Discussion:
Is there a perfect method to guard our communication?
(too old to reply)
m***@icloud.com
2018-02-10 13:58:58 UTC
Permalink
Hello. May I ask your opinions of two questions?

1.Is there a perfect method to guard our electrical communication against an
attacks of peepers?

2.About suppliers of libreboot pre-installed devices.

Regarding 1.
I am a begginer of Linux, and English. I was desiring my privacy.
I have been studied quite hard how to make the environmental. I knew about
libreboot.
I wanted the free PC, free OS, free softwares.
There are many information in the web. It looks that I need a configured
router, own surver, kindly ISP, etc.
I do not still understand that what I need exactly.
I was thinking if I get the PC, I can get the environmental. It looks that it
needs configuration itself.
A strong passphrase, disk encryption, VPN, physical shelter,etc...
But I was thinking if I get the free PC, it can guards my privacy by only
setting itself.
If there is no that method, if I cannot have perfect confidence in that
method, I need not the device.
I have been studied quite hard, but I have never seen a person who assures
that these are the methods logically on one or a few pages. I, and maybe all
beginners who dream the method, that opinion, like yes, you can but...or
no,but... I want to be assured that there is the method at first.
Thank you for reading.
I might state about question 2. after if I will be able to listend to your
opinions.
It concerns 1. And it looks this statement is already long.
m***@icloud.com
2018-02-10 14:12:02 UTC
Permalink
revision: ...who dream the method, "need" that opinion, like yes...
o***@riseup.net
2018-02-10 15:11:34 UTC
Permalink
"Perfect" is impossible. If it's possible for one person to understand
something, it's possible for anyone as long as they have the right knowledge.
But practically speaking, no one is going to crack good encryption; the time
it would take (without e.g. social engineering) is a period of time greater
than anyone's lifetime.

Of course, you do have to guard the key against third parties. To do that,
you should only ever store the key in a system running software you trust.
For maximum security, you would make that machine never connect to any
network, but in practice you don't need to go that far if you're using only
libre software and installing all security updates.

As for what cryptography to use, software developers have already generally
speaking taken care of that. For the Web, turn off JavaScript and use HTTPS.
Use Tor Browser to add anonymity; change the security setting to maximum for
full protection. For email, use GnuPG with the largest supported key size;
there's a guide for Thunderbird (via Enigmail) here:

https://emailselfdefense.fsf.org/en/

And for encrypted instant messaging, Kontalk is probably the easiest choice,
though there's also XMPP with OTR (a little tougher since not all XMPP
clients support OTR).
g***@riseup.net
2018-02-10 21:38:34 UTC
Permalink
Post by o***@riseup.net
And for encrypted instant messaging, Kontalk is probably the easiest choice
Ricochet can not be easier to use. It's also audited software and anonymous.
It's also serverless.

https://ricochet.im
m***@icloud.com
2018-02-11 05:06:47 UTC
Permalink
Thank you. Recochet looks unique. Studying this approach will help me to
learn the whole internet structure.

I would like to listen your opinion for that too. Does that means that is
your opinion the same as, maybe Mr., onpon4's one?
g***@riseup.net
2018-02-11 19:53:22 UTC
Permalink
Post by m***@icloud.com
I would like to listen your opinion for that too
Not quite sure now whether you're asking about ricochet or your previous 2
questions. I assume it's the latter.
Post by m***@icloud.com
Hello. May I ask your opinions of two questions?
1.Is there a perfect method to guard our electrical communication against an
attacks of peepers?

No, there is not. The hardware you use is potentially backdoored, designed to
play against you. The software you use is complex and bloated, probably full
of bugs. There is no 'perfect' solution. If what you need to do could lead
you to jail then what you should do is: do it offline.
If a powerful and motivated adversary wants your data they will get it,
sooner or later. There's a good new though: if you are a regular Joe then
using encryption will help you to maintain some privacy as your noise will
remain just noise. Using encryption will probably flag you though, so
probably they (don't ask me who 'they' is) will check you and if they find
you sufficiently interesting then they will also find a way to decrypt what
is encrypted.
(No, I'm not paranoid. Yes, I am a realist.)


2.About suppliers of libreboot pre-installed devices.

What exactly is the question? I will just take advantage now to shill
minifree and Leah Rowe for it would appear to me she is the one that was
crucial and still is (I hope) in the development of the entire thing. If
money wants to be thrown at then it wants to be thrown at minifree ->
https://minifree.org/


I had some trouble understanding your English, I hope my answers are
relevant. cheers
m***@icloud.com
2018-02-11 22:39:46 UTC
Permalink
The hardware you use is potentially backdoored, designed to play against
you. The software you use is complex and bloated, probably full of bugs.
There is no 'perfect' solution.

Does that means that even if I get a libreboot PC, the PC still has a
potential for be installed the backdoors? Not physical backdoors, via
traffic. And even the free softwares are complex and bloated, probably full
of bugs?
It is obscure about those "the" which are "The" hardware, and "The" software
of your words ( I can't say well, but probably you get it ) . Does those
"the" mean that free hardwares and softwares?

Even if I am a ordinary person, I will never give them critical or fatal
information. That is impossible. If I get those free devices, I will use
those for purely business purpose. I am a nameless painter, maybe as you
know. I think that sometimes that way is best. Sending the USB stick is very
useful for me, if it is possible.
What exactly is the question?
I have been feeling that these Q and A are working well to make a basic
structure of question 2 un-intentionally.
I was going to ask people when I could listend to people's opinions of
question 1 enough.
I really thank you who gave me reply. But I don't feel that that is enough.
Currently I could get just two opinions. That might enough, but if possible,
I want more opinions.

I don't know well why you shill minifree and Ms.Rowe and why now. I don't
like gossip. Hence I don't have interest in gossip mostly. I basically do
not trust things which I see.
m***@icloud.com
2018-02-11 22:48:07 UTC
Permalink
revision: at the last sentence: I basically do trust things which just I see.
o***@riseup.net
2018-02-12 05:41:02 UTC
Permalink
I suggest you assume good faith from all posters; it's very possible for
something you are interpreting as anger is something different entirely,
given your skill level at English that I can see.

And at the same token, don't worry about angering people. You'll be fine as
long as you don't launch straight-up personal attacks.
o***@riseup.net
2018-02-12 05:51:47 UTC
Permalink
Post by m***@icloud.com
Does that means that even if I get a libreboot PC, the PC still has a
potential for be installed the backdoors? Not physical backdoors, via
traffic. And even the free softwares are complex and bloated, probably full
of bugs?

It just means that no software is perfect, and no hardware is perfect, so
mistakes are bound to happen occasionally. We're only human, after all. :)

You don't need to take this as a sign of worry. The protection you can get is
still quite good.
Post by m***@icloud.com
I don't know well why you shill minifree and Ms.Rowe and why now. I don't
like gossip. Hence I don't have interest in gossip mostly. I basically do not
trust things which I see.

You're right that it's an advertisement, but it's an advertisement with a
reasonable purpose: they sell freedom-respecting computers. So in the present
moment, they're one of the best options. It's also an unpaid advertisement,
though that's a minor point.

If you'd rather have a less biased source, that would be the FSF's resource:

https://fsf.org/ryf
g***@riseup.net
2018-02-12 21:59:01 UTC
Permalink
Post by m***@icloud.com
Does that means that even if I get a libreboot PC, the PC still has a
potential for be installed the backdoors?

Yes, they still have 2 proprietary firmware (the hard drive and the embedded
controller), if the laptop is going to be shipped to your location an
adversary could simply intercept it, install a backdoor and you would never
know. All modern CPUs (well, almost all - all Intel CPUS for sure) come with
severe security flaws which can be solved only by redesigning the whole thing
(look for meltdown and spectre). There could be more flaws which we are not
aware of.
Post by m***@icloud.com
And even the free softwares are complex and bloated, probably full of bugs?
Sure they are. Take a look at Firefox for instance, or pidgin (those two come
to my mind right now).
Post by m***@icloud.com
It is obscure about those "the" which are "The" hardware, and "The" software
of your words ( I can't say well, but probably you get it ) . Does those
"the" mean that free hardwares and softwares?

I don't understand what you mean.
Post by m***@icloud.com
I don't know well why you shill minifree and Ms.Rowe and why now. I don't
like gossip. Hence I don't have interest in gossip mostly. I basically do not
trust things which I see.


By 'shill' I mean 'advertise', that is to say 'promote' or 'support'. It has
nothing to do with gossip.
Post by m***@icloud.com
I basically do not trust things which I see.
Strange. I don't trust things I don't see. Like god for instance.
m***@icloud.com
2018-02-12 23:26:20 UTC
Permalink
Thank you very much.
m***@icloud.com
2018-02-13 05:32:46 UTC
Permalink
God exist!!! because...
c***@posteo.de
2018-02-14 22:22:14 UTC
Permalink
You said a ways up that there is no perfect solution. This is true as humans,
we make errors, and mistakes and are constantly improving our ways and
techniques...

But that last line about God, yes, if by that you are saying that because of
the old testament I agree wholeheartedly. But there is a reason for a new
testament.

One book shows that we should obey and honor him and shows his mercy and
love.

but that's besides the point.

Yes, things you cannot see can be dangerous. But how do you know what you
see and what you don't see. People are sometimes deceptive let's say and make
something that looks nice and shiny but has all this crap lurking within to
spy on you, etc,

But that aside, I completely agree with you on amd and intel. They are both
shit.

ARM is a mixed bag though. Shakti on the other hand I really hope is worth
something far beyond all the others.

We disagree on spiritual stuff, and agree on matters of free software mostly
I am sure.

Personally I don't think God wants us to blindly trust everything in our
world. That could lead to great evil after all.

And it has many times due to people abusing his name alas...

False teachers, decievers, evil people... none of whom do anything but try
and taint his name for their own personal game.

Long rant, my bad... ;)
m***@icloud.com
2018-02-15 09:18:49 UTC
Permalink
These issues are complex, so we can't summaring of these. I don't think here
is proper, I want to debate with all of people of trisquel though. After all,
all of you want just everybody making happy life I guess, except the
un-invitable. They try to involve their unhappiness. They know they can't
join in a place, like trisquel. Because they can't change their living by
their cowardice. So he is always surrounded with his nice looks friends. They
can't believe each other. Why they are happy? I also want to feel the world
everybody are happy. How refreshing. How difficult. Just for clarifing a few
of my opinion, of course I attacked the businessmen and trouble searchers.
They dont' care how they earn, what with trouble. Of cource religion is their
one of the excuses. Color, manner, stud, beautiful, communist, terrorist,
witch, heresy, we can anytime find a cause of a war easily. Then always
JUSTICE judge them to fill their ugly desire with law or out law. I was
laughing with my words persistantly. So the reaction was unexpected.
It maybe first line about God for me. I like basically Mr. Christ as far as I
know. I know their masks. They betray you the best time. But I also have to
keep caring my thanatos. Probably any saints also have that. They probably
had thought " Am I a hypocrite? " Important thing is how we control that. If
we are not exterminated by pollution, sooner or later, we have to solve this
problem. A computer is the most effective thing for those issues I still
think, so this situation a bit disappointed me. I put a pollution issue my
current priority. They will try to involve the earth with thanatos. They are
not caring their childs's future, obviously. Only interest is themselves.
絶対反省しない、と僕は思っています。Please excuse me, I
will refrain from now. I can find the spy?
m***@icloud.com
2018-02-10 18:13:04 UTC
Permalink
Thank you foy your opinion. I was caring that if nobody reply to such basic
and maybe stupid question...
These my sentenses are too long. I hesitate about saving, but I am sorry, I
want to tell those. I wish this will be useful for someone.
you would make that machine never connect to any network,
Yes, I thought that recently. I purchase the device which was taken away a
wi-fi card and pre-installed GPG.
Then I make a encrypted email by GPG, then I copy the email to a e.g. USB
stick, then I hand ( or send if I can ) it to my opponent.
As I am not going to ask the detail to people here, but I don't know yet
whether this way is possible or not.
I will satisfy to use only email by the PC.
I will try to avoid that I couldn't do that after I purchase the device.
I am almost giving up to connect always to network the PC.
I am a begginer. I will miss making configuration. I learned one mistake
might make leak.
It would take a long time for making reliance on my knowledge.
And I guess that security updates comes always too late against their
attacks. I don't want to always care about when it gets a malicious software.
So if I get the device, I am going to use the machine as only for
encrypting/decording email machine at least now.
software developers have already generally speaking taken care of that.
Yes, thanks. I feel often I am being educated by them. I've been learning to
use correctly Endless+Onion browser, turning off/on JavaScript, etc, by
current only my device, iPhone.
I am using this iPhone for study. It looks iPhone might be not able to be
secure.
https://emailselfdefense.fsf.org/en/
Some people gave me this link :) Yes, I have to read this through, but maybe
those pages have not the information of how to use this as for a complete
offline :)

I did not know the Kontalk, XMPP, OTR. Thanks.
I am going to study those softwares. And I started to care the social
engineering. It sounds, how I say, danger?
Their attacks keep progressing, updating is almost always late for the
attacks, I guess that is main reason for perfect is impossible. But
practically, I might be able to make it.
But then, I need perfect.

I am glad especially to hearing the "never connect to any network" from other
people.
s***@vmail.me
2018-02-11 11:33:52 UTC
Permalink
@MSuzuqi I suggest that you should watch Citizenfour. Read Glenn Gleenwald's
No Place to Hide and the Snowden Files. Also these sites has alternatives to
proprietary softwares and how to counter surveillance:
https://prism-break.org
https://privacytools.io
m***@icloud.com
2018-02-11 14:35:34 UTC
Permalink
Thank you. It seems your name is Japanese. I'm a Jap.
I watched Citizenfour in the next day of release, in 2016. If I remember
correctly, the day of release in the West was in 2013.
And there were just about 20 peoples in the cinema. And I have watched the
DVD, and read maybe the snowden file.
This would wanders away a bit, I like Mr. Snowden's courage and intelligence,
I think he did decisive work, but although my information about it is not
plenty, I don't understand why he left his family and his girlfriend behind
when he went to HongKong. That looked there was some risk, especially there
is USA. Did he let them move to a better safe place before he open his face
to the media? I can't remember well.

https://privacytools.io/ is new information. Thanks.
But then, I would like to listen to your opinion for that too.
o***@riseup.net
2018-02-11 16:31:42 UTC
Permalink
へぇ~。

But "Jap" is generally seen as a slur. You probably don't want to refer to
yourself as that. It would be like me referring to myself as a 外人, I
guess.

ところで、私は女です。
m***@icloud.com
2018-02-11 17:44:43 UTC
Permalink
Once upon a time, there was a French footballer whose name is like your name.
But that name sounded lady surely.
But I also thought that a lady who learns Japanese is rare. Because Japanese
men are not popular with ladies of the world. It looks that Japanese ladies
are popular in the world.
The avatar looked kindly. How about letting her wear a bra? If that is
awkword, how about a ribbon or something.
言われてみれば確かに女グニューですけどな。
o***@riseup.net
2018-02-12 06:07:28 UTC
Permalink
Post by m***@icloud.com
But I also thought that a lady who learns Japanese is rare. Because
Japanese men are not popular with ladies of the world. It looks that Japanese
ladies are popular in the world.

I don't think many people Japanese because they're attracted to Japanese
girls. xD The number one reason is probably Japanese cartoons, and the number
two reason is probably romanticism of Japanese culture. My reason was a bit
more mundane: I just wanted to learn a language with a different writing
system because I thought that would be cool, and then loved Japanese class to
the point where I just refuse to go away from Japanese study. Plus, I still
think Japanese is a great language.
s***@vmail.me
2018-02-11 20:57:37 UTC
Permalink
I am sorry but I am not japanase, it is only the username in japanese though.
I am still in Asia.
m***@icloud.com
2018-02-12 00:16:38 UTC
Permalink
Hi Akito. Asia is morning. But it was a sleepness night. Making English
sentence takes a quite long time.
And I am insomnia.
m***@icloud.com
2018-02-12 05:44:59 UTC
Permalink
I think I took advantage of your reply. My English and insomnia have no
connection with this reply.
I should have explained to you that just it was a sleepness night, so I try
to sleep from now.
I don't know how you felt, I am sorry if you were offended.
o***@riseup.net
2018-02-12 05:53:24 UTC
Permalink
No worries. Your English is way better than my Japanese, at any rate.
o***@riseup.net
2018-02-11 14:48:22 UTC
Permalink
privacytools.io seems fine, but I don't recommend prism-break as a reference.
It's all over the place and blacklists Trisquel because it's based on Ubuntu,
which just tells me they don't understand how this stuff works.
m***@icloud.com
2018-02-11 15:33:16 UTC
Permalink
Hi MaybeMr. It looks you always state your opinion with its grounds. So the
opinion have reasonableness.
But prism-break has valuable information to me. As this is my brief, They
state that people need a own surver, and a supplier agreed that opinion. I
knew that there. Oh, I need my own surver too? But they are not stating that
ground. So I don't still know why I need own surver, router. Tor is quite
understandable since especially their site. It is difficult for me that
judging information of this computer world. But, in this libre world, it
seems fake information is not quite more than other worlds since maybe that
is people's normal goodwill.
o***@riseup.net
2018-02-11 16:34:06 UTC
Permalink
Most of the recommendations on prism-break are fine, so if you find it
helpful, go for it. I just don't think it's a helpful reference in general.
It's too unfocused.
m***@icloud.com
2018-02-11 17:51:19 UTC
Permalink
After all, What is his intention is always the one of the main issues.
s***@vmail.me
2018-02-11 21:25:53 UTC
Permalink
@MSuzuqi PRISM-break suggest owning your own server so you are in control of
your data.

If you have an ISP(internet service provider) that allows port forwarding and
you can leave a librebooted device 24/7 online (not energy friendly) or just
a freedom friendly single board computer (eg. beaglebone black) [energy
friendly], they can act as a server and you can now host your own
wallabag,mediagoblin,diaspora/gnusocial,seafile/owncloud/nextcloud,wordpress
etc. You just need a free dynamic dns like nsupdate.info
The only problem would be your ISP's router which is proprietary [unless can
be flashed with librecmc[, your net bandwidth limit per month/day.
m***@icloud.com
2018-02-12 00:23:21 UTC
Permalink
So I will try to sleep from now... Thanks. I took a glance this, it looks
difficult, I think about this later...
Have a good day.
n***@guerrillamail.org
2018-02-11 13:30:37 UTC
Permalink
Of course >

Loading Image...
m***@icloud.com
2018-02-11 14:41:37 UTC
Permalink
Thank you! Do you know a few of my abilities? This photo seems a bit Totti.
a***@yahoo.com
2018-02-13 07:14:15 UTC
Permalink
MSuzuqi San,

As I understood, you are both new to GNU/Linux and you are concerned with
your security and privacy. Good security requires good understanding of the
system. You can always change your GNU/Linux distribution or tune your system
settings for best security later, when you have learned better. It is free.
But you can't change your hardware for free. Also, specialized hardware (e.g.
libreboot laptops) are relatively quite expensive than their equivalents. So,
I would suggest you defer specialized hardware purchase for a later time,
when you have learned more about security and GNU/Linux, so that you will
know exactly what hardware/system you want to buy.

I would suggest just start with a typical (normal) PC or laptop and learn
GNU/Linux (and security setup) on it. I think it is the most cost efficient
way for you.

I am using GNU/Linux for a long time, I am also concerned with my security
and privacy, but I am still using a typical PC. To give a rough example;

* With Windows you have 10%-30% security (depending on your expertise)
* With GNU/Linux (typical PC) you have 50%-95% security (depending on your
expertise)
* With GNU/Linux (libreboot PC) you have 50%-%97 security
* With GNU/Linux (special hardware[*]) you have 50%-%99 security
(the % numbers are just symbolic, to give you a rough idea)

[*] Please see;
https://www.crowdsupply.com/eoma68/micro-desktop
http://lists.phcomp.co.uk/pipermail/arm-netbook/2017-December/015062.html
http://rise.cse.iitm.ac.in/shakti.html
http://rhombus-tech.net/riscv/shakti/m_class/

If you install non-free programs (some distributions offer such options) or
some other questionable programs (even though they are free) on GNU/Linux,
your security level can go down (this is why I have shown a large 50%-99%
security range). For "questionable program" examples please see;
https://trisquel.info/en/forum/web-browser

Therefore, whether you use standard PC (cheap) or specialized PC (expensive)
it will only change security level by 2%-4%. For this reason, I suggest you
start with a standard PC or laptop.

Wish you the best. :)
m***@icloud.com
2018-02-14 10:02:44 UTC
Permalink
Ramazanoglu bey,

I thought over what your suggestion. I am going to buy a libreboot laptop.
I am desiring to touch a cleaner machine, and I think I should see those
dirt. If they let he go to eat for playing safe, I will able to move it
symmetrically as my usual tried and favorite methods.
s***@anchev.net
2018-02-14 10:47:56 UTC
Permalink
Post by m***@icloud.com
1.Is there a perfect method to guard our electrical communication against
an attacks of peepers?

Only if you create your own network, completely isolated from the Internet.

For Internet: Abdullah's advice is perhaps the best compromise.
l***@dcc.ufmg.br
2018-02-14 16:58:12 UTC
Permalink
With your own isolated network you would only communicate with yourself,
i.e., not communicate. Free software end-to-end encryption, using
good-enough cyphers and protocols, is the solution. It works on the
Internet. That is for the data. For the meta-data, the best we have is Tor.
Both solutions imply compromises: user-friendliness and performance are
traded for privacy.
s***@protonmail.com
2018-02-14 17:11:16 UTC
Permalink
1. I don't think that was what he meant.

You can set up a communicative network with more people than yourself and
still be isolated from the Internet. I think that was what he meant.


2. You say: Free software end-to-end encryption, using good-enough cyphers
and protocols, is the solution. It works on the Internet.

How come there are people talking about encryption not being safe? And may I
ask for an elaboration on why that is the "solution"?


3. You say: That is for the data. For the meta-data, the best we have is Tor.

May I ask what you mean by this?
s***@anchev.net
2018-02-14 17:15:30 UTC
Permalink
Post by s***@protonmail.com
You can set up a communicative network with more people than yourself and
still be isolated from the Internet. I think that was what he meant.

Yes. But MB likes to twist words and argue over the twist :)
Post by s***@protonmail.com
How come there are people talking about encryption not being safe? And may
I ask for an elaboration on why that is the "solution"?

Encryption itself is safe but the endpoints are infected by proprietary
software running at ring -2 and -3 which means the private keys are not
protected. Read this post and watch the video linked inside it and you will
understand:

https://trisquel.info/en/forum/free-email-providers#comment-127945
s***@protonmail.com
2018-02-14 17:17:25 UTC
Permalink
Post by s***@anchev.net
Yes. But MB likes to twist words and argue over the twist :)
It seems so...
Post by s***@anchev.net
Encryption itself is safe but the endpoints are infected by proprietary
software running at ring -2 and -3 which means the private keys are not
protected. Read this post and watch the video linked inside it and you will
understand:

Allright, thanks. Perhaps I'll take a look.
m***@icloud.com
2018-02-14 18:19:23 UTC
Permalink
By the way, God is.
In 1995, I was at a something called cardozo or cardoso's house in the Cuba.
Santería is a system of beliefs...
https://en.wikipedia.org/wiki/Santer%C3%ADa
s***@protonmail.com
2018-02-14 18:28:15 UTC
Permalink
What?
l***@dcc.ufmg.br
2018-02-14 20:18:19 UTC
Permalink
Why should the communication go through "your own network"? Those are your
words. Isn't your interlocutor entitled to control the network carrying the
communication as much as you are? Should you and your interlocutor build a
network you administrate together? Good luck if an ocean separates you!
Should a network be built for each pair of contacts?
s***@vmail.me
2018-02-15 00:47:28 UTC
Permalink
By 'Own network' are you referring to using Mesh Network?
s***@anchev.net
2018-02-15 07:29:17 UTC
Permalink
Own network = a network in which you can communicate without external
interference, independent of company X, Y, Z.
m***@icloud.com
2018-02-15 14:43:02 UTC
Permalink
I would like to ask you question 2.
It looks that here is valuable many information. Thank you for everybody. I
was searching for information before make this thread. Now I have many
information as like homeworks.
Regarding the suppliers, I think that they should gather these information in
a website for a begginer can searchs basic information easily. You probably
understand other reasons from above. For me, it looks that Mr. Ramazanoglu's
opinion was almost enough. I don't still understand well about how effect
a router and a server on those persentage. But anyway, I understand 100% is
impossible. If they opened these information their website, I would not have
to make this thread. They were not going to make informed-consent with me. I
think that that is a customer's normal right. They said me they are busy. So
I spend quite a lot of my time for search information, criticize them. They
have ignored me while a week, twice or more. That excuse was busy, do it
yourself, you ask too much. Indeed, that might fact. But If they are busy,
much less they should make that website.
I think you probably can get this demerits for both customer side and
productor side than me. I can't see this merit.
How do you think this matter? Thank you for reading.
s***@anchev.net
2018-02-15 15:26:15 UTC
Permalink
First you should understand that this is capitalism and everyone is trying to
sell you something (even "free" things). Too much advertising and too heavy
marketing language is a sign to be noted. Look at how they speak, not only
what they say.

Personally I get in direct contact with the service provider and ask what I
am interested in. From the way they reply I understand what is the depth of
their technical expertise and with what attention they approach the questions
(level of support). If they ignore me or try to entice me too much - I note
this for myself too.

At the end I compare. Usually it is quite easy to choose the best (or least
worse) because in every field there are only a few who really shine.
m***@icloud.com
2018-02-15 16:57:51 UTC
Permalink
First, Although I am not a economist, but I have read Marx at least. i.e. I
understand why when I hand them money, I own the goods and what is dialectic.
Post by s***@anchev.net
At the end I compare. Usually it is quite easy to choose the best (or least
worse) because in every field there are only a few who really shine.

In fact, I told a lie to you, please forgive me. Because modern philosophy
regards everybody as liars. But we can't also summary this idea. I was
noticing that this possibility. That is seclusion. I can understand that your
thought. I also desire to seclude in peaceful world. But I have been living
in the bottom of the worldy ugly world since 20 years over. Indeed, that is
merit, but I guess that you are doubting that way. That is a closed world,
not opened world. But you like open and free. Because you have been seeing
how closed and non-free worlds corrupt their mind. Is that really all of your
agreement? If so, I might not like this world very much. It looks that
obiviously this philosophy relactive your philosophy. Should I reread...
s***@anchev.net
2018-02-15 17:19:48 UTC
Permalink
I simply explained what I do.
m***@icloud.com
2018-02-15 17:26:58 UTC
Permalink
I am just suggesting a third way.
s***@anchev.net
2018-02-15 17:30:02 UTC
Permalink
I thought you were asking.

Anyway it is quite difficult to understand your English, so I may have
misunderstood.
m***@icloud.com
2018-02-15 17:37:05 UTC
Permalink
I could receive your reply for my question.
So I suggested.
It is quite difficult to understand native's English. I probably have
misunderstood quite more than you :)
m***@icloud.com
2018-02-15 17:38:03 UTC
Permalink
I could receive your reply for my question.
So I suggested.
It is quite difficult to understand native's English. I probably have
misunderstood quite more than you :)
m***@icloud.com
2018-02-15 17:40:35 UTC
Permalink
This doble messages is not my fault, probably.
m***@icloud.com
2018-02-16 11:19:46 UTC
Permalink
May I ask you next related question?
• When a libreboot laptop in a their factory, it has no back doors, 100%
ensured.
• But whie it is shipping, there is a possibility of it is installed back
doors.
Is that correct?
If so, it looks that is obstruction of their business.
I want to know it.
s***@anchev.net
2018-02-16 15:04:59 UTC
Permalink
Post by m***@icloud.com
When a libreboot laptop in a their factory, it has no back doors, 100%
ensured.

1) All CPUs are currently buggy and are vulnerable to back doors (Spectre,
Meltdown). The software mitigations don't fix the hardware, only reduce the
risk partially.

2) Microcode is still proprietary

3) Other chips inside the computer may still have proprietary firmware
Post by m***@icloud.com
But whie it is shipping, there is a possibility of it is installed back
doors.

Maybe if you are Edward Snowden. Otherwise quite unlikely.
l***@dcc.ufmg.br
2018-02-17 00:34:31 UTC
Permalink
Spectre and Meltdown are not backdoors. They are attacks to read data in the
main memory that the process should not be allowed to read.
s***@anchev.net
2018-02-17 07:49:16 UTC
Permalink
They are not backdoors per se but because of their nature they open a huge
door to mischief.
o***@riseup.net
2018-02-16 16:53:47 UTC
Permalink
It's a reference to the possibility of a government agent opening the package
and tampering with the hardware to install a bug on it. Not very likely, but
this has been done before when the state has wanted to target an important
person.
m***@icloud.com
2018-02-16 16:35:10 UTC
Permalink
How about a librem laptop? Is it difficult to explain about other suppliers
for you here?
Mr. Ramazanoglu wrote,
* Use only pure libre and audited hardware
* Use only pure libre and audited software
* Encrypt your emails with GPG
* Ensure that there is no back doors to the encryption algorithm you use

That means there is a laptop which has no back doors.
And,
[ ] Is your CPU Shakti? (if not, please give its name and model)
* What is the name and serial number of your BIOS? [__________]
* What is the name and model of your GPU? [__________] .........

But then, if a producer states that our products have no back doors, then the
producer sold the product which has back doors, he lose trust. That is same
as that company. In this era, honest and sincere wins the end. Even if they
became blue color workers, they shouldn't evade their customers. It is not
late now. I am confident of they can smile the end, not far future, if they
don't lose sincere. They have a actual result that they have been fighting
for their conviction. That is people's happiness. But that company also has a
acual result that they contributed to development of people's convenience.
I think they should state facts honestly. If they keep sincere, people will
respect them the end.
a***@yahoo.com
2018-02-16 18:24:57 UTC
Permalink
Post by m***@icloud.com
How about a librem laptop?
Dear MSuzuqi San,

There are 3 segments in an email correspondence and several levels of
security in each segment.

Segments are (assuming you will exchange emails with me):
(A) Your computer : You can do your best in securing your computer. This is a
separate chapter by itself.
(B) Network : You can achieve the best security by disconnecting your PC from
internet and exchange encrypted emails via hand delivering USB flash sticks.
(C) My computer: You can do nothing about my computer, except encouraging me,
educating me, questioning me about my security precautions. If you decide
that I'm not secure enough, you can decline exchanging important emails with
me.

A crack in *any* one of these segments will leak information.

Security levels are (according to my own naming convention):
(1) Hobbyist's grade security ("Yay! Joe the hacker can't figure out what I
say!")
(2) Commercial grade tactical security
(3) Commercial grade strategical security
(4) Intelligence grade tactical security
(5) Intelligence grade strategical security

What level of security you need depends on what kind of information you
communicate over email. You need to achieve the *same* security level
homogenuously throughout *all* the segments. Overall security level of an
email is the security level of the weakest segment. For example, if you
achieved intelligence grade tactical security in your computer and the
network, but the other side (me) achieves only commercial grade tactical
security, then all your communications with me has the level of commercial
grade tactical security.

If you ask me how to secure your computer or the network, then I will need to
ask you: For what level of security?

It is same as securing a building: Do you want to secure it against casual
petty thieves? Or against organized crime? Conventional military attack?
Nuclear attack?

Assuming you want commercial grade tactical security: A typical PC with no
proprietary software on it, and exchanging PGP encrypted emails over internet
(and ensuring that the other side also takes the same precautions) should
suffice. For higher levels of security, the issue becomes more opinion-driven
and controversial.

As for the vendors not telling the truth about the backdoors, there are
several types of backdoors. It can range from a blatant backdoor planted by a
trojan (virus), to a subtle backdoor hidden in the CPU design. By "we have no
backdoors" they may simply mean that "we don't install backdoor trojans to
the systems we sell". It would be a technically correct statement. But, if
they say "we *guarantee* that our computer is free of any kind of hardware
and software backdoors", then they are simply lying, because no vendor can
give such a guarantee. Libreboot PC's included.
Mason Hock
2018-02-16 20:11:08 UTC
Permalink
Thanks for this excellent summary. Could you give an example of what you would consider strategical security? I'm a little unclear on what you mean by that.
a***@yahoo.com
2018-02-16 20:55:44 UTC
Permalink
Post by Mason Hock
Could you give an example of what you would consider strategical security?
I have not yet formally defined the difference between tactical and
strategical security. I use them interchangeably with "minor" and "major".
The transition is rather analogue, with a somewhat arbitrary line between
them. Your question forced me to think over it again.

I don't want to give a quick definition, as it needs some careful brooding
over, but I am inclined to say e.g. if a commercial or intelligence entity is
attacking your privacy by routine procedures, they can be considered
"tactical" attack (hence tactical security measures needed). If they single
out your correspondences and go out of their normal way by giving special
treatment to crack it, then I would say it is a strategical attack. E.g.
communications between two agents of a neutral country would be of tactical
importance. That of a country you are in war with would be strategical
importance.

For example, I would consider PGP encryption (with due diligence) as an
intelligence grade *tactical* security measure. But for intelligence grade
*strategical* security, I would again encrypt it, but treat it as if it still
is in plain text, and take additional precautions accordingly.

Though a better, more deterministic definition should be made, I think.
Including examples of attack vectors / defenses for each level.
f***@runbox.com
2018-02-17 02:34:48 UTC
Permalink
For example, I would consider PGP encryption (with due >diligence) as an
intelligence grade *tactical* security >measure. But for intelligence grade
*strategical* security, >I would again encrypt it, but treat it as if it
still is in >plain text, and take additional precautions accordingly.

How does encrypting something twice transform it from tactical to strategic?
It sounds like both of these are tactics/methods.

Strategic security would be taking into account different components and
coming up with a set of cohesive tactics to achieve security under a specific
threat model, including MITM attacks and physical attacks (which would make
double or multiple encryption useless).

Frankly, I'm skeptical that anyone would benefit from this kind of
conversation, or that anyone here could (or should) provide useful advise
beyond what you qualify as "Commercial grade tactical security." Mandatory
cartoon: https://www.xkcd.com/538/

If you truly want privacy in your communications and you are not a computer
security expert, better go for a walk in the park/woods with your
coconspirator(s). You'll get the added benefit of fresh air.
Mason Hock
2018-02-17 02:55:51 UTC
Permalink
Post by a***@yahoo.com
I would again encrypt
it, but treat it as if it still is in >plain text, and take
additional precautions accordingly.
How does encrypting something twice transform it from tactical to
strategic? It sounds like both of these are tactics/methods.
I think by "again" he meant "in this situation as well," not "a second time." I could have misunderstood though.
Strategic security would be taking into account different
components and coming up with a set of cohesive tactics to achieve
security under a specific threat model
My interpretation was that this is essentially what he was proposing.
Mandatory cartoon: https://www.xkcd.com/538/
Yep. Something I thought about when friends of mine began using their fingerprint to unlock their iTrackers instead of a password, and again when Micro$oft announced that Windblows would support facial recognition instead of a password, was that eventually they won't even need to torture you; they can just cut off your hand and/or head. So much more humane. Isn't technology amazing?
If you truly want privacy in your communications and you are not a
computer security expert, better go for a walk in the park/woods
with your coconspirator(s). You'll get the added benefit of fresh
air.
This is also true, when distance is not an obstacle.
f***@runbox.com
2018-02-17 03:24:47 UTC
Permalink
I think by "again" he meant "in this situation as well," not >"a second
time." I could have misunderstood though.

This is what I understood:
https://en.wikipedia.org/wiki/Multiple_encryption
My interpretation was that this is essentially what he was >proposing.
I have not yet formally defined the difference between >tactical and
strategical security. I use them >interchangeably with "minor" and "major".

This is an incorrect use of tactical and strategic. Perhaps it sounds fancier
on a pitch deck, but if what you mean is "minor" and "major", those words
will do. A tactic can be major and a strategy can be minor. They are
certainly not mutually exclusive terms.
Isn't technology amazing?
Yeah, the whole fingerprint and face recognition as your password is crazy.
s***@anchev.net
2018-02-17 07:57:17 UTC
Permalink
Post by Mason Hock
Micro$oft announced that Windblows would support facial recognition instead
of a password

That would be utterly stupid. One's face is not private data, especially in
the age of social networking with profiles full of pictures.

BTW M$ has very strange understanding of security. Some time ago I read that
when you encrypt your disk with Win10 your encryption key is automatically
uploaded to your profile at microsoft.com "so that it is safe and secure that
you will never loose it". (or something along these lines)
Mason Hock
2018-02-17 08:07:26 UTC
Permalink
Post by s***@anchev.net
That would be utterly stupid. One's face is not private data, especially in
the age of social networking with profiles full of pictures.
Exactly.
Post by s***@anchev.net
BTW M$ has very strange understanding of security. Some time ago I read that
when you encrypt your disk with Win10 your encryption key is automatically
uploaded to your profile at microsoft.com "so that it is safe and secure
that you will never loose it". (or something along these lines)
lol
o***@riseup.net
2018-02-17 13:43:56 UTC
Permalink
It's not just Microsoft. I saw an ad about a month ago advertising this
feature for Apple devices.
a***@yahoo.com
2018-02-17 11:42:06 UTC
Permalink
Post by Mason Hock
I think by "again" he meant "in this situation as well," not "a second
time."

Exactly. Using "again" and "but" words connected in a row, I thought I would
have conveyed that, but my English skills apparently failed me. Sorry for the
confusion.
a***@yahoo.com
2018-02-17 11:43:08 UTC
Permalink
Post by f***@runbox.com
Frankly, I'm skeptical that anyone would benefit from this kind of
conversation, or that anyone here could (or should) provide useful advise
beyond what you qualify as "Commercial grade tactical security."

Would discussing about security not benefit anyone? Well, I think otherwise.

As for advises, yes you are right, and I don't believe in giving and taking
advises through public forums either. But Mr. MSuzuqi seemed to be in need of
one, so I made a limited exception. I would generally rather peer discussions
than giving/taking advises.
Mason Hock
2018-02-17 02:37:08 UTC
Permalink
Post by a***@yahoo.com
Though a better, more deterministic definition should be made, I
think. Including examples of attack vectors / defenses for each
level.
I think that this would be valuable. Your framing of the issue is very logical and practical. I'm generally a fan of approaches like this that can solve one problem at a time, rather than waiting for a perfect solution that will solve all problems at once. Clearly identifying levels of security and what is needed to obtain each one, and then attempting to obtain as many as possible in a given situation seems wise.
s***@anchev.net
2018-02-17 08:32:32 UTC
Permalink
Instead of waiting one could take action. Waiting is like never filing a bug
report but simply expecting someone to find the bug and fix it. Or waiting
for someone else to identify the browser leaks just to say "how nice" or "how
bad". Or never learning because right now there are more "important" (usually
meaning more entertaining) things to do.

Approaching things step by step surely makes sense but only when there is a
clear plan and a possible goal. In case of security in current technology it
is known beforehand that absolute security is impossible and there is no real
plan. So it is a stepping towards nothing. Defining and working against
attack vectors is like blacklisting an infinite and incomplete list of hosts
one by one. This is not security but a perpetual escape from insecurity. That
is the root of the problem. The question "Is there a perfect method to guard
our communication?" has no answer because perfect means complete, finished,
not a continuous never ending process.
m***@icloud.com
2018-02-17 09:53:12 UTC
Permalink
That is the root of the problem. The question "Is there a perfect method to
guard our communication?" has no answer because perfect means complete,
finished, not a continuous never ending process.

I think so. I can understand somehow now. If before, I could not understand.

As this is a no possiblity question,
If you have a fuge factory, and a enough capital, and some artificial
satellites, and some rights for legality, can you make a perfect method?
s***@anchev.net
2018-02-17 11:18:49 UTC
Permalink
Post by m***@icloud.com
If you have a fuge factory, and a enough capital, and some artificial
satellites, and some rights for legality, can you make a perfect method?

Why do you think these are the factors needed to perfect security?

If you have these - you will most likely be visited by FBI/NSA/CIA personally
and be told "You should do this or... (add any terrible things you can
imagine to complete the sentence)".
m***@icloud.com
2018-02-17 12:15:08 UTC
Permalink
Because I just guessed that those are the basic factors, if e.g. Swiss or
Cuba etc 's government tries to realize that philosophy.
It looked there is the possibility just on a satellite.
s***@anchev.net
2018-02-17 12:43:45 UTC
Permalink
For some it is simply staying Ecuador's embassy.
a***@yahoo.com
2018-02-17 12:19:51 UTC
Permalink
Post by s***@anchev.net
Approaching things step by step surely makes sense but only when there is a
clear plan and a possible goal. In case of security in current technology it
is known beforehand that absolute security is impossible and there is no real
plan.

The goal is to strike the best compromise, based on one's security model. So,
the fact that absolute security is impossible, shouldn't automatically
translate into there is no goal and no real plan.
Post by s***@anchev.net
So it is a stepping towards nothing.
Towards the best (or at least, better) compromise.
Post by s***@anchev.net
This is not security but a perpetual escape from insecurity.
Security is a never ending race, between the cat and the mouse :) where the
predator can also simultaneously be a prey, and vice versa.
s***@anchev.net
2018-02-17 12:43:06 UTC
Permalink
Post by a***@yahoo.com
The goal is to strike the best compromise
Then please define clearly and unambiguously "best compromise" explaining:

- why it is best (and can't be any better)
- what exactly is compromised (and cannot be otherwise)

Otherwise without actual measures it is really heading for the horizon which
is not a goal.
a***@yahoo.com
2018-02-17 12:55:06 UTC
Permalink
Post by s***@anchev.net
Then please define clearly and unambiguously "best compromise"
Simply having the least vulnerabilities relative to a given functionality. It
is a goal, not an accomplishment.
s***@anchev.net
2018-02-17 16:16:16 UTC
Permalink
If you can't measure it "best" and "least" have no meaning. A goal is not
merely a direction of movement.
m***@icloud.com
2018-02-16 21:08:29 UTC
Permalink
Dear Ramazanoglu bey,

Please call me TaizoMoteKingSaga at ease.
And excuse me for having let you guys explain maybe redundant things many
times.
Those are the most advanced information of this world, so very interesting
and luxurious experience.
If I can send the USB stick by postal delivery, it is useful. It looks I and
my opponent need a just typical and perfectly disconnected PC and GnuLinux
and maybe a pysical shelter.
But I consider a while. And I will keep seeing your discussion and search
older threads. These your answers cleaned my question mostly.
I will sometimes put a joke between your discussion, then someday, I will
become an asking vampire again.
It looks the situation is quite bad, but it looks public opinion is quite
good to you, and it will lean your side increasingly.
You can anytime send email or paper mail or call me. I set my email address
open later.
a***@yahoo.com
2018-02-16 21:21:50 UTC
Permalink
Post by m***@icloud.com
Please call me TaizoMoteKingSaga at ease.
Taizo Mote King Saga = Thanksgiving

My Japanese is not very good, but from translation engines I gather it as a
thank you.

You are welcome. :)
l***@dcc.ufmg.br
2018-02-17 00:42:05 UTC
Permalink
Assuming you want commercial grade tactical security: A typical PC with no
proprietary software on it, and exchanging PGP encrypted emails over internet
(and ensuring that the other side also takes the same precautions) should
suffice.

It suffices Edward Snowden, who successfully communicated with Laura Poitras
and Glenn Greenwald that way. For months before meeting them in Hong Kong.
Without raising a flag at the NSA or any of its partners. Yet, your
"commercial grade tactical security" is only level 2/5 on your scale, which
therefore does not look very reasonable.
a***@yahoo.com
2018-02-17 11:40:09 UTC
Permalink
Post by l***@dcc.ufmg.br
It suffices Edward Snowden, who successfully communicated with Laura
Poitras and Glenn Greenwald that way. For months before meeting them in Hong
Kong. Without raising a flag at the NSA or any of its partners. Yet, your
"commercial grade tactical security" is only level 2/5 on your scale, which
therefore does not look very reasonable.

You may have a point there, but using encryption on GNU/Linux is the bare
minimum needed against commercial intrusion. Less than that, and you are not
even protected agaist commercial intrusion. The fact that he exchanged top
secret encrypted emails with correspondents probably using *PGP on Windows*
(a bad joke) doesn't make the underlying security scheme suitable, even if he
was lucky enough to escape it. He might as well have used plain text email on
Windows and still not detected, but this wouldn't make it suitable for top
secret communications either, would it?

So Edward Snowden was using hardened GNU/Linux? Then Snowden or one of his
close friends should be quite a security guy and/or fluent with FOSS.
Interesting that. I wonder where he got his laptop from. And he insisting on
his correpondents must use PGP (on Windows!) before he can communicate with
them over email is even more interesting. Given that he was conscious enough
to use PGP on hardened GNU/Linux, I would have either (a) given my
prospective correspondents an exhaustive recipe, or (b) not used email at
all. And the fact that he managed to not get caught in spite of *that*
security flop is still more interesting.

It seems that it was not Edward Snowden's security savvy, but simply that NSA
et.al. have botched it big time - on purpose or not.

That being said, there are other aspects of security and privacy. Firstly,

(1) I like standing on the safe ground and keep a good dose of safety margin.
So I would rather err on the side of caution.

(2) We cannot afford to take - good or bad - examples as precedents in
defining our security measures. We have to account for the threat
*potentials* (and add a healthy dose of margin on top of it) to define them.

Second, there are certain curiousities with Edward Snowden case.

(3) Edward Snowden might have exploited the status of having a low profile
(i.e. not being singled out) by then. I don't know the details of his story
yet, but if he was not singled out by NSA prior to his communications with
the media, then his encrypted communications might not be scrutinized. Also,
he might have taken his chances (as it seems so) and been just lucky.

(4) Edward Snowden, Julian Assange... I take such incidents with a small dose
of salt. I don't want to delve into it as it is controversial. While I am not
skeptical, I don't take anything for granted either.

Anyway, regardless of Snowden case, (1) and (2) is enough for me to adopt
more strict measures than it is perceivably necessary. (Not that I apply
myself everything I say.)

A separate topic to discuss vulnerabilities, possible attack vectors and
defenses would have been nice, and I had hoped that of the security thread in
troll lounge, albeit it has diverged into something else.
s***@anchev.net
2018-02-17 12:02:48 UTC
Permalink
I dare to say that E.S. seems to me not quite thoughtful of the lower ring
issues. In his Twitter feed he merely says "Use Tor, use Signal" which is
meaningless considering the former. This makes me question the actual
competence of the guy as these are really superficial statements (even more
considering what you say - windows etc).
And the fact that he managed to not get caught in spite of *that* security
flop is still more interesting.

Well, let's not forget that just because we consider that something is
possible (a low lever back door) doesn't mean it is necessarily easy,
especially in particular circumstances, e.g. accessing the machine behind a
firewall, or having it online for too short time to perform an attack.
Additionally as an NSA employee he surely knows how his colleagues would
proceed, so he may be able to avoid certain attacks through that info, at
least in a certain time span until they develop new strategies. So that may
be a factor of "luck" as well.
A separate topic to discuss vulnerabilities, possible attack vectors and
defenses would have been nice, and I had hoped that of the security thread in
troll lounge, albeit it has diverged into something else.

We still have that but perhaps it deserves a thread of its own. But what
more/new could we really say about it? As you can see in the video I linked
there is some research going on. Perhaps you can join that approach if you
feel going down to the oscilloscope level but it seems to me reverse
engineering (mouse) will never beat evil engineering (cat) and its
legislation at mass scale (tiger).
a***@yahoo.com
2018-02-17 12:49:43 UTC
Permalink
As you can see in the video I linked there is some research going on.
Perhaps you can join that approach if you feel going down to the oscilloscope
level...

Unfortunately I was unable to watch the video as I don't (can't) do
multimedia on internet, because of my deliberate low quota plan. The reason
being; (which also happens in line with my way of dealing with security and
privacy)

https://trisquel.info/en/forum/vulnerable-meltdown#comment-126742

Your mentioning of oscilloscope suggests me that the video might be about
targeted / side channel attacks. Well, if you are targeted, then there is
really not much options to escape it. There are zillion ways of targeted
attacks and it is virtually impossible to defend against all of them. To give
an example, let me steal a line from the security thread in troll lounge.
9) Targeted attacks (bugging, window listening, etc.)
There is an interesting targeted attack vector that few people knows: Window
listening by laser

Everyone knows the working principle of a microphone: A membrane that
vibrates along sound waves in the environment, and an electrical rig
(resistance that varies with membrane position) to convert mechanical
vibration of the membrane to electrical fluctuation.

Well, a glass window is the best membrane one can think of. There is no
better. But how to pick the vibrations of your lounge window and convert that
to electrical signals?

An invisible laser beam is directed to the center of your window from
hundreds of meters away. Reflected beam vibrates in sync with your window.
Vibration of this reflected beam is converted to electrical signal. (E.g.
shed on a fluorescent surface sensitive to laser's wave length, then the
illuminated surface taken in by camera, and then digitized by an image
processing software. Many other methods are possible.)

No microphone as sensitive as this (1-meter membrane!) is ever produced.

They would hear the foot steps of a mosquito in your lounge.

I can think of no defense against this one, except injecting synthetic
mechanical "white noise" (a "hiss" sound with frequency spreading
characteristics of natural human voice) onto your windows ($$$$) or walling
all your windows. (Moving to basement would equally do)

This is just one (targeted attack) vector. So,
...but it seems to me reverse engineering (mouse) will never beat evil
engineering (cat) and its legislation at mass scale (tiger).

I agree as far as *targeted* attacks go.
s***@anchev.net
2018-02-17 16:45:50 UTC
Permalink
The video is a short presentation by Trammel Hudson who talks about securing
the boot process through replacement of proprietary BIOS/UEFI with
https://www.linuxboot.org/
Post by a***@yahoo.com
Well, a glass window is the best membrane one can think of. There is no
better.

If that was true animals with high sensitivity to sound would have glass
windows inside their ears :)
l***@dcc.ufmg.br
2018-02-17 12:54:18 UTC
Permalink
Edward Snowden might have exploited the status of having a low profile (i.e.
not being singled out) by then.

I would estimate that 99.9999% of the people have a lower profile than a NSA
contractor with top-level permissions! For those people, GPG on a free
software operating system (such as Trisquel) is apparently sufficient or more
than sufficient.

Even if GPG is not necessary, given somebody's threat model, using it helps
those who really need it (whistle-blowers, political dissidents, etc.):

using GPG would not raise a flag (assuming it still does), if the vast
majority of GPG users only encrypt uninteresting messages;
to the best of our knowledge, even the most powerful agencies can only afford
the computing power to decrypt a tiny number of such messages (probably
uninteresting ones given the previous point), if good-enough ciphers are
used.
a***@yahoo.com
2018-02-17 13:52:31 UTC
Permalink
Post by l***@dcc.ufmg.br
I would estimate that 99.9999% of the people have a lower profile than a
NSA contractor with top-level permissions...

Yes I agree with that. I have used "low profile" as in "not singled out" and
have explicitly stated that.
Post by l***@dcc.ufmg.br
For those people, GPG on a free software operating system (such as
Trisquel) is apparently sufficient or more than sufficient.

I think on the contrary, an agent using encrypted communications would be
less suspect arising than average people doing the same, as it is only normal
and natural for an agent to use encryption.

But all these doesn't explain his correspondents' security weaknesses, namely
PGP on Windows. Edward Snowden has *got to* know better than to fall into
that. I have a vague feeling that all this "either get PGP or I won't
communicate" thing might well be a theatrical act. Smells curiously fishy to
me.
Post by l***@dcc.ufmg.br
1. using GPG would not raise a flag (assuming it still does), if the vast
majority of GPG users only encrypt uninteresting messages;

Agreed. Mass penetration stays as a major issue with PGP.

2. to the best of our knowledge, even the most powerful agencies can only
afford the computing power to decrypt a tiny number of such messages
(probably uninteresting ones given the previous point), if good-enough
ciphers are used.

Providing all the other holes and cracks are sealed. Then again, tactical
attack (mass surveillance) and strategical attack (targeted surveillance) are
quite different things. Once they single you out, somehow, then you are faced
with a whole new dimension of security challenges.

Regarding the other holes and cracks, if they can read my private key through
a backdoor embedded e.g. in the CPU (no, I am not necessarily talking about
meltdown and spectre) then they wouldn't have to crack it. How many holes do
we have in hardware and software we use? We never know.
o***@riseup.net
2018-02-17 14:18:19 UTC
Permalink
Post by a***@yahoo.com
But all these doesn't explain his correspondents' security weaknesses,
namely PGP on Windows. Edward Snowden has *got to* know better than to fall
into that.

Snowden used Tails, not Windows. This was also what he had the journalists he
talked to use.
a***@yahoo.com
2018-02-17 14:24:26 UTC
Permalink
This was also what he had the journalists he talked to use.
I knew about Snowden, but didn't know about his correspondents. So they too
were on Tails. It makes sense now.
l***@dcc.ufmg.br
2018-02-17 14:27:11 UTC
Permalink
I think on the contrary, an agent using encrypted communications would be
less suspect arising than average people doing the same, as it is only normal
and natural for an agent to use encryption.

Laura Poitras is not an agent. She was on the watch list of the Department
of Homeland Security before she even knew Snowden existed. And Glenn
Greenwald, who is not an agent either, wrote about it at that time, what
certainly put him on that same list, if he was not on it yet. See
https://deadline.com/2012/04/documentary-directors-protest-homeland-security-treatment-of-helmer-laura-poitras-254291/
for instance.

I have a vague feeling that all this "either get PGP or I won't communicate"
thing might well be a theatrical act. Smells curiously fishy to me.

That probably allowed him to reveal the NSA documents and still be alive
today. That does not look theatrical to me.
a***@yahoo.com
2018-02-17 15:16:01 UTC
Permalink
Post by l***@dcc.ufmg.br
Laura Poitras is not an agent. She was on the watch list of the Department
of Homeland Security before she even knew Snowden existed. And Glenn
Greenwald, who is not an agent either,

You raise a valid point here. That people singled out by and under scrutiny
of NSA were *apparently* able to communicate securely, under the nose of NSA,
by just using a hardened GNU/Linux (Tails) and PGP.

For one, as I have already stated in one my posts above, I don't take
examples as precedents.

Second, I am not assuming anything. It could be due to luck, it could be due
to the plan, it could be something else.

It (the whole lot of the story) could still be some kind of theatre. I can't
guarantee that it was *not* a premeditated scenario by the Big Brother. There
are already a couple of reasons coming to my mind, and there may be much
deeper reasons than those.

E.g.;

* Such an incident would intimidate people to self-censoring.

* It indirectly implies that: "All these security fuss is really much ado
about nothing. Just use Linux and PGP and you are good to go - even against
NSA even when they single you out. Relax people, already!" A substantial and
subliminal message to all.

We can't assess the stakes involved, the greater plan. We can't talk for the
Big Brother. So neither assertion, nor rejection (of such shenanigans) would
make sense.

That carries me to my starting point: That I don't make assumptions, and I
don't take examples as precedents.
s***@anchev.net
2018-02-17 16:56:45 UTC
Permalink
I don't know if anyone has ever considered the possibility of E.S. being a
deliberately created figure (for various purposes). To me it seems quite
possible. NSA surely knows his location and can expunge him at any time. But
they don't.

s***@anchev.net
2018-02-16 23:40:47 UTC
Permalink
Post by m***@icloud.com
That is people's happiness.
I think they should state facts honestly. If they keep sincere, people will
respect them the end.

No merchant cares about your happiness. The convenience they sell to you is
just a tool to put you to sleep, so they can exploit you more efficiently. In
such environment honesty is impossible.

There is this newly emerging trend to sell "ethical" devices which I think
will become more popular as surveillance increases. So ethics is becoming
corrupt too. Wherever there is a scheme for reward and punishment there is
corruption. And in current state of technology it is inevitable because it
requires extreme expertise and extreme resources - things which are managed
by companies through reward-punishment models. Just like it has always been
in human history with everything. Unless that pattern is broken, expect more
misery.
l***@dcc.ufmg.br
2018-02-17 00:43:57 UTC
Permalink
There is this newly emerging trend to sell "ethical" devices which I think
will become more popular as surveillance increases. So ethics is becoming
corrupt too.

"Popular" implies "corrupt"?!
m***@icloud.com
2018-02-17 14:41:31 UTC
Permalink
I call that Master/Dog system. But over 99% people live under the system. The
master is someone's dog. ( I don't dislike dogs. ) So I hate classes.
I think the important thing is how people use the merchant for their
happiness. Why do you work for libre? You just like ilibre is the best
healthy answer, I suppose. The merchant concerns people's happiness.
Most people cannot even normal talking as you guys know. But their talking
level was improved quite well. I think the primary reason is computer exist.
They are learning how to speak by a device. They can see others's chat, they
can send sns very cheap, they can learn e.g. what is informed-consent, where
is a good seller, even a bad seller.
So many bad companies would have bankrupted by information on the internet.
People is the strongest, they are ruling the economy as economy class. If
most them become to dislike a product, they bankrupt. Even public system
cannot ignore that rule. People have been learning what they are doing quite
fast. Sooner or later, people understand that system. Even if they tryied to
control that by surveillance, it must just delays that except they erase
whole internet infrastructure. Their child will be mixed up that. They should
have noticed that living is too risky when they know the being of the
internet. The time comes literal "sooner or larer".
So I don't think they are clever. Those mean why they should sell their
product sincerely. I know that is very difficult in this environment.
In such environmantal honestly is impossible.
If you state "... is very difficult." , I agree. Surely, that would almost
impossible.
But I desire my works will be both theirs and mine benefit. I don't want to
cheat them. I don't buy goods from cheats basically, and there are a few
really sincere and passionate productors.( e.g. they make excellent organic
vegitables. very cheap and unique method) I can search them by this iPhone.
But then, it looks not a big profit though... I like them. Do you separate
your taste and business?
s***@openmailbox.org
2018-02-17 14:59:41 UTC
Permalink
このフォーラムにようこそ。
残念ながら、日本のメンバーが少ないですから貴方の
参加が嬉しいです。
私の日本語の能力が足りないですが多少なりとも手伝えたら,
一生懸命手伝いたいです。
文法間違いましたらすみません。
m***@icloud.com
2018-02-17 15:57:40 UTC
Permalink
いや文法ほぼ完璧です。たまにすごい自分の英語の能力に恥ずかしくなったりします。今もアブドゥラさんの文を読んでて、もう辞書引きっぱなしみたいな感じになって少し落ち込んでました。書いた事に後悔する時もありますし。ちょっとオレでかい面し過ぎなんじゃないの?みたいな感じです。でも皆さん良くしてくれて楽しかったです。
参加が嬉しいですと言われると本当に嬉しいです。良かったです、スレッド立ててみて。
ちっちゃなお礼として、量子重力さんの文を、自然な感じにすると、

フォーラムにようこそ。
残念ながら日本のメンバーが少ないものですから、貴方がご参加下さった事を嬉しく思います。
それほど日本語がうまくはありませんが、お手伝いさせて頂ける事がございましたら、全力でサポートさせて頂きたいと思っております。
文法を間違えておりましたら、恐縮です。

これは、極めてフォーマルではないですが、十分フォーマルで、普通のビジネスマンが使う敬語並みという感じの表現です。
なんかここら辺、日本語使える人多いですね。
ありがとうございます。心強いです。よろしくお願いします。
Loading...