Re: In case you use OpenPGP on a smartphone ...
On 2020-08-11T21:18:24+0200 Johan Wevers wrote 0.9K bytes:

> On 11-08-2020 17:18, Stefan Claas wrote:
>
> >> Why hardware? If a bug is found you can't upgrade it easily.
> >
> > Because hardware can't be tampered with like software.
>
> If a hardware bug is found you're still lost. Even Apple has found out
> the hard way.

A hardware smartcard is meant to be a closed system, and you can enumerate all (or fuzz most) of the possible inputs.

If you have a Nest thermostat, why bother with an alcohol thermometer? Perhaps there is a bug with your Nest and it reports in Fahrenheit instead of Celsius. Google can issue an update, and send out an email apologizing profusely. If your alcohol thermometer is inaccurate, your homeostasis is surely doomed.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why does gpg -k write to tofu.db?
On Tue, Aug 11, 2020 at 5:32 PM Brian Minton wrote:
>
> I have a lot of public keys in my keybox (it's about 45 MB or so).
> I was trying to figure out why seemingly innocent tasks in gpg take
> a very long time. It seems that gnupg is making a very long
> running transaction to the sqlite3 database ~/.gnupg/tofu.db
>

This did eventually complete:

pops-mintonw10:~/.gnupg$ time gpg -k|wc -l
13729

real    117m26.112s
user    25m56.486s
sys     90m31.859s
Re: In case you use OpenPGP on a smartphone ...
ved...@nym.hush.com wrote:

> There is already a simple existing solution.
>
> [1] Encrypt and decrypt on a computer that has internet hardware disabled.
>
> [2] Use an Orbic Journey V phone that gets and sends *only text*
>
> [3] Use a microsd expansion card on the Orbic phone
>
> [4] set up the phone to save encrypted texts on the microsd 'storage' card
>
> [5] Take out the microsd card and use a card reader in the computer in [1]
> transfer text only (encrypted or decrypted)
>
> Any file can be sent as encrypted text by using the armor option -a on the
> GnuPG command line.
> (this includes audio, video .jpg, .png, pdf, etc. literally any and all
> possible file types.)
>
> Even if the Orbic uses the *unknown* system, if you are encrypting and
> decrypting on a separate air-gapped computer, and
> transferring only text to a microsd, it is hard to see how it can be
> compromised. (Yes *Anything* can happen, but without
> evidence, there is no end to paranoia)

(I only replied to you and not the list)

Thanks for the detailed description, much appreciated!

> It is not the place of the FAQ to solve the transmission issues of an already
> perfectly formed GnuPG encrypted .asc file.
>
> The manual and/or FAQ, tells how to use GnuPG to encrypt or decrypt the file,
> and armor it.
>
> The rest is up to the User's threat model.

Well, yes and no. It should be at least discussed and if too many people write from old FAQs new tutorials then new users will never know these dangers, when using online devices.

> (btw,
> There is, [afaik], no protection available in GnuPG
> against a Clairvoyancy attack vector on an encrypted file even in an
> air-gapped computer,
> and there is a rumour that any Witch or Wizard can instantly behold the
> plaintext of an encrypted message
> by flicking a wand at it, and using the simple charm 'Revelato')

I think I know what you mean. But I think it does not scale well for the masses due to manpower shortage.

> but not really in my threat model 8^

Mine neither. :-)

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion
Why does gpg -k write to tofu.db?
I have a lot of public keys in my keybox (it's about 45 MB or so). I was trying to figure out why seemingly innocent tasks in gpg take a very long time. It seems that gnupg is making a very long running transaction to the sqlite3 database ~/.gnupg/tofu.db

laptop:~/.gnupg$ date;ls -last
Tue 11 Aug 2020 03:38:14 PM EDT
total 101184
   4 drwxr-xr-x 109 bminton bminton    4096 Aug 11 15:35 ..
  12 drwx------   5 bminton bminton   12288 Aug 11 15:17 .
 112 -rw-r--r--   1 bminton bminton  111320 Aug 11 15:16 tofu.db-journal
   4 -rw-------   1 bminton bminton     600 Aug 11 15:16 random_seed
2580 -rw-r--r--   1 bminton bminton 2637824 Aug 11 15:16 tofu.db
   0 -rw-------   1 bminton bminton       0 Aug 11 15:16 tofu.db-want-lock
   4 -rw-r--r--   1 bminton bminton      26 Aug 11 15:05 .#lk0x...

So, this seems like the transaction has been running for at least 20 minutes. That's just to run gpg -k

Why does gpg -k need to write to the tofu db?

I should mention that gpg is running at 100% cpu in the R state. Before starting the gpg -k command, I killed all gpg processes with gpgconf --kill all just to make sure there was no other process trying to talk to gpg.

This seems like it may also be related to https://dev.gnupg.org/T1938 or https://dev.gnupg.org/T2019 but I'm not sure.

Some version info:

gpg (GnuPG) 2.2.20
libgcrypt 1.8.4
Linux kernel 5.5.0
Debian 10 (buster) + backports
arch: x86_64
hardware: Intel(R) Core(TM) i7-6600U CPU @ 2.60GHz with 4 cores (note that gpg only seems to be pegging one core)
16 GB RAM
SATA SSD
Re: In case you use OpenPGP on a smartphone ...
ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users wrote:

> Yubikey dealt with a mass recall only last year due to a bug in their
> firmware:
> https://www.engadget.com/2019-06-13-yubico-recalls-government-grade-security-keys-due-to-bug.html

Quote: Fortunately, any affected customers will receive a replacement key.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion
Re: In case you use OpenPGP on a smartphone ...
On 11-08-2020 21:49, vedaal via Gnupg-users wrote:

> There is already a simple existing solution.

Simple is not how I see this.

> [1] Encrypt and decrypt on a computer that has internet hardware disabled.
> [2] Use an Orbic Journey V phone that gets and sends *only text*
> [3] Use a microsd expansion card on the Orbic phone

The Iranians thought this too. And then someone invents Stuxnet-like attack software.

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
Re: In case you use OpenPGP on a smartphone ...
Yubikey dealt with a mass recall only last year due to a bug in their firmware:
https://www.engadget.com/2019-06-13-yubico-recalls-government-grade-security-keys-due-to-bug.html

--
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his

On 11/08/20 22:10, Stefan Claas wrote:
>
> Johan Wevers wrote:
>
> > On 11-08-2020 17:18, Stefan Claas wrote:
> >
> > >> Why hardware? If a bug is found you can't upgrade it easily.
> > >
> > > Because hardware can't be tampered with like software.
> >
> > If a hardware bug is found you're still lost. Even Apple has found out
> > the hard way.
>
> Yes, you are right. While I am no programmer I would assume that designers
> of such little hardware devices, same as YubiKey or Nitrokey for example,
> do not have to deal with a boatload of large software components, burned
> into ROMS.
>
> > >> On mobile, encrypted messengers are the norm. WhatsApp is the biggest,
> > >> and it uses Signal's encryption algorithm which is excellent.
> > >
> > > And you think that continuing with those is a good practice since
> > > Mr Snowden's YouTube Video was released?
> >
> > It is a risk, but not a bigger risk than someone taking over your pc or
> > laptop. Signal and GnuPG are both defenseless against that.
>
> Yes, a risk, but at what price? I could imagine that many people do not
> care too much if it hurts journalists or activists from foreign countries.
>
> But how about cybercrimes in general?
>
> https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/
>
> Regards
> Stefan
>
> --
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion
Re: In case you use OpenPGP on a smartphone ...
Johan Wevers wrote:

> On 11-08-2020 17:18, Stefan Claas wrote:
>
> >> Why hardware? If a bug is found you can't upgrade it easily.
> >
> > Because hardware can't be tampered with like software.
>
> If a hardware bug is found you're still lost. Even Apple has found out
> the hard way.

Yes, you are right. While I am no programmer I would assume that designers of such little hardware devices, same as YubiKey or Nitrokey for example, do not have to deal with a boatload of large software components, burned into ROMS.

> >> On mobile, encrypted messengers are the norm. WhatsApp is the biggest,
> >> and it uses Signal's encryption algorithm which is excellent.
> >
> > And you think that continuing with those is a good practice since
> > Mr Snowden's YouTube Video was released?
>
> It is a risk, but not a bigger risk than someone taking over your pc or
> laptop. Signal and GnuPG are both defenseless against that.

Yes, a risk, but at what price? I could imagine that many people do not care too much if it hurts journalists or activists from foreign countries.

But how about cybercrimes in general?

https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion
Re: In case you use OpenPGP on a smartphone ...
On 8/11/2020 at 3:00 PM, "Stefan Claas" wrote:
...
>As understood a Pegasus operator can do what ever
>he likes to do remotely, anonymously with our (Android/iOS)
>smartphone, without that we know that this happens.
...
>in form of a best practice FAQ (cross-platform), to no longer use
>encryption software on online devices and work out
>strategies to use offline devices and how to handle this data
>securely over to an online device, until proper and affordable
>hardware encryption devices for online usage are available?

=====

There is already a simple existing solution.

[1] Encrypt and decrypt on a computer that has internet hardware disabled.

[2] Use an Orbic Journey V phone that gets and sends *only text*

[3] Use a microsd expansion card on the Orbic phone

[4] set up the phone to save encrypted texts on the microsd 'storage' card

[5] Take out the microsd card and use a card reader in the computer in [1] transfer text only (encrypted or decrypted)

Any file can be sent as encrypted text by using the armor option -a on the GnuPG command line.
(this includes audio, video .jpg, .png, pdf, etc. literally any and all possible file types.)

Even if the Orbic uses the *unknown* system, if you are encrypting and decrypting on a separate air-gapped computer, and transferring only text to a microsd, it is hard to see how it can be compromised. (Yes *Anything* can happen, but without evidence, there is no end to paranoia)

It is not the place of the FAQ to solve the transmission issues of an already perfectly formed GnuPG encrypted .asc file.

The manual and/or FAQ, tells how to use GnuPG to encrypt or decrypt the file, and armor it.

The rest is up to the User's threat model.

(btw,
There is, [afaik], no protection available in GnuPG against a Clairvoyancy attack vector on an encrypted file even in an air-gapped computer,
and there is a rumour that any Witch or Wizard can instantly behold the plaintext of an encrypted message by flicking a wand at it, and using the simple charm 'Revelato')

but not really in my threat model 8^

vedaal
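
Added example, not part of vedaal's post or of GnuPG: a check the air-gapped computer in step [1] could run on a file from the microsd card in step [5], accepting it only if it is nothing but one ASCII-armored PGP MESSAGE (RFC 4880 section 6) with a valid CRC-24 line. The function names, reason strings and sample payload are assumptions made for illustration; the check assumes the checksum line is present, as gpg -a in GnuPG 2.2 writes it, and it says nothing about what the decoded packets contain.

```python
# Added example (not from the thread): gate for text crossing the air gap.
import base64
import re

CRC24_INIT = 0xB704CE   # constants from RFC 4880, section 6.1
CRC24_POLY = 0x1864CFB
BEGIN = "-----BEGIN PGP MESSAGE-----"
END = "-----END PGP MESSAGE-----"
PRINTABLE = re.compile(r"[\x20-\x7e]*")


def crc24(data):
    """CRC-24 over the raw (decoded) payload, as used by OpenPGP armor."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload, begin=BEGIN, end=END):
    """Build armor around payload; used here only to construct sample input."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    return "\n".join([begin, ""] + lines + ["=" + check, end, ""])


def check_transfer(raw):
    """Return (ok, reason) for the bytes of one file on the transfer medium."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ascii"
    lines = text.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    if not all(PRINTABLE.fullmatch(line) for line in lines):
        return False, "control-characters"
    # Only an encrypted message may cross; key blocks and loose text may not.
    if not lines or lines[0] != BEGIN:
        return False, "not-a-pgp-message"
    if lines[-1] != END:
        return False, "no-end-line"
    body = lines[1:-1]
    if "" not in body:
        return False, "no-header-separator"
    split = body.index("")
    headers, data = body[:split], body[split + 1:]
    if any(": " not in header for header in headers):
        return False, "bad-armor-header"
    if not data or len(data[-1]) != 5 or not data[-1].startswith("="):
        return False, "no-crc-line"
    try:
        payload = base64.b64decode("".join(data[:-1]), validate=True)
        expected = int.from_bytes(
            base64.b64decode(data[-1][1:], validate=True), "big")
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False, "bad-base64"
    if crc24(payload) != expected:
        return False, "crc-mismatch"
    return True, "ok"


# Constructed sample: arbitrary bytes standing in for gpg's binary output.
SAMPLE_PAYLOAD = bytes(range(256)) * 2
SAMPLE = armor(SAMPLE_PAYLOAD).encode("ascii")

if __name__ == "__main__":
    print(check_transfer(SAMPLE))
    print(check_transfer(SAMPLE + b"\xff\xd8\xff"))
```
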
Re: In case you use OpenPGP on a smartphone ...
On 11-08-2020 17:18, Stefan Claas wrote:

>> Why hardware? If a bug is found you can't upgrade it easily.
>
> Because hardware can't be tampered with like software.

If a hardware bug is found you're still lost. Even Apple has found out the hard way.

>> On mobile, encrypted messengers are the norm. WhatsApp is the biggest,
>> and it uses Signal's encryption algorithm which is excellent.
>
> And you think that continuing with those is a good practice since
> Mr Snowden's YouTube Video was released?

It is a risk, but not a bigger risk than someone taking over your pc or laptop. Signal and GnuPG are both defenseless against that.

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
Re: In case you use OpenPGP on a smartphone ...
I suppose, you're right. I'm wary of blindly believing videos, especially when faking them has become relatively easy at this point.

I think one thing both Android and iOS get wrong is that the user isn't really in control of the device. So many manufacturer ROMs have built-in bloatware and various apps you'll never use, and there's no way to get rid of it. There are different classes of apps with differing levels of access to the internals of the OS, and there isn't much you can do about it. And on iOS, you're at the mercy of Apple as to whether your device remains supported and whether e.g. bugs in WebKit (the only renderer available on iOS) get fixed for your device. While custom ROMs solve some of these issues, most phones are bought with a locked bootloader (since most people aren't rich enough to buy their smartphones outright and end up leasing them through the service provider), which sort of renders that argument moot for *most* people.

Fundamentally, while a Linux phone may not necessarily have all of the hardening or whatever that many Android phones come with today, I'd argue that the privacy aspects, and the fact that the user truly _owns_ their device, more than make up for those (current) deficiencies. It will be easier, I think, to defend against what you're talking about in terms of malware, shady links, and so on because you have the opportunity to control literally *everything* running on your device. Once I get my PinePhone, one of the first things I will be doing is playing around with things like firejail to see if I can get seamless sandboxing for most programs (I already heavily utilize firejail on my laptop). And I suspect that level of control (and ability to keep receiving updates, no matter how old the phone) will put Linux phones over the top in terms of security.

Sincerely,
Chiraag

--
ಚಿರಾಗ್ ನಟರಾಜ್
Pronouns: he/him/his

On 11/08/20 19:32, Andrew Gallagher wrote:
>
> It matters little whether these statements were made by Snowden. Whether a
> particular piece of software exists or not, and whether it is owned by the
> Russians or the Israelis or the Americans, is beside the point. In principle,
> it can exist and similar pieces of software have existed in the past, so we
> can safely assume that something like it will always exist in some form or
> another.
>
> If someone roots your phone, or your laptop, it is Game Over. It does not
> matter if you are using Signal, or WhatsApp, or PGP. If the Bad Guys have
> rooted your phone you are helpless against them. The solution is not to let
> them root your phone in the first place (i.e. update regularly and don’t
> click on anything unsolicited), and don’t use your phone for anything that
> would endanger your life if you were rooted.
>
> Andrew Gallagher
>
> > On 11 Aug 2020, at 17:18, Stefan Claas wrote:
> >
> > Please ask native U.S. citizens if this is a video with a faked voice from
> > Mr. Snowden, not me.
Re: In case you use OpenPGP on a smartphone ...
Andrew Gallagher wrote:

> It matters little whether these statements were made by Snowden. Whether a
> particular piece of software exists or not, and
> whether it is owned by the Russians or the Israelis or the Americans, is
> beside the point. In principle, it can exist and
> similar pieces of software have existed in the past, so we can safely assume
> that something like it will always exist in some
> form or another.

Fully agree!

> If someone roots your phone, or your laptop, it is Game Over. It does not
> matter if you are using Signal, or WhatsApp, or
> PGP. If the Bad Guys have rooted your phone you are helpless against them.
> The solution is not to let them root your phone in
> the first place (i.e. update regularly and don’t click on anything
> unsolicited), and don’t use your phone for anything that
> would endanger your life if you were rooted.

I must admit that I only use a smartphone for a couple of months now, because I wanted to see what things I can do with it. Besides that I must also say that I am no fan of smartphone technology.

You say that we must be careful that not someone roots our smartphone.

As understood a Pegasus operator can do what ever he likes to do remotely, anonymously with our (Android/iOS) smartphone, without that we know that this happens.

And then some people may also have problems with their Desktop computer, in case FinFisher and friends allows zero-clicks too, which we don't know.

So, to sum it up (I know you prefer Tails) would you agree that sooner or later the community should develop strategies, in form of a best practice FAQ (cross-platform), to no longer use encryption software on online devices and work out strategies to use offline devices and how to handle this data securely over to an online device, until proper and affordable hardware encryption devices for online usage are available?

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion
Re: In case you use OpenPGP on a smartphone ...
It matters little whether these statements were made by Snowden. Whether a particular piece of software exists or not, and whether it is owned by the Russians or the Israelis or the Americans, is beside the point. In principle, it can exist and similar pieces of software have existed in the past, so we can safely assume that something like it will always exist in some form or another.

If someone roots your phone, or your laptop, it is Game Over. It does not matter if you are using Signal, or WhatsApp, or PGP. If the Bad Guys have rooted your phone you are helpless against them. The solution is not to let them root your phone in the first place (i.e. update regularly and don’t click on anything unsolicited), and don’t use your phone for anything that would endanger your life if you were rooted.

Andrew Gallagher

> On 11 Aug 2020, at 17:18, Stefan Claas wrote:
>
> Please ask native U.S. citizens if this is a video with a faked voice from
> Mr. Snowden, not me.
Re: In case you use OpenPGP on a smartphone ...
ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users wrote:

> On 11/08/20 17:18, Stefan Claas wrote:
> >
> > And you think that continuing with those is a good practice since
> > Mr Snowden's YouTube Video was released?
>
> I mean, don't you think it's odd that you can't find a single other source
> for those statements coming from Snowden? And
> don't you find it odd that Pegasus is claimed to be a Russian group, when in
> fact they're Israeli (showing a basic lack of
> care regarding factual statements that are easily verified or debunked)? I
> don't think Snowden would make that sort of
> mistake, and I would think we'd see a lot more articles or videos or whatever
> about this.
>
> Is Pegasus dangerous? Absolutely. Do I take the claims in the video at face
> value? Not really, no. And I doubt that Snowden
> actually said all of those things as one coherent statement (although they
> might be various statements taken from various
> different interviews or speeches or whatever).
>
> The whole veracity of the video rests on Snowden's authority, and I suspect
> the people who made the video are banking on
> people trusting it because it seems to come from Snowden.

Please ask native U.S. citizens if this is a video with a faked voice from Mr. Snowden, not me.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion
Re: In case you use OpenPGP on a smartphone ...
On 11/08/20 17:18, Stefan Claas wrote:
>
> And you think that continuing with those is a good practice since
> Mr Snowden's YouTube Video was released?

I mean, don't you think it's odd that you can't find a single other source for those statements coming from Snowden? And don't you find it odd that Pegasus is claimed to be a Russian group, when in fact they're Israeli (showing a basic lack of care regarding factual statements that are easily verified or debunked)? I don't think Snowden would make that sort of mistake, and I would think we'd see a lot more articles or videos or whatever about this.

Is Pegasus dangerous? Absolutely. Do I take the claims in the video at face value? Not really, no. And I doubt that Snowden actually said all of those things as one coherent statement (although they might be various statements taken from various different interviews or speeches or whatever).

The whole veracity of the video rests on Snowden's authority, and I suspect the people who made the video are banking on people trusting it because it seems to come from Snowden.

Sincerely,
Chiraag
Re: In case you use OpenPGP on a smartphone ...
Johan Wevers wrote:

> On 11-08-2020 11:39, Stefan Claas wrote:
>
> > Based on my proposal, I would like to see in the future (OpenSource)
> > *hardware* based encryption products, for at least voice comms, which
> > is affordable for the majority of us and easy to use, so that people
> > do not need to use good old email encryption for important things,
> > on a mobile device.
>
> Why hardware? If a bug is found you can't upgrade it easily.

Because hardware can't be tampered with like software.

> On mobile, encrypted messengers are the norm. WhatsApp is the biggest,
> and it uses Signal's encryption algorithm which is excellent.

And you think that continuing with those is a good practice since Mr Snowden's YouTube Video was released?

You may like to read an older brochure of Pegasus and then tell us your thoughts.

https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html

or Google for zero-click attacks/exploits.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion
Re: In case you use OpenPGP on a smartphone ...
On 11-08-2020 11:39, Stefan Claas wrote:

> Based on my proposal, I would like to see in the future (OpenSource)
> *hardware* based encryption products, for at least voice comms, which
> is affordable for the majority of us and easy to use, so that people
> do not need to use good old email encryption for important things,
> on a mobile device.

Why hardware? If a bug is found you can't upgrade it easily.

On mobile, encrypted messengers are the norm. WhatsApp is the biggest, and it uses Signal's encryption algorithm which is excellent.

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
Re: In case you use OpenPGP on a smartphone ...
Mark wrote:

> I was thinking about getting an app called iPGMail for iPhone/iPad to
> use PGP on them. From my very limited experience it looks like it might
> be a good choice as well.

For me it looks like that encryption à la OpenPGP, whether iOS or Android is unfortunately dead, after I have seen Mr Snowden's YouTube Video.

Based on my proposal, I would like to see in the future (OpenSource) *hardware* based encryption products, for at least voice comms, which is affordable for the majority of us and easy to use, so that people do not need to use good old email encryption for important things, on a mobile device.

https://www.securstar.com/en/phonecrypt-voice.html

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion
Re: In case you use OpenPGP on a smartphone ...
Matthias Apitz wrote:

> On Monday, August 10, 2020 at 09:07:51 +0200, Stefan Claas wrote:
>
> > > One can use a Linux mobile phone running UBports.com (as I and all my
> > > family do)
> > > or the upcoming Puri.sm L5 (as I pre-ordered in October 2017).
> >
> > Yes, people gave me already (not from here of course) good advice for other
> > OSs
> > which one can use. The question is how long will those OSs be unaffected
> > ...
>
> The kernel and all apps are OpenSource i.e. people can (and do) read the
> sources. It's impossible to build in backdoors. The attack could come
> through the firmware in the chips (which are not OpenSource). For this
> the Puri.sm L5 (and the laptops they make also) have 3 hardware keys to
> poweroff WiFi, Cellular, Microphone/Cameras (all 3 will turn off GPS).
>
> The authorities can not track you. See:
>
> https://puri.sm/products/librem-5/

Thanks for the information! While it is a nice product, according to their web site, they say they run Gnu/Linux.

Do you think that Gnu/Linux can't be hacked? Or better said, should we all (those who use encryption software often) still use it directly on online devices?

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion
Re: In case you use OpenPGP on a smartphone ...
On Monday, August 10, 2020 at 09:07:51 +0200, Stefan Claas wrote:

> > One can use a Linux mobile phone running UBports.com (as I and all my
> > family do)
> > or the upcoming Puri.sm L5 (as I pre-ordered in October 2017).
>
> Yes, people gave me already (not from here of course) good advice for other
> OSs
> which one can use. The question is how long will those OSs be unaffected ...

The kernel and all apps are OpenSource i.e. people can (and do) read the sources. It's impossible to build in backdoors. The attack could come through the firmware in the chips (which are not OpenSource). For this the Puri.sm L5 (and the laptops they make also) have 3 hardware keys to poweroff WiFi, Cellular, Microphone/Cameras (all 3 will turn off GPS).

The authorities can not track you. See:

https://puri.sm/products/librem-5/

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May, 9: Спаси́бо освободители! Thank you very much, Russian liberators!