Apologies if this is dumb or an FAQ or both, but is anyone in here using PGP/GPG in conjunction with Mystic somehow? If so, how are you doing it? I used PGP on FidoNet back in the day, when that was still an edgy thing to do. Especially for some of the people I talked to in places where crypto was still illegal!
Apologies if this is dumb or an FAQ or both, but is anyone in here using PGP/GPG in conjunction with Mystic somehow? If so, how are you doing it?
I used PGP on FidoNet back in the day, when that was still an edgy thing to do. Especially for some of the people I talked to in places where crypto was still illegal!
Apologies if this is dumb or an FAQ or both, but is anyone in here using PGP/GPG in conjunction with Mystic somehow? If so, how are you doing it?
I used PGP on FidoNet back in the day, when that was still an edgy thing to do. Especially for some of the people I talked to in places where crypto was still illegal!
On 11-05-18 22:19, Avon wrote to Lizard King <=-
I'm hoping to test some ideas out soon in this space... the appeal is there for me too :)
I am inclined to think that reason why it is not more ubiquitous is because people don't know how it works and don't bother. I think as well with the hard soloing of "the internet" to merely being Google/Youtube/Facebook for most, those parties are not interested.
One of my requirements is transparency of use. Back in the 90s, I used
to have an add-on that worked with Bluewave, which allowed me to encrypt and decrypt PGP encrypted messages. Worked really well. Today, I have
On 11-05-18 07:19, pixelheresy wrote to Vk3jed <=-
@TZ: 412c
Now a days (beyond what may be available in Mystic... I admittedly
never made the jump to actually running a board), PGP/GPG encryption in readily available in most computing if you look.
PGP or GPG tools are available on the OS level for everything and
frankly the standard GPG for Mac/Linux on the command-line is quite
easy to use once you get the hang of it. As such, any arbitrary text,
Beyond that, there are plenty of online mail services that have free-to-cheap mail services with PGP/GPG enabled. I am in the process
of migrating to Protonmail and had no problem setting up better keys in<--> GPG). Haven't played with it much, but could be a nice way to do
it than "factory default" (4k hashes rather than 2k hashes). This comes with the security of having two-factor for webmail and a secure mobile client (also, being able to send expiring elliptical cypher messages to any email, even if you don't have or *they* don't have a public key is kind of fun). Also on iOS I recently got PGP Encrypt, which is a
keyboard extension, key manager, and arbitrary encryption tool (text
quick and dirty in cases where you want to "on-off"
a sensitive text message or encrypt the content on a web form...
I remember back in the day, I used to see a lot of people putting keys
or links to them in sigs, etc. but now it seems like either email is
seen irreverent or people seem secure with Google handling
everything... No idea.
On 11-05-18 08:47, Lizard King wrote to Vk3jed <=-
Having a way to communicate via strong crypto can only be a good thing.
I've heard rumblings about it being controlled/outlawed again in some places, and I hope that is alarmist nonsense, but the one thing that's guaranteed to get me using it is to tell me I shouldn't.
Beyond that, there are plenty of online mail services that have free-to-cheap mail services with PGP/GPG enabled. I am in the process
If you're talking about webmail, forget it. Another non starter for me. Poor performance and navigation plagues a lot of web based services, and as mail is a fairly high volume one for me, that's a big issue.
Given the dependency of commerce and banking on strong cryptography
these days, I think that particular genie is out of the bottle. The
more cryptography can be embedded into everyday life, the harder it will be to outlaw.
The other thing is that unless I'm missing something, you are trusting
the remote party to keep your private key secured, and the emails are being decrypted on their server so you can view them (right?) So basically you don't know if your email is secure or not, you're taking their word for it.
The other thing is that unless I'm missing something, you are trusting
the remote party to keep your private key secured, and the emails are being decrypted on their server so you can view them (right?) So
On 11-05-18 15:45, Lizard King wrote to Vk3jed <=-
The other thing is that unless I'm missing something, you are trusting
the remote party to keep your private key secured, and the emails are being decrypted on their server so you can view them (right?) So basically you don't know if your email is secure or not, you're taking their word for it.
That said, I would probably trust the people who run Protonmail more
than I trust Google with my data... but that ain't saying much.
On 11-05-18 15:50, Lizard King wrote to Vk3jed <=-
I very much hope you are right, but I am still hearing various
government agencies griping about the fact that terrorists can encrypt their email and there's no way for anyone to read it. That is true, as
far as it goes, but to my knowledge terrorists aren't using strong
crypto. Last I heard they were logging into gmail, writing emails, quitting out before sending, and then a second person would go in and
view the saved draft. No email sent.
But when the government can take away our rights and claim to be doing
it for our own protection, the temptation always seems to be too much
for them to stand. I have a feeling that somewhere down the line we'll hear people arguing that crypto is fine for banking and stuff like
that, but only terrorists would want to encrypt their personal correspondence.
Let me put it another way: 20 years ago, would you have believed that you'd have to risk being groped by a government employee to get on an airplane? Somehow we accept this as normal.
On 11-05-18 20:04, StackFault wrote to Lizard King <=-
I use GnuPG quite extensively and it works pretty well, you can arrange your workflow quite easily. The biggest challenge is to find someone
who also understand how to use it.
One of my requirements is transparency of use. Back in the 90s, I used
to have an add-on that worked with Bluewave, which allowed me to encrypt and decrypt PGP encrypted messages. Worked really well. Today, I have
Having a way to communicate via strong crypto can only be a good thing.
I very much hope you are right, but I am still hearing various government agencies griping about the fact that terrorists can encrypt their email and there's no way for anyone to read it. That is true, as far as it goes, but to my knowledge terrorists aren't using strong crypto. Last I
heard they were logging into gmail, writing emails, quitting out before sending, and then a second person would go in and view the saved draft. No email sent.
for them to stand. I have a feeling that somewhere down the line we'll hear people arguing that crypto is fine for banking and stuff like that, but only terrorists would want to encrypt their personal correspondence.
Let me put it another way: 20 years ago, would you have believed that you'd have to risk being groped by a government employee to get on an airplane? Somehow we accept this as normal.
I'm very sensitive to workflow disruptions, especially anything that is tedious/fiddly (regardless of how simple).
I use GnuPG quite extensively and it works pretty well, you can arrange your workflow quite easily. The biggest challenge is to find someone who also understand how to use it.
Very much the same here. I deal with tedious and fiddly all day long,
for money. I don't want to do it in my spare time. I want things that just magically work. I'm willing to put up with a certain amount of
On 11-07-18 21:19, Avon wrote to Vk3jed <=-
@TZ: 030c
On 11/05/18, Vk3jed pondered and said...
One of my requirements is transparency of use. Back in the 90s, I used
to have an add-on that worked with Bluewave, which allowed me to encrypt and decrypt PGP encrypted messages. Worked really well. Today, I have
So you're talking about ease of use? I'm lost by transparency.
On 11-07-18 00:27, Lizard King wrote to Vk3jed <=-
@TZ: 41e0
I'm very sensitive to workflow disruptions, especially anything that is tedious/fiddly (regardless of how simple).
Very much the same here. I deal with tedious and fiddly all day long,
for money. I don't want to do it in my spare time. I want things that just magically work. I'm willing to put up with a certain amount of head-scratching to set it up the first time, though. (Or I wouldn't be here typing this.) :)
On 11-07-18 21:25, Avon wrote to Lizard King <=-
heard they were logging into gmail, writing emails, quitting out before sending, and then a second person would go in and view the saved draft.
No email sent.
On 11-07-18 21:31, Avon wrote to Lizard King <=-
@TZ: 030c
On 11/07/18, Lizard King pondered and said...
Very much the same here. I deal with tedious and fiddly all day long,
for money. I don't want to do it in my spare time. I want things that just magically work. I'm willing to put up with a certain amount of
Heh... BBSing can be fiddly but then some find that the 'fun' bit :)
But yeah I hear you it can be nice for stuff just to auto-magically
just happen :)
I use GnuPG quite extensively and it works pretty well, you can arran your workflow quite easily. The biggest challenge is to find someone who also understand how to use it.
I'm very sensitive to workflow disruptions, especially anything that is tedious/fiddly (regardless of how simple).
One of my requirements is transparency of use. Back in the 90s, I us to have an add-on that worked with Bluewave, which allowed me to encr and decrypt PGP encrypted messages. Worked really well. Today, I ha
So you're talking about ease of use? I'm lost by transparency.
Well, if I have to save a file, run GPG to decrypt, then load the result into an editor all manually, it's a non starter for me, even if the
steps are imple.
heard they were logging into gmail, writing emails, quitting out befo sending, and then a second person would go in and view the saved draf No email sent.
That's encrypted via TLS, the weak link is Google itself, of course.
On 11-07-18 07:07, StackFault wrote to Vk3jed <=-
I agree with you, I see myself rearranging my workflow on a frequent
basis in the sake of optimization. Whenever I feel things are getting automatic, I change a little something just to keep my edge.
I have a good interest in crypto in general but the lack of seemless integration (for messaging at least) always makes it harder to use for
non tech-savvy, thus limiting it's wide adoption.
On 11-07-18 07:14, StackFault wrote to Vk3jed <=-
This looks like a tedious process indeed. Clipboard decryption is
easier but still not seamlessly integrated.
If we take the context to BBS for example, using PGP seemlessly would require you to use an offline reader so you keep the keys locally at
all times. But that can be the least intrusive way of using it on a
larger scale.
On 11-07-18 07:19, StackFault wrote to Vk3jed <=-
Encryption is a beast by itself. Many focus only on the data-in-transit aka network stream encryption (the TLS part) and often forget about the data-at-rest aka storage.
I've seen numerous times people spending countless hours securing
traffic, disabling weak ciphers and setting up strong keys, but keeping the data in clear on the database backend once received.
I agree with you, I see myself rearranging my workflow on a frequent basis in the sake of optimization. Whenever I feel things are getting automatic, I change a little something just to keep my edge.
With me, it depends. Simple, routine things need to be also
streamlined. I have to keep those steps away from my conscious
attention, because (1) that would be more error prone, and (2) over
time, my aversion to fiddly work will caue me to use it less. Most
crypto products have fallen into that. Two notable exceptions have been Enigmail on Tnnderbird, because I can activate that at the click of a button, and the old PGP wrapper that I used as my "editor" in the DOS/Bluewave days, which inserted itself into the workflow ell.
Encryption is a beast by itself. Many focus only on the data-in-trans aka network stream encryption (the TLS part) and often forget about t data-at-rest aka storage.
I've seen numerous times people spending countless hours securing traffic, disabling weak ciphers and setting up strong keys, but keepi the data in clear on the database backend once received.
Yep, encryption is only as secure as the weakest link, and unencrypted databases can be a particularly soft target. The offline mail system
was good in that regard, in that the plaintext message only ever existed as a temporary file. On the BBS the message was still ciphertext.
Sure, one could forensically trawl the local HDD for the plaintext, but how many BBS messages are going to attract that level of scrutiny? (and
if the spooks have your HDD, they have your private key as well anyway). :)
On 11-08-18 07:09, StackFault wrote to Vk3jed <=-
I have a huge automation side, whatever can be automated is or will be
at some point. The encryption however have always been a darker area,
you don't want to automate it too much for a client based application. Passphrase is a good example, I like long passphrases just because it
is faster to type as opposed to shorter passwords with symbols. Even if you automate it, you still need to type it, thus breaking the
automation workflow. It can make things simpler to use however...
These days, my GPG integration with Mutt is working very well, this is running smoothly but this is not for everyone... Setting it up can be a pain, luckily all my setups are scripted so it's a breeze now... It probably took me a full day to get it to a level I am happy with...
On 11-08-18 07:15, StackFault wrote to Vk3jed <=-
Protecting the keys is the biggest challenge, using a good passphrase
can surely help but it's more like a second stage.
I didn't know the offline mail files were encrypted, I tought it was
just a database of some sort (which is not plaintext) but could be accessed pretty easily if you have the specifications.
You are touching another very point, which is temp files. On most
systems these are writtent in publicly available folders and most developpers don't use the right permissions, allowing anyone to read
from them...
Sometimes, we focus our attention at the wrong place...
I didn't know the offline mail files were encrypted, I tought it was just a database of some sort (which is not plaintext) but could be accessed pretty easily if you have the specifications.
Well, if you're processing GPG encrypted messages, then they will be encrypted until you decrypt them. If your decryption setup is built
into an offline reader, then the decryption takes place when you read
the message locally, so it's still encrypted at all point in transit.
On 11-10-18 10:26, StackFault wrote to Vk3jed <=-
Yes, this is perfectly logic, I tought you were referring the QWK files could be encrypted as well. Being out of the business for so long,
things might have changed quite a bit. I have put myself into "forget everything you know" so I don't make any assumptions.
With the ciphers and hashing algos being busted one after the other, I wonder what would happen if aes256 managed to be broken, we don't have much choices available already.
Cipher-Bloc-Chaining being deprecated now, when you setup a new system
and want to pass with flying colors, your list of available ciphers is greatly reduced.
Yes, this is perfectly logic, I tought you were referring the QWK fil could be encrypted as well. Being out of the business for so long,
No, encryption of the QWK is something I haven't yet seen. Theoretically possible, but probably pointless.
With the ciphers and hashing algos being busted one after the other, wonder what would happen if aes256 managed to be broken, we don't hav much choices available already.
Cipher-Bloc-Chaining being deprecated now, when you setup a new syste and want to pass with flying colors, your list of available ciphers i greatly reduced.
And one wonders what the rise of quantum computing will mean too...
On 11-10-18 16:13, StackFault wrote to Vk3jed <=-
I have not dug this one very far but depending on the algo used to password protect the archive, it might not be too bad in transit. The issue is at rest. But again, if privacy is a real issue, use another layer.
Well, I don't know enough about QC, but we will certainly see some
issues with the value of all crypto-currencies...
Time will tell I guess...
I always found interesting the fact they used old VIC-20 in John Wick
2, pretty hard to hack into and since most don't even know how to load
a software on it and finding a drive that can read these floppies nowadays...
I have not dug this one very far but depending on the algo used to password protect the archive, it might not be too bad in transit. The issue is at rest. But again, if privacy is a real issue, use another layer.
Yes, you could slip password protection into the archiver command,
though not sure how that can be done on a per link basis.
The big issue with quantum computing is the ability to solve many equations in parallel, which would render all current ciphers vulnerable to brute force attacks. But quantum computing is likely to give us new and vastly more powerful encryption. Quantum key distribution, which is immune to key interception has also been demonstrated in test environments, I believe. Attempting to intercept a key in transit on a quantum channel will resunt in 2 things. Firstly, the intercepter will NOT get a copy of the key, and secondly, the legitimate recipient will immediately know someone's tampered with the channel.
I always found interesting the fact they used old VIC-20 in John Wick 2, pretty hard to hack into and since most don't even know how to loa a software on it and finding a drive that can read these floppies nowadays...
Yeah that seems a bit far fetched, and how well can it run modern crypto algorithms anyway?
On 11-10-18 21:53, StackFault wrote to Vk3jed <=-
Well, this will trigger a revolution that's for sure. The side abou addressing the confidentiality and non-repudiation is intersting too. I will read a little bit about that, this is something I am not familiar enough.
Not very well that's for sure. The lack of compatibility with modern computing equipment makes it a challenge in itself. I have some good stories about old technology seen by younger folks. But this is
drifting from the original topic, it's more obfuscation than encryption
at that point...
Yeah that seems a bit far fetched, and how well can it run modern crypto algorithms anyway?
On 11-11-18 00:55, Lizard King wrote to Vk3jed <=-
@TZ: 41e0
On 11/11/18, Vk3jed said the following...
Yeah that seems a bit far fetched, and how well can it run modern crypto algorithms anyway?
How much time you got? :)
Yeah that seems a bit far fetched, and how well can it run modern cry algorithms anyway?
How much time you got? :)
Sysop: | digital man |
---|---|
Location: | Riverside County, California |
Users: | 1,045 |
Nodes: | 17 (0 / 17) |
Uptime: | 04:39:15 |
Calls: | 500,996 |
Calls today: | 13 |
Files: | 109,379 |
D/L today: |
2,621 files (2,348M bytes) |
Messages: | 305,881 |
Posted today: | 2 |