Engaging Newbies In Email Encryption and Network Privacy

"All six parts of my series introducing beginners to PGP encryption and network privacy are now freely available. I hope it's useful for Slashdot readers to share with their less-technical acquaintances. There's an introduction to PGP, a guide to email encryption on the desktop, smartphone and in the browser, an introduction to the emerging key sharing and authentication startup, Keybase.io, and an intro to VPNs. There's a lot more work for us to do in the ease of use of communications privacy but this helps people get started more with what's available today." -- source: http://it.slashdot.org/story/15/08/20/2041235 Cheers, Peter -- Peter Reutemann Dept. of Computer Science University of Waikato, NZ +64 (7) 858-5174 http://www.cms.waikato.ac.nz/~fracpete/ http://www.data-mining.co.nz/

On 2015-08-21 11:34, Peter Reutemann wrote:
"All six parts of my series introducing beginners to PGP encryption and network privacy are now freely available. I hope it's useful for
While I've always been keen to see this kind of thing working, it only requires one person to reply (quoting all the previous correspondence) in an unencrypted message to defeat all the effort to encrypt the original messages. With all the business now done by email, it still amazes me that we rely on what are essentially postcards to transact commercially interesting/sensitive information.
Thanks for the link.
Cheers
Chris

On Sat, 22 Aug 2015 10:57:32 +1200, Chris O'Halloran wrote:
With all the business now done by email, it still amazes me that we rely on what are essentially postcards to transact commercially interesting/sensitive information.
So the transport is insecure. The whole Internet is insecure, anyway. The security (along with the smarts) is implemented at the endpoints, not in the network itself.
... it only requires one person to reply (quoting all the previous correspondence) in an unencrypted message to defeat all the effort to encrypt the original messages.
True. Perhaps the right approach is to build the ability into the e-mail app to mark an entire thread as confidential, so replies to it are automatically encrypted. Encryption seems hard to understand... <https://www.google.com/search?q=why+johnny+can't+encrypt>

On 2015-08-22 14:45, Lawrence D'Oliveiro wrote:
True. Perhaps the right approach is to build the ability into the e-mail app to mark an entire thread as confidential, so replies to it are automatically encrypted.
What you've described would be excellent. It just surprises me that tools like Outlook do not already do this. And the third party tools that try (I've tried using them) are still a bit clunky and not up with the latest versions. It almost seems like the agenda is 'don't implement PGP in Outlook, we don't want to upset our friends who gather a lot of business intelligence by keeping email unencrypted'

Heh Chris' conspiracy theory is hard to refute. After THIS LONG, email *should* be secure. It's even WORSE than postcards, because postcards don't automatically replicate the entire contents of the conversation on each subsequent reply.
I remember being absolutely astounded when I received a GPG-signed email in Outlook 2013, and it had a little badge on the far-right. I've never seen it again, even with other GPG-signed emails. *shrug*
Anyway - https://Keybase.io -- I have a small number of invitations for this! If you want one, let me know and you'll go into the ballot ;-)
Eric
--------------------------------------------
Q: Why is this email five sentences or less? A: http://five.sentenc.es
On Sat, Aug 22, 2015 at 4:38 PM, Chris O'Halloran <mailinglist(a)blahdeblah.co.nz> wrote:
On 2015-08-22 14:45, Lawrence D'Oliveiro wrote:
True. Perhaps the right approach is to build the ability into the e-mail app to mark an entire thread as confidential, so replies to it are automatically encrypted.
What you've described would be excellent.
It just surprises me that tools like Outlook do not already do this. And the third party tools that try (I've tried using them) are still a bit clunky and not up with the latest versions.
It almost seems like the agenda is 'don't implement PGP in Outlook, we don't want to upset our friends who gather a lot of business intelligence by keeping email unencrypted'
_______________________________________________ wlug mailing list | wlug(a)list.waikato.ac.nz Unsubscribe: http://list.waikato.ac.nz/mailman/listinfo/wlug

What is the point of keeping e-mail private by e.g. encrypting their content? If you want to go onto the list of persons to be watched, write a few mails that contain words like "bomb", "Beehive", etc. Be sure that existing surveillance programs will catch it and bring you to the attention of one of the observers employed by the organization running the surveillance. So you go on the list and are marked "Subversive, to be watched". And if I then send a picture of a Queen Bee, what other reaction can you expect than "Assassination Plans" and a general alert? Catch it? Unfortunately for these security types, I did learn the one or other bit about thermodynamics and concepts like "Closed System" and "Second Law". Closed System is like a room with doors. If one is locked, try the next one, and if that is locked too, try the next next one. Replace "door" with "encryption" and you get the link. But don't forget that rooms also have windows, air conditioning ducts, etc., all of which can be used to get into the room, by person or by proxy (listening device). Meta-data come to mind here, data about you and me that are needed to get that mail from one place to the other and thus need to be clear text. Peter has sent us enough mails on that topic to make clear even to me how transparent we all are there, e.g. "[wlug] 81% of Tor Users Can Be De-anonymized By Analysing Router Information", sent 15 Nov 2014. "Second Law" encompasses all the methods available to me to downgrade my presence on the watch list and thus make the list inconsequential. General Alerts are great to have, but 100 false alerts? Entropy is not just about heat, it is also about information. Peter has done enough work on data mining (i.e. catching the few fish (=useful information) in a huge lake of muddy and unpalatable water), so what about doing something that allows those fish to escape his nets? Steganography is one way this may be done. Planting doubt in the mind of the observer is another. 
Read this mail a second time, and see how I set out to make myself a terrorist suspect at the start, and then ask yourself, after you have read all of it: "Is he ISIL material? Or is he just a modern version of Diogenes?" (a Greek cynic, cynic meaning "dogs that bark don't bite?"
Wolfgang
On 22/08/15 16:38, Chris O'Halloran wrote:
On 2015-08-22 14:45, Lawrence D'Oliveiro wrote:
True. Perhaps the right approach is to build the ability into the e-mail app to mark an entire thread as confidential, so replies to it are automatically encrypted.
What you've described would be excellent.
It just surprises me that tools like Outlook do not already do this. And the third party tools that try (I've tried using them) are still a bit clunky and not up with the latest versions.
It almost seems like the agenda is 'don't implement PGP in Outlook, we don't want to upset our friends who gather a lot of business intelligence by keeping email unencrypted'

Wolfgang - I'm not sure I follow. Are you saying "everything else is broken so why worry about this one more broken thing"?
Eric
--------------------------------------------
Q: Why is this email five sentences or less? A: http://five.sentenc.es
On Mon, Aug 24, 2015 at 10:09 AM, Wolfgang <wv99999(a)gmail.com> wrote:
What is the point of keeping e-mail private by e.g. encrypting their content?
If you want to go onto the list of persons to be watched, write a few mails that contain words like "bomb", "Beehive", etc. Be sure that existing surveillance programs will catch it and bring you to the attention of one of the observers employed by the organization running the surveillance. So you go on the list and are marked "Subversive, to be watched". And if I then send a picture of a Queen Bee, what other reaction can you expect than "Assassination Plans" and a general alert? Catch it? Unfortunately for these security types, I did learn the one or other bit about thermodynamics and concepts like "Closed System" and "Second Law". Closed System is like a room with doors. If one is locked, try the next one, and if that is locked too, try the next next one. Replace "door" with "encryption" and you get the link. But don't forget that rooms also have windows, air conditioning ducts, etc., all of which can be used to get into the room, by person or by proxy (listening device). Meta-data come to mind here, data about you and me that are needed to get that mail from one place to the other and thus need to be clear text. Peter has sent us enough mails on that topic to make clear even to me how transparent we all are there, e.g. "[wlug] 81% of Tor Users Can Be De-anonymized By Analysing Router Information", sent 15 Nov 2014. "Second Law" encompasses all the methods available to me to downgrade my presence on the watch list and thus make the list inconsequential. General Alerts are great to have, but 100 false alerts? Entropy is not just about heat, it is also about information. Peter has done enough work on data mining (i.e. catching the few fish (=useful information) in a huge lake of muddy and unpalatable water), so what about doing something that allows those fish to escape his nets? Steganography is one way this may be done. Planting doubt in the mind of the observer is another. 
Read this mail a second time, and see how I set out to make myself a terrorist suspect at the start, and then ask yourself, after you have read all of it: "Is he ISIL material? Or is he just a modern version of Diogenes?" (a Greek cynic, cynic meaning "dogs that bark don't bite?"
Wolfgang
On 22/08/15 16:38, Chris O'Halloran wrote:
On 2015-08-22 14:45, Lawrence D'Oliveiro wrote:
True. Perhaps the right approach is to build the ability into the e-mail app to mark an entire thread as confidential, so replies to it are automatically encrypted.
What you've described would be excellent.
It just surprises me that tools like Outlook do not already do this. And the third party tools that try (I've tried using them) are still a bit clunky and not up with the latest versions.
It almost seems like the agenda is 'don't implement PGP in Outlook, we don't want to upset our friends who gather a lot of business intelligence by keeping email unencrypted'

Quite the opposite, Eric. The point I am trying to make is "Why barricade one door if there is another one into the same room that is wide open, and there are no means to lock it"?
In a wider context, if Peter invites me to do so, I would be willing to present a talk at the monthly meeting about this, a talk that would start with "Words are spoken one after another" or something to this effect, exploring the consequences of how we acquire and use a language, and how we use it to lie to ourselves and others, without ever deviating a single iota from the truth.
Wolfgang
On 24/08/15 10:16, Eric Light wrote:
Wolfgang - I'm not sure I follow. Are you saying "everything else is broken so why worry about this one more broken thing"?
Eric
-------------------------------------------- Q: Why is this email five sentences or less? A: http://five.sentenc.es

On 2015-08-24 10:09, Wolfgang wrote:
What is the point of keeping e-mail private by e.g. encrypting their content?
So that a privileged person or company (one with access to in transit emails or an email server (such as Google)) does not sell information gleaned from the writings of others - be that pricing for competitive tenders or technical discussions that are the beginnings of new ideas or trends. Or to use personal information that might 'persuade' them to take a course of action under threat of revelation.

This was not on my mind, as this is a rather minor consequence of the openness of e-mails. What I had in mind you may find by googling e.g. "use of metadata nsa" which returns links like http://www.huffingtonpost.com/news/nsa-metadata/ If you read a few of the articles listed there, you get a better idea of why I wrote "What is the point . . ." Take for example http://www.huffingtonpost.com/peter-van-buren/using-metadata-to-catch-a_b_50... and understand how your privacy is compromised by metadata. Or read https://firstlook.org/theintercept/2014/02/10/the-nsas-secret-role/ how metadata can be used to send you a package you did not order.
E-mail addresses used to be collected and sold by many companies as the starting point for electronic advertising. Today, this spam is filtered away by your Service Provider. Does that mean we get fewer advertisements?
I value my privacy. How can I enforce it if my choice of electronic traffic gives me away anyway? Why then encrypt? If you have sensitive data to transmit, put them on paper (encrypted, if you like) and snail-mail them. That way, you know there are no metadata to reveal you.
Wolfgang
On 24/08/15 13:03, Chris O'Halloran wrote:
On 2015-08-24 10:09, Wolfgang wrote:
What is the point of keeping e-mail private by e.g. encrypting their content?
So that a privileged person or company (one with access to in transit emails or an email server (such as Google)) does not sell information gleaned from the writings of others - be that pricing for competitive tenders or technical discussions that are the beginnings of new ideas or trends. Or to use personal information that might 'persuade' them to take a course of action under threat of revelation.

On Mon, 24 Aug 2015 10:09:15 +1200, Wolfgang wrote:
What is the point of keeping e-mail private by e.g. encrypting their content?
In addition to what Chris said, there is also the point that, if encryption becomes commonplace, then you can no longer be singled out for special attention just because you use encryption.

+10,000
Eric
--------------------------------------------
Q: Why is this email five sentences or less? A: http://five.sentenc.es
On Mon, Aug 24, 2015 at 1:51 PM, Lawrence D'Oliveiro <ldo(a)geek-central.gen.nz> wrote:
On Mon, 24 Aug 2015 10:09:15 +1200, Wolfgang wrote:
What is the point of keeping e-mail private by e.g. encrypting their content?
In addition to what Chris said, there is also the point that, if encryption becomes commonplace, then you can no longer be singled out for special attention just because you use encryption.
participants (5): Chris O'Halloran, Eric Light, Lawrence D'Oliveiro, Peter Reutemann, Wolfgang