• PGP

    From NuSkooler@21:1/101 to All on Thu Aug 25 20:28:00 2016
    I'm a little late to the game, but my PGP info can be found here:

    https://keybase.io/nuskooler

    I also have quite a few invites for the site if anyone wants one.

    For the oldschool, my key:
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: GnuPG v1

    mQINBFYf5HABEAC25JNKmGH1g4jMr4nAN0V4JBvDtf5oyYrdwRMqWcFnA3ywAs6I GbuQ/ACcoG+Gd2s43h2PRvah2Ix2vpwXqBY6k6wfQhFOls2fvwzdszyigdrZTHzM WIoxj+LyLfvFBApcRBANLvX87TWvhXsWmi6GS2875VBgnxXLBhAm6bnRDs8zLkAm kta5HLFvh16jmyvuWaaXu6fMDn3gumltTMypY7/OXc//5AHctOi/CJqjkH8e5lFN DuSqmZegBMvZx4EEZI/VgHcBl0WjpfVhT0WYjJQNywBCPHPej3klm2sW/H6jloJ7 nVWixSOVTIRSKve7p0ARkOIpd7u1FVgLcCyK5FOo3zt5VBACMb3QFwMej0Ecxxtm Md6IqKgPIyUWOZdUheK7xCsCG3cM5Ik4RDXT9MhzxD8jWBaTwaKyCjPEPuT9utY6 +NjUsfce3qc8h8DvF4qY/EVUiJOyFP/fMMgUKf0zsG2ayEkUYe601OQwUtFREnIR PapO6FPb4IYlXkJbX9Dl+WlDj7ra88d6sEfUcHIQvAKQP45T3pWrNyne7hO5gAMY b4hgKtFLF/ZKV3aCjTuT7yScJ9HqsjVJGS30fCqzL2Y8BVz6V/xiUJ32cpv1v0VC UG1ShmnxydBtPQVsPsY8rKhmVHcPO1dUpAHCTuYjhTzT+QTgCgHbRUaL4wARAQAB tClCcnlhbiBELiBBc2hieSAoQnJ5YW4pIDxicnlhbkBsMzN0LmNvZGVzPokCOAQT AQIAIgUCVh/kcAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQtJ60N5Ud JUJjwQ/8DbsQ4JVVzJdy5Ce3vIhgPiOxKrqfy0S66XdtCSOYt5HhyzxRB2uc7eSJ MdFLV5jSFERwyhU+Qvi71dItjw+vew0BrD5Gu/gDKkjTPujdLVnTpwmVDovG5zfw G8Yv3oc5OPFSN/fmWhxwqi1Tyvpc28FnCj+5/Hcp2nQdwCSSzhhxiVibhAxvp52C BC8AbmcpRdxxgqxEV0WMohqcofJvzzm5uq8hsPxdPRmDtKgDcpxhp9MWSq14D4gK M1yvH3zCL5Zo2PQXhf+B5UXvkbC3dfXLPL4YsToHDAzr8VArMIKwAp33inLxsn/k koVB4ly5usUmtmkMEelZfnAckCjlL4TljRlNEmNMLB+hjnXz1/L6rvXDpxtFgdDp GIxuVebztRQjzt/5Z0v8b40/0oXue6NhOB4J+otW1j81kAmihg7tSYR6UA6cABm2 0SxuyJQ8bATOaFDARzrvn0+fwxigC5UVeSsZxu2xZXNFbd3mtVY3I0CRaVui8+rm Dc1jf7YSflBAahjiURaY+mp+GHAIqLMpPMCBcr1F02O05J6dvM8J2gzhLPxcLQjz 7da36s60+3x4yE+bhuLhNFmFPrg/BL8Sz0XnzAx9EU/RWJr+yqsq0MpDjtLJjoAX k3dl8QBYyWEfbbXsYAriYHt6+dOniIg+SzrOgG7sDhqC1S3GFi25Ag0EVh/kcAEQ AM/4ofy6sH6OjbhTRurqSWY55YAmPTF9ByADjRGLCq7docPef9UAr4OlBltN0Jc3 M+MQ11Nduk2G/dkJN/hWsAuftL9n+1wk6+Hqg/cIpbTtGtxnVmKDs6X1Cf8ROISk KL+czSqwm1UDnLGbVBKtEiGUEnxWJiu/klxcG6k9WPu0MF87H5D0ijbKopBS/jKJ XLGrWgyEjwybhlAguxzATq5ACoP9zYdPz8lMQfbCcfYDVhq9DHOlZC8kGStVJbz/ th9Tmx9GT7MTCKa9ChTCoqaO6nZsPQegaYerqX71CELiSoLt72PYJhJjEK8msKLE RqIiYBHq2AGPxv+CWmJV5KEotPQS6j9PC/52V0JhR5tE1IJ6kcd3Iz62B2VkBdiI m/DxsYa14FUCjQg0UmJjbzxu+wWTAJ74wyrdQ5ibGsMe0sR2ty/twcOvFDEp+FCJ WJyH9bCybEJs3fjvtUnbbQX5AZsxNSKguYu37AtTikjNwxNxLRNke6/ne+nObDgp M1hFMalUPk9MgjEkkNoXoiDk4J4CjR+jYLvNv33xKG1yBoIsiZm2D7R4nNlnmxut nwUeLXk8cxQwiWfZq9u4Yy6rim66UEpvQCreXwIIE5Sv7/85E4BYSvn74/avJ7Uz eFg1byZK0quoO0J5zaSegM+1m9miM2c7ujTRy4pbRGBhABEBAAGJAh8EGAECAAkF AlYf5HACGwwACgkQtJ60N5UdJUJwLw//VKEwHVOFb/baoPf2gdYXr98Q2WdbA0+s DFksty1eE918Uw8mEBmZtCGRUHXYTCqaF21TXE0uGHees2pZpNxZSOPyRnfgIruv c2BW2OVBqbHo2qxTo8fvct1tiJOrUYJ2YffvxCrb4hQBKMhVMslc6vk4nniJJpSl hac+9U6TD5EIem0K47b6Qb8w7XqSpwFyWUGIFxk7Mpnk9Kurzoi+ypv0w8lv/Kuo InNbc11/MW8G9+oDv4RgCuTzvGaouSbNvN3gxPfmlJkQq1RkD2H099xky2HzZ8kk 2gh25foHLnmLcmQCKllBTGi9TDP4iuWpFjC/7rvLyupFrd0ZzE3H4z7Glpn+LN4v NaycW5Xv/Kt2oU6GPQrn6oxIjd2lQRxD+WPnD2UQGbyK7F5sFHQL1uKvad48V0Xj 8nn7HpJ1tmos3iR5E0ClAt3VDjG/K+py+SXZ9qPx8pfUQUFKBw4sIB95aCYOH3Wb Kjo2YKFNLtEmT6z3ztbfujHNLgWfd43rU6cBP71bn8JPTTmFETTHPrUbquzWbr2B L0qCaptoDsAzMfaTZQznFctgsrTe3vzNp7Cj+zCgbJiEI/Kg/rGL/GMNFpVh0psx uS8UFgMiX3Xmj7zOP/27tJx6b0i356HEvqkQTNFsuitlnMEOA73rnZbgHC+d9bkK
    RGUx/deYouM=
    =UTdI
    -----END PGP PUBLIC KEY BLOCK-----

    --- Mystic BBS v1.12 A31 (Windows)
    * Origin: Agency BBS | telnet://agency.bbs.geek.nz (21:1/101)
  • From Avon@21:1/101 to NuSkooler on Sat Sep 10 16:31:00 2016
    On 08/25/16, NuSkooler pondered and said...

    https://keybase.io/nuskooler

    I also have quite a few invites for the site if anyone wants one.

    Just sent you a netmail but also trying for contact here also - if it's not
    too late for an invite, then yes please :)

    Best, Paul

    --- Mystic BBS v1.12 A31 (Windows)
    * Origin: Agency BBS | telnet://agency.bbs.geek.nz (21:1/101)
  • From Tony Langdon@21:1/143 to NuSkooler on Sat Sep 10 08:39:00 2016
    NuSkooler wrote to All <=-

    I'm a little late to the game, but my PGP info can be found here:

    https://keybase.io/nuskooler

    I also have quite a few invites for the site if anyone wants one.

    Sure, could be useful. :)


    ... Cursor: An expert in four-letter words
    ___ MultiMail/Win32 v0.49

    --- Mystic BBS/QWK v1.12 A31 (Raspberry Pi)
    * Origin: The Bridge - bridge.vkradio.com (21:1/143)
  • From Avon@21:1/101 to All on Tue May 15 21:17:44 2018
    Here's an updated post from eff.org

    https://www.eff.org/deeplinks/2018/05/not-so-pretty-what-you-need-know-about-e- fail-and-pgp-flaw-0

    [snip]

    A group of researchers released a paper today that describes a new class of serious vulnerabilities in PGP (including GPG), the most popular email encryption standard. The new paper includes a proof-of-concept exploit that
    can allow an attacker to use the victim's own email client to decrypt previously acquired messages and return the decrypted content to the attacker without alerting the victim. The proof of concept is only one implementation
    of this new type of attack, and variants may follow in the coming days.

    Because of the straightforward nature of the proof of concept, the severity
    of these security vulnerabilities, the range of email clients and plugins affected, and the high level of protection that PGP users need and expect,
    EFF is advising PGP users to pause in their use of the tool and seek other modes of secure end-to-end communication for now.

    Because we are awaiting the response from the security community of the flaws highlighted in the paper, we recommend that for now you uninstall or disable your PGP email plug-in. These steps are intended as a temporary, conservative stopgap until the immediate risk of the exploit has passed and been mitigated against by the wider community. There may be simpler mitigations available soon, as vendors and commentators develop narrower solutions, but this is the safest stance to take for now. Because sending PGP-encrypted emails to an unpatched client will create adverse ecosystem incentives to open incoming emails, any of which could be maliciously crafted to expose ciphertext to attackers.

    While you may not be directly affected, the other participants in your encrypted conversations are likely to be. For this attack, it isn't important whether the sender or the receiver of the original secret message is
    targeted. This is because a PGP message is encrypted to both of their keys.

    At EFF, we have relied on PGP extensively both internally and to secure much
    of our external-facing email communications. Because of the severity of the vulnerabilities disclosed today, we are temporarily dialing down our use of
    PGP for both internal and external email.

    Our recommendations may change as new information becomes available, and we will update this post when that happens.
    How The Vulnerabilities Work

    PGP, which stands for "Pretty Good Privacy," was first released nearly 27
    years ago by Phil Zimmermann. Extraordinarily innovative for the time, PGP transformed the level of privacy protection available for digital communications, and has provided tech-savvy users with the ability to encrypt files and send secure email to people they've never met. Its strong security has protected the messages of journalists, whistleblowers, dissidents, and human rights defenders for decades. While PGP is now a privately-owned tool,
    an open source implementation called GNU Privacy Guard (GPG) has been widely adopted by the security community in a number of contexts, and is described
    in the OpenPGP Internet standards document.

    The paper describes a series of vulnerabilities that all have in common their ability to expose email contents to an attacker when the target opens a maliciously crafted email sent to them by the attacker. In these attacks, the attacker has obtained a copy of an encrypted message, but was unable to
    decrypt it.

    The first attack is a "direct exfiltration" attack that is caused by the details of how mail clients choose to display HTML to the user. The attacker crafts a message that includes the old encrypted message. The new message is constructed in such a way that the mail software displays the entire
    decrypted message-including the captured ciphertext-as unencrypted text. Then the email client's HTML parser immediately sends or "exfiltrates" the
    decrypted message to a server that the attacker controls.

    The second attack abuses the underspecification of certain details in the OpenPGP standard to exfiltrate email contents to the attacker by modifying a previously captured ciphertext. Here are some technical details of the vulnerability, in plain-as-possible language:

    When you encrypt a message to someone else, it scrambles the information into "ciphertext" such that only the recipient can transform it back into readable "plaintext." But with some encryption algorithms, an attacker can modify the ciphertext, and the rest of the message will still decrypt back into the correct plaintext. This property is called malleability. This means that they can change the message that you read, even if they can't read it themselves.

    To address the problem of malleability, modern encryption algorithms add mechanisms to ensure integrity, or the property that assures the recipient
    that the message hasn't been tampered with. But the OpenPGP standard says
    that it's ok to send a message that doesn't come with an integrity check. And worse, even if the message does come with an integrity check, there are known ways to strip off that check. Plus, the standard doesn't say what to do when the check fails, so some email clients just tell you that the check failed,
    but show you the message anyway.

    The second vulnerability takes advantage of the combination of OpenPGP's lack of mandatory integrity verification combined with the HTML parsers built into mail software. Without integrity verification in the client, the attacker can modify captured ciphertexts in such a way that as soon as the mail software displays the modified message in decrypted form, the email client's HTML
    parser immediately sends or "exfiltrates" the decrypted message to a server that the attacker controls. For proper security, the software should never display the plaintext form of a ciphertext if the integrity check does not check out. Since the OpenPGP standard did not specify what to do if the integrity check does not check out, some software incorrectly displays the message anyway, enabling this attack.

    This means that not only can attackers get access to the contents of your encrypted messages the second you open an email, but they can also use these techniques to get access to the contents of any encrypted message that you
    have ever sent, as long as they have a copy of the ciphertext.
    What's Being Done to Fix this Vulnerability

    It's possible to fix the specific exploits that allow messages to be exfiltrated: namely, do better than the standard says by not rendering
    messages if their integrity checks don't check out. Updating the protocol and patching vulnerable software applications would address this specific issue.

    Fixing this entirely is going to take time. Some software patches have
    already begun rolling out, but it will be some time before every user of
    every affected software is up-to-date, and even longer before the standards
    are updated. Right now, information security researchers and the coders of OpenPGP-based systems are poring over the research paper to determine the
    scope of the flaw.

    We are in an uncertain state, where it is hard to promise the level of protection users can expect of PGP without giving a fast-changing and increasingly complex set of instructions and warnings. PGP usage was always complicated and error-prone; with this new vulnerability, it is currently almost impossible to give simple, reliable instructions on how to use it with modern email clients.

    It is also hard to tell people to move off using PGP in email permanently. There is no other email encryption tool that has the adoption levels,
    multiple implementations, and open standards support that would allow us to recommend it as a complete replacement for PGP. (S/MIME, the leading alternative, suffers from the same problems and is more vulnerable to the attacks described in the paper.) There are, however, other end-to-end secure messaging tools that provide similar levels of security: for instance,
    Signal. If you need to communicate securely during this period of
    uncertainty, we recommend you consider these alternatives.
    We Need To Be Better Than Pretty Good

    The flaw that the researchers exploited in PGP was known for many years as a theoretical weakness in the standard-one of many initially minor problems
    with PGP that have grown in significance over its long life.

    You can expect a heated debate over the future of PGP, strong encryption, and even the long-term viability of email. Many will use today's revelations as
    an opportunity to highlight PGP's numerous issues with usability and complexity, and demand better. They're not wrong: our digital world needs a well-supported, independent, rock-solid public key encryption tool now more than ever. Meanwhile, the same targeted populations who really need strong privacy protection will be waiting for the steps they can take to use email securely once again.

    We're taking this latest announcement as a wake-up call to everyone in the infosec and digital rights communities: not to pile on recriminations or criticisms of PGP and its dedicated, tireless, and largely unfunded
    developers and supporters, but to unite and work together to re-forge what it means to be the best privacy tool for the 21st century. While EFF is dialing down our use of PGP for the time being (and recommend you do so too) we're going to double-down on supporting independent, strong encryption-whether
    that comes from a renewed PGP, or from integrating and adapting the new generation of strong encryption tools for general purpose use. We're also
    going to keep up our work improving the general security of the email
    ecosystem with initiatives like STARTTLS Everywhere.

    PGP in its current form has served us well, but "pretty good privacy" is no longer enough. We all need to work on really good privacy, right now.

    EFF's recommendations: Disable or uninstall PGP email plugins for now. Do not decrypt encrypted PGP messages that you receive. Instead, use non-email based messaging platforms, like Signal, for your encrypted messaging needs. Use offline tools to decrypt PGP messages you have received in the past. Check
    for updates at our Surveillance Self-Defense site regarding client updates
    and improved secure messaging systems.

    [snip]

    --- Mystic BBS v1.12 A39 2018/04/21 (Windows/32)
    * Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)