A Windows XP help forum. PCbanter


PGP unsafe! Email security is unsafe and cannot be easily fixed,researchers say



 
 
  #1  
Old May 15th 18, 01:24 AM posted to alt.privacy.anon-server, mail.cypherpunks, alt.anonymous.email,comp.os.linux.advocacy, alt.comp.os.windows-10
Nomen Nescio
external usenet poster
 
Posts: 825
Default PGP unsafe! Email security is unsafe and cannot be easily fixed,researchers say

https://www.independent.co.uk/life-style/gadgets-and-tech/news/email-security-s-mime-pgp-encryption-latest-broken-not-working-fix-how-to-a8351116.html

  #2  
Old May 15th 18, 12:59 PM posted to alt.comp.os.windows-10
default[_2_]
external usenet poster
 
Posts: 201
Default PGP unsafe! Email security is unsafe and cannot be easily fixed, researchers say

On Tue, 15 May 2018 02:24:11 +0200 (CEST), Nomen Nescio wrote:

> https://www.independent.co.uk/life-style/gadgets-and-tech/news/email-security-s-mime-pgp-encryption-latest-broken-not-working-fix-how-to-a8351116.html

I hope nospam is paying attention....

https://en.wikipedia.org/wiki/Boundless_Informant
  #3  
Old May 15th 18, 01:02 PM posted to alt.privacy.anon-server,mail.cypherpunks,alt.anonymous.email,comp.os.linux.advocacy,alt.comp.os.windows-10
Doomsdrzej
external usenet poster
 
Posts: 113
Default PGP unsafe! Email security is unsafe and cannot be easily fixed, researchers say

On Tue, 15 May 2018 02:24:11 +0200 (CEST), Nomen Nescio wrote:

> https://www.independent.co.uk/life-style/gadgets-and-tech/news/email-security-s-mime-pgp-encryption-latest-broken-not-working-fix-how-to-a8351116.html

The last paragraph says it all: PGP itself is safe but the way the
third-party clients decrypt it is not.
  #4  
Old May 15th 18, 01:42 PM posted to alt.privacy.anon-server,mail.cypherpunks,alt.anonymous.email,comp.os.linux.advocacy,alt.comp.os.windows-10
Tim[_10_]
external usenet poster
 
Posts: 249
Default PGP unsafe! Email security is unsafe and cannot be easily fixed, researchers say

Doomsdrzej wrote in news:n1jlfddcit6u2j4v62370beu8ipges0tgk@4ax.com:

> On Tue, 15 May 2018 02:24:11 +0200 (CEST), Nomen Nescio wrote:
>
>> https://www.independent.co.uk/life-style/gadgets-and-tech/news/email-security-s-mime-pgp-encryption-latest-broken-not-working-fix-how-to-a8351116.html
>
> The last paragraph says it all: PGP itself is safe but the way the
> third-party clients decrypt it is not.

I have said it before, and I'll say it again: Until we start at Layer 2 and
build in all the encryption/authentication/verification things we have
learned and developed over the last forty years, and include ways to add
others as they are developed, the Internet will not be universally safe. We
have piecemeal answers for some of the problems, but there is no overall
structure for implementing the things we need today to provide secure
communications.

Personally, I can see a tiered structure. The lowest tier is essentially
the way the Internet is today. You roll the dice and you take your chances.
Good for things like newsletters, bulk mailings, etc., but pretty much
unsecure. The next tier up starts implementing things like white lists,
verified receipt, and other lower level functions to increase security and
reliability. Each tier upwards adds more features such as stronger
encryption, authentication, secure identification, etc. And one will have
the option to add additional tiers for unique requirements above and beyond
ones universally available. Of course, there will be costs associated with
each tier, and it will be up to the individual user whether they will be
willing to pay for those features.
  #5  
Old May 15th 18, 02:16 PM posted to alt.comp.os.windows-10
default[_2_]
external usenet poster
 
Posts: 201
Default PGP unsafe! Email security is unsafe and cannot be easily fixed, researchers say

On Tue, 15 May 2018 12:42:18 GMT, Tim wrote:

> Doomsdrzej wrote in news:n1jlfddcit6u2j4v62370beu8ipges0tgk@4ax.com:
>
>> On Tue, 15 May 2018 02:24:11 +0200 (CEST), Nomen Nescio wrote:
>>
>>> https://www.independent.co.uk/life-style/gadgets-and-tech/news/email-security-s-mime-pgp-encryption-latest-broken-not-working-fix-how-to-a8351116.html
>>
>> The last paragraph says it all: PGP itself is safe but the way the
>> third-party clients decrypt it is not.
>
> I have said it before, and I'll say it again: Until we start at Layer 2 and
> build in all the encryption/authentication/verification things we have
> learned and developed over the last forty years, and include ways to add
> others as they are developed, the Internet will not be universally safe. We
> have piecemeal answers for some of the problems, but there is no overall
> structure for implementing the things we need today to provide secure
> communications.
>
> Personally, I can see a tiered structure. The lowest tier is essentially
> the way the Internet is today. You roll the dice and you take your chances.
> Good for things like newsletters, bulk mailings, etc., but pretty much
> unsecure. The next tier up starts implementing things like white lists,
> verified receipt, and other lower level functions to increase security and
> reliability. Each tier upwards adds more features such as stronger
> encryption, authentication, secure identification, etc. And one will have
> the option to add additional tiers for unique requirements above and beyond
> ones universally available. Of course, there will be costs associated with
> each tier, and it will be up to the individual user whether they will be
> willing to pay for those features.

I hear you.

I went to a local lawyer to have a simple power of attorney drawn up.
They email me the thing for approval/modification. I questioned their
use of email for this, to find out "that's how we do it..."

So I start poking around and figure out how to call up the header
fields, to find out they don't even have their own domain, but their
domain and email is held on Yahoo servers.

The problem is huge, the perception is minuscule.
  #6  
Old May 15th 18, 02:30 PM posted to alt.comp.os.windows-10
Doomsdrzej
external usenet poster
 
Posts: 113
Default PGP unsafe! Email security is unsafe and cannot be easily fixed, researchers say

On Tue, 15 May 2018 12:42:18 GMT, Tim wrote:

> Doomsdrzej wrote in news:n1jlfddcit6u2j4v62370beu8ipges0tgk@4ax.com:
>
>> On Tue, 15 May 2018 02:24:11 +0200 (CEST), Nomen Nescio wrote:
>>
>>> https://www.independent.co.uk/life-style/gadgets-and-tech/news/email-security-s-mime-pgp-encryption-latest-broken-not-working-fix-how-to-a8351116.html
>>
>> The last paragraph says it all: PGP itself is safe but the way the
>> third-party clients decrypt it is not.
>
> I have said it before, and I'll say it again: Until we start at Layer 2 and
> build in all the encryption/authentication/verification things we have
> learned and developed over the last forty years, and include ways to add
> others as they are developed, the Internet will not be universally safe. We
> have piecemeal answers for some of the problems, but there is no overall
> structure for implementing the things we need today to provide secure
> communications.

ARPANet was designed to be secure through its obscurity as far as I
can tell. When it was released to the public, nobody seemed to foresee
how things would need to be secured any further than with a username
and password from what I can tell.

> Personally, I can see a tiered structure. The lowest tier is essentially
> the way the Internet is today. You roll the dice and you take your chances.
> Good for things like newsletters, bulk mailings, etc., but pretty much
> unsecure. The next tier up starts implementing things like white lists,
> verified receipt, and other lower level functions to increase security and
> reliability. Each tier upwards adds more features such as stronger
> encryption, authentication, secure identification, etc. And one will have
> the option to add additional tiers for unique requirements above and beyond
> ones universally available. Of course, there will be costs associated with
> each tier, and it will be up to the individual user whether they will be
> willing to pay for those features.

I think that's a good idea. You're doing with security what the
government did with highways here in Quebec. You can use the public
system and get to your destination but you'll sit in traffic or you
can pay to use the 25 and avoid congestion. I can see such a system
working with security as well since there are always people who think
that sitting in traffic for an hour is better than just paying a $3
toll.
  #7  
Old May 15th 18, 03:57 PM posted to alt.privacy.anon-server,mail.cypherpunks,alt.anonymous.email,comp.os.linux.advocacy,alt.comp.os.windows-10
Mr. Man-wai Chang
external usenet poster
 
Posts: 1,941
Default PGP unsafe! Email security is unsafe and cannot be easily fixed,researchers say


https://www.independent.co.uk/life-style/gadgets-an
tech/news/email-security-s-mime-pgp-encryption-latest-broken-not-working-fix-how-to-a8351116.html


--
@~@ Remain silent! Drink, Blink, Stretch! Live long and prosper!!
/ v \ Simplicity is Beauty!
/( _ )\ May the Force and farces be with you!
^ ^ (x86_64 Ubuntu 9.10) Linux 2.6.39.3
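No borrowing! No fraud! No *money! No compensated dating! No fighting! No robbery! No suicide! No praying to gods! Please consider Comprehensive Social Security Assistance
(CSSA):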
http://www.swd.gov.hk/tc/index/site_...sub_addressesa
  #8  
Old May 15th 18, 03:58 PM posted to alt.privacy.anon-server,mail.cypherpunks,alt.anonymous.email,comp.os.linux.advocacy,alt.comp.os.windows-10
Mr. Man-wai Chang
external usenet poster
 
Posts: 1,941
Default PGP unsafe! Email security is unsafe and cannot be easily fixed,researchers say


https://www.independent.co.uk/life-style/gadgets-and-tech/news/email-security-s-mime-pgp-encryption-latest-broken-not-working-fix-how-to-a8351116.html


--
@~@ Remain silent! Drink, Blink, Stretch! Live long and prosper!!
/ v \ Simplicity is Beauty!
/( _ )\ May the Force and farces be with you!
^ ^ (x86_64 Ubuntu 9.10) Linux 2.6.39.3
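No borrowing! No fraud! No *money! No compensated dating! No fighting! No robbery! No suicide! No praying to gods! Please consider Comprehensive Social Security Assistance
(CSSA):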
http://www.swd.gov.hk/tc/index/site_...sub_addressesa
  #9  
Old May 15th 18, 04:26 PM posted to alt.comp.os.windows-10
Doomsdrzej
external usenet poster
 
Posts: 113
Default PGP unsafe! Email security is unsafe and cannot be easily fixed, researchers say

On Tue, 15 May 2018 09:16:44 -0400, default wrote:

> On Tue, 15 May 2018 12:42:18 GMT, Tim wrote:
>
>> Doomsdrzej wrote in news:n1jlfddcit6u2j4v62370beu8ipges0tgk@4ax.com:
>>
>>> On Tue, 15 May 2018 02:24:11 +0200 (CEST), Nomen Nescio wrote:
>>>
>>>> https://www.independent.co.uk/life-style/gadgets-and-tech/news/email-security-s-mime-pgp-encryption-latest-broken-not-working-fix-how-to-a8351116.html
>>>
>>> The last paragraph says it all: PGP itself is safe but the way the
>>> third-party clients decrypt it is not.
>>
>> I have said it before, and I'll say it again: Until we start at Layer 2 and
>> build in all the encryption/authentication/verification things we have
>> learned and developed over the last forty years, and include ways to add
>> others as they are developed, the Internet will not be universally safe. We
>> have piecemeal answers for some of the problems, but there is no overall
>> structure for implementing the things we need today to provide secure
>> communications.
>>
>> Personally, I can see a tiered structure. The lowest tier is essentially
>> the way the Internet is today. You roll the dice and you take your chances.
>> Good for things like newsletters, bulk mailings, etc., but pretty much
>> unsecure. The next tier up starts implementing things like white lists,
>> verified receipt, and other lower level functions to increase security and
>> reliability. Each tier upwards adds more features such as stronger
>> encryption, authentication, secure identification, etc. And one will have
>> the option to add additional tiers for unique requirements above and beyond
>> ones universally available. Of course, there will be costs associated with
>> each tier, and it will be up to the individual user whether they will be
>> willing to pay for those features.
>
> I hear you.
>
> I went to a local lawyer to have a simple power of attorney drawn up.
> They email me the thing for approval/modification. I questioned their
> use of email for this, to find out "that's how we do it..."
>
> So I start poking around and figure out how to call up the header
> fields, to find out they don't even have their own domain, but their
> domain and email is held on Yahoo servers.
>
> The problem is huge, the perception is minuscule.

And as we know, Yahoo is synonymous with prosperity and security,
*especially* since they put a woman at the helm.
  #10  
Old May 15th 18, 04:28 PM posted to alt.comp.os.windows-10
Char Jackson
external usenet poster
 
Posts: 10,449
Default PGP unsafe! Email security is unsafe and cannot be easily fixed, researchers say

On Tue, 15 May 2018 09:16:44 -0400, default wrote:

> On Tue, 15 May 2018 12:42:18 GMT, Tim wrote:
>
>> Doomsdrzej wrote in news:n1jlfddcit6u2j4v62370beu8ipges0tgk@4ax.com:
>>
>>> On Tue, 15 May 2018 02:24:11 +0200 (CEST), Nomen Nescio wrote:
>>>
>>>> https://www.independent.co.uk/life-style/gadgets-and-tech/news/email-security-s-mime-pgp-encryption-latest-broken-not-working-fix-how-to-a8351116.html
>>>
>>> The last paragraph says it all: PGP itself is safe but the way the
>>> third-party clients decrypt it is not.
>>
>> I have said it before, and I'll say it again: Until we start at Layer 2 and
>> build in all the encryption/authentication/verification things we have
>> learned and developed over the last forty years, and include ways to add
>> others as they are developed, the Internet will not be universally safe. We
>> have piecemeal answers for some of the problems, but there is no overall
>> structure for implementing the things we need today to provide secure
>> communications.
>>
>> Personally, I can see a tiered structure. The lowest tier is essentially
>> the way the Internet is today. You roll the dice and you take your chances.
>> Good for things like newsletters, bulk mailings, etc., but pretty much
>> unsecure. The next tier up starts implementing things like white lists,
>> verified receipt, and other lower level functions to increase security and
>> reliability. Each tier upwards adds more features such as stronger
>> encryption, authentication, secure identification, etc. And one will have
>> the option to add additional tiers for unique requirements above and beyond
>> ones universally available. Of course, there will be costs associated with
>> each tier, and it will be up to the individual user whether they will be
>> willing to pay for those features.
>
> I hear you.
>
> I went to a local lawyer to have a simple power of attorney drawn up.
> They email me the thing for approval/modification. I questioned their
> use of email for this, to find out "that's how we do it..."
>
> So I start poking around and figure out how to call up the header
> fields, to find out they don't even have their own domain, but their
> domain and email is held on Yahoo servers.
>
> The problem is huge, the perception is minuscule.

I recently bought a European SIM card for a family member who'll be
traveling there soon from the States. Among other things, you have to
provide the traveler's full name, birthday, passport number, and more.

The company offered several methods to get the thing activated, but they
stressed that email was their preferred method. You guessed it, they had
an @gmail.com address! Seriously? You just have to wonder.

  #11  
Old May 15th 18, 04:34 PM posted to alt.privacy.anon-server,mail.cypherpunks,comp.os.linux.advocacy,alt.comp.os.windows-10
Anonymous
external usenet poster
 
Posts: 41
Default PGP unsafe! Email security is unsafe and cannot be easily fixed, researchers say

Mr. Man-wai Chang was thinking very hard :

> https://www.independent.co.uk/life-style/gadgets-and-tech/news/email-security-s-mime-pgp-encryption-latest-broken-not-working-fix-how-to-a8351116.html

it would be nice if this guy could figure out how to correctly reply to
a post instead of littering up the news group with unthreaded replies
  #12  
Old May 15th 18, 04:58 PM posted to alt.comp.os.windows-10
default[_2_]
external usenet poster
 
Posts: 201
Default PGP unsafe! Email security is unsafe and cannot be easily fixed, researchers say

On Tue, 15 May 2018 11:26:31 -0400, Doomsdrzej wrote:

> On Tue, 15 May 2018 09:16:44 -0400, default wrote:
>
>> On Tue, 15 May 2018 12:42:18 GMT, Tim wrote:
>>
>>> Doomsdrzej wrote in news:n1jlfddcit6u2j4v62370beu8ipges0tgk@4ax.com:
>>>
>>>> On Tue, 15 May 2018 02:24:11 +0200 (CEST), Nomen Nescio wrote:
>>>>
>>>>> https://www.independent.co.uk/life-style/gadgets-and-tech/news/email-security-s-mime-pgp-encryption-latest-broken-not-working-fix-how-to-a8351116.html
>>>>
>>>> The last paragraph says it all: PGP itself is safe but the way the
>>>> third-party clients decrypt it is not.
>>>
>>> I have said it before, and I'll say it again: Until we start at Layer 2 and
>>> build in all the encryption/authentication/verification things we have
>>> learned and developed over the last forty years, and include ways to add
>>> others as they are developed, the Internet will not be universally safe. We
>>> have piecemeal answers for some of the problems, but there is no overall
>>> structure for implementing the things we need today to provide secure
>>> communications.
>>>
>>> Personally, I can see a tiered structure. The lowest tier is essentially
>>> the way the Internet is today. You roll the dice and you take your chances.
>>> Good for things like newsletters, bulk mailings, etc., but pretty much
>>> unsecure. The next tier up starts implementing things like white lists,
>>> verified receipt, and other lower level functions to increase security and
>>> reliability. Each tier upwards adds more features such as stronger
>>> encryption, authentication, secure identification, etc. And one will have
>>> the option to add additional tiers for unique requirements above and beyond
>>> ones universally available. Of course, there will be costs associated with
>>> each tier, and it will be up to the individual user whether they will be
>>> willing to pay for those features.
>>
>> I hear you.
>>
>> I went to a local lawyer to have a simple power of attorney drawn up.
>> They email me the thing for approval/modification. I questioned their
>> use of email for this, to find out "that's how we do it..."
>>
>> So I start poking around and figure out how to call up the header
>> fields, to find out they don't even have their own domain, but their
>> domain and email is held on Yahoo servers.
>>
>> The problem is huge, the perception is minuscule.
>
> And as we know, Yahoo is synonymous with prosperity and security,
> *especially* since they put a woman at the helm.

Do you really think that the CEOs of companies understand the
business of the companies they manage? They only understand profit;
let me restate that: they only understand PROFIT!!!

Not the solvency of the company, not the long term viability of the
company, not who they hurt or what they do, just the instantaneous
peak dollar amount of the stock price. That is all that matters.

Being female has nothing to do with it, greed and short-sighted
stupidity affects women as well as men.
  #13  
Old May 15th 18, 05:39 PM posted to alt.comp.os.windows-10
Mayayana
external usenet poster
 
Posts: 6,438
Default PGP unsafe! Email security is unsafe and cannot be easily fixed, researchers say

"default" wrote

| And as we know, Yahoo is synonymous with prosperity and security,
| *especially* since they put a woman at the helm.
|
| Being female has nothing to do with it, greed and short-sighted
| stupidity affects women as well as men.

And Marissa Mayer was a former Googlite, thus already
tainted by arrogant disregard for human decency. She's
been noted numerous times for not caring about privacy.
She even cooperated to write software to let the NSA
access Yahoo email clandestinely, without even consulting
her own security chief.

The solution has to be partially encryption, but the real
problem is that there are no laws to cover the issues.
Companies that store data online are not punished.
Companies that sell your data to each other are not
punished. Even where it's illegal there are workarounds,
such as CVS selling customer drug records to drug
companies when doctors couldn't.

I read the other day that an organization (caprivacy.org)
is pushing a new California privacy law. But even that is
just a joke. They want to enforce an opt-out option on
selling data. You'd have to specifically tell companies
you don't want them to sell your data!
As I read their website, with warnings that I should enable
javascript, I looked at the source code. They were trying
to track me via both Facebook and Google Analytics.
I wouldn't be surprised if the people pushing this new
law don't even know their website is doing that. The ignorance
and stupidity is jaw-dropping. It's so bad that I actually
can't tell whether the caprivacy people are naive or
whether they're really industry plants assigned to push
a toothless law for PR purposes.

I think Ed Markey and others are pushing a real privacy
law, but I don't know the details.

Full-scale encryption is great for people like political
activists in Tibet or Iran, but for most people it's not
a realistic solution. I don't know anyone who's even
heard of PGP, much less set up end-to-end
encryption. The only realistic approach is to make it
seriously illegal for people to read your email
or track you online, just as it's illegal to read your
postal mail or set up surveillance in someone's house.
But it has to be gravely illegal, because collecting
and analyzing the data is so easy.

There was an interesting article in the New Yorker
some time ago, about Estonia.

https://www.newyorker.com/magazine/2...gital-republic

They have little privacy, but anyone accessing
personal info is logged and the person is notified.
If the accessing party doesn't have a very good
reason they can be in big trouble. It's a completely
different approach. Essentially computerization
planned for society rather than engineered by
"yahoos" (and Googlites, Facebookies, Amazonians,
Apple maniacs, Microsofties, etc) operating in a
Wild West environment with no real planning or
vision -- only profits for big business on their minds.


  #14  
Old May 15th 18, 07:24 PM posted to alt.comp.os.windows-10
nospam
external usenet poster
 
Posts: 4,718
Default PGP unsafe! Email security is unsafe and cannot be easily fixed, researchers say

In article , Mayayana wrote:

> | And as we know, Yahoo is synonymous with prosperity and security,
> | *especially* since they put a woman at the helm.
> |
> | Being female has nothing to do with it, greed and short-sighted
> | stupidity affects women as well as men.
>
> And Marissa Mayer was a former Googlite, thus already
> tainted by arrogant disregard for human decency.

you've said a lot of ignorant things, but that one is at the top.

is everyone who works at google tainted? all 75,000+ of them?

are the dozen 'googlites', who quit their jobs in protest of what
google is doing, also tainted? if so, why did they quit?

https://arstechnica.com/gadgets/2018...resign-in-protest-of-googlepentagon-drone-program/
Despite protests from employees, Google is still charging ahead with
a Department of Defense collaboration to produce machine-learning
software for drones. Google hasn't listened to a contingent of its
employees that is unhappy with Google's involvement in the
military-industrial complex, and now a report from Gizmodo says
"about a dozen" employees have resigned over the issue.

> Full-scale encryption is great for people like political
> activists in Tibet or Iran, but for most people it's not
> a realistic solution. I don't know anyone who's even
> heard of PGP, much less set up end-to-end
> encryption.

apparently you're oblivious to just how easy it actually is.

simply download and install an encrypted messaging app. no need to know
what pgp is.

here's a list of popular options:
https://fossbytes.com/best-secure-encrypted-messaging-apps/

there are also encrypted email options, although not as common as
messaging.

> The only realistic approach is to make it
> seriously illegal for people to read your email
> or track you online, just as it's illegal to read your
> postal mail or set up surveillance in someone's house.

reading other people's email is illegal except in very specific
circumstances, such as a court order.

at google, reading *any* user data requires multiple authorizations and
anyone who tries to get around that will be fired on the spot.

> But it has to be gravely illegal, because collecting
> and analyzing the data is so easy.

collecting and analyzing data isn't anything new and not necessarily
bad.

it's just *much* easier now and can be done in ways that were once
impossible.
  #15  
Old May 15th 18, 07:24 PM posted to alt.comp.os.windows-10
nospam
external usenet poster
 
Posts: 4,718
Default PGP unsafe! Email security is unsafe and cannot be easily fixed, researchers say

In article , Char Jackson wrote:

> I recently bought a European SIM card for a family member who'll be
> traveling there soon from the States. Among other things, you have to
> provide the traveler's full name, birthday, passport number, and more.

that's not unusual.

> The company offered several methods to get the thing activated, but they
> stressed that email was their preferred method. You guessed it, they had
> an @gmail.com address! Seriously? You just have to wonder.

not really.

they were probably using gsuite, which is *very* secu
https://gsuite.google.com/faq/security/
 










All times are GMT +1. The time now is 08:06 PM.

