Re: [Enigmail] BCC issues 1.7.2
If I am understanding this issue correctly, a plausible real world scenario for bcc'ing encrypted recipients is one I ran into last week: I am working on a project that requires interaction with 3 different stakeholder teams. All use encrypted email, but do not interact with one another directly, and that is by design. It was a simple enough task to copy/paste the original message into new messages for the other teams. But it would have been convenient to be able to BCC the whole group at one time. I use myself as the To recipient. My personal preference is to see the same encryption behavior everywhere - where there are recipients w/o a key combined w/recipients that do have a key, warn that the message will be unencrypted. A prompt before send may be better than a status icon imho. On 1/6/2015 11:24 AM, Phil Stracchino wrote: On 01/06/15 11:23, Patrick Brunschwig wrote: If you think this should be changed, then you're invited to discuss this here. I never use BCC recipients in conjunction with encryption, so I can't really estimate how to proceed here. I tend to agree; I have a little difficulty imagining a plausible real-world scenario in which you would want to send Alice an encrypted message and bcc: Bob on it. ___ enigmail-users mailing list enigmail-users@enigmail.net To unsubscribe or make changes to your subscription click here: https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net ___ enigmail-users mailing list enigmail-users@enigmail.net To unsubscribe or make changes to your subscription click here: https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
Re: [Enigmail] General Opinion and unverified bug
Just wanted to say...I'm so sorry you are exposed to and abused by demented people like this: http://sixdemonbag.org/threat.xhtml 3. It is embarrassing to be a member of the same crowd as people like this - users who are paranoid :) Be well, and many blessings to you and all those others who give so much to the world without compensation or expectation of return. You restore me. On 1/1/2015 11:34 AM, Robert J. Hansen wrote: I don't think this is very well reasoned or rational. That’s correct, and that’s why I won’t touch the code: because users *aren’t* rational. The Peace Corps and the CIA have a mutual understanding: if you’ve ever in your life worked for one, you’re forever barred from working for the other. They do this so the Peace Corps can be trusted to be purely humanitarian and have no ties to US intelligence. This rule has been in place for 25 years or more, and *still* Peace Corps volunteers get accused regularly of working for US intelligence. I’ve had people email me accusations of being an FBI mole and even send me death threats for having some government affiliations and being active in the community. I’m not kidding. You can see one example at http://sixdemonbag.org/threat.xhtml . There have been several others over the years. Users *aren’t* rational, and there’s a very vocal segment of the community that screams bloody murder and conspiracy at every opportunity. For that reason, I don’t touch the code. I'm convinced it's harder to implement backdoors and vulnerabilities in code, if it has less lines, is clean and well-documented. This is likely true, but... Why that's the case? I just looked at the code for some minutes, and I wanted to know, what happens before sending an email, and what happens after sending an encrypted and signed email. I didn't spend much time, but not chance for me. I'm not a code reviewer. I wouldn't know, where to begin, to study Enigmail. … this makes me doubt your qualifications to make such a statement. ___ enigmail-users mailing list enigmail-users@enigmail.net To unsubscribe or make changes to your subscription click here: https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net ___ enigmail-users mailing list enigmail-users@enigmail.net To unsubscribe or make changes to your subscription click here: https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
Re: [Enigmail] General Opinion and unverified bug
HAHAHAHAHA! That is the *best* laugh I've had in a long time! The ILLUMINATIlmao. I used to get followers on twitter who wanted me to research them - instantly blocked. I only use tinfoil where appropriate. LOL that is too funny. 3 On 1/5/2015 11:15 AM, Robert J. Hansen wrote: Just wanted to say...I'm so sorry you are exposed to and abused by demented people like this: http://sixdemonbag.org/threat.xhtml 3. It is embarrassing to be a member of the same crowd as people like this - users who are paranoid :) Well, thank you. :) I should say, though, that the vast majority of our users are nice people whom I’d happily buy a beer. But there’s a small fraction of the userbase that keeps life very interesting. In 2005, I think it was, while I was in graduate school, I was approached by a group who wanted me to deliver a speech on communications security and the effective use of cryptography. The conditions the organizer put on it were pretty weird: I wasn’t to ask anyone their names, I’d get paid in cash, etcetera. The speech was to be in Chicago, which is a considerable distance away, so I asked for $100 in advance against my speaking fee just to cover my driving expenses. I received a single $100 bill in the mail a few days later, with no return address. This concerned me, because this group was now both (a) deeply paranoid and (b) serious about hiring me. Shortly before driving to Chicago I sent the organizer (through an anonymous remailer: I never learned his or her real name) a concerned note about, “listen, I don’t know what I’m getting into here: for all I know you’re a criminal enterprise, and I’m not going to get tangled in that.” The organizer sent me back a note saying that they had a discussion and yes, they decided I had a right to know what I was getting into. They were a support group for people on the run from the Illuminati. My next email to them was a simple, “Wait, you’re telling me you’re a support group for people on the run from the Bavarian Illuminati? Is that what you just … I don’t understand.” No, no, they told me, the *Illuminati*. The Bavarian Illuminati is just one small branch. The rest of their email was filled with a detailed breakdown of the structure of the Illuminati and what they had been able to discern of its internal power struggles, and why the Bavarian branch was currently not in good favor with the Illuminati as a whole. They had discovered this from interviewing a very small number of people who had survived the Illuminati and were now in hiding, and their group was devoted to trying to keep these people alive. I bowed out, telling them I wasn’t willing to sign up for that. The organizer understood, and suggested that I donate the $100 to a local charity. It was simply too dangerous to give me a postal address to return the money to, you see. I wrote a check to a local food bank for $100. The single $100 bill I received from the support group for people on the run from the Illuminati got framed. I keep it above my office desk, as proof positive that I have been employed to fight the dark conspiracy that shapes our world. Yes, folks. Every single word I’ve written here is true. Like I said. A small fraction of the userbase keeps life very, very interesting. :) ___ enigmail-users mailing list enigmail-users@enigmail.net To unsubscribe or make changes to your subscription click here: https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net ___ enigmail-users mailing list enigmail-users@enigmail.net To unsubscribe or make changes to your subscription click here: https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
Re: [Enigmail] Video of my privacy enigmail talk at NDC conference available
Errr...that's not the first time I've done that! The center is real - did you search for it? http://www.forbes.com/sites/kashmirhill/2013/10/17/nsas-utah-data-center-suffers-new-round-of-electrical-problems/ On 6/9/2014 6:14 PM, Robert J. Hansen wrote: On 6/9/2014 6:13 PM, afreewoman wrote: No, we don't. Response: http://nsa.gov1.info/utah-data-center/ Err -- check the bottom of that page, please. This is a parody of nsa.gov and has not been approved, endorsed, or authorized by the National Security Agency or by any other U.S. Government agency. The bit from the page about Our Current Target: 128-bit AES should also have been a dead giveaway. Do you really think that if *any* government was closing in on the ability to break AES-128 that they'd publish it on a webpage? Or the [o]ur classified NSA Oak Ridge facility... A classified facility would not be published on a webpage, as that would mean the facility was no longer secret, and thus no longer eligible for classification. Or the, In recent months, numerous TS documents have been leaked to the media relating to surveillance activities carried out by our Intelligence Community. In an effort to increase transparency, a new website called 'IC OFF THE RECORD' was created to provide the American People immediate, ongoing and direct access to these unauthorized leaks. Well, congratulations: if that site's authentic, then whoever's behind it has just committed so many violations of the Espionage Act that it would require scientific notation just to count them. I mean ... seriously. As far as parody goes it's pretty funny, but any one paragraph, by itself, is chock-full of evidence that it's completely fake. The *real* NSA public affairs website, incidentally, is: http://www.nsa.gov/public_info/ ___ enigmail-users mailing list enigmail-users@enigmail.net To unsubscribe or make changes to your subscription click here: https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net ___ enigmail-users mailing list enigmail-users@enigmail.net To unsubscribe or make changes to your subscription click here: https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
Re: [Enigmail] Video of my privacy enigmail talk at NDC conference available
As a user-only of these tools, I have found the casual attitude around the varying ways in which encryption has been subverted by insert wealthy government here and see 5 Eyes/14 eyes/locations of US intel stations in MENA, etc intelligence actors around the world very disturbing. We have processors bugged during delivery intercepts, at least one facility here in the US (if we don't count Google) with enough computing power and resources to pull off decrypting SHA512 without breaking a sweat, etc. etc. - and little information about how pervasive their use of cryptographic hacking technology is. http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security Enigmails plugin is recommended to activists around the world - most recently by ResetTheNet.org https://pack.resetthenet.org/. Though it may be useful to think of rewriting Enigmail code to include an upgrade cryptography solution, I'm not sure why anyone would consider SHA512 up to the task of protecting activists. If the NSA can break 1024 bit encryption, they have almost certainly already hacked SHA512. Another option is that the NSA has built dedicated hardware capable of factoring 1024-bit numbers. There's quite a lot of RSA-1024 out there, so that would be a fruitful project. So, maybe. https://www.schneier.com/blog/archives/2012/03/can_the_nsa_bre.html I have neither the time nor the energy to go into all the exhaustive articles out there on the NSA's assault, using private corporate partners as well as government facilities, on privacy around the globe. My question for you is: Why would you want to add encryption that is good enough to a product that already contains this ability? Why would you NOT want to include the strongest, most secure encryption possible by default? Thank-you for your time and patience with a non-coding, technical support person :) On 6/9/2014 5:45 AM, Suspekt wrote: Am 09.06.2014 12:18, schrieb Nicolai Josuttis (enigmail): -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi Suspekt, thanks for the feedback. the cryptographic experts warn strongly about using SHA1. See for example Minute 31:30 of the following talk (in German): http://media.ccc.de/browse/congress/2013/30C3_-_5337_-_de_-_saal_2_-_201312271715_-_kryptographie_nach_snowden_-_ruedi.html The essence is SHA1 is broken. See also by the same author http://www.cryptolabs.org/hash/WeisCccDsHash05.html The author offered the following bet in 2005(!): I would prefer to bet for Britney Spears being a virgin over the safety of SHA1 ;-) Without being an expert, that's seriously enough strong warnings by experts I trust. Best Nico OK, let me also throw in some references ;) https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html A collision attack is therefore well within the range of what an organized crime syndicate can practically budget by 2018, and a university research project by 2021. So, yes lets switch, but don't panic. I've read on some mailinglist the nice paraphrase let's retreat instead of run away. To clarify this: Using SHA512 as a default is probably a good thing ___ enigmail-users mailing list enigmail-users@enigmail.net https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net ___ enigmail-users mailing list enigmail-users@enigmail.net To unsubscribe or make changes to your subscription click here: https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
Re: [Enigmail] Video of my privacy enigmail talk at NDC conference available
No, we don't. Response: http://nsa.gov1.info/utah-data-center/ On 6/9/2014 12:09 PM, Robert J. Hansen wrote: disturbing. We have processors bugged during delivery intercepts, at least one facility here in the US (if we don't count Google) with enough computing power and resources to pull off decrypting SHA512 without breaking a sweat, etc. etc. No, we don't. At present, the best way to attack SHA512 is to do a birthday attack of complexity roughly 2**256. There are a lot of laws of physics that compellingly argue that doing a computation of that complexity would require more energy than the Sun will put out over its entire lifetime. You may want to consider having a little more skepticism in your sources. At least on this particular count, your source is one hundred percent wrong. to the task of protecting activists. If the NSA can break 1024 bit encryption, they have almost certainly already hacked SHA512. Breaking RSA-1024 is considered equivalent to an attack of complexity 2**80. That's *a lot*. A few years ago a group of enthusiasts used a large distributed network and over a year of processing time to mount an attack of complexity 2**64. 2**80 is a factor of 64,000 times harder. No one knows whether RSA-1024 has been broken: all that we know is it's time is limited, and if it hasn't yet been broken it's a question of when and not if. But SHA512, even for a pure birthday collision (which is pretty much useless in terms of how OpenPGP gets used), is at best a 2**256 attack. That's a factor of 2**176 harder. In plain English, that's a factor of 100,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 harder. That's a *lot*. ___ enigmail-users mailing list enigmail-users@enigmail.net To unsubscribe or make changes to your subscription click here: https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net ___ enigmail-users mailing list enigmail-users@enigmail.net To unsubscribe or make changes to your subscription click here: https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
Re: [Enigmail] Jan 28th Data Protection Day?
Gee thanks, Phil. I just visited your site and it ran code on my machine from a DOS command. wtf? On 1/29/2014 1:22 PM, Phil Stracchino wrote: On 01/29/14 14:15, AFreeWoman wrote: Council of Europe designated it: The aim of Data Protection Day, which is marked on 28 January each year, is to give citizens an opportunity to understand what kind of data about them is collected and processed, why this is done, and what rights they have in respect of such processing. It is also an opportunity for them to become more aware of the inherent risks associated with the unlawful use or clandestine processing of their personal data. http://hub.coe.int/event-files/our-events/28-january-data-protection-day Whereas here in the US, we are informed... ...[crickets] --- This email is free from viruses and malware because avast! Antivirus protection is active. http://www.avast.com ___ enigmail-users mailing list enigmail-users@enigmail.net https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
[Enigmail] Enigmail 1.3.5 incompatible with Thunderbird v22
Am now subscribed so this question should be available for answering? Rec'd an automated reply that it was held by moderator because I was not a member. Pls advise. Original Message Subject:Enigmail 1.3.5 incompatible with Thunderbird v22 Date: Sat, 22 Jun 2013 14:17:12 -0500 From: afreewoman afreewo...@riseup.net To: enigmail-users@enigmail.net Hi. I'm receiving the error noted in the subject line when I install your add-on from within Thunderbird/Tools/Add-Ons. Do I have to revert to Thunderbird v17 to use Enigmail for encryption, or do you have a workaround for this scenario? TYVM. ___ enigmail-users mailing list enigmail-users@enigmail.net https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
Re: [Enigmail] Enigmail 1.3.5 incompatible with Thunderbird v22
THANK-YOU so much, Kosuke! Will download, install and update if I still have problems. On 6/22/2013 2:55 PM, Kosuke Kaizuka wrote: Hi, On Sat, 22 Jun 2013 14:23:02 -0500, afreewoman wrote: Am now subscribed so this question should be available for answering? Rec'd an automated reply that it was held by moderator because I was not a member. Pls advise. Original Message Subject:Enigmail 1.3.5 incompatible with Thunderbird v22 Date: Sat, 22 Jun 2013 14:17:12 -0500 From: afreewoman afreewo...@riseup.net To: enigmail-users@enigmail.net Hi. I'm receiving the error noted in the subject line when I install your add-on from within Thunderbird/Tools/Add-Ons. Do I have to revert to Thunderbird v17 to use Enigmail for encryption, or do you have a workaround for this scenario? TYVM. Enigmail 1.3.5 is too too old (around 1.5 years ago). Enigmail 1.5.1 is the latest compatible version for Thunderbird 17. You should use Enigmail nightly build for Thunderbird 22 Beta. http://www.enigmail.net/download/nightly.php ___ enigmail-users mailing list enigmail-users@enigmail.net https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
