How did the NSA hack our emails? (Numberphile videos)

[Atom Smasher]

How did the NSA hack our emails?
https://www.youtube.com/watch?v=ulg_AHBOIQU

NSA Surveillance (an extra bit)
http://www.youtube.com/watch?v=1O69uBL22nY


--
...atom

 
 http://atom.smasher.org/
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -

"[Commercial radio] is owned by one or two corporations now, and
 they're not in the music business. They're in the advertising
 business. So let's not kid ourselves. If you want to hear music,
 go buy a guitar."
-- Elvis Costello


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Using sound of CPU to extract RSA Key

[Jerry]

On Sun, 22 Dec 2013 22:38:43 +0100, Werner Koch stated:

> On Sun, 22 Dec 2013 19:56, je...@seibercom.net said:
> > Has anyone seen this? It seems interesting, but is it accurate?
> 
> Sure.  Haven't you see my announcement for 1.4.16 ?  Really cool
> side-channel attack.

No, I don't remember seeing any announcement, but then I don't read
every email from the list as carefully as I should I guess.

--
Jerry

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Possible to combine smartcard PIN with key password?

[NdK]

Il 22/12/2013 04:13, adrelanos ha scritto:

> Or in other words, is it possible to store an already encrypted
> (password protected) gpg private keys on a smartcard? So the smartcard
> never gets to see the plain key?
That would be really useless: smartcardneeds the key to *do* crypto ops!
It's not a limited USB stick!
Since the smartcard is a really controlled execution environment, "we"
can say it's a "trusted environment".

> I've learned the hard way (by buying the equipment even with external
> PIN pad), that when "keytocard" has been used, that only the PIN has to
> be entered. No password. Unfortunately.
Luckily. Smartcards are used to avoid exposing key material to an
untrusted environment, like a PC.

> The smartcard has been bought by me to improve security. Not to
> substitute one security mechanism with another. I believe gpg's software
> encryption is more trustworthy than a card I got by snail mail. I
> haven't heard that any cards have been compromised yet, but how do I
> know if I really received an original (untampered) card in the first place.
You have to trust the supplier. If you ordered 'em in significant
quantities, you could ask to have 'em with special keys so that every
step can be checked.
Or. more easily, you can buy blank java cards from diffetent
manufacturers, then compile an upload your carefully checked applet.

> In my opinion both attempts, password protection and smartcards, on
> security are worthwhile. When using smartcards I am trusting hardware, a
> small group of card designers, producers, post office... And when using
> gpg's software key encryption, I am trusting the software producers and
> the programmers actually looking at the code.
You can do many checks yourself: there are various OpenPGP Java
implementations around.

> The idea was to take my chances. If smartcards work, that's great. The
> key can be abused when a malware infection happened, but at least the
> key can not be extracted. On the other hand, if I loose my smartcard and
> smartcards don't do what they promise (i.e. someone ever comes up with
> some exploit to extract the key), I fall back to gpg's software key
> encryption.
And how do you think the card could perform crypto ops on encrypted
keys? If you lose your card, it could be way easier to revoke the keys
on card. And that's why many people keep their master key offline, using
cards/tokens just to safely transport their keys.

> I am ignorant about the technical details. Maybe there is a technical
> reason why it's not worthwhile to combine these things? Or are
> smartcards just too limited at this stage of development to support that?
No. It's simply impossible to do what you're asking. Unless you replace
the secret key with a *masked* version, leaving the unmasking key on the
PC, encrypted by PGP. But that would prevent checking on-card various
possible attacks, actually weakening the whole system.

BYtE,
 Diego.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Using sound of CPU to extract RSA Key

[Werner Koch]

On Sun, 22 Dec 2013 19:56, je...@seibercom.net said:
> Has anyone seen this? It seems interesting, but is it accurate?

Sure.  Haven't you see my announcement for 1.4.16 ?  Really cool
side-channel attack.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Using sound of CPU to extract RSA Key

[Jerry]

Has anyone seen this? It seems interesting, but is it accurate?

http://it.slashdot.org/story/13/12/18/216/scientists-extract-rsa-key-from-gnupg-using-sound-of-cpu?sdsrc=popbyskid

-- 
Jerry

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

(OT) Mail-Followup-To or not? (was Re: 2.x)

[Peter Lebbing]

On 22/12/13 19:36, Jens Lechtenboerger wrote:
> Moreover, with MFT I know whether you would like to receive a separate
> copy for replies or not.

You could also interpret the absence of any headers indicating otherwise that
the person might not care enough about that to set headers.

My 2 cents,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: 2.x

[Jens Lechtenboerger]

On So, Dez 22 2013, Uwe Brauer wrote:

> "Jens" == Jens Lechtenboerger
>> P.S. Do you know Mail-Followup-To (MFT)?
>
> hm, I am reading this group via gmane (and news) I use simply 
> gnus-summary-followup-with-original which results in a mail 
> to  Newsgroups: gmane.comp.encryption.gpg.user

I don’t know about that.

> Do you find this annoying?

MFT has benefits: If I reply to a message with MFT, the To header is
automatically directed to the list (instead of the From e-mail address).
A small joy ;)
Moreover, with MFT I know whether you would like to receive a separate
copy for replies or not.

Best wishes
Jens

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: 2.x

[Uwe Brauer]

>> "Tristan" == Tristan Santore  writes:

   > On 22/12/13 17:24, Uwe Brauer wrote:
    "K" == K Raven  writes:

   > You being German has nothing to do with the fact you can read it. I am
   > British, I can also read it.
   > ;-p

Correct, but, being German :-D, it would  have been very odd, if I were
not able to read it.. 


PS
And I presume my  name is most likely be an unique German name (it exists
in Scandinavian countries but with different spellings.)


smime.p7s
Description: S/MIME cryptographic signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: 2.x

[Tristan Santore]

On 22/12/13 17:24, Uwe Brauer wrote:
>>> "K" == K Raven  writes:
>> Hi,
>
>> I'm using Kubuntu (13.10) too and because many packets depend on gnupg,
>> i use the Alternatives system to leave gnupg1 installed and use gnupg2
>> in parallel. You can see that on
>>  (in German, but
>> the commandos are readable). Sure, you must repeat the steps after gnupg
>> updates. Alternatively (at the end of the chapter), you can rename the
>> gnupg1 binaries and make symlinks to gnupg2, but i don't like that.
>
> Thanks, since I am German, I can read this document :-D 
>
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
You being German has nothing to do with the fact you can read it. I am
British, I can also read it.
;-p

Regards,

Tristan

-- 

Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
tristan.sant...@internexusconnect.net

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
tsant...@fedoraproject.org

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: 2.x

[Uwe Brauer]

>> "K" == K Raven  writes:

   > Hi,

   > I'm using Kubuntu (13.10) too and because many packets depend on gnupg,
   > i use the Alternatives system to leave gnupg1 installed and use gnupg2
   > in parallel. You can see that on
   >  (in German, but
   > the commandos are readable). Sure, you must repeat the steps after gnupg
   > updates. Alternatively (at the end of the chapter), you can rename the
   > gnupg1 binaries and make symlinks to gnupg2, but i don't like that.

Thanks, since I am German, I can read this document :-D 


smime.p7s
Description: S/MIME cryptographic signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: 2.x

[Uwe Brauer]

>> "Jens" == Jens Lechtenboerger
>>  writes: 

   > On Sa, Dez 21 2013, Uwe Brauer wrote:

   >> I am on Kubuntu 10.04 and I have both gnupg and gnupg2
   >> installed. Now since 2.x is not affected by the problem mentioned
   >> I prefer to use it. However how can I be sure that gnupg2 is used
   >> for my email correspondence for which I use pgp-mime and not
   >> gnupg? (I am using Xemacs+gnus)

   > You can uninstall or update gnupg :-)

well, no, because then apt-get tells me to uninstall 
roughly 36 package, some of them look pretty much like core programs.

   > Alternatively, for EasyPG you can customize epg-gpg-program.  (The
   > configuration code tries gpg first, gpg2 second.  So uninstall
   > should really help.)

Ok this was the variable I was looking for. I looked up gpg, epa but not
epg! thanks


   > Best wishes
   > Jens


Uwe 
   > P.S. Do you know Mail-Followup-To (MFT)?
   > If you customized message-subscribed-addresses, my reply would
   > automatically get the correct recipient headers, see:
   > 
https://www.gnu.org/software/emacs/manual/html_node/message/Mailing-Lists.html

hm, I am reading this group via gmane (and news) I use simply 
gnus-summary-followup-with-original which results in a mail 
to  Newsgroups: gmane.comp.encryption.gpg.user
Do you find this annoying?


smime.p7s
Description: S/MIME cryptographic signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: 2.x

[K. Raven]

Hi,

> On Sa, Dez 21 2013, Uwe Brauer wrote:
> 
>> I am on Kubuntu 10.04 and I have both gnupg and gnupg2 installed.
>> Now since 2.x is not affected by the problem mentioned I prefer to
>> use it. However how can I be sure that gnupg2 is used for my email 
>> correspondence for which I use pgp-mime and not gnupg? (I am using 
>> Xemacs+gnus)
> 
> You can uninstall or update gnupg :-)

I'm using Kubuntu (13.10) too and because many packets depend on gnupg,
i use the Alternatives system to leave gnupg1 installed and use gnupg2
in parallel. You can see that on
 (in German, but
the commandos are readable). Sure, you must repeat the steps after gnupg
updates. Alternatively (at the end of the chapter), you can rename the
gnupg1 binaries and make symlinks to gnupg2, but i don't like that.

-- 
Ciao
Kai

http://kairaven.de/

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: 2.x

[Jens Lechtenboerger]

On Sa, Dez 21 2013, Uwe Brauer wrote:

> I am on Kubuntu 10.04 and I have both gnupg and gnupg2 installed. Now
> since 2.x is not affected by the problem mentioned I prefer to use
> it. However how can I be sure that gnupg2 is used for my email
> correspondence for which I use pgp-mime and not gnupg? (I am using
> Xemacs+gnus)

You can uninstall or update gnupg :-)

Alternatively, for EasyPG you can customize epg-gpg-program.  (The
configuration code tries gpg first, gpg2 second.  So uninstall
should really help.)

Best wishes
Jens

P.S. Do you know Mail-Followup-To (MFT)?
If you customized message-subscribed-addresses, my reply would
automatically get the correct recipient headers, see:
https://www.gnu.org/software/emacs/manual/html_node/message/Mailing-Lists.html

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users