Thank you Faramir! I was so afraid nobody would feed the troll and the archives would split the OP and the answer because of the passing month.
On Fri, Aug 31, 2012, at 04:36, Faramir wrote: > El 29-08-2012 5:28, antispa...@sent.at escribió: > > I'm (for some of you) your worst nightmare. Somebody who does not > > master the fine arts of cryptography, yet has an oppinion about > > cryptography. I might say I enjoy reading the thread on PKI, but I > > wasn't able to read it all. > > I don't think that is anybody's nightmare. After all, many of us are > not "masters of cryptography". A user with an attitude. A newcomer with an idea. Anything that disrupts a pecking order is a potential nighmare as it might imply the subject might be subjected to beak hits in the cranial area for the following days. The reality there are only a few masters of cryptography. The others just translate the math into scripts the best they can. Which means less than optimal. The other reality is that other people don't bother to read and comprehend something unless they see a gain, they can feel a profit, whatever that might be. Which, in the light of the „knowledge”, makes them stupid. Stupid for not thinking the same way as the subject, the self of the idea generator if you like. Thus a pornographer in Islam is far more willing to encrypt his transactions than a highschooler who writes about what „everybody knows”. Only to find out 10 years later that there were people that it would have been better not to know. > > Please understand this is not a flame against Landon, but rather at > > the whole culture of having a debate that puts people into two > > groups: a small one formed by initiated and a huge one with lay > > people. I am using > > Right, but it doesn't require high technological skills or a degree > in computer science to become an initiated. It can be explained in 20 > minutes, while you drink a coffee. Manuals are long and sometimes hard > to understand, because they must cover a lot of information, and list > all these options we will never use (but are still there, because what > I don't use is a must-have for other people). Just stay with us a bit, > and soon you'll find yourself transformed into a GPG initiated. Tech. Skill. Being smart. Being less smart. Being not smart at all. Why all this? The carrot at the end of the rope is enough for an ass. People don't go though 4 years of University to be more educated. They want access to those better paid jobs everybody talks about. Bringing to the table a fake aura of erudition is only a side effect. It's nice, but not good enough. Exaggerated sex and drinking records are far easier to bring to the table for far less effort. Manuals are long and hard to understand because they were produced through the same process: reward. Only a few accidental professors do try to teach students something. Most want to further their academic career. Which is why, each of them, good or bad, chose that particular path in life. In their world a 50 page book made out of a single diagram populated with very basic language is risible. And a 5 000 page compact text is very academic–ish. Read that and that's what you do have on your hands: a very compact typed succession of words. Those words can become meaningful if the student is particularly attracted to the subject and is ready to absorb almost anything in relation. You have to see it in perspective. In 19 century US people were actually punished for teaching dark skinned individuals how to read. It was THE law. Yet, some of those „darkies” went to great lenghts to learn it. The same way a dedicated scientist would read any kind of junk in hopes of finding a gem that would further one's knowledge. Make education available to everyone no matter the color of the skin and some people would still not know how to read. Make it mandatory and some would even rebel against it. The same goes for the sciences. Make a vaccine. Many would ignore it till it's too late and there's an oubreak. Make it compulsory vaccinations and people would develop legends. Against the process, of course. The trick is to make it so simple people won't be able to resist. As long as the alphabet is a dry succesion of signs there would be people who don't know how to read. Make it fun and it would be hard to stand. Make reading fun and people would go from being able to sign their names to being able to actually read. Now, make cryptography simple is bound to make it weak. But I don't mean to make it simple that way. Make it obvious. The computer does the work. If it does the work for the bad guys decrypting messages, why shouldn't it work for the common man as well? After all, we're past the days of Enigma. Today I can't imagine a room filled with people with pens and papers scribbling fast theories of how to break a gpg ascii armoured text. Today it's the day of the dictionary attack. I wonder how would be in the day when I would ask the next search engine: I had a highschool friend that went around calling himself John when his name was actually Sam. He's probably balding by now and must have a huge beer belly as he used to love that drink. And poof! There I have a screen filled with pictures of potential people. Today it's only the dictionary attack. Facebook indexes everything and given the data given by the antourage of a particular user the system can pull him out of the crowd for me or for anybody asking. Recording conversations goes the same way. I want to search anybody who says a particular word. Nothing smart. Actually the very fast process pushed by the future IBM to the National Socialists. So, at least for me, it's hard to see what's smart or inovative to what Google or NSA are doing today. Back to what you have written: just „stay with us” is not enough. The man of the 2001 needs defaults. The ability to further ones knowledge is a nice feature, but less relevant. I think it never was. But that's only speculation. > ... > > I think the argument with the envelope instead of a postcard is > > dated before considering encryption as an electronic envelope. > > Anyway, while > > Well, but it is. It is an almost impossible to open envelope, but > encrypted email still have the recipient's address, and the info of > the sender, at plain sight. So does the envelope. A white envelope, unless dropped in a private meeting, means anybody can feel to be the recipient. So there should be at least a recipient. But, usually it's quite easy to locate the sender too. Centuries back, that could be avoided through means closer to stegranography: send a messenger who would not catch attention directly to the intended target. The envelope example has some shortcomings. The sender was easy to find out. The recipient was obvious. Yet, the text, now, that was a problem. Writing was not for everyone. And people could learn different alphabets. And write gibberish. See Helsinki slang. > ... > > stereotypical nerd living in a basement. The real postman has way > > too much on his hands to waste time with every private message. > > Yet, the message might be delivered into the hands of a servant or > > family member. It's them, the people around, who are the most > > interested to find out the juicy story. > > That is also very true, Eve is probably very close to either the > sender or the recipient. Unless we are talking about NSA, CIA, or Men > in Black, but if that is the case, then using cryptography is only a > small part of the protection measures. Here, you are wrong. There is no unless. Take Soviet Union. Some say they reached the one fifth mark of the population doing the spying on others. The proportion is irelevant. Today, the NKVD siblings have the same purpose, no matter what the charter says. And they are ready to be somehow next to everyone. In a way, that's a very good sign. It's a dumbing down of the organisation. Back in 1960 they had to prioritise. They had to schedule whom to monitor and whom not. Also, in the Politics of Fear if you are not with me than, surely, you are against me. So, it used to be information gathering and bullying the boss' enemies. Today it's personal. It'd ideological. > > I see webmail as far from a barrier. Get one plain text editor > > with encrypt / decrypt abilities. Than just copy and paste the > > armored text. > > Or even better, attach the armored file to the message, and then you > don't even have to worry about html stuff messing it. My provider gives me an option to send plain text so there's no problem here. But your idea is way better as it is more portable. > > What can be simpler? Why do I have to handle a buggy slow beast > > like thunderbird or evolution when I can do it with the balast > > provided by a > > As a thunderbird user, I don't find it buggy or slow. At least, it > didn't use to be slow. As a former pine user I find it a disgusting waste. Kidding. But take a look at its history. Some insecure protocols, yet simple. And badly handled. No privacy in mind. No security in mind. After all, this is the 15th major version and there still are some issues. And it's a mammoth. 100Mb of memory for an IMAP check? Also, enigmail is the fruit of the plugin concept. So the plugin platform gets the merit and not Thunderbird. Thunderbird does not care much about security in the general sense. More about things that can't be shifted to anybody else. > > ... > > everything on a 386. So, instead of having a complicated system > > with problems, just use a web interface and do all the mails > > offline in a folder. Faster, more portable. > > Not sure about the faster part, you have more steps to follow to > send a message. But it still can be done. And as you need to carry > your encryption tools with you, you can also carry a portable install > of Thunderbird+GPG+Enigmail. Well, not sure if GPG2 will run in > portable mode, but for a while we can still use 1.4.x branch For a while. Yes, the PortableApps guys offer the whole pack of three, all portable. > ... > > Why look down at people? Lay people? A concept invented by the > > religious / initiated caste to sepparate themselves from the > > disgusting masses. > > Lol, it is not like that. It is we are talking about encryption and > why except us -the paranoid guys- the other people don't use it. It is > not about education level, intelligence, or anything like that, in > fact, if we were looking down at people, we would be saying "they > aren't capable of using this stuff", instead of that, we are talking > about "why don't they use it? How can we make them use it?". See? You're misusing terms. Living into a large Panopticon and calling another one paranoid, even yourself. > ... > > It's cute to develop bondage though some sort of initiation, say > > Dungeons and Dragons if you like a cliché, but it's still jacking > > off. The world is the thing out, at large, and not some meetings in > > a basement. > > Initiation? I'm lost now... I came here, joined the list, read a > bit, made some questions, tried GPG, left a orphan key... and somehow, > now I'm a GPG user. And to think it all started when a teacher said > "well, this is my public key, your assignment is to send an encrypted > message to me, that is the link to PGP's site". And of course, I > thought "isn't there a free version?" Oh, really? And you've been a registered user of the list since 2011. What does initiation mean to you? Does it have to include severe beatings? Sexual assault from your peers? Does it need incantations and certain uniforms? > By the way, some years ago I went to a CAcert assurer's meeting. It > was on a coffee shop, no basements involved. It can be on the top floor of the tallest building eyes can see. Does it make it less of a Dungeon? > ... > > Even if gpg is easily obtainabe, that is, still, almost nothing. > > Gpg is not a portable app. One must read a few cryptic pages. Even > > if clear, > > It used to be. You can still get the portable version. Of a version that is going to slowly die. In an age where install means being able to control your terminal, which is a no–no. Sure. Somebody who can't even get administrator rights on a system, what can he do? The system, the operating system can spy on you. Just like with enigmail on thunderbird, it can be a particular driver on your OS. I don't know the way out. So I'm glad I'm not a developer of security apps. > > they are boring. Generate a key. What size? The answers are quite > > liberal: it depends on what you need. It should be *2048 or read > > some > > Unfortunately, it really depends on your needs. But there is hope: > the standard answer here is "most people should stick to the > defaults". There are even some straight forward wizards to set it up > and generate your key (like enigmail's wizard). > Options are more complex, but people with unusual needs should know > they have to devote more time reading manuals, after all, they already > devoted some time to discover they have unusual needs. They should be stimulated. They should know is old wives talk: you should know better! Or that's the way it is! Because the complicated part is far from building or installing an app. It's the whole system that is rotten. The TCP/IP is made so anybody can put a third and a fourth man in the middle. HTTP is so visionary and so plain text. Take Yahoo for example. They have put the login page through SSL. Nice. Yahoo Messenger protocol sends it all in plain text. Chat programs store the passwords in plain text. And there are enough holes in that protocol that any feature can be changed. Say one user is „invisible”. Well, whole sites are dedicated to seeking them online. There's one invisible noun. Yet, with Yahoo there are two switches: one for the web and one for the messenger. GPG? GPG is fine. Yet, GPG does not come with a text editor embeded. Which editor? Any! Take your pick. Most are made by people with the IQ of a frozen hamburger. The original text has one copy in memory, one in the temp folder (it used to be directories, no?), maybe one in the journals. All in plain text. Isn't it a bit silly to debate the entropy of a pass phrase? > > ... > > Now, Thunderbird is a pain in the behind. A team is trying hard to > > bring the anonymity of Tor to it. I hope they would be able to do > > it. It's > > Well, but remember email encryption is not about anonymity, it is > about privacy. Pretty Good Privacy, not Pretty Good Anonymity. Sure, > some people wants both, but that is out of our scope. Well, the bad guys still have to match the key fingerprints or IDs. If they are on a key server, that's fine. Anyway, there has to be a WOT in place too. I can generate a new key with your handler and email in no time. And put it on every known keyserver. Does it mean it's you? You can't even kill it, as you can't generate a revocation key. But that leads to deniability which is another can of worms. The Tor interaction with Thunderbird shows bad practices. I'm sure there is a lot more just based on how they develop things. Not connected with Thunderbird, GPG, or any app mentioned here. But there used to be a real problem with buffer overflows. It was simple. It was obvious. Developers knew about the potential. Yet nobody cared less than the developers. They only fixed bugs rated dangerous. The ones writing that junk are the teachers of today Python and PHP hackers. And their software is safe because Python takes care of buffer overflows? It's the same bad practices that reproduce themselves at an amazing rate. Sendmail would have to worry about libc. And they had the decency to generate workarounds for the libc bugs if needed. Thunderbird depends on many packs. The plugin interface is not safe. It was not supposed to be safe. And they are only bothered by the obvious memory leaks. And that's still good. So many projects are happy to shift the blame and say: it's not us, is one of the packs we use and the bug has been filled. All this because I just gave an example of how Thunderbird is broken. Also, you seem to have driven around the point of the message. Anyway, myself I like a good debate. Only that „out of our scope” is a bit too much. Privacy is exemplified as the confidential talk between a patient and a doctor. And the dorks stop here in their analysis. It's already too much. Time for a WoW or something else. The patient is presumed sick with a Cancer. The doctor sends an encrypted message. Nobody can read it. Yet, the patient is gloomy. Do we know the content? Sure. So the pretty good privacy has failed miserably. The patient has a private and confidential chat with a representative of a medical laboratory specialised in blood analysis. Do we know the answer? Yes. We're not sure what particular strain of the virus. But that's less relevant. Or maybe the patient is happy. So the answer is negative or with no important impact in his life. But, is it? Maybe the partener does not know that. A wonderful gesture of protecting the partner can turn into a relationship breaker. Some would not stand to lose the relationship, so they would expose the partener too. Pretty good privacy? Next to nothing. But in the world out there there are not just STDs, terminal illnesses or teen pregnancies. A wistleblower or a political opposition member need privacy too. Yet, they can be torn to bits and their secrets extracted through the wonderful and never dying security concept of the rubberhose hacking. You can argue that they need anonymity too. I say the first implies the latter. One might be gloomy for a number of reasons once the others don't know the sender was from oncology, or even in a medical job. > > ... > > portable. Enigmail is an extension and that makes it rather > > portable. But gpg4win is NOT. > > Until very recent times, GPG branch 1.4.x windows binary was easy to > find, and could be run in portable mode. Probably there will be (or > already are?) packages offering portable Thunderbird+Enigmail+GPG combo. PortableApps.com. Wonderful project. I love them and used them whenever I'm on Windows. > > ... > > Also I think people like you should work more and more on their > > pleasant side. Learn some skills that don't involve machines. > > Relax. Just because other bullied you, you don't have to be a > > bully. > > I think you are following stereotypes a bit too much. You imagine > people here are fit for the "Revenge of the Nerds" movie casting. Actually, I was going for cliché. And I don't imagine. I exagerate. In order to make a point. This list is wonderful. No sarcasm. But some of the energies could flow better, in my oppinion, if directed on a different course. Yes, there is an initiation. Even if that's not quite as dramatic as people imagine things when they read about initiations. Same way as a ritual can be as simple as start walking with the right foot when one's on the way to something important. You don't need the silly costumes and pomp of an Easter Mass or a Royal Wedding. I'm sorry. I'm an asshole. I've seen and ignored bits of messages and today I'm too damn lazy to even search for them. I am also afraid at being told I point fingers. If I point any fingers, are at the keyboard. Myself I used to hoist a booored face when repeatedly asked the same question over again till I understood it's not the same mouth that is asking the question. > > > Or put it this way: what makes you sure your way is the good way? > > Just > ... > > Well, we are the Iluminati, our Order comes from the time lay > people used to live in caves, while we already had cable TV. Bazinga! That should explain it. But beware. A friend was just suspended on Ubuntu forums for pointing out through ridicule the stupidity of a moderator. For the moderator there was no need to have HTTPS support for Ubuntu forums because lots of others don't have it too. And a second moderator pointed out smartly how his skill with Google can show there is no need for SSL because their master, Canonical, does need it. > > > Question: sure, it's nice to see the signature used here, on the > > gpg list. But why do you people use it? Myself, an outsider, see it > > as a geek code. Sure, Werner is the gpg master. And somebody might > > Well, I use it in a vain attempt to make people aware about there is > something called OpenPGP. Also, because the first time I found spam > messages sent... by me to me, I was very worried about how my email > box had been compromised, I changed password, ran every anti-malware > tool I could find, and so on. Then I learned anybody can fake that. No > compromise at all, the spammer just crafted a message that to me, > looked like a message sent from my email box. So I said "fake this, > M.F.!" and started signing my messages. Hahaha. That is a story I enjoy each time I read it. You are probably not aware, but some of the high masters of hexadecimal good and evil in some large multinational corporations didn't know that either. For each it all started with some fake memo sent from the CEO. What's worse is that it has never crossed their minds for a moment that the technique could have been used before in their corporation for smaller names. At this point I raise my hat to the work done by black hats everywhere. But you can sign your mails with „Zzz” without the quotes and have the same effect. You can argue somebody would impersonate you on this list or another and... the chance can be as high as having your key stolen if you are not careful. For that a very important aspect is the handler should become an identity. At that point it's getting harder and harder to impersonate you. But that can take years, and strong key generation is much shorter today. > > By the way, I caught you. You say you are an outsider, yet you know > about GPG, Thunderbird, Enigmail, you know they can be portable, you > know about gpgp4win -and it has its own mailing list, so usually it is > not mentioned here-, you know how easy is to encrypt text on a plain > text editor with encryption capabilities and paste ascii armored text > on the webmail composer. You talked about TOR, and you know the > password strength is related to the entropy it has. You know xkcd > comic. You even know about Allice and you don't think she is a > Twilight character. You don't fool us, your geek coefficient is at > least as high as ours! But I am an outsider of this list. I haven't been involved on this list since the days of the, than, new site when there was a debate between having index.html.en or index.en.html. I am an outsider for Thunderbird too. I hated all Netscape derivates. I'm not saying I was a IE supporter. But bad design is still bad design. I bought the lie of Firefox and dumped it when they started growing bigger and against their own statements just to please Google and other corporate friends. I'm back because NoScript can't fit well on other browsers. But Thunderbird is still just a once in a decade GUI to backup mail accounts. The fact that I know how easy can one use a text editor to encrypt and decript does not make the perspective brighter as all text editors I use are unsafe. Thus, one have to encrypt the whole system and hope the memory modules are cold the time someone touches the box. Not much optimism there. I know password strength is related to the entropy. I fail to see the point in some of the tomes I have read. I can use capitals and numbers. Or lowercase US version of the latin alphabet, as the computers still aren't smart enough to handle other languages without complicated translation libraries, and maybe numbers / digits and a space. Vs having lowercase, uppercase, digits, signs and tremble day and night about the entropy. The way I figgure it's either badly understood by me or badly defined by the others. Because „Cliché” can be cracked even easier than „Jimi Hendrix”, yet having a Hendrix poster behind me won't help with „greatest1guitarist”, but some warning mechanisms against weak passwords will aim for my head for that last one. Dictionary word, no variation, no signs. Heaven forbid I double some letter! Alice is Alice Cooper and I always felt nerds were so nasty to make stories about Alice and Bob (Geldof), and have Charlie and Chuck and Dave and so on. Yet only Eve is the passive attacker. As for having the geek as the good guy, I'm against. There's nothing worth praise in beeing a geek. Thus the use of the uglier nerd. There's an article about this written by a guy with much better command of the English language: http://th-rough.eu/writers/campagna-eng/night-living-geeks. Cheers! _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
