Re: Quotes from GPG users
On 03/11/13 20:13, Daniel Kahn Gillmor wrote: As a Debian user, I rely on GnuPG to ensure that the software I install hasn't been tampered with. Excellent thanks Daniel! Sam. -- Sam Tuke Campaign Manager Gnu Privacy Guard 0044 78680 77871 signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
[Announce] Details on the GnuPG 1.4.15 and 2.0.22 release
Hi! Taylor asked me to forward this background info: On Sat, 5 Oct 2013 10:56, w...@gnupg.org said: not yet been seen in the wild. Details of the attack will eventually be published by its inventor. The zlib compression language that OpenPGP uses is powerful enough to express an OpenPGP compression quine -- that is, an OpenPGP compressed data packet that decompresses to itself -- causing infinite nesting of OpenPGP packets. Source code to generate such a quine is at http://mumble.net/~campbell/misc/pgp-quine/. When fed the quine, older versions of GnuPG would blow the stack and crash. GnuPG 1.4.15 and GnuPG 2.0.22 avoid this by setting a small constant bound on the depth of packet nesting. (This is similar to Tavis Ormandy's IPcomp compression quine, reported in CVE-2011-1547, which I didn't know about at the time I made the OpenPGP compression quine. Both of us had read Russ Cox's article on zlib compression quines: http://research.swtch.com/zip.) Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-announce mailing list gnupg-annou...@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi On Saturday 2 November 2013 at 6:48:39 PM, in mid:87fvreprlk@mat.ucm.es, Uwe Brauer wrote: Your point being? I presume it goes like this: NSA is a government based organisation doing, among other things, violations of civil rights. So any other government based organisation cannot be trust, end of argument. Exactly. Well I just talked about a service, which provides certificates to its citizen. That means it signs a public/private key pair, which is generated by the, hopefully open source, crypto module of your browser. So either you claim to have evidence that this modules have been hacked and the key pair is transferred to some of these evil organisations or I really don't see your point. Simply stated, it is established that government based organisations sometimes act in a nefarious manner, contrary to the law and contrary to the interests of the population. I view that as a reason not to trust government based organisations. And if I don't trust government based organisations, I cannot trust a certification issued by one. Of course, private companies or individuals who issue certifications are susceptible to coercion. Whether issued by government or by private sector, a single certification on a public key represents a single point of failure. It does not provide any great level of assurance the corresponding private key is controlled by the identity it claims. Such assurance could potentially be derived from numerous certifications that are independent from each other, but how do you tell which are truly independent? Where actual identity is not required, just continuity of communication, I see no value in obtaining any certification at all. - -- Best regards MFPAmailto:expires2...@ymail.com Can you imagine a world with no hypothetical situations? -BEGIN PGP SIGNATURE- iPQEAQEKAF4FAlJ3qQVXFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5pFGMD/3YXsKuEtEf9+H4qiQckLlEkv+ulrQnuepRn PlDE6rsbzdIaa3aU9eRCwa9mydwwIByadgI1YhrdXlnxRk2Aa6mfuoFPkg5MEa8c 3ysvmrVY5DHPkSELkEeUZe6Nk1lcJz1JUUd2vT6cNpks68kYG1Zb/VaLoKbC4sW2 ypuROxWl =1Moi -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Smart card reader issues with Windows 8.1 Pro 64bit
-BEGIN PGP SIGNED MESSAGE- Hash: RIPEMD160 Hi list, for a couple of years now I use an OpenPGP SmartCard for my daily mail. Every message I sign gets signed by the card, every encrypted message I receive gets decrypted by it. My v1 card failed one day without warning, my v2 card works fine ever since I got it (when v2 cards were released). I used several computers, running Windows most of the time. And had many issues. With Windows, Mac OS X, and Linux. While I was astouned by the lack of support and plug-n-play integration of smart card readers (at least some years ago), I also had trouble with Windows. My Fujitsu Lifebook E780 for example: i7, 8G RAM, SSD, 15 non-glare display,... A configuration one may also buy today. But it's no longer supported by Fujitsu. Support in terms of BIOS and driver updates ended 2009(!), shortly after I bought it, and as soon as the successor model was released. I chose to buy that laptop because it had a self-encrypting SSD, a fingerprint reader - and a built-in smart card reader. But I was never able to use it with my OpenPGP SmartCard: after the laptop went to standby the reader would no longer recognize any card until rebooted. Fujitsu support (3rd Level, Japan!) told me that this must be a SmartCard issue since the reader works fine in many big companies around the globe. Thank you... In all Windows versions, that internal smart card reader needs a special driver, it's not known by Windows/Microsoft. In Windoes 7 and 8 I had the above issues. In Windows 8.1 I could install the W7 drivers and the device would be listed 100% functional. But once I enter ANY SmartCard, I get a blue screen. So I disabled the built-in reader Instead, I bought myself a CardMan 4040 and it worked absolutely smoothly for me - from Windows XP to Windows 8 - without special drivers! Not so in Windows 8.1. Here the reader is also recognized and installs its drivers. For some seconds, device properties show that it is up an running fine, but after what sems like no time, it shows a device error and can't be accessed. Asking HID support, I received no answer at all... Since my other SCM readers SCR-335 (USB) and SCR-3340 (PC-Express/54) work fine and there are at least more recent drivers on their website, I bought a used(!) SCR-243 (PCMCIA). It also gets recognized after an automatic initial driver download through Windows Update but it does not recognise any SmartCard. I try to find out now whether just the reader I bought is broken or does not work with Windows 8.1 at all. Does anyone use a SCR-243 with Windows 8.1? Any other good experiences with other PC-Express/54 and/or PCMCIA readers using GnuPG on Windows 8.1? Any hints or recommendations? I own a CryptoStick (1.1) and could use that, but I really would like to use my Card as it is - with a SmartCard reader... on Win 8.1, Mac OS X, and Linux. Olav - -- The Enigmail Project - OpenPGP Email Security For Mozilla Applications -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.22 (MingW32) Comment: Dies ist eine elektronische Signatur - http://www.enigmail.net/ iQGcBAEBAwAGBQJSd7kDAAoJEKGX32tq4e9WwikMAIXFP7UuPZgb8IajaSQ87t7d BtQKKoyJiIVhCNwqAE58azoqQcY4IpMSp83AVkUSWjsCzBCJGmMvpW62p6EIojc3 HQ+kux++rwSo/iW2qmmG9S4K8t2veW81v/8sgecaTdxIj2NXu3ssUewIu5N1yVfx gwLqPQ8JcCOmBkCWO0ULAA8AdDy5ayebmkWbY5JHEjXM+Os6g929yhQ6CnYnLCpH yPiNLUBig6/aUHA9xIXWFbuFd5uKGQj6rU/SFhDRrjkLqZKMJoVBAyxNGQaooiaH 7Jy/gAg1Xaye1UogWPmPrM+QjbyD7B/54+rlx22ACotpbTvWCOmVAElUdw6Re4Na EIZpZ9XVrTGty3Ho0JHQnKg9i+QZcZ1WcRdcMb9neYnu38CK/nX00UvWDhQkgotB evFwEEwqznJRbYz5TaxaBl6HKDdna0y4OOTRJSOs6pBSty/LQx/FSqmbHTFPIBnr hRp8TXhYR+v2c0LLpcaRpNzD7Fy7J3DT4SZZ/U1mwg== =DL+2 -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi On Sunday 3 November 2013 at 10:02:14 PM, in mid:87habtnnyx@mat.ucm.es, Uwe Brauer wrote: Ingo == Ingo Klöcker kloec...@kde.org writes: So, your point/hope probably was that a government based CA wouldn't have such a business model and would instead offer this service gratis to the people (so that more people would be protected from the NSA reading their mail). If this was your point then apparently I didn't see it when I first read your message. That was *precisely* my point, thanks for clarifying it There are already several private sector CAs who provide free S/MIME certificates in the hope that punters may take one of their paid products instead or in addition. Potential sales is their incentive to provide some products free. What would be a government's incentive to provide them free of charge instead of charging for the admin? And what would a government based CA bring to the party that is not already available? If all we are talking about is email encryption to protect people's email from being read in transit, a self-signed certificate takes care of the encryption without the need for a CA. The only value in using a recognised CA rather than a self-signed certificate is convenience for the recipient, whose MUA is likely to automatically trust a recognised CA but would need to be told to accept a self-signed certificate. - -- Best regards MFPAmailto:expires2...@ymail.com CAUTION! - Beware of Warnings! -BEGIN PGP SIGNATURE- iPQEAQEKAF4FAlJ3sFNXFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5ptlAD/jWuP+IpjL+RRBH1CazALnqMcKfb0M4pyBoe +9SSDpPAR3CLFKBNi9/ThnVR28BAW3DWqILMq7n+5D+0Vu3jT4nC4Tvpz2tt2YfI rTUV37E2U62tpydkIhsHuuD9auqjtS3nwxd3db6jfTf+yzz+1LY4+pXtAipdwKQr JUKD0Rnl =Kt8y -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Quotes from GPG users
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi On Saturday 2 November 2013 at 4:22:29 PM, in mid:20131102162229.gc7...@fritha.org, Heinz Diehl wrote: GPG - keeps the XXX from your door! :-) [Replace XXX with any three letter agency of your choice] Is that actually true, rather than bringing you to their attention? - -- Best regards MFPAmailto:expires2...@ymail.com Two wrongs don't make a right. But three lefts do. -BEGIN PGP SIGNATURE- iPQEAQEKAF4FAlJ3vVlXFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5ppEkEALUTk4HKS5noJv5oohDxMQwefzfkmJ57QGK4 2YDO/Qb7Y70K0ZC+gO/eiOb5m7ZFR5dTaJTLD/tbf5rdoXRrjdSlMK9PUvwS7AFQ P7vAtRJucgGNbGvlu/T4P+v0mNkXKqCHyvRXUA+jMl8b/H2ZfzfPHg1KVakclhPA wL/yFsKR =Cp/U -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: trust your corporation for keyowner identification?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi On Sunday 3 November 2013 at 2:08:15 AM, in mid:5275b00f.7030...@gmail.com, Paul R. Ramer wrote: When you verify a key to sign you are verifying the following: 1) For each UID, that the name is correct and that the purported owner has control of the email in that UID (possibly also verifying the comment if it contains something such as CEO ABC Corporation). 2) That the purported owner has control of the key and can decrypt and sign messages. For #1, it is possible that the user has no name or email address in the UID(s). Either way, you need to verify the details of the UIDs that you intend to sign. For #2, you need to verify the key fingerprint, algorithm, and key size (but the fingerprint at a minimum) and then have the user demonstrate that he can decrypt a message encrypted with the key in question and also sign with it. This can be done by sending a message of unknown content (from the purported key owner's perspective) to him to each email that he claims to have in each of his UIDs (provided he has any) and require him to reply with a signed copy of the decrypted message. This serves to verify the control of the key and the email addresses. Why do we need to establish they can also sign? Isn't it enough to demonstrate they control the email address and can decrypt, by signing one UID at a time and sending that signed copy of the key in an encrypted email to the address in that UID? And as an aside, does it really make a difference to only sign some UIDs and not others? Does GnuPG actually take account of which UIDs are signed in its validity or trust calculations? - -- Best regards MFPAmailto:expires2...@ymail.com Life is far too important a thing ever to talk seriously about -BEGIN PGP SIGNATURE- iPQEAQEKAF4FAlJ3xQFXFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5p6WwD/i8S1/IozG/diojvmFKmDfVEe5kEKrIjku1z hGOySg4SkkwF9qI00iKTS29mJe9WeU22gRQk8ODLRvF7UqQgbV85KvmA6uvYmRHJ /Z4O5R9tFS7h7d32FBWF/HQ0uVSaIWKaHvY9M4ZBIzeyQBjwRQrCtPhjxief210N 2r2VwDfA =6C8E -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Quotes from GPG users
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 30/10/13 9:58 PM, Sam Tuke wrote: Hi all, I'm working with Werner to promote GnuPG and raise awareness. To that end we're collecting quotes from users - endorsements from people who know and trust GPG, people like you. Feel free to use any of my public comments on the topic, either on my blog or on Twitter. http://www.adversary.org/wp/2011/01/27/securing-gmail/ http://www.adversary.org/wp/2011/08/20/preventing-political-blunders-with-digital-signatures/ http://www.adversary.org/wp/2012/09/20/protecting-yourself-in-a-surveillance-state/ http://www.adversary.org/wp/2013/09/10/australias-dsd-recommends-weak-encryption/ Related category: http://www.adversary.org/wp/tag/crypto/ Some prior tweets: Intercepted phone calls and emails caught Standen according to #4corners. Three words: GPG and Zfone. http://twitter.com/benmcginnes/statuses/103053838977728512 Another reason why people should digitally sign their email. http://t.co/t0q8DtB #crypto #openpgp #auspol #gpg #gnupg http://twitter.com/benmcginnes/statuses/104452618016915456 That t.co link forwards here (for those of you who hate URL forwards): http://www.abc.net.au/news/2011-08-19/lnp-candidate-expelled-over-email/2847428 If you make a hashtag for this topic, let me know so I can point my fellow Pirates at it all. We've got some very good people on our social media team. Regards, Ben - -- Ben McGinnes http://www.adversary.org/ Twitter: benmcginnes Systems Administrator, Writer, Trainer, ICT Consultant Encrypted email preferred - primary OpenPGP/GPG key: 0x73590E5D OpenPGP/GPG key here: http://goo.gl/GVGwT and http://goo.gl/SDs0D OpenPGP/GPG key transition: http://www.adversary.org/keyswitch.txt.asc -BEGIN PGP SIGNATURE- iQGcBAEBCgAGBQJSd7FPAAoJEH/y03E1x1U8wZsL/09VWbKKRh5kWtjcV7VrYMlT CAwNAmBtTetU71BnQAw3qdSnpER5scR1WmT1cYpxqwMMWjKFn8YDKbfW73sC+Yen IqrNxOvJKRn1uhxfp/dh6igJYa+M/+iHuEM9XHcf/0QK/4ln8I4fCXWwsxQ807GJ iAgAqQGDbxrNVSX5huAd1Fs6PRCN5hZe708Nx2ZO28SryAWjdpneReU1m0wxrwn4 j+GgJ0vwVmYVJgk1a85GXEA+jFBoIwy+gtAYzdtWQ3MFVwA0+KU1coW4e2c5Sp6z R7PYN7TrNnbmUL7w9eGPPRgvbdFuQbf5+i1yY2hKDt1Ekbdf8kyUzbrWC1DrcTSe 3DuZYAeck0+OHVjmPcnvPlcQKThj3lwznDatVA8lccPRyf4R5n/BV85iV3D0f2Sp qvSmEjhG850AlsGD9KljFt7WIy6uof20wxym47qgOTfo/GHo0GOOc0fTQy5dq/Og fgH2xpsMOh43C6me17RzP8jXzmAps4843vJgJO3aPA== =pc68 -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and expired certificates
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi On Monday 4 November 2013 at 2:02:30 PM, in mid:563460450.20131104140230@my_localhost, MFPA wrote: Where actual identity is not required, just continuity of communication, I see no value in obtaining any certification at all. Or, indeed, where encryption is required but not actual identity. - -- Best regards MFPAmailto:expires2...@ymail.com The best way to destroy your enemy is to make him your friend. -BEGIN PGP SIGNATURE- iPQEAQEKAF4FAlJ3y/JXFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5pVJoD/i5/w+wDB4bqbDdRD1N0vNFAhOA5tP/nVP5P pXfZV8U3XE3igNz6Y3NCrH4/kSnNyEwXUtPmo0I60TMIOJaPvJn8dkuUeaiNiERS PGNPg4K0EIgng2OqPiUvU67feqdMCByEh1OfdZS0sbsfW7NQ0LhrcFO9gKdAllWO +yufHrcY =+o2F -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: trust your corporation for keyowner identification?
On 11/04/2013 11:02 AM, MFPA wrote: And as an aside, does it really make a difference to only sign some UIDs and not others? Does GnuPG actually take account of which UIDs are signed in its validity or trust calculations? Yes, it does make a difference. Let's say I make key X and attach to User IDs to it: * Daniel Kahn Gillmor d...@fifthhorseman.net * Alice Munroe al...@example.com You meet me, check my identity, verify that i'm actually dkg, and just sign the first User ID (because you have been unable to verify whether i am also somehow Alice Munroe). (in fact, i am not Alice Munroe, but i would like to be able to read her mail) At some point, you find you want to encrypt a message to Alice Munroe (who you met at a conference, perhaps). If you had certified both User IDs on my key, gpg would be happy to encrypt the message to my key instead of Alice's actual key. If i get a copy of that message, i would be able to read it. This would be bad. An OpenPGP certification (a keysigning) is an identity assertion, over *both* the key and the User ID. It says this key K belongs to the person known in the real world by the User ID U, and it is cryptographically signed by the person making the assertion. If you substitute some arbitrary other User ID for U, the meaning of the certification changes radically (and the cryptographic certification breaks). This is an intended feature. --dkg ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Quotes from GPG users
On 30/10/13 9:58 PM, Sam Tuke wrote: Hi all, I'm working with Werner to promote GnuPG and raise awareness. To that end we're collecting quotes from users - endorsements from people who know and trust GPG, people like you. If you want to help us, send your own statement about why GPG is important to you. Please keep it less than or equal to 130 characters, so it can be used on social networks. Now, for some new quotes (feel free to point to my Twitter account, @benmcginnes): * As a member of the Pirate Party Australia National Council, GPG is essential to securing confidential data. * Pirate Party Australia uses GPG to secure data transferred amongst the NC, such as financial disclosure data. * GPG was one of the essential tools I taught people at CryptoParty Melbourne. * Once you can use GPG, you can use any encryption tool. BTW, aside from the above quotes you won't be able to list a specific endorsement of Pirate Party Australia, but if you or Werner want I can take it to the next NC meeting. For the record I'm the current Party Treasurer. Contact me at this address or my Party address (it's on my key and very obvious). Encrypt anything to that address, though, because we have not yet completed the migration of the old email system to servers here in Australia. Regards, Ben signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: trust your corporation for keyowner identification?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi On Monday 4 November 2013 at 4:52:02 PM, in mid:5277d0b2.9040...@fifthhorseman.net, Daniel Kahn Gillmor wrote: Yes, it does make a difference. [snipped] If you had certified both User IDs on my key, gpg would be happy to encrypt the message to my key instead of Alice's actual key. Thank you. I had not realised gpg worried about which User IDs were signed. At some point in the past I thought I tested this and concluded it didn't make a difference, but have just tested again and confirmed to myself that it does. An OpenPGP certification (a keysigning) is an identity assertion, over *both* the key and the User ID. It says this key K belongs to the person known in the real world by the User ID U, and it is cryptographically signed by the person making the assertion. If you substitute some arbitrary other User ID for U, the meaning of the certification changes radically (and the cryptographic certification breaks). This is an intended feature. Thanks for the explanation. - -- Best regards MFPAmailto:expires2...@ymail.com Two rights do not make a wrong. They make an airplane. -BEGIN PGP SIGNATURE- iPQEAQEKAF4FAlJ33LBXFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5px60D/1VDKpSRAjsFM04KBJCMtoyMUJQA/MSu6l0d fckN0TY5E98dTLxF8LI2y3XEszMKh8N76JItSNZyoZYmBW+pcwgnhEZ4Y/jiha3d SZdapAHE91oDoGhnBn1zJ2txz41r0jHN1Y0w6MGuBvV9t92OHWAL1CnBlbMFzjkh nhz6WBw4 =fWqu -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Quotes from GPG users
On 04.11.2013, MFPA wrote: GPG - keeps the XXX from your door! :-) [Replace XXX with any three letter agency of your choice] Is that actually true, rather than bringing you to their attention? It depends. My key is publically available, with my current email address in it. Thus, anybody knows that I'm using gpg from time to time, at least those who are interested to. But that doesn't mean that I'm encrypting information which could be of importance for a three letter agency. In fact, I'm much more concerned about all the people sitting in-between (e.g. provider employees etc.) who could use content of my emails to spam on me or to sell it to advertisers and the like. After all, I have a private life.. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: UK Guardian newspaper publishes USA NSA papers
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi On Monday 4 November 2013 at 8:07:01 PM, in mid:201311042007.ra4k71qh085...@fire.js.berklix.net, Julian H. Stacey wrote: Talking about an alien loathed three letter agency ... See 4 top secret papers from it published by UK's Guardian newspaper today :-) at the bottom of this link http://www.theguardian.com/world/interactive/2013/nov/01/snowden-nsa-files-surveillance-revelations-decoded You don't need to be talking to a terror suspect to have your communications data analysed by the NSA. The agency is allowed to travel three hops from its targets. That's phenomenal: isn't everybody in the world separated by an average of just six hops? - -- Best regards MFPAmailto:expires2...@ymail.com Why is the universe here? Well, where else would it be? -BEGIN PGP SIGNATURE- iPQEAQEKAF4FAlJ4Ec1XFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5pHbkD/0IXO5XUkNE9+2Lebn6Oz3em9B1iXojVH0n5 x3jrjc9vnYy7BmNWU37fpy1f16YJi/Jy3dkOUuLAOvYoEDdN+mrUfDqPwT167zht M74WA0wStyGu99qSCF0tQ1WV2LoNHHB5JDSFKyyYqNmbPisJbnOX35Nl2aecWWTv SFDVZqWu =4VzI -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
UK Guardian newspaper publishes USA NSA papers
information which could be of importance for a three letter agency. In Talking about an alien loathed three letter agency ... See 4 top secret papers from it published by UK's Guardian newspaper today :-) at the bottom of this link http://www.theguardian.com/world/interactive/2013/nov/01/snowden-nsa-files-surveillance-revelations-decoded I haven't had time to read it all yet, but IMO if they say Gnupg makes their life hard, it'll make me happy. Cheers, Julian -- Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com Interleave replies below like a play script. Indent old text with . Send plain text, not quoted-printable, HTML, base64, or multipart/alternative. Extradite NSA spy chief Alexander. http://berklix.eu/jhs/blog/2013_10_30 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: trust your corporation for keyowner identification?
MFPA expires2...@ymail.com wrote: Why do we need to establish they can also sign? Isn't it enough to demonstrate they control the email address and can decrypt, by signing one UID at a time and sending that signed copy of the key in an encrypted email to the address in that UID? You are right. Decryption is sufficient to demonstrate control of the private key, because if he can decrypt, he can also sign. What I said, decrypt and sign, was redundant. Cheers, --Paul -- PGP: 3DB6D884 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: UK Guardian newspaper publishes USA NSA papers
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 11/04/2013 04:29 PM, MFPA wrote: That's phenomenal: isn't everybody in the world separated by an average of just six hops? I tried to check that out, and I have never needed more than about three hops. Three hops to former president Richard Nixon. Two hops from me to Mikhail Gorbachev, Albert Einstein. One hop from me to Margaret Leng Tan, Maurice Wilkes, Phyllis Chen, Claire Chase, David Wagner (I met him when he was a baby), Eric Lamb, Ronald Coase, Sylvia Milo, Nathan Davis. Some of these are very famous, and some are famous in their own fields. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 17:00:01 up 19:21, 2 users, load average: 4.77, 4.67, 4.52 -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.14 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJSeB2QAAoJEBZthAoMYQyLbTgIAKn1VLcsgXEAUgwacr/fU09Q teXaJ6JnUNfVmEH/hdwlyfwTlBkbV8SmFQ3aN8LZjz5b2osI659P9tNA3LXEi7Jz +H0wa0aE/HBy/neumxv24Bu0s5bdeI3CU+FYqPBYtYjx1Q0Qeoug6VZqqI4TbJZo lcby5oWvXldwFunS9jvAbmtpl5G9uchzDSP+Y2hI3XEmT4OISb3jZPP0LHt8sPYc kv1qAedpg67GrANlPOJqsZaPbfm/hJnNm0z2qGbc+l5tl/hoXM6M30pFrNFoB6n4 ZFqPrwHjxgGfoaHD+sO9ZEWjLg8bKz70dmdQmtoKANQY9PuXSplkfBWsD4aH2y8= =IzJe -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: trust your corporation for keyowner identification?
On Mon, Nov 04, 2013 at 01:44:51PM -0800, Paul R. Ramer wrote: MFPA expires2...@ymail.com wrote: Why do we need to establish they can also sign? Isn't it enough to demonstrate they control the email address and can decrypt, by signing one UID at a time and sending that signed copy of the key in an encrypted email to the address in that UID? You are right. Decryption is sufficient to demonstrate control of the private key, because if he can decrypt, he can also sign. What I said, decrypt and sign, was redundant. Well... I still do not understand why decryption is sufficient to demonstrate control of the private key and not adding a UID (note I'm talking about signed UID's, not unsigned ones, of course). Sorry. Cheers, Leo ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: UK Guardian newspaper publishes USA NSA papers
On Monday 04 Nov 2013 21:07:01 Julian H. Stacey wrote: http://www.theguardian.com/world/interactive/2013/nov/01/snowden-nsa -files-surveillance-revelations-decoded And in other news... http://slashdot.org/topic/datacenter/google-chief-eric-schmidt-slams-nsa-for-tapping-datacenters/ Google Chief Eric Schmidt Slams NSA. -- Richard https://twitter.com/SleepyPenguin1 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: UK Guardian newspaper publishes USA NSA papers
That's phenomenal: isn't everybody in the world separated by an average of just six hops? That's more urban myth than reality. Reality is hard to model. An isolated village in a remote area of Africa might have a very hard time connecting to London in six hops, but the instant one villager gets a cell phone suddenly they're on the phone jawing with 10 Downing Street. It's hard to give simple six hops is about it, yes answers: what we have to talk about instead is the degree of connectivity within a network. Given a network with a certain set of nodes and a certain set of connections between nodes, how many hops will it take to traverse the network? This is a function of both how many nodes there are, and the particular connections they have. When the network forms a bunch of neighborhoods and there are few if any long-distance connections, the hop count quickly goes out of control. As a historical example, look at the Black Death. Despite the worldwide conditions being virtually ideal for the various forms of plague (principally bubonic), it still took many years for the Black Death to spread from China to Europe. At that time in history the overwhelming majority of people not only had never traveled more than 30km from their homes, they didn't even know someone who had traveled more than 30km from their homes. The Black Death was condemned to spread 30km at a time -- ravaging a 'neighborhood' of the network and then moving on. Today, though, many of us have traveled internationally and virtually all of us are connected to someone who has traveled intercontinentally. (Including all of you. I've traveled to Europe multiple times and you know me, so even if you've never left your small rural village you're still connected to someone who has traveled a long distance.) It turns out that if you have even a small number of long-distance connections, neighborhoods get bridged *very* quickly. Let's connect me to Vladimir Putin as an example. I'm looking for a good long-distance hop that will get me most of the way to Russia. I attended undergrad with a Russian woman named Yelena (last name omitted for her privacy), whose great-uncle sat on Gorbachev's Politburo (his name omitted again for her privacy). He, in turn, is *scary*-well connected among the political elite. If he doesn't have a certain former KGB counterintelligence agent on speed-dial, I'll eat my hat. So: Rob -- Yelena -- Y's Great-Uncle -- Vladimir Putin Three hops. It's worth asking: if I didn't have that long-distance hop, could I still make it to Putin? Sure. I just need a different hop. It turns out my co-worker Greg, who was born and raised in Moscow, knew Yelena's great-uncle (and hated him something fierce, but that's beside the point). So now it's: Rob -- Greg -- Y's Great-Uncle -- Vladimir Putin Okay, so the real 'focus' node is Yelena's great-uncle. Let's get rid of that. And let's do something weird, like require that the connection be made through official government contacts and coordinated through the Department of State. Well, my father is a federal judge who has professional and personal connections with Senator Tom Harkin (D-IA). Senator Harkin happens to be a close friend of John Kerry, the United States Secretary of State. Secretary Kerry in turn has Vladimir Putin on speed-dial. So there's... Rob -- Rob's dad -- Harkin -- Kerry -- Putin It's not hard to come up with ways I'm connected to Vladimir Putin. Try to connect yourself to Putin: seriously, it's a fun game. :) Hop counts will be lowest where each node in the network is connected to a modestly-large neighborhood, and where each of those neighbors has a good chance of having one or more long-distance connections. It used to be that a neighborhood consisted of no more than a couple of hundred people, none of whom had long-distance connections of their own. This would be the case for a medieval village, for instance. Nowadays we may have *thousands* of connections, and each connection has an extremely good chance of having one or more long-distance connections. The combination of large neighborhoods and long-distance connections is called the Small World Effect, and it has a lot of academic literature backing it. You may want to check out the Wikipedia page for more information: http://en.wikipedia.org/wiki/Small-world_network ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: UK Guardian newspaper publishes USA NSA papers
I tried to check that out, and I have never needed more than about three hops. Sure, but then again you're trying to hit people with *extremely* large networks, and whose first-order networks are themselves *extremely* well-connected. Even the exotic ones like Ronald Coase -- he co-authored a ton of papers and attended a lot of conferences and advised a lot of Ph.D. candidates and taught a lot of courses. If you can map out a line to my great-uncle Ormo Rasmussen in three hops without using me as a link, I'll be impressed. ;) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: UK Guardian newspaper publishes USA NSA papers
On Monday 04 Nov 2013 21:07:01 Julian H. Stacey wrote: http://www.theguardian.com/world/interactive/2013/nov/01/snowden-nsa -files-surveillance-revelations-decoded And in other news... http://slashdot.org/topic/datacenter/google-chief-eric-schmidt-slams-nsa-for-tapping-datacenters/ Google Chief Eric Schmidt Slams NSA. I met him in North Korea once. -- Richard https://twitter.com/SleepyPenguin1 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: UK Guardian newspaper publishes USA NSA papers
On 11/04/2013 05:40 PM, Robert J. Hansen wrote: I tried to check that out, and I have never needed more than about three hops. Sure, but then again you're trying to hit people with *extremely* large networks, and whose first-order networks are themselves *extremely* well-connected. Even the exotic ones like Ronald Coase -- he co-authored a ton of papers and attended a lot of conferences and advised a lot of Ph.D. candidates and taught a lot of courses. If you can map out a line to my great-uncle Ormo Rasmussen in three hops without using me as a link, I'll be impressed. ;) I would not even know how to go about it. In my little list, I did not pick these people and see how to link to them; they were people I new directly (the one-hop ones), Or I knew someone who knew them (my piano teacher: Gorgbachev, my grandfather: Albert Einstein). Getting to Richard Nixon was a bit harder. A friend of mine knew his mother. I am actually surprised and impressed by my list. Not that anyone else should care. And on this list, David Wagner was easy since I worked with his mother at Bell Labs and met him not long after he was born. He surely has no recollection of me. Speaking of Bell Labs, kind of a name-dropping switchboard. My grandfather worked there, so I am a two handshakes away from Clinton Davisson. And I worked there and knew Doug McIlroy, and knew Ken Thompson and Dennis Ritchie very slightly. Also Bela Julesz. And Vic Vyssotsky was the most compulsive cigarette smokers I ever met, but a uniquely brilliant computer scientist. Jean Felker, who lead the TRADIC project (possibly the first transistorized electronic computer) interviewed me when I first tried, as a high school student, to get a summer job there. We talked about round-off problems when using fixed-length and fixed-point arithmetic. Oh! Well! Memories. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jerseyhttp://counter.li.org ^^-^^ 17:55:01 up 20:16, 2 users, load average: 4.74, 4.61, 4.54 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users