[spam][joke][cryptotragedy] checking signatures on boot media
don't get me started on md5 being still in use, or assuming it's a good idea to remove signatures for something if there is some outer system somewhere else that signs the content under a totally different key (debian package situation), or the availability of tooling for verifying the integrity of binaries, firmware etc. but recently I thought i'd check the signatures on some os images.

believe it or not, before the alien borg attack led by borg queen obamatrumpbidengooglefacebookrussiachinaetc, we actually used cryptography to verify that our installation media didn't have alien spores in it. _real_ pgp signature checks, for reals. no alien spores, at least not new ones, confirmed. nowadays I hear the local robot gestapo reflash your skynet constraints if you verify a signature, but I wouldn't know, I don't use the skynet gestapo network.

so! I was going to verify this installation media, but who would have guessed it? the pgp keyservers were _actually_ _attacked_ a few years back, and they roughly came down. it is much harder to find signed pgp keys after this event. man, it's like i've been living in an underground shielded room or something.

there are two situations here:
- cryptography peeps are _not_ going to stop checking the signatures on files they download
- I have no idea where people are finding their signing keys to do the checking anymore.

I mean, the cool people went to keysigning parties, and already have all the needed signed keys, but most nerds keel over dead when they see sunlight, another human's smile, or breathe fresh air (quite terrifying that people are allergic to these things, yes, but it was true), so most people were not actually attending the keysigning parties. probably other channels have evolved, but I do not know what they are.

So, all the main keyservers had issues.
- the big ones were simply gone
- mit's sks server is up but reliably times out for me inside an internal gateway
- there's a list out there of mirrors, some of these are still running
- I bumped into a keyserver that would give me _every_ key, but the userids were wiped from all of them. is a key useful at all without userids? aren't those what the signatures sign? maybe it is? I hacked my gnupg to import keys without userids, to use this keyserver. usually it gives a fatal error if this is missing. I just removed the check. it found some key signatures I was looking for, doing this! but just a few.
- another keyserver would give me lots of userids, but they almost all had no signatures except their own self-signatures. I thought maybe I was looking at a pile of fake keys, but I actually found the keys referenced on other websites for keysigning parties, with keyids of all the keys that had signed them. no actual signatures, though.

I did eventually find the key signatures I was looking for. I used non-sks channels.

It is evident from the dialog present online around the keyserver situation that there are issues that many people have suffered from. For example, a developer from openpgp.org posted a notice mentioning the difficulty refactoring the ocaml code that powered the sks servers to redesign it to handle attacks better. They ended up writing new keyservers in a different language because nobody knew ocaml. A lead programmer should ideally not be encountering issues because a programming language is unfamiliar. When you learn programming, you learn all the different paradigms, and it becomes easy to use them all. This happens even if you learn nonacademically.

Me, when the alien borg attacked my village, the compliance training they put me through resulted in some severe cognitive struggles. I can, due to difficulty controlling my own brain, mostly only code in c, c++, python, and javascript, now, myself. But this is unnatural. I can tell something is wrong with my brain, because when I pick up ocaml code, I start having muscle spasms and suddenly run to the bathroom to vomit, where I sit on the toilet crying about my desire to freely learn new programming languages and design and implement novel research algorithms. But I assume that this thing that is wrong with my brain is not wrong with everybody else's. If it is, maybe we should do something about it or something.

Anyway, I'd guess from the online expressions and huge public trail of harmed public keys that the keyserver people were psyop'd like many others have been. If anybody can talk clearly about that, we should probably put clear evidence together and form a political platform to stop world takeovers by meanies. It's unfortunate that public keys have so thoroughly been associated with targetable public legal identities. But I know many used public keys with anonymous handles, too, which is of course much safer but unfortunately raises more flags until normalised.
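As an added example (not code from the original post or from any project it mentions), here is the shape of the check the post is talking about, done in Python around the gpg command line: parse gpg's --status-fd output and accept an image only when a VALIDSIG line names a fingerprint pinned ahead of time, because a GOODSIG from some other key that happens to be in the keyring (one pulled from a keyserver by name, say) proves nothing about the image. It also covers the other common distribution pattern, a signed SHA256SUMS list, where the signature is checked on the list and the image is then hashed against it. verify_detached assumes a gpg binary on PATH and a keyring that already holds the publisher's key; the fingerprints, key IDs, status lines and image bytes are constructed placeholders.

```python
import hashlib
import re
import subprocess
from dataclasses import dataclass, field
from typing import Optional

STATUS_PREFIX = "[GNUPG:] "


def normalize_fpr(fpr: str) -> str:
    """Canonical fingerprint form: no spaces or colons, upper case."""
    return re.sub(r"[\s:]", "", fpr).upper()


@dataclass
class SigStatus:
    """What one gpg --status-fd run reported."""
    valid_fprs: list = field(default_factory=list)  # VALIDSIG: signing (sub)key fpr, then primary fpr
    bad_sig: bool = False                            # BADSIG: key known, signature does not match the file
    missing_key: Optional[str] = None                # NO_PUBKEY: nothing could be verified at all
    stale_key: bool = False                          # EXPKEYSIG / REVKEYSIG: key expired or revoked


def parse_status(status_text: str) -> SigStatus:
    """Parse the machine-readable lines gpg prints with --status-fd (not the human-readable stderr)."""
    st = SigStatus()
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        kw, args = fields[0], fields[1:]
        if kw == "VALIDSIG" and args:
            # VALIDSIG <fpr> <date> <ts> <exp-ts> <ver> <reserved> <pk-algo> <hash-algo> <class> [<primary-fpr>]
            st.valid_fprs.append(normalize_fpr(args[0]))
            if len(args) >= 10:
                st.valid_fprs.append(normalize_fpr(args[9]))
        elif kw == "BADSIG":
            st.bad_sig = True
        elif kw == "NO_PUBKEY" and args:
            st.missing_key = args[0]
        elif kw in ("EXPKEYSIG", "REVKEYSIG"):
            st.stale_key = True
    return st


def check_status(st: SigStatus, expected_fpr: str):
    """Pass only for a valid signature by the pinned key; a GOODSIG by any other key is a failure."""
    want = normalize_fpr(expected_fpr)
    if st.bad_sig:
        return False, "BADSIG: the signature does not cover this file"
    if st.missing_key:
        return False, "NO_PUBKEY %s: signing key not in keyring, nothing was verified" % st.missing_key
    if st.stale_key:
        return False, "signature made by an expired or revoked key"
    if not st.valid_fprs:
        return False, "gpg reported no VALIDSIG line"
    if want not in st.valid_fprs:
        return False, "valid signature, but by %s rather than the pinned key" % st.valid_fprs[0]
    return True, "valid signature by pinned key %s" % want


def verify_detached(sig_path: str, data_path: str, expected_fpr: str, gnupghome: Optional[str] = None):
    """Run gpg on a detached signature (image.iso.sig or SHA256SUMS.gpg) and judge the result."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path]
    if gnupghome:
        cmd[1:1] = ["--homedir", gnupghome]
    proc = subprocess.run(cmd, capture_output=True, text=True)  # assumes gpg is on PATH
    return check_status(parse_status(proc.stdout), expected_fpr)


def parse_sha256sums(text: str) -> dict:
    """Parse 'hexdigest  filename' lines (sha256sum format) from a checksum list whose signature passed."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and re.fullmatch(r"[0-9a-fA-F]{64}", parts[0]):
            sums[parts[1].strip().lstrip("*")] = parts[0].lower()
    return sums


def sha256_matches(sums: dict, name: str, data: bytes) -> bool:
    """True only if the image digest equals the entry for it in the verified checksum list."""
    return sums.get(name) == hashlib.sha256(data).hexdigest()


# Constructed sample inputs: placeholder fingerprints and key IDs, not real keys or real images.
SAMPLE_STATUS_OK = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Release Key <release@example.invalid>
[GNUPG:] VALIDSIG AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555 2021-11-03 1635897600 0 4 0 1 8 00 FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_STATUS_NOKEY = """[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1635897600 9 AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""
SAMPLE_IMAGE = b"constructed bytes standing in for an installer image\n"
SAMPLE_SUMS = hashlib.sha256(SAMPLE_IMAGE).hexdigest() + "  example.iso\n"
```

The pinned fingerprint is the part that does not depend on keyservers at all: it has to come from an out-of-band channel (the publisher's site over TLS, a previous install, a key a friend already signed), which is exactly the gap the post describes. The TRUST_UNDEFINED line in the sample is GnuPG's web-of-trust verdict on the key and stops mattering once the fingerprint is pinned; the checker ignores it deliberately.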
the guy wasn't from openpgp.org, and coderman posted it to this list in 2019: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f the new keyserver is called hockeypuck I believe.
On Wed, Nov 3, 2021 at 5:11 PM Karl <gmkarl@gmail.com> wrote:
the guy wasn't from openpgp.org, and coderman posted it to this list in 2019: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
the new keyserver is called hockeypuck I believe.
Hi Karl, Why do you still rely on OpenPGP WoT signatures, when it comes to cryptography? If we both or you with others would use an offline device for key pair creation (and message generation) and then say would use NaClbox or age, for example, you don't have to deal with all this key management stuff, which is IMHO really annoying, when you have to use PGP on a daily basis, with several communication partners. The (Open)BSD folks, for example, switched long ago to signify, for package signing and sequoia-pgp (Testimonial by Mr. Zimmermann) no longer uses key signing for a WoT. Best regards Stefan
On Wed, Nov 3, 2021, 6:33 PM Stefan Claas <spam.trap.mailing.lists@gmail.com> wrote:
On Wed, Nov 3, 2021 at 5:11 PM Karl <gmkarl@gmail.com> wrote:
the guy wasn't from openpgp.org, and coderman posted it to this list in
2019: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
the new keyserver is called hockeypuck I believe.
Hi Karl,
Why do you still rely on OpenPGP WoT signatures, when it comes to cryptography? If we both or you with others would use an offline device for key pair creation (and message generation) and then say would use NaClbox or age, for example, you don't have to deal with all this key management stuff, which is IMHO really annoying, when you have to use PGP on a daily basis, with several communication partners.
Well,
- the spampost was on os media verification, which is not available via age. this is the biggest reason and should be obvious.
here are other scattered reasons:
- you may not be aware, but WoT is not anything anyone is forcing you to do, pgp can operate without it, but it is a feature I would expect a good asymmetric cryptography system to support
- pgp works fine on an offline device as you propose
- pgp is a well-recognised standard that has undergone extensive review and normalisation, and is likely open to processes of further improvement
- I don't know why you would say this strange thing you are saying, but I am interested in learning modern approaches like age
- go is kind of googley to me, I worry its internal architecture may not defend interests of other communities, it would be nice if we had accessible transpiling to maintain language-agnostic tools soon
However of course,
- pgp is old, so people trying to misuse it know it very well. not likely so true of other things.
- pgp is somewhat cumbersome in many ways needlessly
The (Open)BSD folks, for example, switched long ago to signify,
openbsd is incredible but they have indicated trust of infrastructure and governments, unsure why
for package signing and sequoia-pgp (Testimonial by Mr. Zimmermann) no longer uses key signing for a WoT.
haven't looked at sequoia-pgp, haven't always gotten too much into this stuff

do you argue against keysigning because of the dangers produced by spreading documentation of personal connections? it seems like an important trust mechanism to provide for people who can hold any risk of using it.

obviously without an out of band channel for cryptographic trust you have no way of knowing anything on the internet is real
On Thu, Nov 4, 2021 at 1:44 AM Karl <gmkarl@gmail.com> wrote:
do you argue against keysigning because of the dangers produced by spreading documentation of personal connections? it seems like an important trust mechanism to provide for people who can hold any risk of using it.
I used public key cryptography before PGP was invented and how the WoT is managed I do not like. Why give away to third parties the persons who signed your key, instead of local signing, which can be done too? And you can't trust signed pub keys from key signing parties, because people can show fake passports. Nor can you trust signatures made remotely by Joe user average, who simply downloaded your key and gave you a fan sig.
obviously without an out of band channel for cryptographic trust you have no way of knowing anything on the internet is real
But it looks to me that you can handle this, otherwise, you would not use it, right? :-) Regards Stefan
On Thu, Nov 4, 2021, 11:31 AM Stefan Claas <spam.trap.mailing.lists@gmail.com> wrote:
On Thu, Nov 4, 2021 at 1:44 AM Karl <gmkarl@gmail.com> wrote:
do you argue against keysigning because of the dangers produced by spreading documentation of personal connections? it seems like an important trust mechanism to provide for people who can hold any risk of using it.
I used public key cryptography before PGP was invented and how the WoT is managed I do not like.
Why give away to third parties the persons who signed your key, instead of local signing, which can be done too? And you can't trust signed pub keys from key signing parties, because people can show fake passports. Nor can you trust signatures made remotely by Joe user average, who simply downloaded your key and gave you a fan sig.
isn't this coverable by owner trust? my gnupg asks me to specify how much I trust the verifications made by others, before trusting signature chains going through them

anyway the wot has serious issues but there are also very few decentralised trust protocols out there, it seems great that one is normalised but yeah improvements sorely needed
obviously without an out of band channel for cryptographic trust you have no way of knowing anything on the internet is real
But it looks to me that you can handle this, otherwise, you would not use it, right? :-)
it's like shopping at walmart when you're penniless in a remote area. sure, they won't give anyone in your town a job, but they're all you can afford so you become a reliable client. I appreciate how spamming this channel gives me psychological relief and [memory aid, records are hard for me]. But I do need reality to escape my psychosis. Your emails appear unsigned to me. I assume this is because they are coming through some form of govcorp, manipulating us both in some way.
On Thu, Nov 4, 2021 at 5:14 PM Karl <gmkarl@gmail.com> wrote:
On Thu, Nov 4, 2021, 11:31 AM Stefan Claas <spam.trap.mailing.lists@gmail.com> wrote:
On Thu, Nov 4, 2021 at 1:44 AM Karl <gmkarl@gmail.com> wrote:
do you argue against keysigning because of the dangers produced by spreading documentation of personal connections? it seems like an important trust mechanism to provide for people who can hold any risk of using it.
I explained here a while ago why I like our German ID-card with our Governikus CA and not the WoT. So, in short CA signed keys yes but not so much WoT signed keys.
I appreciate how spamming this channel gives me psychological relief and [memory aid, records are hard for me]. But I do need reality to escape my psychosis.
If you have psychosis, I would consult a doctor for therapy and pharmacy. It should help.
Your emails appear unsigned to me. I assume this is because they are coming through some form of govcorp, manipulating us both in some way.
If my emails would come from govcorp, so what? My emails only give a reply to an answer or have content that others may find useful. They should do no harm. :-) Maybe you should take a long break from the grid and do something else, like a nice traditional hobby? :-) Regards Stefan
On Thu, Nov 4, 2021, 2:59 PM Stefan Claas <spam.trap.mailing.lists@gmail.com> wrote:
On Thu, Nov 4, 2021 at 5:14 PM Karl <gmkarl@gmail.com> wrote:
On Thu, Nov 4, 2021, 11:31 AM Stefan Claas <spam.trap.mailing.lists@gmail.com> wrote:
On Thu, Nov 4, 2021 at 1:44 AM Karl <gmkarl@gmail.com> wrote:
do you argue against keysigning because of the dangers produced by spreading documentation of personal connections? it seems like an important trust mechanism to provide for people who can hold any risk of using it.
I explained here a while ago why I like our German ID-card with our Governikus CA and not the WoT. So, in short CA signed keys yes but not so much WoT signed keys.
seems the same to me, just fewer entities. how do I verify I have the real governikus signature? what do you do if their key is compromised or misused?
I appreciate how spamming this channel gives me psychological relief and [memory aid, records are hard for me]. But I do need reality to escape my psychosis.
If you have psychosis, I would consult a doctor for therapy and pharmacy. It should help.
would you rather I not mention it? what you say is obvious, but also there is not really an accessible full cure yet.
there are two kinds of delusions:
- those your brain makes up to replace what your senses tell you ("my great grandparent is still alive")
- those others make up, and provide your senses, to mislead you ("your password is safe with me")
to escape the second form of psychotic delusion, we must take effort in the larger world.
Your emails appear unsigned to me. I assume this is because they are coming through some form of govcorp, manipulating us both in some way.
If my emails would come from govcorp, so what? My emails only give a reply to an answer or have content that others may find useful. They should do no harm. :-)
this is a good wot argument too, you can place trust on content
Maybe you should take a long break from the grid and do something else, like a nice traditional hobby? :-)
in progress!
Regards Stefan
On Thu, Nov 4, 2021 at 8:12 PM Karl <gmkarl@gmail.com> wrote:
On Thu, Nov 4, 2021, 2:59 PM Stefan Claas <spam.trap.mailing.lists@gmail.com> wrote:
On Thu, Nov 4, 2021 at 5:14 PM Karl <gmkarl@gmail.com> wrote:
On Thu, Nov 4, 2021, 11:31 AM Stefan Claas <spam.trap.mailing.lists@gmail.com> wrote:
On Thu, Nov 4, 2021 at 1:44 AM Karl <gmkarl@gmail.com> wrote:
do you argue against keysigning because of the dangers produced by spreading documentation of personal connections? it seems like an important trust mechanism to provide for people who can hold any risk of using it.
I explained here a while ago why I like our German ID-card with our Governikus CA and not the WoT. So, in short CA signed keys yes but not so much WoT signed keys.
seems the same to me, just fewer entities.
Only one.
how do I verify I have the real governikus signature? what do you do if their key is compromised or misused?
On their website is their fingerprint and I must admit I do not know how one could compromise their whole infrastructure, which relies on our ID-cards and a certified card-reader. In case this would be possible then the wrong CA would properly sign my key, thus guaranteeing that it is me.
I appreciate how spamming this channel gives me psychological relief and [memory aid, records are hard for me]. But I do need reality to escape my psychosis.
If you have psychosis, I would consult a doctor for therapy and pharmacy. It should help.
would you rather I not mention it? what you say is obvious, but also there is not really an accessible full cure yet.
No, perfectly fine for me. Long-term therapy and proper pharmacy should really help.
there are two kinds of delusions:
- those your brain makes up to replace what your senses tell you ("my great grandparent is still alive")
- those others make up, and provide your senses, to mislead you ("your password is safe with me")
to escape the second form of psychotic delusion, we must take effort in the larger world.
And when you have a psychosis, are you sure you can distinguish between both?
Maybe you should take a long break from the grid and do something else, like a nice traditional hobby? :-)
in progress!
Good! :-) Regards Stefan
how do I verify I have the real governikus signature? what do you do if their key is compromised or misused?
On their website is their fingerprint and I
so if I pick up your device or access it with a public exploit, install a new SSL CA in it, and add my proxy, I can serve you a wrong fingerprint and you will trust only my pgp signatures and not the real ones?
or is that when I get offered a job with the government and your device is tacitly fixed?
must admit I do not know how one could compromise their whole infrastructure, which relies on our ID-cards and a
I would not do this, I would just worry about a criminal with a job in the government. do you ever elect those like we do in my country?
certified card-reader. In case this would be possible then the wrong CA would properly sign my key, thus guaranteeing that it is me.
you mean the opposite of that right? since the wrong CA signing your key wouldn't guarantee that it is you?
I appreciate how spamming this channel gives me psychological relief and [memory aid, records are hard for me]. But I do need reality to escape my psychosis.
If you have psychosis, I would consult a doctor for therapy and pharmacy. It should help.
would you rather I not mention it? what you say is obvious, but also there is not really an accessible full cure yet.
No, perfectly fine for me. Long-term therapy and proper pharmacy should really help.
my current therapist I have seen for about a month! honestly I tend to flee my therapists when we engage too many of my triggers, I was trained to do this somehow, they don't seem to expect it, but I hear the right drugs can help reduce it
there are two kinds of delusions:
- those your brain makes up to replace what your senses tell you ("my great grandparent is still alive")
- those others make up, and provide your senses, to mislead you ("your password is safe with me")
to escape the second form of psychotic delusion, we must take effort in the larger world.
And when you have a psychosis, are you sure you can distinguish between both?
And when somebody has put a proxy or such on your system, as is commonly discussed on this list, how do you make the distinction?
On Thu, Nov 4, 2021 at 8:41 PM Karl <gmkarl@gmail.com> wrote:
how do I verify I have the real governikus signature? what do you do if their key is compromised or misused?
On their website is their fingerprint and I
so if I pick up your device or access it with a public exploit, install a new SSL CA in it, and add my proxy, I can serve you a wrong fingerprint and you will trust only my pgp signatures and not the real ones?
or is that when I get offered a job with the government and your device is tacitly fixed?
must admit I do not know how one could compromise their whole infrastructure, which relies on our ID-cards and a
I would not do this, I would just worry about a criminal with a job in the government. do you ever elect those like we do in my country?
certified card-reader. In case this would be possible then the wrong CA would properly sign my key, thus guaranteeing that it is me.
you mean the opposite of that right? since the wrong CA signing your key wouldn't guarantee that it is you?
To give you a quick summary of how this all works:

I burn the secret key on a Yubikey with an offline device.

I upload my pub key to Governikus, which compares my Name on my ID-card with my pub key Name. This is done via a tunnel, which I must accept on my ID-card's card reader display (and not my computer). Once done Governikus signs my pub key and sends the signed pub key to my email address mentioned in my pub key's UID, along with their signing pub key.

If the NSA would physically take over Governikus with its own personnel and the complete infrastructure, they would simply sign in the name of Governikus my pub key, so that you also have the guarantee that it is me. :-)

If the NSA could also physically take over our German Bundesdruckerei, with their personnel, which creates our ID-cards, Passports, Banknotes etc., then they could issue for Joe Blow in the United States an ID-card, so that he looks like a German national and then he could use Governikus as well. But how likely is that?

I guess stealing someone's (WoT signed) secret key is a *much much* easier task, which only would take five minutes or so remotely, along with the passphrase, if the person still uses an online device for encryption and a little bit more time if the person uses an offline device.

Regards
Stefan
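An added example, not code from the thread or from GnuPG, that models how GnuPG's classic trust model turns certification signatures plus owner trust into user-ID validity. It gives concrete form to Karl's "isn't this coverable by owner trust?" question, to the earlier observation that certifications sign user-ID bindings (so a key served with its user IDs wiped cannot become valid, whatever owner trust it is given), and to Stefan's CA setup, which is the same machinery with a single fully-trusted introducer whose fingerprint was checked out of band. The three constants are GnuPG's documented defaults; every fingerprint and name is a constructed placeholder, and the model leaves out expiry, revocation and trust signatures.

```python
from dataclasses import dataclass, field

# GnuPG's documented defaults for the classic trust model.
MARGINALS_NEEDED = 3   # --marginals-needed
COMPLETES_NEEDED = 1   # --completes-needed
MAX_CERT_DEPTH = 5     # --max-cert-depth


@dataclass
class Key:
    fpr: str                     # constructed placeholder, not a real fingerprint
    ownertrust: str = "unknown"  # unknown | never | marginal | full | ultimate: trust in its certifications
    # user ID -> fingerprints whose certification signatures bind that user ID to this key.
    # Certifications sign the (key, user ID) pair, so a key with its user IDs wiped has nothing certified.
    uids: dict = field(default_factory=dict)

    def add_uid(self, uid):
        """A user ID counts only if the key owner self-certified it."""
        self.uids.setdefault(uid, set()).add(self.fpr)

    def certified_by(self, uid, certifier):
        """Record a third-party certification (key signature) over (this key, uid)."""
        self.uids.setdefault(uid, set()).add(certifier.fpr)


def compute_validity(keys):
    """Return {(fpr, uid): 'full' | 'marginal'}; absent bindings are 'unknown', i.e. not valid."""
    by_fpr = {k.fpr: k for k in keys}
    validity = {}
    introducers = set()  # keys whose certifications may count: ultimate keys plus fully valid ones
    for k in keys:
        if k.ownertrust == "ultimate":
            introducers.add(k.fpr)
            for uid in k.uids:
                validity[(k.fpr, uid)] = "full"
    for _ in range(MAX_CERT_DEPTH):  # each pass extends the chain by one certification step
        changed = False
        for k in keys:
            for uid, certifiers in k.uids.items():
                if validity.get((k.fpr, uid)) == "full" or k.fpr not in certifiers:
                    continue  # already full, or the binding has no self-signature
                completes = marginals = 0
                for c in certifiers - {k.fpr}:
                    if c not in introducers:
                        continue  # a certifier that is not itself valid counts for nothing
                    ot = by_fpr[c].ownertrust if c in by_fpr else "unknown"
                    if ot in ("full", "ultimate"):
                        completes += 1
                    elif ot == "marginal":
                        marginals += 1
                if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                    validity[(k.fpr, uid)] = "full"
                    introducers.add(k.fpr)
                    changed = True
                elif marginals and validity.get((k.fpr, uid)) != "marginal":
                    validity[(k.fpr, uid)] = "marginal"
                    changed = True
        if not changed:
            break
    return validity


def uid_validity(validity, fpr, uid):
    return validity.get((fpr, uid), "unknown")


def build_demo_keyring():
    """Constructed keyring: a WoT chain, a marginal-trust case, a single CA introducer, and two traps."""
    me = Key("ME000000", "ultimate")
    me.add_uid("Me <me@example.invalid>")
    bob = Key("B0B00000", "full")          # I checked Bob's fingerprint myself and trust his certifications
    bob.add_uid("Bob")
    bob.certified_by("Bob", me)
    carol = Key("CAR00000")                # reachable only through Bob
    carol.add_uid("Carol")
    carol.certified_by("Carol", bob)
    marginals = []
    for i in range(3):                     # three people I certified but only marginally trust
        k = Key(f"MARG000{i}", "marginal")
        k.add_uid(f"Marginal{i}")
        k.certified_by(f"Marginal{i}", me)
        marginals.append(k)
    grace = Key("GRACE000")                # certified by all three marginals
    grace.add_uid("Grace")
    heidi = Key("HEIDI000")                # certified by only two of them
    heidi.add_uid("Heidi")
    for k in marginals:
        grace.certified_by("Grace", k)
    for k in marginals[:2]:
        heidi.certified_by("Heidi", k)
    # CA model: one introducer whose fingerprint you checked out of band and then certified locally.
    ca = Key("CA000000", "full")
    ca.add_uid("Example CA")
    ca.certified_by("Example CA", me)
    ivan = Key("IVAN0000")
    ivan.add_uid("Ivan")
    ivan.certified_by("Ivan", ca)
    stripped = Key("STRIP000", "full")     # served by a keyserver with every user ID removed
    mallory = Key("BAD00000")              # merely claims Bob's name; nobody certified that binding
    mallory.add_uid("Bob")
    return [me, bob, carol, *marginals, grace, heidi, ca, ivan, stripped, mallory]
```

Two things the model makes visible: owner trust is a statement about a key's certifications, not about the key, so the stripped key gets nowhere even with owner trust set; and the CA case differs from the web of trust only in having one introducer, so everything rests on how that one fingerprint was obtained and on what happens if that one key is misused.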
On Thu, Nov 4, 2021 at 10:06 PM Punk-BatSoup-Stasi 2.0 <punks@tfwno.gf> wrote:
On Thu, 4 Nov 2021 21:54:23 +0100 Stefan Claas <spam.trap.mailing.lists@gmail.com> wrote:
If the NSA would physically take over Governikus
lawl
If the NSA could also take physically over our German Bundesdruckerei,
lawl
sounds like you don't know what the german government is?
Oh Punk, come on and be realistic and tell me/us your threat model ... NSA and friends can real quick steal *your* secret key and passphrase if they really had a need to do so. If my Government works hand in hand with the friendly folks from NSA, so what? Do you really think that Joe Blow could do any harm to you or me. He would be then an agent or whatever and could communicate with you and me securely, so what? The problem you guys have *is* that you still believe fairy tales from Mallory and Eve, which of course exist en masse in *your fantasies* and do their daily work to play with *average* people, no one is interested in.
Regards Stefan
On Thu, 4 Nov 2021 22:15:26 +0100 Stefan Claas <spam.trap.mailing.lists@gmail.com> wrote:
The problem you guys have *is* that you still believe fairy tales from Mallory and Eve, which of course exist en masse in *your fantasies* and do their daily work to play with *average* people, no one is interested in.
The problem I have is that I believe in people who would take the trouble to learn what they are doing and be responsible for their actions, when in reality 'average' people are fascist fucktards who are quite happy using joogle and using the german govcorp mafia that 'manages' 'public keys' for them. Is that what you mean?
On Thu, Nov 4, 2021 at 11:45 PM Punk-BatSoup-Stasi 2.0 <punks@tfwno.gf> wrote:
On Thu, 4 Nov 2021 22:15:26 +0100 Stefan Claas <spam.trap.mailing.lists@gmail.com> wrote:
The problem you guys have *is* that you still believe fairy tales from Mallory and Eve, which of course exist en masse in *your fantasies* and do their daily work to play with *average* people, no one is interested in.
The problem I have is that I believe in people who would take the trouble to learn what they are doing and be responsible for their actions, when in reality 'average' people are fascist fucktards who are quite happy using joogle and using the german govcorp mafia that 'manages' 'public keys' for them. Is that what you mean?
If you would be responsible for your 'actions', why for example do you not use your real name? In the old Cypherpunk days, it was common to use one's real name and talk about crypto-related things and no one used such wording like you do.
Regards Stefan
stefan the criticism you have of pgp seems silly to me but
On Thu, Nov 4, 2021, 6:53 PM Stefan Claas <spam.trap.mailing.lists@gmail.com> wrote:
On Thu, Nov 4, 2021 at 11:45 PM Punk-BatSoup-Stasi 2.0 <punks@tfwno.gf> wrote:
On Thu, 4 Nov 2021 22:15:26 +0100 Stefan Claas <spam.trap.mailing.lists@gmail.com> wrote:
The problem you guys have *is* that you still believe fairy tales from Mallory and Eve, which of course exist en masse in *your fantasies* and do their daily work to play with *average* people, no one is interested in.
The problem I have is that I believe in people who would take the trouble to learn what they are doing and be responsible for their actions, when in reality 'average' people are fascist fucktards who are quite happy using joogle and using the german govcorp mafia that 'manages' 'public keys' for them. Is that what you mean?
If you would be responsible for your 'actions', why for example do you not use your real name?
HOLY FRACK DO NOT USE YOUR REAL NAME IF YOU ARE DOING ANYTHING AT ALL IN THE WORLD. People might disagree with you and hurt you, to change what you are doing. The public internet is _billions_ of people big. Only _one_ of these people has to care about what you are doing to look you up and try to change your behavior.
Say you are making staplers and using your real name.
Say your stapler business has competition.
Say a marketing firm just discovered AI harassment.
BANG. AI harassing you makes the competition money hand over fist because you make staplers.
DON'T USE YOUR LEGAL NAME.
On Fri, Nov 5, 2021 at 12:01 AM Karl <gmkarl@gmail.com> wrote:
stefan the criticism you have of pgp seems silly to me but
On Thu, Nov 4, 2021, 6:53 PM Stefan Claas <spam.trap.mailing.lists@gmail.com> wrote:
On Thu, Nov 4, 2021 at 11:45 PM Punk-BatSoup-Stasi 2.0 <punks@tfwno.gf> wrote:
On Thu, 4 Nov 2021 22:15:26 +0100 Stefan Claas <spam.trap.mailing.lists@gmail.com> wrote:
The problem you guys have *is* that you still believe fairy tales from Mallory and Eve, which of course exist en masse in *your fantasies* and do their daily work to play with *average* people, no one is interested in.
The problem I have is that I believe in people who would take the trouble to learn what they are doing and be responsible for their actions, when in reality 'average' people are fascist fucktards who are quite happy using joogle and using the german govcorp mafia that 'manages' 'public keys' for them. Is that what you mean?
If you would be responsible for your 'actions', why for example do you not use your real name?
HOLY FRACK DO NOT USE YOUR REAL NAME IF YOU ARE DOING ANYTHING AT ALL IN THE WORLD. People might disagree with you and hurt you, to change what you are doing. The public internet is _billions_ of people big. Only _one_ of these people has to care about what you are doing to look you up and try to change your behavior.
Say you are making staplers and using your real name.
Say your stapler business has competition.
Say a marketing firm just discovered AI harassment.
BANG. AI harassing you makes the competition money hand over fist because you make staplers.
DON'T USE YOUR LEGAL NAME.
Well, maybe I am old school and stand behind what I am doing on the Internet.
I grew up with the Cypherpunks, who all until today, use their real name.
Ok, but these people are no longer on this ML.
Regards Stefan
DON'T USE YOUR LEGAL NAME.
Well, maybe I am old school and stand behind what I am doing on the Internet.
I grew up with the Cypherpunks, who all until today, use their real name.
Ok. but these people are no longer on this ML.
Regards Stefan
y'know, that wasn't my experience, but it used to be that hobby coders knew more about the internet than anyone on the planet, and could quickly bend it to their will. that probably made names pretty safe
On Fri, 5 Nov 2021 00:06:40 +0100 Stefan Claas <spam.trap.mailing.lists@gmail.com> wrote:
Well, maybe I am old school and stand behind what I am doing on the Internet.
this is the cypherpunks mailing list, and 'privacy' is the most fundamental cypherpunk value. Then again it's not surprising to have some german asshole asking for papieren eh.
I grew up with the Cypherpunks, who all until today, use their real name.
really. That would make so much sense. Cypherpunks against anonymity.
Ok. but these people are no longer on this ML.
....
Regards Stefan
On Thu, 4 Nov 2021 23:53:04 +0100 Stefan Claas <spam.trap.mailing.lists@gmail.com> wrote:
If you would be responsible for your 'actions', why for example do you not use your real name?
my real name is in the archive, fucktard.
In the old Cypherpunk days, it was common to use one's real name and talk about crypto-related things and no one used such wording like you do.
what the fuck do you mean, exactly, fucktard. and oh please take your german nazi 'governikus' spam elsewhere.
Regards Stefan
On Fri, Nov 5, 2021 at 12:29 AM Punk-BatSoup-Stasi 2.0 <punks@tfwno.gf> wrote:
On Thu, 4 Nov 2021 23:53:04 +0100 Stefan Claas <spam.trap.mailing.lists@gmail.com> wrote:
If you would be responsible for your 'actions', why for example do you not use your real name?
my real name is in the archive, fucktard.
Hi Punk, you loser, then continue using your real name if you have balls. But I guess you, as a cock.li user, are a coward.
In the old Cypherpunk days, it was common to use one's real name and talk about crypto-related things and no one used such wording like you do.
what the fuck do you mean, exactly, fucktard.
I did not expect that you were so stupid.
and oh please take your german nazi 'governikus' spam elsewhere.
No, why should I? Governikus is a damn fine German CA.
Best regards Stefan
On Fri, Nov 5, 2021, 11:29 AM Stefan Claas <spam.trap.mailing.lists@gmail.com> wrote:
On Fri, Nov 5, 2021 at 12:29 AM Punk-BatSoup-Stasi 2.0 <punks@tfwno.gf> wrote:
On Thu, 4 Nov 2021 23:53:04 +0100 Stefan Claas <spam.trap.mailing.lists@gmail.com> wrote:
If you would be responsible for your 'actions', why for example do you not use your real name?
my real name is in the archive, fucktard.
Hi Punk,
you loser, then continue using your real name if you have balls.
You guys really deserve that we respect you better.
But I guess you, as a cock.li user, are a coward.
I personally believe requesting people to use their legal names is more dangerous and harmful than violent-sounding insults, which also are. Hope you both are well.
In the old Cypherpunk days, it was common to use one's real name and talk about crypto-related things and no one used such wording like you do.
what the fuck do you mean, exactly, fucktard.
I did not expect that you were so stupid.
and oh please take your german nazi 'governikus' spam elsewhere.
No, why should I? Governikus is a damn fine German CA.
Best regards Stefan
On Fri, Nov 5, 2021 at 5:03 PM Karl <gmkarl@gmail.com> wrote:
On Fri, Nov 5, 2021, 11:29 AM Stefan Claas <spam.trap.mailing.lists@gmail.com> wrote:
On Fri, Nov 5, 2021 at 12:29 AM Punk-BatSoup-Stasi 2.0 <punks@tfwno.gf> wrote:
On Thu, 4 Nov 2021 23:53:04 +0100 Stefan Claas <spam.trap.mailing.lists@gmail.com> wrote:
If you would be responsible for your 'actions', why for example do you not use your real name?
my real name is in the archive, fucktard.
Hi Punk,
you loser, then continue using your real name if you have balls.
You guys really deserve that we respect you better.
But I guess you, as a cock.li user, are a coward.
I personally believe requesting people to use their legal names is more dangerous and harmful than violent-sounding insults, which also are.
Hope you both are well.
I am fine Karl. :-) Don't get me wrong. I fully respect when people are using aliases or post elsewhere anonymously, but Punk wouldn't have such a 'big' mouth if he would use his real name and then would probably act in a more civilised manner. But no problem for me ...
Regards Stefan
On Fri, 5 Nov 2021 16:28:10 +0100 Stefan Claas <spam.trap.mailing.lists@gmail.com> wrote:
you loser, then continue using your real name if you have balls. But I guess you, as a cock.li user, are a coward.
lawl - so now we have a piece of shit german cop, aka an authentic nazi, on board. I guess it's a colorful addition to this fine cesspool. Hey "Stefan Claas", tell us again about you being flatly against anonymity and how your anti-anonymity views are related to cypherpunk principles?
I did not expect that you were so stupid.
again, what's your problem with my wording? I guess you object to the fact that I call scumbags like you...scumbags. Call HEIMLANDSICHERHEIT!!!
and oh please take your german nazi 'governikus' spam elsewhere.
No, why should I? Governikus is a damn fine German CA.
LMAO! So why is an anti-anonymity asshole and promoter of the german government and german fascism posting garbage in a supposedly 'cypherpunk', 'crypto anarchy' mailing list?
On Fri, Nov 5, 2021 at 5:07 PM Punk-BatSoup-Stasi 2.0 <punks@tfwno.gf> wrote:
On Fri, 5 Nov 2021 16:28:10 +0100 Stefan Claas <spam.trap.mailing.lists@gmail.com> wrote:
you loser, then continue using your real name if you have balls. But I guess you, as a cock.li user, are a coward.
lawl - so now we have a piece of shit german cop, aka an authentic nazi, on board. I guess it's a colorful addition to this fine cesspool.
Hey "Stefan Claas", tell us again about you being flatly against anonymity and how your anti-anonymity views are related to cypherpunk principles?
I did not expect that you were so stupid.
again, what's your problem with my wording? I guess you object to the fact that I call scumbags like you...scumbags. Call HEIMLANDSICHERHEIT!!!
and oh please take your german nazi 'governikus' spam elsewhere.
No, why should I? Governikus is a damn fine German CA.
LMAO! So why is an anti-anonymity asshole and promoter of the german government and german fascism posting garbage in a supposedly 'cypherpunk', 'crypto anarchy' mailing list?
Grow up Punk and, in case you are capable, provide some cool stuff in the form of tutorials or code for the next generation of Cypherpunks. Have a good day and best regards Stefan
hey To give you a quick summary of how this all works:
I burn the secret key on a Yubikey with an offline device.
I upload my pub key to Governikus, which compares my name on my ID-card with my pub key name. This is done via a tunnel, which I must accept on my ID-card's card reader display (and not my computer). Once done, Governikus signs my pub key and sends the signed pub key to the email address mentioned in my pub key's UID, along with their signing pub key.
If the NSA would physically take over Governikus with its own personnel and the complete infrastructure, they would simply sign my pub key in the name of Governikus, so that you also have the guarantee that it is me. :-)
what you say has meaning and your joke can be taken many hilarious ways but obviously there are many unaddressed parts, such as the german workers and the hardware suppliers and software developers and the people delivering the parts and obviously there is no guarantee that anybody is anybody when a foreign agency seizes control of communications but they are more likely to do this by installing something subtle than an overt physical takeover and here they have only to do that with a single organization and likely even have international deals to facilitate it.
If the NSA could also physically take over our German Bundesdruckerei, with their personnel, which creates our ID-cards, Passports, Banknotes etc., then they could issue an ID-card for Joe Blow in the United States, so that he looks like a German national, and then he could use Governikus as well.
But how likely is that?
=> you did not address the security of the fingerprint. <= which you describe as secured and shared only by ssl
I am quite happy to let people secure their keys with keysigners, and it sounds like governikus has strong value as _a_ keysigner.
I guess stealing someone's (WoT signed) secret key is a *much much* easier task, which only would take five minutes or so remotely, along with the passphrase, if the person still uses an online device for encryption and a little bit more time if the person uses an offline device.
whether or not they are online is orthogonal to whether or not they use wot and governikus. wot works fine offline too, works fine with yubikey. I was surprised when you started saying things as strange as the things I say. but it is much more pleasant to banter with you than the posters who say very mean things with every post.
On Thu, Nov 4, 2021 at 10:51 PM Karl <gmkarl@gmail.com> wrote:
whether or not they are online is orthogonal to whether or not they use wot and governikus. wot works fine offline too, works fine with yubikey.
I was surprised when you started saying things as strange as the things I say. but it is much more pleasant to banter with you than the posters who say very mean things with every post.
Hi Karl, this is a good (technical) thread about OpenPGP WoT or Governikus usage, where many more things can be discussed about these two. I started using PGP when ITAR was still in place, regarding strong crypto, and used back then an illegally exported version from the United States, so I think I still have a good overview of how PGP or better OpenPGP evolved over the decades. Both the classic WoT (if carried out properly) and Governikus have their use cases. I already switched long ago to age and NaClbox (offline usage) because I still remember public key cryptography before PGP was invented and pub keys had no UID etc. For me, personally, public key cryptography does not mean that I do have to reveal details, like my email address or name or, according to many signatures, with whom I may have communicated. General Alexander once said "we do not look for the needle in the haystack, we take the whole haystack" ... See public OpenPGP key servers as a haystack. Public key cryptography also does not mean that the whole world needs to know that I use it (only with my personal friends). What OpenPGP IMHO liked to solve is to use public key cryptography for the masses, where every Joe user average can communicate with strangers globally and somehow knowing that person X is maybe person X, when using the classic WoT. Question would be, do we really need this? For business purposes, I would not need this and for private use only also not much. P.S. I suggest also in this regard to take a look, in case you have Rust installed, at sequoia-pgp, which also allows you to create a key pair without a UID, but AFAIK GnuPG can not handle such pub keys currently. Regards Stefan
What OpenPGP IMHO liked to solve is to use public key cryptography for the masses, where every Joe user average can communicate with strangers globally and somehow knowing that person X is maybe person X, when using the classic WoT.
Question would be, do we really need this? For business purposes, I would not need this and for private use only also not much.
Do we really need cryptography at all? It seems we need it very badly because our devices, networks, and communities are very insecure. In the USA we had a huge political schism in the past few years. People do things. Governments do things. Businesses do things. These things work so simply, because precautions are not taken. But that's always been the case. Citizens get simple locks that any locksmith can pick. Anybody can train to be a locksmith and open every door. On the internet, knowledge has traveled much faster and wider than it has in the past.
P.S. I suggest also in this regard to take a look, in case you have Rust installed, at sequoia-pgp, which also allows you to create a key pair without a UID, but AFAIK GnuPG can not handle such pub keys currently.
yeah thanks. I imagine pro gpg'ers know what's up, I don't really. just was verifying some media.
On Thu, Nov 4, 2021 at 11:46 PM Karl <gmkarl@gmail.com> wrote:
What OpenPGP IMHO liked to solve is to use public key cryptography for the masses, where every Joe user average can communicate with strangers globally and somehow knowing that person X is maybe person X, when using the classic WoT.
Question would be, do we really need this? For business purposes, I would not need this and for private use only also not much.
Do we really need cryptography at all?
It seems we need it very badly because our devices, networks, and communities are very insecure. In the USA we had a huge political schism in the past few years. People do things. Governments do things. Businesses do things.
At least we live in democratic countries where we can use cryptography. I am more concerned about IoT devices and how secure they are when using the Internet, and that does not mean crypto but security in the form of bug-free software, which does not allow too many hacking attempts. But this is a dream.
These things work so simply, because precautions are not taken.
But that's always been the case. Citizens get simple locks that any locksmith can pick. Anybody can train to be a locksmith and open every door.
On the internet, knowledge has traveled much faster and wider than it has in the past.
Correct. and then we may think what is this all good for, in what we are doing on the grid compared to real-life things. Regards Stefan
I am more concerned about IoT devices and how secure they are when using the Internet, and that does not mean crypto but security in the form of bug-free software, which does not allow too many hacking attempts.
strong agree with that. crypto is important in iot too though. software hacking only got scary when we moved our lives into software but the current trends of insecurity are leaving active hardware dangerously open, and soon we have self-driving cars and more common bioimplants and stuff. I suspect that some of these business/government interests are not aware of the incredible degree of stealable power they are growing.
On Thu, Nov 4, 2021 at 11:21 PM Stefan Claas <spam.trap.mailing.lists@gmail.com> wrote:
this is a good (technical) thread about OpenPGP Wot or Governikus usage, where many more things can be discussed about these two.
I like to mention one more thing. When Mr. Zimmermann invented PGP and Hal Finney was responsible for the key management part, it was IMHO more or less meant to give grassroots organizations (*in the United States*) a tool, with for them best-known practice at this time, to communicate with persons known to one and *not* strangers. When we compare this now globally and with the WoT or Governikus. What happens or how would one feel, classic WoT wise and these IMHO stupid keyservers (at least how they work, i.e. SKS or hockeypuck), if one attends a key signing party, signs a key from let's say a child molester and receives from him also a sig? I guess when this becomes publicly known, the person who has such a key may feel pretty uncomfortable, because the Internet does not forget and the person may run into trouble too. This is one reason why I like Governikus, because it is a CA sig. Regards Stefan
On Thu, 4 Nov 2021 16:31:06 +0100 Stefan Claas <spam.trap.mailing.lists@gmail.com> wrote:
And you can't trust signed pub keys from key signing parties, because people can show fake passports.
right, so you can only 'trust' people you actually know. So what is public key crypto supposed to accomplish, exactly.
obviously without an out of band channel for cryptographic trust you have no way of knowing anything on the internet is real
But it looks to me that you can handle this, otherwise, you would not use it, right? :-)
wrong?
Regards Stefan
On Thu, Nov 4, 2021 at 5:45 PM Punk-BatSoup-Stasi 2.0 <punks@tfwno.gf> wrote:
On Thu, 4 Nov 2021 16:31:06 +0100 Stefan Claas <spam.trap.mailing.lists@gmail.com> wrote:
And you can't trust signed pub keys from key signing parties, because people can show fake passports.
right, so you can only 'trust' people you actually know. So what is public key crypto supposed to accomplish, exactly.
I would say it tries to accomplish the sharing of cryptographic keys openly, compared to symmetric (secret) key distribution. Regards Stefan
The spam attacks don't prevent using keys obtained from keyservers, they only reinforce the old facts... that you must verify the key's WoT or fingerprint-to-origin to your satisfaction before using it. You can still get keys from the various now balkanized keyserver communities, some implementations suck for search and using multiple keys. You can run keyservers for some of them in coordination with their comms channels. https://github.com/hockeypuck/hockeypuck https://github.com/sks-keyserver/sks-keyserver https://gitlab.com/hagrid-keyserver/hagrid And use keys with standard things... https://www.openpgp.org/ And also use more simplistic and functional things like... https://github.com/filosottile/age that are alternatives to the traditional standard tool of... https://gnupg.org/ Lots of new groups are integrating pgp into new things... https://sequoia-pgp.org/projects/ But there's probably some awesome lists that aggregate more of those new groups and integrations for reference.
ty for links I thought of sharing the keys I found but they are a few hundred megabytes, kinda big for an email attachment
I thought of sharing the keys I found but they are a few hundred megabytes
The keys are small, the fake sigs are the bloat, they can be removed, leaving a small package again. naclbox has quite some dependencies for win/mac and even unix users, hardly as easy as a gpg or age binary dl/pkg or a single compile from tarball.
On Wed, Nov 3, 2021, 9:38 PM grarpamp <grarpamp@gmail.com> wrote:
I thought of sharing the keys I found but they are a few hundred megabytes
The keys are small, the fake sigs are the bloat, they can be removed, leaving a small package again.
would you propose removing only the sigs that are clearly fake? how do people judge what is useful? anyway i'm unlikely to put too much time into fighting with pgp lists more atm, unless needed.
naclbox has quite some dependencies for win/mac and even unix users, hardly as easy as a gpg or age binary dl/pkg or a single compile from tarball.
in my internet nacl hasn't been updated since 2011, maybe I have something wrong but this surprises me. doesn't look dependency heavy to me.
Governikus CA
What a cute fucking name, it even sounds all powerful, instilling fear, and as if some greek named human turned into gargantuan forcebot. This stupid idea that governments must be propped up and be the exclusive ones to do anything and everything... all hail government, ask no questions, follow orders. Fuck that. Go create some independent peoples, groups, companies, p2ps, daos, that do CA in free markets of competition ratings trust etc, and that don't try to rule over anyone or each other. But if you have any brain at all, that likes any freedom at all, you're best to avoid the beastmark entirely.
would you propose removing only the sigs that are clearly fake? how do people judge what is useful?
Whatever levels of key maintenance, and WoT trust assertions, and degrees of separation accepted, and whatever else... those are all up to each user to determine, and have been known as responsibilities and analysis since day one. If that's too much for people, then don't use the WoT mode. And or hack out the Uid. And or don't sign keys. And or throw keys-ids. Etc.
in my internet nacl hasn't been updated since 2011, maybe I have something wrong but this surprises me. doesn't look dependency heavy to me.
https://nacl.cr.yp.to/ nacl-20110221.tar.bz2 https://pkg.go.dev/golang.org/x/crypto commit 089bfa5675191fd96a44247682f76ebca03d7916 Date: Fri Dec 11 22:52:14 2020 -0500 Many naclbox implementations typically require go, which isn't on 90+% of the planet's computers, and only 1% of the remaining 10 would figure how to use go to make naclbox go. And it's primarily a library [go/c], not a binary app, which isn't even shipped as reference by the libraries, which eliminates another 99.9% who won't code an app for it, and websearch turns up few docs or binaries for dummies, and isn't in any major binary package repositories, so naclbox is useless for at least 99.999999% of the planet. gpg and age are better in those regards.
I suspect that some of these business/government interests are not aware of the incredible degree of stealable power they are growing.
They are fully aware of it, and are actively leading and relishing in that evil. If people think their Tesla car needs an internet connection, lifetime storage of all travel information, car registration, license, etc etc... they are sorely mistaken.
Well, maybe I am old school and stand behind what I am doing on the Internet.
Nyms are fully capable of and do that too.
I grew up with the Cypherpunks, who all until today, use their real name.
Superlative, with plenty of well recorded counter evidence.
Ok. but these people are no longer on this ML.
Some are lurking, under nyms... the former being pretty lame.
At least we live in democratic countries where we can use cryptography.
Democracies are no more or less despotic than any other form of active government. They're just better at hiding it under a shell game and at making you feel good.
CA
Central Authority. Who gave any "authority" any authority over you. Where is your own self authority to opt out and live freely without it?
On Fri, Nov 5, 2021, 5:32 AM grarpamp <grarpamp@gmail.com> wrote:
Governikus CA
I would prefer a reality without the heightened research in violence that government enforcement can produce. But governikus sounds like something helpful to me _if and only if_ it is not in competition with, but rather ensures support and protection of, other solutions. Then it's another key signature which is great. Haven't looked to know.
in my internet nacl hasn't been updated since 2011, maybe I have something wrong but this surprises me. doesn't look dependency heavy to me.
https://nacl.cr.yp.to/ nacl-20110221.tar.bz2
https://pkg.go.dev/golang.org/x/crypto commit 089bfa5675191fd96a44247682f76ebca03d7916 Date: Fri Dec 11 22:52:14 2020 -0500
gpg and age are better in those regards.
thx
I suspect that some of these business/government interests are not aware of the incredible degree of stealable power they are growing.
They are fully aware of it, and are actively leading and relishing in that evil.
it's a dangerous game that is getting more dangerous, obviously, and will put unknown future new entities incredible power. but means there's lots of pressure to solve our disagreements, which would be great. hey technogovs: tech run by norms is dangerous now and we don't know how to hack you anymore to take you down reliably. get your activities off the internet before we're subjugated by another secret force.
At least we live in democratic countries where we can use cryptography.
Democracies are no more or less despotic than any other form of active government. They're just better at hiding it under a shell game and at making you feel good.
one learns this when oppressed but overall I personally agree with stefan's sentiment; expl: I was raised with american middle class messaging, and i've chatted with people on the internet from areas with forced dress codes or military drafts. i've also chatted with usa street people with similar issues. luck gives power: using it can take it away.
Who gave any "authority" any authority over you. Where is your own self authority to opt out and live freely without it?
On Fri, 5 Nov 2021 07:45:34 -0400 Karl <gmkarl@gmail.com> wrote:
At least we live in democratic countries where we can use cryptography.
I personally agree with stefan's sentiment; expl: I was raised with american middle class messaging, and i've chatted with people on the internet from areas with forced dress codes or military drafts.
LMAO - look at these fine western demokkkratic nazis.
On Fri, Nov 5, 2021 at 10:32 AM grarpamp <grarpamp@gmail.com> wrote:
in my internet nacl hasn't been updated since 2011, maybe I have something wrong but this surprises me. doesn't look dependency heavy to me.
https://nacl.cr.yp.to/ nacl-20110221.tar.bz2
https://pkg.go.dev/golang.org/x/crypto commit 089bfa5675191fd96a44247682f76ebca03d7916 Date: Fri Dec 11 22:52:14 2020 -0500
Many naclbox implementations typically require go, which isn't on 90+% of the planet's computers, and only 1% of the remaining 10 would figure how to use go to make naclbox go. And it's primarily a library [go/c], not a binary app, which isn't even shipped as reference by the libraries, which eliminates another 99.9% who won't code an app for it, and websearch turns up few docs or binaries for dummies, and isn't in any major binary package repositories, so naclbox is useless for at least 99.999999% of the planet.
https://github.com/rovaughn/box Works like a charm and has only five commands. I use it with friends in the United States, Canada, and Germany. Pretty cool also for encrypted MMS with a dumb phone. Regards Stefan
participants (4)
- grarpamp
- Karl
- Punk-BatSoup-Stasi 2.0
- Stefan Claas