Re: [OT] Tutanota security/privacy concerns (was: Re: How would you do that ...)
On 2021-08-27 at 18:35 +, Стефан Васильев via Gnupg-users wrote:
> Hi,
>
> I have not checked again, but can tell you from the past that they
> check what web browser you are using, because when you use an
> anti-fingerprint add on for your browser and it generates a User Agent
> string with an (old) unsupported browser Tutanota complains and tells
> you to use the latest Browser x,y,z. If they do it any longer or if
> they do full fingerprinting I do not know.

This is probably unrelated to fingerprinting the user. Most likely they do that in order to check that the browser is able to use certain features they use (rather than using feature detection instead). Or maybe they do that just to force their clients not to use outdated (and thus probably insecure) browsers.

In any case, using a User Agent which is not common (such as an old browser, or a made-up one) will actually make you stand out, not conceal you.

Regards

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [OT] Tutanota security/privacy concerns (was: Re: How would you do that ...)
l0f4r0 wrote:

> Hi Stefan, all,
>
> Oops, I think I wanted to react sooner but didn't visibly...
>
> 8 May 2021, 15:12 from stefan.vasi...@posteo.ru:
>
>>> l0f4r0 wrote:
>>>
>>>> I don't use ProtonMail so I can't say.
>>>>
>>>> But otherwise you have Tutanota (no phone number required):
>>>> https://tutanota.com/blog/posts/anonymous-email/
>>
>> BTW. Tutanota does (full???) Browser fingerprinting and they were required
>> to 'upgrade' their email service.
>
> Thanks for the notice. So are you implying Tutanota does not do browser fingerprinting anymore? Actually, I cannot find any public source about this. Would you have some pointers to share please?

Hi,

I have not checked again, but can tell you from the past that they check what web browser you are using, because when you use an anti-fingerprint add on for your browser and it generates a User Agent string with an (old) unsupported browser Tutanota complains and tells you to use the latest Browser x,y,z. If they do it any longer or if they do full fingerprinting I do not know.

> While we are at it, by any chance, do you/people have (other) complaints/concerns about Tutanota from a security or privacy points of view?

I guess Tutanota is a fine service, like many others, but I would like to see Monero cryptocurrency support, when one likes to sign up via Tor. (have not checked lately if this is already possible)

Regards
Stefan
[OT] Tutanota security/privacy concerns (was: Re: How would you do that ...)
Hi Stefan, all,

Oops, I think I wanted to react sooner but didn't visibly...

8 May 2021, 15:12 from stefan.vasi...@posteo.ru:

>> l0f4r0 wrote:
>>
>>> I don't use ProtonMail so I can't say.
>>>
>>> But otherwise you have Tutanota (no phone number required):
>>> https://tutanota.com/blog/posts/anonymous-email/
>>>
> BTW. Tutanota does (full???) Browser fingerprinting and they were required
> to 'upgrade' their email service.
>
Thanks for the notice. So are you implying Tutanota does not do browser fingerprinting anymore? Actually, I cannot find any public source about this. Would you have some pointers to share please?

While we are at it, by any chance, do you/people have (other) complaints/concerns about Tutanota from a security or privacy points of view?

Thanks in advance :)

Best regards,
l0f4r0
Re: How would you do that ...
Ryan McGinnis wrote:

> For what it's worth if you're gung-ho about our heroine using a public library computer or something and you can't stego some info into an image for one of the image boards because you don't have any tech of your own in that country, then using an OTP to publicly post something to a pastebin that Bob is actively monitoring is probably the way to go. An OTP doesn't require any kind of tech to pull off and it's about as secure as it can get. This could facilitate two way communications as well, so long as you both know where the messages will be dropped. It's not very subtle, but it'd work.

OTPs are superb, agreed! However, our heroine needs to be able to send larger documents, or maybe a photo, on a daily basis. Then there is the problem at airports, which is if properly controlled, that the little booklet can be discovered.

This exercise is not meant for spies, but for ordinary citizens, which later must somehow 'survive' a 4th virtual Reich, so to speak.

Regards
Stefan
Re: How would you do that ...
For what it's worth if you're gung-ho about our heroine using a public library computer or something and you can't stego some info into an image for one of the image boards because you don't have any tech of your own in that country, then using an OTP to publicly post something to a pastebin that Bob is actively monitoring is probably the way to go. An OTP doesn't require any kind of tech to pull off and it's about as secure as it can get. This could facilitate two way communications as well, so long as you both know where the messages will be dropped. It's not very subtle, but it'd work.

-Ryan McGinnis
r...@digicana.com
http://bigstormpicture.com
5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

‐‐‐ Original Message ‐‐‐
On Saturday, May 8th, 2021 at 8:04 AM, Stefan Vasilev via Gnupg-users wrote:

> l0f4r0 wrote:
>
> > Hi,
> >
> > 8 May 2021, 00:58 from gnupg-users@gnupg.org:
> >
> > > Alice is no complete moron, because she can't register a free ProtonMail account
> > > without a phone. Or did she miss there an anonymous registration procedure
> > > which works?
> >
> > I don't use ProtonMail so I can't say.
> >
> > But otherwise you have Tutanota (no phone number required):
> >
> > https://tutanota.com/blog/posts/anonymous-email/
>
> Hi,
>
> thanks! I already found a solution by using an .onion based email provider,
> with clearnet usage support. Super simple registration, where the user only
> supplies a username and a password. Nothing more. :-)
>
> Regards
>
> Stefan
Re: How would you do that ...
This will work too and doesn't care about the type

https://youtu.be/wb3Xa1h_RqM

On 5/4/2021 9:47 AM, Robert J. Hansen via Gnupg-users wrote:

>> Modern harddisks don't allow that anymore. Should I assume that
>> "low-level format" in this case means something like
>>
>> dd if=/dev/zero of=/dev/sdX
>
> [puts on forensics professional hat]
>
> Good question!
>
> The tl;dr of it is that the technique to wipe a hard drive will vary according to the kind of technology used in manufacturing the drive, and to a lesser extent the kind of forensics nerdery you're afraid of.
>
> This is the origin of the myth of the 30-odd-pass "Gutmann shred". It was always a complete myth that you needed 30-odd passes to wipe a hard drive. The 30+ passes were if you had no knowledge about the underlying technology of the drive and needed to account for antique FM-coded drives all the way up through modern SSDs. If you were thinking of doing a 30+-pass shred, the best thing to do was smack yourself in the face for being so foolish and then go off and read the label on your hard drive. :)
>
> For modern SSDs I generally recommend a single pass with random data:
>
> dd if=/dev/urandom of=/dev/foo bs=1M
>
> (Don't forget the blocksize [bs] parameter; it can improve speed significantly.)
>
> This is enough to foil the vast majority of forensic analysis. Yes, yes, SSDs have remapping capabilities which means certain memory cells won't get hit even if you do this, and it's theoretically possible for a good forensics nerd to do all kinds of wild magic to pull off data you didn't even know was there... but that kind of very high-level forensics nerdery costs a lot of money, and few people are worth that kind of investment.

--
PGP Key Upon Request
Re: How would you do that ...
Maybe

    for i in {1..9} ; do dd if=/dev/zero of=/dev/sdX ; done

just to be careful

Or /dev/urandom as if= value

On Mon, May 3, 2021, 11:14 Johan Wevers wrote:

> On 03-05-2021 15:39, Robert J. Hansen via Gnupg-users wrote:
>
> > and gave her drives a low-level format.
>
> I remember from the stone age (end 1980's begin 90's) that you could
> low-level format a disk with the DOS command debug by calling some BIOS
> routine by assembler routines.
>
> Modern harddisks don't allow that anymore. Should I assume that
> "low-level format" in this case means something like
>
> dd if=/dev/zero of=/dev/sdX
>
> --
> ir. J.C.A. Wevers
> PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
Re: How would you do that ...
On 08.05.2021 15:04, Stefan Vasilev via Gnupg-users wrote:

> Hi,
>
> thanks! I already found a solution by using an .onion based email provider,
> with clearnet usage support. Super simple registration, where the user only
> supplies a username and a password. Nothing more. :-)
>
> Regards
> Stefan

Those already familiar with IPFS can also create an encrypted 'diary', where the search term for the 'diary' is a memorizable 256bit hex key, thus making it not possible to guess the diary name. Thus avoiding any log-in procedures at services and IPFS is used around the world and for example also popular in Russia and China.

https://ipjot.herokuapp.com/

Regards
Stefan
Re: How would you do that ...
On 08.05.2021 at 15:04, Stefan Vasilev via Gnupg-users wrote:

>> l0f4r0 wrote:
>>
>>> Hi,
>>>
>>> 8 May 2021, 00:58 from gnupg-users@gnupg.org:
>>>
>>>> Alice is no complete moron, because she can't register a free ProtonMail account
>>>> without a phone. Or did she miss there an anonymous registration procedure
>>>> which works?
>>>
>>> I don't use ProtonMail so I can't say.
>>>
>>> But otherwise you have Tutanota (no phone number required):
>>> https://tutanota.com/blog/posts/anonymous-email/
>
> Hi,
>
> thanks! I already found a solution by using an .onion based email provider,
> with clearnet usage support. Super simple registration, where the user only
> supplies a username and a password. Nothing more. :-)

BTW. Tutanota does (full???) Browser fingerprinting and they were required to 'upgrade' their email service.

Regards
Stefan
Re: How would you do that ...
l0f4r0 wrote:

> Hi,
>
> 8 May 2021, 00:58 from gnupg-users@gnupg.org:
>
>> Alice is no complete moron, because she can't register a free ProtonMail account
>> without a phone. Or did she miss there an anonymous registration procedure
>> which works?
>
> I don't use ProtonMail so I can't say.
>
> But otherwise you have Tutanota (no phone number required):
> https://tutanota.com/blog/posts/anonymous-email/

Hi,

thanks! I already found a solution by using an .onion based email provider, with clearnet usage support. Super simple registration, where the user only supplies a username and a password. Nothing more. :-)

Regards
Stefan
Re: How would you do that ...
Hi,

8 May 2021, 00:58 from gnupg-users@gnupg.org:

> Alice is no complete moron, because she can't register a free ProtonMail account
> without a phone. Or did she miss there an anonymous registration procedure
> which works?
>
I don't use ProtonMail so I can't say.

But otherwise you have Tutanota (no phone number required):
https://tutanota.com/blog/posts/anonymous-email/

Best regards,
l0f4r0
Re: How would you do that ...
Protonmail only requires a phone number to send a verification “are you a real human” SMS if the IP you are registering from is a source of previous abuse. So, like, don’t use a VPN when you do it. Or if you’re worried about it, make the account back in your safe country before you travel to Deathistan by using a burner phone SIM or something. These are pretty easily solvable problems that don’t lead to getting your genitals shocked.

-Ryan McGinnis
r...@digicana.com
http://bigstormpicture.com
5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

> On May 7, 2021, at 5:58 PM, Stefan Vasilev wrote:
>
> Ryan McGinnis wrote:
>
>> Alice is an idiot if she’s trying to defeat nation-state adversaries
>> and be a thrifty shopper at the same time, but even so, in most places
>> a laptop isn’t going to be cheaper than a cheap mobile phone.
>>
>> You really want Alice to use some public library computer for some
>> reason, but I am going to assume Alice isn’t a complete moron and
>> would avoid this, given there are a hundred better options that won’t
>> result in her genitals being shocked in some dingy government
>> interrogation room.
>>
>> If you have to use a laptop then, cool, grab an ISO of Debian, install
>> it, find the nearest WiFi hotspot, make a free protonmail account,
>> send an email. Done.
>
> Alice is no complete moron, because she can't register a free ProtonMail account
> without a phone. Or did she miss there an anonymous registration procedure
> which works? If yes, then she is of course a moron. :-D
>
> Regards
>
> Stefan
Re: How would you do that ...
Ryan McGinnis wrote:

> Alice is an idiot if she’s trying to defeat nation-state adversaries and be a thrifty shopper at the same time, but even so, in most places a laptop isn’t going to be cheaper than a cheap mobile phone.
>
> You really want Alice to use some public library computer for some reason, but I am going to assume Alice isn’t a complete moron and would avoid this, given there are a hundred better options that won’t result in her genitals being shocked in some dingy government interrogation room.
>
> If you have to use a laptop then, cool, grab an ISO of Debian, install it, find the nearest WiFi hotspot, make a free protonmail account, send an email. Done.

Alice is no complete moron, because she can't register a free ProtonMail account without a phone. Or did she miss there an anonymous registration procedure which works? If yes, then she is of course a moron. :-D

Regards
Stefan
Re: How would you do that ...
Alice is an idiot if she’s trying to defeat nation-state adversaries and be a thrifty shopper at the same time, but even so, in most places a laptop isn’t going to be cheaper than a cheap mobile phone.

You really want Alice to use some public library computer for some reason, but I am going to assume Alice isn’t a complete moron and would avoid this, given there are a hundred better options that won’t result in her genitals being shocked in some dingy government interrogation room.

If you have to use a laptop then, cool, grab an ISO of Debian, install it, find the nearest WiFi hotspot, make a free protonmail account, send an email. Done.

-Ryan McGinnis
r...@digicana.com
http://bigstormpicture.com
5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

> On May 7, 2021, at 5:36 PM, Stefan Vasilev wrote:
>
> Ryan McGinnis wrote:
>
>> Sounds like you're having to trust some kind of tech from the country you're
>> going to, so with that in mind:
>>
>> Buy burner phone and SIM with cash from some place where normal people buy
>> phones and SIMs with cash. Install Signal. Done
>>
>> For identification, have some code word that will be the first thing you
>> send. Maybe even have a duress code word, too.
>>
>> Now there are some places this won't work. Some places only sell phones
>> that are pre-compromised. If you know what you're doing you can probably
>> flash it with GrapheneOS, though that would require buying a computer, in
>> that country, too. At some point you're probably in the "gonna be taking
>> some serious risks no matter what" territory, unless you're working for MI6
>> or something.
>
> Alice likes to keep the costs low and would only purchase a laptop there, to prepare
> data, prior to taking it to the Internet Café's (compromised) computer. Phones, whether
> dumb or smart, she likes to avoid. But thanks for the proposal, much appreciated.
>
> Regards
>
> Stefan
Re: How would you do that ...
Ryan McGinnis wrote:

> Sounds like you're having to trust some kind of tech from the country you're going to, so with that in mind:
>
> Buy burner phone and SIM with cash from some place where normal people buy phones and SIMs with cash. Install Signal. Done
>
> For identification, have some code word that will be the first thing you send. Maybe even have a duress code word, too.
>
> Now there are some places this won't work. Some places only sell phones that are pre-compromised. If you know what you're doing you can probably flash it with GrapheneOS, though that would require buying a computer, in that country, too. At some point you're probably in the "gonna be taking some serious risks no matter what" territory, unless you're working for MI6 or something.

Alice likes to keep the costs low and would only purchase a laptop there, to prepare data, prior to taking it to the Internet Café's (compromised) computer. Phones, whether dumb or smart, she likes to avoid. But thanks for the proposal, much appreciated.

Regards
Stefan
Re: How would you do that ...
Sounds like you're having to trust some kind of tech from the country you're going to, so with that in mind:

Buy burner phone and SIM with cash from some place where normal people buy phones and SIMs with cash. Install Signal. Done

For identification, have some code word that will be the first thing you send. Maybe even have a duress code word, too.

Now there are some places this won't work. Some places only sell phones that are pre-compromised. If you know what you're doing you can probably flash it with GrapheneOS, though that would require buying a computer, in that country, too. At some point you're probably in the "gonna be taking some serious risks no matter what" territory, unless you're working for MI6 or something.

-Ryan McGinnis
r...@digicana.com
http://bigstormpicture.com
5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

‐‐‐ Original Message ‐‐‐
On Monday, May 3rd, 2021 at 4:24 AM, Stefan Vasilev via Gnupg-users wrote:

> Hi all,
>
> here is a little scenario. Alice and Bob need to find a way to do
> encrypted communications globally.
>
> The task is the following: Alice needs to travel to a foreign country
> without any devices (laptop, smartphone etc.).
>
> At arrival she needs to communicate daily (no real time communications)
> with Bob to exchange encrypted documents.
>
> Alice is not allowed to log in to any services, like her Gmail account,
> social media etc. to not reveal her login credentials.
>
> She can't use Tor, because at her destination Tor is blocked. The only
> option she has is to use Internet Cafés or public libraries etc.
>
> She is aware that at an Internet Café keyloggers may be installed. Last
> but not least she does not carry any notices on paper with her.
>
> How would you solve this task?
>
> Regards
>
> Stefan
Re: How would you do that ...
I have literally never in my life seen any meaningful use case for the OTP after about 1974. It's not part of a sensible discussion. :)

On May 4, 2021 4:46:31 PM CDT, vedaal via Gnupg-users wrote:
>Or, for the really paranoid ;-) you can have random data on a read-only
>mini cdrom, and use it as an OTP, and throw it into a garbage
>incinerator afterwards.
>If you are up against adversaries where this is necessary, this method
>may ultimately not help ...
>
>On 5/4/2021 at 1:19 PM, "Ingo Klöcker" wrote:
>On Tuesday, 4 May 2021 18:47:50 CEST Robert J. Hansen via Gnupg-users wrote:
>> For modern SSDs I generally recommend a single pass with random data:
>>
>> dd if=/dev/urandom of=/dev/foo bs=1M
>>
>> (Don't forget the blocksize [bs] parameter; it can improve speed
>> significantly.)
>>
>> This is enough to foil the vast majority of forensic analysis. Yes,
>> yes, SSDs have remapping capabilities which means certain memory cells
>> won't get hit even if you do this, and it's theoretically possible for a
>> good forensics nerd to do all kinds of wild magic to pull off data you
>> didn't even know was there... but that kind of very high-level forensics
>> nerdery costs a lot of money, and few people are worth that kind of
>> investment.
>
>I'd always use full disk encryption ideally with the key stored on a USB
>token. Otherwise, with a very good passphrase.
>
>And, after use, wipe the disk and destroy the token.
>
>Modern enterprise-level SSDs also have secure erase, but, of course, you'd
>have to trust the hardware manufacturer to implement it properly without any
>backdoors which you probably don't want to do in the above scenario.
>
>Regards,
>Ingo
Re: How would you do that ...
Or, for the really paranoid ;-) you can have random data on a read-only mini cdrom, and use it as an OTP, and throw it into a garbage incinerator afterwards.

If you are up against adversaries where this is necessary, this method may ultimately not help ...

On 5/4/2021 at 1:19 PM, "Ingo Klöcker" wrote:
On Tuesday, 4 May 2021 18:47:50 CEST Robert J. Hansen via Gnupg-users wrote:
> For modern SSDs I generally recommend a single pass with random data:
>
> dd if=/dev/urandom of=/dev/foo bs=1M
>
> (Don't forget the blocksize [bs] parameter; it can improve speed
> significantly.)
>
> This is enough to foil the vast majority of forensic analysis. Yes,
> yes, SSDs have remapping capabilities which means certain memory cells
> won't get hit even if you do this, and it's theoretically possible for a
> good forensics nerd to do all kinds of wild magic to pull off data you
> didn't even know was there... but that kind of very high-level forensics
> nerdery costs a lot of money, and few people are worth that kind of
> investment.

I'd always use full disk encryption ideally with the key stored on a USB token. Otherwise, with a very good passphrase.

And, after use, wipe the disk and destroy the token.

Modern enterprise-level SSDs also have secure erase, but, of course, you'd have to trust the hardware manufacturer to implement it properly without any backdoors which you probably don't want to do in the above scenario.

Regards,
Ingo
Re: How would you do that ...
On Tuesday, 4 May 2021 18:47:50 CEST Robert J. Hansen via Gnupg-users wrote:
> For modern SSDs I generally recommend a single pass with random data:
>
> dd if=/dev/urandom of=/dev/foo bs=1M
>
> (Don't forget the blocksize [bs] parameter; it can improve speed
> significantly.)
>
> This is enough to foil the vast majority of forensic analysis. Yes,
> yes, SSDs have remapping capabilities which means certain memory cells
> won't get hit even if you do this, and it's theoretically possible for a
> good forensics nerd to do all kinds of wild magic to pull off data you
> didn't even know was there... but that kind of very high-level forensics
> nerdery costs a lot of money, and few people are worth that kind of
> investment.

I'd always use full disk encryption ideally with the key stored on a USB token. Otherwise, with a very good passphrase.

And, after use, wipe the disk and destroy the token.

Modern enterprise-level SSDs also have secure erase, but, of course, you'd have to trust the hardware manufacturer to implement it properly without any backdoors which you probably don't want to do in the above scenario.

Regards,
Ingo
Re: How would you do that ...
> Modern harddisks don't allow that anymore. Should I assume that
> "low-level format" in this case means something like
>
> dd if=/dev/zero of=/dev/sdX

[puts on forensics professional hat]

Good question!

The tl;dr of it is that the technique to wipe a hard drive will vary according to the kind of technology used in manufacturing the drive, and to a lesser extent the kind of forensics nerdery you're afraid of.

This is the origin of the myth of the 30-odd-pass "Gutmann shred". It was always a complete myth that you needed 30-odd passes to wipe a hard drive. The 30+ passes were if you had no knowledge about the underlying technology of the drive and needed to account for antique FM-coded drives all the way up through modern SSDs. If you were thinking of doing a 30+-pass shred, the best thing to do was smack yourself in the face for being so foolish and then go off and read the label on your hard drive. :)

For modern SSDs I generally recommend a single pass with random data:

    dd if=/dev/urandom of=/dev/foo bs=1M

(Don't forget the blocksize [bs] parameter; it can improve speed significantly.)

This is enough to foil the vast majority of forensic analysis. Yes, yes, SSDs have remapping capabilities which means certain memory cells won't get hit even if you do this, and it's theoretically possible for a good forensics nerd to do all kinds of wild magic to pull off data you didn't even know was there... but that kind of very high-level forensics nerdery costs a lot of money, and few people are worth that kind of investment.
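The single-pass random overwrite from the message above, rehearsed on a temporary file instead of a drive and followed by a before/after check. This is an added example, not part of the thread: the marker string and the function names are made up here, GNU dd is assumed, and no block device is touched.

```shell
#!/bin/sh
# Rehearsal of a single-pass random overwrite on a file-backed image.
# Assumes GNU dd (bs=1M, iflag=fullblock, conv=fsync).

MARKER='CONSTRUCTED-SECRET-0123456789'   # constructed stand-in for sensitive data

# make_image PATH MIB: zero-filled image of MIB mebibytes with MARKER planted inside
make_image() {
    dd if=/dev/zero of="$1" bs=1M count="$2" 2>/dev/null || return 1
    printf '%s' "$MARKER" | dd of="$1" bs=1 seek=1500000 conv=notrunc 2>/dev/null
}

# marker_hits PATH: print how many lines of PATH still contain MARKER (0 when clean)
marker_hits() {
    # grep exits 1 when it finds nothing; the count it printed is still valid
    LC_ALL=C grep -a -c -F -- "$MARKER" "$1" || true
}

# wipe_once PATH: one pass of random data over every byte of a regular file
wipe_once() {
    # This rehearsal refuses anything that is not a regular file.
    [ -f "$1" ] || { echo "refusing: $1 is not a regular file" >&2; return 1; }
    size=$(wc -c < "$1") || return 1
    blocks=$(( (size + 1048575) / 1048576 ))
    # iflag=fullblock: a short read from /dev/urandom must not yield a short block
    # conv=notrunc:    overwrite in place instead of truncating first
    # conv=fsync:      flush to storage before dd reports success
    dd if=/dev/urandom of="$1" bs=1M count="$blocks" \
       iflag=fullblock conv=notrunc,fsync 2>/dev/null
}

# rehearse: print "hits_before hits_after size_after" for a 4 MiB test image
rehearse() {
    img=$(mktemp) || return 1
    make_image "$img" 4 || { rm -f "$img"; return 1; }
    before=$(marker_hits "$img")
    wipe_once "$img" || { rm -f "$img"; return 1; }
    after=$(marker_hits "$img")
    size_after=$(wc -c < "$img")
    rm -f "$img"
    echo "$before $after $((size_after))"
}

rehearse
```

A read-back check like this only covers the sectors the host can address; it says nothing about the remapped SSD cells mentioned in the message.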
Re: How would you do that ...
> Neal Stephenson's novel Cryptonomicon is excellent. I strongly recommend it to anyone who enjoys reading & is interested in crypto. Part of the plot involves a cipher that operates a bit like RC-4, permuting an array, but the array is a deck of cards.
>
> https://www.schneier.com/academic/solitaire/

Please don't. Solitaire is not a particularly well-designed cipher, in either the human factors sense or in the cryptographic strength sense. Even Schneier himself says it's mostly of interest only as a curiosity and not for serious purposes.
Re: How would you do that ...
Sandy Harris wrote:

> Ralph Seichter via Gnupg-users wrote:
>
>> * Stefan Vasilev via Gnupg-users:
>>
>>> How would you solve this task?
>>
>> With Alice having to rely on cryptography she can do in her head?
>> Some shift cipher and carrier pigeons. :-)
>
> Neal Stephenson's novel Cryptonomicon is excellent. I strongly recommend it to anyone who enjoys reading & is interested in crypto. Part of the plot involves a cipher that operates a bit like RC-4, permuting an array, but the array is a deck of cards.
>
> https://www.schneier.com/academic/solitaire/

I remember Bruce Schneier's Solitaire. One can also use the Elsie Four (LC4) cipher for that. The task, however, is also communicating (daily) without logging into any services and if required to send larger documents, or even photos.

Regards
Stefan
Re: How would you do that ...
Ralph Seichter via Gnupg-users wrote:

> * Stefan Vasilev via Gnupg-users:
>
> > How would you solve this task?
>
> With Alice having to rely on cryptography she can do in her head?
> Some shift cipher and carrier pigeons. :-)

Neal Stephenson's novel Cryptonomicon is excellent. I strongly recommend it to anyone who enjoys reading & is interested in crypto. Part of the plot involves a cipher that operates a bit like RC-4, permuting an array, but the array is a deck of cards.

https://www.schneier.com/academic/solitaire/
Re: How would you do that ...
On 03-05-2021 15:39, Robert J. Hansen via Gnupg-users wrote:

> and gave her drives a low-level format.

I remember from the stone age (end 1980's begin 90's) that you could low-level format a disk with the DOS command debug by calling some BIOS routine by assembler routines.

Modern harddisks don't allow that anymore. Should I assume that "low-level format" in this case means something like

    dd if=/dev/zero of=/dev/sdX

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
Re: How would you do that ...
r...@sixdemonbag.org wrote:

> I have dealt with a similar problem in real life, as a real problem with real people. We created a custom Linux environment, burned it to Blu-Ray, and Alice crossed the border with her Linux environment tucked into her CD player. On the other side she acquired a laptop, Blu-Ray drive, and USB drive locally, booted into this custom environment, then flashed her BIOS and gave her drives a low-level format. Rebooting into Linux (to reduce the likelihood of BIOS-based malware being present in memory) she used her system normally, although never touching the local hard drive. All storage was on USB stick. Prior to departing the country she wiped the laptop hard drive and donated it to a school. The Blu-Ray disc and USB drive were physically destroyed and discreetly dumped.

Thanks a lot, this sounds very good!

> I am not at liberty to say who Alice was, where she was, or why her needs were so extreme. But yes, we actually did this.

Sure, I fully understand!

Regards
Stefan
Re: How would you do that ...
Ralph Seichter wrote:

> * Stefan Vasilev via Gnupg-users:
>
>> How would you solve this task?
>
> With Alice having to rely on cryptography she can do in her head?

Well, so to speak, this would be an option in the future.

> Some shift cipher and carrier pigeons. :-)

Ha ha, but she needs to do that over a long distance and daily.

Regards
Stefan
Re: How would you do that ...
I have dealt with a similar problem in real life, as a real problem with real people. We created a custom Linux environment, burned it to Blu-Ray, and Alice crossed the border with her Linux environment tucked into her CD player. On the other side she acquired a laptop, Blu-Ray drive, and USB drive locally, booted into this custom environment, then flashed her BIOS and gave her drives a low-level format. Rebooting into Linux (to reduce the likelihood of BIOS-based malware being present in memory) she used her system normally, although never touching the local hard drive. All storage was on USB stick. Prior to departing the country she wiped the laptop hard drive and donated it to a school. The Blu-Ray disc and USB drive were physically destroyed and discreetly dumped.

I am not at liberty to say who Alice was, where she was, or why her needs were so extreme. But yes, we actually did this.

On May 3, 2021 4:24:01 AM CDT, Stefan Vasilev via Gnupg-users wrote:
>Hi all,
>
>here is a little scenario. Alice and Bob need to find a way to do
>encrypted communications globally.
>
>The task is the following: Alice needs to travel to a foreign country
>without any devices (laptop, smartphone etc.).
>
>At arrival she needs to communicate daily (no real time communications)
>with Bob to exchange encrypted documents.
>
>Alice is not allowed to log in to any services, like her Gmail account,
>social media etc. to not reveal her login credentials.
>
>She can't use Tor, because at her destination Tor is blocked. The only
>option she has is to use Internet Cafés or public libraries etc.
>
>She is aware that at an Internet Café keyloggers may be installed. Last
>but not least she does not carry any notices on paper with her.
>
>How would you solve this task?
>
>Regards
>
>Stefan
Re: How would you do that ...
* Stefan Vasilev via Gnupg-users:

> How would you solve this task?

With Alice having to rely on cryptography she can do in her head? Some shift cipher and carrier pigeons. :-)

-Ralph