Discussion:
Signal Threatens to Leave UK Over New Law,
Nomen Nescio
2024-03-15 23:47:29 UTC
Encrypted communications app Signal is mulling an exit from the UK
market in response to a new law threatening its core operational model,
while E2EE email service provider Tutanota is taking the opposite
approach, pledging to stay and help the British protect their
communications from government scrutiny.
Instead of an encryption service, use PGP.
http://www.rossde.com/
Excellent advice. Unfortunately, for the vast majority of the public, this
advice is about as acceptable as a glass full of castor oil.
Stainless Steel Rat
I agree SS Rat.
Even before you get to the PGP stage, you'd be battling for the majority to
string two cognitive sentences together, let alone accept that PGP
might be the way to go.

At 70 years of age I've given up expecting any of my family, associates or
friends to use it. I find the dumbing down of communication very depressing.

Just to demonstrate this further, examine a bit closer some of the
famous UAP researchers.
A lot of them expect whistleblowers to contact them either through a
very unsecure website, or their site never ever supplies their public key!
One even thought Facebook was an acceptable idea.
I've tried to explain to one in particular, that writing in the clear,
destroys any attempt at privacy and anonymity for both the sender and receiver.
Therefore why would a whistleblower with 1st hand evidence consider
making contact.


Cheers
Fred
Anonymous
2024-03-16 10:58:13 UTC
Post by Nomen Nescio
Therefore why would a whistleblower with 1st hand evidence consider
making contact.
Make contact through a nym account with your PGP key added
to the message and ask for an encrypted conversation in
case they are interested in some confidential information.

OmniMix is your friend!
D
2024-03-16 12:23:18 UTC
Post by Anonymous
Post by Nomen Nescio
Therefore why would a whistleblower with 1st hand evidence consider
making contact.
Make contact through a nym account with your PGP key added
to the message and ask for an encrypted conversation in
case they are interested in some confidential information.
OmniMix is your friend!
Btw, isn't omnimix windows only?
Linux Guy
2024-03-16 15:27:30 UTC
Post by D
Btw, isn't omnimix windows only?
It works very well in Linux Wine.
https://danner-net.de/omom/tutorinstall.htm
Nomen Nescio
2024-03-16 18:34:28 UTC
On Sat, 16 Mar 2024 13:23:18 +0100, in article
Post by D
Post by Anonymous
Post by Nomen Nescio
Therefore why would a whistleblower with 1st hand evidence consider
making contact.
Make contact through a nym account with your PGP key added
to the message and ask for an encrypted conversation in
case they are interested in some confidential information.
OmniMix is your friend!
Btw, isn't omnimix windows only?
But it's a server you can access from throughout your network, and with
its .onion addresses even from abroad.
Anonymous
2024-03-16 12:31:40 UTC
Post by Anonymous
and ask for an encrypted conversation
Good luck with asking a nice normal citizen
to twist their brain with pgp.
🌈💐🌻🌺🌹🌻💐🌷🌺🌈Jen🌈💐🌻🌺🌹🌻💐🌷🌺🌈 Dershmender 💐🌻🌺🌹🌻💐🌷🌺🐶笛🌈💐🌻🌺🌹🌻💐🌷🌺🌈
2024-03-16 12:50:05 UTC
On Sat, 16 Mar 2024 12:31:40 +0000, LO AND BEHOLD; Anonymous
<***@yamn.paranoici.org> determined that the following was of not
great importance to Anonymous <***@yamn.paranoici.org> and
subsequently decided to NOT freely share it with us in
<***@yamn.paranoici.org>:

> On Sat 16 Mar 2024 1:58 pm, Anonymous wrote:
> > and ask for an encrypted conversation
>
> Good luck with asking a nice normal citizen to twist their brain with
> pgp.
>

Are you mocking the number of regimes toppled by APAS loonies?
--
"If you worried half as much about your own personal life as you do everyone else's, you might almost be tolerable, obsessed stalker." -James "Checkmate" Gorman, in perhaps the most ironic and mentally-challenged statement ever made on Usenet. <***@usnews.blocknews.net>

"Trying to diminish others doesn't make you look any better. In fact, it does quite the opposite. Why are you always so bitter and angry? Do you have AIDS or something like so many other tranny girls do?" -James "Checkmate" Gorman in <***@test.blocknews.net>

"You should see my archive on you" -James "Checkmate" Gorman teases us with his "dosser" in <***@usnews.blocknews.net>

Golden Killfile, June 2005
KOTM, November 2006
Bob Allisat Memorial Hook, Line & Sinker, November 2006
Special Ops Cody Memorial Purple Heart, November 2006
Special Ops Cody Memorial Purple Heart, September 2007
Tony Sidaway Memorial "Drama Queen" Award, November 2006
Busted Urinal Award, April 2007
Order of the Holey Sockpuppet, September 2007
Barbara Woodhouse Memorial Dog Whistle, September 2006
Barbara Woodhouse Memorial Dog Whistle, April 2008
Tinfoil Sombrero, February 2007
AUK Mascot, September 2007
Putting the Awards Out of Order to Screw With the OCD Fuckheads, March 2016
Nomen Nescio
2024-03-16 15:17:23 UTC
Post by Anonymous
Post by Anonymous
and ask for an encrypted conversation
Good luck with asking a nice normal citizen
to twist their brain with pgp.
We're talking about reporters and investigators, for
whom confidentiality in communication is mandatory.
So it's their duty to know about ciphering methods.
Anonymous
2024-03-16 18:46:42 UTC
Post by Nomen Nescio
So it's their duty to know about ciphering methods.
Sir, yes Sir.
🌈💐🌻🌺🌹🌻💐🌷🌺🌈Jen🌈💐🌻🌺🌹🌻💐🌷🌺🌈 Dershmender 💐🌻🌺🌹🌻💐🌷🌺🐶笛🌈💐🌻🌺🌹🌻💐🌷🌺🌈
2024-03-16 12:48:08 UTC
On Sat, 16 Mar 2024 10:58:13 +0000 (UTC), LO AND BEHOLD; Anonymous
<***@remailer.paranoici.org> determined that the following was of
not great importance to Anonymous <***@remailer.paranoici.org> and
subsequently decided to NOT freely share it with us in
<***@remailer.paranoici.org>:

> Nomen Nescio <***@dizum.com> wrote:
>
> > Therefore why would a whistleblower with 1st hand evidence consider
> > making contact.
>
> Make contact through a nym account with your PGP key added to the
> message and ask for an encrypted conversation in case they are
> interested in some confidential information.
>
> OmniMix is your friend!
>

Get yourself a sharpie and scribble on the wall of a pisser if you think people take anon communication seriously.
Yamn Remailer
2024-03-16 15:13:00 UTC
Post by 🌈💐🌻🌺🌹🌻💐🌷🌺🌈Jen🌈💐🌻🌺🌹🌻💐🌷🌺🌈 Dershmender 💐🌻🌺🌹🌻💐🌷🌺🐶笛🌈💐🌻🌺🌹🌻💐🌷🌺🌈
Get yourself a sharpie and scribble on the wall of a pisser if you think people take anon communication seriously.
Am I anyone's nanny? No, not my business.

I only need to care about my own privacy
and am glad to have appropriate tools,
which don't require the goodwill of others.
Nomen Nescio
2024-03-17 20:52:47 UTC
Before continuing with "How To Send Anonymous Email" please take a moment to check out your
FREE or premium service E2E encrypted email provider here: https://tuta.com/pricing
Get off Hotmail, Gmail or whatever you're using and send your email encrypted so that your
ISP or email provider can't profile you. FREE and premium services! END TO END ENCRYPTION!!!
https://tuta.com/pricing

Hotmail and all non encrypted email providers can read your email and that's a NO NO!!!!

NO NEED TO DOWNLOAD SOFTWARE!!!

How to send anonymous mail manually...

The first thing you need to do is check the stats of the remailer/s you want to use...

Remailer Reliability Stats: https://www.mixmin.net/echolot/rlist2.html
https://tincture.ws/pinger/classic/rlist2.html
Encrypt Everything: https://gnupg.org/download/

Then get their keys...

Remailer key for hsub: https://groups.google.com/g/alt.privacy.anon-server/c/HGKfUsks2Hg
Remailer key for shalo: https://groups.google.com/g/alt.privacy.anon-server/c/QtTm2-Spi7c
Remailer key for paranoia: https://groups.google.com/g/alt.privacy.anon-server/c/Sbw708Rgkmo
Remailer key for dizum: https://groups.google.com/g/alt.privacy.anon-server/c/C7tk1vFkSS8
Remailer key for frell: https://groups.google.com/g/alt.privacy.anon-server/c/_q6eQoBXHjI

How To Send Anonymous Email / Posts Manually

Sending manually eliminates the need for software on your computer which could have a backdoor!

These are the fundamental instructions to understand how remailer messages are created and this
will help you to understand how remailers work.

If you want to send an anonymous message, first of all create a file containing:
- two colon signs ( :: ) in the first line,
- the phrase "Anon-To: e-mail address" in the second line
whereby the e-mail address should be the address the remailer will send the message to.
The third line should be empty and the message text will follow.

For Usenet posts you must use: Anon-Post-To: rec.sport.football.college or the target group.
For rec.arts.tv you would use: Anon-Post-To: rec.arts.tv and so on.

e.g.:

2 colons on the first line.
Anon-To: or Anon-Post-To: on second line.
One blank space line. (third line)
2 hash tags. (fourth line)
Subject: (fifth line)
One blank space line. (sixth line)
Start message on 7th line.

Type your message eg:
____________________________________________________________________________________
::
Anon-Post-To: rec.sport.football.college

##
Subject: Going To War (or whatever your subject is)

War is about to break out in...

(now encrypt above message with the remailer key of the remailer you're sending it to
and when ready to send it should look something like below)

::
Encrypted: PGP

-----BEGIN PGP MESSAGE-----

owE1jMsNwjAUBH3gZMk9PClnUoBPUANpwElW2OBPZD8H0gd1UCP2gduuNDNfj
IcSHT4zCbQmtlbzGFM9T0jSD7QVvEzaPcUlBSSWHQclbnR9YWJNp5BFSLdR9s
CijF3NGxybry/1Rsqn4la3a0JiIhLvnYGCu9HFtiC8oIxnlkeuIYe+EH=HgDa
-----END PGP MESSAGE-----

=============================================================
::
Anon-To: ***@example.org

Write here your message
=============================================================

Remailers only accept messages encrypted through PGP or GPG, so your message must be encrypted
with the remailer public key, which you can get by sending a message to the remailer
(***@remailer.paranoici.org) and by entering "remailer-key" in the subject.

So the above message must be encrypted with the remailer PGP key and eventually sent to
***@remailer.paranoici.org by entering two colon signs at the beginning of the message
and, in the second line, the phrase "Encrypted: PGP" followed by the previously encrypted
message.

=============================================================
From: ***@test.com
To: ***@remailer.paranoici.org

::
Encrypted: PGP

-----BEGIN PGP MESSAGE-----
Version: 2.6.3i

owE1jMsNwjAUBH3gZMk9PClnUoBPUANpwElW2OBPZD8H0gd1UCP2gduuNDNfj
IcSHT4zCbQmtlbzGFM9T0jSD7QVvEzaPcUlBSSWHQclbnR9YWJNp5BFSLdR9s
CijF3NGxybry/1Rsqn4la3a0JiIhLvnYGCu9HFtiC8oIxnlkeuIYe+EH=HgDa
-----END PGP MESSAGE-----
=============================================================

The remailer will decode your message and send it anonymously. If you want to include a subject
or other headers which shouldn't be filtered by the remailer, you can enter them as explained
below before encrypting the message for the remailer:

=============================================================
::
Anon-To: ***@example.org

##
Subject: Re: Twofish
In-Reply-To: Your message of "Tue, 12 Jan 1999 22:47:04 EST."
<***@example.com>

Message text
=============================================================

Even if PGP encryption is very safe, using a remailer in the simplest way is not the best system
for protecting your identity. Therefore, you can tell the remailer, for instance, to keep the
message you've sent for a certain period of time and to forward it later so as to avoid the
so-called traffic analysis.
If you enter the header Latent-Time: +2:00, your message will be delayed by 2 hours, while if you
use the syntax Latent-Time: +5:00r, you'll have a random delay between 0 and 5 hours.

The best way to use a remailer is by using them in a chain, by sending a message from one remailer to
the other before it reaches your address.
Let's make an example with the above message:

=============================================================
::
Anon-To: ***@remailer.paranoici.org

::
Encrypted: PGP

-----BEGIN PGP MESSAGE-----
Version: 2.6.3i

owE1jMsNwjAUBH3gZMk9PClnUoBPUANpwElW2OBPZD8H0gd1UCP2gduuNDNfI
T4zCbQmtlbzGFM9T0jSD7QVvEzaPcUlBSSWHQclbnR9YWJNp5BFSLdR9CijF3
ybry/1Rsqn4la3a0JiIhLvnYGCu9HFtiC8oIxnlkeuIYe+EH=HgDq
-----END PGP MESSAGE-----
=============================================================

you can encrypt this message with the PGP key of another remailer (e.g. Dizum) and send the
encrypted message to this remailer: ***@dizum.com

Thus Dizum will receive the message and decode it and will find the instructions to send it
to ***@remailer.paranoici.org, which in its turn will decode it and send it to
***@example.org

There is more on remailing here:
https://groups.google.com/g/alt.privacy.anon-server/c/vMNR33GCKhs
This page needs updating but worth a look: https://dizum.com/

Now don't delay, get started with encrypted daily email now with the basic FREE Service.
https://tuta.com/pricing You know it makes sense!

Stay safe, stay encrypted!
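
The layering described in the how-to above, as an added Python example (not part of the original post and not any remailer's own code): it builds the nested layers for a chain and shows what each hop can read after peeling its own layer. The addresses are constructed, `toy_seal`/`toy_open` are a labelled stand-in for PGP so the example runs offline (`gpg_encrypt` is the real call), and placing `Latent-Time` in the `::` block is an assumption.

```python
import base64
import re
import subprocess

# Delay syntax from the post: "+2:00" (fixed) or "+5:00r" (random, up to 5 h).
LATENT_RE = re.compile(r"^\+\d{1,2}:[0-5]\dr?$")


def _one_line(value):
    """Reject CR/LF so a value cannot smuggle an extra directive into a layer."""
    if "\r" in value or "\n" in value:
        raise ValueError("line break in header value: %r" % value)
    return value


def build_layer(dest, body, post=False, latent=None, headers=None):
    """Plaintext of one layer: '::' block, blank line, optional '##' block, body."""
    name = "Anon-Post-To" if post else "Anon-To"
    lines = ["::", "%s: %s" % (name, _one_line(dest))]
    if latent is not None:
        if not LATENT_RE.match(latent):
            raise ValueError("bad Latent-Time: %r" % latent)
        lines.append("Latent-Time: " + latent)  # assumption: goes in the '::' block
    lines.append("")
    if headers:
        lines.append("##")
        lines += ["%s: %s" % (_one_line(k), _one_line(v)) for k, v in headers.items()]
        lines.append("")
    return "\n".join(lines) + "\n" + body


def wrap(ciphertext):
    """Outer form every remailer expects: '::', 'Encrypted: PGP', blank, armor."""
    return "::\nEncrypted: PGP\n\n" + ciphertext


def build_chain(hops, dest, body, encrypt, **layer_opts):
    """Nest one encrypted layer per hop; hops[0] is where the sender mails it."""
    if not hops:
        raise ValueError("need at least one remailer")
    message = build_layer(dest, body, **layer_opts)  # read by the last hop only
    for i in reversed(range(len(hops))):
        message = wrap(encrypt(hops[i], message))
        if i:  # the previous hop is told only to forward to hops[i]
            message = build_layer(hops[i], message)
    return hops[0], message


def peel(message, decrypt):
    """One remailer's view: unwrap, decrypt, return ('::' directives, payload)."""
    head, _, armored = message.partition("\n\n")
    if head.split("\n") != ["::", "Encrypted: PGP"]:
        raise ValueError("not an 'Encrypted: PGP' remailer message")
    block, _, payload = decrypt(armored).partition("\n\n")
    lines = block.split("\n")
    if lines[0] != "::":
        raise ValueError("decrypted layer does not start with '::'")
    return dict(line.split(": ", 1) for line in lines[1:]), payload


def gpg_encrypt(recipient, plaintext):
    """Real encryption; needs gpg installed and the remailer's public key imported."""
    cmd = ["gpg", "--batch", "--armor", "--encrypt", "--recipient", recipient]
    done = subprocess.run(cmd, input=plaintext.encode(), capture_output=True, check=True)
    return done.stdout.decode()


def toy_seal(recipient, plaintext):
    """Offline stand-in for gpg_encrypt. This is NOT encryption."""
    data = base64.b64encode(plaintext.encode()).decode()
    return "-----BEGIN TOY BLOB %s-----\n%s\n-----END TOY BLOB-----\n" % (recipient, data)


def toy_open(recipient):
    """Return the matching 'decrypt' for one hop; refuses other hops' layers."""
    def decrypt(blob):
        first, data, _end = blob.strip().split("\n")
        if first != "-----BEGIN TOY BLOB %s-----" % recipient:
            raise ValueError("layer is not addressed to " + recipient)
        return base64.b64decode(data).decode()
    return decrypt


def demo():
    """Two-hop chain with constructed addresses; returns what each hop learns."""
    hops = ["remailer@hop-a.example", "remailer@hop-b.example"]
    first, msg = build_chain(hops, "reader@dest.example", "Message text\n", toy_seal,
                             latent="+5:00r", headers={"Subject": "Re: Twofish"})
    seen_a, inner = peel(msg, toy_open(hops[0]))
    seen_b, final = peel(inner, toy_open(hops[1]))
    return first, seen_a, seen_b, final


if __name__ == "__main__":
    for item in demo():
        print(repr(item))
```

The first hop's directives contain only the second remailer's address; the final recipient and the `##` headers become readable only after the last hop removes its layer.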
David Lesher
2024-03-21 03:52:54 UTC
Post by Nomen Nescio
Encrypted communications app Signal is mulling an exit from the UK
market in response to a new law threatening its core operational
model,
while E2EE email service provider Tutanota is taking the opposite
approach, pledging to stay and help the British protect their
communications from government scrutiny.
Instead of an encryption service, use PGP.
Traffic analysis.
--
A host is a host from coast to ***@panix.com
& no one will talk to a host that's close..........................
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433
William Unruh
2024-03-21 16:29:15 UTC
Post by David Lesher
Post by Nomen Nescio
Encrypted communications app Signal is mulling an exit from the UK
market in response to a new law threatening its core operational
model,
while E2EE email service provider Tutanota is taking the opposite
approach, pledging to stay and help the British protect their
communications from government scrutiny.
Instead of an encryption service, use PGP.
Traffic analysis.
And exactly what information will that give you other than that you are
communicating with a certain IP address? And what is wrong with a VPN to
hide even that? And the question was why use an encryption service when
you can encrypt using PGP and if you want to hide who you're talking to,
use an external VPN. To let someone else encrypt your stuff for you
seems to me to be the height of folly. You want to hide your stuff, so
you give it to someone else in clear text. For all you know, Tutanota
is an arm of the government (I am not saying it is, but do you have
proof it is not?)
D
2024-03-21 21:03:56 UTC
Post by William Unruh
Post by David Lesher
Post by Nomen Nescio
Encrypted communications app Signal is mulling an exit from the UK
market in response to a new law threatening its core operational
model,
while E2EE email service provider Tutanota is taking the opposite
approach, pledging to stay and help the British protect their
communications from government scrutiny.
Instead of an encryption service, use PGP.
Traffic analysis.
And exactly what information will that give you other than that you are
communicating with a certain IP address? And what is wrong with a VPN to
hide even that? And the question was why use an encryption service when
you can encrypt using PGP and if you want to hide who you're talking to,
use an external VPN. To let someone else encrypt your stuff for you
seems to me to be the height of folly. You want to hide your stuff, so
you give it to someone else in clear text. For all you know, Tutanota
is an arm of the government (I am not saying it is, but do you have
proof it is not?)
I think you can safely ignore the Nomen-guy. He seems to be some kind of
paid marketing guy for tutanota.

Personally I completely share your position. Tuta could be compromised
without any of its users ever knowing, so much better and safer to "roll
your own" or use truly decentralized services.

If you're in europe it would of course be better to rely on a service
that's not in europe, that would add some paper work in case the
government is after you.
William Unruh
2024-03-21 21:24:24 UTC
Post by D
Post by William Unruh
Post by David Lesher
Post by Nomen Nescio
Encrypted communications app Signal is mulling an exit from the UK
market in response to a new law threatening its core operational
model,
while E2EE email service provider Tutanota is taking the opposite
approach, pledging to stay and help the British protect their
communications from government scrutiny.
Instead of an encryption service, use PGP.
Traffic analysis.
And exactly what information will that give you other than that you are
communicating with a certain IP address? And what is wrong with a VPN to
hide even that? And the question was why use an encryption service when
you can encrypt using PGP and if you want to hide who you're talking to,
use an external VPN. To let someone else encrypt your stuff for you
seems to me to be the height of folly. You want to hide your stuff, so
you give it to someone else in clear text. For all you know, Tutanota
is an arm of the government (I am not saying it is, but do you have
proof it is not?)
I think you can safely ignore the Nomen-guy. He seems to be some kind of
paid marketing guy for tutanota.
Personally I completely share your position. Tuta could be compromised
without any of its users ever knowing, so much better and safer to "roll
your own" or use truly decentralized services.
Of course the problem with rolling your own is that 99% of the computer
users have very little idea about cryptography or about "rolling your
own". "Use PGP" is of very little help since it needs to be made
automatic and needs to have a "phonebook" containing people you might
want to communicate with and their public keys. Plus you have to make
sure to keep your own private keys secret. There are so many ways of
messing up and making the system insecure, despite using the best tools.
That is of course what companies presumably like Tutanota provide.
Unfortunately with a huge potential security hole. The balance between
security and ease of use (both of which are crucial) is delicate. Open
source is a bare minimum (so you can check up on their claims, or at
least have others check up on their claims).
Also you have to make sure that the people you communicate with also
have the software, and use it. Encryption is useless if your recipient
replies to your missive by quoting it all in cleartext and then adding
their own reply.
Post by D
If you're in europe it would of course be better to rely on a service
that's not in europe, that would add some paper work in case the
government is after you.
Stefan Claas
2024-03-21 22:02:36 UTC
Post by William Unruh
Of course the problem with rolling your own is that 99% of the
computer users have very little idea about cryptography or about
"rolling your own". "Use PGP" is of very little help since it needs
to be made automatic and needs to have a "phonebook" containing
people you might want to communicate with and their public keys. Plus
you have to make sure to keep your own private keys secret. There are
so many ways of messing up and making the system insecure, despite
using the best tools. That is of course what companies presumably
like Tutanota provide. Unfortunately with a huge potential security
hole. The balance between security and ease of use (both of which are
crucial) is delicate. Open source is a bare minimum (so you can
check up on their claims, or at least have others check up on their
claims). Also you have to make sure that the people you communicate
with also have the software, and use it. Encryption is useless if
your recipient replies to your missive by quoting it all in cleartext
and then adding their own reply.
There is Mailvelope for Gmail and others, which is a browser based
plug-in and it has its own key server. This should simplify the
process of using PGP for encrypted email and you don't have to sign-up
for tuta, proton.me etc.

https://mailvelope.com/
--
Regards
Stefan
D
2024-03-22 09:20:41 UTC
Post by Stefan Claas
Post by William Unruh
Of course the problem with rolling your own is that 99% of the
computer users have very little idea about cryptography or about
"rolling your own". "Use PGP" is of very little help since it needs
to be made automatic and needs to have a "phonebook" containing
people you might want to communicate with and their public keys. Plus
you have to make sure to keep your own private keys secret. There are
so many ways of messing up and making the system insecure, despite
using the best tools. That is of course what companies presumably
like Tutanota provide. Unfortunately with a huge potential security
hole. The balance between security and ease of use (both of which are
crucial) is delicate. Open source is a bare minimum (so you can
check up on their claims, or at least have others check up on their
claims). Also you have to make sure that the people you communicate
with also have the software, and use it. Encryption is useless if
your recipient replies to your missive by quoting it all in cleartext
and then adding their own reply.
There is Mailvelope for Gmail and others, which is a browser based
plug-in and it has its own key server. This should simplify the
process of using PGP for encrypted email and you don't have to sign-up
for tuta, proton.me etc.
https://mailvelope.com/
Doesn't that just trade tuta for mailvelope.com?
Stefan Claas
2024-03-22 16:21:25 UTC
Post by D
Post by Stefan Claas
Post by William Unruh
Of course the problem with rolling your own is that 99% of the
computer users have very little idea about cryptography or about
"rolling your own". "Use PGP" is of very little help since it needs
to be made automatic and needs to have a "phonebook" containing
people you might want to communicate with and their public keys.
Plus you have to make sure to keep your own private keys secret.
There are so many ways of messing up and making the system
insecure, despite using the best tools. That is of course what
companies presumably like Tutanota provide. Unfortunately with a
huge potential security hole. The balance between security and
ease of use (both of which are crucial) is delicate. Open source
is a bare minimum (so you can check up on their claims, or at
least have others check up on their claims). Also you have to make
sure that the people you communicate with also have the software,
and use it. Encryption is useless if your recipient replies to
your missive by quoting it all in cleartext and then adding their
own reply.
There is Mailvelope for Gmail and others, which is a browser based
plug-in and it has its own key server. This should simplify the
process of using PGP for encrypted email and you don't have to
sign-up for tuta, proton.me etc.
https://mailvelope.com/
Doesn't that just trade tuta for mailvelope.com?
Well, I would say no. People can keep their email account and do
not need to switch to tuta.com, for encrypted email. Mailvelope
is also older than tuta.com
--
Regards
Stefan
D
2024-03-23 11:24:16 UTC
Post by Stefan Claas
Post by D
Post by Stefan Claas
Post by William Unruh
Of course the problem with rolling your own is that 99% of the
computer users have very little idea about cryptography or about
"rolling your own". "Use PGP" is of very little help since it needs
to be made automatic and needs to have a "phonebook" containing
people you might want to communicate with and their public keys.
Plus you have to make sure to keep your own private keys secret.
There are so many ways of messing up and making the system
insecure, despite using the best tools. That is of course what
companies presumably like Tutanota provide. Unfortunately with a
huge potential security hole. The balance between security and
ease of use (both of which are crucial) is delicate. Open source
is a bare minimum (so you can check up on their claims, or at
least have others check up on their claims). Also you have to make
sure that the people you communicate with also have the software,
and use it. Encryption is useless if your recipient replies to
your missive by quoting it all in cleartext and then adding their
own reply.
There is Mailvelope for Gmail and others, which is a browser based
plug-in and it has its own key server. This should simplify the
process of using PGP for encrypted email and you don't have to
sign-up for tuta, proton.me etc.
https://mailvelope.com/
Doesn't that just trade tuta for mailvelope.com?
Well, I would say no. People can keep their email account and do
not need to switch to tuta.com, for encrypted email. Mailvelope
is also older than tuta.com
Sorry, what I meant is that does this not mean that someone could break
into Mailvelope and send malicious updates to people who have the Mailvelope
plugin?
Stefan Claas
2024-03-23 12:35:01 UTC
Post by D
Post by Stefan Claas
Post by D
Post by Stefan Claas
https://mailvelope.com/
Doesn't that just trade tuta for mailvelope.com?
Well, I would say no. People can keep their email account and do
not need to switch to tuta.com, for encrypted email. Mailvelope
is also older than tuta.com
Sorry, what I meant is that does this not mean that someone could
break into Mailvelope and send malicious updates to people who have
the Mailvelope plugin?
If they can break into Mailvelope Server, hosting the plug-in, then this
is a problem. Same as with other security software.

But users can also switch to GnuPG as backend for Mailvelope.

Last but not least the software had an audit.

<https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Mailvelope_Extensions/Mailvelope_Extensions_pdf.pdf?__blob=publicationFile&v=1>
--
Regards
Stefan
William Unruh
2024-03-23 17:41:52 UTC
Post by D
Post by Stefan Claas
Post by D
Post by Stefan Claas
Post by William Unruh
Of course the problem with rolling your own is that 99% of the
computer users have very little idea about cryptography or about
"rolling your own". "Use PGP" is of very little help since it needs
to be made automatic and needs to have a "phonebook" containing
people you might want to communicate with and their public keys.
Plus you have to make sure to keep your own private keys secret.
There are so many ways of messing up and making the system
insecure, despite using the best tools. That is of course what
companies presumably like Tutanota provide. Unfortunately with a
huge potential security hole. The balance between security and
ease of use (both of which are crucial) is delicate. Open source
is a bare minimum (so you can check up on their claims, or at
least have others check up on their claims). Also you have to make
sure that the people you communicate with also have the software,
and use it. Encryption is useless if your recipient replies to
your missive by quoting it all in cleartext and then adding their
own reply.
There is Mailvelope for Gmail and others, which is a browser based
plug-in and it has its own key server. This should simplify the
process of using PGP for encrypted email and you don't have to
sign-up for tuta, proton.me etc.
https://mailvelope.com/
Doesn't that just trade tuta for mailvelope.com?
Well, I would say no. People can keep their email account and do
not need to switch to tuta.com, for encrypted email. Mailvelope
is also older than tuta.com
Sorry, what I meant is that does this not mean that someone could break
into Mailvelope and send malicious updates to people who have the Mailvelope
plugin?
It is opensource, which is a plus. It is javascript, which I suspect is
a minus (I am not at all sure how safe Javascript is). It is a plugin
into browsers (chrome or firefox), which again is a minus (how much does
it depend on the security of the whole browser?)

Mailvelope runs on your own machine and encrypts (using a javascript
version of OpenPGP) on your own machine. So the breaking would have to
occur on your own machine. Not sure what you mean by "malicious
updates". Updates of what? mailvelope? I think you would have to
initiate the download and the installation. I presume it does not
initiate and install its own updates.
D
2024-03-23 21:15:27 UTC
Post by William Unruh
Post by D
Post by Stefan Claas
Post by D
Post by Stefan Claas
Post by William Unruh
Of course the problem with rolling your own is that 99% of the
computer users have very little idea about cryptography or about
"rolling your own". "Use PGP" is of very little help since it needs
to be made automatic and needs to have a "phonebook" containing
people you might want to communicate with and their public keys.
Plus you have to make sure to keep your own private keys secret.
There are so many ways of messing up and making the system
insecure, despite using the best tools. That is of course what
companies presumably like Tutanota provide. Unfortunately with a
huge potential security hole. The balance between security and
ease of use (both of which are crucial) is delicate. Open source
is a bare minimum (so you can check up on their claims, or at
least have others check up on their claims). Also you have to make
sure that the people you communicate with also have the software,
and use it. Encryption is useless if your recipient replies to
your missive by quoting it all in cleartext and then adding their
own reply.
There is Mailvelope for Gmail and others, which is a browser based
plug-in and it has its own key server. This should simplify the
process of using PGP for encrypted email and you don't have to
sign-up for tuta, proton.me etc.
https://mailvelope.com/
Doesn't that just trade tuta for mailvelope.com?
Well, I would say no. People can keep their email account and do
not need to switch to tuta.com, for encrypted email. Mailvelope
is also older than tuta.com
Sorry, what I meant is that does this not mean that someone could break
into mailvelop and send malicious updates to people who have the mailvelop
plugin?
It is opensource, which is a plus. It is javascript, which I suspect is
a minus (I am not at all sure how safe Javascript is). It is a plugin
into browsers (chrome or firefox), which again is a minus (how much does
it depend on the the security of the whole browser?)
mailvelope runs on your own machine and encrypts (using a javascript
version of OpenPGP) on you own machine. So the breaking would have to
occur on your own machine. Not sure what you mean by "malicious
updates". Updates of what? mailvelope? I think you would have to
initiate the download and the installation. I presume it does not
initiate and install its own updates.
Ahh... thank you that sheds more light on it, and yes, that's what I had
in mind, if mailvelop "pesters" people to upgrade, or even worse,
automatically upgrade. That would be an enormous risk in case they are
broken into.
William Unruh
2024-03-24 03:32:09 UTC
Permalink
Post by D
Post by William Unruh
Post by D
Post by Stefan Claas
Post by D
Post by Stefan Claas
Post by William Unruh
Of course the problem with rolling your own is that 99% of the
computer users have very little idea about cryptography or about
"rolling your own". "Use PGP" is of very little help since it needs
to be made automatic and needs to have a "phonebook" containing
people you might want to communicate with and their public keys.
Plus you have to make sure to keep your own private keys secret.
There are so many ways of messing up and making the system
insecure, despite using the best tools. That is of course what
companies presumably like Tutanota provide. Unfortunately with a
huge potential security hole. The balance between security and
ease of use (both of which are crucial) is delicate. Open source
is a bare minimum (so you can check up on their claims, or at
least have others check up on their claims). Also you have to make
sure that the people you communicate with also have the software,
and use it. Encryption is useless if your recipient replies to
your missive by quoting it all in cleartext and then adding their
own reply.
There is Mailvelope for Gmail and others, which is a browser based
plug-in and it has its own key server. This should simplify the
process of using PGP for encrypted email and you don't have to
sign-up for tuta, proton.me etc.
https://mailvelope.com/
Doesn't that just trade tuta for mailvelope.com?
Well, I would say no. People can keep their email account and do
not need to switch to tuta.com, for encrypted email. Mailvelope
is also older than tuta.com
Sorry, what I meant is that does this not mean that someone could break
into Mailvelope and send malicious updates to people who have the Mailvelope
plugin?
It is open source, which is a plus. It is JavaScript, which I suspect is
a minus (I am not at all sure how safe JavaScript is). It is a plugin
into browsers (Chrome or Firefox), which again is a minus (how much does
it depend on the security of the whole browser?)
Mailvelope runs on your own machine and encrypts (using a JavaScript
version of OpenPGP) on your own machine. So the breaking would have to
occur on your own machine. Not sure what you mean by "malicious
updates". Updates of what? Mailvelope? I think you would have to
initiate the download and the installation. I presume it does not
initiate and install its own updates.
Ahh... thank you that sheds more light on it, and yes, that's what I had
in mind, if Mailvelope "pesters" people to upgrade, or even worse,
automatically upgrade. That would be an enormous risk in case they are
broken into.
Well, if they find a security bug, pestering them to upgrade is what
they should do. One would hope that if they were broken into, and a
security flaw introduced and then the cracker sent out requests to
upgrade, that they would quickly notice and take down the bad version.
The same is true of the kernel, which would be even more of a security
threat.
D
2024-03-24 10:33:52 UTC
Permalink
Post by William Unruh
Post by D
Post by William Unruh
Post by D
Post by Stefan Claas
Post by D
Post by Stefan Claas
Post by William Unruh
Of course the problem with rolling your own is that 99% of the
computer users have very little idea about cryptography or about
"rolling your own". "Use PGP" is of very little help since it needs
to be made automatic and needs to have a "phonebook" containing
people you might want to communicate with and their public keys.
Plus you have to make sure to keep your own private keys secret.
There are so many ways of messing up and making the system
insecure, despite using the best tools. That is of course what
companies presumably like Tutanota provide. Unfortunately with a
huge potential security hole. The balance between security and
ease of use (both of which are crucial) is delicate. Open source
is a bare minimum (so you can check up on their claims, or at
least have others check up on their claims). Also you have to make
sure that the people you communicate with also have the software,
and use it. Encryption is useless if your recipient replies to
your missive by quoting it all in cleartext and then adding their
own reply.
There is Mailvelope for Gmail and others, which is a browser based
plug-in and it has its own key server. This should simplify the
process of using PGP for encrypted email and you don't have to
sign-up for tuta, proton.me etc.
https://mailvelope.com/
Doesn't that just trade tuta for mailvelope.com?
Well, I would say no. People can keep their email account and do
not need to switch to tuta.com, for encrypted email. Mailvelope
is also older than tuta.com
Sorry, what I meant is that does this not mean that someone could break
into Mailvelope and send malicious updates to people who have the Mailvelope
plugin?
It is open source, which is a plus. It is JavaScript, which I suspect is
a minus (I am not at all sure how safe JavaScript is). It is a plugin
into browsers (Chrome or Firefox), which again is a minus (how much does
it depend on the security of the whole browser?)
Mailvelope runs on your own machine and encrypts (using a JavaScript
version of OpenPGP) on your own machine. So the breaking would have to
occur on your own machine. Not sure what you mean by "malicious
updates". Updates of what? Mailvelope? I think you would have to
initiate the download and the installation. I presume it does not
initiate and install its own updates.
Ahh... thank you that sheds more light on it, and yes, that's what I had
in mind, if Mailvelope "pesters" people to upgrade, or even worse,
automatically upgrade. That would be an enormous risk in case they are
broken into.
Well, if they find a security bug, pestering them to upgrade is what
they should do. One would hope that if they were broken into, and a
security flaw introduced and then the cracker sent out requests to
upgrade, that they would quickly notice and take down the bad version.
The same is true of the kernel, which would be even more of a security
threat.
Then there's not much of a difference. I would think that the kernel
project has more eyes on it than Mailvelope. It could also be the
government who probably could throw the entire Mailvelope team into prison.
D
2024-03-22 09:19:28 UTC
Permalink
Post by William Unruh
Post by D
Post by William Unruh
Post by David Lesher
Post by Nomen Nescio
Encrypted communications app Signal is mulling an exit from the UK
market in response to a new law threatening its core operational
model,
while E2EE email service provider Tutanota is taking the opposite
approach, pledging to stay and help the British protect their
communications from government scrutiny.
Instead of an encryption service, use PGP.
Traffic analysis.
And exactly what information will that give you other than that you are
communicating with a certain IP address? And what is wrong with a VPN to
hide even that? And the question was why use an encryption service when
you can encrypt using PGP and if you want to hide who you're talking to,
use an external VPN. To let someone else encrypt your stuff for you
seems to me to be the height of folly. You want to hide your stuff, so
you give it to someone else in clear text. For all you know, Tutanota
is an arm of the government (I am not saying it is, but do you have
proof it is not?)
I think you can safely ignore the Nomen-guy. He seems to be some kind of
paid marketing guy for tutanota.
Personally I completely share your position. Tuta could be compromised
without any of its users ever knowing, so much better and safer to "roll
your own" or use truly decentralized services.
Of course the problem with rolling your own is that 99% of the computer
users have very little idea about cryptography or about "rolling your
own". "Use PGP" is of very little help since it needs to be made
Sorry, this is true. I was in the mindset of "solving the problem" as a
somewhat computer literate user.

What would you suggest as the best solution for the rest? Centralized
solutions will never work at scale, because they become natural targets
for the government.

So I believe decentralized or federated is the way to go. But I also think
that before any solution will happen, privacy has to be seen as something
valuable by the public.

As long as privacy is not seen as something valuable by the public, it
doesn't really matter what technologists do, since no one will use it.

There is this law of security with 100% security on one end of the scale,
and 100% usefulness on the other. It is impossible to combine the two, you
will always have a trade off between security and use.
Post by William Unruh
automatic and needs to have a "phonebook" containing people you might
want to communicate with and their public keys. Plus you have to make
sure to keep your own private keys secret. There are so many ways of
messing up and making the system insecure, despite using the best tools.
That is of course what companies presumably like Tutanota provide.
Unfortunately with a huge potential security hole. The balance between
security and ease of use (both of which are crucial) is delicate. Open
source is a bare minimum (so you can check up on their claims, or at
least have others check up on their claims).
Also you have to make sure that the people you communicate with also
have the software, and use it. Encryption is useless if your recipient
replies to your missive by quoting it all in cleartext and then adding
their own reply.
Post by D
If you're in Europe it would of course be better to rely on a service
that's not in Europe, that would add some paper work in case the
government is after you.
Nomen Nescio
2024-03-21 21:04:27 UTC
Permalink
Post by William Unruh
Post by David Lesher
Post by Nomen Nescio
Encrypted communications app Signal is mulling an exit from the UK
market in response to a new law threatening its core operational
model,
while E2EE email service provider Tutanota is taking the opposite
approach, pledging to stay and help the British protect their
communications from government scrutiny.
Instead of an encryption service, use PGP.
Traffic analysis.
And exactly what information will that give you other than that you are
communicating with a certain IP address?
Which easily can be resolved. The metadata around an encrypted channel
tells volumes!

Ex-NSA Director Michael Hayden once told us:
"We Kill People Based on Metadata"
Post by William Unruh
And what is wrong with a VPN to hide even that?
Short answer: You don't hide it from the VPN. Better to use Tor and
remailers instead of having to trust anyone.
Nomen Nescio
2024-03-22 07:37:31 UTC
Permalink
Post by Nomen Nescio
Post by William Unruh
Post by David Lesher
Post by Nomen Nescio
Encrypted communications app Signal is mulling an exit from the UK
market in response to a new law threatening its core operational
model,
while E2EE email service provider Tutanota is taking the opposite
approach, pledging to stay and help the British protect their
communications from government scrutiny.
Instead of an encryption service, use PGP.
Traffic analysis.
And exactly what information will that give you other than that you are
communicating with a certain IP address?
Which easily can be resolved. The metadata around an encrypted channel
tells volumes!
"We Kill People Based on Metadata"
Post by William Unruh
And what is wrong with a VPN to hide even that?
Short answer: You don't hide it from the VPN. Better to use Tor and
remailers instead of having to trust anyone.
"You can't hide it from the VPN" is more factual. Some VPNs are
DIA honeypots.