Re: Gnupg-users Digest, Vol 220, Issue 11

2022-01-10 Thread Ryan McGinnis via Gnupg-users

Ah, it's nice to know that as time inexorably marches forward and Usenet 
becomes AOL becomes TikTok, as keyboards transition to phone screens transition 
to VR sensors, that some things, some things -- some things never change.


-Ryan McGinnis
r...@digicana.com
https://bigstormpicture.com
GPG: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

‐‐‐ Original Message ‐‐‐

On Monday, January 10th, 2022 at 12:48 PM, Chris Taylor wrote:

> Hello,
>
> Please unsubscribe me from this list.
>
> Chris
>
> On 10/01/2022 15:08, gnupg-users-requ...@gnupg.org wrote:
>
> > Send Gnupg-users mailing list submissions to
> > gnupg-users@gnupg.org
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> > http://lists.gnupg.org/mailman/listinfo/gnupg-users
> > or, via email, send a message with subject or body 'help' to
> > gnupg-users-requ...@gnupg.org
> >
> > You can reach the person managing the list at
> > gnupg-users-ow...@gnupg.org
> >
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of Gnupg-users digest..."
> >
> > Today's Topics:
> >
> > 1. AW: GPG key generated on Windows... (Robert Flosbach)
> > 2. Re: AW: GPG key generated on Windows... (Werner Koch)
> > 3. Re: one ecc key-pair for both encryption and signature?
> >    (Bernhard Reiter)
> > 4. Re: Yubikeys and GnuPG 2.2/2.3 (Werner Koch)
> > 5. Fwd: gpg: onepass_sig with unknown version 105
> >    (Gilberto F. da Silva)
> > 6. Re: one ecc key-pair for both encryption and signature?
> >    (Robert J. Hansen)
> >

> > Message: 1
> > Date: Sun, 9 Jan 2022 10:25:39 +0100
> > From: "Robert Flosbach" r.flosb...@gmx.de
> > To: gnupg-users@gnupg.org
> > Subject: AW: GPG key generated on Windows...
> > Message-ID: 003a01d8053a$de2469c0$9a6d3d40$@gmx.de
> > Content-Type: text/plain; charset="UTF-8"
> >
> > Thank you very much for your help!
> >
> > For future reference and people having the same issue: gpg2.3 introduced a
> > new packet type 20 which provides authenticated encryption with associated
> > data (AEAD) [1]. A key generated with gpg2.3 supports this encryption type
> > and encryption in Windows (using the current Gpg4win 4.0.0) defaults to
> > AEAD for a key generated with default settings. Since AEAD/type 20 is not
> > supported yet by version 2.2, decryption on linux distros is not possible
> > using version 2.2.X from their repositories.
> >
> > [1] https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-06.html#rfc.section.5.16
> >

> > Message: 2
> > Date: Sun, 09 Jan 2022 12:14:27 +0100
> > From: Werner Koch w...@gnupg.org
> > To: Robert Flosbach via Gnupg-users gnupg-users@gnupg.org
> > Subject: Re: AW: GPG key generated on Windows...
> > Message-ID: 87h7adtb3g@wheatstone.g10code.de
> > Content-Type: text/plain; charset="us-ascii"
> >
> > On Sun, 9 Jan 2022 10:25, Robert Flosbach said:
> >
> > > For future reference and people having the same issue: gpg2.3
> > > introduced a new packet type 20 which provides authenticated
> > > encryption with associated data (AEAD) [1]. A key generated with
> > > gpg2.3 supports this encryption type and encryption in Windows (using
> > > the current Gpg4win 4.0.0) defaults to AEAD for a key generated with
> >
> > There are two ways to change this: the first is to change the
> > preferences on your key (using 2.3's --edit-key) and the second is to
> > put
> >
> > --8<---cut here---start->8---
> > ignore-invalid-option personal-aead-preferences
> > personal-aead-preferences none
> > --8<---cut here---end--->8---
> >
> > into gpg.conf . From the man page:
> >
> > --personal-aead-preferences string
> >
> >  Set the list of personal AEAD preferences to string.  Use gpg
> >  --version to get a list of available algorithms, and use none to set
> >  no preference at all.  This allows the user to safely override the
> >  algorithm chosen by the recipient key preferences, as GPG will only
> >  select an algorithm that is usable by all recipients.  The most
> >  highly ranked cipher in this list is also used for the --symmetric
> >  encryption command.
> >
> > (the ignore-invalid-option line allows to use the same gpg.conf
> > also with gpg 2.2)
> >
> > Shalom-Salam,
> >
> > Werner
>
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
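
Added example (not part of the thread and not GnuPG code): the digest quoted above attributes the GnuPG 2.2 decryption failure to "packet type 20", so this sketch walks the top-level packet headers of a binary OpenPGP message and reports whether it carries tag 20 (AEAD) or tag 18. The function names and the two sample byte strings are constructed for illustration; packet bodies are dummy bytes, not real ciphertext.

```python
"""Report which encrypted-data packet a binary OpenPGP message uses, by
walking the top-level packet headers (RFC 4880 section 4.2)."""

SEIPD_TAG = 18  # Sym. Encrypted Integrity Protected Data packet
AEAD_TAG = 20   # AEAD Encrypted Data packet, the "packet type 20" in the thread


def _new_format_length(data, pos):
    """Decode one new-format length; return (length, is_partial, next_pos)."""
    first = data[pos]
    if first < 192:                               # one-octet length
        return first, False, pos + 1
    if first < 224:                               # two-octet length
        return ((first - 192) << 8) + data[pos + 1] + 192, False, pos + 2
    if first == 255:                              # five-octet length
        return int.from_bytes(data[pos + 1:pos + 5], "big"), False, pos + 5
    return 1 << (first & 0x1F), True, pos + 1     # partial body chunk


def packet_tags(data):
    """Return the tags of all top-level packets, in order of appearance."""
    tags, pos = [], 0
    try:
        while pos < len(data):
            header = data[pos]
            if not header & 0x80:
                raise ValueError(f"offset {pos}: not an OpenPGP packet header")
            pos += 1
            if header & 0x40:                     # new packet format
                tags.append(header & 0x3F)
                partial = True
                while partial:                    # skip every partial chunk
                    length, partial, pos = _new_format_length(data, pos)
                    pos += length
            else:                                 # old packet format
                tags.append((header >> 2) & 0x0F)
                length_type = header & 0x03
                if length_type == 3:              # indeterminate: to end of data
                    pos = len(data)
                else:
                    size = 1 << length_type       # 1, 2 or 4 length octets
                    length = int.from_bytes(data[pos:pos + size], "big")
                    pos += size + length
            if pos > len(data):
                raise ValueError("truncated packet body")
    except IndexError:
        raise ValueError("truncated packet header") from None
    return tags


def uses_aead_packet(data):
    """True if the message contains an AEAD Encrypted Data packet (tag 20)."""
    return AEAD_TAG in packet_tags(data)


# Constructed sample: new-format tag 1 (session key) followed by tag 20.
AEAD_SAMPLE = bytes([0xC1, 0x03, 0x03, 0x00, 0x00,
                     0xD4, 0x04, 0x01, 0x09, 0x02, 0x10])

# Constructed sample: old-format tag 1, then tag 18 sent as one 512-byte
# partial body chunk followed by a final 2-byte chunk.
SEIPD_SAMPLE = (bytes([0x84, 0x02, 0x03, 0x00]) +
                bytes([0xD2, 0xE9]) + bytes(512) + bytes([0x02, 0x00, 0x00]))


if __name__ == "__main__":
    for name, blob in (("AEAD_SAMPLE", AEAD_SAMPLE),
                       ("SEIPD_SAMPLE", SEIPD_SAMPLE)):
        kind = "AEAD (tag 20)" if uses_aead_packet(blob) else "no tag 20"
        print(f"{name}: tags={packet_tags(blob)} -> {kind}")
```

The parser expects binary input; an ASCII-armored message has to be converted first, for example with gpg --dearmor.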


Re: Off-topic: standards for embedded signing of digital images?

2021-09-11 Thread Ryan McGinnis via Gnupg-users
No, I think what Canon and Nikon attempted to implement was something that, 
when paired with a validation software, would say with certainty "this is 
exactly what the camera wrote to the card".  It wasn't saying anything about 
whether what was being photographed was real or faked, merely that after the 
image file was written it wasn't tampered with.  It's a chain of custody thing. 
 Sorta like signing software -- the signature doesn't mean the software isn't a 
Trojan, it just means that the software has been signed by whatever key it was 
signed by, and you decide what that signature means to you.

Unfortunately they never really got the standard down, which is kinda funny 
since it's the kind of thing that can almost certainly be done.  I guess there 
just wasn't much of a market for it.  (Probably because altering photos 
undetectably is very hard to do -- you don't need digital signatures to see 
that the DA used the clone tool to put the gun in the killer's hand)

-Ryan McGinnis

r...@digicana.com

http://bigstormpicture.com

5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

‐‐‐ Original Message ‐‐‐

On Saturday, September 11th, 2021 at 2:53 PM, Oli Kon via Gnupg-users wrote:

> On 2021-09-10 8:00 p.m., Ryan McGinnis via Gnupg-users -
> gnupg-users@gnupg.org wrote:
>
> > Years ago, I think Canon offered some kind of in-camera file format
> > that supposedly could prove that the file had not been tampered with.
>
> We appear to be talking about two different things here. Both Nikon
> and Canon had developed a system which, purportedly, guaranteed that
> an image file represented "a reality, as the camera has seen it".
> This is no more possible than constructing a ~perpetuum mobile~, for
> no matter what the in-camera software and hardware did, the lens
> could be simply pointed to a synthetic image that is a faked reality,
> and camera would be none the wiser. By that naive logic, we could
> point the lens at the Botticelli's painting and camera would produce
> a cryptographically signed file that guaranteed that the photographer
> was present when Venus was born. Both Nikon and Canon quickly
> realized the error of their ways and quietly dropped the whole idea.
>
> It is a completely different thing for an owner of a private
> cryptographic key to sign a file, and clearly state what it is that
> he or she guarantees. That is a trivial process but it requires
> three things: a clear statement of what is it that the file signer
> guarantees, a secure conveyance of matching public key into the hands
> of the image user and a detached or "baked-into-file" signature.
> Since all three things are required, I see no significant advantage
> of an in-file (as opposed to a detached) signature.
> 


Re: Off-topic: standards for embedded signing of digital images?

2021-09-10 Thread Ryan McGinnis via Gnupg-users
Years ago, I think Canon offered some kind of in-camera file format that 
supposedly could prove that the file had not been tampered with.  Eventually 
exploits were found that rendered it unreliable.  
https://hk.canon/en/support/to-users-of-the-original-data-security-kit-osk-e3-original-data-verification-kit-dvk-e1-or-dvk-e2-accessories-for-digital-slr-cameras/notice
I suppose if you were going to engineer a spec like that today you'd have 
each camera have its own key that it used (maybe alongside a baked-in 
manufacturer key) to sign the relevant guts of RAW files of each shot it took.  
But this would really only be useful in a true forensics type situation, as 
most photographers end up editing and altering photos with programs like 
Lightroom before they call them "done".


As it is, most of the time people look for image tampering not through 
signatures but rather by looking for telltale signs of the artifacts left 
behind by common forms of tampering.  https://belkasoft.com/forgery-detection

-Ryan McGinnis

r...@digicana.com

http://bigstormpicture.com

5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

‐‐‐ Original Message ‐‐‐

On Thursday, September 9th, 2021 at 5:43 AM, Oli Kon via Gnupg-users wrote:

> On 2021-09-08 4:53 p.m., Mark H. Wood via Gnupg-users -
> gnupg-users@gnupg.org wrote:
>
> > I didn't know where else to turn, for folks who might be able to point
> > me at standards for or discussion of embedding crypto signatures in
> > image formats, to detect tampering with the image.
>
> There are no standards that I have ever heard about that would
> be specific to ~image~ files; so I would ask this:
>
> Which particular image file type are you interested in (.jpg,
> .tiff, .png, .bmp, .psd...) are you interested in, and why is it
> not appropriate to simply consider such file as another binary
> file that someone needs to digitally sign?
> 


Re: How would you do that ...

2021-05-13 Thread Ryan McGinnis via Gnupg-users
For what it's worth if you're gung-ho about our heroine using a public library 
computer or something and you can't stego some info into an image for one of 
the image boards because you don't have any tech of your own in that country, 
then using a OTP to publicly post something to a pastebin that Bob is actively 
monitoring is probably the way to go.  A OTP doesn't require any kind of tech 
to pull off and it's about as secure as it can get.  This could facilitate two 
way communications as well, so long as you both know where the messages will be 
dropped.  It's not very subtle, but it'd work.  


-Ryan McGinnis

r...@digicana.com

http://bigstormpicture.com

5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

‐‐‐ Original Message ‐‐‐

On Saturday, May 8th, 2021 at 8:04 AM, Stefan Vasilev via Gnupg-users wrote:

> l0f4r0 wrote:
>
> > Hi,
> >
> > 8 May 2021, 00:58 from gnupg-users@gnupg.org:
> >
> > > Alice is no complete moron, because she can't register a free ProtonMail
> > > account without a phone. Or did she miss there an anonymous registration
> > > procedure which works?
> >
> > I don't use ProtonMail so I can't say.
> >
> > But otherwise you have Tutanota (no phone number required):
> >
> > https://tutanota.com/blog/posts/anonymous-email/
>
> Hi,
>
> thanks! I already found a solution by using an .onion based email provider,
> with clearnet usage support. Super simple registration, where the user only
> supplies a username and a password. Nothing more. :-)
>
> Regards
>
> Stefan
> 


publickey - ryan@digicana.com - 0x5C738727.asc
Description: application/pgp-keys



Re: How would you do that ...

2021-05-07 Thread Ryan McGinnis via Gnupg-users
Protonmail only requires a phone number to send a verification “are you a real 
human” SMS if the IP you are registering from is a source of previous abuse.

So, like, don’t use a VPN when you do it.  

Or if you’re worried about it, make the account back in your safe country 
before you travel to Deathistan by using a burner phone SIM or something.  
These are pretty easily solvable problems that don’t lead to getting your 
genitals shocked.

-Ryan McGinnis
r...@digicana.com
http://bigstormpicture.com
5C73 8727 EE58 786A 777C  4F1D B5AA 3FA3 486E D7AD



> On May 7, 2021, at 5:58 PM, Stefan Vasilev  wrote:
> 
> 
> Ryan McGinnis wrote:
> 
>> Alice is an idiot if she’s trying to defeat nation-state adversaries
>> and be a thrifty shopper at the same time, but even so, in most places
>> a laptop isn’t going to be cheaper than a cheap mobile phone.
>> 
>> You really want Alice to use some public library computer for some
>> reason, but I am going to assume Alice isn’t a complete moron and
>> would avoid this, given there are a hundred better options that won’t
>> result in her genitals being shocked in some dingy government
>> interrogation room.
>> 
>> If you have to use a laptop then, cool, grab an ISO of Debian, install
>> it, find the nearest WiFi hotspot, make a free protonmail account,
>> send an email.  Done.
> 
> 
> Alice is no complete moron, because she can't register a free ProtonMail
> account without a phone. Or did she miss there an anonymous registration
> procedure which works? If yes, then she is of course a moron. :-D
> 
> 
> Regards
> 
> Stefan




Re: How would you do that ...

2021-05-07 Thread Ryan McGinnis via Gnupg-users
Alice is an idiot if she’s trying to defeat nation-state adversaries and be a 
thrifty shopper at the same time, but even so, in most places a laptop isn’t 
going to be cheaper than a cheap mobile phone.  

You really want Alice to use some public library computer for some reason, but 
I am going to assume Alice isn’t a complete moron and would avoid this, given 
there are a hundred better options that won’t result in her genitals being 
shocked in some dingy government interrogation room.  

If you have to use a laptop then, cool, grab an ISO of Debian, install it, find 
the nearest WiFi hotspot, make a free protonmail account, send an email.  Done.

-Ryan McGinnis
r...@digicana.com
http://bigstormpicture.com
5C73 8727 EE58 786A 777C  4F1D B5AA 3FA3 486E D7AD



> On May 7, 2021, at 5:36 PM, Stefan Vasilev  wrote:
> 
> 
> Ryan McGinnis wrote:
> 
>> Sounds like you're having to trust some kind of tech from the country you're 
>> going to, so with that in mind:
>> 
>> Buy burner phone and SIM with cash from some place where normal people buy 
>> phones and SIMs with cash.  Install Signal.  Done
>> 
>> For identification, have some code word that will be the first thing you 
>> send.  Maybe even have a duress code word, too.
>> 
>> Now there are some places this won't work.  Some places only sell phones 
>> that are pre-compromised.  If you know what you're doing you can probably 
>> flash it with GrapheneOS, though that would require buying a computer, in 
>> that country, too.  At some point you're probably in the "gonna be taking 
>> some serious risks no matter what" territory, unless you're working for MI6 
>> or something.
>> 
>> 
> 
> Alice likes to keep the costs low and would only purchase a laptop
> there, to prepare data, prior taking it to the Internet Café's
> (compromised) computer. Phones, whether dumb or smart, she likes to
> avoid. But thanks for the proposal, much appreciated.
> 
> 
> Regards
> 
> Stefan




Re: How would you do that ...

2021-05-07 Thread Ryan McGinnis via Gnupg-users
Sounds like you're having to trust some kind of tech from the country you're 
going to, so with that in mind:

Buy burner phone and SIM with cash from some place where normal people buy 
phones and SIMs with cash.  Install Signal.  Done

For identification, have some code word that will be the first thing you send.  
Maybe even have a duress code word, too.

Now there are some places this won't work.  Some places only sell phones that 
are pre-compromised.  If you know what you're doing you can probably flash it 
with GrapheneOS, though that would require buying a computer, in that country, 
too.  At some point you're probably in the "gonna be taking some serious risks 
no matter what" territory, unless you're working for MI6 or something.  


-Ryan McGinnis

r...@digicana.com

http://bigstormpicture.com

5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

‐‐‐ Original Message ‐‐‐

On Monday, May 3rd, 2021 at 4:24 AM, Stefan Vasilev via Gnupg-users wrote:

> Hi all,
>
> here is a little scenario. Alice and Bob need to find a way to do
> encrypted communications globally.
>
> The task is the following: Alice needs to travel to a foreign country
> without any devices (laptop, smartphone etc.).
>
> At arrival she needs to communicate daily (no real time communications)
> with Bob to exchange encrypted documents.
>
> Alice is not allowed to login in any services, like her Gmail account,
> social media etc. to not reveal her login credentials.
>
> She can't use Tor, because at her destination Tor is blocked. The only
> option she has is to use Internet Cafés or public libraries etc.
>
> She is aware that at an Internet Café keyloggers may be installed. Last
> but not least she does not carry any notices on paper with her.
>
> How would you solve this task?
>
> Regards
>
> Stefan
> 


Re: Plan B - Who carries the torch?

2021-01-06 Thread Ryan McGinnis via Gnupg-users
Why does GPG continue to be developed with email uses in mind even though it's 
now widely accepted that GPG is a terrible way to securely communicate with 
another person and that a number of much more secure, much more robust, much 
less complicated (from the end user perspective) solutions exist?  I'm guessing 
it's the same reason.

-Ryan McGinnis
http://www.bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

‐‐‐ Original Message ‐‐‐

On Tuesday, January 5th, 2021 at 9:46 AM, Stefan Claas via Gnupg-users wrote:

> On Tue, Jan 5, 2021 at 3:44 PM Werner Koch via Gnupg-users
> gnupg-users@gnupg.org wrote:
>
> > On Tue, 5 Jan 2021 07:27, Jean-David Beyer said:
> >
> > > Building a web of trust is so hopeless, from my point of view, that I
> > > have abandoned gnupg. I have made keys for myself, obtained enigmail
> >
> > Virtually nobody uses the WoT. What people use are direct key
> > signatures. That is you verify a key's owner and then sign that key.
> > Usually not even exportable. Verification is often done by trust on
> > first use. And that is okay for the majority of use cases.
>
> Not sure I understand you correctly, but why are then SKS key servers
> still in operation, which allows third parties to look up who signed
> whose key and with what trust level and GnuPG's WoT support, compared
> to sq and Hagrid?
>
> Regards
>
> Stefan
> 


Re: Mobile mini computers for GnuPG/OpenPGP usage instead of smartphone usage

2020-11-30 Thread Ryan McGinnis via Gnupg-users
Hah, these look like they’re probably aimed at the pentesting market, they are indeed tiny as hell!

Sent from ProtonMail Mobile

On Sat, Nov 28, 2020 at 1:59 AM, Stefan Claas via Gnupg-users wrote:

> Hi all,
>
> some of you may remember the recent thread from me about OpenPGP usage
> with smartphones. Since I sold my Android smartphone a while ago I thought
> why not look for other mobile devices, which are smaller than regular notebooks
> and which are maybe better suited (for me) than pure Linux smartphones.
>
> This would also have the advantage that one can use his preferred MUA
> instead of the ones available for Android/iOS.
>
> After googling a bit I found these IMHO super mini PCs, which looked very
> attractive to me and I purchased one (should be delivered in a couple of days).
>
> https://www.gpd.hk/gpdmicropc
>
> and for fans of MacBook designs:
>
> https://www.gpd.hk/gpdpocket2
>
> Hope you find this info useful!
>
> P.S. I purchased the GPD MicroPC with Ubuntu Mate instead of Microsoft Windows.
>
> P.P.S. These little computers are mostly sold out when looking around, but I had
> luck to find a German reseller who still has some in stock.
>
> Regards
> Stefan





Re: Five volunteers needed (EU .... Are you sure that this is really advantageous?

2020-10-14 Thread Ryan McGinnis via Gnupg-users
CIA Agent 1: Swap out that NFC tag with the malicious one.
CIA Agent 2: But he put a little sticker on it!
CIA Agent 1: My God, all hope is lost

On 10/14/20 2:09 AM, Stefan Claas wrote:
> Ángel wrote:
>
>> On 2020-10-11 at 17:41 +0200, Stefan Claas wrote:
>>> I had not set a password, so that the recipients can play with it.
>>> With a password set the NFC tag can not be written to.
>>>
>> Bob may be expecting to receive the safe, read-only NFC tag from Alice,
>> but Eve might have replaced it with a malicious one.
> Alice can purchase tamper proof NFC stickers which when stripped off get
> destroyed. :-)
>
> Regards
> Stefan
>
> --
> NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
>   The computer helps us to solve problems, we did not have without him.
>

-- 
-Ryan McGinnis
http://bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD




Re: Five volunteers needed (EU .... Are you sure that this is really advantageous?

2020-10-12 Thread Ryan McGinnis via Gnupg-users
Probably a bit outside the scope of the list, but in my experience most
users underestimate the risks involved in running their own servers. 
Probably not anyone reading a GPG mailing list, but I only mention it
because of the discussion of no-ip and DDNS stuff -- usually only tools
used by non-commercial, non professional entities.  I run into this a
lot with people who buy cheap camera systems for their homes, put it on
the same LAN as everything else in the house,  open up port 80 right
into their NVR, give the default NVR user an easy password, and then
proceed to run that thing for years without ever patching the NVR server.

There are so many IP6 addresses available that everyone in the world
could be given a trillion of them to use and it wouldn't make an
appreciable dent in the total left available.  I suspect in the future
your NAT gateway will live in the cloud and every device will have its
own static IP.

On 10/11/20 2:56 AM, John A. Leuenhagen via Gnupg-users wrote:
> On Sun, Oct 11, 2020 at 09:48:37AM +0200, Stefan Claas wrote:
>> John A. Leuenhagen via Gnupg-users wrote:
>>
>>> On Thu, Oct 08, 2020 at 12:27:24AM +0200, Stefan Claas wrote:
>>>> Regarding the Internet as of today and Al Gores vision and the Internet
>>>> commerce etc.
>>>>
>>>> I always wondered why it is not possible for me and probably many other
>>>> people to not get a *static* IPv6 address additionally when you sign up
>>>> as private individual at an ISP of your choice?
>>>>
>>>> People could use as usual still common IPv4 for their regular surfing etc.
>>>> but had then the ability, with a static IPv6 address to run their own
>>>> email server and other services from home with a little Raspberry Pi etc.,
>>>> without purchasing a VPS plan, thus one would only need to register a
>>>> domain of choice and the records management could also be done a) with
>>>> the Domain Registrar or your local ISP, instead of the VPS hosting provider.
>>> Certainly it would be preferable to have a static IPv6 address for that
>>> sort of thing, but it's still quite simple to run services from home by
>>> using dynamic DNS. I'm able to have ddclient run on my router, which
>>> will inform my DNS provider (Cloudflare) of any changes to my dynamic
>>> IPv4 address. Sure, during the occasional change to my address, my
>>> services might go down for a minute or two. For me at least, that's not
>>> the end of the world.
>> Well, yes and no. I run many years ago with a dynamic IP address services
>> too and had a domain with no-ip.com. But nowadays if you like to run a mail
>> server you will need a static IP address, because if it would be dynamic
>> you are considered as spammer, due to black listing of dynamic IP address
>> ranges.
> That is true, you definitely need a static IP address to run a mail
> server. For many other things though, I've managed to get by with a
> dynamic address.
>

-- 
-Ryan McGinnis
http://bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD




Re: Five volunteers needed (EU only please)

2020-10-06 Thread Ryan McGinnis via Gnupg-users
Sure, but you gotta admit that you’re an extreme edge case of a group of
users that are already kinda edge cases.  Most people have QR readers and
just don’t realize it.  Very few people would need this kind of offline
method anyhow, and those that would probably have much better spycraft than
we can dream up here, stuff far beyond putting RFIDs on postcards or QR
codes on traffic poles.  The size BTW is arbitrary and can be changed within
reason in software, but you want fairly high resolution if you plan to print
it.  300 ppi at 2K res would give you around 6 inches size printed.   A
1,000 by 1,000 file would make a nice 3x3 inch sticker or back of a
postcard.

-Ryan McGinnis
http://www.bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

On Tue, Oct 6, 2020 at 17:43, Stefan Claas <s...@300baud.de> wrote:

> Ryan McGinnis via Gnupg-users wrote:
>
> > Perhaps just use QR codes?  Easily scanned and imported by a digital
> > device.  Message size is limited, but probably enough.  If not, you can
> > maybe use multiple QR codes.  This reply, encrypted to you, is contained
> > in the linked QR below:
>
> Well, I currently have no QR-Code Software installed and I need to do then
> some test with your fairly large image (2000x2000 pixels in size, 72 dpi).
>
> Regards
> Stefan
>
> --
> NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
>   The computer helps us to solve problems, we did not have without him.





Re: Five volunteers needed (EU only please)

2020-10-06 Thread Ryan McGinnis via Gnupg-users
Yeah, though if you wanted to be sneaky-do you could encrypt a message,
put it on a QR sticker, slap the sticker on some traffic pole as a dead
drop, and let it hide in plain sight until your intended recipient came
by and snapped a shot of it.  My guess is that if the world ever gets to
the crazy point where people feel they need to send GPG messages through
non-electronic means, you're just as likely to get the rubber hose and
time-out-in-the-little-box treatment for sending paper mail to someone
with GPG'd QR codes or RFID tags as you are for sending GPG'd emails.

Some of this stuff is just silly, of course, we're nerds not spies, but
if you're going to dial the paranoia to 11 you may as well be consistent
about it. 

On 10/6/20 10:27 AM, Juergen Christoffel wrote:
> On Tue, Oct 06, 2020 at 04:49:15PM +0200, Stefan Claas wrote:
>
> Finally: using password protected NFC tags to carry encrypted content seems
> a bit of overkill or over engineering too. But one could read a tag without
> opening the letter that would be used to ship it, which obviously would be
> a bit harder with QR codes ...
>
>   --jc
>
> P.S. Last but not least, we could send QR codes via email! ;-0
>
> --
>   Never underestimate the bandwidth of a station wagon full of tapes hurtling down
>   the highway. -- Andrew S. Tanenbaum
>

-- 
-Ryan McGinnis
http://bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD




Re: Five volunteers needed (EU only please)

2020-10-06 Thread Ryan McGinnis via Gnupg-users
Perhaps just use QR codes?  Easily scanned and imported by a digital
device.  Message size is limited, but probably enough.  If not, you can
maybe use multiple QR codes.  This reply, encrypted to you, is contained
in the linked QR below:

https://imgur.com/a/JoPjgGH


On 10/5/20 10:37 AM, Stefan Claas wrote:
> Hi all,
>
> while I did some JAB-Code experiments with MMS, to send GnuPG messages with a dumb
> phone, I came up now with a new idea. :-)
>
> For that I need five people who are willing to share with me their postal address.
> You can send me your address GnuPG encrypted. I will not store your address on my
> computer and will delete your email, once I received it.
>
> My new idea is to send encrypted postcards or letters, with an NFC tag attached,
> containing a GnuPG clearsigned test message. I like to see if the postcards will
> arrive in proper condition, so that the NFC tags are still readable.
>
> What you will get from me:
>
> A postcard with Berlin photos on, an address sticker from me, containing the MacPGP
> 2.6.2 icon with the little secret agent and a valid international postal stamp with
> a photo from me on. If you are a stamp/postcard collector, you will agree that this
> is IMHO a collectors item. :-)
>
> Why I came up with this idea? Well I thought of a way to send private content digitally,
> without Internet usage, so that 3rd parties outside the EU have it difficult to intercept
> such messages, in order to protect EU businesses and to show the young generation that
> local postal services should be supported, in favor of a globally surveilled Internet.
>
> A standard NFC tag can't store that much data, but there are different types available
> and one can use also modern encryption software which gives you more encrypted payload.
>
> Once I received your address (first come first serve) I will prepare the postcards
> (hopefully tomorrow) and send them to you. It would be nice if participants would share
> their experience, so that other GnuPG users could learn from it.
>
> Please note, NFC tags can be used multiple times, so that for example Alice and Bob use
> only one NFC tag with their letters, they exchange and those NFC tags can also be destroyed
> with special* hardware devices or bought in a form that they get destroyed if someone tries
> to take them off, from the carrier medium.
>
> *https://nfckill.com/
>
> The consumer hardware device I purchased:
>
> https://www.nfc-tag-shop.de/en/nfc-hardware/147/acr1252u-nfc-forum-certified-reader/writer
>
> Software one can use on their Desktop:
>
> https://www.wakdev.com/en/apps/nfc-tools-pc-mac.html
>
> and for people, living in Germany, regarding postal stamps with photos:
>
> 
>
> Regards
> Stefan
>
> NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
>   The computer helps us to solve problems, we did not have without him.

-- 
-Ryan McGinnis
http://bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD




Re: how to suppress new "insecure passphrase" warning

2020-09-17 Thread Ryan McGinnis via Gnupg-users

Wonder if someone saw this email and uploaded it -- it shows up when I search!  :)

Best,

-Ryan McGinnis
http://www.bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

‐‐‐ Original Message ‐‐‐
On Thursday, September 17, 2020 10:25 AM, Martin  wrote:

> Hello Ryan,
>
> Thursday, September 17, 2020, 4:42:24 PM, you wrote:
>
> > -Ryan McGinnis
> > http://www.bigstormpicture.com
> > PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
>
> BTW your public key is not on keys.openpgp.org
>
> Best regards,
> Martin




Re: how to suppress new "insecure passphrase" warning

2020-09-17 Thread Ryan McGinnis via Gnupg-users
(BTW -- not to be pedantic, but if by "a few" words you mean "three", then you 
don't have a good passphrase -- six words is kinda minimum with diceware to get 
a decent amount of entropy)

-Ryan McGinnis
http://www.bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

‐‐‐ Original Message ‐‐‐
On Wednesday, September 16, 2020 5:03 PM, Alan Bram via Gnupg-users wrote:

> I have been using gnupg for a few years now, with no change in the way I
> invoke it. Recently (I guess my package manager updated to a new version:
> 2.2.23) it started injecting a warning about "insecure passphrase" and
> suggesting that I ought to include a digit or special character.
>
> I don't want to do that. I have a strong passphrase that was generated via
> Diceware. It's simply a few words made of plain letters; but it's long
> enough, and totally random. Stronger than a short, lame password that someone
> simply appends a "1" to.
>
> Is there a way to suppress the annoying warning?


RE: On Becky! Internet Mail's GnuPG Plugin

2020-09-08 Thread Ryan McGinnis via Gnupg-users

Unless you live in North Korea or something there are always ways around SIM 
registration laws, though they get expensive depending on where you live.  If 
you have a trusted US contact you can just have them grab you a bunch of Mint 
Mobile SIMs and have them cooperate with sending you the OTP codes during 
signups, for example.  Or if you are a man of many quatloos, you can fly to the 
U.S. and do the trick here yourself and then fly back home and use the 
accounts.  Once you sign up you change the OTP recovery phone number to a VOIP 
number you control (you'd need to purchase this VOIP number anonymously too, 
there are plenty of ways to do that like MySudo, Twillio, etc).   But unless 
you're doing some really hinky-dinky stuff like investigating organized 
criminals or sending the Guardian classified videos of drone strikes on baby 
kittens, this is mega overkill.  

Using XP is madness, IMO.  If you're that into rolling your own system why in 
the heck wouldn't you be petting the penguin?  I mean, why would you use a 
fully configurable open source OS or a fully audited secure distro based on 
said open source OS when you could instead use an obsolete proprietary OS 
that's had no security patches in over half a decade?  I wouldn't even trust XP 
for airgapping.  If the baddies were really after you I'm sure they'd find 
whatever you've done to harden your XP boxen super amusing.   They might even 
send each other screenshots of your setup over Signal while making funny 
comments.  


-Original Message-
From: Gnupg-users  On Behalf Of Dieter Frye
Sent: Tuesday, September 8, 2020 3:33 PM
To: gnupg-users@gnupg.org
Subject: On Becky! Internet Mail's GnuPG Plugin


> A.  Yes, you can still anonymously register for almost anything.  It's 
> not straightforward and requires a bit of forethought and jumping 
> through hoops.
>
Not even close. Only a prepaid phone will do, which are not available where I 
live, and even if they were, I'd still be required to show some form of ID in 
order to get it, which defeats the whole purpose of getting one in the first 
place.

> No, it probably won't defeat the NSA, but if they're your adversary 
> what in blue blazes are you doing using any kind of electronic device 
> let alone posting here.
>
In the world we live in right now, a comment someone pretends to be offended by 
will get you jail time. It's that bad. I'm not being singled out by the NSA or 
anything, and that in part due to the fact that there's absolutely not a trace 
of anything on the internet that can be linked back to my real identity. I 
arduously cultivated my anonymity from the get go so to be able to operate 
freely in the shadows, and it's now paying off in the form of relative 
tranquility as I stand untouched in the midst of this cruel, worldwide 
socialist takeover.

> B. The Shadowgate documentary isn’t.  This is Coo-Coo for CocoaPuffs 
> territory.  If you want to believe that stuff that's cool, just 
> thought I'd make sure to stick the tinfoil tag on this one since you 
> speak of it like it's a legit thing.
> https://www.usatoday.com/story/news/factcheck/2020/08/18/fact-check-sh
> adowgate-spreads-misinformation-major-events/5601742002/
>
There's nothing in that article that even begins to disprove anything the 
ShadowGate documentary addressed; literally not one thing. Just a bunch of 
NPC's running their mouths spewing the same old tired lies and slander, which's 
standard practice for fake news socialist outlets anyways.

Just don't let others do the thinking for you.

> C.  Replying to person you were replying to -- how pants on head 
> stupid does one have to be to use Tor browser (or any type of security 
> critical
> software) on XP?  If you think that's a good idea then you shouldn't 
> be using Tor.
>
The TOR Browser is an accident waiting to happen irrespective of the system 
it's running on. XP is secure to the extent that you know how to make it 
secure, and that goes for any operating system flexible enough for the task.

> D: If you really need secure anonymous email, fire up TAILS on a 
> bootable DVD
>
There's no value in doing that since there's nothing I need to perform securely 
that XP will not cooperate with, and besides all this, you do NOT want to 
blindly capitulate your security to any AIO "solution" like Tails, specially in 
light of its flaws. You're much better off acquiring an adequate understanding 
of whatever OS you're running and make the necessary changes as you go.

Of course there's a limit to that, and certain OS' are plainly and simply way 
too compromised and stiff for any privacy-related work, but XP is far from 
being one of them.

>, sign up for a free Protonmail account over Tor, use a burner prepaid 
>phone number to authenticate to Protonmail (Protonmail correctly gets 
>worried about Tor signups), access Protonmail only over Tor (they have 
>a  hidden service).
>
Not possible as explained above, and quite frankly Protonmail is one 

RE: On Becky! Internet Mail's GnuPG Plugin

2020-09-08 Thread Ryan McGinnis via Gnupg-users
A.  Yes, you can still anonymously register for almost anything.  It's not 
straightforward and requires a bit of forethought and jumping through hoops.  
No, it probably won't defeat the NSA, but if they're your adversary what in 
blue blazes are you doing using any kind of electronic device let alone posting 
here.  

B. The Shadowgate documentary isn’t.  This is Coo-Coo for CocoaPuffs territory. 
 If you want to believe that stuff that's cool, just thought I'd make sure to 
stick the tinfoil tag on this one since you speak of it like it's a legit 
thing.  
https://www.usatoday.com/story/news/factcheck/2020/08/18/fact-check-shadowgate-spreads-misinformation-major-events/5601742002/

C.  Replying to person you were replying to -- how pants on head stupid does 
one have to be to use Tor browser (or any type of security critical software) 
on XP?  If you think that's a good idea then you shouldn't be using Tor.  
Either you don't need Tor and using Tor is silly for you, or you do need Tor 
and you're going to hurt yourself bad by having not the slightest clue how to 
use Tor safely.   

D: If you really need secure anonymous email, fire up TAILS on a bootable DVD, 
sign up for a free Protonmail account over Tor, use a burner prepaid phone 
number to authenticate to Protonmail (Protonmail correctly gets worried about 
Tor signups), access Protonmail only over Tor (they have a hidden service).  If 
that's not good enough to circumvent your adversaries, again, you should 
probably just move up into the remote Alaskan wilderness and live off wild 
animals and shrubbery for the rest of your life and hope the bad men never find 
you.  

-Original Message-
From: Gnupg-users  On Behalf Of Dieter Frye
Sent: Monday, September 7, 2020 6:58 AM
To: gnupg-users@gnupg.org
Subject: On Becky! Internet Mail's GnuPG Plugin


> Hi,

> curious as I am, If I understand it right, you use Windows XP with 
> Becky as MUA for GnuPG or would like to use it with the lastest 
> version of GnuPG?

Howdy.

So yes, I'm using Becky! as a MUA + an outdated GnuPG plugin on Windows XP, but 
functionality is somewhat crippled for anything other than GnuPG v1.4.

> Your posting is done via secmail.pro, a Tor email provider, which 
> requires AFAIK Tor Browser Bundle to access the service.

> My question, if you don't mind, does the lastest Tor Browser Bundle 
> still supports Windows XP and how do you use Becky with secmail.pro?

Nope, they dropped support for XP (specifically the browser part) a while ago, 
which thing never really affected me since I use a third party browser which I 
interface with the "expert bundle" exe that they continue to distribute. Of 
course, that's a gross oversimplification of what's actually going on this 
computer, but you catch my drift.

As far as secmail.pro is concerned, it's not possible to use it with Becky! 
because there's no server-side support for SMTP, POP3 or IMAP, so I'm writing 
directly from secmail's web interface.

Unfortunately since practically every single internet service in existence (be 
it mail, fora or otherwise) has been in bed with the worldwide private data 
collection operation going on right now (look up PRISM and the ShadowGate 
documentary) it's no longer possible (and so it's been for nearly a decade now) 
to anonymously register any type of account anywhere, meaning I'm technically 
shunned from the Internet and it's nothing short of a miracle that I'm able to 
post here at all. I'm actually shocked this place hasn't been hijacked by 
vpn-hating cloudflare and the google captcha nazis because that's true 
everywhere else.

Currently I use another free, anonymous e-mail service called TorBox which does 
have SMTP/POP3 support for everyday communications, though that's only viable 
for people operating within the TOR network as it's got no clearweb support 
unlike secmail itself, which at the end of the day is kind of a useless thing 
anyways given its blacklisted status (and that completely without 
justification) among most every big and small e-mail provider out there.



Re: In case you use OpenPGP on a smartphone ...

2020-08-21 Thread Ryan McGinnis via Gnupg-users
Calling that a documentary is like me tattooing angel wings on my back
and trying to pass as an attack helicopter.

On 8/20/20 10:23 AM, Stefan Claas wrote:
> Robert J. Hansen wrote:
>
>>> Sorry for being now probably completely off-topic, but when it comes to informations we find
>>> on the Internet and/or are discussing if videos or informations are faked, or some people
>>> like to guide us in wrong directions, I would highly recommend to watch Millie Weaver's
>>> 'Shadow Gate' documentary, which was released a couple of days ago and is already banned
>>> on YouTube and Facebook.
>> Stefan, I'm not a list moderator and I have absolutely zero authority to
>> say this, but I'm going to say it anyway:
>>
>> Please take this stuff elsewhere.
>>
>> You're linking to a conspiracy theory video alleging a... look, I'm not
>> going to give these people credibility even by *summarizing* it.  It
>> should be enough to say that InfoWars is backing it.
>>
>> It has no connection to fact or even reality, and even less than no
>> connection to GnuPG or communications security.
>>
>> Please, I'm begging you: take it elsewhere.  It doesn't belong here.
>>
>> https://www.usatoday.com/story/news/factcheck/2020/08/18/fact-check-shadowgate-spreads-misinformation-major-events/5601742002/
> Hi Robert,
>
> at least you may agree that Millie's documentary shows viewers that since a long time private contractors
> play an important role for Intelligence Agencies.
>
> 
>
> Regards
> Stefan

-- 
-Ryan McGinnis
http://bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD




Re: In case you use OpenPGP on a smartphone ...

2020-08-21 Thread Ryan McGinnis via Gnupg-users
Generally when something is "banned from Youtube" and the reason for the
ban wasn't that it was outright pornography, copyrighted content, or
illegal content, you can rest assured that the "banned video" is some
Grade A Prime Whackadoo McCrazy Bullshit and that you will become dumber
if you watch it. 

On 8/19/20 9:31 AM, Stefan Claas wrote:
> Stefan Claas wrote:
>
>> ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users wrote:
>>
>>> Isn't the NSO group Israeli, not Russian as claimed in the video? 
>>> https://en.wikipedia.org/wiki/NSO_Group
>> Yes, as understood. I think it really doesn't matter where Pegasus does come from.
> Sorry for being now probably completely off-topic, but when it comes to informations we find
> on the Internet and/or are discussing if videos or informations are faked, or some people
> like to guide us in wrong directions, I would highly recommend to watch Millie Weaver's
> 'Shadow Gate' documentary, which was released a couple of days ago and is already banned
> on YouTube and Facebook.
>
> https://banned.video/watch?id=5f37fcc2df77c4044ee2eb03
>
> Regards
> Stefan

-- 
-Ryan McGinnis
http://bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD




Re: In case you use OpenPGP on a smartphone ...

2020-08-12 Thread Ryan McGinnis via Gnupg-users
The reasons to abandon PGP for secure communications have been accepted in the security community for years.  Here’s one security researcher explaining why (there are many others out there with similar sentiments): https://arstechnica.com/information-technology/2016/12/op-ed-im-giving-up-on-pgp/

-Ryan McGinnis
http://www.bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

Sent from ProtonMail Mobile

On Wed, Aug 12, 2020 at 13:07, Felix <fe...@audiofair.de> wrote:
> I'm not sure that there are solutions orders of magnitude more
> secure that are available readily.
> Also people tend to get emails on the go as well that might be
> encrypted. It's convenient to decrypt emails on a smartphone and
> not really that insecure if you're using an external device for
> actual keystorage (such as a Yubikey).
> I don't actually see what's so silly about the whole thing.
>
> On 2020-08-12 18:57, Ryan McGinnis via Gnupg-users wrote:
>
>> Well yes I realize that it exists, what I'm saying is why would anyone
>> use it for secure communications on a smartphone when there are
>> solutions orders of magnitude more secure and simple to use.  It'd be
>> like buying a helicopter but deciding you'd still fly only 2 feet off
>> the ground and stick to paved roads.
>>
>> On 8/12/20 11:46 AM, Stefan Claas wrote:
>>
>>> Ryan McGinnis via Gnupg-users wrote:
>>>
>>>> I guess the real question is: what are people using PGP for on mobile
>>>> devices?  If it's for communication, that's silly.  There are at least a
>>>> half dozen far, far, far better ways to securely communicate on a
>>>> smartphone.
>>>
>>> Well, it is listed by the OpenPGP experts:
>>>
>>> https://www.openpgp.org/software/openkeychain/
>>>
>>> Regards
>>> Stefan
>>>
>>> --
>>> my 'hidden' service gopherhole:
>>> gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ...

2020-08-12 Thread Ryan McGinnis via Gnupg-users
Well, more like celebrities (and other types) hire him to keep their personal lives and information from being easily found.  He also helps stalking victims disappear.  I believe he’s former FBI. He prefers the old iPhone SE. At one time you used to be able to buy them anonymously with cash, which made them pretty hard to trace. I think he prefers a secure smartphone because he feels one should never use your real phone number for anything, which means using a VOIP app for all calls and texts.  For mobile service he goes with Mint mobile.  Which, BTW you can buy cheap 2 week “trial” SIM cards from with cash that will work as a non-VoIP 2FA account verification method.  Meaning you can sign up for sites and services without disclosing any personally identifying information whatsoever.

-Ryan McGinnis
http://www.bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

Sent from ProtonMail Mobile

On Wed, Aug 12, 2020 at 11:57, Stefan Claas <s...@300baud.de> wrote:
> Ryan McGinnis via Gnupg-users wrote:
>
>> If you don't want to be location tracked on a mobile device you just
>> power it off and put it in a Faraday bag when not in use.
>> https://silent-pocket.com/
>
> Yup, still waiting for my Faraday bags, which I won from the Nym project giveaway.
>
>> If you want to deep dive into this sort of thing (it's a really deep
>> lake), give this book a read:
>>
>> https://www.amazon.com/gp/product/B0898YGR58/ref=dbs_a_def_rwt_hsch_vapi_taft_p1_i0
>
> Thanks for the info! According to the Amazon info he teaches celebrities.
> I read an article yesterday that a lot of celebrities prefer dumb phones over smartphones.
>
> Regards
> Stefan
>
> --
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ...

2020-08-12 Thread Ryan McGinnis via Gnupg-users
Well yes I realize that it exists, what I'm saying is why would anyone
use it for secure communications on a smartphone when there are
solutions orders of magnitude more secure and simple to use.  It'd be
like buying a helicopter but deciding you'd still fly only 2 feet off
the ground and stick to paved roads. 



On 8/12/20 11:46 AM, Stefan Claas wrote:
> Ryan McGinnis via Gnupg-users wrote:
>
>> I guess the real question is: what are people using PGP for on mobile
>> devices?  If it's for communication, that's silly.  There are at least a
>> half dozen far, far, far better ways to securely communicate on a
>> smartphone. 
> Well, it is listed by the OpenPGP experts:
>
> https://www.openpgp.org/software/openkeychain/
>
> Regards
> Stefan
>
> --
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion

-- 
-Ryan McGinnis
http://bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD




Re: In case you use OpenPGP on a smartphone ...

2020-08-12 Thread Ryan McGinnis via Gnupg-users
I presume the goal of people (who know what they are doing) going
through all these inconvenient steps isn't to build the perfect
impenetrable fortress of security (which doesn't exist) but rather to
make it more difficult or expensive to circumvent from the threat
actor's perspective, hopefully to the point where it's not worth it.  An
iOS 0day used to run over a million buckaroos on the open market (it's
cheaper now, Apple's security has flagged a bit in recent years) so it's
not something Script-Kiddie McHighschoolKid is going to use to try to
get at your filthy nudes.  But I wouldn't run the SCADA control
interface of my highly controversial uranium centrifuge farm on my
iPhone, because spending a million buckaroos is like dropping a penny in
a pond for the kinds of actors who'd be interested in that sort of thing. 

If you're trying to defeat the amorous advances of the NSA and you don't
have the support and training of an entire nation's intelligence agency
behind you, just accept that you've already lost.  Also, don't post
here, anyone the NSA is actively interested in lives a life way too
interesting to be self-owning any kind of OSINT about themselves in
public. 

For the average bloke, owning an iPhone with a strong passcode and using
Signal or Wire to communicate is going to give them some of the best
hardware and communications security money can buy. 
 
On 8/11/20 3:58 PM, Johan Wevers wrote:
> On 11-08-2020 21:49, vedaal via Gnupg-users wrote:
>
>> There is already a simple existing solution.
> Simple is not how I see this.
>
>> [1]  Encrypt and decrypt on a computer that has internet hardware disabled.
>> [2] Use an Orbic Journey V  phone that gets and sends *only text*
> [3] Use a microsd expansion card on the Orbic phone
> The Iranians thought this too. And then someone invents Stuxnet-like
> attack software.
>
> --
> ir. J.C.A. Wevers
> PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

-- 
-Ryan McGinnis
http://bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD




Re: In case you use OpenPGP on a smartphone ...

2020-08-12 Thread Ryan McGinnis via Gnupg-users
If you don't want to be location tracked on a mobile device you just
power it off and put it in a Faraday bag when not in use. 
https://silent-pocket.com/

If you want to deep dive into this sort of thing (it's a really deep
lake), give this book a read: 

https://www.amazon.com/gp/product/B0898YGR58/ref=dbs_a_def_rwt_hsch_vapi_taft_p1_i0


On 8/11/20 3:32 AM, Stefan Claas wrote:
> Matthias Apitz wrote:
>
>> On Monday, August 10, 2020 at 09:07:51 +0200, Stefan Claas wrote:
>>
>>>> One can use a Linux mobile phone running UBports.com (as I and all my family do)
>>>> or the upcoming Puri.sm L5 (as I pre-ordered in October 2017).
>>> Yes, people gave me already (not from here of course) good advice for other OSs
>>> which one can use. The question is how long will those OSs been unaffected ...
>> The kernel and all apps are OpenSource i.e. people can (and do) read the
>> sources. It's impossible to build in backdoors. The attack could come
>> through the firmware in the chips (which are not OpenSource). For this
>> the Puri.sm L5 (and the laptops they make also) have 3 hardware keys to
>> poweroff WiFi, Cellular, Microphone/Cameras (all 3 will turn off GPS).
>>
>> The authorities can not track you. See:
>>
>> https://puri.sm/products/librem-5/
> Thanks for the information! While it is a nice product, according to their web site,
> they say they run Gnu/Linux. Do you think that Gnu/Linux can't be hacked? Or better
> said, should we all (those who use encryption software often) still use it directly
> on online devices?
>
> Regards
> Stefan
>
> --
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion

-- 
-Ryan McGinnis
http://bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD




Re: In case you use OpenPGP on a smartphone ...

2020-08-12 Thread Ryan McGinnis via Gnupg-users
I guess the real question is: what are people using PGP for on mobile
devices?  If it's for communication, that's silly.  There are at least a
half dozen far, far, far better ways to securely communicate on a
smartphone. 

Also -- unless you are steeped in the security industry and run a
hardened OS, your laptop is likely as vulnerable if not more vulnerable
to the kinds of state level actors deploying this kind of mobile
malware.  The best mobile devices are far less vulnerable than typically
configured PCs.  An iPad is likely orders of magnitude more secure than
using a laptop with a typical consumer OS (Windows, Ubuntu, etc).  Both
can be compromised but the iPad, if kept up to date, is going to be a
much more expensive target. 

The people of the world with Snowden-level paranoia (at least the ones
not tied to some nation's security service) are using air-gapped
internet-virgin hardware to communicate.  For everyone else, a locked
down (location services off, iCloud account off, always-on VPN, kept in
faraday bag when not in use) iPhone/iPad is as close as they're going to
get to real privacy/security. 

On 8/10/20 10:49 AM, Stefan Claas wrote:
> Michał Górny wrote:
>
> [...]
>
>> Why use PGP on your phone if you carry a whole laptop with you anyway?
> Good question. There is software for Android available called OpenKeyChain,
> which as understood is the de facto standard for Android smartphone users,
> in combination with a MUA for Android.
>
> The question IMHO now is what should mobile device users do now? I showed
> a solution, assuming those users have an offline laptop too, which then
> would allow them to comfortably and securely create their messages.
>
> Not all people can purchase now a new smartphone with a more secure OpenSource
> OS and new SIM, I assume.
>
> I also do not know if it is common if people use an (compromised?) online
> laptop, as a smartphone, when on the road.
>
> Regards
> Stefan
>
> --
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion

-- 
-Ryan McGinnis
http://bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD




Re: Traveling without a secret key

2020-07-08 Thread Ryan McGinnis via Gnupg-users
The thing is, if you can't remember a string of random words, are you likely to 
remember a string of 20 random letters, numbers, and characters?  Generally, if 
your non-randomly-generated password is easy for you to remember, it's also 
easy for a computer to guess.  Diceware is the attempt to make something easy 
as possible to remember while still being truly high-entropy.  If you're really 
paranoid you don't use the javascript program to generate your random phrases, 
you buy an EFF book and roll some casino dice.  The entropy comes from the dice 
and so is verifiable.  


Probably the best PGP key passphrase would be to have some sort of high 
security locally stored password manager like KeepassXC, encrypt that password 
database with a good long diceware passphrase that you train yourself to 
remember, and then have that program generate some random 30 or 40 character 
gibberish passwords to copypasta into PGP when it asks.  While you're at it, 
use that to create different random passwords for every site and service you 
use.


-Ryan McGinnis
http://www.bigstormpicture.com
Sent via ProtonMail

‐‐‐ Original Message ‐‐‐
On Wednesday, July 8, 2020 2:40 PM, Stefan Claas  wrote:

> Ryan McGinnis via Gnupg-users wrote:
>
> > Went to a security seminar where I asked a random FBI agent after a presentation about passwords; he said just to get into
> > their personal terminals it was something like 17 characters minimum and that the passwords were randomly generated letters
> > and numbers and symbols and that they were changed fairly often. If you're trying to protect something from offline brute
> > forcing and the password is the weak point, you're probably best off coming up with a really long randomly generated diceware
> > phrase (7 words ought to be safe) https://www.rempe.us/diceware/#eff.
>
> Thanks for the info! Regarding diceware, I looked into it long ago, but must admit I am not good at remembering many word
> sequences, for many strong passwords, even if diceware words are easy ones.
>
> Regards
> Stefan
>
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion




Re: Traveling without a secret key

2020-07-08 Thread Ryan McGinnis via Gnupg-users
Went to a security seminar where I asked a random FBI agent after a 
presentation about passwords; he said just to get into their personal terminals 
it was something like 17 characters minimum and that the passwords were 
randomly generated letters and numbers and symbols and that they were changed 
fairly often.  If you're trying to protect something from offline brute forcing 
and the password is the weak point, you're probably best off coming up with a 
really long randomly generated diceware phrase (7 words ought to be safe) 
https://www.rempe.us/diceware/#eff.

I always figure that if you upset a nation-state enough that they're willing to 
throw their supercomputers at you to get at your goodies, they'll likely just 
tie you up and brute force your body until they get what they need.

-Ryan McGinnis
http://www.bigstormpicture.com
Sent via ProtonMail

‐‐‐ Original Message ‐‐‐
On Wednesday, July 8, 2020 11:36 AM, Stefan Claas  wrote:

> Ryan McGinnis via Gnupg-users wrote:
>
> > Six years ago Snowden said to assume the NSA can try roughly 1 Trillion
> > passwords per second. I imagine it's significantly more by now.
>
> Holy cow! That raises then probably one more question, i.e. the required
> minimum length for a strong password nowadays.
>
> Regards
> Stefan
>
> --
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion




Re: Traveling without a secret key

2020-07-08 Thread Ryan McGinnis via Gnupg-users
Six years ago Snowden said to assume the NSA can try roughly 1 Trillion 
passwords per second.  I imagine it's significantly more by now.  



-Ryan McGinnis
http://www.bigstormpicture.com
Sent via ProtonMail

‐‐‐ Original Message ‐‐‐
On Wednesday, July 8, 2020 6:33 AM, Stefan Claas  wrote:

> Andrew Gallagher wrote:

> Do they store the information, like I do with my humble approach? I have read 
> years ago that for example
> the NSA is capable of searching for seven billion passwords per second.
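
Added example (not part of the original thread): the figures from the three "Traveling without a secret key" messages above, worked through in Python. It compares a 7-word diceware phrase with 17- and 20-character random passwords at the guess rates quoted in the thread, and shows how five physical dice rolls select a wordlist entry; the 95-symbol printable-ASCII alphabet and the 1000-year target are assumptions of this example.

```python
"""Added example: passphrase search space vs. the guess rates quoted in the thread."""
import math

EFF_LIST_SIZE = 6 ** 5          # 7776 words: one word per five dice rolls
PRINTABLE_ASCII = 95            # assumption: letters, digits, symbols and space
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Guess rates as quoted in the thread (both are the posters' figures).
RATE_SEVEN_BILLION = 7e9        # "seven billion passwords per second"
RATE_ONE_TRILLION = 1e12        # "roughly 1 Trillion passwords per second"


def entropy_bits(symbols: int, length: int) -> float:
    """Bits of entropy of `length` symbols drawn uniformly and independently."""
    return length * math.log2(symbols)


def years_to_search(bits: float, guesses_per_second: float) -> float:
    """Average years to hit the secret: half the space at the given rate."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def min_length(symbols: int, guesses_per_second: float, years: float) -> int:
    """Smallest length whose average search time is at least `years`."""
    needed_bits = math.log2(guesses_per_second * SECONDS_PER_YEAR * years) + 1
    return math.ceil(needed_bits / math.log2(symbols))


def rolls_to_index(rolls: str) -> int:
    """Map five physical dice rolls such as '43146' to a 0-based word index.

    Each roll is one base-6 digit, so five rolls pick one of 7776 entries
    uniformly, with no software random number generator involved.
    """
    if len(rolls) != 5 or any(c not in "123456" for c in rolls):
        raise ValueError("expected exactly five digits in the range 1-6")
    index = 0
    for c in rolls:
        index = index * 6 + (int(c) - 1)
    return index


def report(rate: float = RATE_ONE_TRILLION):
    """Return (name, bits, average years) for the candidates from the thread."""
    candidates = [
        ("7-word diceware phrase", EFF_LIST_SIZE, 7),
        ("17 random printable chars", PRINTABLE_ASCII, 17),
        ("20 random printable chars", PRINTABLE_ASCII, 20),
        ("8 random printable chars", PRINTABLE_ASCII, 8),   # short, for contrast
    ]
    rows = []
    for name, symbols, length in candidates:
        bits = entropy_bits(symbols, length)
        rows.append((name, round(bits, 1), years_to_search(bits, rate)))
    return rows


if __name__ == "__main__":
    for rate in (RATE_SEVEN_BILLION, RATE_ONE_TRILLION):
        print(f"--- {rate:.0e} guesses per second ---")
        for name, bits, years in report(rate):
            print(f"{name:28s} {bits:6.1f} bits  ~{years:.3g} years on average")
    print("diceware words for a 1000-year average at 1e12/s:",
          min_length(EFF_LIST_SIZE, RATE_ONE_TRILLION, 1000))
    print("random chars for a 1000-year average at 1e12/s:",
          min_length(PRINTABLE_ASCII, RATE_ONE_TRILLION, 1000))
```

The numbers only hold for secrets chosen uniformly at random, which is the point made in the thread about dice versus human-chosen passwords.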



Re: Comparison of RSA vs elliptical keys

2020-05-20 Thread Ryan McGinnis via Gnupg-users
Interestingly enough, this breaks the Thunderbird/Protonmail integration, so 
your message just shows up as the raw PGP blob that Protonmail is pushing to 
the Protonmail client.  It returns the error 


" Decryption error
Decryption of this message's encrypted content failed.

openpgp: unsupported feature: nested signatures
"


-Ryan McGinnis
http://www.bigstormpicture.com
Sent via ProtonMail

‐‐‐ Original Message ‐‐‐
On Wednesday, May 20, 2020 12:18 PM, MFPA via Gnupg-users 
 wrote:

> Hi
>
> On Saturday 16 May 2020 at 9:49:55 PM, in
> mid:20200516224955.5826@300baud.de, Stefan Claas wrote:-
>
> > out of curiosity, you signed the reply with two sub
> > keys,
>
> The RSA signature is for the benefit of recipients who can't handle
> ECC keys/signatures. Probably not needed anymore.
>
> > the hash algo
> > used?
>
> I'm hopefully using SHA512.
>
> --
> Best regards
>
> MFPA mailto:2017-r3sgs86x8e-lists-gro...@riseup.net
>
> Ballerinas are always on their toes. We need taller ballerinas!




Re: How to improve our GUIs (was: We have GOT TO make things simpler)

2019-10-30 Thread Ryan McGinnis via Gnupg-users
I might be missing something really obvious here but... what is this
trying to protect against?  It's not protecting against interception in
transit, since the message already transits the internet either in
cleartext or encrypted via TLS that your email service provider can
definitely read.  So if your goal is to protect the privacy of your
email in transit, then this doesn't seem to do anything; if your goal is
to protect the privacy of your email from your service provider snooping
it, then this doesn't seem to do anything.  Your service provider can
certainly (and probably does certainly) retain archive or backup copies
of all emails that enter into and exit your account, so encrypting them
after reception only means that the copy you are accessing is encrypted
and non-accessible to the provider, but the copy that they archived or
backed up is just as plaintext as always (or is, more likely, encrypted
with a key that only they know). 

The only time encrypting your email storage with a key only you have
makes sense is if your provider pinkie promises to not store or archive
anything on their servers other than what you see live in your email
inbox.  Or, for example, if it's something like Protonmail does, which
is never store anything on their servers that isn't encrypted with the
user's private key that they don't have, so even their backups are
something they can't access the plaintext from.  And even then you are
relying on their pinkie-promise that they are doing this, it is not E2E
unless you are sending messages to and from Protonmail users or you are
PGP encrypting messages before they leave or arrive at the service.  
And E2E is really the only solution that keeps your email provably
private from all parties concerned other than the recipients. 

On 10/29/2019 7:33 PM, raf via Gnupg-users wrote:
> Hi,
>
> Sorry if this was mentioned before but I've just come
> across a novel approach to email encryption that
> doesn't do end-to-end encryption, but rather it
> encrypts email upon receipt so that an individual can
> encrypt the email that is stored in their IMAP account
> as it arrives without the need for every sender to
> encrypt and without the need for any service provider's
> involvement (you just need an IMAP account), and it
> supports reading email from multiple devices, each with
> their own local private key. Most importantly, it
> doesn't require the user to know anything about
> encryption except that they want some.
>
> It might not address all threats but it certainly seems
> to solve some very real threats, mainly the threat of
> someone hacking into your IMAP account and accessing
> every email you ever received.
>
>   Making It Easier to Encrypt Your Emails
>   Authors: John S. Koh, Steven M. Bellovin, and Jason Nieh
>   https://www.usenix.org/publications/login/fall2019/koh [paywall, usenix]
>
>   Why Joanie Can Encrypt: Easy Email Encryption with Easy Key Management
>   EuroSys '19 Proceedings of the Fourteenth EuroSys Conference 2019
>   Authors: John S. Koh, Steven M. Bellovin, Jason Nieh
>   https://doi.org/10.1145/3302424.3303980 [paywall, acm]
>   http://nieh.net/pubs/eurosys2019_e3.pdf [free]
>
>   Easy Email Encryption with Easy Key Management
>   Authors: John S. Koh, Steven M. Bellovin, Jason Nieh
>   https://mice.cs.columbia.edu/getTechreport.php?techreportID=1639 [free]
>
>   Automatically and invisibly encrypt email as soon as it is received on any 
> trusted device
>   https://www.helpnetsecurity.com/2019/04/01/easy-email-encryption/ [free]
>
> I know this doesn't help with the discussion of
> improving GUIs to make it easier to encrypt emails that
> you want to send, but it looks like a promising
> improvement in privacy that could help many more people
> than just those that want to encrypt emails that they
> send. And it's still relevant. I expect that those that
> want to encrypt any emails that they send might also
> like all the emails that they receive to be encrypted
> as well.
>
> cheers,
> raf
>
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

-- 
-Ryan McGinnis
https://bigstormpicture.com
Sent via ProtonMail





Re: PGP Key Poisoner

2019-08-12 Thread Ryan McGinnis via Gnupg-users
Yes, ironically, this proof of concept is the responsible way to demonstrate 
the issue (after a sufficient waiting period following a private disclosure to 
the developers), rather than, say, demonstrating the issue by spitefully 
poisoning the keys of a few prominent people in the GPG community.  The “if 
nobody talks about it and it remains obscure then it is not an issue” is 
something you would expect from a Mickey Mouse outfit that has no real 
understanding of security, not from a software development community that is 
essentially creating platforms focused on gold-standard security applications 
that underpin a lot of development infrastructure.

Just my two cents *ploink ploink*

-Ryan McGinnis
https://bigstormpicture.com
https://keybase.io/digicana
Sent via ProtonMail

On Mon, Aug 12, 2019 at 09:54, Stefan Claas  wrote:

> Juergen Bruckner via Gnupg-users wrote:
>
> > That's pretty interesting, but the author also says he did this as showcase.
> > Nonetheless, it's not really good to have such a tool "in the wild", and
> > even on a platform like GitHub
>
> AFAIK it is common practice to publish PoCs to help program authors to improve
> or quickly fix their open source security software. Otherwise long standing
> issues may have been never fixed.
>
> Regards
> Stefan
>
> --
> box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
> GPG: C93E252DFB3B4DB7EAEB846AD8D464B35E12AB77 (avail. on Hagrid, WKD)
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Forbes article: The Encryption Debate Is Over - Dead At The Hands Of Facebook

2019-07-31 Thread Ryan McGinnis via Gnupg-users
In my personal opinion, Facebook has earned their reputation.  Their stance 
towards privacy has always publicly been "Uhh, what?  Privacy?  Uh, yeah... 
we love privacy!" while they fill their platform with dark patterns and extract 
every last bit of usable data you give them into something they can monetize.  
They were selling the 2FA phone numbers people would supply for increased login 
security to advertisers for Pete's sake.  Sometimes that giant space station 
that looks like a moon with that thing that looks suspiciously like a janky 
planet-busting laser slapped to the side of it really is something to worry 
about.

I do agree you can say this about any platform, but I don't agree that they're 
all equally suspicious.  Apple *could* be secretly building a data empire out 
of their users, but the way they've structured their business plans, the way 
they market, the way they continually design their devices with security and 
privacy not just in mind but as a top priority... it's doubtful that they're 
secretly the bad guys.  Possible, sure, but if you're going to pick a closed 
source hardware/software platform, you could do waaay worse.  

-Ryan McGinnis
https://bigstormpicture.com
https://keybase.io/digicana
Sent via ProtonMail

‐‐‐ Original Message ‐‐‐
On Wednesday, July 31, 2019 11:40 AM, Maksim Fomin via Gnupg-users 
 wrote:

> ‐‐‐ Original Message ‐‐‐
> On Wednesday, 31 July 2019, 17:36, Ryan McGinnis via Gnupg-users wrote:
>
> > Kicking the can down to the endpoints -- but really, haven't you always had
> > to trust your app / OS? Unless you coded or audited it yourself from top to
> > bottom and built your own hardware (hah), there is always a level of trust
> > required in the code/device.  Trusting Facebook seems... unwise.  But not
> > everyone is churning out industrial grade evil like Facebook.
> >
> > https://www.forbes.com/sites/kalevleetaru/2019/07/26/the-encryption-debate-is-over-dead-at-the-hands-of-facebook/#55ac36aa5362
> >
> > -Ryan McGinnis
> > https://bigstormpicture.com
> > PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
> > https://keybase.io/digicana
> > Sent via ProtonMail
>
> Facebook receives disproportionally high criticism in recent years not
> because of technical reasons but because of politics. The wave of attacks on
> Facebook began after 2016 US election. Initially it was like "fake news in
> facebook helped one candidate to win" and the idea was to allow journalists
> of big media companies to mark information in facebook as "fake" and probably
> delete. Later the attack has spread in all directions. Nowadays everyone
> tries to punch Facebook in order to look smart.
>
> Regarding technical reasons. The author argues that if devices are
> compromised, then encrypted communication between them is too. But this is
> not a surprise, it has always been. July 2019 in this aspect is not different
> from January 2019, or 2017, or 2007. In addition, not only Facebook, but
> other big tech firms (Microsoft, Apple, Twitter and so on) can download
> unencrypted data from user device for analysis before encryption. As an
> exercise, one can replace "Facebook" in that article with "Apple", the bias
> will be more evident.

publickey - ryan@digicana.com - 0x5C738727.asc
Description: application/pgp-keys




Forbes article: The Encryption Debate Is Over - Dead At The Hands Of Facebook

2019-07-31 Thread Ryan McGinnis via Gnupg-users
Kicking the can down to the endpoints -- but really, haven't you always had to 
trust your app / OS? Unless you coded or audited it yourself from top to bottom 
and built your own hardware (hah), there is always a level of trust required in 
the code/device.  Trusting Facebook seems... unwise.  But not everyone is 
churning out industrial grade evil like Facebook.

https://www.forbes.com/sites/kalevleetaru/2019/07/26/the-encryption-debate-is-over-dead-at-the-hands-of-facebook/#55ac36aa5362

-Ryan McGinnis
https://bigstormpicture.com
PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
https://keybase.io/digicana
Sent via ProtonMail



Re: Essay on PGP as it is used today

2019-07-23 Thread Ryan McGinnis via Gnupg-users
It seems kinda cheeky to find one (fixed) bug in the least secure 
implementation of the program and act like that disqualifies it.  All programs 
have bugs.  Most implementations of GPG have had some pretty bad bugs over the 
years.  No programs are going to be free of security flaws - the question is 
whether the app or platform was built with security as a priority and what 
happens when those flaws are discovered.  I'd argue Signal was built with 
security in mind and that they're pretty swift at fixing issues as they arise. 

Also, not that it makes the bug any less impactful, but I know very few people 
who make regular use of the desktop implementation of Signal; it's mostly meant 
for mobile devices. 

-Ryan McGinnis
https://bigstormpicture.com
PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Sent with ProtonMail

‐‐‐ Original Message ‐‐‐
On Tuesday, July 23, 2019 3:32 AM,  wrote:

> Again, Signal is touted as better than PGP.
> Why?
> Look at this problem with signal. Looks really serious.
>
> Signal Desktop Leaves Message Decryption Key in Plain Sight
> https://www.bleepingcomputer.com/news/security/signal-desktop-leaves-message-decryption-key-in-plain-sight/
>
> I don't think PGP does THIS !
>
> Elwin
>
> Sent using Hushmail
>
> On 7/22/2019 at 7:53 PM, "Ryan McGinnis via Gnupg-users" wrote:
>
> > I’m not so sure that it does.  I think that’s the point security
> > researchers like Schneier have been trying to make: it is easy for all
> > people — from grandparents who still think they need AOL to chipheads who
> > can install Arch without watching a YouTube tutorial — to screw up
> > encrypted email in a way that exposes the cleartext.   Encrypted email is
> > fundamentally unsafe as it currently exists.  It’s really hard to screw up
> > some of the new E2E encrypted messengers.  Sure, if your method for secure
> > communications is dropping stego’d memes with encrypted payloads on imgur,
> > then simple tools like Signal and WhatsApp won’t do.  But if you’re trying
> > to securely communicate like a normal person who is not pretending to be
> > Mister Robot, then PGP for email is one of the least adopted, least safe
> > ways to do so and Signal/iMessage/WhatsApp are decent solutions.
> >
> > -Ryan McGinnis
> > https://bigstormpicture.com
> > PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
> > Sent with ProtonMail
> >
> > Sent from ProtonMail Mobile
> >
> > On Mon, Jul 22, 2019 at 15:00, Mark H. Wood via Gnupg-users wrote:
> >
> > > On Mon, Jul 22, 2019 at 03:46:18PM +, Ryan McGinnis via Gnupg-users
> > > wrote:
> > > > [1]https://www.schneier.com/blog/archives/2018/05/details_on_a_ne.html
> > > >
> > > > 3. Why is anyone using encrypted e-mail anymore, anyway? Reliably and
> > > > easily encrypting e-mail is an insurmountably hard problem for reasons
> > > > having nothing to do with today's announcement. If you need to
> > > > communicate securely, use Signal. If having Signal on your phone will
> > > > arouse suspicion, use WhatsApp.
> > >
> > > Depends on your threat model. For mine, reliably and easily
> > > encrypting email is almost absurdly simple:
> > >
> > > 1) Use PGP
> > > 2) Don't send secrets to people I don't trust to keep them.
> > >
> > > Anyway, 99% of my PGP use is for the opposite of secrecy: I sign my
> > > emails so that (if you care enough to install PGP) you can be highly
> > > assured that they're from me.
> > >
> > > --
> > > Mark H. Wood
> > > Lead Technology Analyst
> > >
> > > University Library
> > > Indiana University - Purdue University Indianapolis
> > > 755 W. Michigan Street
> > > Indianapolis, IN 46202
> > > 317-274-0749
> > > www.ulib.iupui.edu
> > > ___
> > > Gnupg-users mailing list
> > > Gnupg-users@gnupg.org
> > > http://lists.gnupg.org/mailman/listinfo/gnupg-users



Re: Essay on PGP as it is used today

2019-07-22 Thread Ryan McGinnis via Gnupg-users
I’m not so sure that it does.  I think that’s the point security 
researchers like Schneier have been trying to make: it is easy for all 
people — from grandparents who still think they need AOL to chipheads who 
can install Arch without watching a YouTube tutorial — to screw up 
encrypted email in a way that exposes the cleartext.   Encrypted email is 
fundamentally unsafe as it currently exists.  It’s really hard to screw up 
some of the new E2E encrypted messengers.  Sure, if your method for secure 
communications is dropping stego’d memes with encrypted payloads on imgur, 
then simple tools like Signal and WhatsApp won’t do.  But if you’re trying 
to securely communicate like a normal person who is not pretending to be 
Mister Robot, then PGP for email is one of the least adopted, least safe 
ways to do so and Signal/iMessage/WhatsApp are decent solutions.

-Ryan McGinnis
https://bigstormpicture.com
PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Sent with ProtonMail

Sent from ProtonMail Mobile

On Mon, Jul 22, 2019 at 15:00, Mark H. Wood via Gnupg-users <gnupg-users@gnupg.org> wrote:

> On Mon, Jul 22, 2019 at 03:46:18PM +, Ryan McGinnis via Gnupg-users wrote:
> > [1]https://www.schneier.com/blog/archives/2018/05/details_on_a_ne.html
> >
> > 3. Why is anyone using encrypted e-mail anymore, anyway? Reliably and
> > easily encrypting e-mail is an insurmountably hard problem for reasons
> > having nothing to do with today's announcement. If you need to
> > communicate securely, use Signal. If having Signal on your phone will
> > arouse suspicion, use WhatsApp.
>
> Depends on your threat model.  For mine, reliably and easily
> encrypting email is almost absurdly simple:
>
> 1) Use PGP
> 2) Don't send secrets to people I don't trust to keep them.
>
> Anyway, 99% of my PGP use is for the opposite of secrecy: I sign my
> emails so that (if you care enough to install PGP) you can be highly
> assured that they're from me.
>
> --
> Mark H. Wood
> Lead Technology Analyst
> University Library
> Indiana University - Purdue University Indianapolis
> 755 W. Michigan Street
> Indianapolis, IN 46202
> 317-274-0749
> www.ulib.iupui.edu
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Essay on PGP as it is used today

2019-07-22 Thread Ryan McGinnis via Gnupg-users
https://www.schneier.com/blog/archives/2018/05/details_on_a_ne.html

“3. Why is anyone using encrypted e-mail anymore, anyway? Reliably and easily 
encrypting e-mail is an insurmountably hard problem for reasons having nothing 
to do with today's announcement. If you need to communicate securely, use 
Signal. If having Signal on your phone will arouse suspicion, use WhatsApp.”

-Ryan McGinnis
https://bigstormpicture.com
PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Sent with ProtonMail

Sent from ProtonMail Mobile

On Mon, Jul 22, 2019 at 03:28, Craig T via Gnupg-users <gnupg-users@gnupg.org> wrote:

> Hey Ryan thanks for posting... and this response is not a poke at you, so
> don't take it personally!
>
> but ... groan... honestly who the fck are "latacora", and all the others who
> sprout shite they read somewhere and regurgitate elsewhere...
>
> Yeah I have been seeing posts like this pop up and with variations of
> content. Today everyone is cool kid security consultant, it's a badge of
> upper crust 007 techno ability.
>
> Show me actual facts and figures, opinions are not fact.
>
> Like anything worthwhile, sometimes you need to study and actually apply a
> bit of effort to do something properly.
>
> GPG is no different...  The "instant gratification" and simple systems don't
> enforce good security workflows. Just because Uncle Bob likes and says you
> should use signal/whatsapp etc etc and shouldn't use whatever, doesn't mean
> you should follow.
>
> If folks like Bruce Schneier suddenly popped up and said "we have a problem"
> and dumped his PK, I may take notice... Then again that's my opinion, why
> should you believe me :)
>
> Cheers
>
> Craig
>
> From: Gnupg-users  on behalf of Ryan McGinnis via Gnupg-users
> Sent: 17 July 2019 15:28
> To: Konstantin Boyandin via Gnupg-users
> Subject: Essay on PGP as it is used today
>
> More than a bit critical, but a good read all the same.  Found on HN.
>
> https://latacora.micro.blog/2019/07/16/the-pgp-problem.html
>
> HN comment thread here:  https://news.ycombinator.com/item?id=20455780
>
> -Ryan McGinnis
> https://bigstormpicture.com
> PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
> Sent with ProtonMail

Re: Essay on PGP as it is used today

2019-07-17 Thread Ryan McGinnis via Gnupg-users
Is that to send them a message or an attachment?

You might look into Firefox Send -- not sure if this satisfies the legal 
requirements, but it is very robust end to end encryption.  
https://send.firefox.com/


-Ryan McGinnis
https://bigstormpicture.com
PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Sent with ProtonMail

‐‐‐ Original Message ‐‐‐
On Wednesday, July 17, 2019 9:13 PM, raf via Gnupg-users 
 wrote:

> Stefan Claas via Gnupg-users wrote:
>
> > Andrew Gallagher wrote:
> >
> > > -   And finally: “don’t encrypt email”? Yes, well. Email is not going
> > > away. Just like passwords, its death has been long anticipated, yet
> > > never arrives. So what do we do in the meantime?
> >
> > I think the biggest problem is how can PGP or GnuPG users tell other users,
> > not familiar with email encryption yet, what else to use ...
>
> At work, when a client insists on email, and I (or the law)
> insist on encryption, I provide them with instructions for
> installing 7-zip and send them an AES-256 encrypted zip or 7z
> file as an attachment. It's the simplest thing I could think
> of that I thought most people could cope with.
>
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users





Re: Essay on PGP as it is used today

2019-07-17 Thread Ryan McGinnis via Gnupg-users


> -   And finally: “don’t encrypt email”? Yes, well. Email is not going away. 
> Just like passwords, its death has been long anticipated, yet never arrives. 
> So what do we do in the meantime?

I think what the author is saying is stop trying to ever think of email as a 
secure form of communications, no matter what you layer on top of it, full 
stop.  Which given how email encryption options have performed over the past 
couple decades, makes sense to me.  


You might say that PGP over email is better than nothing over email, but is it? 
 If you expect a non-secure channel and don't disclose secure information, 
that's one thing -- but if you expect a secure channel and send private 
information and through user error or clunky software implementation you end up 
sending cleartext, you're worse off than if you'd just assumed a non-secure 
channel.  Email has a habit of having this happen.  It's actually quite easy to 
mess up and send cleartext. 


IF there were no other options, then maybe it'd be worth rolling the dice.  But 
there are quite a few extremely capable free solutions out there that will 
establish a secure channel of communications with relative ease.  


Frankly, the only way you'll ever get secure comms over email is if the big 
boys (Microsoft, the Goog, and to a lesser extent Yahoo and 
grandpa^H^H^H^H^H^H^H AOL) decide to shake hands and come up with a standard and 
force it down all other providers' throats.  Either that or roll their own 
secure (though not E2E since it relies on TLS) modes like Outlook 365 and 
Google/GSuite do and give users an option to send messages that force TLS by 
making the recipient go to a https email viewing page if you access the message 
from any outside provider.  


-Ryan McGinnis
https://bigstormpicture.com
PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Sent with ProtonMail

‐‐‐ Original Message ‐‐‐
On Wednesday, July 17, 2019 1:52 AM, Andrew Gallagher  
wrote:

> On 17 Jul 2019, at 05:05, Robert J. Hansen r...@sixdemonbag.org wrote:
>
> > But all in all? It's a good criticism.
>
> Indeed. Backwards compatibility with the 1990s is an albatross. Anyone still
> using obsolete ciphers is screwed anyway, so why encourage it?
>
> Some nitpicking:
>
> -   Modern PGP does encrypt subjects (although not other metadata).
> -   Magic wormhole is an excellent toy, but it’s written in python, so
>     literally the first person I tested it with got his dependency stack
>     shredded. I think he’s forgiven me but he hasn’t used it since. The line
>     about rewriting wormhole in a decent language may look throwaway but
>     it’s not.
> -   Similarly, the alternative archiving software suggested is still a work
>     in progress. It’s all very well criticising PGP for being a clumsy jack
>     of all trades, but “modern crypto” has had twenty years to replace it
>     and still hasn’t fully succeeded. This isn’t just on PGP.
> -   And finally: “don’t encrypt email”? Yes, well. Email is not going away.
>     Just like passwords, its death has been long anticipated, yet never
>     arrives. So what do we do in the meantime?
>
> But yes.
>
> A
>
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users





Essay on PGP as it is used today

2019-07-16 Thread Ryan McGinnis via Gnupg-users
More than a bit critical, but a good read all the same.  Found on HN. 

https://latacora.micro.blog/2019/07/16/the-pgp-problem.html

HN comment thread here:  https://news.ycombinator.com/item?id=20455780

-Ryan McGinnis
https://bigstormpicture.com
PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Sent with ProtonMail



Re: SKS and GnuPG related issues and possible workarounds

2019-07-06 Thread Ryan McGinnis via Gnupg-users
I believe this list is web accessible to non-subscribers, so being subscribed 
here or not subscribed here doesn’t mean much.  Just that if you post here 
someone who is willing to do this attack (maybe not even the original someone - 
this is an attack literally anyone can do) is reading what you write.

*waves at someone*

At any rate, this just underscores what I suspect the original attacker was 
trying to make clear: stick a fork in SKS servers, they’re dead.

-Ryan McGinnis
https://bigstormpicture.com
PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Sent with ProtonMail

On Sat, Jul 6, 2019 at 17:18, David  wrote:

> On 06/07/2019 12:50, Ryan McGinnis via Gnupg-users wrote:
>> Someone brought it to my attention that my key is now one of the
>> affected keys; I think from this we can probably surmise that whoever(s)
>> is doing this probably reads this list as this email address doesn’t see
>> heavy circulation.
> If indeed that's the case - that person can download any public key
> insert malicious code and upload to any key server. I am not updating
> any keys and no sks key servers.
>
> Who's new to the mailing list? Now we have a web of distrust :(
>
> David
>
> --
> People Should Not Be Afraid Of Their Government - Their Government
> Should Be Afraid Of The People - When Injustice Becomes Law, REBELLION
> Becomes A DUTY! Join the Rebellion Today! https://gbenet.com
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: SKS and GnuPG related issues and possible workarounds

2019-07-06 Thread Ryan McGinnis via Gnupg-users
Someone brought it to my attention that my key is now one of the affected keys; 
I think from this we can probably surmise that whoever(s) is doing this 
probably reads this list as this email address doesn’t see heavy circulation.

-Ryan McGinnis
https://bigstormpicture.com
PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Sent with ProtonMail

On Sat, Jul 6, 2019 at 00:33, Teemu Likonen via Gnupg-users 
 wrote:

> Konstantin Boyandin via Gnupg-users [2019-07-05T20:45:59-04:00] wrote:
>
>> ATM, none of systems I use GnuPG in has been hit with the signature
>> flood disaster. If I might miss that point - is it possible to get,
>> somehow, the list of flooded keys IDs (if anyone keeps the stats)?
>
> I don't maintain a list and such a list can be always outdated anyway.
> Better option is to set protective settings right now in gpg.conf file.
>
> keyserver-options import-clean
> # maybe also:
> import-options import-clean
>
> With option "import-clean" key import operations accept only key
> signatures from already known keys. With poisoned keys the import
> operation can take time but at least your local keyring is protected
> from importing them.
>
> The gpg(1) manual page for version 2.1.18 (Debian) is misleading,
> though.
>
> import-clean
> After import, compact (remove all signatures except the
> self-signature) any user IDs from the new key that are
> not usable. Then, remove any signatures from the new
> key that are not usable. This includes signatures that
> were issued by keys that are not present on the
> keyring. This option is the same as running the --edit-
> key command "clean" after import. Defaults to no.
>
> It says "After import" but according to Werner Koch[1] it actually
> strips unknown key signatures _before_ importing them to the local
> keyring. The manual also says that "This option is the same as running
> the --edit-key command 'clean' after import." This is also wrong or
> misleading because it may lead user thinking that in import operations
> first all keys and key signatures are imported to local keyring and then
> they are cleaned.
>
> -
> 1. https://lists.gnupg.org/pipermail/gnupg-users/2019-July/062239.html
>
> --
> /// OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
> // https://keys.openpgp.org/search?q=tliko...@iki.fi
> / https://keybase.io/tlikonen https://github.com/tlikonen
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
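
The gpg.conf settings recommended in the quoted message above can be checked mechanically. The script below is an added example, not part of the original thread or of GnuPG: it reports whether import-clean is enabled under keyserver-options and import-options. The function names and the three sample files are constructed for illustration, and it assumes a later "no-import-clean" on the same option switches the flag off again.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a gpg.conf enables
# import-clean under keyserver-options and under import-options.

# import_clean_state CONF OPTION -> prints "on" or "off".
# Assumptions: option names are written out in full (no abbreviations),
# lines whose first non-blank character is '#' are comments, and a later
# "no-import-clean" switches the flag off again.
import_clean_state() {
    awk -v opt="$2" '
        BEGIN { state = "off" }
        /^[ \t]*#/ { next }                 # skip comment lines
        {
            gsub(/,/, " ")                  # values may be comma- or space-separated
            if (tolower($1) != opt) next    # only look at the requested option
            for (i = 2; i <= NF; i++) {
                v = tolower($i)
                if (v == "import-clean")    state = "on"
                if (v == "no-import-clean") state = "off"
            }
        }
        END { print state }
    ' "$1"
}

# audit_import_clean CONF -> prints one line per option,
# returns 0 only if import-clean is on for both.
audit_import_clean() {
    rc=0
    for opt in keyserver-options import-options; do
        state=$(import_clean_state "$1" "$opt")
        printf '%s: import-clean %s\n' "$opt" "$state"
        [ "$state" = on ] || rc=1
    done
    return "$rc"
}

# Constructed sample files, written to a temporary directory.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
hardened="$tmp/hardened.conf"
weak="$tmp/weak.conf"
mixed="$tmp/mixed.conf"

# The settings exactly as quoted in the message.
cat > "$hardened" <<'EOF'
keyserver-options import-clean
# maybe also:
import-options import-clean
EOF

# No protective setting at all.
cat > "$weak" <<'EOF'
keyserver-options honor-keyserver-url
import-options import-minimal
EOF

# Set once, then switched off again further down the file.
cat > "$mixed" <<'EOF'
keyserver-options honor-keyserver-url,import-clean
import-options import-clean
import-options no-import-clean
EOF

for f in "$hardened" "$weak" "$mixed"; do
    echo "== ${f##*/}"
    audit_import_clean "$f" || echo "   -> import-clean is not set for every import path"
done
```

Point audit_import_clean at a real gpg.conf to check an existing installation.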

Re: SKS and GnuPG related issues and possible workarounds

2019-07-03 Thread Ryan McGinnis via Gnupg-users
To be fair, that bookshelf got pointed out like a decade ago. It’s just that 
resources to build a new one never materialized.

While pointing out a problem by doing a targeted demonstration attack is about 
as aggressively black hat as it gets, it’s hard to not expect it. Even big 
white hat boys like Project Zero give 90 days to fix an issue before publishing 
(and once published, you can assume the exploit will be used in the wild.) 
Pining for a simpler time when people didn’t try to exploit other people and 
systems is silly because those times never existed - it’s just that there 
didn’t use to be such significant value attached to software systems so the 
only people who carried out attacks were nerds doing it for the lulz. (Well, 
the ROTFLs back then, I guess.) Sure, nobody could anticipate contemporary 
attacks a decade ago, but that seems more a cautionary tale against allowing 
non-serviceable abandonware to run critical systems. If any 15 year old script 
kiddie can easily bring your whole global heavily relied-upon system down, then 
having someone pull back the curtain on the wizard seems like an understandable 
choice, even if it’s a bit of a jerk move.

But yeah, that said — don’t kick the bookshelf over. :) Just hope that in the 
meantime nobody figures out a way to profit or benefit somehow from doing so.

-Ryan McGinnis
https://bigstormpicture.com
PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Sent with ProtonMail

On Wed, Jul 3, 2019 at 09:18, Andrew Gallagher  wrote:

> On 03/07/2019 15:00, Stefan Claas via Gnupg-users wrote:
>> If I had time and money I would hire a lawyer, would formulate a letter
>> for SKS operators stating that I request the removal of my pub key data
>> and would as EU citizen refer in this letter to our GDPR.
>>
>> Maybe, if time allows, I may check with EFF and their lawyers ...
>
> Would you mind waiting for the replacement system to be fully tested and
> migrated before setting fire to the old one?
>
> There's a scene in the classic comedy Father Ted, where a visitor to the
> parochial house starts complaining about the build quality of the
> bookshelves, and to prove his point he pulls them to pieces. "Look at
> that, it's falling apart!" [1]
>
> Just because something is broken does not mean you are obliged to kick
> it over to prove the point.
>
> [1] https://vimeo.com/108169770
>
> --
> Andrew Gallagher
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: SKS and GnuPG related issues and possible workarounds

2019-07-03 Thread Ryan McGinnis via Gnupg-users



To be fair, that bookshelf got pointed out like a decade ago.  It’s just that 
resources to build a new one never materialized.  


While pointing out a problem by doing a targeted demonstration attack is about 
as aggressively black hat as it gets, it’s hard to not expect it.  Even big 
white hat boys like Project Zero give 90 days to fix an issue before publishing 
(and once published, you can assume the exploit will be used in the wild.)  
Pining for a simpler time when people didn’t try to exploit other people and 
systems is silly because those times never existed - it’s just that there 
didn’t use to be such significant value attached to software systems so the 
only people who carried out attacks were nerds doing it for the lulz. (Well, 
the ROTFLs back then, I guess.)  Sure, nobody could anticipate contemporary 
attacks a decade ago, but that seems more a cautionary tale against allowing 
non-serviceable abandonware to run critical systems.  If any 15 year old script 
kiddie can easily bring your whole heavily relied-upon system down, then having 
someone pull back the curtain on the wizard seems like an understandable 
choice, even if it’s a bit of a jerk move.  


But yeah, that said — don’t kick the bookshelf over.  :)  Just hope that in the 
meantime nobody figures out a way to profit or benefit somehow from doing so.  


-Ryan McGinnis
https://bigstormpicture.com
PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Sent with ProtonMail

‐‐‐ Original Message ‐‐‐
On Wednesday, July 3, 2019 9:18 AM, Andrew Gallagher  
wrote:

> On 03/07/2019 15:00, Stefan Claas via Gnupg-users wrote:
>
> > If I had time and money I would hire a lawyer, would formulate a letter
> > for SKS operators stating that I request the removal of my pub key data
> > and would as EU citizen refer in this letter to our GDPR.
> > Maybe, if time allows, I may check with EFF and their lawyers ...
>
> Would you mind waiting for the replacement system to be fully tested and
> migrated before setting fire to the old one?
>
> There's a scene in the classic comedy Father Ted, where a visitor to the
> parochial house starts complaining about the build quality of the
> bookshelves, and to prove his point he pulls them to pieces. "Look at
> that, it's falling apart!" [1]
>
> Just because something is broken does not mean you are obliged to kick
> it over to prove the point.
>
> [1] https://vimeo.com/108169770
>
> --
> Andrew Gallagher
>
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users



Re: Your Thoughts

2019-07-03 Thread Ryan McGinnis via Gnupg-users
Not sure why the phone number thing bothers people -- having a phone at all in 
the first place means you are easily tracked.  What Signal (and any encryption 
system, really) does is try to prevent in-transit interception and surveillance 
of the actual data content.  It can't hide the metadata associated with a layer 
well above the application layer.  Openwhisper can be picked up at the firewall 
level, but then so can Tor and VPN spinups, and all of these things are 
metadata that make you score more interesting to the mass-data-scoop 
algorithms.  If you don't want to be easily geo-locationally tracked, don't use 
a device with a cellular modem, full stop.  


What Signal (or any other E2E encrypted messaging system) does is give people 
the ability to communicate with each other privately.  People can still see 
that they are talking and are trying to hide what they are saying.  Yeah, that 
makes those people targets in some countries, but it also greatly increases the 
cost in manpower and resources needed to peek into those communications.  Now 
you're looking at burning 0days to install APTs and sending human resources to 
deal with individuals when this could previously be handled on a global level 
en masse with some fiber splitters and a big ol' datacenter.  If enough people 
use it, it can have a disruptive effect on mass surveillance and state control.



-Ryan McGinnis
https://bigstormpicture.com
PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Sent with ProtonMail

‐‐‐ Original Message ‐‐‐
On Tuesday, July 2, 2019 10:20 PM, Mirimir via Gnupg-users 
 wrote:

> On 07/02/2019 05:18 AM, Robert J. Hansen wrote:
>
> > > Signal went the other way. Build a verifiably secure communications
> > > platform so easy that literally anyone can figure it out.
> >
> > I think this is a misunderstanding of Signal.
> >
> > Signal is, by its very nature, tightly tied to one specific
> > communications platform -- that of the smartphone. It's not likely to
> > break out of its home.
>
> And not only that, it's tied to one of the least privacy-friendly
> aspects of smartphones: the phone number.[0]
>
> | Requirements
> |
> | Signal uses your existing phone number.
> |
> | The number must be able to receive an SMS or phone call.
>
> Sure, it's not necessarily the number of the phone that you're using
> Signal on. But it's gotta be a number that you can use, and which others
> can't use. So what do you do, to avoid geolocation?
>
> You can't use one of those shared SMS services. So what, lease a SIM
> from some SIM farm in wherever, and hope that they're honest?
>
> There's also the issue of actually using Signal while preventing
> geolocation. You can't just use Tor, which itself is nontrivial on
> smartphones, because Signal needs UDP. So you're stuck with VPNs, where
> you must trust providers.
>
> It's frightening how popular Signal has become. Especially for people
> whose lives are threatened by geolocation. If I were paranoid, I'd say
> that it was a honeypot. But whatever. Something using Tor onion services
> is probably the best option. Unless Tor is also a honeypot.
>
> 0)
> https://support.signal.org/hc/en-us/articles/360007318691-Register-a-phone-number
>
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users





RE: Some thoughts on the future of OpenPGP and GnuPG

2019-07-02 Thread Ryan McGinnis via Gnupg-users
This is quite cool (I have mine set up the same way), but somewhat ironic 
considering, well... they're Facebook.  I mean of all the big dog internet 
companies out there that you'd expect to give you extreme measures protect 
in-transit personal user data... Facebook?!

-Ryan McGinnis 
https://bigstormpicture.com 
PGP fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Sent with ProtonMail

-Original Message-
From: Gnupg-users  On Behalf Of Andrew Gallagher
Sent: Tuesday, July 2, 2019 9:28 AM
To: gnupg-users@gnupg.org
Subject: Re: Some thoughts on the future of OpenPGP and GnuPG

On 02/07/2019 15:03, Stefan Claas via Gnupg-users wrote:
> P.S. to me it is still unknown why exactly Facebook is an annual donor.

Facebook are a *serious* user of OpenPGP. Every email they send me is encrypted 
to my PGP key. In this respect they are decades ahead of 99.9% of the other big 
IT companies.

--
Andrew Gallagher

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users





Re: Your Thoughts

2019-07-02 Thread Ryan McGinnis via Gnupg-users
That is true that I am probably being unfair - my focus on GPG for email is 
more a nostalgic sadness that secure (beyond TLS transport) email never really 
became ubiquitous.  In the end the protocol of email itself couldn’t keep up 
with the way people needed to communicate, so email is now a bit of a niche thing -
 used for business and as a repository for “unimportant and lacking urgency, 
but still desired” types of communications.  As a run of the mill IT fire 
putter outer it seems nuts that I run across institutions still using fax 
machines (just regular old unencrypted data turned to audio over POTS lines) 
because they are somehow still compliant with data protection laws, and they 
see encrypted email as less viable as it is much more expensive to set up with
much more overhead.

But I also agree - it certainly does make sense to focus development on what 
the users primarily use it for.

Sent from ProtonMail Mobile

On Tue, Jul 2, 2019 at 07:18, Robert J. Hansen  wrote:

>> Signal went the other way. Build a verifiably secure communications platform 
>> so easy that literally anyone can figure it out.
>
> I think this is a misunderstanding of Signal.
>
> OpenPGP is, by its very nature, agnostic to ... well, just about
> everything. It was originally intended for email but spread to become
> just about everywhere. It's used for package verification mostly
> nowadays. That is the genuine 99% use case, and that's where our
> attention really should be focused on. Email is a niche, and even
> moreso nowadays as email _itself_ is becoming a niche. OpenPGP in email
> is a niche within a niche.
>
> Signal is, by its very nature, tightly tied to one specific
> communications platform -- that of the smartphone. It's not likely to
> break out of its home.
>
> It's true that Signal has had more impact than OpenPGP in email -- but I
> think that's an unfair statement to make, as you're cherrypicking the
> one niche where OpenPGP has had the *least* adoption. Anything looks
> like a failure if you only look at where it's failed.
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users


Fw: Re: Your Thoughts

2019-07-02 Thread Ryan McGinnis via Gnupg-users

By the way, I just *love* my iPhone’s desire to help me with words it thinks 
I’ve misspelled.  :)

-Ryan McGinnis
https://bigstormpicture.com
PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Sent with ProtonMail

‐‐‐ Original Message ‐‐‐
On Tuesday, July 2, 2019 7:10 AM, Ryan McGinnis  wrote:

> Right, I probably wasn’t being very clear with what I meant. What I’m saying
> is that people who use PGP at the moment are rather tech savvy, lady over
> from the legacy of the fact that for most of PGP’s existence a user had to be
> tech savvy to even get PGP backed out of the metaphorical garage. Because of
> this, applications that use PGP all seem designed to make that crowd happy.
> But making that crowd happy necessarily excludes the much larger crowd that
> would never need, consider, or even understand aid-gapping.
>
> Signal went the other way. Build a verifiably secure communications platform
> so easy that literally anyone can figure it out. Make it hard to impossible
> to screw up. Most of the people who implemented secure whisper adopted this
> philosophy. No, it’s not federated, but in terms of real-world impact it
> actually has one because people actually use it to communicate.
>
> -Ryan McGinnis
> https://bigstormpicture.com
> PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
> Sent with ProtonMail
>
> ‐‐‐ Original Message ‐‐‐
> On Tuesday, July 2, 2019 3:06 AM, Peter Lebbing pe...@digitalbrains.com wrote:
>
> > On 01/07/2019 23:55, Ryan McGinnis via Gnupg-users wrote:
> >
> > > Null modem transfer of your messages? Yikes. To me that’s the issue
> > > with PGP in general as it relates to secure communications
> >
> > None of any of the alternatives to OpenPGP you mention solve the issue
> > that a secure offline system sets out to solve. They are orthogonal
> > issues.
> > Alternatives to OpenPGP have the same need or lack of need of a secure
> > offline system as OpenPGP itself. The only difference I can think of
> > would be in the number of messages disclosed or the range of signatures
> > that could be faked by a compromise, not the base premise of disclosure
> > and impersonation.
> > You might well reasonably object to the UX of OpenPGP. Just not on the
> > ground that there are people who think about offline secure systems,
> > that makes no sense to me. The two are unrelated. The only relation I
> > can think of is that people who think about deploying offline secure
> > systems probably aren't quickly scared off by an overly complicated
> > system ;-).
> > Cheers,
> > Peter.
> >
> > I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> > You can send me encrypted mail if you want some privacy.
> > My key is available at http://digitalbrains.com/2012/openpgp-key-peter





Re: Your Thoughts

2019-07-02 Thread Ryan McGinnis via Gnupg-users
Right, I probably wasn’t being very clear with what I meant.  What I’m saying 
is that people who use PGP at the moment are rather tech savvy, lady over from 
the legacy of the fact that for most of PGP’s existence a user *had* to be tech 
savvy to even get PGP backed out of the metaphorical garage.  Because of this, 
applications that use PGP all seem designed to make that crowd happy.  But 
making that crowd happy necessarily excludes the much larger crowd that would 
never need, consider, or even understand aid-gapping.

Signal went the other way.  Build a verifiably secure communications platform 
so easy that literally anyone can figure it out.  Make it hard to impossible to 
screw up.  Most of the people who implemented secure whisper adopted this 
philosophy.  No, it’s not federated, but in terms of real-world impact it 
actually has one because people actually use it to communicate.

-Ryan McGinnis
https://bigstormpicture.com
PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Sent with ProtonMail

‐‐‐ Original Message ‐‐‐
On Tuesday, July 2, 2019 3:06 AM, Peter Lebbing  wrote:

> On 01/07/2019 23:55, Ryan McGinnis via Gnupg-users wrote:
>
> > Null modem transfer of your messages? Yikes. To me that’s the issue
> > with PGP in general as it relates to secure communications
>
> None of any of the alternatives to OpenPGP you mention solve the issue
> that a secure offline system sets out to solve. They are orthogonal
> issues.
>
> Alternatives to OpenPGP have the same need or lack of need of a secure
> offline system as OpenPGP itself. The only difference I can think of
> would be in the number of messages disclosed or the range of signatures
> that could be faked by a compromise, not the base premise of disclosure
> and impersonation.
>
> You might well reasonably object to the UX of OpenPGP. Just not on the
> ground that there are people who think about offline secure systems,
> that makes no sense to me. The two are unrelated. The only relation I
> can think of is that people who think about deploying offline secure
> systems probably aren't quickly scared off by an overly complicated
> system ;-).
>
> Cheers,
>
> Peter.
>
> --
>
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at http://digitalbrains.com/2012/openpgp-key-peter





Re: Your Thoughts

2019-07-01 Thread Ryan McGinnis via Gnupg-users

Null modem transfer of your messages?  Yikes.  To me that’s the issue with PGP 
in general as it relates to secure communications - the nerds and the criminals 
and the spies know how to work it, but your average end user doesn’t need their 
step one to be “go to a Goodwill in a city you don’t live in wearing a disguise 
and buy a laptop with cash”, they need PGP to almost be automatic.  Think of 
how easy it is to bootstrap Signal and how hard you’d have to try to 
accidentally send something cleartext over that application.  Linking your key 
to a new device is as easy as scanning a QR code. Perfect forward secrecy, rich
media, voice and video synchronous communications upgrades, you name it.  And 
my grandma could probably set it up without help.  I guarantee most big data 
scooping intelligence services are a lot more worried about OpenWhisper 
protocol than PGP because *people actually use it*.  Just being caught with 
WhatsApp in China can get you sent to a camp, depending on your ethnicity.


-Ryan McGinnis
https://bigstormpicture.com
PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Sent with ProtonMail

‐‐‐ Original Message ‐‐‐
On Monday, July 1, 2019 10:26 AM, Stefan Claas via Gnupg-users 
 wrote:

> Andrew Gallagher wrote:
>
> > On 2019/07/01 15:13, Stefan Claas via Gnupg-users wrote:
> >
> > > I agree with Professor Green. Maybe he and his students can
> > > program a POC something more simple, preferably in Golang and
> > > while using the NaCl* library.
> >
> > Golang? Not Rust? :-P
>
> He he, I have tried to compile sequoia-pgp under Windows 10
> and failed miserably, due to the "excellent" compile instructions
> for Windows. I played with Rust in the past, under macOS, and
> never had problems.
>
> What I would like to do is to create a binary of sequoia-pgp under
> Windows 10 and then use the binary under Windows 7, offline.
>
> With Golang it would be no big deal, because that is super easy,
> but as understood the openpgp libs for Golang are not so good
> as the Rust ones.
>
> > Who wants to copy and paste messages? That's s 1995.
>
> Me for example :-) Why? I use encryption tools offline
> on my Notebook and then copy/paste the encrypted messages
> into CoolTerm to transfer them then via my USB to USB Nullmodem
> cable to my online computer. :-)
>
> > > A real "modern" GnuPG should be IMHO the same as PGP was GUI based
> > > back then. The GUI could be also cross-platform QT based, for
> > > example.
> >
> > You can't script a GUI, but you can GUI a CLI - and there is no shortage
> > of decent GUI interfaces for GnuPG.
>
> I am aware of that, but I do have (Golang) tools which work as cli
> tools and they can be used with an extra written GUI program, if
> someone likes to do so. Very handy!
>
> Regards
> Stefan
>
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users



Re: Your Thoughts

2019-06-30 Thread Ryan McGinnis via Gnupg-users

It’s not so much that nothing better has come along, it’s that no single one of 
those things does all the things PGP sets out to do.  For secure communications 
there are much better options than PGP - some of them in very heavy use by 
actual normal, non tech people.  For symmetric encryption of files there are much
better options out there.  For signing files there are other options (though 
perhaps not better).  


Does anyone know what PGP’s peak adoption rate was?  I always loved it in 
concept but very very rarely saw people actually trying to use it in the wild, 
outside of the types of people who read this list.  


-Ryan McGinnis
https://bigstormpicture.com
PGP: 486ED7AD
Sent with ProtonMail

‐‐‐ Original Message ‐‐‐
On Sunday, June 30, 2019 3:01 PM, Ralph Seichter  wrote:

> * da...@gbenet.com:
>
> > Your Thoughts :)
>
> I think the article is five years old, has not aged well (e.g. MUA
> integration has improved), and that nothing better than PGP has come
> along in the meantime.
>
> Next. ;-)
>
> -Ralph
>
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users




Re: SKS Keyserver Network Under Attack

2019-06-30 Thread Ryan McGinnis via Gnupg-users
I can’t speak for others, but I wasn’t suggesting you were personally 
responsible for where things are right now, only making observations about the 
utility of continuing to use the product going forward, and what the targeted 
end users likely expect from the software.

-Ryan McGinnis
http://bigstormpicture.com
PGP: 486ED7AD
Sent with ProtonMail Secure Email

On Sun, Jun 30, 2019 at 08:50, Robert J. Hansen  wrote:

>> I guess that’s one way to look at it, but if your end users are
>> dissidents and journalists communicating in happy fun places or
>> developers signing critical software, then surely you’d want the
>> product to be resilient against 10 year old trivial attacks from your
>> users’ adversaries.
>
> I feel like I am screaming into the void here. I'm going to be quite
> blunt because the message is just not getting through:
>
> I don't get to decide these things. Stop implying that I do. Stop
> blaming me for other people's decisions. And stop thinking that I have
> *anything whatsoever to do with the keyservers*. I don't. I understand
> them but I am not a developer on them. I don't even run a keyserver.
> And if you knew the first thing about the keyservers you would know this
> without needing me to tell you.
>
> So please forgive me for not wanting to have a conversation with you. I
> am getting very tired of people confusing "Rob understands the current
> mess" with "so I'm going to impugn his competence".
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: SKS Keyserver Network Under Attack

2019-06-30 Thread Ryan McGinnis via Gnupg-users
I guess that’s one way to look at it, but if your end users are dissidents and 
journalists communicating in happy fun places or developers signing critical 
software, then surely you’d want the product to be resilient against 10 year 
old trivial attacks from your users’ adversaries.  I do understand the “with 
what resources” argument; I imagine there is no way of getting around that.  
But if that is the end response to stuff like this then it seems more an 
argument that people should not be using this software system for important, 
serious applications.  For the secure communications functionality I suspect 
this has been the target end users’ perception for quite some time, and a whole 
slew of arguably better secure communications systems have risen to fill that 
need - but GPG is still used heavily in signing important files.

-Ryan McGinnis
http://bigstormpicture.com
PGP: 486ED7AD
Sent with ProtonMail Secure Email

On Sun, Jun 30, 2019 at 07:44, Robert J. Hansen  wrote:

>> What would have prevented a state level actor from activating this
>> exploit on a wide level during a time when it would have been most
>> effective for them?
>
> A nation-state with a professional intelligence service probably isn't
> very interested in taking down the keyserver network. Why should they
> take down something that's not a big priority for them, especially if
> it'll cost them a lot of international goodwill if it gets attributed to
> them?
>
> This has all the hallmarks of a child playing with matches and clapping
> with glee as the house catches fire.
>


Re: SKS Keyserver Network Under Attack

2019-06-30 Thread Ryan McGinnis via Gnupg-users
What would have prevented a state-level actor from activating this exploit on a
wide level during a time when it would have been most effective for them?  I
have to believe that the fine folks who can put an APT in your air-gapped
computer’s video card BIOS have been aware of this attack for quite some time
and probably have an entire laundry list of other similarly devastating attacks.

-Ryan McGinnis
http://bigstormpicture.com
PGP: 486ED7AD
Sent with ProtonMail Secure Email

On Sun, Jun 30, 2019 at 03:19, Robert J. Hansen  wrote:

>> How bad could this get?
>
> (I am sputteringly angry over this entire thing: please understand this
> and give a charitable read to what I write. I appreciate it.)
>
> Hard to say.
>
> One of the big problems we have is the size of the existing codebase.
> Once people have GnuPG installed people overwhelmingly like to leave it
> alone. We still get people coming onto this list asking for support
> with GnuPG *1.2*. So for these installations, these "we're going to
> install it and forget it"s?
>
> They're screwed. Sooner or later they'll import a poisoned certificate,
> GnuPG will get wedged, and it will appear as if GnuPG just stopped
> working. It might happen tomorrow or it might happen in five years. We
> don't know, but it will happen.
>
> There are other groups that run human networks in dangerous places.
> (There are many of them: Médecins Sans Frontières, Reuters, and more.)
> The people who are running around Syria treating casualties or doing
> political news reporting from Gaza are overwhelmingly not computer
> nerds. They know they're supposed to run "gpg --refresh-keys" from time
> to time to get the latest revocations. They do it this time, and GnuPG
> breaks horribly. Odds are good they'll say "sod this, I can't trust
> this crap" and throw it away.
>
> There are a ton of tiny little poorly-maintained systems in
> out-of-the-way places that get completely overlooked until things break.
> Those, too, have good odds of getting wedged the first time they
> encounter a poisoned certificate.
>
> The next version of Enigmail will no longer use the SKS network by
> default. Great! But what about existing Enigmail users? They'll see a
> signature, click "Import Key", and ... bam. They're likely not going to
> think that someone's performing a malicious attack by poisoning
> certificates: they're going to think "this is crap" and walk away.
>
> Right now only three certificates are known to be affected: mine, dkg's,
> and Kristian's. I expect that number to rise, either due to the
> original jerk figuring this is fun, or due to copycats getting in on the
> action.
>


Re: SKS Keyserver Network Under Attack

2019-06-29 Thread Ryan McGinnis via Gnupg-users
Interesting discussion thread on this over at HN:

https://news.ycombinator.com/item?id=20312826

-Ryan McGinnis
http://bigstormpicture.com
PGP: 486ED7AD
Sent with ProtonMail Secure Email

On Sat, Jun 29, 2019 at 12:51, Ryan McGinnis  wrote:

> https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
>
> -Ryan McGinnis
> http://bigstormpicture.com
> PGP: 486ED7AD
> Sent with ProtonMail Secure Email


SKS Keyserver Network Under Attack

2019-06-29 Thread Ryan McGinnis via Gnupg-users
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f

-Ryan McGinnis
http://bigstormpicture.com
PGP: 486ED7AD
Sent with ProtonMail Secure Email