#5yrsago #Efail: instructions for using #PGP again as safely as is possible for now https://www.eff.org/deeplinks/2018/05/how-turn-pgp-back-safely-possible
#5yrsago @eff on #Cockygate: trademark trolls vs romance literature https://www.eff.org/takedowns/author-trademarks-cocky-earns-ire-romance-writers-everywhere
#1yrago Apple's Cement Overshoes https://pluralistic.net/2022/05/30/80-lbs/#malicious-compliance
#5yrsago #efail #pgp #cockygate #1yrago
NEW ARTICLE: Responding to Friendly Criticism of a Previous Article on Encryption
#criticisms #efail #gpg #pgp #signal #cishuman
https://www.cishuman.org/2023/02/24/responding-to-friendly-criticism-of-a-previous-article-on-encryption/
E-Mails: Not Safe For Work?
What if your e-mails aren't as secure as you think? Ever heard of #EFAIL? Because even end-to-end encryption can be cracked. David and Béla explain this in #Softwarekatastrophen
17 Feb, 9 a.m.
https://www.campusradio-karlsruhe.de/2023/02/16/e-mails-not-safe-for-work/
@laplace You can, but only to a point; #EFAIL (https://efail.de/) has demonstrated why that's a brittle way to handle the issue.
There are also other issues with #GPG's quality as a cryptographic implementation (part of those design flaws being inherent to #PGP).
I haven't given its code enough of a look-over, but #NNCP (https://nncp.mirrors.quux.org/) seems like a viable method (https://nncp.mirrors.quux.org/UsecasePOP.html) that is also simpler (https://www.complete.org/nncp/).
#efail #gpg #pgp #NNCP #email #asynchronouscommunication
It's been 3 years since the #EFAIL disclosure, and I'm still impressed with the attack.
Today's #35C3 talk recommendation is rather technical: "Attacking end-to-end email encryption" -- #EFail explained:
https://media.ccc.de/v/35c3-9463-attacking_end-to-end_email_encryption
I managed two #Mailpile team meetings in under an hour today... plus getting a contributor on IRC unstuck! Woo!
One of the meetings was w/ our PM. In case you were wondering why pay for a PM, these are things I put on her plate:
Desktop packages: almost ready, so how do we a) get people to test, b) coordinate translations and i18n/QA, c) release and d) structure ongoing relations w/ contractors?
EFail: I feel I made mistakes in handling #EFail. Followup? We need processes for security issues!
Email is a mess, writes @quinnnorton@twitter.com, and it's going to get worse. https://www.theatlantic.com/technology/archive/2018/05/email-is-dangerous/560780/ -> After #Efail https://efail.de
Does anybody know if it's possible to view a single message as HTML in Thunderbird without switching my default? I've turned off HTML email since #efail but a lot of mass-mailings don't even have a text option at all!
Daniel (dkg) at the ACLU is one of the smarter people in the PGP world. He says some reasonable things about #EFail (and #EFFail) here: https://www.aclu.org/blog/privacy-technology/internet-privacy/encrypted-email-and-security-nihilism
Reading this, I get the feeling he's missing point 2) from my previous toot - how #EFail is particularly scary because Lazy User A can put Careful User B at risk.
In InfoSec, we're so used to thinking in an individualistic way about how we protect ourselves, I think we often fail to consider how our choices affect others.
RT @EFF@twitter.com: There has been a lot of different information about the #efail vulnerability in PGP, GPG, and S/MIME in the last few days. We’ve attempted to answer some important questions about the current state of email security here. https://www.eff.org/deeplinks/2018/05/pgp-and-efail-frequently-asked-questions
🐦🔗: https://twitter.com/EFF/status/996556917232168960
I’m so accustomed to dropping the “e” from “email” that it was only a few moments ago that I realized that #efail is a pun on “email”
The more I think about #EFail and the #EFF's take, the more sympathy I have with their approach.
I wish they'd given more nuanced advice and avoided some of the drama, but here are some factors to consider:
1) People don't read. Security advice needs to be simple.
2) Lazy User A can put careful User B at risk.
3) Social engineering works.
4) The PGP/e-mail community's knee-jerk was "we're not vulnerable."
But many were & are vulnerable if you count SocEng and/or old versions. #Mailpile too.
Went to update the #Mailpile #EFail blog post to mention our nightly Debian packages... and discovered that our build-bot had been dormant for 10 days, due to a full disk. Oops!
Fixed that. The nightly packages are up to date now.
Added the buildbot output to my monitors, so it won't take me 10 days to notice next time.
Updated the blog post: https://www.mailpile.is/blog/2018-05-14_PGP_Security_Alert.html
Whee!
PGP users,
I implemented a simple #efail exploit for Apple Mail, which is vulnerable to direct exfiltration with its default settings. The mitigation, disabling remote content, works but is brittle. So never click "Load Remote Content". (Thunderbird/Enigmail is vulnerable in a similar way, but I haven't tried that one yet.)
https://www.youtube.com/watch?v=_67Pz9zpPb0&feature=youtu.be