Re: [tor-talk] PGP fiddly-diddly - action required

2018-05-15 Thread Sangy
I feel you, Druida.

Sadly, the EFF is now full of ws and Silicon Valley technocrats
that can't see beyond California. I find it chuckle-worthy that every
single one of the authors pleading for moving past pgp only list their
pgp keys in the staff pages[1][2][3]*. On the signal side, it only takes
less access than the EFail attack and an IMSI catcher for the govt to
whack you, physically.

Stay safe.
-S

* And all encoded differently, oh my! Imagine, they still think that gpg
  defaults to SHA1 for signing. 

[1] https://www.eff.org/about/staff/william-budington
[2] https://www.eff.org/about/staff/david-grant
[3] https://www.eff.org/about/staff/soraya-okuda

On Tue, May 15, 2018 at 08:37:19PM -0400, panoramix.druida wrote:
> ‐‐‐ Original Message ‐‐‐
> 
> On May 15, 2018 3:01 AM, I wrote:
> 
> > https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
> 
> I respect the EFF for all of its work, but I don't understand this one. So if 
> I have PGP to protect my email, their solution is to stop using PGP because 
> someone could read my encrypted mails. So now everyone would be able to read 
> all of my emails. Wouldn't it be better to ask people to disable HTML in email 
> and to upgrade their email clients to stay protected?
> 
> I know PGP is not perfect, but it is the best we have for email. I know email 
> is not perfect, but it is more or less decentralized. Why should we stop using 
> email in favor of something such as Signal (the recommendation from the EFF 
> article) that is centralized, and we should trust that the guys running the 
> server are good guys? I understand that Signal has great security features 
> like forward secrecy that PGP doesn't. I know it is open source, but you are 
> forbidden to install it from free repositories such as F-Droid.
> 
> Also, you cannot use Signal if you don't have a phone number. How great is 
> that for anonymity? In the country where I am living you cannot activate a 
> mobile phone number without your national ID. 
> 
> I am writing this email from Protonmail, which I only connect to from Tor. I 
> don't really trust Protonmail, but I can be anonymous to them thanks to Tor. 
> 
> Is Signal the replacement for email? I do like the way the Signal protocol 
> negotiates the keys offline and that each message is encrypted with a 
> different key. That idea of encryption for asynchronous communication can 
> actually be a good replacement for email, but in a distributed network.
> -- 
> tor-talk mailing list - tor-talk@lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] PGP fiddly-diddly - action required

2018-05-15 Thread panoramix.druida
‐‐‐ Original Message ‐‐‐

On May 15, 2018 3:01 AM, I wrote:

> https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now

I respect the EFF for all of its work, but I don't understand this one. So if I 
have PGP to protect my email, their solution is to stop using PGP because 
someone could read my encrypted mails. So now everyone would be able to read 
all of my emails. Wouldn't it be better to ask people to disable HTML in email 
and to upgrade their email clients to stay protected?

I know PGP is not perfect, but it is the best we have for email. I know email 
is not perfect, but it is more or less decentralized. Why should we stop using 
email in favor of something such as Signal (the recommendation from the EFF 
article) that is centralized, and we should trust that the guys running the 
server are good guys? I understand that Signal has great security features like 
forward secrecy that PGP doesn't. I know it is open source, but you are 
forbidden to install it from free repositories such as F-Droid.

Also, you cannot use Signal if you don't have a phone number. How great is that 
for anonymity? In the country where I am living you cannot activate a mobile 
phone number without your national ID. 

I am writing this email from Protonmail, which I only connect to from Tor. I 
don't really trust Protonmail, but I can be anonymous to them thanks to Tor. 

Is Signal the replacement for email? I do like the way the Signal protocol 
negotiates the keys offline and that each message is encrypted with a different 
key. That idea of encryption for asynchronous communication can actually be a 
good replacement for email, but in a distributed network.


Re: [tor-talk] Anonymity and Voip

2018-05-15 Thread panoramix.druida
For the record, I did some tests with Mumble and it works great. The tests were 
made from Linux and with Plumble + Orbot on Android.

I can connect to the onion service when I start Mumble with torify, but when I 
try to configure a SOCKS proxy it doesn't work:
hostname: 127.0.0.1
port: 9050
TCP only

I did try OnionCat with Linphone, with no success yet, but it is more a 
configuration issue in Linphone than anything else. I need to configure it to 
use the IPv6 address of the tunnel that OnionCat creates and not the one of the 
physical interface. 

Thanks a lot!!!


Re: [tor-talk] tor-talk Digest, Vol 88, Issue 13

2018-05-15 Thread Me
> Message: 1
> Date: Mon, 14 May 2018 19:01:32 -0800
> From: I 
> To: tor-talk@lists.torproject.org
> Subject: [tor-talk] PGP fiddly-diddly - action required
> Message-ID: <9cd1ba536d3.0641beatthebasta...@inbox.com>
> Content-Type: text/plain; charset=US-ASCII
> 
> https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
> 

This is terribly misrepresented in the press.

There is no problem with the encryption!

The issue is that mail clients are insecurely designed or insecurely configured 
by users to accept HTML commands to send out clear text content after 
decryption. This falls into the more general category of, "Stop being stupid!"

Set your mail client to TEXT ONLY and stop automatically processing someone 
else's commands on your machine.

If you absolutely can't live without colored fonts and pretty layouts in your 
email, at least limit the HTML processing to local content only, in Thunderbird 
this is called, "Simple HTML."

Full HTML processing (Thunderbird "Original HTML") will reach out to the 
Internet and do things you may not like, ranging from confirming you opened the 
email, exposing your direct IP address, to sending back your now un-encrypted 
full content.

Many email clients even support running JavaScript or other embedded code. If 
you enable these features, you may also wish to roll yourself in butter and 
seasoned breadcrumbs.

Again, PGP/GPG is just fine, stop doing foolish things.
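
An added illustration of the "local content only" rule from the message above, not part of the thread and not code from any mail client: a Python check that lists the references in an HTML body which a renderer would fetch from the network on display. The attribute list, the function names and the sample body are assumptions made for this example, and the attribute list is not exhaustive.

```python
import re
from html.parser import HTMLParser

# Attributes a renderer may fetch on display, with no click from the reader.
FETCH_ATTRS = {"src", "srcset", "background", "poster", "data", "action"}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)
SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):", re.I)
LOCAL_SCHEMES = {"cid", "mid", "data"}  # content carried inside the message

def is_remote(url):
    url = url.strip()
    if url.startswith("//"):  # scheme-relative URL, still a network fetch
        return True
    m = SCHEME.match(url)
    return bool(m) and m.group(1).lower() not in LOCAL_SCHEMES

class RemoteRefFinder(HTMLParser):
    """Collects (tag, attribute, url) for every auto-loaded remote reference."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def _record(self, tag, attr, urls):
        self.hits += [(tag, attr, u) for u in urls if is_remote(u)]

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            value = value or ""
            if name == "srcset":
                urls = [p.split()[0] for p in value.split(",") if p.strip()]
            elif name in FETCH_ATTRS or (name == "href" and tag == "link"):
                urls = [value]
            elif name == "style":  # inline CSS; <style> blocks are not covered
                urls = CSS_URL.findall(value)
            else:
                continue
            self._record(tag, name, urls)

def remote_references(html_body):
    finder = RemoteRefFinder()
    finder.feed(html_body)
    finder.close()
    return finder.hits

# Constructed sample body (hypothetical hosts under the reserved .example TLD).
SAMPLE = ('<p>Numbers attached.</p><img src="cid:chart1@local">'
          '<img src="https://tracker.example/open.gif?id=42">'
          '<div style="background:url(\'http://cdn.example/bg.png\')">hi</div>'
          '<link rel="stylesheet" href="//static.example/a.css">'
          '<a href="https://example.org/report">report</a>')
```

An empty result from `remote_references` means the body only uses content carried in the message itself; ordinary `<a href>` links are deliberately not reported because they need a click.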


[tor-talk] GNOME Is Removing the Ability to Launch Apps from Nautilus

2018-05-15 Thread Nathaniel Suchy (Lunorian)
According to recent commits the desktop environment GNOME is removing the
ability to launch apps from Nautilus. This will likely affect all Tor
Browser users on Ubuntu in the name of "security". What steps will /
should be taken from now till the time the update is released to protect
Tor Browser users from losing access?

Cheers,
Nathaniel


