OnPoint by Keith Ng


OnPoint: Ich bin ein Cyberpunk

94 Responses


  • Jon J.,

    Spectacular. :-)

    Wellington • Since Aug 2013 • 3 posts

  • Rich of Observationz,

    Key distribution, that's the hard part. Ensuring that you have the public keys of everyone you want to contact and that these haven't been tampered with.

    It's a hard problem, partly because of the risk of the man-in-the-middle attack (where somebody intercepts your traffic, substitutes the key and encrypts/recrypts your mail). I think the community got a bit hung up on this though - it should be possible to build an infrastructure that's strong enough and tamper-evident enough to make systematic monitoring very difficult.

    Back in Wellington • Since Nov 2006 • 5550 posts

  • Amanda Wreckonwith,

    Good work.
    People like us need people like you.
    Sod the others - will you stand for Labour Party leader?

    Since Sep 2012 • 171 posts

  • Nicola Rowe,

    Thank you! I've been looking for this.

    Christchurch • Since Jul 2012 • 5 posts

  • Moz, in reply to Rich of Observationz,

    it should be possible to build an infrastructure that’s strong enough and tamper-evident enough to make systematic monitoring very difficult.

    The standard way is to use an outside channel. The simple(ish) way is just to put the hash of your public key in visible places - an image on your website for example. That's hard to mechanically detect and change, but easy to verify.

    Sydney, West Island • Since Nov 2006 • 1233 posts
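The out-of-band check Moz describes, as an added example that is not part of this thread: compute the OpenPGP v4 fingerprint of an armored public key and compare it with the fingerprint published somewhere the sender controls (a website image, a business card). The helper names are hypothetical and the key material is a constructed toy packet, not anyone's real key; a swapped key, as a man-in-the-middle would plant, fails the comparison.

```python
import base64, hashlib, hmac

def dearmor(armored: str) -> bytes:
    """Strip ASCII armor (BEGIN/END lines, 'Version:' headers, CRC line) and base64-decode."""
    body, in_body = [], False
    for line in armored.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN"):
            in_body = True
        elif line.startswith("-----END"):
            break
        elif in_body and line and not line.startswith("=") and not (":" in line and not body):
            body.append(line)
    return base64.b64decode("".join(body))

def first_packet(data: bytes):
    """Parse one OpenPGP packet header (old or new format) and return (tag, body)."""
    t = data[0]
    if t & 0x40:  # new-format header
        tag, first = t & 0x3F, data[1]
        if first < 192: length, off = first, 2
        elif first < 224: length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255: length, off = int.from_bytes(data[2:6], "big"), 6
        else: raise ValueError("partial body lengths not supported")
    else:  # old-format header: 1, 2 or 4 length bytes
        tag, n = (t >> 2) & 0x0F, [1, 2, 4, None][t & 3]
        if n is None: raise ValueError("indeterminate length not supported")
        length, off = int.from_bytes(data[1:1 + n], "big"), 1 + n
    return tag, data[off:off + length]

def v4_fingerprint(key_body: bytes) -> str:
    """RFC 4880 v4 fingerprint: SHA-1 over 0x99 || 2-byte body length || public-key packet body."""
    if key_body[0] != 4: raise ValueError("only v4 keys handled")
    return hashlib.sha1(b"\x99" + len(key_body).to_bytes(2, "big") + key_body).hexdigest().upper()

def verify_key(armored: str, published_fp: str) -> bool:
    """True if the key's fingerprint matches the one published out of band (spaces/case ignored)."""
    tag, body = first_packet(dearmor(armored))
    if tag != 6: raise ValueError("first packet is not a public-key packet")
    return hmac.compare_digest(v4_fingerprint(body), published_fp.replace(" ", "").upper())

def _mpi(n: int) -> bytes:  # OpenPGP multi-precision integer: 2-byte bit count, then big-endian value
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")
# Constructed toy v4 RSA public-key packet (tag 6); the modulus is far too small to be a real key.
SAMPLE_BODY = b"\x04" + (1376000000).to_bytes(4, "big") + b"\x01" + _mpi(0xC0FFEE1234567890ABCDEF1122334455) + _mpi(65537)
SAMPLE_PACKET = bytes([0x80 | (6 << 2), len(SAMPLE_BODY)]) + SAMPLE_BODY
SAMPLE_ARMORED = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed example\n\n"
                  + base64.b64encode(SAMPLE_PACKET).decode() + "\n=crc0\n-----END PGP PUBLIC KEY BLOCK-----\n")
# The same armor with a substituted modulus, as a man-in-the-middle would plant; its fingerprint differs.
SWAPPED_ARMORED = SAMPLE_ARMORED.replace(base64.b64encode(SAMPLE_PACKET).decode(),
    base64.b64encode(SAMPLE_PACKET[:-23] + _mpi(0xDEADBEEF1234567890ABCDEF11223344) + _mpi(65537)).decode())
```

For a real key, `gpg --fingerprint` prints the same SHA-1 value this code derives, so the comparison can be made against the fingerprint shown by the tool as well as the one computed here.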

  • Jeremy Andrew,

    Cypherpunk, surely?

    Hamiltron - City of the F… • Since Nov 2006 • 900 posts

  • HamishFraser,

    -----BEGIN PGP MESSAGE-----
    Version: GnuPG v1.4.12 (MingW32)

    -----END PGP MESSAGE-----

    Since Mar 2012 • 5 posts

  • Keith Ng, in reply to HamishFraser,

    Huzzah! It worked. I'd reply in an encrypted message, but I don't have your public key.

    Auckland • Since Nov 2006 • 543 posts

  • Keith Ng, in reply to Moz,

    Moz & Rich: Yes, will get to that in the next part...

    Auckland • Since Nov 2006 • 543 posts

  • HamishFraser,

    Which is the answer to the question I was now asking myself. I wrote a link to my public key in my message and then must have sent an earlier attempt which I have no copy of. In other words - too much focus on the process, not enough on the content.

    -----BEGIN PGP MESSAGE-----
    Version: GnuPG v1.4.12 (MingW32)

    -----END PGP MESSAGE-----

    Since Mar 2012 • 5 posts

  • Sacha, in reply to Jeremy Andrew,

    zing

    Ak • Since May 2008 • 19745 posts

  • nzlemming,

    Thanks for connecting those dots. I downloaded the docs but haven't got round to reading them yet.

    Waikanae • Since Nov 2006 • 2937 posts

  • Brent Jackson,

    Is this built into any email clients? If not, why not?

    Auckland • Since Nov 2006 • 620 posts

  • Martin Lindberg,

    There was a pretty good how-to on Ars Technica a couple of months ago. See "Encrypted e-mail: How much annoyance will you tolerate to keep the NSA away?".

    Apart from showing the steps, it also talks about why the process is pretty annoying unless you have a group of friends or colleagues you regularly email and you are all in this together.

    Stockholm • Since Jul 2009 • 802 posts

  • Adam Shand,

    I reached the same conclusions a week ago and decided to write up a tutorial on how to make encrypting email as easy as possible.

    For those that might be interested, here is a (hopefully extremely easy to follow) tutorial on how to get email encryption working on a Mac running Mountain Lion:

    https://medium.com/open-source/7151e454ed93

    For those that want secure instant messaging the answer is much simpler and better. Get a client that supports OTR (Off The Record), on the Mac that's Adium. So long as you've clicked the "generate key" and both people have OTR installed, messages are encrypted.

    Peka Peka • Since Aug 2013 • 1 posts

  • Ian Dalziel, in reply to HamishFraser,

    -----BEGIN PGP MESSAGE-----
    Version: GnuPG v1.4.12 (MingW32)
    hQEMA4M1NX6Hba...EriyEalV/q5J7x2gn7S21UB2gYUqPgNu
    =g6Fq
    -----END PGP MESSAGE-----

    Hello 'Not-So-Public Address'...

    Christchurch • Since Dec 2006 • 7953 posts

  • HamishFraser,

    There is a certain glee in posting in broad daylight for a single individual. I am intrigued/lazy to know with a key size of 2048 and the RSA algorithm, how much time that would take to crack based on Edward Snowden's suggestion to Laura:

    "Assume that your adversary is capable of a trillion guesses per second"

    The program suggested a 5 year expiry date...

    Since Mar 2012 • 5 posts

  • TracyMac,

    For your webmail services like Gmail and Outlook.com, there's Mailvelope: http://www.mailvelope.com/

    Comes in a Chrome app only so far, although they do apparently have a Firefox plugin in development.

    Canberra, West Island • Since Nov 2006 • 701 posts

  • TracyMac, in reply to Brent Jackson,

    There's a list of mail clients here that natively support PGP and many others you can get plugins/addons for: http://www.vanheusden.com/pgp.php

    Canberra, West Island • Since Nov 2006 • 701 posts

  • TracyMac,

    For more food for thought, these days I'd probably prefer to use S/MIME over PGP. Integration isn't a problem with most modern mail clients (http://email.about.com/od/smimesoftware/S_MIMEEnabled_Email_Software.htm) - it's built-in with no addons needed. It's a slight PITA having to get the cert installed and configured in the mail client, but it's a download > install rather than generating and installing. Hint to Windows users, download a cert in IE even if you normally use Firefox - Firefox has its own certificate cache and it's annoying to have to export it from there and install it into the OS cache. (ETA: if you follow the link to install the Comodo cert from their email, it looks like it installs it correctly even if you're in Firefox.)

    You need a third-party-signed certificate, but there are free providers: http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html

    This is a basic guide for installing in Outlook, but just google "[mail client] smime" for instructions for most products: http://www.marknoble.com/tutorial/smime/smime.aspx. I would not recommend using Thawte certs as specified in this article - they require ID to "verify" who you are.

    There are Gmail S/MIME addons - one's a Firefox addon, and another is called Penango (ironically used by the US Air Force).

    Canberra, West Island • Since Nov 2006 • 701 posts

  • Idiot Savant,

    GPG4USB: advantages: mobile, can be used to encrypt webmail and throwaways. Disadvantages: will teach you bad habits about encrypting only stuff which is worth the hassle, so it basically signals people about content.

    Still, better than nothing. And given my email usage patterns, probably a good match.

    Palmerston North • Since Nov 2006 • 1717 posts

  • TonyWebb,

    Great post Keith.

    It's worth remembering that encryption done badly can be worse than not using it at all. I'd urge people who want to use encryption to read and understand as much as they can when using encryption as there are many pitfalls. Key security is a biggie - the only cases of LE breaking encryption that are known to have occurred have been by obtaining private keys and passphrases. The use of open source security software is very important too in my opinion. You just don't know what proprietary software is doing when it comes to encryption.

    However, the more people that do use encryption the better - I'm reminded of a comment from Phil Zimmermann about unencrypted email being similar to sending a postcard, encrypted mail being analogous to a letter in an envelope. Both can be intercepted and read, but a lot more effort needs to be expended to read the letter. The NSA will keep encrypted communications indefinitely, and they will be able to retrospectively "steam them open" in the future. Perhaps you could include PFS and OTR in your upcoming posts on this subject.

    It would also be great to see some information on anonymous browsing via Tor (this is now fairly easy to set up - I posted this via Tor) and darknets such as I2P if you have the time or inclination.

    Wellington • Since Aug 2013 • 2 posts

  • TonyWebb,

    Thunderbird email with the Enigmail plugin (uses GPG) is an easy-to-use, cross-platform key management solution.

    Wellington • Since Aug 2013 • 2 posts

  • TracyMac, in reply to TracyMac,

    One thing I didn't highlight about the advantages of S/MIME (beyond not having to download and run key-generation and mail client add-ons) is that public certificate distribution is easy - just send someone a digitally signed email (you need to ensure the option to include the cert is selected).

    On receiving the signed message, all the recipient needs to do (in Outlook) is click on the signature prompt and select "add to contacts".

    Since the key exchange is a bit "backwards" compared to PGP, they can now send you encrypted messages. You'd need to receive a digitally-signed message from them (it can be encrypted as well) to encrypt email back.

    Canberra, West Island • Since Nov 2006 • 701 posts

  • Brent Jackson,

    Hmm. I'm not sure that trusting Outlook or Gmail with Certificates and keys is any advantage - the NSA is already likely to have them in their pocket.

    Auckland • Since Nov 2006 • 620 posts
