"Robert J. Hansen" wrote:

> This is not my experience. I've received spam addressed to my amateur
> radio call sign (KC0SJE) at a domain that's not directly associated with
> me. I don't know how it was discovered, but for right now I'm leaning
> towards the hypothesis that spammers have made pacts with the Devil and
> learned dark arts.

My first guess would be that you are in one of your friends' address books, and your friend has spyware that got it.

> If I know that one sort of antispam measure is going to reduce the spam
> I receive 100-fold over the reduction produced by another antispam
> measure... and the 100-fold measure takes the same amount of resources
> as the other one... then why should I ever use the second measure?

If the amount of resources is so small that even combined they are insignificant, then why not use both? Everyone who gets sent spam isn't on one single list which all the spammers use. Spammers get their addresses in different ways, so different spammers will have different lists. Lists are valuable; you can make money by selling a list of working addresses, so they are not likely to be freely shared between spammers. The fewer lists you are on, the less spam you will be sent. It's not an all-or-nothing deal. Just because you won't be able to be totally free from spam, is that a good reason to carelessly leave your address all over the Internet?

> I get a 100-fold reduction from X amount of time and labor, or a
> 101-fold reduction from a 2X amount of time and labor. This is really
> simple to me; I'm going to take the 100-fold reduction and spend the
> extra X time goofing off, or visiting my nephews, or grabbing lunch with
> my sister, or doing thesis research, or...

Yes, it's logical to use the measure(s) that give the best results for your amount of time and effort. It's also logical to use all of the measures that give you or your contacts no inconvenience at all.

> "User IDs do not provide any authentication", okay, that much is true.
> If you want authentication, you're really looking for a trusted
> signature on the user ID, fine.

You are confusing authenticity and trust. If you visit Bob and he gives you his fingerprint, and when you get home you see that it matches the one on his key, then the key is authenticated.

If you now get Mary's key, with a signature from Bob, this does not make Mary's key authenticated! Bob might not know much about security, and have been tricked into signing a false key. He might secretly hate you and have created "Mary's" key himself. Someone might hold his cat hostage and force him to sign false keys. The point is that even if Bob is your best friend and a security guru who has no cat, his signature is still not a 100% guarantee that the key really belongs to Mary. All the signature provides is various degrees of trust.

> You are apparently not up to date on something called traffic analysis.
> I suggest you look into it. What you're talking about here is probably
> a pipe dream.

I have an account on a server run by a trusted party, which has an encrypted connection for accessing e-mail accounts. Most of my friends have accounts on the same server, so our messages to each other never leave the server. Traffic analysis will reveal what time you are active, and how much data you are transferring. The only way to protect against it is to download and upload all the time at a constant rate. Not worth it in my situation.

> 1. Stop posting to crypto mailing lists that keep public archives.
> Creating an electronic paper trail of yourself saying "I'm concerned
> about getting raided by the cops, please help me figure out how to
> protect my electronic privacy" is not a very smart thing to do.

I don't think there's anything wrong with saying that I want to protect my privacy. I think if asked whether they care about privacy, most people would answer yes. I have been sent letters by the police on several occasions telling me that my phone has been listened to (by law they have to inform you of this some time after). I had my car confiscated and searched. So if I know they are interested in me, surely the strange thing would be if I did not try to protect my privacy?

I never said I was concerned about getting raided; I said if someone else got raided it's not good if they find info about me there.

> 2. Hire an information security professional. GnuPG can be part of a
> security solution, it can even be a very effective part, but it is not
> magic fairy dust. You will not find privacy or security just by
> sprinkling a little magic fairy dust here and there and thinking that it
> will "just work".

Heh, I certainly don't think that only encrypting e-mail and signing backups with GnuPG will somehow make all aspects of my life secure. I don't know how you got this impression. I also use TrueCrypt for whole disk encryption, BCWipe for secure deletion, TOR for anonymity, a good firewall, and all my machines run Linux, and my "supersecure" machine is never connected to the Internet.

> If your needs are this high-level, you need the
> services of an information security professional.

My needs are not high-level, and I don't really need security for anything other than paying bills online. But it's nice to have some privacy, and security is a very interesting and inexpensive hobby.

Oskar

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
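The distinction Oskar draws between authenticating Bob's key (checking the fingerprint yourself) and the degree of trust Bob's signature lends to Mary's key can be made concrete with a small model of how GnuPG's classic trust model derives key validity. This is an added example, not GnuPG's code or anything from the thread; it assumes GnuPG's default thresholds (one fully trusted or three marginally trusted signatures, certification depth at most 5), which the mail does not state, and every fingerprint in it is a constructed sample value.

```python
# Toy model of a GnuPG-style web of trust, added as an illustration (it is not GnuPG's code).
# Assumes GnuPG's classic defaults completes-needed=1, marginals-needed=3, max-cert-depth=5.
from dataclasses import dataclass, field
@dataclass
class Key:
    fpr: str                                  # constructed sample value, not a real fingerprint
    sigs: list = field(default_factory=list)  # fprs of the keys that have signed this key

class Keyring:
    COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_DEPTH = 1, 3, 5
    def __init__(self, *keys):
        self.keys = {k.fpr: k for k in keys}  # fpr -> Key
        self.verified = set()                 # fprs I checked against the owner in person
        self.ownertrust = {}                  # fpr -> "full" | "marginal" (absent = none)
    def verify_in_person(self, fpr_from_owner):
        """Authentication: the fingerprint the owner handed me matches a key I hold."""
        if fpr_from_owner in self.keys:
            self.verified.add(fpr_from_owner)
        return fpr_from_owner in self.verified
    def validity(self, fpr, depth=0):
        """'full' | 'marginal' | 'unknown': how far this keyring vouches for fpr."""
        if fpr in self.verified:              # authenticated by me; no third party involved
            return "full"
        if depth >= self.MAX_DEPTH or fpr not in self.keys:
            return "unknown"
        completes = marginals = 0
        for signer in self.keys[fpr].sigs:
            # A signature counts only if the signer's key is valid to me AND I gave it ownertrust.
            if self.validity(signer, depth + 1) != "full":
                continue
            trust = self.ownertrust.get(signer)
            completes += trust == "full"
            marginals += trust == "marginal"
        if completes >= self.COMPLETES_NEEDED or marginals >= self.MARGINALS_NEEDED:
            return "full"
        return "marginal" if marginals else "unknown"

def mary_validity(bob_trust=None, extra_signers=()):
    # Bob's key verified in person and signing Mary's; extras are verified, marginally trusted.
    bob = Key("BOB0" * 10)
    mary = Key("MARY" * 10, [bob.fpr])
    kr = Keyring(bob, mary)
    kr.verify_in_person(bob.fpr)
    kr.ownertrust[bob.fpr] = bob_trust        # None: I never decided how far to trust Bob
    for name in extra_signers:
        k = Key((name.upper() + "_") * 8)
        kr.keys[k.fpr], kr.ownertrust[k.fpr] = k, "marginal"
        kr.verify_in_person(k.fpr)
        mary.sigs.append(k.fpr)
    return kr.validity(mary.fpr)
```

Bob's signature alone leaves Mary's key "unknown" until you decide how much to trust Bob's judgement, and even a fully trusted Bob only moves the key to "full" validity on the strength of that decision, which is exactly the risk Oskar describes.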
