Am I Paranoid?

From: Peter Veotsch 
I got a new MacBook Air a few weeks ago and am very happy with it. The battery life is excellent as has been reported. It is a vanilla machine with VirtualBox installed and running Linux under VirtualBox.

The other day I downloaded and installed the GNU PGP suite for Mac OS X and have been testing the email encryption. I recommend it to any of you Mac users out there. Now for the paranoia.

This morning at about 7:45 AM I was searching for some friends on the key servers. Most of my friends don't have public keys, and on a lark I entered the name of Glenn Greenwald, the New York Times and Guardian reporter who broke the NSA/Snowden stories. Turns out he has a 4096 bit encryption key. Within minutes my MacBook Air froze up with a screen that said it had encountered a problem and quit, blank screen, dead to the world. Wouldn't power up.

After a few minutes it came back up and reported 2 kernel panics to Apple (which I elected not to send). Everything seems normal now. If I'm intercepted by Customs (here or in England) on my trip to Europe next week, I'll let you know. Meanwhile, is it coincidence or have I gotten on a list? BTW I'm sending this from a different machine.

===============================================================
From: Jon Stanford
------------------------------------------------------
Your paranoia is not relevant to the fact that they are tracking you. I wouldn't be surprised if the NSA has some triggers set up on keyboxes... and they have proven they are willing to randomly detain travelers without good reason.

Did you log what the panics were?

===============================================================
From: Stephen Kraus
------------------------------------------------------
Until further evidence presents itself, I'd just chalk it up to coincidence.

===============================================================
From: Mike Harrison
------------------------------------------------------
I doubt that's the issue, you can try importing mine if you think that it's related. My work email key is 4096 bits.

Option 1: Random rare coincidence

Option 2: Your download of the key was hijacked, injected.. etc.. and used to compromise your system. It may or may not have been successful. If truly successful, you would not have had an issue.

Factors: What ISPs were between you and the key-servers, updates applied to your Mac, cosmic rays…..

Just because you are paranoid, does not mean they aren't out to get you.

An idea, just for fun: a full PGP/GPG encrypted Chugalug sub-list?

===============================================================
From: Stephen Kraus
------------------------------------------------------
You figure compromising your system, the last thing they'd want is a kernel panic, as it kind of ends their attempts to gain access.

===============================================================
From: Jon Stanford
------------------------------------------------------
Even though us just using pgp/gpg to shoot the proverbial shit with each other would cause the NSA overlords to track us (and/or justification for them already tracking us) I'd welcome the opportunity to secure our traffic.

===============================================================
From: Stephen Kraus
------------------------------------------------------
Eh, 'Securing' your traffic is questionable at this point unless you switch back to a 'sneakernet' sort of network.

With the growing computing power the NSA has at their fingertips, I'm more apt to assume that if they want to crack your encryption, they will crack it.

===============================================================
From: Jon Stanford
------------------------------------------------------
switch back to a 'sneakernet' sort of network.
more apt to assume that if they want to crack your encryption, they will crack it.

... or just use a backdoor they built into the encryption product

===============================================================
From: Stephen Kraus
------------------------------------------------------
That would be the easy way, and I have no doubt that they have such back doors, but with enough computing power any sort of encryption outside of quantum encryption is going to be crack-able with time

===============================================================
From: Rod
------------------------------------------------------
From what I've been reading, check ProPublica article, they are mostly relying on back doors in commercial products. Reporting is saying use open source. Also heard they have an ssl backdoor. Something to ponder given recent discussion we have had over keys vs certificates.

On Wed, 11 Sep 2013 10:52:59 -0400, Stephen Kraus wrote:

===============================================================
From: Peter Veotsch
------------------------------------------------------
Just to clarify a small point, I only looked at Glenn Greenwald's key, I didn't download it.

I've also noticed my yahoo mail account is slow and balky this morning. Could just be the man-in-the-middle hasn't had his coffee yet. Oops, there I go again with paranoia.

I did not log the kernel panics, but just reviewed them. They didn't reveal much to me, but I'm not a BSD OSX guru.

I like the idea of an encrypted sub-list. It would be great for testing PGP software. And then we could have the next Chugalug meetup at the FBI offices.

Peter

===============================================================
From: Stephen Kraus
------------------------------------------------------
Yes, but assuming that they are ONLY using backdoors is giving them too little credit. The NSA has both the expertise and the computing power to crack, so assume they are going to use it.

===============================================================
From: Dan Lyke
------------------------------------------------------
On Wed, 11 Sep 2013 08:25:31 -0700 (PDT) Peter Veotsch wrote:

So two points:

1. Yes you're being paranoid. I'm outraged at the levels of NSA surveillance, but given what's been released so far there's no way they're crashing people who've looked at Greenwald's keys. For one thing, what would they gain from that? If they have that ability, much better to silently monitor what you do in the background. But the actual machine exploits that have been revealed so far have largely been extremely targeted.

2. You downloaded Greenwald's key. In order to view his key, it was transferred from his server to your computer, where your browser probably cached it, and then displayed it.

This is one of the reasons that many of us computer geeks are very wary of, for instance, the fact that simple possession of child pornography is a crime that'll do huge damage to your life. Not that any of us condone child abuse or the people who share evidence of it, but because I can put files on your computer that you don't know are there, that law enforcement can then find.

One way to do that: Take an illicit image. Create a legitimate web page that includes that image as , wait for you to hit that legit web page, kick down your door, find kiddieporn.jpg in your browser cache, tell you we'd love to give you a nice plea deal if you'll just testify against your neighbor in this unrelated case...

I'll happily participate in an encrypted list. Anyone seen Mailman stuff that'll do that? And how does it work, does everyone on the list have to have everyone else's key, or does the list have everyone's key, decrypt and re-encrypt to a list key?

Dan

===============================================================
From: Ed King
------------------------------------------------------
been nice knowing you

===============================================================
From: Mike Harrison
------------------------------------------------------
key,

That's the part that is interesting to me.. I think (so far) what I have envisioned is a web page where you upload your public key to join the list - say: and you download the public key for

Then it sends an email, signed for each individual person….

I know it's possible to create an email signed/encrypted for multiple people, I'd like to see if that is possible as well.

It might be a reason to re-learn Python and try to do this as an option for MailMan.. Or to do it in PHP (don't laugh) as a different mailing list manager completely.

===============================================================
From: Dave Brockman
------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

1) Just because you/we're paranoid, doesn't mean they aren't after us.
2) Most likely coincidence, but could be related to the key size. I deal with lots of things that don't work with 4096 keys (Cisco, I'm looking squarely at you on this one)
3) If not coincidence, I highly doubt you have reason to be targeted, which is where the cool toys the NSA uses are directed, at specific targets
4) If it were anything, I highly doubt it was the NSA. The kernel panic is indicative of someone who doesn't know WTF they are doing.

Regards,
dtb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird
-----END PGP SIGNATURE-----

===============================================================
From: Dave Brockman
------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm in!

- --dtb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird
-----END PGP SIGNATURE-----

===============================================================
From: Dave Brockman
------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You don't need us to do anything other than receive your public key for that to happen....

Regards,
dtb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird
-----END PGP SIGNATURE-----

===============================================================
From: rdflowers
------------------------------------------------------
How about in general:

In person to person traffic ( to self or cooperator ) :
Send stuff where the plaintext is actually randomly generated gibberish.
Send voluminous trivial stuff.
Send stuff where the plaintext looks like gibberish, but is really an additional cypher or -- better yet -- code .
Just occasionally, for fun.

----- Message from ---------
Date: Wed, 11 Sep 2013 18:48:55 -0400
From: Dave Brockman
Reply-To: Chattanooga Unix Gnu Android Linux Users Group
Subject: Re: [Chugalug] Am I Paranoid?
To: Chattanooga Unix Gnu Android Linux Users Group

===============================================================
From: Dave Brockman
------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Doesn't mean they can do it quickly or cheaply, and the more end to end traffic we encrypt, the harder it will be to separate. The apathy implied in your statement is extremely disheartening.

Regards,
dtb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird
-----END PGP SIGNATURE-----

===============================================================
From: Dave Brockman
------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There are discussions in other circles pointing out how the NSA and their representatives have (successfully) lobbied for weakening crypto standards for decades. Reminds me of the OpenBSD IPSec issue, although I don't recall anything odd being found, and I'm pretty sure there was at least one complete audit of the code performed....

Regards,
dtb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird
-----END PGP SIGNATURE-----

===============================================================
From: Dave Brockman
------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mainly because the volume of email my inbox(es) see is insane as it is, without adding additional garbage to the mix. I think encrypting as much as possible at as many layers as possible is a better solution. We have beefier computers these days too.

Regards,
dtb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird
-----END PGP SIGNATURE-----

===============================================================
From: John Aldrich
------------------------------------------------------
Dave... see item #4... this IS the NSA we're talking about... the Feds are NOT known for being "clueful."

===============================================================
From: Dave Brockman
------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I don't think you know who the NSA are, who they employ, and what they do.... You forget the "Feds" don't know any more about what the NSA does/can do than we do. They have become their own entity beyond boundaries and checks/balances.

Regards,
dtb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird
-----END PGP SIGNATURE-----

===============================================================
From: Dee Holtsclaw
------------------------------------------------------
Placing deliberate back doors and weaknesses in our security software makes it easier for someone else, besides them, to gain access. What if a foreign government discovers (via study or espionage) one of these and exploits it to damage our economy, military systems, etc.? Risking everything in such a way is just mind-bogglingly asinine.

Mike: The standard encryption envelope can contain a number of keys for decryption. The content is encrypted using an on-the-fly random key (usually large). This key is then encrypted for each supplied public key and placed in the envelope. To decrypt, it selects the matching entry in the envelope, decodes the content's key, and that's that. Not sure what mail clients would make of it, but the encoding scheme covers it.

Incidentally, to do the stream cipher for the content, it uses the random key as the seed for a PRNG and then XORs each byte with the next random number from the generator.

===============================================================
From: Mike Harrison
------------------------------------------------------
Dee, being Dee, Wonderful Clueful Dee:

That's the detailed understandable version of what I almost understood. Thanks.

If I get some time this Sunday to experiment, I will. What I'm afraid of is simple 3 line emails to 100 people, becoming HUGE.. and being something the common e-mail tools would have an issue with.

But it's a good project, and something that has me "interested". You and Dave have volunteered to be test subjects ;) (Evil Laugh)
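
The envelope Dee Holtsclaw describes above, and the size question Mike Harrison raises in reply, can be tried out in a small model. This is an added example, not code from the thread or from GnuPG: it assumes toy textbook RSA (no padding) for wrapping the session key and a SHA-256 counter keystream standing in for the PRNG-and-XOR cipher, and the names `keygen`, `seal`, `open_envelope` and `demo` are hypothetical.

```python
import hashlib
import secrets

# Added illustration: textbook RSA, no padding, hash keystream. Structure only, not safe for real mail.
E = 65537

def _is_prime(n, rounds=24):
    d, r = n - 1, 0  # Miller-Rabin; only called on large odd candidates
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _prime(bits):
    while True:
        p = secrets.randbits(bits) | (3 << (bits - 2)) | 1  # top two bits set, odd
        if p % E != 1 and _is_prime(p):  # p % E != 1 keeps E invertible mod p-1
            return p

def keygen(bits=1024):
    """Toy RSA pair for one list member: ((n, e), (n, d))."""
    p, q = _prime(bits // 2), _prime(bits // 2)
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

def _xor_stream(key, data):
    """XOR data with a keystream derived from the session key (stand-in cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(plaintext, recipients):
    """Encrypt the body once; wrap the random session key once per public key."""
    session_key = secrets.token_bytes(32)
    k = int.from_bytes(session_key, "big")
    wrapped = {name: pow(k, e, n).to_bytes((n.bit_length() + 7) // 8, "big")
               for name, (n, e) in recipients.items()}
    return {"keys": wrapped, "body": _xor_stream(session_key, plaintext)}

def open_envelope(env, name, private_key):
    """Select this recipient's entry, recover the session key, decrypt the body."""
    n, d = private_key
    k = pow(int.from_bytes(env["keys"][name], "big"), d, n)
    return _xor_stream(k.to_bytes(32, "big"), env["body"])

def demo(n_recipients=5, bits=1024):
    pairs = {f"member{i}": keygen(bits) for i in range(n_recipients)}
    msg = b"Three short lines.\nTo the whole list.\nSigned, nobody.\n"  # constructed sample
    env = seal(msg, {name: pub for name, (pub, _) in pairs.items()})
    opened = [open_envelope(env, name, priv) for name, (_, priv) in pairs.items()]
    return msg, opened, len(env["body"]), sum(len(w) for w in env["keys"].values())

if __name__ == "__main__":
    print(demo()[2:])  # (body length, total bytes of wrapped keys)
```

The body is stored once at its plaintext length; only the list of wrapped keys grows, by one modulus-sized entry per recipient (128 bytes at 1024 bits, 512 bytes at 4096 bits).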

===============================================================
From: Mike Robinson
------------------------------------------------------
As long THIS IS THE NSA as the security of DO NOT my LOOK AT THE computer LITTLE is MAN intact, BEHIND THE as CURTAIN I am WE ARE quite FROM sure it THE GOVERNMENT is, WE ARE there's HERE really TO nothing HELP YOU to worry about ...

===============================================================
From: Dee Holtsclaw
------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

understood. Thanks.

You're welcome. ;)

Not a problem. Created a new key ...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird
-----END PGP SIGNATURE-----

===============================================================
From: Dee Holtsclaw
------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

understood. Thanks.

You're welcome. ;)

Not a problem. Created a new key ...

Trying again -- last time it didn't like it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird
-----END PGP SIGNATURE-----

===============================================================
From: Chad Smith
------------------------------------------------------
ffs. please stop this crap. omg

*- Chad W. Smith*

===============================================================
From: Dan Lyke
------------------------------------------------------
On Sun, 15 Sep 2013 21:28:35 -0500 Chad Smith wrote:

Signatures are good. Get used to it.

Dan

===============================================================
From: DaWorm
------------------------------------------------------
Can't they be attachments instead of inline? As it is, we get one line of message and 30 lines of key. Maybe not too bad on a PC screen, but an absolute PITA on a phone. Add message quoting that quotes the other guy's key too and it becomes ridiculous.