To somewhat answer my own question, this excerpt of a blog post recommended elsewhere:
Encrypting Email: Don’t.
Email is insecure. Even with PGP, it’s default-plaintext, which means that even if you do everything right, some totally reasonable person you mail, doing totally reasonable things, will invariably CC the quoted plaintext of your encrypted message to someone else (we don’t know a PGP email user who hasn’t seen this happen). PGP email is forward-insecure. Email metadata, including the subject (which is literally message content), are always plaintext.
If you needed another reason, read the Efail paper. The GnuPG community, which mishandled the Efail disclosure, talks this research down a lot, but it was accepted at Usenix Security (one of the top academic software security venues) and at Black Hat USA (the top industry software security venue), was one of the best cryptographic attacks of the last 5 years, and is a pretty devastating indictment of the PGP ecosystem. As you’ll see from the paper, S/MIME isn’t better.
This isn’t going to get fixed. To make actually-secure email, you’d have to tunnel another protocol over email (you’d still be conceding traffic analysis attacks). At that point, why bother pretending?
I also recently watched some young guys on YT examine and test a high-end Nvidia graphics card. I think they said it was a 7 nanometer process and they'll soon be coming out with even faster, more efficient 6 nm process silicon. What was interesting is that Nvidia would not sell to these enthusiasts even though it was far superior to what they made available for the public. The one they were able to borrow had its identification sticker removed, and they were told not to ask too many questions about where it came from.
Three naive hypotheses: Could it be merely a development iteration that was not ready for sale, that Nvidia does not want to provide support for? Sure, maybe, but they must have a revenue stream in place for a neighboring product. Could they be selling to cryptocurrency miners? While this market is now dominated by large players and large contracts, crypto still has a decentralized ethos, and I as a private individual can buy a $10k mining ASIC if I wanted to. Could they be selling to governments? Ding ding very likely. And for what purpose? In combination with analog Bayesian neural simulations, a government quasi-monopoly on breaking encryption.
Alarm bells are going off here, sure hope this is not part of the “new business model.”
I am really missing reading comments of the tribe on various threads, the collective mind here is as interesting as what Chris produces. Hope those threads come back soon, I like the new site just fine and it feels hollow without the backbone of the tribe.
I don’t have any particular arrangement, Sekur is offering a discount to our readers and followers. I always disclose arrangements, fully and completely.
The ‘business model’ is to find things of value to people and help them connect with them. Sometimes we have an arrangement and sometimes we don’t. It’s always disclosed when we do.
I agreed with that sentiment to large extent too (Ex-IT tech here). However, I need to buy a newer car, and guess what, all cars from the last few years use some form of connectivity.
Agreed. How do you think your smartphone uses SSL and TLS encryption to establish private connections with websites? I’m sure it’s faster on a large server/server farm, but a smartphone is plenty fast enough to do it.
We will have to look into this. A group of mine is really looking for something as an alternative to Google and zoom. Our main problem is we use the document sharing functions constantly and this is so much easier on Google for us technically challenged folks, lol.
Chris: As someone who used to work in the industry, may I suggest Brian Krebs from Krebs on Security? He is both extremely knowledgeable and passionate about helping people. He lives and breathes the stuff. I’m not sure he’s good at explaining things in simple terms, as he caters more towards industry folks, but it’s probably worth asking him.
I’m not convinced Signal is problematic for security. It looks to be much better than most options, possibly the best out there.
It’d be interesting to hear from a security expert on the best options available.
Bruce Schneier is one of the best. https://www.schneier.com/
Discussion of Signal: https://www.schneier.com/tag/signal/
A hard disconnect from electronics is the only solution which would give me complete confidence. Everything else is a matter of increasing the time and effort for someone to access my info. Layers of encryption and good online practices are best. Keeping a low profile to avoid being on a target list is another way (security via anonymity).
Heh. I totally agree. ET aren’t fans of the CCP. Unlike most of Washington. It’s helpful to know the biases. At least ET is straightforward about theirs. Naughty Nancy - and “10 held by H for the Big Guy” - much less so. NYT pretends to have no biases at all.
Alright, I’m posting way too much to this thread, but I also just want to remind people, if you’re concerned about privacy, use an ad blocker. If you research the amount of data harvesting that goes on while you use your web browser, it’s staggering.
I use one built into my router, but the free software ones (for real free, no catches) that run on your PC work great, as long as you don’t have a really slow PC. There are versions for smartphones too.
Here’s one very good but long article on data brokers: https://www.fastcompany.com/90310803/here-are-the-data-brokers-quietly-buying-and-selling-your-personal-information
Note: Not everything mentioned in that article is web-based, so an ad blocker may not block all of it. That article is sort of a wide, topographic view of the industry.
Gun to my head, I’d say the same thing about the EFF. (Caveat - I used to think the same thing about the ACLU)
I’d need tech details as to why encrypting a stream using a shared secret (swapped via key exchange) is computationally infeasible on a modern phone - when it was doable on a VAX 11/780 back at the dawn of time. I recall using a little program called “crypt”; yes, that was just single-DES, but the “more modern” encryption algorithms aren’t all that much slower.
My gut says: Signal is probably ok. The phone OS is probably the weak spot; they can hack the OS in a bunch of different ways, especially via the RF modem. That’s what I recall anyway.
Something that Schneier said always stuck with me: “if it’s connected to the network, the NSA can get at it.” The only way to make a box halfway secure is an air-gap. And even those Iranian off-net boxes got hacked with Stuxnet. https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/
I really just have enough tools to keep my ISP, and Google, from spying on my traffic. And I’m allergic to things associated with TWTR, FB, GOOG, and MSFT. And I’m starting to wonder about AAPL.