Mailing List Archive

In case you use OpenPGP on a smartphone ...
... you may like to check out Mr. Snowden's YouTube video:

https://www.youtube.com/watch?v=wltrint1JrA

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
Is it possible to link the original source material (Snowden's speech or interview or whatever) rather than this video which could, for example, be a montage of several different speeches or interviews?

Sincerely,

Chiraag
--
?????? ??????
Pronouns: he/him/his

07/08/20 13:35 ?????, Stefan Claas <sac@300baud.de> ??????:
>
> ... you may like to check out Mr. Snowden's YouTube video:
>
> https://www.youtube.com/watch?v=wltrint1JrA
>
> Regards
> Stefan
>
> --
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion
>
Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
?????? ?????? via Gnupg-users wrote:

> Is it possible to link the original source material (Snowden's speech or interview or whatever) rather than this video which
> could, for example, be a montage of several different speeches or interviews?
>
> Sincerely,
>
> Chiraag

Apologies, I currently have no other sources, wish I had.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
Stefan Claas wrote:

> ?????? ?????? via Gnupg-users wrote:
>
> > Is it possible to link the original source material (Snowden's speech or interview or whatever) rather than this video which
> > could, for example, be a montage of several different speeches or interviews?
> >
> > Sincerely,
> >
> > Chiraag
>
> Apologies, I currently have no other sources, wish I had.

P.S. I also sent a message to Mr Snowden via Twitter, but
I doubt he will see it, because of his over 4 million
followers, who might write to him too.

And yesterday I wrote an email to NSO group, asking if
their latest release of Pegasus is capable of doing
this. But no reply yet ...

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
Isn't the NSO group Israeli, not Russian as claimed in the video? https://en.wikipedia.org/wiki/NSO_Group

Sincerely,

Chiraag
--
?????? ??????
Pronouns: he/him/his

07/08/20 16:12 ?????, Stefan Claas <sac@300baud.de> ??????:
>
> Stefan Claas wrote:
>
> > ?????? ?????? via Gnupg-users wrote:
> >
> > > Is it possible to link the original source material (Snowden's speech or interview or whatever) rather than this video which
> > > could, for example, be a montage of several different speeches or interviews?
> > >
> > > Sincerely,
> > >
> > > Chiraag
> >
> > Apologies, I currently have no other sources, wish I had.
>
> P.S. I also sent a message to Mr Snowden via Twitter, but
> I doubt he will see it, because of his over 4 million
> followers, who might write to him too.
>
> And yesterday I wrote an email to NSO group, asking if
> their latest release of Pegasus is capable of doing
> this. But no reply yet ...
>
> Regards
> Stefan
>
> --
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion
>
Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
?????? ?????? via Gnupg-users wrote:

> Isn't the NSO group Israeli, not Russian as claimed in the video? https://en.wikipedia.org/wiki/NSO_Group

Yes, as understood. I think it really doesn't matter where Pegasus comes from.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
Stefan Claas wrote:

> ?????? ?????? via Gnupg-users wrote:
>
> > Isn't the NSO group Israeli, not Russian as claimed in the video? https://en.wikipedia.org/wiki/NSO_Group
>
> Yes, as understood. I think it really doesn't matter where Pegasus comes from.

This article showed up today, when I did a Google search again:

<https://tech.firstlook.media/how-to-defend-against-pegasus-nso-group-s-sophisticated-spyware>

Trustworthy source.

Regards
Stefan
--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
Stefan Claas wrote:

> Stefan Claas wrote:
>
> > ?????? ?????? via Gnupg-users wrote:
> >
> > > Isn't the NSO group Israeli, not Russian as claimed in the video? https://en.wikipedia.org/wiki/NSO_Group
> >
> > Yes, as understood. I think it really doesn't matter where Pegasus comes from.
>
> This article showed up today, when I did a Google search again:
>
> <https://tech.firstlook.media/how-to-defend-against-pegasus-nso-group-s-sophisticated-spyware>
>
> Trustworthy source.

Mmmhhh, it is getting 'better and better' for smartphone users.

https://www.androidauthority.com/government-tracking-apps-1145989/

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
On Sunday, August 09, 2020 at 10:06:13 p.m. +0200, Stefan Claas wrote:

> > This article showed up today, when I did a Google search again:
> >
> > <https://tech.firstlook.media/how-to-defend-against-pegasus-nso-group-s-sophisticated-spyware>
> >
> > Trustworthy source.
>
> Mmmhhh, it is getting 'better and better' for smartphone users.
>
> https://www.androidauthority.com/government-tracking-apps-1145989/
>

One can use a Linux mobile phone running UBports.com (as I and all my family do)
or the upcoming Puri.sm L5 (as I pre-ordered in October 2017).

Stop whining, stand up and fight and protect yourself.

matthias


--
Matthias Apitz, ? guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May, 9: ???????? ????????????! Thank you very much, Russian liberators!

Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
Matthias Apitz wrote:

> On Sunday, August 09, 2020 at 10:06:13 p.m. +0200, Stefan Claas wrote:
>
> > > This article showed up today, when I did a Google search again:
> > >
> > > <https://tech.firstlook.media/how-to-defend-against-pegasus-nso-group-s-sophisticated-spyware>
> > >
> > > Trustworthy source.
> >
> > Mmmhhh, it is getting 'better and better' for smartphone users.
> >
> > https://www.androidauthority.com/government-tracking-apps-1145989/
> >
>
> One can use a Linux mobile phone running UBports.com (as I and all my family do)
> or the upcoming Puri.sm L5 (as I pre-ordered in October 2017).

Yes, people already gave me (not from here, of course) good advice on other OSs
which one can use. The question is how long those OSs will stay unaffected ...

> Stop whining, stand up and fight and protect yourself.

I am not whining ... I only wanted to let the people know. Also very
interesting that only one person in this thread replied, besides you ...

Regards
Stefan


--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
10/08/20 09:07 ?????, Stefan Claas <sac@300baud.de> ??????:
>
> Matthias Apitz wrote:
>
> > On Sunday, August 09, 2020 at 10:06:13 p.m. +0200, Stefan Claas wrote:
> >
> > > > This article showed up today, when I did a Google search again:
> > > >
> > > > <https://tech.firstlook.media/how-to-defend-against-pegasus-nso-group-s-sophisticated-spyware>
> > > >
> > > > Trustworthy source.
> > >
> > > Mmmhhh, it is getting 'better and better' for smartphone users.
> > >
> > > https://www.androidauthority.com/government-tracking-apps-1145989/
> > >
> >
> > One can use a Linux mobile phone running UBports.com (as I and all my family do)
> > or the upcoming Puri.sm L5 (as I pre-ordered in October 2017).
>
> Yes, people already gave me (not from here, of course) good advice on other OSs
> which one can use. The question is how long those OSs will stay unaffected ...
>
> > Stop whining, stand up and fight and protect yourself.
>
> I am not whining ... I only wanted to let the people know. Also very
> interesting that only one person in this thread replied, besides you ...

I was wary of storing my private GPG keys on my phone (if only because of theft/loss/etc), so I set up my keys on a Yubikey and use that to decrypt stuff on my phone. From what I understand, even if they were to obtain secrets decrypted by the Yubikey or exfiltrate private files, they would not be able to actually decrypt them given that the key resides on the Yubikey (if the private key were on the phone itself, they'd "just" have to crack the passphrase or whatever, which would presumably be much easier...).

Just another way to mitigate the risk of stuff like this.

Sincerely,

Chiraag
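Chiraag's point is that the private key material stays on the token, so the check a practitioner would want is that the local keyring really holds only card stubs. This added example (not code from the thread or from GnuPG) parses the machine-readable output of `gpg --with-colons --with-secret --list-secret-keys`; the sample listing, key IDs and token serial number are constructed.

```python
"""Classify GnuPG secret keys as card stubs or on-disk material.

In a sec/ssb record of GnuPG's --with-colons output, field 15 ("S/N of a
token") holds the smart-card serial number when the key is a card stub,
'#' when the key is an unusable stub with no secret material at all, and
'+' (with --with-secret) when the secret key is present in the keyring
on disk.  An empty field is treated as unknown rather than guessed.
"""
import subprocess
from typing import Dict, List

# Constructed sample listing (not captured from a real keyring): primary key
# and first subkey live on a token, second subkey is on disk, third is a
# bare stub.  Key IDs and the serial number are made up.
SAMPLE_LISTING = """\
sec:u:4096:1:0123456789ABCDEF:1596800000::::::scESC:::D2760001240103040006012345670000::::
fpr:::::::::0000000000000000000000000123456789ABCDEF:
ssb:u:4096:1:FEDCBA9876543210:1596800000::::::e:::D2760001240103040006012345670000::::
ssb:u:4096:1:1111222233334444:1596800000::::::e:::+::::
ssb:u:4096:1:5555666677778888:1596800000::::::a:::#::::
"""


def classify_secret_keys(colon_output: str) -> Dict[str, str]:
    """Map each sec/ssb key ID to where its private material lives."""
    result: Dict[str, str] = {}
    for line in colon_output.splitlines():
        fields = line.split(":")
        # Field numbers in the GnuPG docs are 1-based; index 14 is field 15.
        if len(fields) < 15 or fields[0] not in ("sec", "ssb"):
            continue
        keyid, token = fields[4], fields[14]
        if token == "#":
            result[keyid] = "stub-no-secret"
        elif token == "+":
            result[keyid] = "on-disk"
        elif token:
            result[keyid] = "card:" + token
        else:
            result[keyid] = "unknown"
    return result


def keys_exposed_on_host(colon_output: str) -> List[str]:
    """Key IDs whose secret material a compromised host could copy, i.e.
    everything not confined to a token.  Unknown entries are included so
    they are reviewed rather than silently trusted."""
    return sorted(k for k, where in classify_secret_keys(colon_output).items()
                  if where in ("on-disk", "unknown"))


def list_local_secret_keys() -> str:
    """Query the real keyring; requires gpg in PATH (not used by the test)."""
    proc = subprocess.run(
        ["gpg", "--with-colons", "--with-secret", "--list-secret-keys"],
        capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    for keyid, where in classify_secret_keys(SAMPLE_LISTING).items():
        print(keyid, where)
    print("exposed:", keys_exposed_on_host(SAMPLE_LISTING))
```

Running it against the sample flags 1111222233334444 as on-disk; against a real keyring, any such entry means a compromised phone could exfiltrate that subkey's secret material.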
Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
Dear Chiraag,

I've been thinking of a similar setup with my GPG keys on a smart card
to encrypt/decrypt data on my android phone.
Could you be more specific about your setup?

thank you
Dmitry

On 10.08.2020 17:27, ?????? ?????? via Gnupg-users wrote:
> 10/08/20 09:07 ?????, Stefan Claas <sac@300baud.de> ??????:
>>
>> Matthias Apitz wrote:
>>
>>> On Sunday, August 09, 2020 at 10:06:13 p.m. +0200, Stefan Claas wrote:
>>>
>>>>> This article showed up today, when I did a Google search again:
>>>>>
>>>>> <https://tech.firstlook.media/how-to-defend-against-pegasus-nso-group-s-sophisticated-spyware>
>>>>>
>>>>> Trustworthy source.
>>>>
>>>> Mmmhhh, it is getting 'better and better' for smartphone users.
>>>>
>>>> https://www.androidauthority.com/government-tracking-apps-1145989/
>>>>
>>>
>>> One can use a Linux mobile phone running UBports.com (as I and all my family do)
>>> or the upcoming Puri.sm L5 (as I pre-ordered in October 2017).
>>
>> Yes, people already gave me (not from here, of course) good advice on other OSs
>> which one can use. The question is how long those OSs will stay unaffected ...
>>
>>> Stop whining, stand up and fight and protect yourself.
>>
>> I am not whining ... I only wanted to let the people know. Also very
>> interesting that only one person in this thread replied, besides you ...
>
> I was wary of storing my private GPG keys on my phone (if only because of theft/loss/etc), so I set up my keys on a Yubikey and use that to decrypt stuff on my phone. From what I understand, even if they were to obtain secrets decrypted by the Yubikey or exfiltrate private files, they would not be able to actually decrypt them given that the key resides on the Yubikey (if the private key were on the phone itself, they'd "just" have to crack the passphrase or whatever, which would presumably be much easier...).
>
> Just another way to mitigate the risk of stuff like this.
>
> Sincerely,
>
> Chiraag
>
>
>
Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
?????? ?????? via Gnupg-users wrote:

> 10/08/20 09:07 ?????, Stefan Claas <sac@300baud.de> ??????:
> >
> > Matthias Apitz wrote:
> >
> > > On Sunday, August 09, 2020 at 10:06:13 p.m. +0200, Stefan Claas wrote:
> > >
> > > > > This article showed up today, when I did a Google search again:
> > > > >
> > > > > <https://tech.firstlook.media/how-to-defend-against-pegasus-nso-group-s-sophisticated-spyware>
> > > > >
> > > > > Trustworthy source.
> > > >
> > > > Mmmhhh, it is getting 'better and better' for smartphone users.
> > > >
> > > > https://www.androidauthority.com/government-tracking-apps-1145989/
> > > >
> > >
> > > One can use a Linux mobile phone running UBports.com (as I and all my family do)
> > > or the upcoming Puri.sm L5 (as I pre-ordered in October 2017).
> >
> > Yes, people already gave me (not from here, of course) good advice on other OSs
> > which one can use. The question is how long those OSs will stay unaffected ...
> >
> > > Stop whining, stand up and fight and protect yourself.
> >
> > I am not whining ... I only wanted to let the people know. Also very
> > interesting that only one person in this thread replied, besides you ...
>
> I was wary of storing my private GPG keys on my phone (if only because of theft/loss/etc), so I set up my keys on a Yubikey
> and use that to decrypt stuff on my phone. From what I understand, even if they were to obtain secrets decrypted by the
> Yubikey or exfiltrate private files, they would not be able to actually decrypt them given that the key resides on the
> Yubikey (if the private key were on the phone itself, they'd "just" have to crack the passphrase or whatever, which would
> presumably be much easier...).
>
> Just another way to mitigate the risk of stuff like this.

Well, I do have YubiKeys and a Nitrokey too, but I would say that while they can't obtain your private key, they will for sure
know the passphrase (PIN) used and the content you encrypted/decrypted on your smartphone.

I came up yesterday with the idea of using an additional offline laptop[1] connected to my smartphone via a USB OTG cable
and an FTDI USB-to-USB cable; both together cost less than 20 USD. When both devices are connected, one uses CoolTerm
(cross-platform) on the laptop and Serial USB Terminal, available on the Play Store, on the Android device.

As I understand it (please, someone prove me wrong), an attacker would have a hard time learning the encrypted content
created on the offline laptop.

[1] I have to check whether there are mobile and inexpensive Raspberry Pi solutions available for purchase.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
10/08/20 18:05 ?????, bereska <bereska@hotmail.com> ??????:
> Dear Chiraag,
>
> I've been thinking of a similar setup with my GPG keys on a smart card
> to encrypt/decrypt data on my android phone.
> Could you be more specific about your setup?
>
> thank you
> Dmitry

Hi Dmitry,

I created a tutorial a while back on my website for setting this stuff up: https://chiraag.me/passwords/index.php

Let me know if you have questions or if anything's unclear!

Best,

Chiraag
Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
On Mon, 2020-08-10 at 17:14 +0200, Stefan Claas wrote:
> ?????? ?????? via Gnupg-users wrote:
>
> > 10/08/20 09:07 ?????, Stefan Claas <sac@300baud.de> ??????:
> > > Matthias Apitz wrote:
> > >
> > > > On Sunday, August 09, 2020 at 10:06:13 p.m. +0200, Stefan Claas wrote:
> > > >
> > > > > > This article showed up today, when I did a Google search again:
> > > > > >
> > > > > > <https://tech.firstlook.media/how-to-defend-against-pegasus-nso-group-s-sophisticated-spyware>
> > > > > >
> > > > > > Trustworthy source.
> > > > >
> > > > > Mmmhhh, it is getting 'better and better' for smartphone users.
> > > > >
> > > > > https://www.androidauthority.com/government-tracking-apps-1145989/
> > > > >
> > > >
> > > > One can use a Linux mobile phone running UBports.com (as I and all my family do)
> > > > or the upcoming Puri.sm L5 (as I pre-ordered in October 2017).
> > >
> > > Yes, people already gave me (not from here, of course) good advice on other OSs
> > > which one can use. The question is how long those OSs will stay unaffected ...
> > >
> > > > Stop whining, stand up and fight and protect yourself.
> > >
> > > I am not whining ... I only wanted to let the people know. Also very
> > > interesting that only one person in this thread replied, besides you ...
> >
> > I was wary of storing my private GPG keys on my phone (if only because of theft/loss/etc), so I set up my keys on a Yubikey
> > and use that to decrypt stuff on my phone. From what I understand, even if they were to obtain secrets decrypted by the
> > Yubikey or exfiltrate private files, they would not be able to actually decrypt them given that the key resides on the
> > Yubikey (if the private key were on the phone itself, they'd "just" have to crack the passphrase or whatever, which would
> > presumably be much easier...).
> >
> > Just another way to mitigate the risk of stuff like this.
>
> Well, I do have YubiKeys and a Nitrokey too, but I would say that while they can't obtain your private key, they will for sure
> know the passphrase (PIN) used and the content you encrypted/decrypted on your smartphone.
>
> I came up yesterday with the idea of using an additional offline laptop[1] connected to my smartphone via a USB OTG cable
> and an FTDI USB-to-USB cable; both together cost less than 20 USD. When both devices are connected, one uses CoolTerm
> (cross-platform) on the laptop and Serial USB Terminal, available on the Play Store, on the Android device.
>
> As I understand it (please, someone prove me wrong), an attacker would have a hard time learning the encrypted content
> created on the offline laptop.
>

Why use PGP on your phone if you carry a whole laptop with you anyway?

--
Best regards,
Michał Górny
Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
Michał Górny wrote:

[...]

> Why use PGP on your phone if you carry a whole laptop with you anyway?

Good question. There is software for Android available called OpenKeychain,
which, as I understand it, is the de facto standard for Android smartphone users,
in combination with a MUA for Android.

The question IMHO now is what should mobile device users do now? I showed
a solution, assuming those users have an offline laptop too, which then
would allow them to comfortably and securely create their messages.

Not all people can purchase now a new smartphone with a more secure OpenSource
OS and new SIM, I assume.

I also do not know whether it is common for people to use a (compromised?) online
laptop, like a smartphone, when on the road.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
I was thinking about getting an app called iPGMail for iPhone/iPad to
use PGP on them. From my very limited experience it looks like it might
be a good choice as well.

On 8/10/2020 8:49 AM, Stefan Claas wrote:
> Michał Górny wrote:
>
> [...]
>
>> Why use PGP on your phone if you carry a whole laptop with you anyway?
> Good question. There is software for Android available called OpenKeychain,
> which, as I understand it, is the de facto standard for Android smartphone users,
> in combination with a MUA for Android.
>
> The question IMHO now is what should mobile device users do now? I showed
> a solution, assuming those users have an offline laptop too, which then
> would allow them to comfortably and securely create their messages.
>
> Not all people can purchase now a new smartphone with a more secure OpenSource
> OS and new SIM, I assume.
>
> I also do not know whether it is common for people to use a (compromised?) online
> laptop, like a smartphone, when on the road.
>
> Regards
> Stefan
>

Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
On Monday, August 10, 2020 at 09:07:51 +0200, Stefan Claas wrote:

> > One can use a Linux mobile phone running UBports.com (as I and all my family do)
> > or the upcoming Puri.sm L5 (as I pre-ordered in October 2017).
>
> Yes, people already gave me (not from here, of course) good advice on other OSs
> which one can use. The question is how long those OSs will stay unaffected ...

The kernel and all apps are OpenSource, i.e. people can (and do) read the
sources. It's impossible to build in backdoors. The attack could come
through the firmware in the chips (which are not OpenSource). For this
the Puri.sm L5 (and the laptops they make also) have 3 hardware switches to
power off WiFi, Cellular, and Microphone/Cameras (all 3 will turn off GPS).

The authorities cannot track you. See:

https://puri.sm/products/librem-5/

matthias

--
Matthias Apitz, ? guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May, 9: ???????? ????????????! Thank you very much, Russian liberators!

Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
Matthias Apitz wrote:

> On Monday, August 10, 2020 at 09:07:51 +0200, Stefan Claas wrote:
>
> > > One can use a Linux mobile phone running UBports.com (as I and all my family do)
> > > or the upcoming Puri.sm L5 (as I pre-ordered in October 2017).
> >
> > Yes, people already gave me (not from here, of course) good advice on other OSs
> > which one can use. The question is how long those OSs will stay unaffected ...
>
> The kernel and all apps are OpenSource, i.e. people can (and do) read the
> sources. It's impossible to build in backdoors. The attack could come
> through the firmware in the chips (which are not OpenSource). For this
> the Puri.sm L5 (and the laptops they make also) have 3 hardware switches to
> power off WiFi, Cellular, and Microphone/Cameras (all 3 will turn off GPS).
>
> The authorities cannot track you. See:
>
> https://puri.sm/products/librem-5/

Thanks for the information! While it is a nice product, according to their web site,
they say they run Gnu/Linux. Do you think that Gnu/Linux can't be hacked? Or better
said, should we all (those who use encryption software often) still use it directly
on online devices?

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
Mark wrote:

> I was thinking about getting an app called iPGMail for iPhone/iPad to
> use PGP on them. From my very limited experience it looks like it might
> be a good choice as well.

For me it looks like encryption à la OpenPGP, whether on iOS or Android,
is unfortunately dead, after I have seen Mr Snowden's YouTube video.

Based on my proposal, I would like to see in the future (OpenSource)
*hardware* based encryption products, for at least voice comms, which
is affordable for the majority of us and easy to use, so that people
do not need to use good old email encryption for important things,
on a mobile device.

https://www.securstar.com/en/phonecrypt-voice.html

Regards
Stefan


--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
On 11-08-2020 11:39, Stefan Claas wrote:

> Based on my proposal, I would like to see in the future (OpenSource)
> *hardware* based encryption products, for at least voice comms, which
> is affordable for the majority of us and easy to use, so that people
> do not need to use good old email encryption for important things,
> on a mobile device.

Why hardware? If a bug is found you can't upgrade it easily.

On mobile, encrypted messengers are the norm. WhatsApp is the biggest,
and it uses Signal's encryption algorithm which is excellent.

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html


Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
Johan Wevers wrote:

> On 11-08-2020 11:39, Stefan Claas wrote:
>
> > Based on my proposal, I would like to see in the future (OpenSource)
> > *hardware* based encryption products, for at least voice comms, which
> > is affordable for the majority of us and easy to use, so that people
> > do not need to use good old email encryption for important things,
> > on a mobile device.
>
> Why hardware? If a bug is found you can't upgrade it easily.

Because hardware can't be tampered with like software.

> On mobile, encrypted messengers are the norm. WhatsApp is the biggest,
> and it uses Signal's encryption algorithm which is excellent.

And you think that continuing with those is a good practice since
Mr Snowden's YouTube Video was released?

You may like to read an older brochure of Pegasus and then tell us
your thoughts.

https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html

or Google for zero-click attacks/exploits.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
11/08/20 17:18 ?????, Stefan Claas <sac@300baud.de> ??????:
>
> And you think that continuing with those is a good practice since
> Mr Snowden's YouTube Video was released?

I mean, don't you think it's odd that you can't find a single other source for those statements coming from Snowden? And don't you find it odd that Pegasus is claimed to be a Russian group, when in fact they're Israeli (showing a basic lack of care regarding factual statements that are easily verified or debunked)? I don't think Snowden would make that sort of mistake, and I would think we'd see a lot more articles or videos or whatever about this.

Is Pegasus dangerous? Absolutely. Do I take the claims in the video at face value? Not really, no. And I doubt that Snowden actually said all of those things as one coherent statement (although they might be various statements taken from various different interviews or speeches or whatever).

The whole veracity of the video rests on Snowden's authority, and I suspect the people who made the video are banking on people trusting it because it seems to come from Snowden.

Sincerely,

Chiraag
Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
?????? ?????? via Gnupg-users wrote:

>
> 11/08/20 17:18 ?????, Stefan Claas <sac@300baud.de> ??????:
> >
> > And you think that continuing with those is a good practice since
> > Mr Snowden's YouTube Video was released?
>
> I mean, don't you think it's odd that you can't find a single other source for those statements coming from Snowden? And
> don't you find it odd that Pegasus is claimed to be a Russian group, when in fact they're Israeli (showing a basic lack of
> care regarding factual statements that are easily verified or debunked)? I don't think Snowden would make that sort of
> mistake, and I would think we'd see a lot more articles or videos or whatever about this.
>
> Is Pegasus dangerous? Absolutely. Do I take the claims in the video at face value? Not really, no. And I doubt that Snowden
> actually said all of those things as one coherent statement (although they might be various statements taken from various
> different interviews or speeches or whatever).
>
> The whole veracity of the video rests on Snowden's authority, and I suspect the people who made the video are banking on
> people trusting it because it seems to come from Snowden.

Please ask native U.S. citizens if this is a video with a faked voice from Mr. Snowden, not me.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
It matters little whether these statements were made by Snowden. Whether a particular piece of software exists or not, and whether it is owned by the Russians or the Israelis or the Americans, is beside the point. In principle, it can exist and similar pieces of software have existed in the past, so we can safely assume that something like it will always exist in some form or another.

If someone roots your phone, or your laptop, it is Game Over. It does not matter if you are using Signal, or WhatsApp, or PGP. If the Bad Guys have rooted your phone you are helpless against them. The solution is not to let them root your phone in the first place (i.e. update regularly and don’t click on anything unsolicited), and don’t use your phone for anything that would endanger your life if you were rooted.

Andrew Gallagher

> On 11 Aug 2020, at 17:18, Stefan Claas <sac@300baud.de> wrote:
>
> Please ask native U.S. citizens if this is a video with a faked voice from Mr. Snowden, not me.

Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
Andrew Gallagher wrote:

> It matters little whether these statements were made by Snowden. Whether a particular piece of software exists or not, and
> whether it is owned by the Russians or the Israelis or the Americans, is beside the point. In principle, it can exist and
> similar pieces of software have existed in the past, so we can safely assume that something like it will always exist in some
> form or another.

Fully agree!

> If someone roots your phone, or your laptop, it is Game Over. It does not matter if you are using Signal, or WhatsApp, or
> PGP. If the Bad Guys have rooted your phone you are helpless against them. The solution is not to let them root your phone in
> the first place (i.e. update regularly and don’t click on anything unsolicited), and don’t use your phone for anything that
> would endanger your life if you were rooted.

I must admit that I have only been using a smartphone for a couple of months now, because I wanted to see what things I can do with it.
Besides that, I must also say that I am no fan of smartphone technology.

You say that we must be careful that no one roots our smartphone. As I understand it, a Pegasus operator can do whatever
he likes remotely and anonymously with our (Android/iOS) smartphone, without us knowing that this happens. And then
some people may also have problems with their desktop computer, in case FinFisher and friends allow zero-click attacks too, which
we don't know.

So, to sum it up (I know you prefer Tails), would you agree that sooner or later the community should develop strategies,
in the form of a cross-platform best-practice FAQ, to no longer use encryption software on online devices and work out
strategies to use offline devices and how to hand this data securely over to an online device, until proper and affordable
hardware encryption devices for online usage are available?

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ...
I suppose, you're right. I'm wary of blindly believing videos, especially when faking them has become relatively easy at this point.

I think one thing both Android and iOS get wrong is that the user isn't really in control of the device. So many manufacturer ROMs have built-in bloatware and various apps you'll never use, and there's no way to get rid of it. There are different classes of apps with differing levels of access to the internals of the OS, and there isn't much you can do about it. And on iOS, you're at the mercy of Apple as to whether your device remains supported and whether e.g. bugs in WebKit (the only renderer available on iOS) get fixed for your device. While custom ROMs solve some of these issues, most phones are bought with a locked bootloader (since most people aren't rich enough to buy their smartphones outright and end up leasing them through the service provider), which sort of renders that argument moot for *most* people.

Fundamentally, while a Linux phone may not necessarily have all of the hardening or whatever that many Android phones come with today, I'd argue that the privacy aspects, and the fact that the user truly _owns_ their device, more than make up for those (current) deficiencies. It will be easier, I think, to defend against what you're talking about in terms of malware, shady links, and so on because you have the opportunity to control literally *everything* running on your device.

Once I get my PinePhone, one of the first things I will be doing is playing around with things like firejail to see if I can get seamless sandboxing for most programs (I already heavily utilize firejail on my laptop). And I suspect that level of control (and ability to keep receiving updates, no matter how old the phone) will put Linux phones over the top in terms of security.

Sincerely,

Chiraag
--
?????? ??????
Pronouns: he/him/his

On 11/08/20 19:32, Andrew Gallagher <andrewg@andrewg.com> wrote:
>
> It matters little whether these statements were made by Snowden. Whether a particular piece of software exists or not, and whether it is owned by the Russians or the Israelis or the Americans, is beside the point. In principle, it can exist and similar pieces of software have existed in the past, so we can safely assume that something like it will always exist in some form or another.
>
> If someone roots your phone, or your laptop, it is Game Over. It does not matter if you are using Signal, or WhatsApp, or PGP. If the Bad Guys have rooted your phone you are helpless against them. The solution is not to let them root your phone in the first place (i.e. update regularly and don’t click on anything unsolicited), and don’t use your phone for anything that would endanger your life if you were rooted.
>
> Andrew Gallagher
>
> > On 11 Aug 2020, at 17:18, Stefan Claas <sac@300baud.de> wrote:
> >
> > Please ask native U.S. citizens if this is a video with a faked voice from Mr. Snowden, not me.
>
Re: In case you use OpenPGP on a smartphone ...
On 11-08-2020 17:18, Stefan Claas wrote:

>> Why hardware? If a bug is found you can't upgrade it easily.
>
> Because hardware can't be tampered with like software.

If a hardware bug is found you're still lost. Even Apple has found out
the hard way.

>> On mobile, encrypted messengers are the norm. WhatsApp is the biggest,
>> and it uses Signal's encryption algorithm which is excellent.
>
> And you think that continuing with those is a good practice since
> Mr Snowden's YouTube Video was released?

It is a risk, but not a bigger risk than someone taking over your pc or
laptop. Signal and GnuPG are both defenseless against that.

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html


Re: In case you use OpenPGP on a smartphone ...
On 8/11/2020 at 3:00 PM, "Stefan Claas" <sac@300baud.de> wrote:

...

>As understood a Pegasus operator can do what ever
>he likes to do remotely, anonymously with our (Android/iOS)
>smartphone, without that we know that this happens.

...

>in form of a best practice FAQ (cross-platform), to no longer use
>encryption software on online devices and work out
>strategies to use offline devices and how to handle this data
>securely over to an online device, until proper and affordable
>hardware encryption devices for online usage are available?

=====

There is already a simple existing solution.

[1] Encrypt and decrypt on a computer that has internet hardware disabled.

[2] Use an Orbic Journey V phone that gets and sends *only text*

[3] Use a microsd expansion card on the Orbic phone

[4] set up the phone to save encrypted texts on the microsd 'storage' card

[5] Take out the microsd card and use a card reader in the computer in [1] transfer text only (encrypted or decrypted)

Any file can be sent as encrypted text by using the armor option -a on the GnuPG command line.
(this includes audio, video .jpg, .png, pdf, etc. literally any and all possible file types.)

Even if the Orbic uses the *unknown* system, if you are encrypting and decrypting on a separate air-gapped computer, and transferring only text to a microsd, it is hard to see how it can be compromised.
(Yes *Anything* can happen, but without evidence, there is no end to paranoia)

It is not the place of the FAQ to solve the transmission issues of an already perfectly formed GnuPG encrypted .asc file.

The manual and/or FAQ, tells how to use GnuPG to encrypt or decrypt the file, and armor it.

The rest is up to the User's threat model.

(btw,
There is, [afaik], no protection available in GnuPG
against a Clairvoyancy attack vector on an encrypted file even in an air-gapped computer,
and there is a rumour that any Witch or Wizard can instantly behold the plaintext of an encrypted message
by flicking a wand at it, and using the simple charm 'Revelato' )

but not really in my threat model 8^))))


vedaal
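For step [5] of the workflow above, the online side has to trust that what came off the microsd card is still clean, text-only armor. The following is an added example, not code from this thread or from GnuPG: a small pure-Python encoder/decoder for the ASCII armor that `gpg -a` produces (RFC 4880 section 6), with the CRC-24 check that gpg itself performs. The payload it armors is a constructed byte blob, not real OpenPGP packets. The CRC-24 only catches transfer corruption (a flaky card, a mistyped character); tampering is caught by the signature or MDC that gpg verifies when it decrypts.

```python
import base64
import binascii
import re

# Constants from RFC 4880 section 6.1.
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

# Constructed stand-in for the bytes gpg would write: not real OpenPGP
# packets, just a deterministic 768-byte blob containing every byte value.
SAMPLE_PAYLOAD = bytes(range(256)) * 3


class ArmorError(ValueError):
    """Raised when the text that came off the card is not clean, intact armor."""


def crc24(data: bytes) -> int:
    """CRC-24 exactly as RFC 4880 section 6.1 specifies it (bitwise, no table)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes, block_type: str = "PGP MESSAGE", width: int = 64) -> str:
    """Wrap raw bytes the way `gpg -a` does: 64-column base64 plus a '=' CRC line."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    crc_b64 = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN {block_type}-----", ""] + lines
                     + [f"={crc_b64}", f"-----END {block_type}-----", ""])


def is_text_only(blob: str) -> bool:
    """True if the blob is printable ASCII plus CR/LF, i.e. safe for a text-only channel."""
    return all(c in "\r\n" or 0x20 <= ord(c) < 0x7F for c in blob)


def dearmor(text: str) -> bytes:
    """Parse one armored block, verify its CRC-24 and return the raw bytes."""
    if not is_text_only(text):
        raise ArmorError("non-ASCII bytes present: this is not clean armor")
    text = text.replace("\r\n", "\n")
    match = re.search(r"-----BEGIN (PGP [A-Z ]+)-----\n(.*?)-----END \1-----", text, re.S)
    if match is None:
        raise ArmorError("missing or mismatched BEGIN/END armor lines")
    body = match.group(2)
    # Optional armor headers ("Version:", "Comment:", ...) end at the first blank line.
    if "\n\n" in body:
        body = body.split("\n\n", 1)[1]
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if not lines or not lines[-1].startswith("="):
        raise ArmorError("missing CRC-24 line")
    try:
        payload = base64.b64decode("".join(lines[:-1]), validate=True)
        crc_given = int.from_bytes(base64.b64decode(lines[-1][1:], validate=True), "big")
    except binascii.Error as exc:
        raise ArmorError(f"bad base64: {exc}") from exc
    if crc_given != crc24(payload):
        raise ArmorError("CRC-24 mismatch: the text was corrupted in transfer")
    return payload


def check_transfer(text: str) -> tuple:
    """Online-side gate: (ok, reason). Only 'ok' blobs should be copied onward."""
    try:
        payload = dearmor(text)
    except ArmorError as exc:
        return False, str(exc)
    return True, f"{len(payload)} bytes of armored data, CRC-24 ok"


def simulate_bit_rot(blob: str) -> str:
    """Corrupt one base64 character of the first data line (a bad card or a typo)."""
    lines = blob.split("\n")
    first = 2  # index 0 is the BEGIN line, index 1 the blank header separator
    lines[first] = ("B" if lines[first][0] != "B" else "C") + lines[first][1:]
    return "\n".join(lines)


if __name__ == "__main__":
    blob = armor(SAMPLE_PAYLOAD)
    print(check_transfer(blob))
    print(check_transfer(simulate_bit_rot(blob)))
```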


Re: In case you use OpenPGP on a smartphone ...
Johan Wevers wrote:

> On 11-08-2020 17:18, Stefan Claas wrote:
>
> >> Why hardware? If a bug is found you can't upgrade it easily.
> >
> > Because hardware can't be tampered with like software.
>
> If a hardware bug is found you're still lost. Even Apple has found out
> the hard way.

Yes, you are right. While I am no programmer I would assume that designers
of such little hardware devices, same as YubiKey or Nitrokey for example,
do not have to deal with a boatload of large software components, burned
into ROMs.

> >> On mobile, encrypted messengers are the norm. WhatsApp is the biggest,
> >> and it uses Signal's encryption algorithm which is excellent.
> >
> > And you think that continuing with those is a good practice since
> > Mr Snowden's YouTube Video was released?
>
> It is a risk, but not a bigger risk than someone taking over your pc or
> laptop. Signal and GnuPG are both defenseless against that.

Yes, a risk, but at what price? I could imagine that many people do not
care too much if it hurts journalists or activists from foreign countries.

But how about cybercrimes in general?

https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ...
Yubikey dealt with a mass recall only last year due to a bug in their firmware: https://www.engadget.com/2019-06-13-yubico-recalls-government-grade-security-keys-due-to-bug.html
--
?????? ??????
Pronouns: he/him/his

On 11/08/20 22:10, Stefan Claas <sac@300baud.de> wrote:
>
> Johan Wevers wrote:
>
> > On 11-08-2020 17:18, Stefan Claas wrote:
> >
> > >> Why hardware? If a bug is found you can't upgrade it easily.
> > >
> > > Because hardware can't be tampered with like software.
> >
> > If a hardware bug is found you're still lost. Even Apple has found out
> > the hard way.
>
> Yes, you are right. While I am no programmer I would assume that designers
> of such little hardware devices, same as YubiKey or Nitrokey for example,
> do not have to deal with a boatload of large software components, burned
> into ROMS.
>
> > >> On mobile, encrypted messengers are the norm. WhatsApp is the biggest,
> > >> and it uses Signal's encryption algorithm which is excellent.
> > >
> > > And you think that continuing with those is a good practice since
> > > Mr Snowden's YouTube Video was released?
> >
> > It is a risk, but not a bigger risk than someone taking over your pc or
> > laptop. Signal and GnuPG are both defenseless against that.
>
> Yes, a risk, but at what price? I could imagine that many people do not
> care to much if it hurts journalists or activists from foreign countries.
>
> But how about cybercrimes in general?
>
> https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/
>
> Regards
> Stefan
>
> --
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion
>
Re: In case you use OpenPGP on a smartphone ...
On 11-08-2020 21:49, vedaal via Gnupg-users wrote:

> There is already a simple existing solution.

Simple is not how I see this.

> [1] Encrypt and decrypt on a computer that has internet hardware disabled.
> [2] Use an Orbic Journey V phone that gets and sends *only text*
> [3] Use a microsd expansion card on the orbis phone

The Iranians thought this too. And then someone invents a Stuxnet-like
attack software.

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html


Re: In case you use OpenPGP on a smartphone ...
?????? ?????? via Gnupg-users wrote:

> Yubikey dealt with a mass recall only last year due to a bug in their firmware:
> https://www.engadget.com/2019-06-13-yubico-recalls-government-grade-security-keys-due-to-bug.html

Quote: Fortunately, any affected customers will receive a replacement key.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ...
vedaal@nym.hush.com wrote:

> There is already a simple existing solution.
>
> [1] Encrypt and decrypt on a computer that has internet hardware disabled.
>
> [2] Use an Orbic Journey V phone that gets and sends *only text*
>
> [3] Use a microsd expansion card on the orbis phone
>
> [4] set up the phone to save encrypted texts on the microsd 'storage' card
>
> [5] Take out the microsd card and use a card reader in the computer in [1] transfer text only (encrypted or decrypted)
>
> Any file can be sent as encrypted text by using the armor option -a on the GnuPG command line.
> (this includes audio, video .jpg, .png, pdf, etc. literally any and all possible file types.)
>
> Even if the Orbic uses the *unknown* system, if you are encrypting and decrypting on a separate air-gapped computer, and
> transferring only text to a microsd, it is hard to see how it can be compromised. (Yes *Anything* can happen, but without
> evidence, there is no end to paranoia)

(I only replied to you and not the list)

Thanks for the detailed description, much appreciated!

> It is not the place of the FAQ to solve the transmission issues of an already perfectly formed GnuPG encrypted .asc file.
>
> The manual and/or FAQ, tells how to use GnuPG to encrypt or decrypt the file, and armor it.
>
> The rest is up to the User's threat model.

Well, yes and no. It should at least be discussed, and if too many people write new tutorials from old FAQs then
new users will never know these dangers when using online devices.

> (btw,
> There is, [afaik], no protection available in GnuPG
> against a Clairvoyancy attack vector on an encrypted file even in an air-gapped computer,
> and there is a rumour that any Witch or Wizard can instantly behold the plaintext of an encrypted message
> by flicking a wand at it, and using the simple charm 'Revelato' )

I think I know what you mean. But I think it does not scale well for the masses due to manpower shortage.

> but not really in my threat model 8^))))

Mine neither. :-)

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ...
On 2020-08-11T21:18:24+0200 Johan Wevers <johanw@vulcan.xs4all.nl> wrote 0.9K bytes:

> On 11-08-2020 17:18, Stefan Claas wrote:
>
> >> Why hardware? If a bug is found you can't upgrade it easily.
> >
> > Because hardware can't be tampered with like software.
>
> If a hardware bug is found you're still lost. Even Apple has found out
> the hard way.

A hardware smartcard is meant to be a closed system, and you can enumerate all (or fuzz most) of the possible inputs.

If you have a Nest thermostat, why bother with an alcohol thermometer? Perhaps there is a bug with your Nest and it reports in Fahrenheit instead of Celsius. Google can issue an update, and send out an email apologizing profusely. If your alcohol thermometer is inaccurate, your homeostasis is surely doomed.

Re: In case you use OpenPGP on a smartphone ...
On 11/08/2020 19:57, Stefan Claas wrote:
> So, to sum it up (I know you prefer Tails) would you agree that
> sooner or later the community should develop strategies, in form of a
> best practice FAQ (cross-platform), to no longer use encryption
> software on online devices and work out strategies to use offline
> devices and how to handle this data securely over to an online
> device, until proper and affordable hardware encryption devices for
> online usage are available?

The problem with best practices is that they are context-dependent. Any
FAQ that steps outside the purely technical domain into operational
security will be misleading at best, and outright dangerous at worst. I
am a Tails user, but I only use it for specific things - I don't boot it
up for my everyday work (that would be insane, given my job). But my
threat model is very different to that of others, so I would never
presume to tell them that my best practice should be theirs.

Hardware encryption devices are already plentiful. The problem is that
secure hardware comes at a huge cost in flexibility, meaning that only a
small part of our computing landscape will ever be "secure hardware".
That's why we have Yubikeys, smartcards, HSMs, Nitrokeys, etc. A small,
limited-functionality device is much more likely to be secure because it
is much easier to audit. Anything with the breadth of functionality of a
general-purpose computer will never be fully trustworthy. Your CPU is an
entire GP computer, buried in another computer. Same with your SSD
drive. A USB-C *cable* now has more computing power than the Apollo moon
mission. It's software all the way down.

No, you should not stop using encryption software on online devices.
That would be insane. We should be adding more encryption at multiple
levels, so that compromise of one layer of encryption does not mean a
compromise of the entire system. Defence in depth is the only long-term
sustainable strategy.

--
Andrew Gallagher
Re: In case you use OpenPGP on a smartphone ...
Andrew Gallagher wrote:

> On 11/08/2020 19:57, Stefan Claas wrote:
> > So, to sum it up (I know you prefer Tails) would you agree that
> > sooner or later the community should develop strategies, in form of a
> > best practice FAQ (cross-platform), to no longer use encryption
> > software on online devices and work out strategies to use offline
> > devices and how to handle this data securely over to an online
> > device, until proper and affordable hardware encryption devices for
> > online usage are available?
>
> The problem with best practices is that they are context-dependent. Any
> FAQ that steps outside the purely technical domain into operational
> security will be misleading at best, and outright dangerous at worst. I
> am a Tails user, but I only use it for specific things - I don't boot it
> up for my everyday work (that would be insane, given my job). But my
> threat model is very different to that of others, so I would never
> presume to tell them that my best practice should be theirs.
>
> Hardware encryption devices are already plentiful. The problem is that
> secure hardware comes at a huge cost in flexibility, meaning that only a
> small part of our computing landscape will ever be "secure hardware".
> That's why we have Yubikeys, smartcards, HSMs, Nitrokeys, etc. A small,
> limited-functionality device is much more likely to be secure because it
> is much easier to audit. Anything with the breadth of functionality of a
> general-purpose computer will never be fully trustworthy. Your CPU is an
> entire GP computer, buried in another computer. Same with your SSD
> drive. A USB-C *cable* now has more computing power than the Apollo moon
> mission. It's software all the way down.

Thank you very much for your reply, much appreciated!

> No, you should not stop using encryption software on online devices.
> That would be insane. We should be adding more encryption at multiple
> levels, so that compromise of one layer of encryption does not mean a
> compromise of the entire system. Defence in depth is the only long-term
> sustainable strategy.

While I personally stopped using online encryption long ago, after my
Linux system was hacked, I would like to mention (in case people do not know)
that YubiKeys and Nitrokeys also allow log-in protection via 2FA and
that sudo usage then also requires tapping the YubiKey, besides password
usage. Not sure if it is the same procedure with a Nitrokey.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ...
Just adding my 2 cents to this discussion.

I think it doesn't matter what sort of spyware potentially exists
somewhere out there for some phone, what matters is whether it is on
your phone.

This isn't really about the security of OpenPGP either but about a
fundamental trust in the things we use both hardware and software.

I can recommend this video from 36C3 that talks about hardware security
(spoilers: it's absolutely non-trivial and nigh impossible to verify):

https://www.youtube.com/watch?v=Hzb37RyagCQ

It's also about threat models that you as the user of software (that you
trust does its job correctly) are trying to protect against.

If an attacker having root access to your device is part of a threat you
want to defend against your only choice is to use a (hopefully) known
good device that performs the encryption/decryption for you.

If you are only interested in end to end encryption where the message
might be intercepted in transit or verification of signatures then
OpenPGP does its job pretty damn well still.

There is not a single encryption algorithm that can't be defeated by
simply having full access to the device it is running on.

Now we can talk about mitigations that exist for the threat model where
the device you are using to read/send messages is compromised and I
think the recommendations in this thread are pretty sound.

I personally have been using OpenKeychain and a Yubikey via NFC. That
means that while any message that I have decrypted might be compromised
the keys used to decrypt are still secure (under the assumption that
Yubikeys are as secure as advertised, see the video above).

For me this is secure enough. For you it might not be.

I think that in general users of software should be aware that the
environment their software is running in is a threat vector, if you do
not trust it or you only trust it so far then only keep information you
can afford to get compromised in it.

If you are a person under close government watch, live in an
authoritarian regime or are a dissident I would of course recommend to
use an airgapped device.

If you are working for a company with important trade secrets you
hopefully don't have access to those on your phone anyway.

If you are a normal person not defending against any sort of advanced
persistent threat I think a smartphone still offers decent (enough)
security in day to day use for non-sensitive information.

And then there is of course still:

https://xkcd.com/538/

In the end it all comes down to: How much effort is the attacker going
to spend on you?

That determines how much effort you need to spend to protect yourself
against them.

Re: In case you use OpenPGP on a smartphone ...
I guess the real question is: what are people using PGP for on mobile
devices?  If it's for communication, that's silly.  There are at least a
half dozen far, far, far better ways to securely communicate on a
smartphone. 

Also -- unless you are steeped in the security industry and run a
hardened OS, your laptop is likely as vulnerable if not more vulnerable
to the kinds of state level actors deploying this kind of mobile
malware.  The best mobile devices are far less vulnerable than typically
configured PCs.  An iPad is likely orders of magnitude more secure than
using a laptop with a typical consumer OS (Windows, Ubuntu, etc).  Both
can be compromised but the iPad, if kept up to date, is going to be a
much more expensive target. 

The people of the world with Snowden-level paranoia (at least the ones
not tied to some nation's security service) are using air-gapped
internet-virgin hardware to communicate.  For everyone else, a locked
down (location services off, iCloud account off, always-on VPN, kept in
faraday bag when not in use) iPhone/iPad is as close as they're going to
get to real privacy/security. 

On 8/10/20 10:49 AM, Stefan Claas wrote:
> Michał Górny wrote:
>
> [...]
>
>> Why use PGP on your phone if you carry a whole laptop with you anyway?
> Good question. There is software for Android available called OpenKeyChain,
> which as understood is the defacto standard for Android smartphone users,
> in combination with a MUA for Android.
>
> The question IMHO now is what should mobile device users do now? I showed
> a solution, assuming those users have an offline laptop too, which then
> would allow them to comfortably and securely create their messages.
>
> Not all people can purchase now a new smartphone with a more secure OpenSource
> OS and new SIM, I assume.
>
> I also do not know if it is common if people use an (compromised?) online
> laptop, as a smartphone, when on the road.
>
> Regards
> Stefan
>
> --
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion
>

--
-Ryan McGinnis
http://bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Re: In case you use OpenPGP on a smartphone ...
If you don't want to be location tracked on a mobile device you just
power it off and put it in a Faraday bag when not in use. 
https://silent-pocket.com/

If you want to deep dive into this sort of thing (it's a really deep
lake), give this book a read: 

https://www.amazon.com/gp/product/B0898YGR58/ref=dbs_a_def_rwt_hsch_vapi_taft_p1_i0


On 8/11/20 3:32 AM, Stefan Claas wrote:
> Matthias Apitz wrote:
>
>> On Monday, August 10, 2020 at 09:07:51 +0200, Stefan Claas wrote:
>>
>>>> One can use a Linux mobile phone running UBports.com (as I and all my family do)
>>>> or the upcoming Puri.sm L5 (as I pre-ordered in October 2017).
>>> Yes, people gave me already (not from here of course) good advice for other OSs
>>> which one can use. The question is how long will those OSs been unaffected ...
>> The kernel and all apps are OpenSource i.e. people can (and do) read the
>> sources. It's impossible to build in backdoors. The attack could come
>> through the firmware in the chips (which are not OpenSource). For this
>> the Puri.sm L5 (and the laptops they make also) have 3 hardware keys to
>> poweroff WiFi, Cellular, Microphone/Cameras (all 3 will turn off GPS).
>>
>> The authorities can not track you. See:
>>
>> https://puri.sm/products/librem-5/
> Thanks for the information! While it is a nice product, according to their web site,
> they say they run Gnu/Linux. Do you think that Gnu/Linux can't be hacked? Or better
> said, should we all (those who use encryption software often) still use it directly
> on online devices?
>
> Regards
> Stefan
>
> --
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion
>

--
-Ryan McGinnis
http://bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Re: In case you use OpenPGP on a smartphone ...
Felix wrote:

[...]

apologies for not quoting each paragraph from you!

No doubt that a system tool (like Werner says) like GnuPG or any others for
that matter, which are free and OpenSource, are good tools people rely on.

We all know that threats for online devices exist and mostly bugs or security
holes are more or less quickly discovered and fixed.

I believe that users interested in security and privacy always try to strive
for the best solutions available, regardless of their threat model, i.e. what
is good for activists or journalist in oppressed regimes etc. (which received
advice and how-to's from professionals) may also be good for us, when trying
to protect things we are doing online.

My concern however, with the advancement of these powerful tools is that this
is already a 'Russian roulette' while there is currently no defense AFAIK against
them or guarantees that these tools are not been misused by third parties.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ...
I presume the goal of people (who know what they are doing) going
through all these inconvenient steps isn't to build the perfect
impenetrable fortress of security (which doesn't exist) but rather to
make it more difficult or expensive to circumvent from the threat
actor's perspective, hopefully to the point where it's not worth it.  An
iOS 0day used to run over a million buckaroos on the open market (it's
cheaper now, Apple's security has flagged a bit in recent years) so it's
not something Script-Kiddie McHighshoolKid  is going to use to try to
get at your filthy nudes.  But I wouldn't run the SCADA control
interface of my highly controversial uranium centrifuge farm on my
iPhone, because spending a million buckaroos is like dropping a penny in
a pond for the kinds of actors who'd be interested in that sort of thing. 

If you're trying to defeat the amorous advances of the NSA and you don't
have the support and training of an entire nation's intelligence agency
behind you, just accept that you've already lost.  Also, don't post
here, anyone the NSA is actively interested in lives a life way too
interesting to be self-owning any kind of OSINT about themselves in
public. 

For the average bloke, owning an iPhone with a strong passcode and using
Signal or Wire to communicate is going to give them some of the best
hardware and communications security money can buy. 
 
On 8/11/20 3:58 PM, Johan Wevers wrote:
> On 11-08-2020 21:49, vedaal via Gnupg-users wrote:
>
>> There is already a simple existing solution.
> Simple is not how I see this.
>
>> [1] Encrypt and decrypt on a computer that has internet hardware disabled.
>> [2] Use an Orbic Journey V phone that gets and sends *only text*
>> [3] Use a microsd expansion card on the orbis phone
> The Iranians though this too. And then someone invents Stuxnet-like
> attack software.
>
> --
> ir. J.C.A. Wevers
> PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
>
>

--
-Ryan McGinnis
http://bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Re: In case you use OpenPGP on a smartphone ...
Ryan McGinnis via Gnupg-users wrote:

> I guess the real question is: what are people using PGP for on mobile
> devices? If it's for communication, that's silly. There are at least a
> half dozen far, far, far better ways to securely communicate on a
> smartphone.

Well, it is listed by the OpenPGP experts:

https://www.openpgp.org/software/openkeychain/

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ...
Well yes I realize that it exists, what I'm saying is why would anyone
use it for secure communications on a smartphone when there are
solutions orders of magnitude more secure and simple to use.  It'd be
like buying a helicopter but deciding you'd still fly only 2 feet off
the ground and stick to paved roads. 



On 8/12/20 11:46 AM, Stefan Claas wrote:
> Ryan McGinnis via Gnupg-users wrote:
>
>> I guess the real question is: what are people using PGP for on mobile
>> devices?  If it's for communication, that's silly.  There are at least a
>> half dozen far, far, far better ways to securely communicate on a
>> smartphone. 
> Well, it is listed by the OpenPGP experts:
>
> https://www.openpgp.org/software/openkeychain/
>
> Regards
> Stefan
>
> --
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion

--
-Ryan McGinnis
http://bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
Ryan McGinnis via Gnupg-users wrote:

> If you don't want to be location tracked on a mobile device you just
> power it off and put it in a Faraday bag when not in use.
> https://silent-pocket.com/

Yup, still waiting for my Faraday bags, which I won from the Nym project giveaway.
>
> If you want to deep dive into this sort of thing (it's a really deep
> lake), give this book a read:
>
> https://www.amazon.com/gp/product/B0898YGR58/ref=dbs_a_def_rwt_hsch_vapi_taft_p1_i0

Thanks for the info! According to the Amazon info he teaches celebrities.

I read an article yesterday that a lot of celebrities prefer dumb phones over smartphones.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
Ryan McGinnis via Gnupg-users wrote:

> Well yes I realize that it exists, what I'm saying is why would anyone
> use it for secure communications on a smartphone when there are
> solutions orders of magnitude more secure and simple to use.  It'd be
> like buying a helicopter but deciding you'd still fly only 2 feet off
> the ground and stick to paved roads.

Maybe there was a demand from PGP users and the author fulfilled their
wish or it is maybe hip among the young smartphone generation, who grew
up with smartphones, to have OpenPGP on a smartphone, because they
trust only OpenPGP based software. I don't know.

Regards
Stefan
--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
Stefan Claas wrote:

> Ryan McGinnis via Gnupg-users wrote:
>
> > Well yes I realize that it exists, what I'm saying is why would anyone
> > use it for secure communications on a smartphone when there are
> > solutions orders of magnitude more secure and simple to use.  It'd be
> > like buying a helicopter but deciding you'd still fly only 2 feet off
> > the ground and stick to paved roads.
>
> Maybe there was a demand from PGP users and the author fulfilled their
> wish or it is maybe hip among the young smartphone generation, who grew
> up with smartphones, to have OpenPGP on a smartphone, because they
> trust only OpenPGP based software. I don't know.

P.S. and it can be used with a smartcard.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
I'm not sure that there are solutions orders of magnitude more secure
that are available readily.

Also people tend to get emails on the go as well that might be
encrypted. It's convenient to decrypt emails on a smartphone and not
really that insecure if you're using an external device for actual
key storage (such as a YubiKey).

I don't actually see what's so silly about the whole thing.

On 2020-08-12 18:57, Ryan McGinnis via Gnupg-users wrote:
> Well yes I realize that it exists, what I'm saying is why would anyone
> use it for secure communications on a smartphone when there are
> solutions orders of magnitude more secure and simple to use.  It'd be
> like buying a helicopter but deciding you'd still fly only 2 feet off
> the ground and stick to paved roads. 
>
>
>
> On 8/12/20 11:46 AM, Stefan Claas wrote:
>> Ryan McGinnis via Gnupg-users wrote:
>>
>>> I guess the real question is: what are people using PGP for on mobile
>>> devices?  If it's for communication, that's silly.  There are at least a
>>> half dozen far, far, far better ways to securely communicate on a
>>> smartphone. 
>> Well, it is listed by the OpenPGP experts:
>>
>> https://www.openpgp.org/software/openkeychain/
>>
>> Regards
>> Stefan
>>
>> --
>> my 'hidden' service gopherhole:
>> gopher://iria2xobffovwr6h.onion
Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
Well, more like celebrities (and other types) hire him to keep their personal lives and information from being easily found. He also helps stalking victims disappear. I believe he’s former FBI.
He prefers the old iPhone SE. At one time you used to be able to buy them anonymously with cash, which made them pretty hard to trace. I think he prefers a secure smartphone because he feels one should never use your real phone number for anything, which means using a VOIP app for all calls and texts. For mobile service he goes with Mint mobile. Which, BTW you can buy cheap 2 week “trial” SIM cards from with cash that will work as a non-VoIP 2FA account verification method. Meaning you can sign up for sites and services without disclosing any personally identifying information whatsoever.
-Ryan McGinnis
http://www.bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD


Sent from ProtonMail Mobile

On Wed, Aug 12, 2020 at 11:57, Stefan Claas <sac@300baud.de> wrote:
Ryan McGinnis via Gnupg-users wrote:

> If you don't want to be location tracked on a mobile device you just
> power it off and put it in a Faraday bag when not in use.
> https://silent-pocket.com/

Yup, still waiting for my Faraday bags, which I won from the Nym project giveaway.
>
> If you want to deep dive into this sort of thing (it's a really deep
> lake), give this book a read:
>
> https://www.amazon.com/gp/product/B0898YGR58/ref=dbs_a_def_rwt_hsch_vapi_taft_p1_i0

Thanks for the info! According to the Amazon info he teaches celebrities.

I read an article yesterday that a lot of celebrities prefer dump phones over smartphones.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion
Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
The reasons to abandon PGP for secure communications have been accepted in the security community for years. Here’s one security researcher explaining why (there are many others out there with similar sentiments):
https://arstechnica.com/information-technology/2016/12/op-ed-im-giving-up-on-pgp/
-Ryan McGinnis
http://www.bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD


Sent from ProtonMail Mobile

On Wed, Aug 12, 2020 at 13:07, Felix <felix@audiofair.de> wrote:


I'm not sure that there are solutions orders of magnitude more secure that are available readily.

Also people tend to get emails on the go as well that might be encrypted. It's convenient to decrypt emails on a smartphone and not really that insecure if you're using an external device for actual keystorage (such as a Yubikey).

I don't actually see what's so silly about the whole thing.
On 2020-08-12 18:57, Ryan McGinnis via Gnupg-users wrote:
Well yes I realize that it exists, what I'm saying is why would anyone use it for secure communications on a smartphone when there are solutions orders of magnitude more secure and simple to use. It'd be like buying a helicopter but deciding you'd still fly only 2 feet off the ground and stick to paved roads.

On 8/12/20 11:46 AM, Stefan Claas wrote:
Ryan McGinnis via Gnupg-users wrote:
I guess the real question is: what are people using PGP for on mobile devices? If it's for communication, that's silly. There are at least a half dozen far, far, far better ways to securely communicate on a smartphone.
Well, it is listed by the OpenPGP experts: https://www.openpgp.org/software/openkeychain/

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion
Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
Ryan McGinnis via Gnupg-users wrote:

> The reasons to abandon PGP for secure communications have been accepted in the security community for years.  Here’s one
> security researcher explaining why (there are many others out there with similar sentiments): 
>
> https://arstechnica.com/information-technology/2016/12/op-ed-im-giving-up-on-pgp/

He is working at Google and IIRC responsible for Golang crypto libs. Can you do me a favor, in case you have a Twitter
account? If so, please ask him what his thoughts are, as a Signal user, about Pegasus, and whether a factory reset and a
new SIM card would be good enough?

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
For example, in this message from Ryan, Enigmail says it has a bad
signature. I think that could be an issue too with its adoption.

On 8/12/2020 11:29 AM, Ryan McGinnis via Gnupg-users wrote:
> The reasons to abandon PGP for secure communications have been
> accepted in the security community for years.  Here’s one security
> researcher explaining why (there are many others out there with
> similar sentiments): 
>
> https://arstechnica.com/information-technology/2016/12/op-ed-im-giving-up-on-pgp/
>
> -Ryan McGinnis
> http://www.bigstormpicture.com
> PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
>
>
> Sent from ProtonMail Mobile
>
>
> On Wed, Aug 12, 2020 at 13:07, Felix <felix@audiofair.de
> <mailto:felix@audiofair.de>> wrote:
>>
>> I'm not sure that there are solutions orders of magnitude more secure
>> that are available readily.
>>
>> Also people tend to get emails on the go as well that might be
>> encrypted. It's convenient to decrypt emails on a smartphone and not
>> really that insecure if you're using an external device for actual
>> keystorage (such as a Yubikey).
>>
>> I don't actually see what's so silly about the whole thing.
>>
>> On 2020-08-12 18:57, Ryan McGinnis via Gnupg-users wrote:
>>> Well yes I realize that it exists, what I'm saying is why would anyone
>>> use it for secure communications on a smartphone when there are
>>> solutions orders of magnitude more secure and simple to use.  It'd be
>>> like buying a helicopter but deciding you'd still fly only 2 feet off
>>> the ground and stick to paved roads. 
>>>
>>>
>>>
>>> On 8/12/20 11:46 AM, Stefan Claas wrote:
>>>> Ryan McGinnis via Gnupg-users wrote:
>>>>
>>>>> I guess the real question is: what are people using PGP for on mobile
>>>>> devices?  If it's for communication, that's silly.  There are at least a
>>>>> half dozen far, far, far better ways to securely communicate on a
>>>>> smartphone. 
>>>> Well, it is listed by the OpenPGP experts:
>>>>
>>>> https://www.openpgp.org/software/openkeychain/
>>>>
>>>> Regards
>>>> Stefan
>>>>
>>>> --
>>>> my 'hidden' service gopherhole:
>>>> gopher://iria2xobffovwr6h.onion
Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
That's a good article and I think it makes a lot of sense in the
context. I still think PGP is valid for sending encrypted emails if you
exchange public keys beforehand (as he also states he still uses it in
that manner). The web of trust also never did anything for me sadly.

On 12/08/2020 20:29, Ryan McGinnis via Gnupg-users wrote:
> The reasons to abandon PGP for secure communications have been
> accepted in the security community for years.  Here’s one security
> researcher explaining why (there are many others out there with
> similar sentiments): 
>
> https://arstechnica.com/information-technology/2016/12/op-ed-im-giving-up-on-pgp/
>
> -Ryan McGinnis
> http://www.bigstormpicture.com
> PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
>
>
> Sent from ProtonMail Mobile
>
>
> On Wed, Aug 12, 2020 at 13:07, Felix <felix@audiofair.de
> <mailto:felix@audiofair.de>> wrote:
>>
>> I'm not sure that there are solutions orders of magnitude more secure
>> that are available readily.
>>
>> Also people tend to get emails on the go as well that might be
>> encrypted. It's convenient to decrypt emails on a smartphone and not
>> really that insecure if you're using an external device for actual
>> keystorage (such as a Yubikey).
>>
>> I don't actually see what's so silly about the whole thing.
>>
>> On 2020-08-12 18:57, Ryan McGinnis via Gnupg-users wrote:
>>> Well yes I realize that it exists, what I'm saying is why would anyone
>>> use it for secure communications on a smartphone when there are
>>> solutions orders of magnitude more secure and simple to use.  It'd be
>>> like buying a helicopter but deciding you'd still fly only 2 feet off
>>> the ground and stick to paved roads. 
>>>
>>>
>>>
>>> On 8/12/20 11:46 AM, Stefan Claas wrote:
>>>> Ryan McGinnis via Gnupg-users wrote:
>>>>
>>>>> I guess the real question is: what are people using PGP for on mobile
>>>>> devices?  If it's for communication, that's silly.  There are at least a
>>>>> half dozen far, far, far better ways to securely communicate on a
>>>>> smartphone. 
>>>> Well, it is listed by the OpenPGP experts:
>>>>
>>>> https://www.openpgp.org/software/openkeychain/
>>>>
>>>> Regards
>>>> Stefan
>>>>
>>>> --
>>>> my 'hidden' service gopherhole:
>>>> gopher://iria2xobffovwr6h.onion
Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
vedaal@nym.hush.com wrote:

>
>
> On 8/11/2020 at 3:00 PM, "Stefan Claas" <sac@300baud.de> wrote:
>
> ...
>
> >As understood a Pegasus operator can do what ever
> >he likes to do remotely, anonymously with our (Android/iOS)
> >smartphone, without that we know that this happens.
>
> ...
>
> >in form of a best practice FAQ (cross-platform), to no longer use
> >encryption software on online devices and work out
> >strategies to use offline devices and how to handle this data
> >securely over to an online device, until proper and affordable
> >hardware encryption devices for online usage are available?
>
> =====
>
> There is already a simple existing solution.
>
> [1] Encrypt and decrypt on a computer that has internet hardware disabled.

I am thinking about this mobile one, once it hits the market.

https://pocket.popcorncomputer.com/#products

> [2] Use an Orbic Journey V phone that gets and sends *only text*

Seems not to be available in Germany, so I must look for a similar one.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
Stefan Claas wrote:

> Andrew Gallagher wrote:

> > No, you should not stop using encryption software on online devices.
> > That would be insane. We should be adding more encryption at multiple
> > levels, so that compromise of one layer of encryption does not mean a
> > compromise of the entire system. Defence in depth is the only long-term
> > sustainable strategy.
>
> While I personally stopped using online encryption, long ago, after my
> Linux system was hacked, I like to mention (in case people do not know)
> that YubiKeys and Nitrokeys also allow login protection via 2FA and
> that sudo usage then also requires tapping the YubiKey, besides password
> usage. Not sure if it is the same procedure with a Nitrokey.

Hacking Tool to break into Linux computers.

<https://www.reuters.com/article/us-usa-cyber-russia/nsa-fbi-expose-russian-intelligence-hacking-tool-report-idUSKCN2592HY>

Regards
Stefan


Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
Stefan Claas wrote:

> vedaal@nym.hush.com wrote:
>
> >
> >
> > On 8/11/2020 at 3:00 PM, "Stefan Claas" <sac@300baud.de> wrote:
> >
> > ...
> >
> > >As understood a Pegasus operator can do what ever
> > >he likes to do remotely, anonymously with our (Android/iOS)
> > >smartphone, without that we know that this happens.
> >
> > ...
> >
> > >in form of a best practice FAQ (cross-platform), to no longer use
> > >encryption software on online devices and work out
> > >strategies to use offline devices and how to handle this data
> > >securely over to an online device, until proper and affordable
> > >hardware encryption devices for online usage are available?
> >
> > =====
> >
> > There is already a simple existing solution.
> >
> > [1] Encrypt and decrypt on a computer that has internet hardware disabled.
>
> I am thinking about this mobile one, once it hits the market.
>
> https://pocket.popcorncomputer.com/#products
>
> > [2] Use an Orbic Journey V phone that gets and sends *only text*
>
> Seems not to be available in Germany, so I must look for a similar one.

I did a bit of research and purchased today the IMHO beautiful Doro Primo 413
dumb phone (for elderly people); it includes a USB-C to USB charger/data
cable, which can then be connected to an offline notebook.

Once my batteries are charged, later today, I will try out the following:

Preparing a PGP message, converting it to JAB-Code and then transferring the
.png image (less than 300 KB, due to German telephone carrier specs) to the
dumb phone.

Finally I will prepare an MMS, load the image and send the message for a
test to my smartphone, for later retrieval, to see if everything went well.

Regards
Stefan

Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
Stefan Claas wrote:

> I did a bit of research and purchased today the IMHO beautiful Doro Primo 413
> dumb phone (for elderly people); it includes a USB-C to USB charger/data
> cable, which can then be connected to an offline notebook.
>
> Once my batteries are charged, later today, I will try out the following:
>
> Preparing a PGP message, converting it to JAB-Code and then transferring the
> .png image (less than 300 KB, due to German telephone carrier specs) to the
> dumb phone.
>
> Finally I will prepare an MMS, load the image and send the message for a
> test to my smartphone, for later retrieval, to see if everything went well.

Ok, worked! :-) SHA256 hashes matched from both devices.

Only thing I have to do is purchasing an SD memory card, because the regular
memory is too low.

Regards
Stefan


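The transfer Stefan describes in the two posts above (an image kept under the carrier's 300 KB MMS limit, then SHA-256 hashes compared on both devices) can be written down as a sender-side gate and a receiver-side check. The following is an added example, not code from the thread or from any of the projects mentioned; the 300 KB limit is the figure quoted in the post, and the "image" is constructed random bytes standing in for a JAB-Code PNG.

```python
import hashlib
import hmac
import os
import tempfile

# Assumption: the MMS attachment limit quoted in the thread (300 KB).
MMS_LIMIT_BYTES = 300 * 1024


def sha256_file(path: str, chunk_size: int = 64 * 1024) -> str:
    """Hex SHA-256 of a file, hashed in chunks so a large image never sits in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def prepare_for_mms(image_path: str, limit: int = MMS_LIMIT_BYTES) -> dict:
    """Sender side: refuse anything over the carrier limit and record the digest
    that the receiving device must reproduce."""
    size = os.path.getsize(image_path)
    if size > limit:
        raise ValueError(f"{image_path}: {size} bytes exceeds the MMS limit of {limit}")
    return {"size": size, "sha256": sha256_file(image_path)}


def verify_received(received_path: str, manifest: dict) -> bool:
    """Receiver side: size and digest must both match what the sender recorded.
    A transcoded or truncated MMS attachment fails here before anyone tries to
    decode the JAB-Code image."""
    if os.path.getsize(received_path) != manifest["size"]:
        return False
    return hmac.compare_digest(sha256_file(received_path), manifest["sha256"])


def demo() -> tuple:
    """Constructed round trip: an intact copy verifies, a copy with one flipped
    byte does not. Returns (intact_ok, damaged_ok)."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "message.png")
        # Constructed stand-in for the JAB-Code PNG: a PNG signature plus random data.
        payload = b"\x89PNG\r\n\x1a\n" + os.urandom(20_000)
        with open(src, "wb") as f:
            f.write(payload)
        manifest = prepare_for_mms(src)

        intact = os.path.join(d, "received_ok.png")
        with open(intact, "wb") as f:
            f.write(payload)

        damaged_bytes = bytearray(payload)
        damaged_bytes[100] ^= 0x01          # a single corrupted byte
        damaged = os.path.join(d, "received_damaged.png")
        with open(damaged, "wb") as f:
            f.write(bytes(damaged_bytes))

        return verify_received(intact, manifest), verify_received(damaged, manifest)


def oversize_is_rejected() -> bool:
    """Constructed check: a file one byte over the limit must be refused by the sender."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"\0" * (MMS_LIMIT_BYTES + 1))
        path = f.name
    try:
        prepare_for_mms(path)
        return False
    except ValueError:
        return True
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("intact/damaged:", demo())
    print("oversize rejected:", oversize_is_rejected())
```

The manifest would travel with the sender (the offline notebook keeps it); the receiving side only needs the digest and size to know the carrier delivered the image byte for byte.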
Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
On 8/15/2020 at 1:02 PM, "Stefan Claas" <sac@300baud.de> wrote:

>Ok, worked! :-) SHA256 hashes matched from both devices.
=====
Great to hear!
-----

>Only thing I have to do is purchasing an sd memory card, because
>the regular memory is too low.
=====
If you can afford it, there are 1 TB microsd cards available:

https://www.amazon.com/SanDisk-Extreme-microSDXC-Memory-Adapter/dp/B07P9W5HJV/ref=sr_1_2?crid=LIUTHCJU5JEA&dchild=1&keywords=1tb+sandisk+micro+sd+card&qid=1597692282&sprefix=1+tb+sandisk%2Caps%2C507&sr=8-2

I have the 1 TB SanDisk microsd for the phone (my smartphone is a Sony Xperia Z2 Premium. I'm in love with the camera and optics, and watch all my videos and Amazon Prime on the phone). Point is, the official specs say it only accommodates a 250 GB microsd. This is not true. Even older Galaxy Androids that officially say they accommodate a 64 GB card also accommodated a SanDisk 400 GB card. As long as there is a microsd slot, it accommodates any size.

*BUT*

The vast majority of 1 TB cards are COUNTERFEIT, and don't hold more than a nominal minimal amount!
Even the Kingston ones, unless you get them from Kingston itself, are very convincingly appearing fakes.

I have been using SanDisk since 64 GB, then 128, then 400, and now 1 TB, and all of them worked, and got them all on Amazon.

If you know from people who actually used them of other brands on Amazon that are trustworthy, maybe you can get a good card for less.

Even if you don't need more than 64 GB, I would still recommend a newer SanDisk 64 GB card, because of the much faster transfer rates.


vedaal


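The counterfeit-card problem vedaal raises above has a practical check: write a position-tagged block to every address the card advertises, then read everything back; a card with less flash than it claims overwrites or drops the later blocks, and the count of blocks that verify is the real capacity. This is the approach taken by tools such as f3 or H2testw. The code below is an added example, not from the thread or from those tools; it runs against an in-memory stand-in rather than a real block device, and the `CounterfeitCard` class is a constructed model of a fake card whose addresses wrap around onto the same cells.

```python
import hashlib
import io
import os
import struct

BLOCK_SIZE = 4096  # one 4 KiB block per position; small enough to simulate in memory


def make_block(index: int, nonce: bytes) -> bytes:
    """Content for block `index`: its position plus a per-run nonce, padded with
    the SHA-256 of that header. A block read back from the wrong position, or
    left over from an earlier run, will not match."""
    header = struct.pack(">Q", index) + nonce      # 8 + 16 bytes
    fill = hashlib.sha256(header).digest()        # 32 bytes
    body_len = BLOCK_SIZE - len(header)
    return header + (fill * (body_len // len(fill) + 1))[:body_len]


def verify_capacity(dev, claimed_bytes: int, nonce: bytes = None) -> dict:
    """Write position-tagged blocks across the whole advertised size, then read
    every block back. `dev` is any seekable binary file-like object opened for
    read and write (for a real card that would be its block device, which
    destroys the card's contents; here it is a constructed in-memory object).
    Returns how much of the claimed capacity actually verified."""
    if nonce is None:
        nonce = os.urandom(16)
    nblocks = claimed_bytes // BLOCK_SIZE

    dev.seek(0)
    for i in range(nblocks):
        dev.write(make_block(i, nonce))
    dev.flush()

    dev.seek(0)
    good = 0
    first_bad = None
    for i in range(nblocks):
        if dev.read(BLOCK_SIZE) == make_block(i, nonce):
            good += 1
        elif first_bad is None:
            first_bad = i
    return {"ok": good == nblocks,
            "usable_bytes": good * BLOCK_SIZE,
            "first_bad_block": first_bad}


class CounterfeitCard:
    """Constructed stand-in for a fake card: it has only `real_bytes` of flash,
    and addresses beyond that wrap around onto the same cells. A card that
    silently drops out-of-range writes fails the same test."""

    def __init__(self, real_bytes: int):
        self.real = real_bytes
        self.cells = bytearray(real_bytes)
        self.pos = 0

    def seek(self, offset: int, whence: int = 0) -> int:
        self.pos = offset
        return self.pos

    def write(self, data: bytes) -> int:
        for k, byte in enumerate(data):
            self.cells[(self.pos + k) % self.real] = byte
        self.pos += len(data)
        return len(data)

    def read(self, n: int) -> bytes:
        out = bytes(self.cells[(self.pos + k) % self.real] for k in range(n))
        self.pos += n
        return out

    def flush(self) -> None:
        pass


def demo() -> tuple:
    """A genuine 64 KiB device passes; a card advertising 64 KiB with 16 KiB of
    real flash verifies only 16 KiB. Returns (genuine_result, fake_result)."""
    genuine = verify_capacity(io.BytesIO(), 64 * 1024)
    fake = verify_capacity(CounterfeitCard(16 * 1024), 64 * 1024)
    return genuine, fake


if __name__ == "__main__":
    for label, result in zip(("genuine", "counterfeit"), demo()):
        print(label, result)
```

Because the nonce changes per run, a card that passed an earlier test cannot satisfy a later one with stale data, and `first_bad_block` tells you whether the fake wraps (block 0 is the first casualty) or simply stops storing past its real size.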
Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
vedaal@nym.hush.com wrote:

>
>
> On 8/15/2020 at 1:02 PM, "Stefan Claas" <sac@300baud.de> wrote:
>
> >Ok, worked! :-) SHA256 hashes matched from both devices.
> =====
> Great to hear!

Thanks. :-)

> >Only thing I have to do is purchasing an sd memory card, because
> >the regular memory is to low.
> =====
> If you can afford it, there are 1 TB microsd cards available:
>
> https://www.amazon.com/SanDisk-Extreme-microSDXC-Memory-Adapter/dp/B07P9W5HJV/ref=sr_1_2?crid=LIUTHCJU5JEA&dchild=1&keywords=1tb+sandisk+micro+sd+card&qid=1597692282&sprefix=1+tb+sandisk%2Caps%2C507&sr=8-2

No, can't afford it. I already purchased a 32GB card, which is more than enough for me.

Regards
Stefan



Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
Stefan Claas wrote:

> ?????? ?????? via Gnupg-users wrote:
>
> > Isn't the NSO group Israeli, not Russian as claimed in the video? https://en.wikipedia.org/wiki/NSO_Group
>
> Yes, as understood. I think it really doesn't matter where Pegasus does come from.

Sorry for being now probably completely off-topic, but when it comes to information we find
on the Internet and/or are discussing whether videos or information are faked, or some people
like to guide us in wrong directions, I would highly recommend watching Millie Weaver's
'Shadow Gate' documentary, which was released a couple of days ago and is already banned
on YouTube and Facebook.

https://banned.video/watch?id=5f37fcc2df77c4044ee2eb03

Regards
Stefan

Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
* Stefan Claas <sac@300baud.de> Aug 19, 16:31:
>
>videos or information are faked, or some people like to guide us in wrong directions,

Oh, the irony...

>I would highly recommend watching Millie Weaver's 'Shadow Gate' documentary, which was released a couple of days ago and is already banned on YouTube and Facebook.
No, it is not banned. Anyone with access to a web browser can see that.
It's a conspiracy theory produced by the well known misinformation and conspiracy website Infowars.
--
// Marcus

Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
> Sorry for being now probably completely off-topic, but when it comes to information we find
> on the Internet and/or are discussing whether videos or information are faked, or some people
> like to guide us in wrong directions, I would highly recommend watching Millie Weaver's
> 'Shadow Gate' documentary, which was released a couple of days ago and is already banned
> on YouTube and Facebook.

Stefan, I'm not a list moderator and I have absolutely zero authority to
say this, but I'm going to say it anyway:

Please take this stuff elsewhere.

You're linking to a conspiracy theory video alleging a... look, I'm not
going to give these people credibility even by *summarizing* it. It
should be enough to say that InfoWars is backing it.

It has no connection to fact or even reality, and even less than no
connection to GnuPG or communications security.

Please, I'm begging you: take it elsewhere. It doesn't belong here.

https://www.usatoday.com/story/news/factcheck/2020/08/18/fact-check-shadowgate-spreads-misinformation-major-events/5601742002/


Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
On Mittwoch, 19. August 2020 20:10:29 CEST Robert J. Hansen wrote:
> You're linking to a conspiracy theory video alleging a... look, I'm not
> going to give these people credibility even by *summarizing* it. It
> should be enough to say that InfoWars is backing it.

We need to stop calling such rubbish "theories". Better call it "conspiracy
myths" or "conspiracy tales" or "conspiracy stories" or anything else that
makes it clear that (unlike scientific theories) it is not supported by facts.

Sorry, for adding to this off-topic thread.

Regards,
Ingo
Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
On 19-08-2020 23:28, Ingo Klöcker wrote:

> We need to stop calling such rubbish "theories". Better call it "conspiracy
> myths" or "conspiracy tales" or "conspiracy stories" or anything else that
> makes it clear that (unlike scientific theories) it is not supported by facts.

You mean like the conspiracy myth that the NSA was eavesdropping on
everyone, whether they were allowed to or not? Yes, that was not
supported by facts (before the Snowden revelations) so it must have been
utter rubbish.

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html


Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
On Thu, 20 Aug 2020 00:36, Johan Wevers said:

> You mean like the conspiracy myth that the NSA was eavesdropping on
> everyone, whether they were allowed to or not? Yes, that was not
> supported by facts (before the Snowden revelations) so it must have been

There have been technical facts around for a long time. Examples are
the Interception Report 2000 to the European Parliament and later a
testimony from an AT&T employee. Check out cryptome.org ;-)
Snowden then provided internal NSA documents as final evidence.


Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
Robert J. Hansen wrote:

> > Sorry for being now probably completely off-topic, but when it comes to information we find
> > on the Internet and/or are discussing whether videos or information are faked, or some people
> > like to guide us in wrong directions, I would highly recommend watching Millie Weaver's
> > 'Shadow Gate' documentary, which was released a couple of days ago and is already banned
> > on YouTube and Facebook.
>
> Stefan, I'm not a list moderator and I have absolutely zero authority to
> say this, but I'm going to say it anyway:
>
> Please take this stuff elsewhere.
>
> You're linking to a conspiracy theory video alleging a... look, I'm not
> going to give these people credibility even by *summarizing* it. It
> should be enough to say that InfoWars is backing it.
>
> It has no connection to fact or even reality, and even less than no
> connection to GnuPG or communications security.
>
> Please, I'm begging you: take it elsewhere. It doesn't belong here.
>
> https://www.usatoday.com/story/news/factcheck/2020/08/18/fact-check-shadowgate-spreads-misinformation-major-events/5601742002/

Hi Robert,

at least you may agree that Millie's documentary shows viewers that for a long time private contractors
have played an important role for intelligence agencies.

<https://www.seattletimes.com/nation-world/private-contractors-play-key-role-in-us-intelligence-work/>

Regards
Stefan

Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
> at least you may agree that Millie's documentary shows viewers that
> for a long time private contractors have played an important role for
> intelligence agencies.

Yes. Obviously. As everyone has known since the day the CIA was
established. There's even a website for contractors with security
clearances: https://www.clearancejobs.com. This nonsense video of
conspiracy delusions revealed nothing factual.

Please, I'm begging you: stop hyping this madness. At the very least,
do it elsewhere.

Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
Robert J. Hansen wrote:

> > at least you may agree that Millie's documentary shows viewers that
> > for a long time private contractors have played an important role for
> > intelligence agencies.
>
> Yes. Obviously. As everyone has known since the day the CIA was
> established. There's even a website for contractors with security
> clearances: https://www.clearancejobs.com. This nonsense video of
> conspiracy delusions revealed nothing factual.
>
> Please, I'm begging you: stop hyping this madness. At the very least,
> do it elsewhere.

As you wish, I will now no longer reply to this part of this thread.

Regards
Stefan

Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
Generally when something is "banned from Youtube" and the reason for the
ban wasn't that it was outright pornography, copyrighted content, or
illegal content, you can rest assured that the "banned video" is some
Grade A Prime Whackadoo McCrazy Bullshit and that you will become dumber
if you watch it.

On 8/19/20 9:31 AM, Stefan Claas wrote:
> Stefan Claas wrote:
>
>> ?????? ?????? via Gnupg-users wrote:
>>
>>> Isn't the NSO group Israeli, not Russian as claimed in the video? https://en.wikipedia.org/wiki/NSO_Group
>> Yes, as understood. I think it really doesn't matter where Pegasus comes from.
> Sorry for being now probably completely off-topic, but when it comes to information we find
> on the Internet and/or are discussing if videos or information are faked, or some people
> like to guide us in wrong directions, I would highly recommend watching Millie Weaver's
> 'Shadow Gate' documentary, which was released a couple of days ago and is already banned
> on YouTube and Facebook.
>
> https://banned.video/watch?id=5f37fcc2df77c4044ee2eb03
>
> Regards
> Stefan
>

--
-Ryan McGinnis
http://bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
Calling that a documentary is like me tattooing angel wings on my back
and trying to pass as an attack helicopter.

On 8/20/20 10:23 AM, Stefan Claas wrote:
> Robert J. Hansen wrote:
>
>>> Sorry for being now probably completely off-topic, but when it comes to information we find
>>> on the Internet and/or are discussing if videos or information are faked, or some people
>>> like to guide us in wrong directions, I would highly recommend watching Millie Weaver's
>>> 'Shadow Gate' documentary, which was released a couple of days ago and is already banned
>>> on YouTube and Facebook.
>> Stefan, I'm not a list moderator and I have absolutely zero authority to
>> say this, but I'm going to say it anyway:
>>
>> Please take this stuff elsewhere.
>>
>> You're linking to a conspiracy theory video alleging a... look, I'm not
>> going to give these people credibility even by *summarizing* it. It
>> should be enough to say that InfoWars is backing it.
>>
>> It has no connection to fact or even reality, and even less than no
>> connection to GnuPG or communications security.
>>
>> Please, I'm begging you: take it elsewhere. It doesn't belong here.
>>
>> https://www.usatoday.com/story/news/factcheck/2020/08/18/fact-check-shadowgate-spreads-misinformation-major-events/5601742002/
> Hi Robert,
>
> at least you may agree that Millie's documentary shows viewers that for a long time private contractors
> have played an important role for Intelligence Agencies.
>
> <https://www.seattletimes.com/nation-world/private-contractors-play-key-role-in-us-intelligence-work/>
>
> Regards
> Stefan
>

--
-Ryan McGinnis
http://bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
Stefan Claas wrote:

> vedaal@nym.hush.com wrote:
>
> >
> >
> > On 8/11/2020 at 3:00 PM, "Stefan Claas" <sac@300baud.de> wrote:
> >
> > ...
> >
> > >As understood a Pegasus operator can do whatever
> > >he likes to do remotely, anonymously with our (Android/iOS)
> > >smartphone, without us knowing that this happens.
> >
> > ...
> >
> > >in the form of a best practice FAQ (cross-platform), to no longer use
> > >encryption software on online devices and work out
> > >strategies to use offline devices and how to handle this data
> > >securely over to an online device, until proper and affordable
> > >hardware encryption devices for online usage are available?
> >
> > =====
> >
> > There is already a simple existing solution.
> >
> > [1] Encrypt and decrypt on a computer that has internet hardware disabled.
>
> I am thinking about this mobile one, once it hits the market.
>
> https://pocket.popcorncomputer.com/#products
>
> > [2] Use an Orbic Journey V phone that gets and sends *only text*
>
> Seems not to be available in Germany, so I must look for a similar one.

Thinking about another option smart phone users can try (I currently
have no second smart phone).

Since I am new to smart phone usage, I figured out that one can use
a second smart phone without a SIM-Card and with WiFi disabled. :-)

This means to me, regardless of whether people use Android with Termux
and GnuPG or a Linux smart phone, that they simply create the messages
on the (IMHO not so easily?!) compromisable second offline smart phone and
then securely transfer the encrypted messages to the compromised online
smart phone.

Regards
Stefan

Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
Stefan Claas wrote:

[...]

> > (btw,
> > There is, [afaik], no protection available in GnuPG
> > against a Clairvoyancy attack vector on an encrypted file even in an air-gapped computer,
> > and there is a rumour that any Witch or Wizard can instantly behold the plaintext of an encrypted message
> > by flicking a wand at it, and using the simple charm 'Revelato' )
>
> I think I know what you mean. But I think it does not scale well for the masses due to a manpower shortage.
>
> > but not really in my threat model 8^))))
>
> Mine neither. :-)

I think I will sell my smart phone and recommend not keeping it in the same room as an offline computer.

<https://cyber.bgu.ac.il/advanced-cyber/airgap>

Regards
Stefan

Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
Stefan Claas wrote:

> Stefan Claas wrote:
>
> [...]
>
> > > (btw,
> > > There is, [afaik], no protection available in GnuPG
> > > against a Clairvoyancy attack vector on an encrypted file even in an air-gapped computer,
> > > and there is a rumour that any Witch or Wizard can instantly behold the plaintext of an encrypted message
> > > by flicking a wand at it, and using the simple charm 'Revelato' )
> >
> > I think I know what you mean. But I think it does not scale well for the masses due to a manpower shortage.
> >
> > > but not really in my threat model 8^))))
> >
> > Mine neither. :-)
>
> I think I will sell my smart phone and recommend not keeping it in the same room as an offline computer.
>
> <https://cyber.bgu.ac.il/advanced-cyber/airgap>

Sold it. Now I can take my tinfoil hat off, with regard to smart phone usage. :-D

Regards
Stefan

Re: In case you use OpenPGP on a smartphone ... [ In reply to ]
Stefan Claas wrote:

> While I personally stopped using online encryption, long ago, after my
> Linux system was hacked, [...]

https://thehackernews.com/2020/10/finfisher-spyware-raid.html

Regards
Stefan

--
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
The computer helps us to solve problems we did not have without it.
