bantering with punk was Re: What advantage does Signal protocol have over basic public key encryption?

Punk-BatSoup-Stasi 2.0 punks at tfwno.gf
Tue Jan 26 14:40:27 PST 2021


On Tue, 26 Jan 2021 06:57:15 -0500
Karl <gmkarl at gmail.com> wrote:


> 
> > 	"4. perfect forward secrecy.  addresses the issue with pgp where future
> > advancements decrypt all your messages"
> >
> > 	FUTURE ADVANCEMENTS can decrypt all your signal messages as well. Fact.
> 
> Man, here you quoted some slight hand-waving with focused argument ;P
> I'm not up on the detailed meaning of perfect forward secrecy, but it
> sure looks like a _lot_ more advancement is needed to decrypt it from
> network data, because there is no single private key associated with
> every message to simply recover from the flash media of a discarded
> device.

	So 'forward secrecy' is better than pgp, because an attacker that gets your pgp key can read all the messages you received. But key stealing is a problem today; it doesn't require 'future advancements' in crypto.


> 
> I want my messages preserved, so I don't worry about forward secrecy =S

	In that case it seems that signal has little to offer to you apart from their surveillance services tied to your phone number. 
	
 

> > 	So what the hell are you saying about 'time travel' now? YOU first alluded
> > to the fact that IN THE FUTURE p-gpg could be broken. I just added, broken
> > JUST LIKE SIGNAL. And so you are FALSELY ADVERTISING signal.
> 
> Second half of above paragraph.
> 
> I'll try to read your caps: you're saying that signal is similar to
> pgp, 


	In some ways signal is worse than pgp. For example, you don't need to register with morlonpoke using a phone number to use pgp. You just compile it and run it. 

	On the other hand signal makes it easy for lazy or 'non-technical' people to use encryption. Instead of getting people to be more educated...



> and dangerous, and we need to cut the bullshit and get to stuff
> that's real, being honest about the problems of all the solutions we
> have?


	Pretty much. I don't see signal solving any fundamental problem, contrary to what advertisers seem to believe.


> >
> >> I don't remember what we were talking about,
> >
> > 	so go read what you wrote 2 hours ago. You don't even need to do that. I
> > quoted what you said above. And I'll quote you once more
> >
> > 	"4. perfect forward secrecy.  addresses the issue with pgp where future
> > advancements decrypt all your messages"
> 
> So what are you saying the "basic problem" is, now.


	My point was/is that your claim about 'PFS' and pgp is wrong, that's all. 


> 
> you often send insulting things, I'll treat the reply as my form of
> sending insulting things.

	yeah, people say insulting things all the time, while pretending to be 'polite'. I insult people after they try to take me for an idiot. 

 
> [personal experience description inhibited.  meanwhile, maybe you've
> been mind controlled to argue on this list.]

	see, that sounds pretty insulting. But Ok.

 

> > 	If thanks to 'future advancements' keys are broken then there's no 'forward
> > secrecy'.
> 
> well, maybe i'll go look up forward secrecy so as to try to be more
> rational here, but i'm also remembering you asked me not to reply
> unless i was able to give you the respect of reviewing message content
> you snipped away, to reply.


	I 'snip away' stuff that I don't think needs to be quoted repeatedly. Or stuff I won't reply to because I don't think it's important. If there's something you think it's important and I should reply to, then let me know. 




> I know I'm wrong there about something.  Do you know what it is,
> specifically and clearly in language somebody experienced on this list
> would agree to?  What does forward secrecy address, if not this?


	'forward secrecy' separates long-term identity keys from session keys so that 'compromise' of identity keys doesn't affect session keys. Also compromise of one session key doesn't affect other session keys. Why it is called 'forward secrecy', I don't know. Seems like a stupid name to me.


> 
> > 	Also, we're using plain text here because this is a public forum.
> 
> that's not how I feel, the comparison seems like gossiping instead of
> sending a letter to a mailing list.  in signal, messages are signed by
> the sender and misbehavior of the isp and server are defended against
> a little more.

	well yeah. And yet, misbehavior of isps or list server is not a problem here. You keep talking about it, but there isn't evidence of any tampering. I'm not saying it can't happen, just that it isn't happening here as far as I can tell.


 
> it's notable that speaking in a forum transparent to those who dislike
> the topic gets you hurt.  anarchists everywhere learn to organise in
> small private groups.


	Yes, I'm certainly not against that tactic, but now we're on the public arpanet, which is a very big public forum, not a 'small private group'. 
	

 
> pgp is broken by factorization.  teleportation would not be an
> efficient way to research this.
> 
> not sure if https://primecoin.io/ is that relevant but we can make an
> economy focused around compromising any cryptographic primitive, now.

	heh


> >
> > 	
> > 	at least decentralization doesn't allow the NSA to get all the data at
> > once, directly from morlonpoke.
> 
> where are you from?  it's so funny to see the 'z'.  it's the united
> states spelling.

	I'm not a native speaker of English. My English is mostly US-influenced I'd guess, but you shouldn't expect any consistent spelling from me =)


> 
> i guess we'd better find this mr morlonpoke and defend them =/  dunno
> how to do that.  we can call it freeing them from the shackles of
> technology and forcing them to work on what actually makes sense to
> work on.
> 
> the nsa already has agreements with isps, whereas a
> morlonpoke-agreement would be a new negotiation. 


	Like I said, the signal.org website is 'hosted' by amazon-NSA. That's trivial to check. And a quick search seems to suggest that the servers for signal the 'app' are also amazon-NSA.
	
	https://metager.org/meta/meta.ger3?eingabe=where+are+signal+servers+located&submit-query=&focus=web

	see the reddit posts 

	"Signal use both AWS and Azure with zero physical servers. I believe that they use the US-based AWS regions" 

	So at first sight signal is hosted by the NSA which is infinitely pathetic. You can of course easily check by looking at your phone's traffic...



> you have a point
> here but i don't think it's as big an issue as you seem to be saying
> it is.  maybe cause i'm from the states so i already have their isps.
> 
> we could invest time and energy in making a contribution to signal to
> make it decentralised.  this is physically possible.
	

	doesn't look like something they are interested in. 


> 
> >> It is weird that signal uses centralised servers.   [if you could quote this line it would help me remember this topic.  i can forget things when what i see, changes.]
> >
> > 	I don't think 'weird' is the right word.
> 
> how about "painful as if you were getting beaten up by a fake holding
> a surveillance camera so many times that you can't feel anymore"
> 
> what word would you use?


	Painful is a lot better than 'weird'.

	And if their server is run on the amazon-M$-NSA 'cloud' then I'd call it 'outrageous'.



> >
> > 	I don't see why we need a blockchain based messenger. A blockchain may
> > solve part of the 'key distribution problem' but in turn key distribution is
> > just one part of the whole communication problem. So a blockchain is not a
> > silver bullet.
> 
> blockchains break filters and firewalls like a tsunami, if they are
> cryptographically sound and functioning.  if there is some protocol
> quirk that makes for a censorship worry, that code can be designed to
> not have that quirk.
> 
> it's getting late for making a blockchain messenger as people slowly
> start noticing that money is just a fake thing to move them around,
> but that hasn't actually happened yet.  the strength of a
> cryptocurrency blockchain comes from the belief in money (because it
> gives it to people as its steps of functioning).
	

	The claim that money is a fake thing is pretty bold. And I still don't see what a 'blockchain' based messenger would look like. You seem to believe that 'blockchains' can solve many problems? They rather look like nasty surveillance tools to me, except if carefully used. 


> I didn't like how the people running it engaged in a chest-beating
> competition with another cryptographic organisation, but they were
> probably doing the best they could, just like you are.  I also don't
> like that they have a centralised server, require a phone number to
> register, and mostly support web-enabled technologies run by
> corporations that have huge opportunity to put backdoors in.  But it's
> pretty clear they gave a _lot_ of avenues for people to help address
> those situations.

	I'm not sure how people who are not part of the company can fix those problems? Apart from using the software to run a different service I guess.
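The property argued over above (a stolen long-term key opens every recorded PGP-style message, while a forward-secret handshake keeps session keys separate from identity keys and from each other) is easy to see in code. What follows is an added example, not code from this thread, from Signal or from any PGP implementation. It uses a deliberately tiny, insecure Diffie-Hellman group (p = 2**127 - 1, g = 2) and a toy HMAC-based stream cipher so it runs with the Python standard library only; the function names are my own. Scheme A derives the message key from a one-off DH against the recipient's long-term key, as PGP does. Scheme B is an X3DH-style handshake where both sides mint ephemeral keys and the identity keys only contribute authentication terms. An attacker who records the traffic and later obtains both identity keys decrypts scheme A, fails the tag check on scheme B, and cannot use one session's key on another session.

```python
"""Forward secrecy vs. encrypting to a long-term key: a stdlib-only toy.

Added example, not from the thread or from Signal/PGP. The DH group and the
stream cipher are ASSUMED toy constructions for illustration and are NOT safe;
real protocols use X25519 or RFC 3526 groups and a real AEAD.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1      # toy prime modulus (assumption, far too small to be secure)
G = 2               # toy generator
TAG_LEN = 16


def keygen():
    """Return (private, public) for the toy DH group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh(priv, pub):
    """Diffie-Hellman shared secret as 16 big-endian bytes."""
    return pow(pub, priv, P).to_bytes(16, "big")


def kdf(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def _keystream(key, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key, msg):
    """Toy encrypt-then-MAC: HMAC keystream XOR, truncated HMAC tag."""
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, len(msg))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()[:TAG_LEN]


def decrypt(key, blob):
    """Return plaintext, or None if the tag does not verify under `key`."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expect, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


# Scheme A: 'basic public key encryption' (PGP-like). The message key comes
# from a one-off DH against the recipient's LONG-TERM public key.
def basic_send(msg, recipient_id_pub):
    e_priv, e_pub = keygen()
    return e_pub, encrypt(kdf(dh(e_priv, recipient_id_pub)), msg)  # e_priv dropped


def basic_recv(recipient_id_priv, e_pub, blob):
    # Whoever holds the long-term private key can run this, for every message, forever.
    return decrypt(kdf(dh(recipient_id_priv, e_pub)), blob)


# Scheme B: forward-secret X3DH-style handshake. Both parties mint ephemeral keys;
# identity keys only add authentication terms to the key derivation.
def fs_session_key(my_eph_priv, my_id_priv, peer_eph_pub, peer_id_pub, initiator):
    ee = dh(my_eph_priv, peer_eph_pub)          # needs an ephemeral PRIVATE key
    if initiator:
        ie, ei = dh(my_id_priv, peer_eph_pub), dh(my_eph_priv, peer_id_pub)
    else:
        ie, ei = dh(my_eph_priv, peer_id_pub), dh(my_id_priv, peer_eph_pub)
    return kdf(ee, ie, ei)


def fs_session(msg, ia_priv, ia_pub, ib_priv, ib_pub):
    """One Alice->Bob session. Returns (what the wire shows, session key)."""
    ea_priv, ea_pub = keygen()
    eb_priv, eb_pub = keygen()
    k_alice = fs_session_key(ea_priv, ia_priv, eb_pub, ib_pub, True)
    k_bob = fs_session_key(eb_priv, ib_priv, ea_pub, ia_pub, False)
    assert k_alice == k_bob
    return (ea_pub, eb_pub, encrypt(k_alice, msg)), k_bob   # ea_priv, eb_priv dropped


def attacker_fs(ia_priv, ib_priv, transcript):
    """Attacker holding the recorded transcript and BOTH leaked identity keys."""
    ea_pub, eb_pub, blob = transcript
    ie = dh(ia_priv, eb_pub)      # recoverable from the leak
    ei = dh(ib_priv, ea_pub)      # recoverable from the leak
    # DH(eA, eB) needs a deleted ephemeral private key; a placeholder is the
    # best the attacker can do, and the tag check rejects the result.
    return decrypt(kdf(bytes(16), ie, ei), blob)


def demo(msg=b"meet at the usual place"):
    """Run both schemes; each value is True if that party can read `msg`."""
    ia_priv, ia_pub = keygen()
    ib_priv, ib_pub = keygen()
    e_pub, blob_a = basic_send(msg, ib_pub)
    t1, k1 = fs_session(msg, ia_priv, ia_pub, ib_priv, ib_pub)
    t2, _ = fs_session(msg, ia_priv, ia_pub, ib_priv, ib_pub)
    return {
        "bob_reads_basic": basic_recv(ib_priv, e_pub, blob_a) == msg,
        "leaked_id_key_reads_basic": basic_recv(ib_priv, e_pub, blob_a) == msg,
        "bob_reads_fs": decrypt(k1, t1[2]) == msg,
        "leaked_id_keys_read_fs": attacker_fs(ia_priv, ib_priv, t1) == msg,
        "session1_key_reads_session2": decrypt(k1, t2[2]) == msg,
    }


if __name__ == "__main__":
    for name, can_read in demo().items():
        print(f"{name}: {can_read}")
```

The two `leaked_*` rows are the whole argument: the same identity-key theft that opens every scheme A message gives the attacker only the `ie` and `ei` terms in scheme B, and without an ephemeral private key the derived key is wrong and the tag fails. Note that this says nothing about the other claim in the thread, that a break of the underlying DH problem would recover `ee` from the public ephemerals; forward secrecy protects against key theft, not against the primitive being broken.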


