E-Mail 'PGP for Preppers- Part 1, by Groundhog Gravy' To A Friend


10 Comments

  1. When you are generating a key, it will ask for a passphrase. This can be a weak point as it either needs to be long (e.g. a bible verse), or complex (mixes of uppercase, lowercase, numbers, special characters), or both.

    Beyond that, keeping the private key on a flash drive or equivalent is a good idea, but I would add: ensure your computer is completely disconnected from the internet when you decrypt messages, particularly if you have something that does so automatically – that is how the recent security flaws worked – PGP was fine, but the email clients that auto-decrypted could be fooled into sending the decrypted message out. They wouldn’t work if the computer was not connected.

    The safest would be to keep an offline computer – an old laptop would do – that never connects to the internet where you take messages to be decrypted, but you might get into those details in part 2.

    1. I tried to make clear in the article — though maybe I failed — that tools which handle encryption behind the scenes as they do something else, as Enigmail for example does, are part of the problem. That’s why I recommend using PGP using GPA: it does nothing else.

      (I use GPG from the command line, which offers other advantages, but most people find that a little tough to grasp because they lack experience with command-line tools in general.)

  2. This is a common subject on blogs. I have no doubt that there is a place for this level of personal security or more correctly this level of worrying about personal security. I think it is all so much whistling in the wind. For 99% of you no one gives a damn what you write to your friends on email or texts, that is, no one is looking. It doesn’t matter if you post it on a billboard in the middle of NY City, no one cares. For that 1% that are committing crimes or treason or sharing corporate secrets, you are delusional if you use the internet, your phone or almost any method of communicating. There is no foolproof way to hide your nefarious acts. I simply do not put anything on the internet or the phone that I wouldn’t say or post in public and that includes all of my personal and financial data. When you hear that China hacked the Pentagon or some contractor’s military data you can of course blame China but blame the Pentagon (or contractor) as well. It is stupid, stupid, stupid to put data on-line or available somehow/anyhow on-line and think it will be safe. There is nothing that man can do that other men cannot undo.

    I follow my mother’s advice; “don’t do/say anything you wouldn’t do/say in front of your grandmother.”

    1. I think that you are missing the point of high level PUBLIC encryption. If more people used PGP on a day-to-day basis, then the sheer volume of traffic would overwhelm the computing power of the world’s intelligence agencies to decrypt it. But if just a few use PGP, then they will be targeted and concentrated computing power will be used for Brute Force decryption.

    2. It’s not about the 1% committing crimes, but the 99% of us that automatically have our data [e.g. emails/ texts/ credit card purchases/ bank transactions/ utility bill monthly utilization/ club card scans/ cell metadata/ phone contact trees/ social media posts/ driving GPS coordinates from smart cars/ internet searches from our IP addresses/ facial recognition camera captures/ etc. etc. etc.] all stored in Bluffdale, Utah’s new NSA data center [by far the largest data gathering center in the world].

      The government understands that they can’t make heads or tails of this NSA data “just yet” but in a decade they’re confident they will have the data mining engines in place along with super computing power that their artificial intelligence algorithms would be able to create real time profiles of every citizen, including forecasting their next purchase, vacation location, and future spousal selection. They know who would purchase a gun, have a heart attack from too much diet soda, etc. THAT’s WHY YOU ENCRYPT NOW! We know you’re not a criminal.

  3. Ana Montes, the Cuban spy at DIA, used an encryption program to send messages to Havana. But what made her really hard to catch was she never carried secrets out, just retyped them from memory on her home computer.

  4. Although you and I may not be of interest to the government or other sinister forces right now, you don’t know what the circumstances will be like in the future. MY emails, for example, are of no interest to anyone who does not know me personally, or someone that I might buy something from online. But as I said, that could change in an instant to a case where email between citizens might be the only way to get real news spread to each other. In that case, some kind of a code would be necessary. I personally believe that everything you do on the internet is intercepted by someone, in fact that is why the internet was invented and made available to the public. So beware.

  5. Can you elaborate on the use of ProtonMail?
    You say you don’t trust them.
    Is this simply because you can’t verify that they are doing what they claim?

    1. There are a few reasons. One is, as you guessed, that I can’t prove they do what they say they do. Another is that they manage your keys for you; that leaves you open to a message-replacement switch that tricks you into encrypting with a key that is not what you intended to use. It’s also vulnerable to cross-site scripting attacks, where a malicious actor can piggyback their own code on top of the site’s code to extract your data. And since it requires JavaScript, it is in conflict with an important approach to anonymity online: use Tails/Tor Browser with JavaScript disabled.

  6. Take a look at Worldflix – WRFX (publicly traded startup company) they have a couple of military guys in leadership overseeing the development of Parano Protocol under their subsidiary Paranotek. The product falls right into what you are talking about and is supposedly 10+ years ahead of what is currently out there, might be something you are interested in. For transparency I own shares in the company.
