[ale] Revised GPG Howto

Jim Kinney jim.kinney at gmail.com
Wed Jan 5 17:56:08 EST 2022


Let's Encrypt is an easy-to-use, moderately easy-to-set-up process that will auto-update an SSL cert provided you can add a text entry into your DNS to prove ownership. Highly recommend!

On January 5, 2022 3:20:15 PM EST, Charles Shapiro via Ale <ale at ale.org> wrote:
>Okay, I (and most people on this list I expect) know where we stand on
>the politics of Strong encryption. I am most interested in making sure
>that the howtos which I have published are 1) Accurate and 2)
>Comprehensible. Extra credit if I don't accidentally tick people off in
>them.
>
>As you can see, I am still struggling to take my own site from http: to
>https:. Routine encryption of all electronic communication would be
>great. Until the world can achieve that laudable goal, it's vital to
>spread understanding of the tools which are available here and now.
>That's what I am trying to achieve.
>
>-- CHS
>
>On Wed, Jan 5, 2022 at 8:47 AM jon.maddog.hall--- via Ale <ale at ale.org>
>wrote:
>
>> Hi Alex,
>>
>> >Having had the opportunity to meet people in that community
>>
>> I have had the "opportunity to meet people in that community" too, and
>> my people say that what Snowden reported is more than accurate.
>>
>> Snowden never said that they swept up *everything* that *everyone*
>> said, emailed, cat-pictured, etc. What he did say is that they were
>> capturing and looking at things which they had no legal right to look
>> at, and (to spice up the news story) some of these included what John
>> Oliver calls "dick pics". I found it amusing that the mainstream people
>> on the street (literally) were mostly concerned about the "dick pics".
>>
>> >"am I really important enough that someone wants to waste a lot of
>> >resources to pay attention to me?"
>>
>> No, what you should be thinking about is whether or not a rogue agent
>> or agency might use some information that they illegally obtained
>> against you in the future. The rogue agents have the resources "to
>> waste" because it is not *their* resources that they are wasting. It is
>> *our* resources, that *we* paid for.
>>
>> People also think that they are "not important enough" for ransomware
>> attacks, "not important enough" to have people break into their
>> accounts....
>>
>> >We're slowly getting there but there's still a lot of work to do.
>>
>> Agreed, and we have been slowly getting there since Phil Zimmermann
>> pushed the envelope in the early 1990s. By that time I was well aware
>> of the Arms Export Control Act and how it almost blocked DEC shipping
>> Ultrix-32 V1.0 because we had (gasp) encryption in it.
>>
>> Yes, the BSD 4.1c version of code had the crypt command and library
>> which produced a very weak encryption and was also used in the login
>> process and for storing encrypted passwords in the /etc/password file
>> (as you probably remember). So we had to stop distribution, remove the
>> libraries to a separately shipped package (shipped only to Proud Boys*
>> and other domestic terrorists) and prove to the government that the
>> encryption used in the password file was one-way only.
>>
>> Never mind that BSD had already shipped all over the world. Never mind
>> that the principles behind encryption at a much stronger level were
>> taught to schoolchildren in China and Russia. Never mind that the USA
>> was losing our best cryptographic specialists to Canada (because they
>> could then sell their services around the world and also to the USA).
>>
>> That was my first four page letter.
>>
>> > The idea of backdoors to encryption pops up over and over again so
>> > it's nothing really new.
>>
>> You are right, but the rest of what you write only seems to support
>> what I said. We can not trust the companies like Apple and Microsoft to
>> protect us. And even if they could use lawyers to fight against
>> unlawful surveillance the "powers that be" could simply go to a judge
>> and get a court order to gather the information.
>>
>> If you really want to be paranoid, you might think about an agency
>> creating a chip whose microcode has the trap door built into it, that
>> they could turn on and off anytime they wanted to do that. Then placing
>> that chip in a board and making sure that board is the one you bought.
>> "But maddog...doing that would cost millions, or even billions of
>> dollars". Yes, and that is how much money we are talking about.
>>
>> Now let's pretend that we are not US citizens. Or that we are not US
>> citizens talking to another US citizen, and it is legal for them to spy
>> on us because we might be foreign terrorists. They have "justified" the
>> development expense, now they only have the expense of deployment.
>>
>> This is why RISC-V is so interesting to me. A RISC architecture so
>> simple you could actually fabricate yourself. With Free Software that
>> you can look at it and see what it is doing.
>>
>> While it is true that most of us do not have the expertise or energy to
>> do this, as a combined group we might.
>>
>> And in the end, with Free Software and Open Hardware we could have at
>> least the ability to encrypt our own messages, and make it harder for
>> them to do illegal, undetected spying.
>>
>> Warmest regards,
>>
>> maddog
>>
>> *I was only kidding about the Proud Boys...modern domestic terrorists
>> were just getting underway in the early 1990s and they were probably
>> still using DOS.
>>
>> > On 01/05/2022 2:01 AM Alex Carver via Ale <ale at ale.org> wrote:
>> >
>> >
>> > I wouldn't drag Snowden into a conversation about encryption. There's
>> > likely a mix of truth and falsehoods in his narratives about what he
>> > states was going on. Having had the opportunity to meet people in that
>> > community, it becomes readily apparent that we most certainly don't
>> > have the whole story. Another way to view it would be to say "am I
>> > really important enough that someone wants to waste a lot of resources
>> > to pay attention to me?" because the work those agencies do is very
>> > resource intensive. Vacuuming up every single conversation by every
>> > single person inside and outside the country every minute of every day
>> > looking for anything is beyond monumental even if it wasn't encrypted.
>> > The story makes for great television ratings but the actual details
>> > are tossed aside.
>> >
>> > Where the use of encryption and signatures would become useful is
>> > combating all of the crime happening online. Phishing, DNS spoofing,
>> > MITM, data at rest, and more. We're slowly getting there but there's
>> > still a lot of work to do.
>> >
>> > The idea of backdoors to encryption pops up over and over again so
>> > it's nothing really new. The politicians drop it only when there's a
>> > new soundbite that is far more appealing to voters and/or donors
>> > (mainly donors).
>> >
>> > Here's a way to think about that one: at one point early on it was
>> > easy and not prohibited to listen to cell phone calls (this during the
>> > AMPS days). Many people complained but nothing happened to change
>> > that...until someone eavesdropped on some politicians (specifically a
>> > call between Newt Gingrich and John Boehner plus a few others in a
>> > conference call) and suddenly it was illegal to own a scanner or other
>> > device that could tune into the cellular frequencies.
>> >
>> > So if someone were to put in a backdoor, the keys would be found and
>> > the high and mighty that also need to use that encryption will have
>> > their data plastered everywhere. One might say "Well they could just
>> > use encryption for themselves and make the rest of us use backdoored
>> > encryption" which, on its face is true, but the reality of the
>> > Internet, cellular data networks, and others is that it just won't be
>> > feasible to do that. Politicians still shop online, use personal
>> > phones, go to restaurants and shops that utilize POS networks, and
>> > walk or drive past hundreds of thousands of security cameras public
>> > and private. There would be no way to establish a complete secondary
>> > private network for their exclusive use immune to attack and would be
>> > forced to give up all their creature comforts. If they tried to create
>> > that shadow network, word would leak out, they'd become even bigger
>> > targets and the entire world would descend on it with relentless
>> > attacks to break into it.
>> >
>> > That same story line plays out over and over in smaller ways
>> > throughout digital history. The Clipper chip, DRM in games, many
>> > companies storing credit card data in their servers using weak
>> > encryption and probably thousands of events we didn't hear about
>> > because they were small potatoes.
>> >
>> > On 2022-01-04 16:11, jon.maddog.hall--- via Ale wrote:
>> > > Another reason for increasing the use of GPG and other encryption....
>> > >
>> > > One of the main drivers of the US Revolutionary War was the practice of the British government of breaking into the homes of citizens and searching these homes at any time for any reason.
>> > >
>> > > It was out of this that the Constitution protects us from searches without cause, and without a legally issued search warrant granted by a judge based on evidence that your home should be searched.....and evidence of other crimes not mentioned in the search warrant should be ignored.
>> > >
>> > > Eventually this was extended to communications which should be considered to be private unless there is some type of evidence that it is for illegal things, and only when there is a search warrant issued should agencies know what we are communicating.
>> > >
>> > > The Patriot Act put a hole in this protection due to the threat of terrorism. Then Edward Snowden showed us that federal agencies were not respecting even these protections.
>> > >
>> > > Some people (correctly) say that with enough CPU power you can break any encryption, and in the long run that is true, and weak encryption is particularly vulnerable to newer technologies coming out.
>> > >
>> > > However, what if everyone encrypted everything all the time? Even things like lunch menus, love letters, instruction letters to your children. Now there are so many encrypted documents that even powerful agencies with powerful computers will not know what to decrypt. They will have to go back to the way they did it before, getting other evidence pointing to some heinous act, then either focusing their decryption techniques on *some* communications, or actually showing up at your house and asking you to decrypt the communications.....at least allowing you to know that your email or documents have been under suspicion.
>> > >
>> > > Every so often (the mid 1980s and again right after 9/11) I had to write four or five page letters to various lawmakers explaining to them how trying to limit encryption was both useless and stupid (and yes, I literally used those terms), how good encryption was the basis of good authentication, and if you can not tell who you are actually talking to.....
>> > >
>> > > Fortunately they listened to me (or I think they did) because several days after I sent the letter they dropped their efforts to limit encryption....
>> > >
>> > > md
>> > >
>> > >
>> > >
>> > >>      On 01/04/2022 9:13 AM Charles Shapiro via Ale <ale at ale.org> wrote:
>> > >>
>> > >>
>> > >>      I have posted my revised GnuPG Howto at http://tomshiro.org/gpghowto
>> > >>
>> > >>      -- CHS
>> > >>
>> > >>      _______________________________________________
>> > _______________________________________________
>> > Ale mailing list
>> > Ale at ale.org
>> > https://mail.ale.org/mailman/listinfo/ale
>> > See JOBS, ANNOUNCE and SCHOOLS lists at
>> > http://mail.ale.org/mailman/listinfo

-- 
Computers amplify human error
Super computers are really cool