Re: In case you use OpenPGP on a smartphone ...

2020-08-12 Thread Felix Winterhalter
That's a good article and I think it makes a lot of sense in the
context. I still think PGP is valid for sending encrypted emails if you
exchange public keys beforehand (as he also states he still uses it in
that manner). The web of trust also never did anything for me sadly.

On 12/08/2020 20:29, Ryan McGinnis via Gnupg-users wrote:
> The reasons to abandon PGP for secure communications have been
> accepted in the security community for years.  Here’s one security
> researcher explaining why (there are many others out there with
> similar sentiments): 
>
> https://arstechnica.com/information-technology/2016/12/op-ed-im-giving-up-on-pgp/
>
> -Ryan McGinnis
> http://www.bigstormpicture.com
> PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
>
>
> Sent from ProtonMail Mobile
>
>
> On Wed, Aug 12, 2020 at 13:07, Felix wrote:
>>
>> I'm not sure that there are solutions orders of magnitude more secure
>> that are available readily.
>>
>> Also people tend to get emails on the go as well that might be
>> encrypted. It's convenient to decrypt emails on a smartphone and not
>> really that insecure if you're using an external device for actual
>> key storage (such as a Yubikey).
>>
>> I don't actually see what's so silly about the whole thing.
>>
>> On 2020-08-12 18:57, Ryan McGinnis via Gnupg-users wrote:
>>> Well yes I realize that it exists, what I'm saying is why would anyone
>>> use it for secure communications on a smartphone when there are
>>> solutions orders of magnitude more secure and simple to use.  It'd be
>>> like buying a helicopter but deciding you'd still fly only 2 feet off
>>> the ground and stick to paved roads. 
>>>
>>>
>>>
>>> On 8/12/20 11:46 AM, Stefan Claas wrote:
>>>> Ryan McGinnis via Gnupg-users wrote:
>>>>
>>>>> I guess the real question is: what are people using PGP for on mobile
>>>>> devices?  If it's for communication, that's silly.  There are at least a
>>>>> half dozen far, far, far better ways to securely communicate on a
>>>>> smartphone.
>>>> Well, it is listed by the OpenPGP experts:
>>>>
>>>> https://www.openpgp.org/software/openkeychain/
>>>>
>>>> Regards
>>>> Stefan
>>>>
>>>> --
>>>> my 'hidden' service gopherhole:
>>>> gopher://iria2xobffovwr6h.onion
>>>
>>> ___
>>> Gnupg-users mailing list
>>> Gnupg-users@gnupg.org
>>> http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: In case you use OpenPGP on a smartphone ...

2020-08-12 Thread Mark
For example, in this message from Ryan, Enigmail says it has a bad
signature. I think that could be an issue too with its adoption.

On 8/12/2020 11:29 AM, Ryan McGinnis via Gnupg-users wrote:
> The reasons to abandon PGP for secure communications have been
> accepted in the security community for years.  Here’s one security
> researcher explaining why (there are many others out there with
> similar sentiments): 
>
> https://arstechnica.com/information-technology/2016/12/op-ed-im-giving-up-on-pgp/
>
> -Ryan McGinnis
> http://www.bigstormpicture.com
> PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
>
>
> Sent from ProtonMail Mobile
>
>
> On Wed, Aug 12, 2020 at 13:07, Felix wrote:
>>
>> I'm not sure that there are solutions orders of magnitude more secure
>> that are available readily.
>>
>> Also people tend to get emails on the go as well that might be
>> encrypted. It's convenient to decrypt emails on a smartphone and not
>> really that insecure if you're using an external device for actual
>> key storage (such as a Yubikey).
>>
>> I don't actually see what's so silly about the whole thing.
>>
>> On 2020-08-12 18:57, Ryan McGinnis via Gnupg-users wrote:
>>> Well yes I realize that it exists, what I'm saying is why would anyone
>>> use it for secure communications on a smartphone when there are
>>> solutions orders of magnitude more secure and simple to use.  It'd be
>>> like buying a helicopter but deciding you'd still fly only 2 feet off
>>> the ground and stick to paved roads. 
>>>
>>>
>>>
>>> On 8/12/20 11:46 AM, Stefan Claas wrote:
>>>> Ryan McGinnis via Gnupg-users wrote:
>>>>
>>>>> I guess the real question is: what are people using PGP for on mobile
>>>>> devices?  If it's for communication, that's silly.  There are at least a
>>>>> half dozen far, far, far better ways to securely communicate on a
>>>>> smartphone.
>>>> Well, it is listed by the OpenPGP experts:
>>>>
>>>> https://www.openpgp.org/software/openkeychain/
>>>>
>>>> Regards
>>>> Stefan
>>>>
>>>> --
>>>> my 'hidden' service gopherhole:
>>>> gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ...

2020-08-12 Thread Stefan Claas
Ryan McGinnis via Gnupg-users wrote:
 
> The reasons to abandon PGP for secure communications have been accepted
> in the security community for years.  Here’s one security researcher
> explaining why (there are many others out there with similar sentiments):
>
> https://arstechnica.com/information-technology/2016/12/op-ed-im-giving-up-on-pgp/

He is working at Google and IIRC responsible for Golang crypto libs. Can
you do me a favor, in case you have a Twitter account? If so, please ask
him what are his thoughts as a Signal user about Pegasus and if a factory
reset and new SIM card would be good enough?

Regards
Stefan

-- 
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion


Re: In case you use OpenPGP on a smartphone ...

2020-08-12 Thread Ryan McGinnis via Gnupg-users
The reasons to abandon PGP for secure communications have been accepted
in the security community for years.  Here’s one security researcher
explaining why (there are many others out there with similar sentiments):

https://arstechnica.com/information-technology/2016/12/op-ed-im-giving-up-on-pgp/

-Ryan McGinnis
http://www.bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

Sent from ProtonMail Mobile

On Wed, Aug 12, 2020 at 13:07, Felix wrote:
> I'm not sure that there are solutions orders of magnitude more secure
> that are available readily.
>
> Also people tend to get emails on the go as well that might be
> encrypted. It's convenient to decrypt emails on a smartphone and not
> really that insecure if you're using an external device for actual
> key storage (such as a Yubikey).
>
> I don't actually see what's so silly about the whole thing.
>
> On 2020-08-12 18:57, Ryan McGinnis via Gnupg-users wrote:
>> Well yes I realize that it exists, what I'm saying is why would anyone
>> use it for secure communications on a smartphone when there are
>> solutions orders of magnitude more secure and simple to use.  It'd be
>> like buying a helicopter but deciding you'd still fly only 2 feet off
>> the ground and stick to paved roads.
>>
>> On 8/12/20 11:46 AM, Stefan Claas wrote:
>>> Ryan McGinnis via Gnupg-users wrote:
>>>
>>>> I guess the real question is: what are people using PGP for on mobile
>>>> devices?  If it's for communication, that's silly.  There are at least a
>>>> half dozen far, far, far better ways to securely communicate on a
>>>> smartphone.
>>> Well, it is listed by the OpenPGP experts:
>>>
>>> https://www.openpgp.org/software/openkeychain/
>>>
>>> Regards
>>> Stefan
>>>
>>> --
>>> my 'hidden' service gopherhole:
>>> gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ...

2020-08-12 Thread Ryan McGinnis via Gnupg-users
Well, more like celebrities (and other types) hire him to keep their
personal lives and information from being easily found.  He also helps
stalking victims disappear.  I believe he’s former FBI. He prefers the
old iPhone SE. At one time you used to be able to buy them anonymously
with cash, which made them pretty hard to trace. I think he prefers a
secure smartphone because he feels one should never use your real phone
number for anything, which means using a VOIP app for all calls and
texts.  For mobile service he goes with Mint mobile.  Which, BTW, you can
buy cheap 2 week “trial” SIM cards from with cash that will work as a
non-VoIP 2FA account verification method.  Meaning you can sign up for
sites and services without disclosing any personally identifying
information whatsoever.

-Ryan McGinnis
http://www.bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

Sent from ProtonMail Mobile

On Wed, Aug 12, 2020 at 11:57, Stefan Claas wrote:
> Ryan McGinnis via Gnupg-users wrote:
>
>> If you don't want to be location tracked on a mobile device you just
>> power it off and put it in a Faraday bag when not in use.
>> https://silent-pocket.com/
>
> Yup, still waiting for my Faraday bags, which I won from the Nym project
> giveaway.
>
>> If you want to deep dive into this sort of thing (it's a really deep
>> lake), give this book a read:
>>
>> https://www.amazon.com/gp/product/B0898YGR58/ref=dbs_a_def_rwt_hsch_vapi_taft_p1_i0
>
> Thanks for the info! According to the Amazon info he teaches celebrities.
>
> I read an article yesterday that a lot of celebrities prefer dumb phones
> over smartphones.
>
> Regards
> Stefan
>
> --
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion

Re: In case you use OpenPGP on a smartphone ...

2020-08-12 Thread Felix
I'm not sure that there are solutions orders of magnitude more secure
that are available readily.

Also people tend to get emails on the go as well that might be
encrypted. It's convenient to decrypt emails on a smartphone and not
really that insecure if you're using an external device for actual
key storage (such as a Yubikey).

I don't actually see what's so silly about the whole thing.

On 2020-08-12 18:57, Ryan McGinnis via Gnupg-users wrote:
> Well yes I realize that it exists, what I'm saying is why would anyone
> use it for secure communications on a smartphone when there are
> solutions orders of magnitude more secure and simple to use.  It'd be
> like buying a helicopter but deciding you'd still fly only 2 feet off
> the ground and stick to paved roads. 
>
>
>
> On 8/12/20 11:46 AM, Stefan Claas wrote:
>> Ryan McGinnis via Gnupg-users wrote:
>>
>>> I guess the real question is: what are people using PGP for on mobile
>>> devices?  If it's for communication, that's silly.  There are at least a
>>> half dozen far, far, far better ways to securely communicate on a
>>> smartphone. 
>> Well, it is listed by the OpenPGP experts:
>>
>> https://www.openpgp.org/software/openkeychain/
>>
>> Regards
>> Stefan
>>
>> --
>> my 'hidden' service gopherhole:
>> gopher://iria2xobffovwr6h.onion
>

Re: In case you use OpenPGP on a smartphone ...

2020-08-12 Thread Stefan Claas
Stefan Claas wrote:
 
> Ryan McGinnis via Gnupg-users wrote:
>  
> > Well yes I realize that it exists, what I'm saying is why would anyone
> > use it for secure communications on a smartphone when there are
> > solutions orders of magnitude more secure and simple to use.  It'd be
> > like buying a helicopter but deciding you'd still fly only 2 feet off
> > the ground and stick to paved roads. 
> 
> Maybe there was a demand from PGP users and the author fulfilled their
> wish or it is maybe hip among the young smartphone generation, who grew
> up with smartphones, to have OpenPGP on a smartphone, because they
> trust only OpenPGP based software. I don't know.

P.S. and it can be used with a smartcard.

Regards
Stefan

-- 
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion



Re: In case you use OpenPGP on a smartphone ...

2020-08-12 Thread Stefan Claas
Ryan McGinnis via Gnupg-users wrote:
 
> If you don't want to be location tracked on a mobile device you just
> power it off and put it in a Faraday bag when not in use. 
> https://silent-pocket.com/

Yup, still waiting for my Faraday bags, which I won from the Nym project
giveaway.

> If you want to deep dive into this sort of thing (it's a really deep
> lake), give this book a read:
>
> https://www.amazon.com/gp/product/B0898YGR58/ref=dbs_a_def_rwt_hsch_vapi_taft_p1_i0

Thanks for the info! According to the Amazon info he teaches celebrities.

I read an article yesterday that a lot of celebrities prefer dumb phones
over smartphones.

Regards
Stefan 

-- 
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion



Re: In case you use OpenPGP on a smartphone ...

2020-08-12 Thread Stefan Claas
Ryan McGinnis via Gnupg-users wrote:
 
> Well yes I realize that it exists, what I'm saying is why would anyone
> use it for secure communications on a smartphone when there are
> solutions orders of magnitude more secure and simple to use.  It'd be
> like buying a helicopter but deciding you'd still fly only 2 feet off
> the ground and stick to paved roads. 

Maybe there was a demand from PGP users and the author fulfilled their
wish or it is maybe hip among the young smartphone generation, who grew
up with smartphones, to have OpenPGP on a smartphone, because they
trust only OpenPGP based software. I don't know.
 
Regards
Stefan
-- 
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion



Re: In case you use OpenPGP on a smartphone ...

2020-08-12 Thread Ryan McGinnis via Gnupg-users
Well yes I realize that it exists, what I'm saying is why would anyone
use it for secure communications on a smartphone when there are
solutions orders of magnitude more secure and simple to use.  It'd be
like buying a helicopter but deciding you'd still fly only 2 feet off
the ground and stick to paved roads. 



On 8/12/20 11:46 AM, Stefan Claas wrote:
> Ryan McGinnis via Gnupg-users wrote:
>
>> I guess the real question is: what are people using PGP for on mobile
>> devices?  If it's for communication, that's silly.  There are at least a
>> half dozen far, far, far better ways to securely communicate on a
>> smartphone. 
> Well, it is listed by the OpenPGP experts:
>
> https://www.openpgp.org/software/openkeychain/
>
> Regards
> Stefan
>
> --
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion

-- 
-Ryan McGinnis
http://bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD





Re: In case you use OpenPGP on a smartphone ...

2020-08-12 Thread Stefan Claas
Ryan McGinnis via Gnupg-users wrote:
 
> I guess the real question is: what are people using PGP for on mobile
> devices?  If it's for communication, that's silly.  There are at least a
> half dozen far, far, far better ways to securely communicate on a
> smartphone. 

Well, it is listed by the OpenPGP experts:

https://www.openpgp.org/software/openkeychain/

Regards
Stefan

-- 
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion



Re: In case you use OpenPGP on a smartphone ...

2020-08-12 Thread Ryan McGinnis via Gnupg-users
I presume the goal of people (who know what they are doing) going
through all these inconvenient steps isn't to build the perfect
impenetrable fortress of security (which doesn't exist) but rather to
make it more difficult or expensive to circumvent from the threat
actor's perspective, hopefully to the point where it's not worth it.  An
iOS 0day used to run over a million buckaroos on the open market (it's
cheaper now, Apple's security has flagged a bit in recent years) so it's
not something Script-Kiddie McHighschoolKid is going to use to try to
get at your filthy nudes.  But I wouldn't run the SCADA control
interface of my highly controversial uranium centrifuge farm on my
iPhone, because spending a million buckaroos is like dropping a penny in
a pond for the kinds of actors who'd be interested in that sort of thing. 

If you're trying to defeat the amorous advances of the NSA and you don't
have the support and training of an entire nation's intelligence agency
behind you, just accept that you've already lost.  Also, don't post
here, anyone the NSA is actively interested in lives a life way too
interesting to be self-owning any kind of OSINT about themselves in
public. 

For the average bloke, owning an iPhone with a strong passcode and using
Signal or Wire to communicate is going to give them some of the best
hardware and communications security money can buy. 
 
On 8/11/20 3:58 PM, Johan Wevers wrote:
> On 11-08-2020 21:49, vedaal via Gnupg-users wrote:
>
>> There is already a simple existing solution.
> Simple is not how I see this.
>
>> [1]  Encrypt and decrypt on a computer that has internet hardware disabled.
>> [2] Use an Orbic Journey V phone that gets and sends *only text*
>> [3] Use a microsd expansion card on the Orbic phone
> The Iranians thought this too. And then someone invents Stuxnet-like
> attack software.
>
> --
> ir. J.C.A. Wevers
> PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
>
>

-- 
-Ryan McGinnis
http://bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD




Re: In case you use OpenPGP on a smartphone ...

2020-08-12 Thread Stefan Claas
Felix wrote:
 
[...]

apologies for not quoting each paragraph from you!

No doubt that a system tool (like Werner says) like GnuPG or any others for
that matter, which are free and OpenSource, are good tools people rely on.

We all know that threats for online devices exist and mostly bugs or security
holes are more or less quickly discovered and fixed.

I believe that users interested in security and privacy always try to strive
for the best solutions available, regardless of their threat model, i.e. what
is good for activists or journalists in oppressed regimes etc. (who received
advice and how-to's from professionals) may also be good for us, when trying
to protect things we are doing online.

My concern however, with the advancement of these powerful tools, is that
this is already a 'Russian roulette' while there is currently, AFAIK, no
defense against them or guarantees that these tools have not been misused
by third parties.

Regards
Stefan

-- 
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion



Re: In case you use OpenPGP on a smartphone ...

2020-08-12 Thread Ryan McGinnis via Gnupg-users
If you don't want to be location tracked on a mobile device you just
power it off and put it in a Faraday bag when not in use. 
https://silent-pocket.com/

If you want to deep dive into this sort of thing (it's a really deep
lake), give this book a read: 

https://www.amazon.com/gp/product/B0898YGR58/ref=dbs_a_def_rwt_hsch_vapi_taft_p1_i0


On 8/11/20 3:32 AM, Stefan Claas wrote:
> Matthias Apitz wrote:
>
>> On Monday, August 10, 2020 at 09:07:51 +0200, Stefan Claas wrote:
>>
>>>> One can use a Linux mobile phone running UBports.com (as I and all my
>>>> family do)
>>>> or the upcoming Puri.sm L5 (as I pre-ordered in October 2017).
>>> Yes, people gave me already (not from here of course) good advice for
>>> other OSs which one can use. The question is how long will those OSs
>>> be unaffected ...
>> The kernel and all apps are OpenSource i.e. people can (and do) read the
>> sources. It's impossible to build in backdoors. The attack could come
>> through the firmware in the chips (which are not OpenSource). For this
>> the Puri.sm L5 (and the laptops they make also) have 3 hardware keys to
>> poweroff WiFi, Cellular, Microphone/Cameras (all 3 will turn off GPS).
>>
>> The authorities cannot track you. See:
>>
>> https://puri.sm/products/librem-5/
> Thanks for the information! While it is a nice product, according to
> their web site, they say they run Gnu/Linux. Do you think that Gnu/Linux
> can't be hacked? Or better said, should we all (those who use encryption
> software often) still use it directly on online devices?
>
> Regards
> Stefan
>
> --
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion
>

-- 
-Ryan McGinnis
http://bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD




Re: In case you use OpenPGP on a smartphone ...

2020-08-12 Thread Ryan McGinnis via Gnupg-users
I guess the real question is: what are people using PGP for on mobile
devices?  If it's for communication, that's silly.  There are at least a
half dozen far, far, far better ways to securely communicate on a
smartphone. 

Also -- unless you are steeped in the security industry and run a
hardened OS, your laptop is likely as vulnerable if not more vulnerable
to the kinds of state level actors deploying this kind of mobile
malware.  The best mobile devices are far less vulnerable than typically
configured PCs.  An iPad is likely orders of magnitude more secure than
using a laptop with a typical consumer OS (Windows, Ubuntu, etc).  Both
can be compromised but the iPad, if kept up to date, is going to be a
much more expensive target. 

The people of the world with Snowden-level paranoia (at least the ones
not tied to some nation's security service) are using air-gapped
internet-virgin hardware to communicate.  For everyone else, a locked
down (location services off, iCloud account off, always-on VPN, kept in
faraday bag when not in use) iPhone/iPad is as close as they're going to
get to real privacy/security. 

On 8/10/20 10:49 AM, Stefan Claas wrote:
> Michał Górny wrote:
>
> [...]
>
>> Why use PGP on your phone if you carry a whole laptop with you anyway?
> Good question. There is software for Android available called OpenKeyChain,
> which as understood is the defacto standard for Android smartphone users,
> in combination with a MUA for Android.
>
> The question IMHO now is what should mobile device users do now? I showed
> a solution, assuming those users have an offline laptop too, which then
> would allow them to comfortably and securely create their messages.
>
> Not all people can purchase now a new smartphone with a more secure OpenSource
> OS and new SIM, I assume.
>
> I also do not know if it is common if people use an (compromised?) online
> laptop, as a smartphone, when on the road.
>
> Regards
> Stefan
>
> --
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion
>

-- 
-Ryan McGinnis
http://bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD




Re: In case you use OpenPGP on a smartphone ...

2020-08-12 Thread Felix
Just adding my 2 cents to this discussion.

I think it doesn't matter what sort of spyware potentially exists
somewhere out there for some phone, what matters is whether it is on
your phone.

This isn't really about the security of OpenPGP either but about a
fundamental trust in the things we use both hardware and software.

I can recommend this video from 36C3 that talks about hardware security
(spoilers: it's absolutely non-trivial and nigh impossible to verify):

https://www.youtube.com/watch?v=Hzb37RyagCQ

It's also about threat models that you as the user of software (that you
trust does its job correctly) are trying to protect against.

If an attacker having root access to your device is part of a threat you
want to defend against your only choice is to use a (hopefully) known
good device that performs the encryption/decryption for you.

If you are only interested in end to end encryption where the message
might be intercepted in transit or verification of signatures then
OpenPGP does its job pretty damn well still.

There is not a single encryption algorithm that can't be defeated by
simply having full access to the device it is running on.

Now we can talk about mitigations that exist for the threat model where
the device you are using to read/send messages is compromised and I
think the recommendations in this thread are pretty sound.

I personally have been using OpenKeychain and a Yubikey via NFC. That
means that while any message that I have decrypted might be compromised
the keys used to decrypt are still secure (under the assumption that
Yubikeys are as secure as advertised, see the video above).

For me this is secure enough. For you it might not be.

I think that in general users of software should be aware that the
environment their software is running in is a threat vector, if you do
not trust it or you only trust it so far then only keep information you
can afford to get compromised in it.

If you are a person under close government watch, live in an
authoritarian regime or are a dissident I would of course recommend to
use an airgapped device.

If you are working for a company with important trade secrets you
hopefully don't have access to those on your phone anyway.

If you are a normal person not defending against any sort of advanced
persistent threat I think a smartphone still offers decent (enough)
security in day to day use for non-sensitive information.

And then there is of course still:

https://xkcd.com/538/

In the end it all comes down to: How much effort is the attacker going
to spend on you?

That determines how much effort you need to spend to protect yourself
against them.








Re: In case you use OpenPGP on a smartphone ...

2020-08-12 Thread Stefan Claas
Andrew Gallagher wrote:
 
> On 11/08/2020 19:57, Stefan Claas wrote:
> > So, to sum it up (I know you prefer Tails) would you agree that
> > sooner or later the community should develop strategies, in form of a
> > best practice FAQ (cross-platform), to no longer use encryption
> > software on online devices and work out strategies to use offline
> > devices and how to handle this data securely over to an online
> > device, until proper and affordable hardware encryption devices for
> > online usage are available?
> 
> The problem with best practices is that they are context-dependent. Any
> FAQ that steps outside the purely technical domain into operational
> security will be misleading at best, and outright dangerous at worst. I
> am a Tails user, but I only use it for specific things - I don't boot it
> up for my everyday work (that would be insane, given my job). But my
> threat model is very different to that of others, so I would never
> presume to tell them that my best practice should be theirs.
> 
> Hardware encryption devices are already plentiful. The problem is that
> secure hardware comes at a huge cost in flexibility, meaning that only a
> small part of our computing landscape will ever be "secure hardware".
> That's why we have Yubikeys, smartcards, HSMs, Nitrokeys, etc. A small,
> limited-functionality device is much more likely to be secure because it
> is much easier to audit. Anything with the breadth of functionality of a
> general-purpose computer will never be fully trustworthy. Your CPU is an
> entire GP computer, buried in another computer. Same with your SSD
> drive. A USB-C *cable* now has more computing power than the Apollo moon
> mission. It's software all the way down.

Thank you very much for your reply, much appreciated!

> No, you should not stop using encryption software on online devices.
> That would be insane. We should be adding more encryption at multiple
> levels, so that compromise of one layer of encryption does not mean a
> compromise of the entire system. Defence in depth is the only long-term
> sustainable strategy.

While I personally stopped using online encryption long ago, after my
Linux system was hacked, I would like to mention (in case people do not
know) that YubiKeys and Nitrokeys also allow login protection via 2FA and
that sudo usage then also requires a tap on the YubiKey, besides password
usage. Not sure if it is the same procedure with a Nitrokey.

Regards
Stefan

-- 
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

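Stefan's remark above that sudo can be made to require a tap on the YubiKey is what the pam_u2f PAM module provides on Linux. The following is an added illustration, not part of Stefan's post or of any GnuPG project documentation; it assumes the pam-u2f package is installed, a FIDO-capable YubiKey or Nitrokey, a Debian-style /etc/pam.d/sudo, and a root-owned mapping file at /etc/u2f_mappings (the user name alice and the key material are placeholders).

```text
# /etc/pam.d/sudo  (added line goes before the distribution's @include common-auth)
#
# 'required'  : the key touch is mandatory in addition to the password
# 'cue'       : print a prompt asking the user to touch the key
# 'authfile'  : root-owned mapping, so a user cannot enrol a key of their own
#               choosing by editing ~/.config/Yubico/u2f_keys
auth  required  pam_u2f.so  authfile=/etc/u2f_mappings cue

# /etc/u2f_mappings  (one line per user, produced by running
#   pamu2fcfg -u alice
# as that user with the key inserted; mode 0644, owned by root)
#
# Format: <user>:<key handle>,<public key>,<algorithm>,<flags>
alice:KEYHANDLE_PLACEHOLDER,PUBKEY_PLACEHOLDER,es256,+presence
```

Keep a separate root shell open while testing the rule, because a typo in either file locks every user out of sudo. During a rollout the `nouserok` option on the pam_u2f line lets users who have no registered key fall back to password-only authentication until they have enrolled one.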


Re: In case you use OpenPGP on a smartphone ...

2020-08-12 Thread Andrew Gallagher
On 11/08/2020 19:57, Stefan Claas wrote:
> So, to sum it up (I know you prefer Tails) would you agree that
> sooner or later the community should develop strategies, in form of a
> best practice FAQ (cross-platform), to no longer use encryption
> software on online devices and work out strategies to use offline
> devices and how to handle this data securely over to an online
> device, until proper and affordable hardware encryption devices for
> online usage are available?

The problem with best practices is that they are context-dependent. Any
FAQ that steps outside the purely technical domain into operational
security will be misleading at best, and outright dangerous at worst. I
am a Tails user, but I only use it for specific things - I don't boot it
up for my everyday work (that would be insane, given my job). But my
threat model is very different to that of others, so I would never
presume to tell them that my best practice should be theirs.

Hardware encryption devices are already plentiful. The problem is that
secure hardware comes at a huge cost in flexibility, meaning that only a
small part of our computing landscape will ever be "secure hardware".
That's why we have Yubikeys, smartcards, HSMs, Nitrokeys, etc. A small,
limited-functionality device is much more likely to be secure because it
is much easier to audit. Anything with the breadth of functionality of a
general-purpose computer will never be fully trustworthy. Your CPU is an
entire GP computer, buried in another computer. Same with your SSD
drive. A USB-C *cable* now has more computing power than the Apollo moon
mission. It's software all the way down.

No, you should not stop using encryption software on online devices.
That would be insane. We should be adding more encryption at multiple
levels, so that compromise of one layer of encryption does not mean a
compromise of the entire system. Defence in depth is the only long-term
sustainable strategy.

-- 
Andrew Gallagher


