
Comment: e-mail, not phone (Score 1) 229

I would e-mail, not telephone. Phone calls are too short and simplified.

Before you hit Send, trace through an exact example and describe every step in the e-mail message. I expect that the Customer Service Representative won't understand it. But with an e-mail he can forward it to somebody who will understand the security flaw.

That's what I would do.

Comment: Re:I use GnuPG (Score 1) 308

by AndyCanfield (#49144381) Attached to: Moxie Marlinspike: GPG Has Run Its Course

Uhm, this story is about the fact that no one uses PGP, which means your correspondent on the other end of the wire probably can't use it. Paying attention to the world around you might be helpful.

Sorry, the way I read it was "PGP has a bad user interface". Nothing in the original post tells me about anything that has a better user interface. Moxie Marlinspike hates to get PGP-encrypted e-mail because the gnu implementation is hard to use (OK, arguably true). I use Thunderbird with Enigmail. I can agree that Enigmail could be better. The one option I'd like to have is "If there is no encryption key in my list, what should I do? [A:ask, B: ask a keyserver, C:don't encrypt].

your correspondent on the other end of the wire probably can't use it.

I only send encrypted e-mail to correspondents for whom I already have their encryption key, so I know they can use it. You want encryption that any dumb Windows secretary can use, that's a whole 'nother ball game.

Comment: Re:I use GnuPG (Score 1) 308

by AndyCanfield (#49144177) Attached to: Moxie Marlinspike: GPG Has Run Its Course

... and so is your website, which is trivial to just MITM, making your PGP key less useful than S/MIME from the instant you started using it, and harder to use for everyone else as well.

MITM = Man In The Middle? Not likely. There are several other web sites on that server; you get one or another depending on what DNS name you use. Subverting the name requires subverting the DNS system, and I'm on 8.8.8.8 (Google's DNS server). Subverting the IP address will bring down other companies' production sites. And of course MITM requires a man *IN*THE*MIDDLE*, and you have no idea where the cables are.

Uhm, this story is about the fact that no one uses PGP, which means your correspondent on the other end of the wire probably can't use it. Paying attention to the world around you might be helpful.

I use PGP to correspond with two people. I told them about this exchange. One answered "Well, I'd certainly be happy if he created a better alternative. Until then, I'm using what works." If you've got a better tool for end-to-end e-mail encryption, tell me about it. Maybe nobody uses PGP, but I know of no alternative. And I don't care if you use PGP or not; send me your key and I'll use it, otherwise you get plain text like everybody else. I got enough work solving my own problems without solving the world's problems too.

Hey, gang, let me add a data point here. This discussion has been going on for a day or so on Slashdot. During that entire time my web site URL has been in the comments. The web site includes my e-mail address. During that time NOBODY has sent me any e-mail related to this discussion. Nobody said "Hello", nobody said "Here is my PGP public key", nobody said "Andy you're a dumb-ass." (well, here, yes, but not in an e-mail).

Comment: Uninteresting (Score 2) 89

by AndyCanfield (#49144031) Attached to: OPSEC For Activists, Because Encryption Is No Guarantee

The article misses one partial solution: be uninteresting. I've got a bank account in a non-US bank. It's got several hundred dollars in it. Nobody's going to bother to steal that. I've got a password I use all over the Internet, including Slashdot, but you can't do anything with it but post stupid comments. My bank password was a different one. I look just like a million other Americans living overseas, and that is my ultimate protection. Of course, the cheaper hard disks get, the more data the NSA can store, so the protection is only partial. But for now it is a factor. Of 200 million Americans, how many are worth tracking?

Comment: File transfer from old PC (Score 1) 462

by AndyCanfield (#49143957) Attached to: Ask Slashdot: Old PC File Transfer Problem

I'd make sure to use zip; as I recall unzip has an automatic check on the format of the input. So if you copy W to X and X to Y it might come out wrong, but if you zip W to X.zip and try to unzip X.zip onto anything, it will warn you if there was some loss of bits in the intermediate medium X.

A fall-back solution: e-mail the (zip) files to yourself. Of course this assumes an internet connection on the old machine, but even an old dial-up modem can be used. This is how I get pictures off my (new) Android phone. If you've got an RS-232 socket on the old machine you can hook both machines to a LAN router and transfer the files faster. Again, though, in all cases, use zip to provide confirmation of contents.
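The check the comment above relies on is the CRC-32 that zip records for every member; `unzip -t` recomputes it on extraction. The following is an added example (not the commenter's code) using only Python's standard library: it builds a small archive from constructed sample data, flips one byte in the stored file data to simulate a lost bit on the intermediate medium, and shows that `testzip()` names the damaged member while the undamaged archive passes. A plain file copy has no such check, and note that a CRC only catches accidental corruption, not deliberate tampering.

```python
import io
import zipfile

# Constructed sample file; stands in for the data being moved off the old PC.
SAMPLE_NAME = "notes.txt"
SAMPLE_DATA = b"Budget figures for 1998 quarter 3: 1234.56\n" * 4


def make_archive(name: str, data: bytes) -> bytes:
    """Build a ZIP archive in memory.

    ZIP_STORED keeps the member bytes verbatim, which lets corrupt_archive()
    find them; the CRC-32 is recorded in the headers with either method.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def corrupt_archive(archive: bytes, data: bytes, offset: int = 0) -> bytes:
    """Simulate a lost bit in transit: flip one bit inside the stored member
    data, leaving the local header and central directory untouched."""
    start = archive.find(data)
    if start < 0:
        raise ValueError("member data not found; archive must be ZIP_STORED")
    damaged = bytearray(archive)
    damaged[start + offset] ^= 0x01
    return bytes(damaged)


def check_archive(archive: bytes):
    """Return the name of the first member whose CRC-32 does not match, or
    None if every member is intact. This is the same check unzip -t does."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.testzip()


if __name__ == "__main__":
    good = make_archive(SAMPLE_NAME, SAMPLE_DATA)
    print("intact archive, first bad member:", check_archive(good))
    bad = corrupt_archive(good, SAMPLE_DATA)
    print("damaged archive, first bad member:", check_archive(bad))
```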

Comment: Identity theft? (Score 1) 308

by AndyCanfield (#49136085) Attached to: Reddit Imposes Ban On Sexual Content Posted Without Permission

I don't use Reddit, but - how the H* is Reddit going to judge, evaluate, or confirm the permission? I can post a picture of Julie Smathers naked. Is Reddit going to contact every person in the world named "Julie Smathers" to see if any of them gave their permission? And even if they did, how can they tell if she's the one in the picture? Or do I have to send an e-mail to with an attached signed autographed copy of the photo? This seems like a "call the cops" theory gone wacko.

Comment: Re:I use GnuPG (Score 1) 308

by AndyCanfield (#49134395) Attached to: Moxie Marlinspike: GPG Has Run Its Course

Thing is, there is a mechanism to make doing it this way trustworthy. By opting out of that mechanism, you put the burden onto everyone else for no reason. The result is that you remove your key from the set able to be considered trustworthy without effort.

I never opted out of it. I simply never opted into it. I don't think the mechanism is trustworthy because it is under the control of organizations which are not under my control. I have not put any burden onto anyone else; you can still go to http://www.andycanfield.com./

I "remove my key from the set able to be considered trustworthy without effort."? Again, I did not remove my key; I just never put it in. To me, the Internet is not trustworthy. None of it is. Any trust is an illusion. And "without effort"? You mean like Windows?

Comment: Re:I use GnuPG (Score 1) 308

by AndyCanfield (#49133933) Attached to: Moxie Marlinspike: GPG Has Run Its Course

It feels like you either have a misunderstanding of how the WoT is supposed to work that leads you to false conclusions on how best to use it... only succeeding in making it too annoying for other people to be bothered working with it.

You come very close to saying that you want the Internet to be automatic and trustworthy. Pick one or the other; both are not possible today.

Comment: Re:I use GnuPG (Score 1) 308

by AndyCanfield (#49133733) Attached to: Moxie Marlinspike: GPG Has Run Its Course

You can retain a copy of my public key on your computer. Then you can trust any signed message from me to be from the same source as the previous signed message from me.

Someone could make a key with the same details, get it to me somehow, and I would have no choice but to accept it

"get it to me somehow, and I would have no choice but to accept it"? You allow random strangers to update your hard disk? I don't.

Comment: Re:I use GnuPG (Score 1) 308

by AndyCanfield (#49132925) Attached to: Moxie Marlinspike: GPG Has Run Its Course

It is not on any "KeyServer"

I correct myself. The truth is that as far as I can recall I have never put it on any keyserver. What other people may have spidered and copied I can not control. I was under the impression that KeyServers were voluntary. I guess they're just a newer kind of insecurity.

Actually I've had two keys. A year or two ago I lost my private key and had to create a new key pair. I don't know whether the keyserver you listed has the old one or the new one. I hated to do that; my old PGP key pair predated the Internet. How did I distribute it? By hand.

The new one has more bits. I guess that the number of bits you need in your key depends on how powerful computers are; I think my first key had only 256 bits which was safe from cracking back in 1992. Maybe we'll have to change all our keys every few years.

Later, you say "and the public key you get from my web site should confirm the signature."

In my defense I said "confirm the signature", not "prove the signature". The public key on my web site confirms the source of the message matches the site, but it does not 'prove' anything.

Proof? Don't make me laugh. A few years ago I lost my passport and had to go to the U.S. Consulate in Vientiane to get a new one, so even my passport can be doubted. You could ask my mother or father to vouch for my name, but they're dead. If you want fun, search for "Andy Canfield" on Facebook; there are maybe a hundred of us scattered all over the planet.

But I can't trust your site, because it's not HTTPS (which isn't perfect, but is better.) You can get free SSL certs.

I will look into that; I could not get a free cert when I studied HTTPS a few years ago.

And I can't trust your key because it's not in the web of trust.

You could say that I have my own 'web of trust' which are people who have personally met me. You want to join? If you ever come to Thailand say "Hello".

I could never trust any signed message to actually be for you, and I can't trust the information I have to encrypt something to you.

Wrong. You can retain a copy of my public key on your computer. Then you can trust any signed message from me to be from the same source as the previous signed message from me. Who is "me" is an unanswerable issue. You can use my public key to encrypt something to me, and be confident that only the guy with "my" private key can decode it. But once again, who is "me" is an unanswerable issue.

Thinking about it, I suggest the most confidence you can get is by sending me an e-mail arranging for a Skype call. Then in real time you can see my face, hear my voice, and I can show you my passport. But I don't run Skype all the time.
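The "keep a copy of my public key and compare later messages against it" approach argued in this comment and in the earlier "You can retain a copy of my public key" reply is key continuity, or trust on first use. The following is an added example, not the commenter's code or GnuPG's: it pins a correspondent's key fingerprint on first contact and flags a later key that carries the same name and e-mail but different key material, which is the "make a key with the same details" case raised above. The key material is constructed random bytes and the fingerprint is a simplified SHA-256 of it (real OpenPGP fingerprints are computed differently); the pinned value is what you would confirm out of band, for instance on the Skype call the comment proposes.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PublicKey:
    """User ID details are free to copy; only the key material identifies the key."""
    name: str
    email: str
    key_material: bytes  # constructed stand-in for the actual public key bytes

    def fingerprint(self) -> str:
        # Simplified fingerprint for the example: a hash of the key material.
        return hashlib.sha256(self.key_material).hexdigest()


@dataclass
class KeyPinStore:
    """Maps a correspondent's e-mail to the fingerprint seen on first contact."""
    pins: dict = field(default_factory=dict)

    def check(self, key: PublicKey) -> str:
        """Classify an incoming key: 'new' (pinned now, verify out of band),
        'same' (matches the pinned key, same source as earlier messages) or
        'changed' (same details, different key: stop and verify before use)."""
        fp = key.fingerprint()
        pinned = self.pins.get(key.email)
        if pinned is None:
            self.pins[key.email] = fp
            return "new"
        if pinned == fp:
            return "same"
        return "changed"  # the pin is deliberately not overwritten here


def constructed_key(name: str, email: str) -> PublicKey:
    """Generate a key with random material; stands in for a real key pair."""
    return PublicKey(name, email, secrets.token_bytes(32))


if __name__ == "__main__":
    store = KeyPinStore()
    andy = constructed_key("Andy Canfield", "andy@example.com")
    print("first contact:", store.check(andy))
    print("second message:", store.check(andy))
    impostor = constructed_key("Andy Canfield", "andy@example.com")
    print("same details, different key:", store.check(impostor))
```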

Comment: Re:I use GnuPG (Score 1) 308

by AndyCanfield (#49131307) Attached to: Moxie Marlinspike: GPG Has Run Its Course

Ultimately, it comes down to the question "why do you care who Andy Canfield is?" Are they planning to exchange money for goods or services? Write you a mash note? Collect on a debt?

I am not a part of the world wide financial network. Nobody can steal my credit card number because I have no credit card. I don't borrow money so if you are trying to collect on a debt you're a liar. HSBC once gave me overdraft protection and I told them to take it off; when I run out of money I want to run out of money. You want to write me a mash note? Fine, please include a picture.

Professionally I create software and upload it through the Internet. The customer likes what he gets and deposits money into my bank account. I take it out with my ATM card and buy things in my home town. It may be less convenient, but it's a LOT more secure. And if you don't pay me, I stop doing things for you.

The Internet is ***NOT*** secure. We used to think it was, but Ed Snowden and the NSA proved us wrong. Someday, perhaps, it will be secure again. When it is, let me know.

Comment: Re:I use GnuPG (Score 1) 308

by AndyCanfield (#49131121) Attached to: Moxie Marlinspike: GPG Has Run Its Course

The NSA can't subvert a keyserver.

HAH! Which rock were you born under? I use 'whois' and 'dig' to find out who owns the IP address, and anything with a U.S. IP address is questionable. Under US 'Law', the NSA can do anything it pleases and even if you're forced into it it's illegal to tell anyone about it. 'andycanfield.com' is registered in Thailand and points to a hardware box in Bangkok where I myself have installed and maintain Ubuntu Linux. AFAIK the NSA can NOT subvert my server, although of course they can subvert the routers leading to the server.

Also, I see that your key is on a keyserver: http://pgpkeys.mit.edu/pks/loo...

I have NEVER posted my key on any keyserver. What other people chose to spider and copy is out of my control.
