On Tue, Nov 3, 2015 at 3:42 PM, oshwm wrote:

Well, this will tackle the problem of the law abiding sheeple using crypto, I wonder what measures they have in store for those who truly wish to protect their privacy using decentralised tools?

Honestly, the way people apparently like to bend over and get fucked up their ass (for both their own pleasure and that of their future descendants), they'll just disconnect the internet of anyone using crypto, unless it's to be a nice little consumer visiting Amazon, a taxpayer at the collector, and let's not forget the druggist, TV and beer... all handily balkanized just for you. If you can't reach the sheeple, you're as fucked as they are.

I wonder what measures they have in store for those who truly wish to protect their privacy using decentralised tools?

They don't care about us. Australia has banned guns. If you work really hard at it you can still get a gun in australia, but its really inconvenient. Simply making guns inconvenient has resulted in far fewer gun-related crimes. They'll never get the last 1% of guns out of people's hands, but it turns out they don't actually need to. Crypto is going to be the same - lets be honest here - if Apple, Google and Facebook are prevented from providing good security out of the box, how many people will take the extra steps to install and use Signal? The government doesn't care about *us*. They care about making sure the remaining 99% of citizens are monitored. -J On Wed, Nov 4, 2015 at 7:42 AM, oshwm wrote:

Well, this will tackle the problem of the law abiding sheeple using crypto, I wonder what measures they have in store for those who truly wish to protect their privacy using decentralised tools?

On 03/11/15 18:20, John Young wrote:

...

Excellent development if the bill is enacted. Should shatter the complacency of crypto advocates and foster other means and methods now getting short shrift due to the faith in crypto hyping and marketing -- and tons of excuses why crypto has not been as effective as foreordained, blame users, blame implementation, blame standards committees, blame spies, blame legislators, blame certificate authorities, blame hardware, blame insiders and outsiders, blame amateurs, blame backdoors, blame venal marketers who sold out to authorities, blame duat hatters working both sides of the porous divide, blame open and closed source, the pile of excuses grows exponentially as money is heaped onto the fire for burning through faster and faster. NSA has at least 191 colleges on the take for information assurance studies, with more joining daily to get while the getting is good, sending graduates to corporations, institutes, NGOs, hack world, leak world, defy authority world as evidenced here in this sacred site of tipped gravestones to cipher heroics.

At 12:27 PM 11/3/2015, you wrote:

...

http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/11970391/Internet...

Internet firms to be banned from offering unbreakable encryption under new laws

3:16PM GMT 02 Nov 2015

Internet and social media companies will be banned from putting customer communications beyond their own reach under new laws to be unveiled on Wednesday. Companies such as Apple, Google and others will no longer be able to offer encryption so advanced that even they cannot decipher it when asked to, the Daily Telegraph can disclose. Measures in the Investigatory Powers Bill will place in law a requirement on tech firms and service providers to be able to provide unencrypted communications to the police or spy agencies if requested through a warrant.

On Fri, Nov 06, 2015 at 03:45:12AM -0500, grarpamp wrote:

On Fri, Nov 6, 2015 at 12:11 AM, Joseph Gentle wrote:

...

The government doesn't care about *us*. They care about making sure the remaining 99% of citizens are monitored.

In war (note the rising "war on crypto" rhetoric among parliaments), a smart attacker generally aims for the officers, generals, supply lines etc, not the cannon fodder 99% on the front lines. Therefore you can expect them to take extra special care of you the 1%.

Also, they will NOT use the system to find evidence against already known suspects but to find suspects in the first place. And this makes you suspect: a) you avoid certain communication channels, i.e. don't use social networks or leave your phone turned off while meeting with someone. b) use encryption. - Tom

On Sat, Nov 7, 2015 at 12:51 AM, Zenaan Harkness wrote:

On 11/6/15, Joseph Gentle wrote:

...

...

I wonder what measures they have in store for those who truly wish to protect their privacy using decentralised tools?

They don't care about us. Australia has banned guns. If you work really hard at it you can still get a gun in australia, but its really inconvenient. Simply making guns inconvenient has resulted in far fewer gun-related crimes.

Your propaganda is propaganda. Serious propagandists at least cite where their crap comes from.

A web search for "australian gun related crime" perhaps?

The second result: http://louderwithcrowder.com/obama-praises-australias-gun-ban-the-actual-res... (also check the comments, although more cites would be good, but hey, your position is simply not true, not even close)

Its amazing NRA propaganda still manages to rewrite the history on the story on the ground here. You just don't see guns in Australia. I don't know anyone who has one. I'd never seen a gun be drawn or fired in real life before I moved to the USA. (Source: I've lived in Australia for 30 years)

From http://theconversation.com/faking-waves-how-the-nra-and-pro-gun-americans-ab... :

While the impact of the Australian gun laws is still debated, there have been large decreases in the number of firearm suicides and the number of firearm homicides in Australia. Homicide rates in Australia are only 1.2 per 100,000 people, with less than 15% of these resulting from firearms. Prior to the implementation of the gun laws, 112 people were killed in 11 mass shootings. Since the implementation of the gun laws, no comparable gun massacres have occurred in Australia. Remarkably, American pro-gun advocates try to use the impact of the Australian gun law reform to make a case that reform “doesn’t work”. This seems amazing given the homicide rate in the United States is five per 100,000 people, with most homicides involving firearms.

From http://sydney.edu.au/news/84.html?newsstoryid=1502 :

"From 1996 to 2003, the total number of gun deaths each year fell from 521 to 289, suggesting that the removal of more than 700,000 guns was associated with a faster declining rate of gun suicide and gun homicide," By 2002/03, Australia's rate of 0.27 firearm-related homicides per 100,000 population had dropped to one-fifteenth that of the United States.

On 7 Nov 2015 11:34 AM, "Peter Gutmann" wrote:

Joseph Gentle writes:

I don't really want to get involved in this debate (who has that much asbestos?), but wanted to comment on one thing:

...

You just don't see guns in Australia. I don't know anyone who has one.

You're a townie then? If it's like NZ, pretty much every farm in the

has (or had) one or more rifles, typically a .303 because they were cheap and a .22 for dealing with rabbit infestations (they're mostly useless against possums, another major plague). Also, the fact that you don't see them doesn't say anything about whether they're there or not. At the time of

gun grab, a friend of mine who lived in Queensland and was doing some work on his house found it more or less impossible to buy PVC fittings of

sizes and types, the explanation being that the stocks had been drained by people using them to sequester their firearms. So they may have managed to destroy large numbers of firearms, but they also drove large numbers off

country the particular the

books and underground (literally, in many cases).

Peter.

Yeah I've lived in Sydney most of my life. But this goes back to my original point - despite lots of guns being quietly hidden around the place, most crimes still don't use them! Which is not at all an obvious outcome. It implies that most crimes aren't well planned and premeditated, and that simply making something *inconvenient* goes a long way toward banning it, even if people have strong incentives to overcome the inconvenience. We've seen exactly this with crypto too. Industry grade crypto has existed for years, but things like PGP being simply *inconvenient* has resulted in it having virtually no adoption. The big threat to pervasive surveillance isn't pgp, its companies like apple and whatsapp bringing that technology to the masses. The UK government only has to outlaw the big players implementing decent crypto, and 90%+ of communications will still be visible to surveillance. Even amongst criminals. We should be worried, but this isn't a play for us. -J

Joseph Gentle writes:

Industry grade crypto has existed for years, but things like PGP being simply *inconvenient* has resulted in it having virtually no adoption. The big threat to pervasive surveillance isn't pgp, its companies like apple and whatsapp bringing that technology to the masses.

That's a good point actually. In my enormous to-read pile I've got "Why Johnny Still Can't Encrypt", and that's from fifteen years after the original paper on PGP's unusability was published. It's scary to think that companies like Apple have done more to protect us from intrusive government surveillance than nearly a quarter century of PGP has, because they've made it usable by the masses. Peter.

By now, cell phones ought to have an end-to-end encryption app available.  Why not?  How many people use smart phones?  Probably half of the population.  Is there a standard format of encryption available?  If such encryption is to take off, there ought to be one target format, so that users using multiple programs can talk to each other.  Is that already defined?                Jim Bell

On Sun, 8 Nov 2015 02:10:19 +0000 Peter Gutmann wrote:

Joseph Gentle writes:

...

Industry grade crypto has existed for years, but things like PGP being simply *inconvenient* has resulted in it having virtually no adoption. The big threat to pervasive surveillance isn't pgp, its companies like apple and whatsapp bringing that technology to the masses.

That's a good point actually. In my enormous to-read pile I've got "Why Johnny Still Can't Encrypt", and that's from fifteen years after the original paper on PGP's unusability was published. It's scary to think that companies like Apple have done more to protect us from intrusive government surveillance

LMAO http://readwrite.com/2014/07/23/apple-ios-backdoor-acknowledgement-support-d...

than nearly a quarter century of PGP has, because they've made it usable by the masses.

and the proof for that claim is, where?

Peter.

On Sun, 8 Nov 2015 15:02:46 +1100 Joseph Gentle wrote:

...

LMAO

http://readwrite.com/2014/07/23/apple-ios-backdoor-acknowledgement-support-d...

Got anything more recent than July 2014?

I don't, though I didn't bother checking. July 2014 isn't too ancient anyway.

Apple has been claiming far and wide that from iOS 8 even they cannot access the data stored on a locked device without a password: http://appleinsider.com/articles/14/09/17/apple-says-incapable-of-decrypting...

Oh, if they so then it must be true =)

All three APIs listed in that readwrite article require access to services via USB, which require a device the phone trusts and (I think) for the device to be unlocked. I would be quite surprised if it turned out that apple really can decrypt data for the government on locked devices. They've been quite public about this policy, and they've claimed they can't access said data under oath. Its also a fantastic strategic move for them to fight off android - given google's business model it'll be impossible for android to follow suit.

I am about 90-95% confident that there aren't any intentional holes in iOS through which apple can read data thats only stored on my device.

Well, I'm 100% confident that a company like apple is not to be trusted.

(I recently switched from android to iOS for this reason.)

Good luck. Out of the fire into the frying pan =P

...

...

than nearly a quarter century of PGP has, because they've made it usable by the masses.

and the proof for that claim is, where?

It was very impressive for its time but what impact has PGP *actually* made? You seem like a sufficiently paranoid human who knows about PGP, knows what it does and you're technically capable of installing it and using it. So tell me - how many encrypted emails do you send and receive with PGP?

Very few. However, as far as I know, people who need to encrypt stuff that the government isn't supposed to read, say people buying and selling 'illegal' drugs, use p/gpg not iphones.

I think PGP's legacy is that it started a conversation around crypto and privacy. But as a *product* it was a complete failure. I mean, it doesn't even protect metadata.

Well, it's a client-side encryption tool. Nobody can 'encrypt' the fact that he sent or received mail. PGP is not a mix network... And does a company like apple which collects information about hundreds of millions of people protect 'metadata' better? Anyway, to expect the likes of apple to actually oppose the government (that is to say their partners) is naive at best, in my opinion.

-J

...

...

Peter.

oshwm writes:

Can GPG be easier to use, I think so, is it too difficult to use by ordinary people - no, they're just too fucking lazy and lack motivation.

... and this is pretty much the poster child for why we have so much unusable crypto today. Peter.

On Sun, Nov 8, 2015 at 7:45 PM, oshwm wrote:

On 08/11/15 08:40, Peter Gutmann wrote:

...

oshwm writes:

...

Can GPG be easier to use, I think so, is it too difficult to use by ordinary people - no, they're just too fucking lazy and lack motivation.

... and this is pretty much the poster child for why we have so much unusable crypto today.

Or, why we have such a fucking retarded human race with the attention span of a knat who expect everything to be given to them on a plate. People have to stop being lazy and start taking an interest and responsibility for what goes on in the world around them - your point of view re-inforces the dumbing down of the population and the increase in power of the Government and big Corps.

Even if thats all true, its still also true that nobody is using PGP. Its easier to make a slick UI than convince people to do work. Is it so much to ask that people who make software try to make life easy for their users? For all your talk of doing hard work oshwm, it looks like you only created that PGP key yesterday: $ gpg --list-packets signature.asc hashed subpkt 2 len 4 (sig created 2015-11-08) [...] And as far as I can tell it hasn't been signed by anyone. At least I think so - after 15 minutes fighting with gpg I still can't find your actual key and I ran out of care. ... Which leads me into my second point, which is that here in 2015 PGP is a terrible technical solution. It doesn't encrypt metadata (which is a non-starter these days - who you communicate with is some of the *most* valuable personal data for the NSA). It also leaks information about who signed your key. That means either: - Your key gets signed by your friends, so now your friend network public or - Emails with PGP are provably from you, in a way that can be traced back to physically witnessed government ID. ... Or both! Personally I would rather the possibility of forgery than either of those outcomes. -J

So... Click on the little options button (three lines) at the top right of Thunderbird. Hover over Enigmail and click on Key Management. A list of local copies of keys will appear, including my own private ones. I double click on my key to show the details about it. This includes the creation date of 23/07/15. Well, that was quite simple, its almost as if someone created a not perfect but workable User Interface called Enigmail - it even has a Wizard for creating new keys and configuring Thunderbird. It's gets more tricky if you have multiple email accounts in Thunderbird but not prohibitively so. It's not created by Apple so the shiny things fanboi's will hate it. That seems easy enough though that even a Windows user could manage it. The tough bit is understanding crypto but with analogies about keys and shit then most people only need a superficial understanding of how to USE GPG rather than Prime Numbery stuff - they should be able to cope. On 08/11/15 18:58, oshwm wrote:

On 08/11/15 13:41, Joseph Gentle wrote:

...

On Sun, Nov 8, 2015 at 7:45 PM, oshwm wrote:

...

On 08/11/15 08:40, Peter Gutmann wrote:

...

oshwm writes:

...

Can GPG be easier to use, I think so, is it too difficult to use by ordinary people - no, they're just too fucking lazy and lack motivation.

... and this is pretty much the poster child for why we have so much unusable crypto today.

Or, why we have such a fucking retarded human race with the attention span of a knat who expect everything to be given to them on a plate. People have to stop being lazy and start taking an interest and responsibility for what goes on in the world around them - your point of view re-inforces the dumbing down of the population and the increase in power of the Government and big Corps.

Even if thats all true, its still also true that nobody is using PGP. Its easier to make a slick UI than convince people to do work. Is it so much to ask that people who make software try to make life easy for their users?

Slick UI would be cool, just a shame that's being used as an excuse by ppl who can't be arsed to do a bit of work. What's the excuse once it has a nice UI?

As for nobody is using PGP, I think that may be a little overstated - what you mean is nobody who doesn't give a fuck about privacy is using it.

...

For all your talk of doing hard work oshwm, it looks like you only created that PGP key yesterday: $ gpg --list-packets signature.asc hashed subpkt 2 len 4 (sig created 2015-11-08) [...]

except the key has been around for quite some time, I did re-sync with the sks servers yesterday.

...

And as far as I can tell it hasn't been signed by anyone. At least I think so - after 15 minutes fighting with gpg I still can't find your actual key and I ran out of care.

No, it hasn't been signed by anyone as I don't have any friends in real life who give two shits about security as I mix with non-techies offline. This is not a difficulty issue, I can't even begin to talk about encryption with them without them changing the issue to great subjects such as what was on telly last night.

...

... Which leads me into my second point, which is that here in 2015 PGP is a terrible technical solution. It doesn't encrypt metadata (which is a non-starter these days - who you communicate with is some of the *most* valuable personal data for the NSA). It also leaks information about who signed your key. That means either:

Oh yeh, some bright spark came up with STARTTLS for encrypting comms with mail servers but made it optional, not a GPG issue. However, the metadata issue a big problem for everyone who connects to a server that isn't owned by them and I suspect really requires a new mail protocol to resolve.

...

- Your key gets signed by your friends, so now your friend network public or - Emails with PGP are provably from you, in a way that can be traced back to physically witnessed government ID.

1) friend network - can't be avoided if you want a system for vouching for email sender authenticity. 2) That's part of what PGP is about - sender authenticity. My PGP is not attached to a Gov Issued ID.

...

... Or both! Personally I would rather the possibility of forgery than either of those outcomes.

-J

On Sun, 08 Nov 2015 18:58:50 +0000 oshwm wrote:

...

... Which leads me into my second point, which is that here in 2015 PGP is a terrible technical solution. It doesn't encrypt metadata (which is a non-starter these days - who you communicate with is some of the *most* valuable personal data for the NSA). It also leaks information about who signed your key. That means either:

Oh yeh, some bright spark came up with STARTTLS for encrypting comms with mail servers but made it optional, not a GPG issue. However, the metadata issue a big problem for everyone who connects to a server that isn't owned by them and I suspect really requires a new mail protocol to resolve.

Looks like Joseph isn't putting too much thought in his replies. There's obviously no way for email encryption to hide the so called metadata. You'd need some kind of mix network to do that. Complaining that pgpg doesn't encrypt the metadata is misguided. Also, his remark about this *public* list not being encrypted is...puzzling...at best.

On 08/11/15 08:40, Peter Gutmann wrote:

...

oshwm writes:

...

Can GPG be easier to use, I think so, is it too difficult to use by ordinary people - no, they're just too fucking lazy and lack motivation. ... and this is pretty much the poster child for why we have so much unusable crypto today.

Or, why we have such a fucking retarded human race with the attention span of a knat who expect everything to be given to them on a plate. People have to stop being lazy and start taking an interest and responsibility for what goes on in the world around them - your point of view re-inforces the dumbing down of the population and the increase in power of the Government and big Corps.

...

Peter.

Really? So what is purpose of this thread if I can ask? To complain that ordinary people are sheep? Whata new approach whata invention. What do you expect? Why people are so easily pressed and tend to follow dictators? Why somebody even tend to be solider or why people do eat meet when it is not necessary. I know there will be a lot of chain of arguing against controversy of eating meet now. Please fck this. We already know, that most of people will never care about crypto without our help. I feel mood on this thread as mood of angry barking dog but pretty toothless. We are not. We can teach, script and just do it better and without extreme barriers for people to adopt crypto seamlessly. We do not need to have it perfect, same as robots are not perfect when driving. It is just enough to be better than average. Telegram is step [however crypto is implemented], Open Whisper Systems is doing huge amount of work. No reason of this half bitter and half angry tone. Now it could be right time to stand against nonsense regulation again. It happened already in time of PIPA, SOPA... So lets bark on right target not to "ordinary people". regards, Over -- “Borders I have never seen one. But I have heard they exist in the minds of some people.” ― Thor Heyerdahl Telegram...................@over23 facebook...................facebook.com/overdrive23 projects...................https://brmlab.cz/user/overdrive twitter....................https://twitter.com/#!/over2393 last.fm....................http://www.last.fm/user/overdrive23 GnuPG key FingerPrint......08EA E4DC EF85 0F02 9267 5B48 2E58 6902 C5F8 794C Public key ................http://overdrive.dronezone.eu/overdrive.txt

Gonna top post cos I can :P If I seem angry then it is because everyone seems to say that making a nice easy to use User Interface will solve all the problems with people not using crypto. This is not the case, Enigmail is a pretty easy to use UI for PGP and yet ordinary people aren't using it. The vast majority of people (not through their own fault, originally) have been programmed to be spoon fed the answers to their needs, not question authority and to only have a 20 second attention span. These are the issues that need addressing, pretty crypto is useful but it will not address these issues. So, go ahead and make pretty crypto UI and see how much of a difference it makes, or find a way (and I'm at a loss myself here) to motivate the sheeple to invest time and effort and overcome their programming. On 09/11/15 21:41, Tomas Overdrive Petru wrote:

On 08/11/15 08:40, Peter Gutmann wrote:

...

...

oshwm writes:

...

Can GPG be easier to use, I think so, is it too difficult to use by ordinary people - no, they're just too fucking lazy and lack motivation. ... and this is pretty much the poster child for why we have so much unusable crypto today.

Or, why we have such a fucking retarded human race with the attention span of a knat who expect everything to be given to them on a plate. People have to stop being lazy and start taking an interest and responsibility for what goes on in the world around them - your point of view re-inforces the dumbing down of the population and the increase in power of the Government and big Corps.

...

Peter.

Really? So what is purpose of this thread if I can ask? To complain that ordinary people are sheep? Whata new approach whata invention. What do you expect? Why people are so easily pressed and tend to follow dictators? Why somebody even tend to be solider or why people do eat meet when it is not necessary. I know there will be a lot of chain of arguing against controversy of eating meet now. Please fck this. We already know, that most of people will never care about crypto without our help. I feel mood on this thread as mood of angry barking dog but pretty toothless. We are not. We can teach, script and just do it better and without extreme barriers for people to adopt crypto seamlessly. We do not need to have it perfect, same as robots are not perfect when driving. It is just enough to be better than average. Telegram is step [however crypto is implemented], Open Whisper Systems is doing huge amount of work. No reason of this half bitter and half angry tone. Now it could be right time to stand against nonsense regulation again. It happened already in time of PIPA, SOPA... So lets bark on right target not to "ordinary people".

regards, Over

Ok, how about this then... Your idea on your blog is pretty cool but I think there is an even simpler way to handle this. When you sign up for a new mail account, the mail provider generates a public/private key pair. It automatically pushes the public key to PGP key servers around the globe (including its own key servers that it maintains). The private key is stored by your email provider but protected with your mail account password (not perfect but simple). Whenever you send an email to anyone, their email addresses are used to find a public key for them and then the email is automatically encrypted and signed using your private key. For those people who sign up to other services then they can during the sign up process, allow that service to access their private key to link the service to their email and their GPG identity - but it can be done using very simple language such as "allow linking to your email"). For existing mail accounts, the email provider can offer to add additional security to the users mail account without mentioning PGP even once. All of the necessary simplified jargon to do this exists in the day to day language used by people using email. More advanced users could have access through 'advanced' mail client menus if they wanted it etc. There you go, this could even be done for people who just don't give a shit about privacy with pretty much no effort and no special language. let me know once you're done implementing it :D Cheers, oshwm. On 14/11/15 09:55, rysiek wrote:

Dnia poniedziałek, 9 listopada 2015 22:03:03 oshwm pisze:

...

If I seem angry then it is because everyone seems to say that making a nice easy to use User Interface will solve all the problems with people not using crypto.

Nobody is saying that. Stop discussing with this straw man, and start -- I don't know -- reading what people are actually saying.

Usability *is* important, but so is motivation and education. They all go hand in hand, and if you do not recognize this, you will constantly be in a state of awe why people are not using GPG. Not sure that's a winning strategy, though.

On 15/11/15 07:43, grarpamp wrote:

On Sat, Nov 14, 2015 at 5:17 AM, oshwm wrote:

...

sign up process, allow that service to access their private key to link the service to their email and their GPG identity - but it can be done using very simple language such as "allow linking to your email").

Which of course will always be answered "yes", where it happens makes not difference. However value in the user brokering their own data out of their own store, at least that way they have some small chance to retain control and/or recover and/or be guided by their geek friend in person.

Required because users don't want to have to learn crypto terms because its too much work.

...

For existing mail accounts, the email provider can offer to add additional security to the users mail account without mentioning PGP even once.

Similarly, it's called HOTP, TOTP or system under user control, not sending your valuable metadata of email, phone or bio auth to them.

Its a shit idea but if you want to give sheeple the opportunity to use encryption without having to learn new stuff then as far as I can see its the only option. Anyone who wants to take control can do so once they have learnt the required knowledge to understand how it all works. You want flexible or simple? choose one.

On 16/11/15 20:34, The Doctor wrote:

On Sat, 14 Nov 2015 10:17:07 +0000 oshwm wrote:

...

The private key is stored by your email provider but protected with your mail account password (not perfect but simple).

http://gizmodo.com/the-25-most-popular-passwords-of-2014-were-all-doomed-168...

Yay.

As I said, "not perfect" :D

...

let me know once you're done implementing it :D

You might find this interesting:

https://github.com/uakfdotb/gpg-mailgate/

Which just needs a little work from the mail providers to implement it. So we have established that what I suggest is not unreasonable, is workable and fatally flawed due to morons with crap passwords :)

Dnia sobota, 14 listopada 2015 10:17:07 oshwm pisze:

Ok, how about this then...

Your idea on your blog is pretty cool but I think there is an even simpler way to handle this.

When you sign up for a new mail account, the mail provider generates a public/private key pair.

This is where I stop reading. -- Pozdrawiam, Michał "rysiek" Woźniak Zmieniam klucz GPG :: http://rys.io/pl/147 GPG Key Transition :: http://rys.io/en/147

Dnia poniedziałek, 9 listopada 2015 22:41:16 Tomas Overdrive Petru pisze:

Really? So what is purpose of this thread if I can ask? To complain that ordinary people are sheep?

I am slowly starting to think that this is the purpose of this whole *list*. -_-; -- Pozdrawiam, Michał "rysiek" Woźniak Zmieniam klucz GPG :: http://rys.io/pl/147 GPG Key Transition :: http://rys.io/en/147

On 11/9/15, coderman wrote:

On 11/8/15, Peter Gutmann wrote:

...

oshwm writes:

...

Can GPG be easier to use, I think so, is it too difficult to use by ordinary people - no, they're just too fucking lazy and lack motivation.

... and this is pretty much the poster child for why we have so much unusable crypto today.

privacy is for all people! not just the privileged.

effective privacy requires utmost usability.

What, like being able to open all random flash attachments in MSIE on Windows, without any awareness of the possible consequences?

On 09.11.15 6:41, Zenaan Harkness wrote:

On 11/9/15, coderman wrote:

...

On 11/8/15, Peter Gutmann wrote:

...

oshwm writes:

...

Can GPG be easier to use, I think so, is it too difficult to use by ordinary people - no, they're just too fucking lazy and lack motivation. ... and this is pretty much the poster child for why we have so much unusable crypto today.

privacy is for all people! not just the privileged.

effective privacy requires utmost usability. What, like being able to open all random flash attachments in MSIE on Windows, without any awareness of the possible consequences? Been at the doctor last week and just because I was bored b waiting scan showed me that his wiifi for patients is shared with is laptop where medial records are stored and only barrier is WEP.

In one pub I have been all payments transactions are processed through PC with Windows connected to same net as unencrypted free wiifi hotspot... everybody with smartphone/notebook and netmap and wireshark can just read. ... Fact is that security by obscurity still does work and again it is double edged sword. In case you will want to have educated masses to understand technology in the way they understand how vulnerable they are at that same moment you will find how vulnerable is whole society. It is probably good idea that normal people do not think about how easy is to break this glass to just go into somebody house... Do not be evil is basic rule here. How many sysadmins/sysops have root password to whatever we are doing? To all of our identities and our traces. Who of you can download half of today human knowhow just by one smarter script... imho most of us. And here we are technological leaders who decided not to fraud and destroy. This is long time know story about good and about bad. Common sense here seems like: ok we are good and gov is bad. Partially agree because gov tend to be bunch of criminals after all [with more or less visible motives]. Where this idea is heeding? Hard to say, it is not complete yet. But open source is as important as never before after somebody decided we are suppose to pay for copyright. Cryptography is more or less public know how between at least some part of educated people. Kids in pubs are talking about quality of encrypton of software they have in their smart devices... It is not self sustaining system nor gov or criminals are. It is about work to be done after all. But I tend to be optimistic. Regards, - Over -- “Borders I have never seen one. But I have heard they exist in the minds of some people.” ― Thor Heyerdahl Telegram...................@over23 facebook...................facebook.com/overdrive23 projects...................https://brmlab.cz/user/overdrive twitter....................https://twitter.com/#!/over2393 last.fm....................http://www.last.fm/user/overdrive23 GnuPG key FingerPrint......08EA E4DC EF85 0F02 9267 5B48 2E58 6902 C5F8 794C Public key ................http://overdrive.dronezone.eu/overdrive.txt

Just question to plenum: do we know, why eg. Enigmail is not standard part of Thunderbird? It is extremely confortable and easy way how to encrypt emails. Same counts for Pidgin and OTR plugin... e.g. Adium do have crypto as standard part. Isn't it possible that more we are paranoid about merging plugins to upstream clients code more barriers we are putting between ordinary user and crypto? Btw. I have heard nice thing from one of random people at some musical gig: "Today young are bunch of idiots they do not care about any system without *that crypto*" It made me laugh. This proposition of law not so much. Is there some legal way how to say "NO THANK YOU"? We know already that CCTV is not way to make streets safer place same as prohibition of drugs will not cause end of its abusing. IMHO there is no reason to prohibit something in case you want to get a rid of it. It just does not work. Regards, - Over On 08.11.15 9:24, oshwm wrote:

Bollocks to Lazy People.

In the UK, when someone learns to drive a car they take an average of 25 lessons because its not easy to drive a car safely and skillfully. After they pass a relatively difficult theory and practical test they appreciate that they are now only truly beginning to get to grips with the skills required to drive well.

To learn to use GPG/PGP sufficiently to sign and encrypt mail isn't even a fraction of the skill level or time required as learning to drive and there's plenty of free guides on the internet.

So, the issue is one of motivation, not difficulty.

Can GPG be easier to use, I think so, is it too difficult to use by ordinary people - no, they're just too fucking lazy and lack motivation.

You want people to use crypto, scare the fucking living daylights out of them about how their governments and corporations are becoming way too powerful and just maybe they'll become motivated enough to overcome their laziness.

Otherwise, the only option is to make GPG transparent by getting the email providers to automatically create key pairs and automatically handle signing and encryption by integrating their mail services with GPG behind the scenes. However, if we wish to promote choice then this isn't a good way to go about it. This method would also have implications for privacy and anonymity too as communications between the email client and mail servers may occur when a user is not expecting it.

On 08/11/15 06:36, Juan wrote:

...

On Sun, 8 Nov 2015 15:02:46 +1100 Joseph Gentle wrote:

...

...

LMAO

http://readwrite.com/2014/07/23/apple-ios-backdoor-acknowledgement-support-d...

Got anything more recent than July 2014? I don't, though I didn't bother checking. July 2014 isn't too ancient anyway.

...

Apple has been claiming far and wide that from iOS 8 even they cannot access the data stored on a locked device without a password: http://appleinsider.com/articles/14/09/17/apple-says-incapable-of-decrypting... Oh, if they so then it must be true =)

...

All three APIs listed in that readwrite article require access to services via USB, which require a device the phone trusts and (I think) for the device to be unlocked. I would be quite surprised if it turned out that apple really can decrypt data for the government on locked devices. They've been quite public about this policy, and they've claimed they can't access said data under oath. Its also a fantastic strategic move for them to fight off android - given google's business model it'll be impossible for android to follow suit.

I am about 90-95% confident that there aren't any intentional holes in iOS through which apple can read data thats only stored on my device. Well, I'm 100% confident that a company like apple is not to be trusted.

...

(I recently switched from android to iOS for this reason.)

Good luck. Out of the fire into the frying pan =P

...

...

...

than nearly a quarter century of PGP has, because they've made it usable by the masses.

and the proof for that claim is, where? It was very impressive for its time but what impact has PGP *actually* made? You seem like a sufficiently paranoid human who knows about PGP, knows what it does and you're technically capable of installing it and using it. So tell me - how many encrypted emails do you send and receive with PGP? Very few. However, as far as I know, people who need to encrypt stuff that the government isn't supposed to read, say people buying and selling 'illegal' drugs, use p/gpg not iphones.

...

I think PGP's legacy is that it started a conversation around crypto and privacy. But as a *product* it was a complete failure. I mean, it doesn't even protect metadata. Well, it's a client-side encryption tool. Nobody can 'encrypt' the fact that he sent or received mail. PGP is not a mix network...

And does a company like apple which collects information about hundreds of millions of people protect 'metadata' better?

Anyway, to expect the likes of apple to actually oppose the government (that is to say their partners) is naive at best, in my opinion.

...

-J

...

...

Peter.

-- “Borders I have never seen one. But I have heard they exist in the minds of some people.” ― Thor Heyerdahl Telegram...................@over23 facebook...................facebook.com/overdrive23 projects...................https://brmlab.cz/user/overdrive twitter....................https://twitter.com/#!/over2393 last.fm....................http://www.last.fm/user/overdrive23 GnuPG key FingerPrint......08EA E4DC EF85 0F02 9267 5B48 2E58 6902 C5F8 794C Public key ................http://overdrive.dronezone.eu/overdrive.txt

On 11/7/15, Joseph Gentle wrote:

On Sat, Nov 7, 2015 at 12:51 AM, Zenaan Harkness wrote:

...

http://louderwithcrowder.com/obama-praises-australias-gun-ban-the-actual-res...

The following quote does have embedded links: "there’s argument about whether the gun related homicides and other various crimes have actually increased or not. Some places have the homicide rate increasing at 3.2% along with armed robbery at 44%, while some other stats have them remaining about the same. At the very least, we do know that the policies have not significantly decreased crime. That’s not even being debated. Which…considering that the Australian government spent a considerable amount of money on the laws, seems at the very least, disappointing." That article's comments also linked to the following, which is much more useful: "Australia enacted one of the largest gun reforms ever nearly 2 decades ago — and gun deaths plummeted" http://www.businessinsider.com/australia-gun-control-shootings-2015-10 and which, despite the headline, goes on to highlight with stats from -before- the gun law changes (well shit, how can you see a cause if you don't know the numbers prior to the supposed cause), "Firearm suicides and homicides did drop after Australia's buyback and enactment of the NFA. As The Washington Post's Wonkblog has pointed out, researchers from two different Australian universities found that, in the decade after the NFA was introduced, the firearm homicide rate fell by 59% and the firearm suicide rate fell by 65% — without increases in other types of deaths. Here's a bigger picture: [graph] australia gun deaths bi Andy Kiersz/Business Insider Whether the NFA catalyzed that decline, however, is still up for debate. Over the last several decades, gun deaths in most developed nations have been trending downward, and studies struggle to determine how much of the drop resulted from Australia's legislation. Causality is also inherently difficult to determine in social sciences." And that graph is, to my eyes, unequivocally compelling - the trend was already in place, and the Port-Aurthur massacre 'NFA' laws change did -not- effect that trend in an identifiable way - in fact, it could well be argued that the change in laws precipitated a steady decline in the annual reduction of Australian gun-deaths, to the point where it appears that the decline has all but plateaued - i.e. no more decline. But what I won't say is that these Australian post Port Arthur laws caused that plateau - frankly I have no idea, and a proper study of potential causes would need to be undertaken, if it's possible at all... What this graph clearly shows is that it is impossible to conclude that those Australian post Port Arthur compulsory gun buyback 'NFA' laws caused any increase in the prior trend of gun death decline within Australia.

Its amazing NRA propaganda still manages to rewrite the history on the story on the ground here. You just don't see guns in Australia. I

Actually, I do. I live rurally though.

don't know anyone who has one. I'd never seen a gun be drawn or fired in real life before I moved to the USA. (Source: I've lived in Australia for 30 years)

I've lived in Australia for longer than you. So what - that's irrelevant to the point - whether or not gun-related crime and/ or deaths has reduced due to Australia's anti-gun policy, or not. We could also debate whether disarming of the population is a 'good' thing or not but that would be opinion porn.

From http://theconversation.com/faking-waves-how-the-nra-and-pro-gun-americans-ab... :

While the impact of the Australian gun laws is still debated, there have been large decreases in the number of firearm suicides and the number of firearm homicides in Australia. Homicide rates in Australia are only 1.2 per 100,000 people, with less than 15% of these resulting from firearms.

Current rates, are not comparative rates. Common sense 1-0-1. (In case you miss the point - comparative means not between countries, but comparing the point at issue - Australia's compulsory gun buyback laws introduction.)

Prior to the implementation of the gun laws, 112 people were killed in 11 mass shootings. Since the implementation of the gun laws, no comparable gun massacres have occurred in Australia.

I am not qualified to comment on the statistical significance of this, nor do I have facts regarding this - although the Lindt Cafe shooting earlier this year in Sydney may or may not be a relevant data point.

Remarkably, American pro-gun advocates try to use the impact of the Australian gun law reform to make a case that reform “doesn’t work”.

From the comparative statistics I've seen, and everything I've read since Port Arthur, I believe the NRA position to be correct. As of this year, we now have more guns in Australia than we had prior to the buyback. Again, perhaps not a very useful data point.

This seems amazing given the homicide rate in the United States is five per 100,000 people, with most homicides involving firearms.

Again, comparing countries anecdotally is not the same as analysing the effects of population disarming laws.

From http://sydney.edu.au/news/84.html?newsstoryid=1502 :

"From 1996 to 2003, the total number of gun deaths each year fell from 521 to 289, suggesting that the removal of more than 700,000 guns was associated with a faster declining rate of gun suicide and gun homicide,"

Again hog-wash, since there is no comparison to the pre-disarm-laws. Unlike the graph I posted above.

By 2002/03, Australia's rate of 0.27 firearm-related homicides per 100,000 population had dropped to one-fifteenth that of the United States.

Again, I don't know how this is relevant to analysing the efficacy of gun control laws. Zenaan PS: I read in one article the claim that 'unlike America, Australians don't have a constitutional right to bear arms'. This is actually not true, just that most people don't know it. Our Australian federal constitution creates the Commonwealth of Australia, creates each of the states, creates our superior court (the High Court we call it), creates our federal parliament, and our High Court, in Mabo 2 (a ruling from I think 1998) upheld the continuity of the Imperial Acts including the Bill of Rights 1688, as well as the Magna Charta/ Magna Carta. Unfortunately, the head of our NRA equivalent sold us out quite some years back when he proclaimed very publicly "there's nothing we can" (or words to that effect). Australians - mostly bloody ratbags acting in total self interest.

In my consideration of it, the right to bear arms is the right to self determination. Nevertheless, as a sovereign nation, Australia may do as it pleases to Australians, but talking firearms here on this list is almost surely a rathole unless one wants to argue that cyber weapons are a parallel vector; perhaps this selection in forward time order will illustrate: A free people ought not only to be armed but disciplined; to which end a uniform and well digested plan is requisite: And their safety and interest require that they should promote such manufactories, as tend to render them independent on others, for essential, particularly for military supplies. -- George Washington, 8 January 1790 I wish it to be remembered that I was the last man of my tribe to surrender my rifle. -- Sitting Bull, 19 July 1881 Political power grows out of the barrel of a gun. -- Mao Zedong, August 1927 If the opposition disarms, all is well and good. If it refuses to disarm, we shall disarm it ourselves. -- Joseph Stalin, 7 December 1927 Among the many misdeeds of British rule in India, history will look upon the Act depriving a whole nation of arms as the blackest. -- Mohandas K. Gandhi, An Autobiography, pg 446, 1928 That rifle on the wall of the laborer's cottage or working class flat is the symbol of democracy. It is our job to see that it stays there. -- George Orwell, in the English democratic socialist weekly "Tribune," 1940 Even if, for you, the right to bear arms is not the right to self determination, what has changed is that the kinetic weapons of the civilian are no longer even remotely capable of challenging the kinetic weapons of the powers that be, so it is quite remarkable and, some might say, fortuitous that cyber weapons have brought us back to a balance of power some two hundred years old. What we might want, therefore, is to discuss whether we can prevent the overwhelming mismatch in kinetic weapons (between citizen and the powers that be) that now obtains from being recapitulated in cyber weapons. I, for one, favor arms control of big shit, not little, which puts me at odds with all sovereigns and, quite possibly, the arc of history. --dan

On 11/12/2015 09:45 PM, grarpamp wrote:

On Thu, Nov 12, 2015 at 8:01 PM, wrote:

...

I wish it to be remembered that I was the last man of my tribe to surrender my rifle. -- Sitting Bull, 19 July 1881 This quote does not mean what you think it means..

Maybe yes... Maybe no. But Chief Joseph meant EXACTLY what he said: "General Miles said to me in plain words, "If you will come out and give up your arms, I will spare your lives and send you back to the reservation." General Miles had promised we might return to our country with what stock we had left. ... I believed General Miles, or I never would have surrendered." --Chief Joseph, Nez Perce" From "An Indian's View of Indian Affairs." North American Review, vol. CXXVIII, 1879. RR