Re: Gnupg-users Digest, Vol 220, Issue 11

2022-01-10 Thread Ryan McGinnis via Gnupg-users
Ah, it's nice to know that as time inexorably marches forward and Usenet becomes AOL becomes TikTok, as keyboards transition to phone screens transition to VR sensors, that some things, some things -- some things never change. -Ryan McGinnis r...@digicana.com https://bigstormpicture.com GPG:

Re: Off-topic: standards for embedded signing of digital images?

2021-09-11 Thread Ryan McGinnis via Gnupg-users
li Kon via Gnupg-users wrote: > On 2021-09-10 8:00 p.m., Ryan McGinnis via Gnupg-users - > > gnupg-users@gnupg.org wrote: > > > Years ago, I think Canon offered some kind of in-camera file format > > > > that supposedly could prove that the file had not been tamp

Re: Off-topic: standards for embedded signing of digital images?

2021-09-10 Thread Ryan McGinnis via Gnupg-users
Years ago, I think Canon offered some kind of in-camera file format that supposedly could prove that the file had not been tampered with. Eventually exploits were found that rendered it unreliable.

Re: How would you do that ...

2021-05-13 Thread Ryan McGinnis via Gnupg-users
For what it's worth if you're gung-ho about our heroine using a public library computer or something and you can't stego some info into an image for one of the image boards because you don't have any tech of your own in that country, then using an OTP to publicly post something to a pastebin

Re: How would you do that ...

2021-05-07 Thread Ryan McGinnis via Gnupg-users
Protonmail only requires a phone number to send a verification “are you a real human” SMS if the IP you are registering from is a source of previous abuse. So, like, don’t use a VPN when you do it. Or if you’re worried about it, make the account back in your safe country before you travel to

Re: How would you do that ...

2021-05-07 Thread Ryan McGinnis via Gnupg-users
Alice is an idiot if she’s trying to defeat nation-state adversaries and be a thrifty shopper at the same time, but even so, in most places a laptop isn’t going to be cheaper than a cheap mobile phone. You really want Alice to use some public library computer for some reason, but I am going

Re: How would you do that ...

2021-05-07 Thread Ryan McGinnis via Gnupg-users
Sounds like you're having to trust some kind of tech from the country you're going to, so with that in mind: Buy burner phone and SIM with cash from some place where normal people buy phones and SIMs with cash. Install Signal. Done. For identification, have some code word that will be the

Re: Plan B - Who carries the torch?

2021-01-06 Thread Ryan McGinnis via Gnupg-users
Why does GPG continue to be developed with email uses in mind even though it's now widely accepted that GPG is a terrible way to securely communicate with another person and that a number of much more secure, much more robust, much less complicated (from the end user perspective) solutions

Re: Mobile mini computers for GnuPG/OpenPGP usage instead of smartphone usage

2020-11-30 Thread Ryan McGinnis via Gnupg-users
Hah, these look like they’re probably aimed at the pentesting market, they are indeed tiny as hell! Sent from ProtonMail Mobile On Sat, Nov 28, 2020 at 1:59 AM, Stefan Claas via Gnupg-users wrote: Hi all, some of you may remember the recent thread from me about OpenPGP

Re: Five volunteers needed (EU .... Are you sure that this is really advantageous?

2020-10-14 Thread Ryan McGinnis via Gnupg-users
CIA Agent 1: Swap out that NFC tag with the malicious one. CIA Agent 2: But he put a little sticker on it! CIA Agent 1: My God, all hope is lost On 10/14/20 2:09 AM, Stefan Claas wrote: > Ángel wrote: > >> On 2020-10-11 at 17:41 +0200, Stefan Claas wrote: >>> I had not set a password, so that the

Re: Five volunteers needed (EU .... Are you sure that this is really advantageous?

2020-10-12 Thread Ryan McGinnis via Gnupg-users
Probably a bit outside the scope of the list, but in my experience most users underestimate the risks involved in running their own servers.  Probably not anyone reading a GPG mailing list, but I only mention it because of the discussion of no-ip and DDNS stuff -- usually only tools used by

Re: Five volunteers needed (EU only please)

2020-10-06 Thread Ryan McGinnis via Gnupg-users
. A 1,000 by 1,000 file would make a nice 3x3 inch sticker or back of a postcard. -Ryan McGinnis http://www.bigstormpicture.com PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD On Tue, Oct 6, 2020 at 17:43, Stefan Claas <s...@300baud.de> wrote: Ryan McGinnis via Gnupg-users

Re: Five volunteers needed (EU only please)

2020-10-06 Thread Ryan McGinnis via Gnupg-users
Yeah, though if you wanted to be sneaky-do you could encrypt a message, put it on a QR sticker, slap the sticker on some traffic pole as a dead drop, and let it hide in plain sight until your intended recipient came by and snapped a shot of it.  My guess is that if the world ever gets to the crazy

Re: Five volunteers needed (EU only please)

2020-10-06 Thread Ryan McGinnis via Gnupg-users
Perhaps just use QR codes?  Easily scanned and imported by a digital device.  Message size is limited, but probably enough.  If not, you can maybe use multiple QR codes.  This reply, encrypted to you, is contained in the linked QR below: https://imgur.com/a/JoPjgGH On 10/5/20 10:37 AM, Stefan

Re: how to suppress new "insecure passphrase" warning

2020-09-17 Thread Ryan McGinnis via Gnupg-users
Wonder if someone saw this email and uploaded it -- it shows up when I search! :) Best, -Ryan McGinnis http://www.bigstormpicture.com PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD ‐‐‐ Original Message ‐‐‐ On Thursday, September 17, 2020 10:25 AM, Martin wrote:

Re: how to suppress new "insecure passphrase" warning

2020-09-17 Thread Ryan McGinnis via Gnupg-users
(BTW -- not to be pedantic, but if by "a few" words you mean "three", then you don't have a good passphrase -- six words is kinda minimum with diceware to get a decent amount of entropy) -Ryan McGinnis http://www.bigstormpicture.com PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E

RE: On Becky! Internet Mail's GnuPG Plugin

2020-09-08 Thread Ryan McGinnis via Gnupg-users
Unless you live in North Korea or something there are always ways around SIM registration laws, though they get expensive depending on where you live. If you have a trusted US contact you can just have them grab you a bunch of Mint Mobile SIMs and have them cooperate with sending you the OTP

RE: On Becky! Internet Mail's GnuPG Plugin

2020-09-08 Thread Ryan McGinnis via Gnupg-users
A. Yes, you can still anonymously register for almost anything. It's not straightforward and requires a bit of forethought and jumping through hoops. No, it probably won't defeat the NSA, but if they're your adversary what in blue blazes are you doing using any kind of electronic device let

Re: In case you use OpenPGP on a smartphone ...

2020-08-21 Thread Ryan McGinnis via Gnupg-users
Calling that a documentary is like me tattooing angel wings on my back and trying to pass as an attack helicopter. On 8/20/20 10:23 AM, Stefan Claas wrote: > Robert J. Hansen wrote: > >>> Sorry for being now probably completely off-topic, but when it comes to >>> informations we find >>> on the

Re: In case you use OpenPGP on a smartphone ...

2020-08-21 Thread Ryan McGinnis via Gnupg-users
Generally when something is "banned from Youtube" and the reason for the ban wasn't that it was outright pornography, copyrighted content, or illegal content, you can rest assured that the "banned video" is some Grade A Prime Whackadoo McCrazy Bullshit and that you will become dumber if you watch

Re: In case you use OpenPGP on a smartphone ...

2020-08-12 Thread Ryan McGinnis via Gnupg-users
ly see what's so silly about the whole thing. On 2020-08-12 18:57, Ryan McGinnis via Gnupg-users wrote: Well yes I realize that it exists, what I'm saying is why would anyone use it for secure communications on a smartphone when there are solutions orders of magnitud

Re: In case you use OpenPGP on a smartphone ...

2020-08-12 Thread Ryan McGinnis via Gnupg-users
3FA3 486E D7AD Sent from ProtonMail Mobile On Wed, Aug 12, 2020 at 11:57, Stefan Claas <s...@300baud.de> wrote: Ryan McGinnis via Gnupg-users wrote: > If you don't want to be location tracked on a mobile device you just > power it off and put it in a Faraday bag when not in use. >

Re: In case you use OpenPGP on a smartphone ...

2020-08-12 Thread Ryan McGinnis via Gnupg-users
to paved roads.  On 8/12/20 11:46 AM, Stefan Claas wrote: > Ryan McGinnis via Gnupg-users wrote: > >> I guess the real question is: what are people using PGP for on mobile >> devices?  If it's for communication, that's silly.  There are at least a >> half dozen far, far, far

Re: In case you use OpenPGP on a smartphone ...

2020-08-12 Thread Ryan McGinnis via Gnupg-users
I presume the goal of people (who know what they are doing) going through all these inconvenient steps isn't to build the perfect impenetrable fortress of security (which doesn't exist) but rather to make it more difficult or expensive to circumvent from the threat actor's perspective, hopefully

Re: In case you use OpenPGP on a smartphone ...

2020-08-12 Thread Ryan McGinnis via Gnupg-users
If you don't want to be location tracked on a mobile device you just power it off and put it in a Faraday bag when not in use.  https://silent-pocket.com/ If you want to deep dive into this sort of thing (it's a really deep lake), give this book a read: 

Re: In case you use OpenPGP on a smartphone ...

2020-08-12 Thread Ryan McGinnis via Gnupg-users
I guess the real question is: what are people using PGP for on mobile devices?  If it's for communication, that's silly.  There are at least a half dozen far, far, far better ways to securely communicate on a smartphone.  Also -- unless you are steeped in the security industry and run a hardened

Re: Traveling without a secret key

2020-07-08 Thread Ryan McGinnis via Gnupg-users
Claas wrote: > Ryan McGinnis via Gnupg-users wrote: > > > Went to a security seminar where I asked a random FBI agent after a > > presentation about passwords; he said just to get into > > their personal terminals it was something like 17 characters minimum and >

Re: Traveling without a secret key

2020-07-08 Thread Ryan McGinnis via Gnupg-users
‐‐‐ On Wednesday, July 8, 2020 11:36 AM, Stefan Claas wrote: > Ryan McGinnis via Gnupg-users wrote: > > > Six years ago Snowden said to assume the NSA can try roughly 1 Trillion > > passwords per second. I imagine it's significantly > > more by now. > > Holy

Re: Traveling without a secret key

2020-07-08 Thread Ryan McGinnis via Gnupg-users
Six years ago Snowden said to assume the NSA can try roughly 1 Trillion passwords per second. I imagine it's significantly more by now. -Ryan McGinnis http://www.bigstormpicture.com Sent via ProtonMail ‐‐‐ Original Message ‐‐‐ On Wednesday, July 8, 2020 6:33 AM, Stefan Claas

Re: Comparison of RSA vs elliptical keys

2020-05-20 Thread Ryan McGinnis via Gnupg-users
Interestingly enough, this breaks the Thunderbird/Protonmail integration, so your message just shows up as the raw PGP blob that Protonmail is pushing to the Protonmail client. It returns the error " Decryption error Decryption of this message's encrypted content failed. openpgp:

Re: How to improve our GUIs (was: We have GOT TO make things simpler)

2019-10-30 Thread Ryan McGinnis via Gnupg-users
I might be missing something really obvious here but... what is this trying to protect against?  It's not protecting against interception in transit, since the message already transits the internet either in cleartext or encrypted via TLS that your email service provider can definitely read.  So

Re: PGP Key Poisoner

2019-08-12 Thread Ryan McGinnis via Gnupg-users
Yes, ironically, this proof of concept is the responsible way to demonstrate the issue (after a sufficient waiting period following a private disclosure to the developers), rather than, say, demonstrating the issue by spitefully poisoning the keys of a few prominent people in the GPG community.  

Re: Forbes article: The Encryption Debate Is Over - Dead At The Hands Of Facebook

2019-07-31 Thread Ryan McGinnis via Gnupg-users
nnis https://bigstormpicture.com https://keybase.io/digicana Sent via ProtonMail ‐‐‐ Original Message ‐‐‐ On Wednesday, July 31, 2019 11:40 AM, Maksim Fomin via Gnupg-users wrote: > ‐‐‐ Original Message ‐‐‐ > On Wednesday, 31 July 2019 г., 17:36, Ryan McGinnis via Gnupg

Forbes article: The Encryption Debate Is Over - Dead At The Hands Of Facebook

2019-07-31 Thread Ryan McGinnis via Gnupg-users
Kicking the can down to the endpoints -- but really, haven't you always had to trust your app / OS? Unless you coded or audited it yourself from top to bottom and built your own hardware (hah), there is always a level of trust required in the code/device.  Trusting Facebook seems... unwise. 

Re: Essay on PGP as it is used today

2019-07-23 Thread Ryan McGinnis via Gnupg-users
ption-key-in-plain-sight/ > > I don't think PGP does THIS ! > > Elwin > > Sent using Hushmail > > On 7/22/2019 at 7:53 PM, "Ryan McGinnis via Gnupg-users" > wrote: > > > I’m not so sure that it does. I think that’s the point security

Re: Essay on PGP as it is used today

2019-07-22 Thread Ryan McGinnis via Gnupg-users
://bigstormpicture.com PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD Sent with ProtonMail Sent from ProtonMail Mobile On Mon, Jul 22, 2019 at 15:00, Mark H. Wood via Gnupg-users <gnupg-users@gnupg.org> wrote: On Mon, Jul 22, 2019 at 03:46:18PM +, Ryan McGinnis via Gnupg-users wrote: >

Re: Essay on PGP as it is used today

2019-07-22 Thread Ryan McGinnis via Gnupg-users
ke Bruce Schneier suddenly popped up and said "we have a problem" and dumped his PK, I may take notice... Then again that's my opinion, why should you believe me :) Cheers Craig From: Gnupg-users on behalf of Ryan McGinnis via Gnupg-users Sent: 17 July 2019 15:28 To: Konstantin Boya

Re: Essay on PGP as it is used today

2019-07-17 Thread Ryan McGinnis via Gnupg-users
Is that to send them a message or an attachment? You might look into Firefox Send -- not sure if this satisfies the legal requirements, but it is very robust end to end encryption. https://send.firefox.com/ -Ryan McGinnis https://bigstormpicture.com PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA

Re: Essay on PGP as it is used today

2019-07-17 Thread Ryan McGinnis via Gnupg-users
> - And finally: “don’t encrypt email”? Yes, well. Email is not going away. > Just like passwords, its death has been long anticipated, yet never arrives. > So what do we do in the meantime? I think what the author is saying is stop trying to ever think of email as a secure form of

Essay on PGP as it is used today

2019-07-16 Thread Ryan McGinnis via Gnupg-users
More than a bit critical, but a good read all the same.  Found on HN.  https://latacora.micro.blog/2019/07/16/the-pgp-problem.html HN comment thread here:  https://news.ycombinator.com/item?id=20455780 -Ryan McGinnis https://bigstormpicture.com PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E

Re: SKS and GnuPG related issues and possible workarounds

2019-07-06 Thread Ryan McGinnis via Gnupg-users
, Jul 6, 2019 at 17:18, David wrote: > On 06/07/2019 12:50, Ryan McGinnis via Gnupg-users wrote: >> Someone brought it to my attention that my key is now one of the >> affected keys; I think from this we can probably surmise that whoever(s) >> is doing this probably reads th

Re: SKS and GnuPG related issues and possible workarounds

2019-07-06 Thread Ryan McGinnis via Gnupg-users
Someone brought it to my attention that my key is now one of the affected keys; I think from this we can probably surmise that whoever(s) is doing this probably reads this list as this email address doesn’t see heavy circulation. -Ryan McGinnis https://bigstormpicture.com PGP: 5C73 8727 EE58

Re: SKS and GnuPG related issues and possible workarounds

2019-07-03 Thread Ryan McGinnis via Gnupg-users
To be fair, that bookshelf got pointed out like a decade ago. It’s just that resources to build a new one never materialized. While pointing out a problem by doing a targeted demonstration attack is about as aggressively black hat as it gets, it’s hard to not expect it. Even big white hat boys

Re: SKS and GnuPG related issues and possible workarounds

2019-07-03 Thread Ryan McGinnis via Gnupg-users
To be fair, that bookshelf got pointed out like a decade ago. It’s just that resources to build a new one never materialized. While pointing out a problem by doing a targeted demonstration attack is about as aggressively black hat as it gets, it’s hard to not expect it. Even big white

Re: Your Thoughts

2019-07-03 Thread Ryan McGinnis via Gnupg-users
Not sure why the phone number thing bothers people -- having a phone at all in the first place means you are easily tracked. What Signal (and any encryption system, really) does is try to prevent in-transit interception and surveillance of the actual data content. It can't hide the metadata

RE: Some thoughts on the future of OpenPGP and GnuPG

2019-07-02 Thread Ryan McGinnis via Gnupg-users
This is quite cool (I have mine set up the same way), but somewhat ironic considering, well... they're Facebook. I mean of all the big dog internet companies out there that you'd expect to give you extreme measures to protect in-transit personal user data... Facebook?! -Ryan McGinnis

Re: Your Thoughts

2019-07-02 Thread Ryan McGinnis via Gnupg-users
That is true that I am probably being unfair - my focus on GPG for email is more a nostalgic sadness that secure (beyond TLS transport) email never really became ubiquitous. In the end the protocol of email itself couldn’t keep up with the way people needed to communicate, so email is now a bit of

Fw: Re: Your Thoughts

2019-07-02 Thread Ryan McGinnis via Gnupg-users
AM, Peter Lebbing pe...@digitalbrains.com wrote: > > > On 01/07/2019 23:55, Ryan McGinnis via Gnupg-users wrote: > > > > > Null modem transfer of your messages? Yikes. To me that’s the issue > > > with PGP in general as it relates to secure communications

Re: Your Thoughts

2019-07-02 Thread Ryan McGinnis via Gnupg-users
it to communicate. -Ryan McGinnis https://bigstormpicture.com PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD Sent with ProtonMail ‐‐‐ Original Message ‐‐‐ On Tuesday, July 2, 2019 3:06 AM, Peter Lebbing wrote: > On 01/07/2019 23:55, Ryan McGinnis via Gnupg-users wrote: > > >

Re: Your Thoughts

2019-07-01 Thread Ryan McGinnis via Gnupg-users
Null modem transfer of your messages? Yikes. To me that’s the issue with PGP in general as it relates to secure communications - the nerds and the criminals and the spies know how to work it, but your average end user doesn’t need their step one to be “go to a Goodwill in a city you don’t

Re: Your Thoughts

2019-06-30 Thread Ryan McGinnis via Gnupg-users
It’s not so much that nothing better has come along, it’s that no single one of those things does all the things PGP sets out to do. For secure communications there are much better options than PGP - some of them in very heavy use by actual normal, non tech people. For symmetric encryption

Re: SKS Keyserver Network Under Attack

2019-06-30 Thread Ryan McGinnis via Gnupg-users
I can’t speak for others, but I wasn’t suggesting you were personally responsible for where things are right now, only making observations about the utility of continuing to use the product going forward, and what the targeted end users likely expect from the software. -Ryan McGinnis

Re: SKS Keyserver Network Under Attack

2019-06-30 Thread Ryan McGinnis via Gnupg-users
I guess that’s one way to look at it, but if your end users are dissidents and journalists communicating in happy fun places or developers signing critical software, then surely you’d want the product to be resilient against 10 year old trivial attacks from your users’ adversaries. I do

Re: SKS Keyserver Network Under Attack

2019-06-30 Thread Ryan McGinnis via Gnupg-users
What would have prevented a state level actor from activating this exploit on a wide level during a time when it would have been most effective for them? I have to believe that the fine folks who can put an APT in your air-gapped computer’s video card bios have been aware of this attack for

Re: SKS Keyserver Network Under Attack

2019-06-29 Thread Ryan McGinnis via Gnupg-users
Interesting discussion thread on this over at HN: https://news.ycombinator.com/item?id=20312826 -Ryan McGinnis http://bigstormpicture.com PGP: 486ED7AD Sent with ProtonMail Secure Email On Sat, Jun 29, 2019 at 12:51, Ryan McGinnis wrote: >

SKS Keyserver Network Under Attack

2019-06-29 Thread Ryan McGinnis via Gnupg-users
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f -Ryan McGinnis http://bigstormpicture.com PGP: 486ED7AD Sent with ProtonMail Secure Email