[liberationtech] the 14th reason not to start using PGP is out!

[carlo von lynX]

On 11/24/2013 12:38 PM, Tempest wrote:
>carlo von lynX:
>>Hmmm.. if you're anonymous, then you don't have friends to email with...
>that is an incredible logical fallacy. myself and many others
>communicate with each other without having the sligtest amoont of
>knowledge as to who each other actually are.

Ok, Mr Tempest. Now that I understand your point of view better I see
that it is a very unusual use case you have there. You are not my target
audience. For your use case PGP may just be superfine. I am talking about
the people that are currently exposing all of their social and private
life over Facebook, SMS and E-Mail. These folks should be able to speak
to their real life friends without being graphed and mapped. Btw, you
bypassed all of my criticism for your proposed solution, so there isn't
very much left to say.


On Sun, Nov 24, 2013 at 02:41:18PM -0500, Jonathan Wilkes wrote:
> >>Pond, Cables, Bitmessage, Susimail, Briar, I2PBote.. even RetroShare
> >>does that part right.
> 
> But what about Cables?  Would those Silk Road users you reference
> have been more or less safe if they had used Cables instead of
> GPG-with-Tor?

We are still talking about a scenario that is not my main focus, but..
yes. They would be safer. In detail:

- Whoever has been talking over silkroad in the clear is subject to
  investigation immediately.
- Whoever has been using PGP with the same id as in regular e-mail
  (and OpenPGP leaked it, check Fabio's thread next to this one)
  might be getting visitors at home.
- Whoever else has been using PGP is postponed for later analysis,
  either should in some other way the suitable private keys surface,
  or because someday all of that will be decrypted.
- At that point it depends on whatever is in there, if it is still
  going to get people to jail.
- Depends also on the state of democracy and justice, if limitation
  period and due process are still state of the art.
- Should those people have exchanged PGP only to then bootstrap a
  communication over safer means, then they would indeed be safer.

So the question is, what IS safer?

Arguably something that uses DJB's elleptic curves, in any case
something that does forward secrecy, but since even that will one
day be decryptable, what really counts is how the communication
is lost in much larger amounts of cover traffic and transmission
obfuscation. A tool like Pond makes it hard for an attacker to
figure out what he should try to decrypt - should he one day have
the processing power to try. That is why it is much safer than PGP
on some .onion website, where the valuable content is just waiting
to be processed. Still, if you don't trust tools like Pond, you can
always embed PGP into them - that makes them double bullet proof.

I'm describing Pond because I think I understood its architecture
the best, but the other tools might be just as good. Pointing out
how the new code hasn't been reviewed yet only re-enforces the need
to do so.

But, I repeat, it is not my interest to keep people out of jail.
I am interested in the respect for the constitution to avoid us
experiencing a further degradation of the quality of democracy.
So when you use PGP instead of something more advanced, it is
not about you. It is about us all.