[liberationtech] Is the Wall Street Journal intentionally confusing the NSA surveillance issue?

2013-06-14 Thread Jason Gulledge
There's an article published yesterday in the WSJ entitled "Foreign Stakes 
Shield Two Phone Firms from Sweep". It's currently paywalled, but here's the 
link:  
http://online.wsj.com/article/SB10001424127887324049504578543800240266368.html

Here's the important bit:

The National Security Agency's controversial data program, which seeks to 
stockpile records on all calls made in the U.S., doesn't collect information 
directly from T-Mobile USA and Verizon Wireless, in part because of their 
foreign ownership ties, people familiar with the matter said.

The blind spot for U.S. intelligence is relatively small, according to a U.S. 
official. Officials believe they can still capture information, or metadata, on 
99% of U.S. phone traffic because nearly all calls eventually travel over 
networks owned by U.S. companies that work with the NSA.

The title of this article is misleading.  This article does not say the NSA 
does not have access to Verizon Wireless customer call data. It just says they 
don't get it DIRECTLY from Verizon Wireless. They have other ways of going 
about getting this data, but that isn't what The Wall Street Journal wants you 
to be focusing on here. Verizon could request the information from Verizon 
Wireless, and then pass it on to the NSA, or they could just use any number of 
SIGINT technologies they have available to pull the information directly from 
cell towers (obviously this takes more effort and suffers issues when scaling).

If you're inclined to disregard this argument consider that the Director of 
National Intelligence has already lied about it in front of congress. If US 
government officials are willing to lie about it under oath on television, 
they're more than happy to play games of semantics with journalists in hopes 
that one or more of them will run with stories like this one, making it seem 
like the NSA isn't doing what it's doing. 

Jason Gulledge
@ramdac / twitter
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Re: [liberationtech] An interview with Snowden and more in Der Spiegel

2013-07-08 Thread Jason Gulledge
As an activist, this is pretty damned frightening:

(excerpt from  http://cryptome.org/2013/07/snowden-spiegel-13-0707-en.htm)
Question:

What happens if the NSA has a user in its sights?
Snowden:

The target person is completely monitored. An analyst will get a daily report 
about what has changed in the computer system of the targeted person. There 
will also be... packages with certain data which the automatic analysis systems 
have not understood, and so on. The analyst can then decide what he wants to do 
- the computer of the target person does not belong to them anymore, it then 
more or less belongs to the U.S. government.


This has ominous implications. I worry about the private encryption keys on the 
computers of people in the "sights" of the NSA. 


On Jul 8, 2013, at 1:36 PM, Jacob Appelbaum  wrote:

> Hi,
> 
> What we're seeing in Der Spiegel, The Guardian, Washington Post and
> other select publications is the birth of new threat models - not just
> for activists but for all of civil society, parliamentarians, companies
> and more. This is a threat model that "many have known" and yet at the
> same time, there is clearly new stuff. For one - we're seeing
> confirmations of things that have been denied in public - we're also
> learning the names of things, which now made public, may be FOIA'ed by
> name as well as pushing for disclosures. This is where we'll see if
> America will shine - when the information comes out, will we be able to
> use our democratic process to turn this disaster around? I'd like to
> think so - that is why I worked on these pieces - hope is not lost.
> Though hope alone is not a strategy.
> 
> I think this may be of interest to people on the list:
> 
>  http://www.spiegel.de/spiegel/index-7028.html
> 
> http://www.spiegel.de/politik/deutschland/snowden-enthuellung-verbindung-zur-nsa-bringt-bnd-in-erklaerungsnot-a-909884.html
> 
> http://www.spiegel.de/politik/deutschland/us-lauschangriff-opposition-macht-druck-auf-merkel-a-909871.html
> 
> For non-German speakers I suggest the following English links:
> 
>  http://www.spiegel.de/international/topic/whistle_blowers/
> 
> http://www.spiegel.de/international/world/whistleblower-snowden-claims-german-intelligence-in-bed-with-nsa-a-909904.html
> 
> http://www.spiegel.de/international/world/edward-snowden-accuses-germany-of-aiding-nsa-in-spying-efforts-a-909847.html
> 
> http://www.spiegel.de/international/world/snowden-reveals-how-gchq-in-britain-soaks-up-mass-internet-data-a-909852.htmlv
> 
> My interview with Snowden is available as a leaked pdf on cryptome in
> German:
> 
>  http://cryptome.org/2013/07/snowden-spiegel-13-0707-en.htm
>  http://cryptome.org/2013/07/snowden-spiegel-13-0707.pdf
>  http://cryptome.org/2013/07/snowden-spiegel-13-0707-2.pdf
> 
> The English original will be released this week.
> 
> Last week's article is also very important:
> 
> 
> http://www.spiegel.de/international/world/secret-documents-nsa-targeted-germany-and-eu-buildings-a-908609.html
> 
> This is also probably of great interest to people on the list:
> 
> 
> http://oglobo.globo.com/infograficos/volume-rastreamento-governo-americano/
> 
> http://jaraparilla.blogspot.com/2013/07/nsa-surveillance-of-australia-exposed.html
> 
> http://www.theage.com.au/world/snowden-reveals-australias-links-to-us-spy-web-20130708-2plyg.html
> 
> Welcome to the Grim Meathook Future, Citizens! Let's turn this ship around!
> 
> All the best,
> Jacob


Re: [liberationtech] DecryptoCat

2013-07-09 Thread Jason Gulledge
Here are more statistics on TLS modes failing back to less secure modes, and a 
semi-complete listing of affected browsers, published 2 days ago: 

http://jbp.io/2013/07/07/tls-downgrade/


Best,
Jason Gulledge

On Jul 9, 2013, at 4:29 PM, Jacob Appelbaum  wrote:

> Patrick Mylund Nielsen:
>> On Tue, Jul 9, 2013 at 9:22 AM, Eugen Leitl  wrote:
>> 
>>> On Tue, Jul 09, 2013 at 09:12:21AM -0400, Patrick Mylund Nielsen wrote:
>>>> If it's so easy, go ahead and produce a more secure alternative that
>>> people
>>> 
>>> You mean something like http://dee.su/ ?
>>> 
>>> And http://dee.su/cables ?
>>> 
>>> 
>> No, I mean an alternative to Cryptocat (i.e. an OTR client with multiparty
>> communication) that is more secure, and as easy to use.
>> 
> 
> While Cryptocat has OTR - the multi-party communication is not the OTR
> protocol.
> 
> Cables is as easy to use as email. Generally it is used with an email
> client.
> 
> If you boot liberte - there is little to no configuration beyond
> establishing communication and verifying that you've done so correctly.
> Once that is done, you do not need to do it again - a key defense
> against active attackers. As I understand things this critical step
> (verification and persistence, or merely verification in a usable
> manner) cannot be done in CryptoCat at the moment. Active attackers will
> win against everyone without verification. The last bug ensured that
> *passive* attackers won against everyone on the main server and they
> would also win against everyone not using forward secret TLS modes. As I
> understand, we do not have numbers on how many users are using the less
> secure TLS modes.
> 
> Please read this page:
> 
>  https://www.ssllabs.com/ssltest/analyze.html?d=crypto.cat
> 
> On three computers near me, I see it using non-forward secret modes
> today - SSL_RSA_WITH_RC4_128_SHA - this isn't good news.
> 
> This also means that if CryptoCat's security may be reduced to SSL, it
> is now possible to reduce that to plaintext by forcing disclosure of the
> current website's key. This may happen legally or it may happen through
> exploitation. I'm not sure why CryptoCat doesn't just exclusively offer
> everything with forward secret modes, and encourage everyone else to
> upgrade their browser when they use a less secure mode? I suggested this
> to Nadim on another mailing list, I'm not sure if he is working on this
> already? Perhaps so? I hope so...
> 
> In any case, "more secure than CryptoCat" is not a high bar during the
> time of this bug. Any CA could have subverted the very little security
> provided the web browser trust model. Also the security provided by
> non-forward secret TLS connections is a really serious problem.
> 
> If you mean "as easy to use" as a plugin in a browser and that it can be
> as secure as just chatting over HTTPS protected servers without any
> other security, I think that the requirement is not proportional.
> 
> Usability is absolutely critical - but we're not looking to build usable
> software without any security - if we were, we'd all be using Facetime,
> Skype, GChat and so on, without any complaints.
> 
> All the best,
> Jacob

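Jacob's complaint above is about a server negotiating SSL_RSA_WITH_RC4_128_SHA, a suite with static RSA key transport, so that a later disclosure of the site's private key decrypts every recorded session. The following is an added example, not code from this thread, from Cryptocat or from SSL Labs: it classifies cipher-suite names (both the IANA `TLS_..._WITH_...` spelling and OpenSSL's dash form) by whether the key exchange is ephemeral, flags legacy ciphers such as RC4 and 3DES, and builds a Python `ssl` client context that refuses the non-forward-secret suites. The suite list is constructed for illustration; the function and class names are my own.

```python
import re
import ssl
from dataclasses import dataclass, field

# Constructed sample list, the shape of what an SSL Labs report or a server's
# cipher configuration shows.  SSL_RSA_WITH_RC4_128_SHA is the suite named in
# the thread; the others are illustrative.
SAMPLE_SUITES = [
    "SSL_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "AES256-SHA",
    "TLS_AES_256_GCM_SHA384",
]

# Key-exchange tokens that derive a fresh (ephemeral) DH/ECDH key per session.
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH", "AECDH", "ADH"}
# Key-exchange tokens OpenSSL spells out in dash-form names; any other leading
# token is a cipher name, meaning the suite is plain RSA key transport.
STATIC_KX = {"RSA", "ECDH", "DH", "PSK", "SRP"}
# TLS 1.3 suite names carry no key-exchange token: it is always (EC)DHE.
TLS13_SUITE = re.compile(
    r"TLS_(AES_(128|256)_GCM|CHACHA20_POLY1305|AES_128_CCM(_8)?)_SHA(256|384)"
)
# Legacy symmetric ciphers that should not be offered regardless of key exchange.
WEAK_CIPHER = re.compile(r"(^|[-_])(RC4|DES|3DES|NULL|EXP|EXPORT)([-_]|\d|$)")


@dataclass
class SuiteReport:
    name: str
    forward_secret: bool
    weak_cipher: bool
    notes: list = field(default_factory=list)


def analyze_suite(name: str) -> SuiteReport:
    """Classify one cipher-suite name (IANA TLS_..._WITH_... or OpenSSL dash form)."""
    n = name.strip().upper()
    if TLS13_SUITE.fullmatch(n):
        return SuiteReport(name, True, False, ["TLS 1.3: key exchange is always ephemeral"])
    if "_WITH_" in n:
        kx_auth, cipher = n.split("_WITH_", 1)
        if kx_auth.startswith(("TLS_", "SSL_")):
            kx_auth = kx_auth[4:]
        kx = kx_auth.split("_", 1)[0]          # "ECDHE_RSA" -> "ECDHE", "RSA" -> "RSA"
    else:
        cipher = n
        kx = n.split("-", 1)[0]
        if kx not in EPHEMERAL_KX and kx not in STATIC_KX:
            kx = "RSA"                          # e.g. "AES256-SHA" is RSA key transport
    forward_secret = kx in EPHEMERAL_KX
    weak = WEAK_CIPHER.search(cipher) is not None
    notes = []
    if not forward_secret:
        notes.append("static key exchange: a later disclosure of the server key "
                     "decrypts recorded sessions")
    if weak:
        notes.append("legacy symmetric cipher")
    return SuiteReport(name, forward_secret, weak, notes)


def non_forward_secret(suites):
    """Names of the suites whose recorded sessions a future key compromise exposes."""
    return [s for s in suites if not analyze_suite(s).forward_secret]


def forward_secret_only_context() -> ssl.SSLContext:
    """Client context that refuses TLS 1.2 suites without ephemeral key exchange.

    TLS 1.3 suites are always forward secret and stay enabled; the cipher string
    is an OpenSSL one and is an assumption about the local OpenSSL build.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!RC4:!3DES:!aNULL")
    return ctx


if __name__ == "__main__":
    for suite in SAMPLE_SUITES:
        r = analyze_suite(suite)
        print(f"{suite:40s} forward_secret={r.forward_secret!s:5s} "
              f"weak={r.weak_cipher!s:5s} {'; '.join(r.notes)}")
    print("non-forward-secret:", non_forward_secret(SAMPLE_SUITES))
```

The classifier is the part a reviewer of an SSL Labs report can run by hand over the listed suites; the context builder is the client-side counterpart, since a browser or client that refuses static-RSA suites forces the server to either negotiate a forward-secret one or fail loudly, which is the "encourage everyone else to upgrade" behaviour Jacob asks for.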

Re: [liberationtech] Interesting things in keyservers

2013-07-17 Thread Jason Gulledge
Micah,

There's uh, this one.
http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x25B37ACACC82107B 
(warning: ascii goatse)

They tried again w/ his other key, but.. mostly fail-ish.
http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x642AFAB27F6A5517

-Jason Gulledge
@ramdac


On 7/17/13 7:45 AM, Micah Lee wrote:
> I'm working on a talk for OHM2013 about PGP. Can anyone send me examples
> of interesting keys in key servers that you know of?
>
> For example, attempts at XSSing Enigmail (I think one of these is mine
> from long ago -- and BTW, Enigmail isn't vulnerable):
>
> http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x6E5D912BBF74A1A6
> http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0xBDE99D48C65A27EC
> http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x06AB7A6AA7B3C04D
> http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0xC1BBD7FB306E2139
>
> I remember seeing a key once that was full of ASCII art user IDs or
> maybe sigs, but I don't remember what to search for. Anything else
> interesting?
>
>
>

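Micah's examples are keys whose user IDs carry markup aimed at whatever renders them (Enigmail, or a keyserver's web index). The defensive point is output encoding, and the following is an added example of it, not Enigmail's or any keyserver's code: it splits a user ID along the conventional `Name (Comment) <email>` layout, shows the naive rendering beside an escaped one, and flags user IDs that carry angle brackets or quotes outside the e-mail part. The user IDs are constructed; the markup-bearing one is made up here rather than copied from any key on a keyserver, and the function names are my own.

```python
import html
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample user IDs in the conventional "Name (Comment) <email>" layout.
# The second one stands in for the markup-bearing user IDs the thread mentions;
# it is made up here, not taken from a keyserver.
SAMPLE_UIDS = [
    "Alice Example (test key) <alice@example.invalid>",
    "Mallory <script>alert(1)</script> <mallory@example.invalid>",
    "Bob Example <bob@example.invalid>",
]

# Name is whatever precedes an optional "(comment)" and an optional, trailing
# "<email>".  Lazy matching of the name means the e-mail is the LAST <...>.
UID_RE = re.compile(
    r"^(?P<name>.*?)\s*(?:\((?P<comment>[^()]*)\))?\s*(?:<(?P<email>[^<>]*)>)?\s*$"
)


@dataclass
class UserId:
    name: str
    comment: Optional[str]
    email: Optional[str]


def parse_uid(uid: str) -> UserId:
    """Split a user ID string into its conventional fields (all optional)."""
    m = UID_RE.match(uid)
    if m is None:  # every group is optional, so this is only a safety net
        return UserId(uid, None, None)
    return UserId(m.group("name").strip(), m.group("comment"), m.group("email"))


def contains_markup(uid: str) -> bool:
    """True if name or comment carries characters a browser could read as HTML.

    A legitimate user ID only needs '<' and '>' around the e-mail address, so
    anything of the kind in the other fields is worth a closer look.
    """
    u = parse_uid(uid)
    text = u.name + (u.comment or "")
    return any(c in text for c in "<>\"'")


def suspicious_uids(uids: List[str]) -> List[str]:
    """Filter a list of user IDs down to the ones that carry markup characters."""
    return [u for u in uids if contains_markup(u)]


def render_unsafe(uid: str) -> str:
    """What a naive viewer does: drop the raw string into the page.  Shown for
    contrast only; never use this."""
    return f"<li>{uid}</li>"


def render_safe(uid: str) -> str:
    """Escape every field before it reaches the DOM; the address is shown as text."""
    u = parse_uid(uid)
    parts = [html.escape(u.name)]
    if u.comment:
        parts.append(f"({html.escape(u.comment)})")
    if u.email:
        parts.append(f"&lt;{html.escape(u.email)}&gt;")
    return "<li>" + " ".join(parts) + "</li>"


if __name__ == "__main__":
    for uid in SAMPLE_UIDS:
        print("unsafe:", render_unsafe(uid))
        print("safe:  ", render_safe(uid))
    print("flagged:", suspicious_uids(SAMPLE_UIDS))
```

`html.escape` is used with its default `quote=True`, so the escaped text is safe inside attribute values as well as element bodies. The flagging helper is a triage aid, not a filter: a user ID that survives `contains_markup` is still rendered through `render_safe`, because the property that keeps a viewer safe is encoding on output, not inspection of the input.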

Re: [liberationtech] Fwd: A hacker's guide to Amsterdam

2013-07-20 Thread Jason Gulledge
There will be people at OHM on the 27th. Guaranteed.


On 7/20/13 9:26 AM, phryk wrote:
> Well, I haven't been in Amsterdam ever but a quick look on
> hackerspaces.org got me the (apparently only) amsterdam hackerspace:
>
> https://technologia-incognita.nl/
>
> Even if you're not interested in going there, those people might be
> able to give a few recommendations.
>
> Since I'm interested in this as well, I'll ask a few of the other
> people from the local hackerspace who'll be at the OHM too if they have
> any recommendations. Thus far I only heard of a trustable coffee shop, 
> though. :P
>
> Our initial plan was to go to the OHM venue at the 27th, but apparently
> whoever decided that didn't make any effort to find out that the
> earliest date for going to the campsite is the 29th… :/



Re: [liberationtech] Fwd: A hacker's guide to Amsterdam

2013-07-20 Thread Jason Gulledge
On 7/20/13 8:25 PM, phryk wrote:
> On Sat, 20 Jul 2013 12:38:34 +0200
> Jason Gulledge  wrote:
>
>> There will be people at OHM on the 27th. Guaranteed.
> Yes, I was told that the 29th is supposed to be for people who don't
> help on setting up the OHM camp and infrastructure later today, too.
>
> Good to hear it from another source, though. :)
>
Ah, that may be true. The people I know who are going on the 27th are
going to help set up.



Re: [liberationtech] [cryptography] a Cypherpunks comeback

2013-07-22 Thread Jason Gulledge
It looks like https://cpunks.org/mailman/listinfo/cypherpunks also
serves the same purpose.

Going to that other one presents with a bad SSL certificate pointed to
the above domain name.

On 7/22/13 9:41 AM, Adam Back wrote:
> Could you please get another domain name, that name is just ridiculous.
>
> It might tickle your humour but I guarantee it does not 99% of potential
> subscribers...
>
> Unless your hidden objective is to drive away potential subscribers.
>
> Adam
>
> On Sun, Jul 21, 2013 at 11:07:26AM +0200, Eugen Leitl wrote:
>> - Forwarded message from "Riad S. Wahby"  -
>>
>> Date: Sat, 20 Jul 2013 12:41:25 -0400
>> From: "Riad S. Wahby" 
>> To: cpunks-recipients-suppres...@proton.jfet.org
>> Subject: a Cypherpunks comeback
>> User-Agent: Mutt/1.5.21 (2010-09-15)
>>
>> tl;dr:
>> I'm writing to invite you back to the Cypherpunks mailing list. If
>> you're interested, you can join via
>> https://al-qaeda.net/mailman/listinfo/cypherpunks
>>
>> Hello,
>>
>> In the past couple days I've exchanged emails with John Young and
>> Eugen Leitl on some brokenness in the Cypherpunks mailing list. This
>> discussion brought us to a discussion of attempting to resurrect the
>> list's wetware, as it were, in addition to its software. At Eugen's
>> request, John dug up a couple Majordomo WHO outputs from about 15 years
>> ago; I tidied up the lists, and now I'm writing to you.
>>
>> So! if you still have an interest in crypto, privacy, and politics, and
>> if you want to discuss that interest with a bunch of like-minded weirdos
>> from the aether, you can subscribe yourself via the web interface above
>> or by sending an email with "subscribe" in the body to
>> cypherpunks-requ...@al-qaeda.net.
>>
>> (I am aware the provocative choice of domain name may discourage you
>> somewhat. I can only tell you that I've been running a Cypherpunks list
>> of some sort from this domain for a bit over a decade, and I haven't yet
>> been spirited away in a black helicopter. Here's hoping for another
>> helicopter-free decade.)
>>
>> Best regards, and welcome back, preemptively,
>>
>> -=rsw
>> on behalf of jya, eugen, and rsw
>>
>> - End forwarded message -
>> -- 
>> Eugen* Leitl http://leitl.org
>> __
>> ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
>> AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5
>> ___
>> cryptography mailing list
>> cryptogra...@randombit.net
>> http://lists.randombit.net/mailman/listinfo/cryptography




Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Jason Gulledge
The fog of OHM hasn't yet lifted for me, so I'm sorry if I'm not entirely 
poetic in thought…

Before people jump in and say "the tor network is inherently flawed!" I just 
want to try to put it in perspective. As I understand it, an .onion got owned, 
probably by some poorly written or installed software on their site. That 
happens, and it isn't tor's fault.  Once it got owned, it was easy to put an 
iframe in and target a specific version of the tor browser, an old one for 
which vulns are well-known. 

Mozilla posted the advisory on June 25th. 
https://www.mozilla.org/security/announce/2013/mfsa2013-53.html and a TBB 
update was provided 5 days later: 
https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released - and 
uses a version of FF that the advisory says fixes the issue.

If you're interested, this is supposed to be the exploit: 
http://pastebin.com/96htM60z

The take home message of the day: keep your shit up to date.

The only question I have is -- is there anything more that can be done to warn 
users their stuff is out of date? We're already visited with a warning that our 
browser or other tor-related software is out of date upon launching it. Do we 
need scrolling text? blinky lights? Should it be disabled once it is out of 
date? Maybe that can be an option set by default.  Thoughts?


Best, 

-Jason Gulledge
@ramdac



On Aug 5, 2013, at 10:15 AM, Nadim Kobeissi  wrote:

> Forgive me, but I'd like to ask a question here.
> 
> Tor is a tool that is undeniably, directly marketed toward activists in 
> high-risk environments. Tor's presentations at conferences centre around how 
> Tor obtains increased usage in Arab Spring countries that matches the 
> timeline of revolutionary action. It's incredibly direct. Tor's own 
> spokespeople encourage people in Iran, Egypt and so on to use Tor and only 
> Tor as the most secure tool for activist anonymity, and privacy.
> 
> Now, we find out that the FBI has been sitting on an exploit since an unknown 
> amount of time that can compromise the Tor Browser Bundle, which is currently 
> the main way to download Tor and the only way to download Tor for the average 
> end-user, and is deploying it en-masse to the visitors of what seems to be 
> around half of all Tor hidden services, which have also been compromised.
> 
> I've gotten quite some flak from certain people at Tor for supposedly 
> marketing Cryptocat to activists, which is not something I do, but that the 
> media did last year. We know for a fact that Tor does in fact market to 
> activists. And yet, I have a feeling that the flak towards Tor, for something 
> this incredibly huge, will be quite small, on this mailing list and on other 
> discussion forums, especially compared to the kind of vitriol Cryptocat 
> receives.
> 
> I would like an explanation as to why this is the case.
> 
> NK
> 
> On 2013-08-04, at 10:56 PM, Griffin Boyce  wrote:
> 
>> There are really two separate issues here, and I just want to separate them 
>> briefly.
>> 
>> 1) Tormail and other sites were hosting malicious js code that attempts to 
>> break firefox 17.
>> 
>> 2) Freedom Hosting was shut off after its host was arrested.
>> 
>>  I will say from personal experience that most hidden services are 
>> *extremely* permeable. Not because Tor sucks, but because people making them 
>> aren't very good webmasters. They don't upgrade/patch the software running 
>> their websites, and that leads to big hacks. Freedom Hosting was itself 
>> taken down on at least three occasions due to poor maintenance.
>> 
>>  It's also not particularly difficult to script up a scanner that tests 
>> hidden services for vulnerabilities, then launches malicious code. This has 
>> happened again and again. But this cannot really be Tor's fault anymore than 
>> it's Apache's fault. People who host hidden services must maintain their 
>> code just like other websites.
>> 
>>  If a hidden service webhost is imperfectly set up, it's possible to upload 
>> a malicious file and broadcast the IP address of the server. (Again, this 
>> relies on various configuration issues and 0day, but similar has happened to 
>> Freedom Hosting before).
>> 
>>  What does everyone else think about this?
>> 
>> best,
>> Griffin
>> 
>> PS: it seems a little too ambitious to set up your own anonymity network 
>> without having a solid team of scientists and cryptographers
>> 
>> On Sun, Aug 4, 2013 at 9:20 PM, Rich Jones  wrote:
>> 1) Freedom Hosting owner arrested and TorMail appears to be distributing FBI 
>> malware specifically targeting the Tor 

Re: [liberationtech] New CryptoCat bug

2013-08-08 Thread Jason Gulledge
Given that today is world cat day, it's even more important that we take time 
out to think about the cats. This is important for all of us, not just cats. 
We're in this together.

http://www.panorama.am/en/society/2013/08/08/world-cat-day/


Best,
Jason

On Aug 8, 2013, at 11:25 AM, Jillian C. York  wrote:

> Dear LibTech, 
> 
> I would like to express my concern that the CatFacts function of CryptoCat is 
> not operating. This is a Very Important Function to ensure the physical, 
> mental and spiritual health of cryptocat users and I am deeply, deeply 
> concerned about its inoperability. 
> 
> Perhaps some time at the upcoming hackathon should be spent improving this 
> function.
> 
> Thanks, 
> Jillian
> 
> 
> -- 
> Note: I am slowly extricating myself from Gmail. Please change your address 
> books to: jilliancy...@riseup.net or jill...@eff.org.
> 
> US: +1-857-891-4244 | NL: +31-657086088
> site:  jilliancyork.com | twitter: @jilliancyork 
> 
> "We must not be afraid of dreaming the seemingly impossible if we want the 
> seemingly impossible to become a reality" - Vaclav Havel


Re: [liberationtech] From Snowden's email provider. NSL???

2013-08-09 Thread Jason Gulledge
> Also, weren't NSLs ruled unconstitutional recently?
> 
> NK


I don't remember that, but I do remember hearing the FISC ruled some of the 
NSA's activities unconstitutional... in 2011. 

http://www.ibtimes.com/fisc-will-not-object-release-2011-court-opinion-confirmed-nsas-illegal-surveillance-1305023

The ruling was classified. Funny how that works. 

-Jason


Re: [liberationtech] WaPo releases details on US offensive cyber-ops

2013-09-02 Thread Jason Gulledge

On Sep 2, 2013, at 11:13 PM, coderman  wrote:

> On Mon, Sep 2, 2013 at 10:44 AM, Gregory Foster
>  wrote:
>> ...
>> The NSA designs most of its own implants, but it devoted $25.1
>> million this year to “additional covert purchases of software
>> vulnerabilities” from private malware vendors, a growing
>> gray-market industry based largely in Europe.
> 
> 
> i would love to know how much of the overall market for exploits this
> $25.1mm figure represents, and how much was exclusive vs. shared
> access...
> -- 

Perhaps just as troubling... there's no certainty that the companies who deal 
in cyber-arms (exploits) to governments aren't selling the same exploits to 
other, adversarial governments. Some companies, like Vupen, attempt to make 
themselves seem like they're doing humanity a favor by only selling to "NATO 
members", but when faced with criticism from companies who can't (or won't) 
outbid governments for access to exploits, Vupen had this to say:

“We don’t work as hard as we do to help multibillion-dollar software companies 
make their code secure,... If we wanted to volunteer, we’d help the homeless.”

Many companies against which they develop exploits aren't multi-billion dollar 
companies, and no one is asking them to volunteer. This company admits it 
doesn't want to help companies make their code secure. These are cyber arms 
dealers. 

source for quote: 
http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees/


Best,
Jason Gulledge
@ramdac

Re: [liberationtech] 10 reasons not to start using PGP

2013-10-10 Thread Jason Gulledge
Also, the premise of your argument, "10 reasons not to start", presupposes the 
truth of your argument, essentially begging the question. Not that it makes 
your other arguments invalid, but I cringed when I saw the title, and also 
laughed. 

- Jason Gulledge


On Oct 10, 2013, at 9:40 PM, Jillian C. York  wrote:

> In my opinion, this makes about as much sense as telling people who are 
> already having sex not to use condoms. 
> 
> Consider mine a critique of why this post makes almost no sense to and won't 
> convince any member of the public.  I'm sure some of the geeks here will have 
> a field day with it, but some of it is barely in my realm of understanding 
> (and while I'm admittedly not a 'geek', I've been working in this field for a 
> long time, which puts me at the top rung of your 'average user' base).
> 
> TL;DR: This may well be a solid argument for convincing developers to 
> implement better UIs, etc, but it doesn't work for its intended purpose, 
> which seems to be convincing n00bs not to use PGP.
> 
> (Detailed snark in-line)
> 
> 
> On Thu, Oct 10, 2013 at 12:23 PM, carlo von lynX 
>  wrote:
> We had some debate on this topic at the Circumvention Tech
> Summit and I got some requests to publish my six reasons
> not to use PGP. Well, I spent a bit more time on it and now
> they turned into 10 reasons not to. Some may appear similar
> or identical, but actually they are on top of each other.
> Corrections and religious flame wars are welcome. YMMV.
> 
> 
> 
> --
> TEN REASONS NOT TO START USING PGP
> --
>Coloured version at http://secushare.org/PGP
> 
> 
> 
>[01]Pretty Good Privacy is better than no encryption at all, and being
>[02]end-to-end it is also better than relying on [03]SMTP over [04]TLS
>(that is, point-to-point between the mail servers while the message is
>unencrypted in-between), but is it still a good choice for the future?
>Is it something we should recommend to people who are asking for better
>privacy today?
> 
> 1. Downgrade Attack: The risk of using it wrong.
> 
>Modern cryptographic communication tools simply do not provide means to
>exchange messages without encryption. With e-mail the risk always
>remains that somebody will send you sensitive information in cleartext
>- simply because they can, because it is easier, because they don't
>have your public key yet and don't bother to find out about it, or just
>by mistake. Maybe even because they know they can make you angry that
>way - and excuse themselves pretending incompetence. Some people even
>manage to reply unencrypted to an encrypted message, although PGP
>software should keep them from doing so.
> 
>The way you can simply not use encryption is also the number one
>problem with [05]OTR, the off-the-record cryptography method for
>instant messaging.
> 
> Okay, I'm not going to argue that PGP isn't hard or that people don't use it 
> incorrectly at times.  But would you say "don't use condoms because they're 
> ineffective sometimes"?  No, you would not.
> 
> This is a reason to improve the UI of PGP/OTR for sure, but not a reason not 
> to use it.
>  
> 
> 2. The OpenPGP Format: You might as well run around the city naked.
> 
>As Stf pointed out at CTS, thanks to its easily detectable [06]OpenPGP
>Message Format it is an easy exercise for any manufacturer of [07]Deep
>Packet Inspection hardware to offer a detection capability for
>PGP-encrypted messages anywhere in the flow of Internet communications,
>not only within SMTP. So by using PGP you are making yourself visible.
> 
>Stf has been suggesting to use a non-detectable wrapping format. That's
>something, but it doesn't handle all the other problems with PGP.
> 
> Okay, this part requires more explanation for the layman, methinks.  It's not 
> intuitive for a non-tech to understand.
>  
> 
> 3. Transaction Data: He knows who you are talking to.
> 
>Should Mallory not [08]possess the private keys to your mail provider's
>TLS connection yet, he can simply intercept the communication by means
>of a [11]man-in-the-middle attack, using a valid fake certificate that
>he can make for himself on the fly. It's a bull run, you know?
> 
> You're not going to convince anyone with jargony talk. 
> 
>Even if you employ PGP, Mallory can trace who you are talking to, when
>and how long. He can guess at what you are talking about, especially
>since som