Re: In case you use OpenPGP on a smartphone ...
Andrew Gallagher wrote:

> It matters little whether these statements were made by Snowden. Whether a particular piece of software exists or not, and
> whether it is owned by the Russians or the Israelis or the Americans, is beside the point. In principle, it can exist and
> similar pieces of software have existed in the past, so we can safely assume that something like it will always exist in some
> form or another.

Fully agree!

> If someone roots your phone, or your laptop, it is Game Over. It does not matter if you are using Signal, or WhatsApp, or
> PGP. If the Bad Guys have rooted your phone you are helpless against them. The solution is not to let them root your phone in
> the first place (i.e. update regularly and don’t click on anything unsolicited), and don’t use your phone for anything that
> would endanger your life if you were rooted.

I must admit that I have only been using a smartphone for a couple of months now, because I wanted to see what things I can do with it.
Besides that I must also say that I am no fan of smartphone technology.

You say that we must be careful that no one roots our smartphone. As I understand it, a Pegasus operator can do whatever
he likes remotely and anonymously with our (Android/iOS) smartphone, without our knowing that this happens. And then
some people may also have problems with their desktop computer, in case FinFisher and friends allow zero-clicks too, which
we don't know.

So, to sum it up (I know you prefer Tails), would you agree that sooner or later the community should develop strategies,
in the form of a best practice FAQ (cross-platform), to no longer use encryption software on online devices and work out
strategies to use offline devices and how to securely hand this data over to an online device, until proper and affordable
hardware encryption devices for online usage are available?

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: In case you use OpenPGP on a smartphone ...
I suppose, you're right. I'm wary of blindly believing videos, especially when faking them has become relatively easy at this point.

I think one thing both Android and iOS get wrong is that the user isn't really in control of the device. So many manufacturer ROMs have built-in bloatware and various apps you'll never use, and there's no way to get rid of it. There are different classes of apps with differing levels of access to the internals of the OS, and there isn't much you can do about it. And on iOS, you're at the mercy of Apple as to whether your device remains supported and whether e.g. bugs in WebKit (the only renderer available on iOS) get fixed for your device. While custom ROMs solve some of these issues, most phones are bought with a locked bootloader (since most people aren't rich enough to buy their smartphones outright and end up leasing them through the service provider), which sort of renders that argument moot for *most* people.

Fundamentally, while a Linux phone may not necessarily have all of the hardening or whatever that many Android phones come with today, I'd argue that the privacy aspects, and the fact that the user truly _owns_ their device, more than make up for those (current) deficiencies. It will be easier, I think, to defend against what you're talking about in terms of malware, shady links, and so on because you have the opportunity to control literally *everything* running on your device.

Once I get my PinePhone, one of the first things I will be doing is playing around with things like firejail to see if I can get seamless sandboxing for most programs (I already heavily utilize firejail on my laptop). And I suspect that level of control (and ability to keep receiving updates, no matter how old the phone) will put Linux phones over the top in terms of security.

Sincerely,

Chiraag
--
Pronouns: he/him/his

On 11/08/20 19:32, Andrew Gallagher <andrewg@andrewg.com> wrote:
>
> It matters little whether these statements were made by Snowden. Whether a particular piece of software exists or not, and whether it is owned by the Russians or the Israelis or the Americans, is beside the point. In principle, it can exist and similar pieces of software have existed in the past, so we can safely assume that something like it will always exist in some form or another.
>
> If someone roots your phone, or your laptop, it is Game Over. It does not matter if you are using Signal, or WhatsApp, or PGP. If the Bad Guys have rooted your phone you are helpless against them. The solution is not to let them root your phone in the first place (i.e. update regularly and don’t click on anything unsolicited), and don’t use your phone for anything that would endanger your life if you were rooted.
>
> Andrew Gallagher
>
> > On 11 Aug 2020, at 17:18, Stefan Claas <sac@300baud.de> wrote:
> >
> > Please ask native U.S. citizens if this is a video with a faked voice from Mr. Snowden, not me.
Re: In case you use OpenPGP on a smartphone ...
On 11-08-2020 17:18, Stefan Claas wrote:

>> Why hardware? If a bug is found you can't upgrade it easily.
>
> Because hardware can't be tampered with like software.

If a hardware bug is found you're still lost. Even Apple has found out
the hard way.

>> On mobile, encrypted messengers are the norm. WhatsApp is the biggest,
>> and it uses Signal's encryption algorithm which is excellent.
>
> And you think that continuing with those is a good practice since
> Mr Snowden's YouTube Video was released?

It is a risk, but not a bigger risk than someone taking over your pc or
laptop. Signal and GnuPG are both defenseless against that.

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html


Re: In case you use OpenPGP on a smartphone ...
On 8/11/2020 at 3:00 PM, "Stefan Claas" <sac@300baud.de> wrote:

...

>As understood a Pegasus operator can do what ever
>he likes to do remotely, anonymously with our (Android/iOS)
>smartphone, without that we know that this happens.

...

>in form of a best practice FAQ (cross-platform), to no longer use
>encryption software on online devices and work out
>strategies to use offline devices and how to handle this data
>securely over to an online device, until proper and affordable
>hardware encryption devices for online usage are available?

=====

There is already a simple existing solution.

[1] Encrypt and decrypt on a computer that has internet hardware disabled.

[2] Use an Orbic Journey V phone that gets and sends *only text*

[3] Use a microSD expansion card on the Orbic phone

[4] Set up the phone to save encrypted texts on the microSD 'storage' card

[5] Take out the microSD card and use a card reader in the computer in [1] to transfer text only (encrypted or decrypted)

Any file can be sent as encrypted text by using the armor option -a on the GnuPG command line.
(this includes audio, video, .jpg, .png, .pdf, etc.; literally any and all possible file types.)

Even if the Orbic uses the *unknown* system, if you are encrypting and decrypting on a separate air-gapped computer, and transferring only text to a microSD, it is hard to see how it can be compromised.
(Yes *Anything* can happen, but without evidence, there is no end to paranoia)

It is not the place of the FAQ to solve the transmission issues of an already perfectly formed GnuPG encrypted .asc file.

The manual and/or FAQ tells how to use GnuPG to encrypt or decrypt the file, and armor it.

The rest is up to the User's threat model.

(btw,
There is, [afaik], no protection available in GnuPG
against a Clairvoyancy attack vector on an encrypted file even in an air-gapped computer,
and there is a rumour that any Witch or Wizard can instantly behold the plaintext of an encrypted message
by flicking a wand at it, and using the simple charm 'Revelato' )

but not really in my threat model 8^))))


vedaal


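Steps [1] to [5] above rest on one property: only ASCII-armored text ever crosses the gap. As an added example (not GnuPG's code and not part of vedaal's post), here is a minimal RFC 4880 armor encoder next to a checker for an .asc file that can be run before the card leaves the offline machine or after it arrives: text-only bytes, matching BEGIN/END lines, intact CRC-24. The payload in the self-test is a constructed stand-in, not real gpg output.

```python
"""Minimal OpenPGP ASCII armor (RFC 4880, section 6) encoder and checker.

Added example, not GnuPG code. The payload used in the self-test below is
constructed and is NOT a real OpenPGP packet; it only stands in for the
binary ciphertext that `gpg -a` would wrap.
"""
import base64
import re

CRC24_INIT = 0xB704CE   # RFC 4880, section 6.1
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """Radix-64 CRC-24 from RFC 4880. It detects accidental corruption
    (a bad sector, a dropped line) but is not a tamper check."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes, block_type: str = "PGP MESSAGE") -> str:
    """Wrap binary data the way `gpg -a` does: BEGIN line, optional
    headers, blank line, base64 body in 76-column lines, '=' + base64
    CRC-24, END line. Every byte of the result is printable ASCII."""
    b64 = base64.b64encode(payload).decode("ascii")
    body = "\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    return (f"-----BEGIN {block_type}-----\n\n"
            f"{body}\n={crc}\n"
            f"-----END {block_type}-----\n")


# Printable ASCII plus tab/CR/LF: the only bytes an .asc should contain.
_TEXT_ONLY = re.compile(r"\A[\x20-\x7e\t\r\n]*\Z")


def check_armor(text: str) -> tuple:
    """Sanity-check an .asc before it crosses the gap in either direction.
    Returns (True, block_type) or (False, reason). Passing says the file is
    well-formed text, nothing about who produced it: the decrypting gpg
    still has to verify the signature inside."""
    if not _TEXT_ONLY.match(text):
        return False, "contains non-printable bytes: not text-only"
    lines = text.replace("\r\n", "\n").strip("\n").split("\n")
    begin = re.fullmatch(r"-----BEGIN (PGP [A-Z ]+)-----", lines[0])
    if not begin:
        return False, "missing BEGIN line"
    block_type = begin.group(1)
    if lines[-1] != f"-----END {block_type}-----":
        return False, "missing or mismatched END line"
    # Armor headers ("Version: ...", "Comment: ...") run until a blank line.
    i = 1
    while i < len(lines) and lines[i] != "":
        if ":" not in lines[i]:
            return False, f"malformed armor header: {lines[i]!r}"
        i += 1
    body = lines[i + 1:-1]
    if not body or not body[-1].startswith("="):
        return False, "missing CRC line"
    try:
        data = base64.b64decode("".join(body[:-1]), validate=True)
        stored = int.from_bytes(base64.b64decode(body[-1][1:], validate=True), "big")
    except ValueError:          # binascii.Error is a ValueError subclass
        return False, "invalid base64"
    if crc24(data) != stored:
        return False, "CRC-24 mismatch: corrupted in transit"
    return True, block_type


if __name__ == "__main__":
    sample = bytes(range(256)) * 3              # constructed stand-in ciphertext
    asc = armor(sample)
    print(asc)
    print(check_armor(asc))                     # (True, 'PGP MESSAGE')
    damaged = asc.replace("AAEC", "AAED", 1)    # one flipped base64 character
    print(check_armor(damaged))                 # (False, 'CRC-24 mismatch: corrupted in transit')
```

The CRC-24 only catches corruption on the card; whether the message is genuine is still decided by the signature check gpg performs on the offline machine.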
Re: In case you use OpenPGP on a smartphone ...
Johan Wevers wrote:

> On 11-08-2020 17:18, Stefan Claas wrote:
>
> >> Why hardware? If a bug is found you can't upgrade it easily.
> >
> > Because hardware can't be tampered with like software.
>
> If a hardware bug is found you're still lost. Even Apple has found out
> the hard way.

Yes, you are right. While I am no programmer I would assume that designers
of such little hardware devices, such as YubiKey or Nitrokey for example,
do not have to deal with a boatload of large software components burned
into ROMs.

> >> On mobile, encrypted messengers are the norm. WhatsApp is the biggest,
> >> and it uses Signal's encryption algorithm which is excellent.
> >
> > And you think that continuing with those is a good practice since
> > Mr Snowden's YouTube Video was released?
>
> It is a risk, but not a bigger risk than someone taking over your pc or
> laptop. Signal and GnuPG are both defenseless against that.

Yes, a risk, but at what price? I could imagine that many people do not
care too much if it hurts journalists or activists from foreign countries.

But how about cybercrimes in general?

https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ...
Yubikey dealt with a mass recall only last year due to a bug in their firmware: https://www.engadget.com/2019-06-13-yubico-recalls-government-grade-security-keys-due-to-bug.html
--
Pronouns: he/him/his

On 11/08/20 22:10, Stefan Claas <sac@300baud.de> wrote:
>
> Johan Wevers wrote:
>
> > On 11-08-2020 17:18, Stefan Claas wrote:
> >
> > >> Why hardware? If a bug is found you can't upgrade it easily.
> > >
> > > Because hardware can't be tampered with like software.
> >
> > If a hardware bug is found you're still lost. Even Apple has found out
> > the hard way.
>
> Yes, you are right. While I am no programmer I would assume that designers
> of such little hardware devices, such as YubiKey or Nitrokey for example,
> do not have to deal with a boatload of large software components burned
> into ROMs.
>
> > >> On mobile, encrypted messengers are the norm. WhatsApp is the biggest,
> > >> and it uses Signal's encryption algorithm which is excellent.
> > >
> > > And you think that continuing with those is a good practice since
> > > Mr Snowden's YouTube Video was released?
> >
> > It is a risk, but not a bigger risk than someone taking over your pc or
> > laptop. Signal and GnuPG are both defenseless against that.
>
> Yes, a risk, but at what price? I could imagine that many people do not
> care too much if it hurts journalists or activists from foreign countries.
>
> But how about cybercrimes in general?
>
> https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/
>
> Regards
> Stefan
>
> --
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion
Re: In case you use OpenPGP on a smartphone ...
On 11-08-2020 21:49, vedaal via Gnupg-users wrote:

> There is already a simple existing solution.

Simple is not how I see this.

> [1] Encrypt and decrypt on a computer that has internet hardware disabled.
> [2] Use an Orbic Journey V phone that gets and sends *only text*
> [3] Use a microsd expansion card on the orbis phone

The Iranians thought this too. And then someone invents Stuxnet-like
attack software.

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html


Re: In case you use OpenPGP on a smartphone ...
Chiraag via Gnupg-users wrote:

> Yubikey dealt with a mass recall only last year due to a bug in their firmware:
> https://www.engadget.com/2019-06-13-yubico-recalls-government-grade-security-keys-due-to-bug.html

Quote: Fortunately, any affected customers will receive a replacement key.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ...
vedaal@nym.hush.com wrote:

> There is already a simple existing solution.
>
> [1] Encrypt and decrypt on a computer that has internet hardware disabled.
>
> [2] Use an Orbic Journey V phone that gets and sends *only text*
>
> [3] Use a microsd expansion card on the orbis phone
>
> [4] set up the phone to save encrypted texts on the microsd 'storage' card
>
> [5] Take out the microsd card and use a card reader in the computer in [1] transfer text only (encrypted or decrypted)
>
> Any file can be sent as encrypted text by using the armor option -a on the GnuPG command line.
> (this includes audio, video .jpg, .png, pdf, etc. literally any and all possible file types.)
>
> Even if the Orbic uses the *unknown* system, if you are encrypting and decrypting on a separate air-gapped computer, and
> transferring only text to a microsd, it is hard to see how it can be compromised. (Yes *Anything* can happen, but without
> evidence, there is no end to paranoia)

(I only replied to you and not the list)

Thanks for the detailed description, much appreciated!

> It is not the place of the FAQ to solve the transmission issues of an already perfectly formed GnuPG encrypted .asc file.
>
> The manual and/or FAQ, tells how to use GnuPG to encrypt or decrypt the file, and armor it.
>
> The rest is up to the User's threat model.

Well, yes and no. It should at least be discussed, and if too many people write new tutorials from old FAQs then
new users will never know these dangers when using online devices.

> (btw,
> There is, [afaik], no protection available in GnuPG
> against a Clairvoyancy attack vector on an encrypted file even in an air-gapped computer,
> and there is a rumour that any Witch or Wizard can instantly behold the plaintext of an encrypted message
> by flicking a wand at it, and using the simple charm 'Revelato' )

I think I know what you mean. But I think it does not scale well for the masses due to manpower shortage.

> but not really in my threat model 8^))))

Mine neither. :-)

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ...
On 2020-08-11T21:18:24+0200 Johan Wevers <johanw@vulcan.xs4all.nl> wrote 0.9K bytes:

> On 11-08-2020 17:18, Stefan Claas wrote:
>
> >> Why hardware? If a bug is found you can't upgrade it easily.
> >
> > Because hardware can't be tampered with like software.
>
> If a hardware bug is found you're still lost. Even Apple has found out
> the hard way.

A hardware smartcard is meant to be a closed system, and you can enumerate all (or fuzz most) of the possible inputs.

If you have a Nest thermostat, why bother with an alcohol thermometer? Perhaps there is a bug with your Nest and it reports in Fahrenheit instead of Celsius. Google can issue an update, and send out an email apologizing profusely. If your alcohol thermometer is inaccurate, your homeostasis is surely doomed.

Re: In case you use OpenPGP on a smartphone ...
On 11/08/2020 19:57, Stefan Claas wrote:
> So, to sum it up (I know you prefer Tails) would you agree that
> sooner or later the community should develop strategies, in form of a
> best practice FAQ (cross-platform), to no longer use encryption
> software on online devices and work out strategies to use offline
> devices and how to handle this data securely over to an online
> device, until proper and affordable hardware encryption devices for
> online usage are available?

The problem with best practices is that they are context-dependent. Any
FAQ that steps outside the purely technical domain into operational
security will be misleading at best, and outright dangerous at worst. I
am a Tails user, but I only use it for specific things - I don't boot it
up for my everyday work (that would be insane, given my job). But my
threat model is very different to that of others, so I would never
presume to tell them that my best practice should be theirs.

Hardware encryption devices are already plentiful. The problem is that
secure hardware comes at a huge cost in flexibility, meaning that only a
small part of our computing landscape will ever be "secure hardware".
That's why we have Yubikeys, smartcards, HSMs, Nitrokeys, etc. A small,
limited-functionality device is much more likely to be secure because it
is much easier to audit. Anything with the breadth of functionality of a
general-purpose computer will never be fully trustworthy. Your CPU is an
entire GP computer, buried in another computer. Same with your SSD
drive. A USB-C *cable* now has more computing power than the Apollo moon
mission. It's software all the way down.

No, you should not stop using encryption software on online devices.
That would be insane. We should be adding more encryption at multiple
levels, so that compromise of one layer of encryption does not mean a
compromise of the entire system. Defence in depth is the only long-term
sustainable strategy.

--
Andrew Gallagher
Re: In case you use OpenPGP on a smartphone ...
Andrew Gallagher wrote:

> On 11/08/2020 19:57, Stefan Claas wrote:
> > So, to sum it up (I know you prefer Tails) would you agree that
> > sooner or later the community should develop strategies, in form of a
> > best practice FAQ (cross-platform), to no longer use encryption
> > software on online devices and work out strategies to use offline
> > devices and how to handle this data securely over to an online
> > device, until proper and affordable hardware encryption devices for
> > online usage are available?
>
> The problem with best practices is that they are context-dependent. Any
> FAQ that steps outside the purely technical domain into operational
> security will be misleading at best, and outright dangerous at worst. I
> am a Tails user, but I only use it for specific things - I don't boot it
> up for my everyday work (that would be insane, given my job). But my
> threat model is very different to that of others, so I would never
> presume to tell them that my best practice should be theirs.
>
> Hardware encryption devices are already plentiful. The problem is that
> secure hardware comes at a huge cost in flexibility, meaning that only a
> small part of our computing landscape will ever be "secure hardware".
> That's why we have Yubikeys, smartcards, HSMs, Nitrokeys, etc. A small,
> limited-functionality device is much more likely to be secure because it
> is much easier to audit. Anything with the breadth of functionality of a
> general-purpose computer will never be fully trustworthy. Your CPU is an
> entire GP computer, buried in another computer. Same with your SSD
> drive. A USB-C *cable* now has more computing power than the Apollo moon
> mission. It's software all the way down.

Thank you very much for your reply, much appreciated!

> No, you should not stop using encryption software on online devices.
> That would be insane. We should be adding more encryption at multiple
> levels, so that compromise of one layer of encryption does not mean a
> compromise of the entire system. Defence in depth is the only long-term
> sustainable strategy.

While I personally stopped using online encryption long ago, after my
Linux system was hacked, I would like to mention (in case people do not know)
that YubiKeys and Nitrokeys also allow login protection via 2FA and
that sudo usage then also requires tapping on the YubiKey, besides password
usage. Not sure if it is the same procedure with a Nitrokey.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ...
Just adding my 2 cents to this discussion.

I think it doesn't matter what sort of spyware potentially exists
somewhere out there for some phone, what matters is whether it is on
your phone.

This isn't really about the security of OpenPGP either but about a
fundamental trust in the things we use both hardware and software.

I can recommend this video from 36C3 that talks about hardware security
(spoilers: it's absolutely non-trivial and nigh impossible to verify):

https://www.youtube.com/watch?v=Hzb37RyagCQ

It's also about threat models that you as the user of software (that you
trust does its job correctly) are trying to protect against.

If an attacker having root access to your device is part of a threat you
want to defend against your only choice is to use a (hopefully) known
good device that performs the encryption/decryption for you.

If you are only interested in end to end encryption where the message
might be intercepted in transit or verification of signatures then
OpenPGP does its job pretty damn well still.

There is not a single encryption algorithm that can't be defeated by
simply having full access to the device it is running on.

Now we can talk about mitigations that exist for the threat model where
the device you are using to read/send messages is compromised and I
think the recommendations in this thread are pretty sound.

I personally have been using OpenKeychain and a Yubikey via NFC. That
means that while any message that I have decrypted might be compromised
the keys used to decrypt are still secure (under the assumption that
Yubikeys are as secure as advertised, see the video above).

For me this is secure enough. For you it might not be.

I think that in general users of software should be aware that the
environment their software is running in is a threat vector; if you do
not trust it, or you only trust it so far, then only keep information you
can afford to get compromised in it.

If you are a person under close government watch, live in an
authoritarian regime or are a dissident I would of course recommend to
use an airgapped device.

If you are working for a company with important trade secrets you
hopefully don't have access to those on your phone anyway.

If you are a normal person not defending against any sort of advanced
persistent threat I think a smartphone still offers decent (enough)
security in day to day use for non-sensitive information.

And then there is of course still:

https://xkcd.com/538/

In the end it all comes down to: How much effort is the attacker going
to spend on you?

That determines how much effort you need to spend to protect yourself
against them.

Re: In case you use OpenPGP on a smartphone ...
I guess the real question is: what are people using PGP for on mobile
devices?  If it's for communication, that's silly.  There are at least a
half dozen far, far, far better ways to securely communicate on a
smartphone. 

Also -- unless you are steeped in the security industry and run a
hardened OS, your laptop is likely as vulnerable if not more vulnerable
to the kinds of state level actors deploying this kind of mobile
malware.  The best mobile devices are far less vulnerable than typically
configured PCs.  An iPad is likely orders of magnitude more secure than
using a laptop with a typical consumer OS (Windows, Ubuntu, etc).  Both
can be compromised but the iPad, if kept up to date, is going to be a
much more expensive target. 

The people of the world with Snowden-level paranoia (at least the ones
not tied to some nation's security service) are using air-gapped
internet-virgin hardware to communicate.  For everyone else, a locked
down (location services off, iCloud account off, always-on VPN, kept in
faraday bag when not in use) iPhone/iPad is as close as they're going to
get to real privacy/security. 

On 8/10/20 10:49 AM, Stefan Claas wrote:
> Michał Górny wrote:
>
> [...]
>
>> Why use PGP on your phone if you carry a whole laptop with you anyway?
> Good question. There is software for Android available called OpenKeyChain,
> which as I understand is the de facto standard for Android smartphone users,
> in combination with a MUA for Android.
>
> The question IMHO now is what should mobile device users do now? I showed
> a solution, assuming those users have an offline laptop too, which then
> would allow them to comfortably and securely create their messages.
>
> Not all people can now purchase a new smartphone with a more secure OpenSource
> OS and new SIM, I assume.
>
> I also do not know if it is common for people to use a (compromised?) online
> laptop as a smartphone, when on the road.
>
> Regards
> Stefan
>
> --
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion

--
-Ryan McGinnis
http://bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Re: In case you use OpenPGP on a smartphone ...
If you don't want to be location tracked on a mobile device you just
power it off and put it in a Faraday bag when not in use. 
https://silent-pocket.com/

If you want to deep dive into this sort of thing (it's a really deep
lake), give this book a read: 

https://www.amazon.com/gp/product/B0898YGR58/ref=dbs_a_def_rwt_hsch_vapi_taft_p1_i0


On 8/11/20 3:32 AM, Stefan Claas wrote:
> Matthias Apitz wrote:
>
>> On Monday, August 10, 2020 at 09:07:51 +0200, Stefan Claas wrote:
>>
>>>> One can use a Linux mobile phone running UBports.com (as I and all my family do)
>>>> or the upcoming Puri.sm L5 (as I pre-ordered in October 2017).
>>> Yes, people have already given me (not from here of course) good advice for other OSs
>>> which one can use. The question is how long those OSs will remain unaffected ...
>> The kernel and all apps are OpenSource i.e. people can (and do) read the
>> sources. It's impossible to build in backdoors. The attack could come
>> through the firmware in the chips (which are not OpenSource). For this
>> the Puri.sm L5 (and the laptops they make also) have 3 hardware keys to
>> power off WiFi, Cellular, Microphone/Cameras (all 3 will turn off GPS).
>>
>> The authorities cannot track you. See:
>>
>> https://puri.sm/products/librem-5/
> Thanks for the information! While it is a nice product, according to their web site,
> they say they run Gnu/Linux. Do you think that Gnu/Linux can't be hacked? Or better
> said, should we all (those who use encryption software often) still use it directly
> on online devices?
>
> Regards
> Stefan
>
> --
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion

--
-Ryan McGinnis
http://bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Re: In case you use OpenPGP on a smartphone ...
Felix wrote:

[...]

apologies for not quoting each paragraph from you!

No doubt that system tools (as Werner says) like GnuPG, or any others for
that matter, which are free and OpenSource, are good tools people rely on.

We all know that threats for online devices exist and mostly bugs or security
holes are more or less quickly discovered and fixed.

I believe that users interested in security and privacy always try to strive
for the best solutions available, regardless of their threat model, i.e. what
is good for activists or journalists in oppressed regimes etc. (who received
advice and how-tos from professionals) may also be good for us, when trying
to protect things we are doing online.

My concern however, with the advancement of these powerful tools is that this
is already a 'Russian roulette' while there is currently no defense AFAIK against
them or guarantees that these tools are not being misused by third parties.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ...
I presume the goal of people (who know what they are doing) going
through all these inconvenient steps isn't to build the perfect
impenetrable fortress of security (which doesn't exist) but rather to
make it more difficult or expensive to circumvent from the threat
actor's perspective, hopefully to the point where it's not worth it.  An
iOS 0day used to run over a million buckaroos on the open market (it's
cheaper now, Apple's security has flagged a bit in recent years) so it's
not something Script-Kiddie McHighschoolKid is going to use to try to
get at your filthy nudes.  But I wouldn't run the SCADA control
interface of my highly controversial uranium centrifuge farm on my
iPhone, because spending a million buckaroos is like dropping a penny in
a pond for the kinds of actors who'd be interested in that sort of thing. 

If you're trying to defeat the amorous advances of the NSA and you don't
have the support and training of an entire nation's intelligence agency
behind you, just accept that you've already lost.  Also, don't post
here, anyone the NSA is actively interested in lives a life way too
interesting to be self-owning any kind of OSINT about themselves in
public. 

For the average bloke, owning an iPhone with a strong passcode and using
Signal or Wire to communicate is going to give them some of the best
hardware and communications security money can buy. 
 
On 8/11/20 3:58 PM, Johan Wevers wrote:
> On 11-08-2020 21:49, vedaal via Gnupg-users wrote:
>
>> There is already a simple existing solution.
> Simple is not how I see this.
>
>> [1] Encrypt and decrypt on a computer that has internet hardware disabled.
>> [2] Use an Orbic Journey V phone that gets and sends *only text*
>> [3] Use a microsd expansion card on the orbis phone
> The Iranians thought this too. And then someone invents Stuxnet-like
> attack software.
>
> --
> ir. J.C.A. Wevers
> PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

--
-Ryan McGinnis
http://bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Re: In case you use OpenPGP on a smartphone ...
Ryan McGinnis via Gnupg-users wrote:

> I guess the real question is: what are people using PGP for on mobile
> devices?  If it's for communication, that's silly.  There are at least a
> half dozen far, far, far better ways to securely communicate on a
> smartphone.

Well, it is listed by the OpenPGP experts:

https://www.openpgp.org/software/openkeychain/

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ...
Well yes I realize that it exists, what I'm saying is why would anyone
use it for secure communications on a smartphone when there are
solutions orders of magnitude more secure and simple to use.  It'd be
like buying a helicopter but deciding you'd still fly only 2 feet off
the ground and stick to paved roads. 



On 8/12/20 11:46 AM, Stefan Claas wrote:
> Ryan McGinnis via Gnupg-users wrote:
>
>> I guess the real question is: what are people using PGP for on mobile
>> devices?  If it's for communication, that's silly.  There are at least a
>> half dozen far, far, far better ways to securely communicate on a
>> smartphone. 
> Well, it is listed by the OpenPGP experts:
>
> https://www.openpgp.org/software/openkeychain/
>
> Regards
> Stefan
>
> --
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion

--
-Ryan McGinnis
http://bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Re: In case you use OpenPGP on a smartphone ...
Ryan McGinnis via Gnupg-users wrote:

> If you don't want to be location tracked on a mobile device you just
> power it off and put it in a Faraday bag when not in use.
> https://silent-pocket.com/

Yup, still waiting for my Faraday bags, which I won from the Nym project giveaway.
>
> If you want to deep dive into this sort of thing (it's a really deep
> lake), give this book a read:
>
> https://www.amazon.com/gp/product/B0898YGR58/ref=dbs_a_def_rwt_hsch_vapi_taft_p1_i0

Thanks for the info! According to the Amazon info he teaches celebrities.

I read an article yesterday that a lot of celebrities prefer dumb phones over smartphones.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ...
Ryan McGinnis via Gnupg-users wrote:

> Well yes I realize that it exists, what I'm saying is why would anyone
> use it for secure communications on a smartphone when there are
> solutions orders of magnitude more secure and simple to use.  It'd be
> like buying a helicopter but deciding you'd still fly only 2 feet off
> the ground and stick to paved roads.

Maybe there was a demand from PGP users and the author fulfilled their
wish or it is maybe hip among the young smartphone generation, who grew
up with smartphones, to have OpenPGP on a smartphone, because they
trust only OpenPGP based software. I don't know.

Regards
Stefan
--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ...
Stefan Claas wrote:

> Ryan McGinnis via Gnupg-users wrote:
>
> > Well yes I realize that it exists, what I'm saying is why would anyone
> > use it for secure communications on a smartphone when there are
> > solutions orders of magnitude more secure and simple to use.  It'd be
> > like buying a helicopter but deciding you'd still fly only 2 feet off
> > the ground and stick to paved roads.
>
> Maybe there was a demand from PGP users and the author fulfilled their
> wish or it is maybe hip among the young smartphone generation, who grew
> up with smartphones, to have OpenPGP on a smartphone, because they
> trust only OpenPGP based software. I don't know.

P.S. and it can be used with a smartcard.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ...
I'm not sure that there are solutions orders of magnitude more secure
that are available readily.

Also people tend to get emails on the go as well that might be
encrypted. It's convenient to decrypt emails on a smartphone and not
really that insecure if you're using an external device for actual
key storage (such as a YubiKey).

I don't actually see what's so silly about the whole thing.

On 2020-08-12 18:57, Ryan McGinnis via Gnupg-users wrote:
> Well yes I realize that it exists, what I'm saying is why would anyone
> use it for secure communications on a smartphone when there are
> solutions orders of magnitude more secure and simple to use.  It'd be
> like buying a helicopter but deciding you'd still fly only 2 feet off
> the ground and stick to paved roads. 
>
>
>
> On 8/12/20 11:46 AM, Stefan Claas wrote:
>> Ryan McGinnis via Gnupg-users wrote:
>>
>>> I guess the real question is: what are people using PGP for on mobile
>>> devices?  If it's for communication, that's silly.  There are at least a
>>> half dozen far, far, far better ways to securely communicate on a
>>> smartphone. 
>> Well, it is listed by the OpenPGP experts:
>>
>> https://www.openpgp.org/software/openkeychain/
>>
>> Regards
>> Stefan
>>
>> --
>> my 'hidden' service gopherhole:
>> gopher://iria2xobffovwr6h.onion
>
Re: In case you use OpenPGP on a smartphone ...
Well, more like celebrities (and other types) hire him to keep their personal lives and information from being easily found. He also helps stalking victims disappear. I believe he’s former FBI.
He prefers the old iPhone SE. At one time you used to be able to buy them anonymously with cash, which made them pretty hard to trace. I think he prefers a secure smartphone because he feels one should never use one's real phone number for anything, which means using a VoIP app for all calls and texts. For mobile service he goes with Mint Mobile, from which, BTW, you can buy cheap 2-week "trial" SIM cards with cash that will work as a non-VoIP 2FA account verification method, meaning you can sign up for sites and services without disclosing any personally identifying information whatsoever.
-Ryan McGinnis
http://www.bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD


Sent from ProtonMail Mobile

On Wed, Aug 12, 2020 at 11:57, Stefan Claas <sac@300baud.de> wrote:
> Ryan McGinnis via Gnupg-users wrote:
>
>> If you don't want to be location tracked on a mobile device you just
>> power it off and put it in a Faraday bag when not in use.
>> https://silent-pocket.com/
>
> Yup, still waiting for my Faraday bags, which I won from the Nym project giveaway.
>>
>> If you want to deep dive into this sort of thing (it's a really deep
>> lake), give this book a read:
>>
>> https://www.amazon.com/gp/product/B0898YGR58/ref=dbs_a_def_rwt_hsch_vapi_taft_p1_i0
>
> Thanks for the info! According to the Amazon info he teaches celebrities.
>
> I read an article yesterday that a lot of celebrities prefer dumb phones over smartphones.
>
> Regards
> Stefan
>
> --
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion
