0o8Utwkfp9gCeILyBalH53dhh+oNH0iPQ6Uxc
wGoAn2RCEjdsocSj+jEfbDJTN/XHfQMd
=FSWV
-----END PGP SIGNATURE-----
|
|
|
|
|
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This message is to help people test if they have a functioning GPG installation. If you have FireGPG installed, you should just see a box with "PGP Encrypted Message" above "Display original |Decrypt" and a fox-head in the bottom-left corner. If your GPG installation is working correctly with FireGPG, clicking on the 'Decrypt' link should turn the "PGP Encrypted Message" line into "PGP Encrypted Message, A valid signature was found, with the key ID David Atheos *** gpg: Good signature from "David Atheos ***" (made on Mon Dec 8 14:37:46 2008)".
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkk9eCMACgkQsMe0o8UtwkeBwgCeImGOsV/Z1ns05Rk7kAoI3Jlb
oQUAoJqVaMh4IEeAdRxwn3tzMyMIG11x
=1E8y
-----END PGP SIGNATURE-----
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.8 (Darwin)
owE9Ur1rFUEQP19UUAgaxEK0mKR5hfdemqTTIhg/0oqFQhDm9ubulre7c+zuvePs
YiVptNDGQsH0IuJfEAkWAf+P1IK1c+9drJbdmf19zbxbXUlGa99+/Tg6mRw/vnB6
liV799vDB+xKj7ExGDW7sA4vuIGSIkSGQASxIjmVlxdLIWBJ67AToJMuhQ5qzxlm
poNIxkDWLfq1KxgwBFYaI+XQ6liB7aBuMqMVzKhL/wN4QiVFAp6TB+u05YlBlwNZ
1AYUNz5S6IAL2PVTeFgHbdgBe2BH/Wulw6aO47DZVkImIBORMKl6Odop9G5pbArP
RFnJnEP06EKuLbkgFTSwyyoKYIVBvuRaDaKN0a50YrrPApWiOg6qolCNA2REDgqD
ZSn9hSBYSsHijCQW7SI3MaTQezGE80WUFtqKPMHewvuQr53KvZKOFCpuewvpEroV
9YLcs8GGtpJ1TV6yPqdcitEBsIlsxadCI2WLfiZVcRNqtBspBIZaJASCnN1YRutl
TrwNlnNdLEdW6rkQYp77we+wAtJQiGAXoSYWkOmbRxeTtVFy+dKo357k6pXr5yv1
/W3yccVsn366cevJ+M/B7WtbP18/PfxyN/n8/OT3wYejrZv7d15+fXX892x/9f29
fw==
=tJXL
-----END PGP MESSAGE-----
|
|
|
|
|
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I won't call this a FAQ, because none of these have been asked frequently yet, but I have heard a few questions already. I'll try to reserve this post space for a condensed, best-answers-so-far space.
Q: How is this "signing" thing supposed to protect the contents of your post? Couldn't anyone still just edit your post (who could edit posts) and /whoom/ it's edited?
A: Signing is not supposed to make something un-editable, just un-forgeable. If I made and signed some text, and then emailed it to you and asked you to post it, you could edit it to your heart's content... but you wouldn't be able to post those edits with a matching "Signed-By-David" block at the bottom. If you didn't post exactly what I'd asked you to post (i.e. attempted at least partial forgery) then anyone who bothered to verify the signature would find that it didn't match.
Q: Couldn't someone just make up their own keys and sign using them?
A: They certainly could... but that wouldn't make the signature match with -MY- keys. It's like if someone stole my check book and signed "Bob Jones" at the bottom. They may claim to be me, but they're not using my 'name' and they're not using my signature.
Q: What if they said "Actually, Bob Jones is one of my (David's) noms de plume, and this is the signature I use for my Bob Jones persona. Really, I -AM- David, and I just used the wrong sig. Sorry."?
A: Such a thing could happen... I am a writer, I do use pen names (though I don't call them noms de plume, in part because I have little patience with pretentious languages) and, indeed, I do keep distinct signatures for some of them. HOWEVER, there is a test that you could, and should, ask of Bob Jones: sure he can sign as if he's got Bob Jones' private key, but can he sign as if he's got David Atheos' private key? If he can, it means he's got my private key, which means he is (as claimed) me. If he can't... if he waffles and says "Just -trust- me, because I don't want any paper trail that could irrefutably connect my nom de plume to my real name"... then I'm either being an ass or it's not me.
Q: How would I know it's not just you, being an ass? It has happened before.
A: That doesn't matter. What matters is that you don't /have/ to believe it's me. If someone can sign something using my private key, either my computer has been raided (eek!) or you ought to believe it's really me. These systems can demonstrate that someone IS who they claim, but they're not geared for demonstrating that someone IS NOT who they claim to be... you can fail to demonstrate that you are me, but that's not quite the same thing as demonstrating that you are not me.
Q: But you could be an ass, right?
A: *Sigh*. Yes.
Q: Wouldn't it be better to, uh, use your public key to 'force-field' the message I send to Bob Jones? Then he couldn't read it unless he really was you... so if he replies to the you-only-readable message, I know he's you, and if he doesn't, he's either a fake or it's you being an ass.
A: Not better, not worse... just different. An advantage of a public "sign this as David" challenge is that other people can see your challenge and, if he passes the test and you post the result publicly, other people can see that he passed as well (of course, you're signing all these challenges yourself, so nobody can undetectably tamper with them, right?). An advantage of the private "Here is random garbage... unless you really are David" challenge is that if you write something that you /know/ I would respond to, and Bob Jones doesn't respond, the chances are much higher that it's not just me being an ass... because ass or not, there are some things I'd still respond to.
Q: If you (using your private key) sign something that says "I, David, swear that Bob Jones it not me", should I accept that as proof?
A: Unfortunately, no. I could, as you said before, just be being an ass. However, if you're willing to accept that I'm probably not doing that, then my signing a "That's not me" statement, together with the results of Bob Jones failing to answer the "Sign this with David's private key" challenge, should be reasonably convincing.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkk9f2YACgkQsMe0o8UtwkeWzwCfXCYMyKTeUEVNiDs4Qkg7RZte
fjYAn27Y+WMZr0jwBPhjj0L9HDnlFYiZ
=qpYy
-----END PGP SIGNATURE-----
|
|
|
|
|
|
I'm not intending to steal David's thunder on the subject, but I have a few more notes to contribute. While the terminology in the first post isn't exactly standard, I'll use that for this post so that everyone is on the same page.
An alternate way to download the Firegpg plugin for Firefox is https://addons.mozilla.org/en-US/firefox/addon/4645 . This link is slightly more secure for a couple reasons. The first reason is because it's transferred using a secure version of the HTTP protocol. The second is because the plugin is signed when downloaded from this location. Both the secure version of the HTTP protocol and the signing of the plugin use the same process as described in the main post for this thread.
What makes an HTTPS connection secure is that all communications between your web browser and the web server are encrypted in such a manner that no-one else can read. The way this is accomplished is that the web server is configured with a C/W key pair. Your web browser also generates a C/W pair of its own. The C key that your browser generated is given to the the web server. The web server generates a token which it places two force fields on. The first is the C force field that your web browser generated. The second is the W force field that only it knows. When your browser gets that shielded token, it applies it's W force field, and the server's C force field to get that token. That token is also a key, but it's a more conventional type, where you can twist it both directions, and each twist undoes the other.
The C half of the key pair for the web server is known as a server certificate. If the server has that certificate, you get that nice, nifty padlock icon somewhere in the chrome (user interface) of your browser. That padlock icon doesn't always mean that the connection is secure (for a number of different reasons), but it helps provide the confidence that that is the state of affairs.
One of the key problems with Public-Private key cryptography is the issue known as key distribution. This problem can be summed up as 'How do I get the C key for David's posts'?
One (valid) method of distribution is to post it somewhere, such as in a profile. The problem with this method is that someone else could alter the profile, and therefore the key contained within. However, if this were to be done, all posts with one of those crunched versions would then be invalid, unless the crunched version of each post were to be updated as well. The reason for going through this whole song and dance would be so that you could alter a post, and re-crunch the contents, using the new (known) W key.
Another common way to perform this distribution is to take your C key, and submit it to someone who acts as a caretaker for keys, along with some sort of an identifier (such as an email address). Someone who wished to know what the C key was for that given identifier could then contact that caretaker to obtain the C key for the given identifier. Note that someone else could also generate a C/W key pair for that same identifier, and submit it to the same caretaker. This would then lead to confusion as to which C is the real C for the identifier.
Both of these methods for key distribution have an Achilles heal that can be worked around. That workaround is to retain a copy of that C key that you were given, rather than grabbing a fresh copy of that C key every time you need it.
I don't have time for a longer post at this time, but a few other topics for dissertations are as follows:
* Key revocation
* Key Signing
* How to read an HTTPS certificate.
--Centaur Prime
--------------------
Centaur Prime/M/~25/Theataur
|
|
|
|
|
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Anyone wanting to see what happens when something is /improperly/ signed can take a look at Cruiser's post at http://www.masterzdm.com/NCD/showthreaded.php?Number=640435 where he (heavily) modified the content of my original post, but left the signature intact. Thanks for the example, Cruiser!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkk+tLQACgkQsMe0o8UtwkdoKwCeP1XZKaHuG0u9wLPulYMIxUp2
8mgAnR5znrXmIKtN9jYpdcRXdf5/Zu5j
=3DI3
-----END PGP SIGNATURE-----
|
|
|
|
|
|
Obviously, given who's posting this, it isn't a question I have, but I can see someone asking.
Simple answer: In order for the forums to automagically sign things with your key, they'd need to have the key to start with. Given I have full control over what happens to any message sent to this forum, it'd be trivial for me to fake things.
Now, granted. Many of you implicitly trust me with not starting sh..tuff. Like with the voting in Kit's thread - it'd have been trivial for me to rig the ballots, but I assure you I haven't.
Anyhow, basics is: as the implied distrust here is in those who can edit the posts, giving those same people access to the key would be a bad thing.
--------------------
They say there's the good twin and the evil twin. Any clue which is which?
|
|
|
|
|
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On the same note, in case at someone down the road thinks it would be a good idea to bug Krinele to set up some kind of MZDM public key repository (so, not signing things for people and holding a copy of their private key, but keeping copies of public keys on folks behalfs (behalves?) and being able to automagically /verify/ things they'd signed) a similar security concern would still come up.
If, for example, Centaur Prime tricked Krinele into adding /his/ version of a David Signature to the repository, then whenever someone looked at my properly signed messages, they'd go get the MZDM-hosted key supplied by CP and would find that my signature wasn't verified by the key... and so it would look like all of my real messages were being supplied by someone fake, and the fake messages that CP could craft on my behalf would look like they were from me!
I'll return to this point when I make a thread in this series with a topic like "The Web of Trust" or "Keysigning Parties".
And, to Krinele and Centaur Prime, thank you for your contributions and the segues they'll provide! I have no spotlight/thunder-stealing concerns. My goal is disseminating information in a form that'll work and be persuasive for as many people as possible, and different explanations are all for the good, as is evidence that these are issues that other people have thought about too.
And just why I think those things are important will be the topic of yet another thread in the series 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkk/HqwACgkQsMe0o8UtwkdDdQCeKjm4I6o8ecYpLnUh+SDBoAEx
JoAAnAlDDNdQInZgpK46v6CXFmcbRse0
=DuaW
-----END PGP SIGNATURE-----
|
|
|
|
|
|
There are two topics here.
One is "Nonrepudiation" and the other is "Asynchronous Encryption."
Nonrepudiation is a way of binding an identity to a document or event. In this case you are discussing a digital signature which unequivocably identifies the signer. The term "nonrepudiation," in this case, means that the signer cannot thereafter claim it wasn't s/he who signed it. This is acheived by decrypting the hash with the public key to reveal, "Yes, it was signed by you." This is why digital signatures are becoming the preferred method for contracts and other legal documents, because not only can people claim their otherwise legitimate ink signatures were forged, but digital signatures presently cannot be forged without the private key. The Air Force recently performed its first enlistment contract via digital signature. As far as the DREAM goes, this keeps people from spoofing other posters because if spoofing occurs, we'd be able to see that the spoofed individual did NOT sign the document in question (i.e. there would be no nonrepudiation bound to that individual)
The whole explanation of two separate keys, the private key and the public key, pertains to Asynchronous Encryption. Everyone is familiar with the idea of Synchronous Encryption, where all parties get the exact same key which is used to encrypt and decrypt messages. If you get the key from one party, you have the key to all parties and all messages. On the other hand, Asynchronous Encryption refers to each party (usually each individual) having a unique set of key pairs, with each pair being comprised of a public key and a private key, niether of which can be mathematically computed from the other. If you get the private key from one individual, you can only decrypt that individual's messages and no others, and you can only spoof that one individual, and no others.
--------------------
Defending the truth is tough, you try it!
|
|
|
|
|
|
Pentagon John said:
There are two topics here.
One is "Nonrepudiation" and the other is "Asynchronous Encryption."
Are either recommended for an online role-playing forum such as this (from a security perspective comparable to similar sites) or is David trying to sell us some fancy padlocks?
--------------------
|
|
|
|
|
|
Actually, that's the entire point, Furilius.
While you can argue it isn't 'necessary', and it certainly isn't...
It's not a bad idea to make this sort of encryption more common in general, as to dispell the notion that encryption is only for things that are either illegal or worth a lot of money.
|
|
|
|
|
|
I will, though, point out a few flaws here now that I play with the plugin. Primarily, FireGPG removes markup. Bye-bye forum autolinks, for example!
This does significantly cloud usability, though it's survivable if your focus is more security than anything. I'd rather, myself, run with it turned off for now, though, as I like to be able to click a link.
Amusingly, the encrypted message told me nothing new. But then, David probably already knew that I knew what he included in that content.
Edit: It also hides images, and doesn't interpet the alt text that's carefully crafted by me to copy/paste "exactly" like how you typed it in when on firefox... so it fails miserably with that smiley, David. WinPT by itself parsed it just fine off the clipboard, though I do need to figure out where something went off with an earlier message that FireGPG is giving a "thumbs up" to but WinPT isn't.
Gotta love security attempts on a system that alters your text by itself, no?
|
|
|
|
|
|
Furilius Pitch said:
Are either recommended for an online role-playing forum such as this (from a security perspective comparable to similar sites) or is David trying to sell us some fancy padlocks?
What David is recommending is always an excellent recommendation for an online forum, but as Krinele astutely points out, the implementation details are paramount you want security to compliment the DREAM; you do not want the application to detract from the DREAM).
Naturally you should assess the risk and potential damage of someone impersonating someone else (virtual identity theft) and make a cost/benefit analysis. Also, you might want to consider the potential benefits of implementing nonrepudiation (e.g. require a digital signature to post) to afford certainty that the PG did, in fact, make the post...and remove any potential claim that s/he'd been spoofed.
It would seem to me that niether of these are really paramount concerns today based on DREAM history. There really hasn't been the problematic case load of spam/spoof that other sites have experienced, so your cost/benefit ratio will probably be very high.
Be that as it may, they are good things to have/offer, depending on the implementation.
--------------------
Defending the truth is tough, you try it!
|
|
|
|
|
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Furilius:
There's a sense in which your question is very much like the question
"Are handwashing or covering-coughs recommended for a forum such as this or is David trying to sell us some fancy soaps?"
On the one hand, there's nothing about hygiene that makes it intrinsically appropriate for any gathering of people, especially a gathering where no physical contact is made, so no germs get transmitted!
On the other hand, there's something about hygiene that makes it a good thing to do /in general/, whether or not a particular situation is high-risk or not.
For a longer version, I'm forking off part two of this series at http://www.masterzdm.com/NCD/showthreaded.php?Number=640660
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAklFbYgACgkQsMe0o8Utwke90ACcCW2KghxgkDvm1AIrJGHwiDeq
XtMAn3ZQwWZoyBZY3FVzZ5NAthKPGRm+
=x1oz
-----END PGP SIGNATURE-----
|
|
|
|
|
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I certainly agree that the interaction between the forums and, for example, FireGPG, certainly leave something to be desired. I also hold the opinion that the desire IS NOT great enough to devote any resources to dedicated support being provided by Krinele (I was going to say 'by the forums', but I think I know where all the work for such a modification would finally land.)
I don't think that everyone should be using these techniques in every post, though I do want to use them on my posts for 'raise curiosity' purposes.
I think that for plain, un-embellished text blocks, the current interaction is sufficient.
I think that for multimedia/marked-up posts, I would recommend either not signing anything, or only signing a critical chunk, rather than trying to sign the whole thing and break the links, pictures, emoticons, and possibly other things.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAklFb0UACgkQsMe0o8Utwkd24wCfbi32mZ1o33SOmJg7MM6Bu45N
b8MAoKslfRL1bBviYfIwDczI6odf07KA
=MxXu
-----END PGP SIGNATURE-----
|
|
|
|
|
|
My primary question would be: what of those of us who access The Dream while at work, or otherwise using a computer on which we cannot download and/or utilize additional software and/or plugins? I don't say that I fall into that category all the time, however I do sometimes, and I'm sure I'm not the only one.
|
|
|
|
|
|
Well, really, as long as somebody YOU trust can verify it; it's not like this trickery really has to be dealt with in a real-time basis.
|
|
|
|
|
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Also, "Post now, go back later and edit the post to be a signed post" is perfectly reasonable from the making-posts end of things. And, as Thalamasa said, "Read now, verify later" is just fine from the reading end.
This post edited 1 minute after original (unsigned) posting to be a signed posting.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAklH3b0ACgkQsMe0o8UtwkdgiQCfSmWGAiVto45dMgtH7P8uGzFa
YR4An0Ai+ONIW5cSr2zShlVBwYqKc1FZ
=6cVl
-----END PGP SIGNATURE-----
|
|
|
| | |
|
Reply Main
New Thread
Flat
Threaded
Edit
Quote
