Ah, it's nice to know that as time inexorably marches forward and Usenet
becomes AOL becomes TikTok, as keyboards transition to phone screens transition
to VR sensors, that some things, some things -- some things never change.
-Ryan McGinnis
r...@digicana.com
https://bigstormpicture.com
GPG:
li Kon via Gnupg-users
wrote:
> On 2021-09-10 8:00 p.m., Ryan McGinnis via Gnupg-users -
>
> gnupg-users@gnupg.org wrote:
>
> > Years ago, I think Canon offered some kind of in-camera file format
> >
> > that supposedly could prove that the file had not been tamp
Years ago, I think Canon offered some kind of in-camera file format that
supposedly could prove that the file had not been tampered with. Eventually
exploits were found that rendered it unreliable.
For what it's worth if you're gung-ho about our heroine using a public library
computer or something and you can't stego some info into an image for one of
the image boards because you don't have any tech of your own in that country,
then using an OTP to publicly post something to a pastebin
Protonmail only requires a phone number to send a verification “are you a real
human” SMS if the IP you are registering from is a source of previous abuse.
So, like, don’t use a VPN when you do it.
Or if you’re worried about it, make the account back in your safe country
before you travel to
Alice is an idiot if she’s trying to defeat nation-state adversaries and be a
thrifty shopper at the same time, but even so, in most places a laptop isn’t
going to be cheaper than a cheap mobile phone.
You really want Alice to use some public library computer for some reason, but
I am going
Sounds like you're having to trust some kind of tech from the country you're
going to, so with that in mind:
Buy burner phone and SIM with cash from some place where normal people buy
phones and SIMs with cash. Install Signal. Done
For identification, have some code word that will be the
Why does GPG continue to be developed with email uses in mind even though it's
now widely accepted that GPG is a terrible way to securely communicate with
another person and that a number of much more secure, much more robust, much
less complicated (from the end user perspective) solutions
Hah, these look like they’re probably aimed at the pentesting market, they are indeed tiny as hell!
Sent from ProtonMail Mobile
On Sat, Nov 28, 2020 at 1:59 AM, Stefan Claas via Gnupg-users wrote:
Hi all,
some of you may remember the recent thread from me about OpenPGP
CIA Agent 1: Swap out that NFC tag with the malicious one.
CIA Agent 2: But he put a little sticker on it!
CIA Agent 1: My God, all hope is lost
On 10/14/20 2:09 AM, Stefan Claas wrote:
> Ángel wrote:
>
>> On 2020-10-11 at 17:41 +0200, Stefan Claas wrote:
>>> I had not set a password, so that the
Probably a bit outside the scope of the list, but in my experience most
users underestimate the risks involved in running their own servers.
Probably not anyone reading a GPG mailing list, but I only mention it
because of the discussion of no-ip and DDNS stuff -- usually only tools
used by
. A 1,000 by 1,000 file would make a nice 3x3 inch sticker or back of a postcard.
-Ryan McGinnis
http://www.bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
On Tue, Oct 6, 2020 at 17:43, Stefan Claas <s...@300baud.de> wrote:
Ryan McGinnis via Gnupg-users
Yeah, though if you wanted to be sneaky-do you could encrypt a message,
put it on a QR sticker, slap the sticker on some traffic pole as a dead
drop, and let it hide in plain sight until your intended recipient came
by and snapped a shot of it. My guess is that if the world ever gets to
the crazy
Perhaps just use QR codes? Easily scanned and imported by a digital
device. Message size is limited, but probably enough. If not, you can
maybe use multiple QR codes. This reply, encrypted to you, is contained
in the linked QR below:
https://imgur.com/a/JoPjgGH
On 10/5/20 10:37 AM, Stefan
Wonder if someone saw this email and uploaded it -- it shows up when I search!
:)
Best,
-Ryan McGinnis
http://www.bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
‐‐‐ Original Message ‐‐‐
On Thursday, September 17, 2020 10:25 AM, Martin wrote:
(BTW -- not to be pedantic, but if by "a few" words you mean "three", then you
don't have a good passphrase -- six words is kinda minimum with diceware to get
a decent amount of entropy)
-Ryan McGinnis
http://www.bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E
Unless you live in North Korea or something there are always ways around SIM
registration laws, though they get expensive depending on where you live. If
you have a trusted US contact you can just have them grab you a bunch of Mint
Mobile SIMs and have them cooperate with sending you the OTP
A. Yes, you can still anonymously register for almost anything. It's not
straightforward and requires a bit of forethought and jumping through hoops.
No, it probably won't defeat the NSA, but if they're your adversary what in
blue blazes are you doing using any kind of electronic device let
Calling that a documentary is like me tattooing angel wings on my back
and trying to pass as an attack helicopter.
On 8/20/20 10:23 AM, Stefan Claas wrote:
> Robert J. Hansen wrote:
>
>>> Sorry for being now probably completely off-topic, but when it comes to
>>> informations we find
>>> on the
Generally when something is "banned from Youtube" and the reason for the
ban wasn't that it was outright pornography, copyrighted content, or
illegal content, you can rest assured that the "banned video" is some
Grade A Prime Whackadoo McCrazy Bullshit and that you will become dumber
if you watch
ly see what's so silly about the whole thing.
On 2020-08-12 18:57, Ryan McGinnis via
Gnupg-users wrote:
Well yes I realize that it exists, what I'm saying is why would anyone
use it for secure communications on a smartphone when there are
solutions orders of magnitud
3FA3 486E D7AD
Sent from ProtonMail Mobile
On Wed, Aug 12, 2020 at 11:57, Stefan Claas <s...@300baud.de> wrote:
Ryan McGinnis via Gnupg-users wrote:
> If you don't want to be location tracked on a mobile device you just
> power it off and put it in a Faraday bag when not in use.
>
to paved roads.
On 8/12/20 11:46 AM, Stefan Claas wrote:
> Ryan McGinnis via Gnupg-users wrote:
>
>> I guess the real question is: what are people using PGP for on mobile
>> devices? If it's for communication, that's silly. There are at least a
>> half dozen far, far, far
I presume the goal of people (who know what they are doing) going
through all these inconvenient steps isn't to build the perfect
impenetrable fortress of security (which doesn't exist) but rather to
make it more difficult or expensive to circumvent from the threat
actor's perspective, hopefully
If you don't want to be location tracked on a mobile device you just
power it off and put it in a Faraday bag when not in use.
https://silent-pocket.com/
If you want to deep dive into this sort of thing (it's a really deep
lake), give this book a read:
I guess the real question is: what are people using PGP for on mobile
devices? If it's for communication, that's silly. There are at least a
half dozen far, far, far better ways to securely communicate on a
smartphone.
Also -- unless you are steeped in the security industry and run a
hardened
Claas wrote:
> Ryan McGinnis via Gnupg-users wrote:
>
> > Went to a security seminar where I asked a random FBI agent after a
> > presentation about passwords; he said just to get into
> > their personal terminals it was something like 17 characters minimum and
>
‐‐‐
On Wednesday, July 8, 2020 11:36 AM, Stefan Claas wrote:
> Ryan McGinnis via Gnupg-users wrote:
>
> > Six years ago Snowden said to assume the NSA can try roughly 1 Trillion
> > passwords per second. I imagine it's significantly
> > more by now.
>
> Holy
Six years ago Snowden said to assume the NSA can try roughly 1 Trillion
passwords per second. I imagine it's significantly more by now.
-Ryan McGinnis
http://www.bigstormpicture.com
Sent via ProtonMail
‐‐‐ Original Message ‐‐‐
On Wednesday, July 8, 2020 6:33 AM, Stefan Claas
Interestingly enough, this breaks the Thunderbird/Protonmail integration, so
your message just shows up as the raw PGP blob that Protonmail is pushing to
the Protonmail client. It returns the error
" Decryption error
Decryption of this message's encrypted content failed.
openpgp:
I might be missing something really obvious here but... what is this
trying to protect against? It's not protecting against interception in
transit, since the message already transits the internet either in
cleartext or encrypted via TLS that your email service provider can
definitely read. So
Yes, ironically, this proof of concept is the responsible way to demonstrate the issue (after a sufficient waiting period following a private disclosure to the developers), rather than, say, demonstrating the issue by spitefully poisoning the keys of a few prominent people in the GPG community.
nnis
https://bigstormpicture.com
https://keybase.io/digicana
Sent via ProtonMail
‐‐‐ Original Message ‐‐‐
On Wednesday, July 31, 2019 11:40 AM, Maksim Fomin via Gnupg-users
wrote:
> ‐‐‐ Original Message ‐‐‐
> On Wednesday, 31 July 2019, 17:36, Ryan McGinnis via Gnupg
Kicking the can down to the endpoints -- but really, haven't you always had to
trust your app / OS? Unless you coded or audited it yourself from top to bottom
and built your own hardware (hah), there is always a level of trust required in
the code/device. Trusting Facebook seems... unwise.
ption-key-in-plain-sight/
>
> I don't think PGP does THIS !
>
> Elwin
>
> Sent using Hushmail
>
> On 7/22/2019 at 7:53 PM, "Ryan McGinnis via Gnupg-users"
> wrote:
>
> > I’m not so sure that it does. I think that’s the point security
>
://bigstormpicture.com
PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Sent with ProtonMail
Sent from ProtonMail Mobile
On Mon, Jul 22, 2019 at 15:00, Mark H. Wood via Gnupg-users <gnupg-users@gnupg.org> wrote:
On Mon, Jul 22, 2019 at 03:46:18PM +, Ryan McGinnis via Gnupg-users wrote:
>
ke Bruce Schneier suddenly popped up and said "we have a problem" and dumped his PK, I may take notice... Then again that's my opinion, why should you believe me :)
Cheers
Craig
From: Gnupg-users on behalf of Ryan McGinnis via Gnupg-users
Sent: 17 July 2019 15:28
To: Konstantin Boya
Is that to send them a message or an attachment?
You might look into Firefox Send -- not sure if this satisfies the legal
requirements, but it is very robust end to end encryption.
https://send.firefox.com/
-Ryan McGinnis
https://bigstormpicture.com
PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA
> - And finally: “don’t encrypt email”? Yes, well. Email is not going away.
> Just like passwords, its death has been long anticipated, yet never arrives.
> So what do we do in the meantime?
I think what the author is saying is stop trying to ever think of email as a
secure form of
More than a bit critical, but a good read all the same. Found on HN.
https://latacora.micro.blog/2019/07/16/the-pgp-problem.html
HN comment thread here: https://news.ycombinator.com/item?id=20455780
-Ryan McGinnis
https://bigstormpicture.com
PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E
, Jul 6, 2019 at 17:18, David wrote:
> On 06/07/2019 12:50, Ryan McGinnis via Gnupg-users wrote:
>> Someone brought it to my attention that my key is now one of the
>> affected keys; I think from this we can probably surmise that whoever(s)
>> is doing this probably reads th
Someone brought it to my attention that my key is now one of the affected keys;
I think from this we can probably surmise that whoever(s) is doing this
probably reads this list as this email address doesn’t see heavy circulation.
-Ryan McGinnis
https://bigstormpicture.com
PGP: 5C73 8727 EE58
To be fair, that bookshelf got pointed out like a decade ago. It’s just that
resources to build a new one never materialized.
While pointing out a problem by doing a targeted demonstration attack is about
as aggressively black hat as it gets, it’s hard to not expect it. Even big
white hat boys
Not sure why the phone number thing bothers people -- having a phone at all in
the first place means you are easily tracked. What Signal (and any encryption
system, really) does is try to prevent in-transit interception and surveillance
of the actual data content. It can't hide the metadata
This is quite cool (I have mine set up the same way), but somewhat ironic
considering, well... they're Facebook. I mean of all the big dog internet
companies out there that you'd expect to give you extreme measures to protect
in-transit personal user data... Facebook?!
-Ryan McGinnis
That is true that I am probably being unfair - my focus on GPG for email is
more a nostalgic sadness that secure (beyond TLS transport) email never really
became ubiquitous. In the end the protocol of email itself couldn’t keep up
with the way people needed to communicate, so email is now a bit of
AM, Peter Lebbing pe...@digitalbrains.com wrote:
>
> > On 01/07/2019 23:55, Ryan McGinnis via Gnupg-users wrote:
> >
> > > Null modem transfer of your messages? Yikes. To me that’s the issue
> > > with PGP in general as it relates to secure communications
>
it to communicate.
-Ryan McGinnis
https://bigstormpicture.com
PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Sent with ProtonMail
‐‐‐ Original Message ‐‐‐
On Tuesday, July 2, 2019 3:06 AM, Peter Lebbing wrote:
> On 01/07/2019 23:55, Ryan McGinnis via Gnupg-users wrote:
>
> >
Null modem transfer of your messages? Yikes. To me that’s the issue with PGP
in general as it relates to secure communications - the nerds and the criminals
and the spies know how to work it, but your average end user doesn’t need their
step one to be “go to a Goodwill in a city you don’t
It’s not so much that nothing better has come along, it’s that no single one of
those things does all the things PGP sets out to do. For secure communications
there are much better options than PGP - some of them in very heavy use by
actual normal, non tech people. For symmetric encryption
I can’t speak for others, but I wasn’t suggesting you were personally
responsible for where things are right now, only making observations about the
utility of continuing to use the product going forward, and what the targeted
end users likely expect from the software.
-Ryan McGinnis
I guess that’s one way to look at it, but if your end users are dissidents and
journalists communicating in happy fun places or developers signing critical
software, then surely you’d want the product to be resilient against 10 year
old trivial attacks from your users’ adversaries. I do
What would have prevented a state level actor from activating this exploit on a
wide level during a time when it would have been most effective for them? I
have to believe that the fine folks who can put an APT in your air-gapped
computer’s video card bios have been aware of this attack for
Interesting discussion thread on this over at HN:
https://news.ycombinator.com/item?id=20312826
-Ryan McGinnis
http://bigstormpicture.com
PGP: 486ED7AD
Sent with ProtonMail Secure Email
On Sat, Jun 29, 2019 at 12:51, Ryan McGinnis wrote:
>
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
-Ryan McGinnis
http://bigstormpicture.com
PGP: 486ED7AD
Sent with ProtonMail Secure Email