[ale] Revised GPG Howto

jon.maddog.hall@gmail.com jonhall80 at comcast.net
Wed Jan 5 08:46:52 EST 2022


Hi Alex,

>Having had the opportunity to meet people in that community

I have had the "opportunity to meet people in that community" too, and my people say that what Snowden reported is more than accurate.

Snowden never said that they swept up *everything* that *everyone* said, emailed, cat-pictured, etc.   What he did say is that they were capturing and looking at things which they had no legal right to look at, and (to spice up the news story) some of these included what John Oliver calls "dick pics".   I found it amusing that the mainstream people on the street (literally) were mostly concerned about the "dick pics".

>"am I really important enough that someone wants to waste a lot of resources to pay attention to me?"

No, what you should be thinking about is whether or not a rogue agent or agency might use some information that they illegally obtained against you in the future.   The rogue agents have the resources "to waste" because it is not *their* resources that they are wasting.   It is *our* resources, that *we* paid for.

People also think that they are "not important enough" for ransomware attacks, "not important enough" to have people break into their accounts....

>We're slowly getting there but there's still a lot of work to do.

Agreed, and we have been slowly getting there since Phil Zimmermann pushed the envelope in the early 1990s.   By that time I was well aware of the Arms Export Control Act and how it almost blocked DEC shipping Ultrix-32 V1.0 because we had (gasp) encryption in it.

Yes, the BSD 4.1c version of code had the crypt command and library which produced a very weak encryption and was also used in the login process and for storing encrypted passwords in the /etc/password file (as you probably remember).  So we had to stop distribution, remove the libraries to a separately shipped package (shipped only to Proud Boys* and other domestic terrorists) and prove to the government that the encryption used in the password file was one-way only.

Never mind that BSD had already shipped all over the world.   Never mind that the principles behind encryption at a much stronger level were taught to schoolchildren in China and Russia.  Never mind that the USA was losing our best cryptographic specialists to Canada (because they could then sell their services around the world and also to the USA).

That was my first four page letter.

> The idea of backdoors to encryption pop up over and over again so it's nothing really new.

You are right, but the rest of what you write only seems to support what I said.  We can not trust the companies like Apple and Microsoft to protect us.  And even if they could use lawyers to fight against unlawful surveillance the "powers that be" could simply go to a judge and get a court order to gather the information.

If you really want to be paranoid, you might think about an agency creating a chip whose microcode has the trap door built into it, that they could turn on and off anytime they wanted to do that.   Then placing that chip in a board and making sure that board is the one you bought.  "But maddog...doing that would cost millions, or even billions of dollars".   Yes, and that is how much money we are talking about.

Now let's pretend that we are not US citizens.  Or that we are not US citizens talking to another US citizen, and it is legal for them to spy on us because we might be foreign terrorists.   They have "justified" the development expense, now they only have the expense of deployment.

This is why RISC-V is so interesting to me.   A RISC architecture so simple you could actually fabricate it yourself.  With Free Software that you can look at and see what it is doing.

While it is true that most of us do not have the expertise or energy to do this, as a combined group we might.

And in the end, with Free Software and Open Hardware we could have at least the ability to encrypt our own messages, and make it harder for them to do illegal, undetected spying.

Warmest regards,

maddog

*I was only kidding about the Proud Boys...modern domestic terrorists were just getting underway in the early 1990s and they were probably still using DOS.

> On 01/05/2022 2:01 AM Alex Carver via Ale <ale at ale.org> wrote:
> 
>  
> I wouldn't drag Snowden into a conversation about encryption. There's 
> likely a mix of truth and falsehoods in his narratives about what he 
> states was going on. Having had the opportunity to meet people in that 
> community, it becomes readily apparent that we most certainly don't have 
> the whole story.  Another way to view it would be to say "am I really 
> important enough that someone wants to waste a lot of resources to pay 
> attention to me?" because the work those agencies do is very resource 
> intensive. Vacuuming up every single conversation by every single person 
> inside and outside the country every minute of every day looking for 
> anything is beyond monumental even if it wasn't encrypted. The story 
> makes for great television ratings but the actual details are tossed aside.
> 
> Where the use of encryption and signatures would become useful is 
> combating all of the crime happening online. Phishing, DNS spoofing, 
> MITM, data at rest, and more. We're slowly getting there but there's 
> still a lot of work to do.
> 
> The idea of backdoors to encryption pop up over and over again so it's 
> nothing really new. The politicians drop it only when there's a new 
> soundbite that is far more appealing to voters and/or donors (mainly 
> donors).
> 
> Here's a way to think about that one: at one point early on it was easy 
> and not prohibited to listen to cell phone calls (this during the AMPS 
> days). Many people complained but nothing happened to change 
> that...until someone eavesdropped on some politicians (specifically a 
> call between Newt Gingrich and John Boehner plus a few others in a 
> conference call) and suddenly it was illegal to own a scanner or other 
> device that could tune into the cellular frequencies.
> 
> So if someone were to put in a backdoor, the keys would be found and the 
> high and mighty that also need to use that encryption will have their 
> data plastered everywhere. One might say "Well they could just use 
> encryption for themselves and make the rest of us use backdoored 
> encryption" which, on its face is true, but the reality of the Internet, 
> cellular data networks, and others is that it just won't be feasible to 
> do that. Politicians still shop online, use personal phones, go to 
> restaurants and shops that utilize POS networks, and walk or drive past 
> hundreds of thousands of security cameras public and private. There 
> would be no way to establish a complete secondary private network for 
> their exclusive use immune to attack and would be forced to give up all 
> their creature comforts. If they tried to create that shadow network, 
> word would leak out, they'd become even bigger targets and the entire 
> world would descend on it with relentless attacks to break into it.
> 
> That same story line plays out over and over in smaller ways throughout 
> digital history. The Clipper chip, DRM in games, many companies storing 
> credit card data in their servers using weak encryption and probably 
> thousands of events we didn't hear about because they were small potatoes.
> 
> On 2022-01-04 16:11, jon.maddog.hall--- via Ale wrote:
> > Another reason for increasing the use of GPG and other encryption....
> > 
> > One of the main drivers of the US Revolutionary War was the practice of the British government of breaking into the homes of citizens and searching these homes at any time for any reason.
> > 
> > It was out of this that the Constitution protects us from searches without cause, and without a legally issued search warrant granted by a judge based on evidence that your home should be searched.....and evidence of other crimes not mentioned in the search warrant should be ignored.
> > 
> > Eventually this was extended to communications which should be considered to be private unless there is some type of evidence that it is for illegal things, and only when there is a search warrant issued should agencies know what we are communicating.
> > 
> > The Patriot Act put a hole in this protection due to the threat of terrorism.   Then Edward Snowden showed us that federal agencies were not respecting even these protections.
> > 
> > Some people (correctly) say that with enough CPU power you can break any encryption, and in the long run that is true, and weak encryption is particularly vulnerable to newer technologies coming out.
> > 
> > However, what if everyone encrypted everything all the time?   Even things like lunch menus, love letters, instruction letters to your children.   Now there are so many encrypted documents that even powerful agencies with powerful computers will not know what to decrypt.   They will have to go back to the way they did it before, getting other evidence pointing to some heinous act, then either focusing their decryption techniques on *some* communications, or actually showing up at your house and asking you to decrypt the communications.....at least allowing you to know that your email or documents have been under suspicion.
> > 
> > Every so often (the mid 1980s and again right after 9/11) I had to write four or five page letters to various lawmakers explaining to them how trying to limit encryption was both useless and stupid (and yes, I literally used those terms), how good encryption was the basis of good authentication, and if you can not tell who you are actually talking to.....
> > 
> > Fortunately they listened to me (or I think they did) because several days after I sent the letter they dropped their efforts to limit encryption....
> > 
> > md
> > 
> > 
> > 
> >>      On 01/04/2022 9:13 AM Charles Shapiro via Ale <ale at ale.org> wrote:
> >>
> >>
> >>      I have posted my revised GnuPG Howto at http://tomshiro.org/gpghowto
> >>
> >>      -- CHS
> >>