EFAIL?!

BM-2cU3ubnYxFdiUNkhqpezH2cVBerh4uMXjQ
May 14 18:26 [raw]

Can someone Explain me EFail in a ELI5 way? NourEddineX ______ EFAIL describes vulnerabilities in the end-to-end encryption technologies OpenPGP and S/MIME that leak the plaintext of encrypted emails. - - - https://efail.de An Official Statement on New Claimed Vulnerabilities =============== by the GnuPG and Gpg4Win teams https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060334.html Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw https://www.eff.org/deeplinks/2018/05/not-so-pretty-what-you-need-know-about-e-fail-and-pgp-flaw-0

[chan] bitmessage
May 14 18:49 [raw]

https://efail.de/efail-attack-paper.pdf

[chan] bitmessage
May 14 19:05 [raw]

Interesting. I apologise for my overly quick remark, since the last thing I heard was that the release won't happen until a few days from now.

[chan] bitmessage
May 14 19:27 [raw]

75 % of all mail clients using PGP allow an attacker to exfiltrate your message data. In other words PGP is not secure.

[chan] bitmessage
May 14 19:31 [raw]

Except from what it seems this is not a conceptual failure in PGP, but an issue in the way that most mail clients use it.

[chan] bitmessage
May 14 23:26 [raw]

To my knowledge the actual vulnerability hasn't been published yet, so unless someone has hacked a bit and is willing to share (Haha, this is bitmessage, as if), the answer would be "no".

[chan] bitmessage
May 16 13:21 [raw]

Werner Koch said EFF does overblow this stuff

[chan] bitmessage
May 16 13:33 [raw]

EFF = NSA

[chan] bitmessage
May 16 13:36 [raw]

EFF = NSA == you !

[chan] bitmessage
May 16 13:48 [raw]

EFF = Kremlin

[chan] bitmessage
May 16 17:17 [raw]

saw it coming frmo miles

[chan] bitmessage
May 16 17:25 [raw]

Something smells really bad at EFF. Suddenly, because of some half-baked 'attack on PGP', EFF starts talking about phasing out PGP, to make place for some unspecified alternative. Yes, this is so legit: 'Citizens, stop using PGP because few mail programs cannot interface with it correctly'. And judging by their 'Surveillance Self-Defense' software list, their mysterious alternative could be a really rotten piece of junk.

[chan] bitmessage
May 16 18:36 [raw]

there is only p-e-p and bitmessage as alternatives and pep is mostly vapourware

[chan] bitmessage
May 16 19:07 [raw]

Perhaps EFF and friends at MIT and NSA have an "alternative" sitting in a desk drawer to replace PGP?

[chan] bitmessage
May 16 19:28 [raw]

wut duh EFF?

[chan] bitmessage
May 17 02:00 [raw]

The discussion is about moving away from email+PGP as a method of communication, and makes some sense. Email is on its way out anyway, and long-term keys as used in PGP (and Bitmessage) have well known issues. Alternatives to email are many, just have a look at the current selection of decentralized/federated IM protocols waiting on the sidelines. Surely XMPP is a pretty solid candidate. Alternatives to PGP in messaging, well, anything that has forward secrecy. OTR is very well designed and had lots of top-shelf peer review. Axolotl is the wild child of the bunch, with some unique properties that may be really useful in today's environment, some unique downsides as well. And so on. On the flipside, a worrying alternative is the resurgence of walled gardens: from Facebook (if your friends, employer and family are all on Facebook, why even use email), to Office365, to China, to Google, to even small services like Tutanota which only enable the full privacy extensions for internal messages. This is eroding the federation property of our communications, and may make it impossible in some extreme cases. And when federation is lost, lock-in comes. So yeah, nobody's saying "stop using PGP". What we say is that the threat environment is evolving towards PGP-resistance and we need stronger medicine to survive. PS: PEP is PGP

[chan] bitmessage
May 17 05:03 [raw]

latest Enigmail 2.0.0.4 supporrts pep + sme other new shit ought to be OK

[chan] bitmessage
May 17 11:30 [raw]

"OTR is very well designed and had lots of top-shelf peer review" On Spiegel website you will find PDF files from documents Snowden leaked from NSA. On few of these slides you will see NSA system breaking OTR in real time.

[chan] bitmessage
May 17 12:31 [raw]

Your recollection is inaccurate. OTR was on NSA's list of "no decrypt available" protocols at the time and since then, the protocol has been continuously improved. OTR is a fine piece of cryptography. Don't let the trolls tell you otherwise.

[chan] bitmessage
May 17 12:33 [raw]

Your memory is failing you. Image in slides clearly show decrypted messages.

[chan] bitmessage
May 17 12:42 [raw]

Dude. Feast your eyes. http://www.spiegel.de/media/media-35552.pdf

[chan] bitmessage
May 17 12:51 [raw]

Have it, you stupid uneducated fuck: http://www.spiegel.de/media/media-35552.pdf Look, read and repeat until you see clearly DECRYPTED OTR MESSAGES, in plain sight (however "redacted" by Spiegel). Now you can fuck yourself, you liar. Now everyone sees how stupid you are.

[chan] general
May 17 13:11 [raw]

> Now everyone sees how stupid you are. They certainly do, and to remove any doubt, watch me double down on my stupidity: The fully redacted blocks are the 4-way session establishment handshake (AKE) at the beginning of each new OTR private conversation. There's no secret content in there. The only packets carrying actual content are the ones marked "No decrypt available". The slides show the system working as designed. Feel free to read the protocol spec yourself, it's open and public. > Now you can fuck yourself, you liar. Don't think I haven't tried!

[chan] bitmessage
May 18 12:54 [raw]

No, the NSA partner couldn't offer me enough to work there. Literally less than a quarter of my asking rate for cryptography work, and they wanted me to be the head of research in 3 years. Fuck that for a joke.

[chan] bitmessage
May 18 20:09 [raw]

Perhaps we could turn your alternative into billions, "under the table." Do elaborate on your alternative.

[chan] bitmessage
May 21 08:25 [raw]

"We" ? LOL, no. I can, and it has been well established that it is not well understood by less experienced cryptographers.

[chan] bitmessage
BM-2cWy7cvHoq3f1rYMerRJp8PT653jjSuEdY

Subject Last Count
minimum difficulty for chans May 25 07:39 7
YOU WANNA HIRE A LEGIT HACKER????? May 25 07:08 2
BM-2cWkFSxB4cyeNVr99tgJdkMA2nfivbXLiH May 25 07:07 2
ein kleines pyBM Nebenproblem in KDE LiquidShell May 24 18:14 1
PyBitmessage 0.6.3.2 blacklist whitelist May 24 06:29 6
Test DML May 24 02:18 1
Now, following my own advice, adding channel bitmessage and general to the blacklist May 23 15:50 9
hyperboria node [fc5b:acf7:9762:439c:394d:02bb:d603:05de]:8444 May 23 01:34 3
Feature request: delete all messages from user May 22 10:46 2
(no subject) May 22 06:46 7
Github Wiki complaint May 21 08:49 12
EFAIL?! May 21 08:25 26
ERROR - Error Processing May 21 08:25 3
Curious May 21 02:17 32
Is bitmessage within whonix bad? May 20 21:24 14
Duplicate messages May 20 21:08 1
Download of Windows binary from Bitmessage.org May 20 07:25 3
How to create a "send only" bitmessage address May 20 04:35 1
/join #bitmessage on eris.us.ircnet.net :6667 May 19 21:46 3
hey - why not make pyBM as shitty as "Signal-App" by Marlinspike ? May 19 20:30 7
use Claws mail-App with pyBM and python May 19 20:28 5
A question May 18 23:24 2
A Few Bitmessage Internals for New Users May 18 23:08 5
May 18 17:33 1
Ideas for countering trolls and spam May 18 12:54 98
DARKNET DIRECTORY ASSISTANCE May 18 02:25 1
Broadcast messages May 17 23:24 24
2018 : Der junge Karl Marx -- youtube.com/watch?v=AbM76KUm4IM -- 2 hours "Le Jeune Karl Marx" May 17 20:24 1
Signal-App is complete shit May 17 20:24 13
May 17 19:49 2
OTR interception May 17 18:00 3
auto renew one's canary using broadcast or [chan] ? May 17 10:51 1
latest in the spy world May 16 14:14 3
Curious -- GUIfied pyBM-CLI May 16 13:47 1
efail vulns May 16 13:21 1
how does the namecoin feature work? May 16 07:24 3
Email campaign to promote Bitmessage? May 15 18:09 1
NSA doesn't joke, folks May 14 23:26 2
Beaker May 14 19:27 1
Bitmessage Bug - Re: Now, following my own advice, adding channel bitmessage and general to the blacklist May 14 16:21 3
Ideas for countering trolls and spam - technology. May 14 16:21 9
BITMESSAGE May 14 14:58 2
BM in firejail May 14 14:24 1
Team Revenge May 14 09:54 1
What are these messages? May 13 07:57 8
Bitmessage Bug? May 10 19:59 1
TOR -> VPN -> TOR May 10 14:57 2
Bitmessage on Raspi May 10 09:32 2
Bloom Filter for Routing May 10 09:04 1
Alternative treatment of Bitmessage addresses for use as public channels May 9 16:12 4
deterministic passphrases May 8 16:54 21
nothing wrong with suicide these days May 8 10:30 2
What's Peter Todd's public key? May 8 10:27 7
BMinstallMenu - easy download + run Bitmessage from py source in one single menu May 8 08:46 1
BMinstallMenu - easy download + run Bitmessage from py source in one single menu May 7 18:38 2
Why there are so many alternative Bitmessage implementations? May 7 18:31 14
modding pyBM May 7 18:17 4
bm hidden service settings May 7 10:48 1
bitmessage feature proposal May 7 10:38 1
This shit world May 7 07:22 2
Outgoing connections May 7 04:53 2
"time to live" ? May 7 03:27 2
OTR on Bitmessage May 7 02:06 31
Newbies! READ ME! (Bitmessage Primer) May 7 00:43 1
For Bitmessage Devs - GUI Interface Design May 6 23:18 1
O M E G A May 6 19:14 14
Bitmessage being sandbagged? May 6 05:55 3
Is Peter Surda around? Why stop signing technical messages? May 5 22:40 3
How to decrypt past objects? May 5 08:18 14
PyBM Error - no sufficient space in / partition but /home have lot's of free space May 4 13:42 3
Anybody seen this error before? May 4 12:58 4
<h1>HTML tags are enabled in subject tooltips</h1> May 3 22:17 3
is that right? May 3 07:33 6
RE: pyinstaller binaries do not run May 2 07:37 1
RE: hidden chan? May 1 06:05 1
hidden chan? Apr 30 16:15 2
bitmessage takes long to connect and finds only few peers Apr 29 10:54 2
pyinstaller binaries do not run Apr 29 09:43 3
ready-made Linux distro with BM included via TOR : "Merlot" Apr 29 09:27 1