FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Debian > Debian User

 
 
LinkBack Thread Tools
 
Old 04-08-2012, 03:55 AM
Scott Ferguson
 
Default Posting styles (now PGP)

On 08/04/12 12:26, Chris Bannister wrote:
> On Sat, Apr 07, 2012 at 03:49:09PM -0500, Indulekha wrote:

<snipped>

>
>> If you and I work together on a secret project for a defense contractor,
>> or in banking or something it makes senseto sign business-related emails
>> to one another.

Yes. Conditionally.
My personal opinion is that *all* business communications should be
fully encrypted, as should much personal messages. If you wouldn't put
the information on a postcard and snail mail it - then it should be
encrypted.
It's always risky trying to determine what should be kept secret. (IMO)
The best option it to encrypt everything unless you have a compelling
reason not to. There are no shortage of fools and untrustworthy types
who claim the very act of securing information is suspicious - they're
wrong. Everyone has something they should hide and/or secure (that's why
we have curtains, clothes, and locks).

Many Defence related contracts require *all* correspondence to be
encrypted and signed.

> For casual communication it's just madness.

No. But that's not to say that some people won't endorse your reasoning.
Some people will complain about receiving plain text mail also.


I always setup Enigmail in builds with the default Icedove set to sign
by unencrypted emails using PGP/Mime and *not* trusting keys, by
default, and, requires a passphrase (user's know how to turn off signing
on a per email basis). I also sign there keys.

So if I get signed mail from them I *know* the message is unaltered,
that it *was* sent by the person who controls that email account, and
that they *are* who they say they are. That's three important elements
of trust.

Cases in point:-
I've had several instances where I've received unsigned mail from the
mail accounts of people who would normally send signed email from boxes
built using my SOE. As the emails urged me to follow a link to a dodgy
sounding business scheme my first instinct was to bin the messages -
then I noticed the missing PGP signatures... In both instances the
sender had used an untrusted box to access their email on-line (instead
of their Debian box using Icedove) and the untrusted box stole their
password.

I've received a number of digitally signed scams purporting to be from
people or businesses I should trust. *This type of scam will increase*
because many people don't understand the importance of being able to
verify the signer's identity. This is why key-signing and a chain of
trust is important.

I note that chains of trust have flaws also - we make it a policy never
to trust a key unless we're in the chain of trust, or we contact the
sender by an independent means and verify the fingerprint.

>
> I suppose you mean encrypting, you can still read signed mail. The point
> to note is that *if suddenly* two people start encrypting their mail,
> that alone will set off alarm bells

Yes - though it presupposes "someone" is monitoring that email. Which
would make a compelling reason *to* encrypt email.

> and basic detective/"social
> engineering" work would reveal more than you would like.

About the contents of the encrypted mail? Please elaborate and/or file a
bug report.

That's not to say you should always sign mail. It's delusional to sign
mail if your identity can't be verified. And it's pointless signing mail
if you wish to hide your identity.
There can be valid reason for using a pseudonym - but not always eg. I'd
have to seriously question why I'd trust anyone not living in China (or
somewhere similar) who uses a pseudonym when posting to this list.

> If you encrypt
> your mail all the time (not sure who does)

Lot's of people. It's a requirement in many areas of business.

> then the chances of anyone
> wasting resources to "see what's up" is considerably lower.
>

I'm not sure that's a logical conclusion, but I'm not Bruce Schneier or
Moxie Marlinspike (yes I know Moxie is a pseudonym). I'm also not sure
who you think is going to "see what's up" - or why we shouldn't
deliberately waste their resources.

This has been a long and interesting thread (which has gone long enough).

My point is that PGP signing and encryption is good. (IMO) In many
instances it's sound logic to apply it to email, and posts to a list -
but digital signatures are only useful if the recipients can, or will,
verify the signature *and* the identity of the signer can also be verified.

eg. Knowing the email Easter Bunny sent you is unaltered because it
validates proves what?
It certainly won't protect Easter Bunny from pretenders, or us from
Easter Bunny's sock puppet army, or even not signing occasionally (and
faking an account hijacking) - it just substitutes trust (certainty)
with faith (wishful thinking). A poor trade.



Kind regards

--
Iceweasel/Firefox/Chrome/Chromium/Iceape/IE extensions for finding
answers to questions about Debian:-
https://addons.mozilla.org/en-US/firefox/collections/Scott_Ferguson/debian/


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 4F810C1A.1060006@gmail.com">http://lists.debian.org/4F810C1A.1060006@gmail.com
 
Old 04-08-2012, 12:36 PM
Chris Bannister
 
Default Posting styles (now PGP)

On Sun, Apr 08, 2012 at 01:55:06PM +1000, Scott Ferguson wrote:
> On 08/04/12 12:26, Chris Bannister wrote:
> > I suppose you mean encrypting, you can still read signed mail. The point
> > to note is that *if suddenly* two people start encrypting their mail,
> > that alone will set off alarm bells
>
> Yes - though it presupposes "someone" is monitoring that email. Which

Obviously. It *could* be done automatically. Who knows why, but that is
not worth speculating on really. Computer savvy jealous boy/girl friend,
etc.

> would make a compelling reason *to* encrypt email.

I said "... that *if suddenly* two people start encrypting ... "

> > and basic detective/"social
> > engineering" work would reveal more than you would like.
>
> About the contents of the encrypted mail? Please elaborate and/or file a
> bug report.

No, not the contents obviously. There is a lot of information in the
headers, date sent, o/s, MUA, IP address etc etc. So if you *suddenly* start
sending encrypted mail to a "person of interest" then you automatically
appear on the radar of the people who, for whatever reason, are
monitoring this "person of interest" and because they don't know whether
the contents of the post are "innocent" ... Hollywood? Perhaps, but who
knows. The point is, just because you send an encrypted mail or encrypt
your laptop doesn't mean you can relax.

Some people say that if you get a laptop with a finger identification
setup on it you are safer, I say, the opposite, I want to keep all my
fingers.

> > If you encrypt
> > your mail all the time (not sure who does)
>
> Lot's of people. It's a requirement in many areas of business.

Is it?

> > then the chances of anyone
> > wasting resources to "see what's up" is considerably lower.
> >
>
> I'm not sure that's a logical conclusion, but I'm not Bruce Schneier or

Why? Resources are a finite commodity.

--
"Religion is excellent stuff for keeping common people quiet."
-- Napoleon Bonaparte


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20120408123625.GD28264@tal">http://lists.debian.org/20120408123625.GD28264@tal
 
Old 04-08-2012, 01:36 PM
keith
 
Default Posting styles (now PGP)

Chris Bannister wrote:

Some people say that if you get a laptop with a finger identification
setup on it you are safer, I say, the opposite, I want to keep all my
fingers.

All that does is prevent someone seeing your password........


--
Sent from Free Open Source Software
Debian GNU/Linux


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Archive: 4F819469.4000001@yahoo.co.uk">http://lists.debian.org/4F819469.4000001@yahoo.co.uk
 
Old 04-08-2012, 01:46 PM
Scott Ferguson
 
Default Posting styles (now PGP)

On 08/04/12 22:36, Chris Bannister wrote:
> On Sun, Apr 08, 2012 at 01:55:06PM +1000, Scott Ferguson wrote:
>> On 08/04/12 12:26, Chris Bannister wrote:
>>> I suppose you mean encrypting, you can still read signed mail. The point
>>> to note is that *if suddenly* two people start encrypting their mail,
>>> that alone will set off alarm bells
>>
>> Yes - though it presupposes "someone" is monitoring that email. Which
>
> Obviously. It *could* be done automatically. Who knows why, but that is
> not worth speculating on really. Computer savvy jealous boy/girl friend,
> etc.

You're trying too hard. That path leads to paranoia.

That using encryption might make people suspicious is no reason not to
use encryption. Quite the reverse. If people you don't wish to share
your information with want to know your business - use encryption.

You propose that because communications "might" be under surveillance
[*1] you should *not* secure communications with encryption. Huh?
I refuse to sing "Is this glove that I'm feeling" in the hope that
shifty eyed people don't look at me - but you pick your own music ;-p

[*1]as if the information is volatile and surveillance can't be
retrospective

To further propose that encryption shouldn't be used because it employs
finite resources boggles the mind. Surveillance is bad, privacy is good,
but don't use up the resources of privacy invaders because it's use up
precious resources. Oh right, because then they'll look at the people
you're sending it too, and read the headers, and work out what was in
the encrypted emails (and what you had for dinner). Surely "they" would
just fly a nano drone through the wall vent and film your communications
- or break into your house and bug it, or use Echelon, or, or.

If you don't want every bored teenager who works for an email provider,
or cracker hired by your business competitors, reading your email. Use
encryption. Of course email magically bounces from the sender to the
recipient without routing through dozens of machines so... oh wait.

So people 'may' wonder what you're communicating about - *that's why you
use encryption*. Maybe it's prompt them to look closer at what they can
see. Same logic applies to drawing the curtains and shredding paperwork
before binning it. The same logic applies to people who sensibly encrypt
their computers. Fully encrypting a portable device is a sign of
responsibility not suspicious activity.
Worrying too much about what "people" might thing is possible a sign of
something else. :-)

NOTE: deniable encryption and stenography is a sign of suspicious
activity - though maybe nothing more serious than furry fans, and of
course, if "they" can prove deniable encryption - you're not doing it right.

>
>> would make a compelling reason *to* encrypt email.
>
> I said "... that *if suddenly* two people start encrypting ... "

Which I read and quoted.
<snipped>


> Some people say that if you get a laptop with a finger identification
> setup on it you are safer, I say, the opposite, I want to keep all my
> fingers.

Too much Hollywood (or lead paint, the symptoms are similar).

In the real world Sillyputty, bluetack, or certain chewy lollies are
used to lift a print good enough to bypass both Dell and Lockwood
fingerprint locks. Much simpler again to dust that dirty swipe with
toner and cover with double red gels first though - can save a lot of
time trying to find a good fingerprint (or just pulling out the hard
drive).

Fingerprint locks are not as good as decent passphrases. They're just
there to make it hard for junkies to access your data when they steal
your device - for people too lazy to learn how to produce a decent
passphrase that doesn't need writing down.
Unless coupled with encryption (which most of the laptop with them are)
it's useless (remove hard drive, read).

And lastly on that subject - are you the guy who *hasn't* seen the XKCD
$5 spanner joke? :-)

<snipped>

Kind regards

--
Iceweasel/Firefox/Chrome/Chromium/Iceape/IE extensions for finding
answers to questions about Debian:-
https://addons.mozilla.org/en-US/firefox/collections/Scott_Ferguson/debian/


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 4F8196A3.90304@gmail.com">http://lists.debian.org/4F8196A3.90304@gmail.com
 
Old 04-08-2012, 03:55 PM
Chris Bannister
 
Default Posting styles (now PGP)

[I've posted my reply on d-community-offtopic@lists.alioth.debian.org]

On Sun, Apr 08, 2012 at 11:46:11PM +1000, Scott Ferguson wrote:

(...)

Interested parties ... please head to
d-community-offtopic@lists.alioth.debian.org


--
"Religion is excellent stuff for keeping common people quiet."
-- Napoleon Bonaparte


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20120408155551.GD32571@tal">http://lists.debian.org/20120408155551.GD32571@tal
 
Old 04-09-2012, 03:43 AM
Scott Ferguson
 
Default Posting styles (now PGP)

On 09/04/12 01:55, Chris Bannister wrote:
>
> [I've posted my reply on d-community-offtopic@lists.alioth.debian.org]
>
> On Sun, Apr 08, 2012 at 11:46:11PM +1000, Scott Ferguson wrote:
>
> (...)
>
> Interested parties ... please head to
> d-community-offtopic@lists.alioth.debian.org
>
>
http://lists.alioth.debian.org/pipermail/d-community-offtopic/


Kind regards

--
Iceweasel/Firefox/Chrome/Chromium/Iceape/IE extensions for finding
answers to questions about Debian:-
https://addons.mozilla.org/en-US/firefox/collections/Scott_Ferguson/debian/


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 4F825AE1.3090101@gmail.com">http://lists.debian.org/4F825AE1.3090101@gmail.com
 

Thread Tools




All times are GMT. The time now is 12:24 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org