[ale] Revised GPG Howto

Alex Carver agcarver+ale at acarver.net
Wed Jan 5 02:01:17 EST 2022


I wouldn't drag Snowden into a conversation about encryption. There's 
likely a mix of truth and falsehoods in his narratives about what he 
states was going on. Having had the opportunity to meet people in that 
community, it becomes readily apparent that we most certainly don't have 
the whole story.  Another way to view it would be to say "am I really 
important enough that someone wants to waste a lot of resources to pay 
attention to me?" because the work those agencies do is very resource 
intensive. Vacuuming up every single conversation by every single person 
inside and outside the country every minute of every day looking for 
anything is beyond monumental even if it wasn't encrypted. The story 
makes for great television ratings but the actual details are tossed aside.

Where the use of encryption and signatures would become useful is 
combating all of the crime happening online. Phishing, DNS spoofing, 
MITM, data at rest, and more. We're slowly getting there but there's 
still a lot of work to do.

The idea of backdoors to encryption pops up over and over again so it's 
nothing really new. The politicians drop it only when there's a new 
soundbite that is far more appealing to voters and/or donors (mainly 
donors).

Here's a way to think about that one: at one point early on it was easy 
and not prohibited to listen to cell phone calls (this during the AMPS 
days). Many people complained but nothing happened to change 
that...until someone eavesdropped on some politicians (specifically a 
call between Newt Gingrich and John Boehner plus a few others in a 
conference call) and suddenly it was illegal to own a scanner or other 
device that could tune into the cellular frequencies.

So if someone were to put in a backdoor, the keys would be found and the 
high and mighty that also need to use that encryption will have their 
data plastered everywhere. One might say "Well they could just use 
encryption for themselves and make the rest of us use backdoored 
encryption" which, on its face is true, but the reality of the Internet, 
cellular data networks, and others is that it just won't be feasible to 
do that. Politicians still shop online, use personal phones, go to 
restaurants and shops that utilize POS networks, and walk or drive past 
hundreds of thousands of security cameras public and private. There 
would be no way to establish a complete secondary private network for 
their exclusive use immune to attack and they would be forced to give up all 
their creature comforts. If they tried to create that shadow network, 
word would leak out, they'd become even bigger targets and the entire 
world would descend on it with relentless attacks to break into it.

That same story line plays out over and over in smaller ways throughout 
digital history. The Clipper chip, DRM in games, many companies storing 
credit card data in their servers using weak encryption and probably 
thousands of events we didn't hear about because they were small potatoes.

On 2022-01-04 16:11, jon.maddog.hall--- via Ale wrote:
> Another reason for increasing the use of GPG and other encryption....
> 
> One of the main drivers of the US Revolutionary War was the practice of the British government of breaking into the homes of citizens and searching these homes at any time for any reason.
> 
> It was out of this that the Constitution protects us from searches without cause, and without a legally issued search warrant granted by a judge based on evidence that your home should be searched.....and evidence of other crimes not mentioned in the search warrant should be ignored.
> 
> Eventually this was extended to communications which should be considered to be private unless there is some type of evidence that it is for illegal things, and only when there is a search warrant issued should agencies know what we are communicating.
> 
> The Patriot Act put a hole in this protection due to the threat of terrorism.   Then Edward Snowden showed us that federal agencies were not respecting even these protections.
> 
> Some people (correctly) say that with enough CPU power you can break any encryption, and in the long run that is true, and weak encryption is particularly vulnerable to newer technologies coming out.
> 
> However, what if everyone encrypted everything all the time?   Even things like lunch menus, love letters, instruction letters to your children.   Now there are so many encrypted documents that even powerful agencies with powerful computers will not know what to decrypt.   They will have to go back to the way they did it before, getting other evidence pointing to some heinous act, then either focusing their decryption techniques on *some* communications, or actually showing up at your house and asking you to decrypt the communications.....at least allowing you to know that your email or documents have been under suspicion.
> 
> Every so often (the mid 1980s and again right after 9/11) I had to write four or five page letters to various lawmakers explaining to them how trying to limit encryption was both useless and stupid (and yes, I literally used those terms), how good encryption was the basis of good authentication, and if you can not tell who you are actually talking to.....
> 
> Fortunately they listened to me (or I think they did) because several days after I sent the letter they dropped their efforts to limit encryption....
> 
> md
> 
> 
> 
>>      On 01/04/2022 9:13 AM Charles Shapiro via Ale <ale at ale.org> wrote:
>>
>>
>>      I have posted my revised GnuPG Howto at http://tomshiro.org/gpghowto
>>
>>      -- CHS
>>