Questions about generating keys

Oskar L. oskar at rbgi.net
Fri Aug 24 23:32:15 CEST 2007


"Robert J. Hansen" wrote:

> This is not my experience.  I've received spam addressed to my amateur
> radio call sign (KC0SJE) at a domain that's not directly associated with
> me.  I don't know how it was discovered, but for right now I'm leaning
> towards the hypothesis that spammers have made pacts with the Devil and
> learned dark arts.

My first guess would be that you are in one of your friends address book,
and your friend has spyware that got it.

> If I know that one sort of antispam measure is going to reduce the spam
> I receive 100-fold over the reduction produced by another antispam
> measure... and the 100-fold measure takes the same amount of resources
> as the other one... then why should I ever use the second measure?

If the amount of resources are so small that even combined they are
insignificant, then why not use both?

Everyone who gets sent spam isn't on one single list, which all the
spammers use. Spammers get their addresses in different ways, so different
spammers will have different lists. Lists are valuable, you can make money
by selling a list of working addresses, so they are not likely freely
shared between spammers. The fewer lists you are on, the less spam you
will be sent. It's not an all or nothing deal. Just because you won't be
able to be totally free from spam, is that a good reason to carelessly
leave your address all over the Internet?

> I get a 100-fold reduction from X amount of time and labor, or a
> 101-fold reduction from a 2X amount of time and labor.  This is really
> simple to me; I'm going to take the 100-fold reduction and spend the
> extra X time goofing off, or visiting my nephews, or grabbing lunch with
> my sister, or doing thesis research, or...

Yes, it's logical to use the measure(s) that gives the best results for
your amount of time and effort. It's also logical to use all of the
measures that gives you or you contacts no inconvenience at all.

> "User IDs do not provide any authentication", okay, that much is true.
> If you want authentication, you're really looking for a trusted
> signature on the user ID, fine.

You are confusing authenticity and trust. I you visit Bob and he gives you
his fingerprint, and when you get home you see that it matches the one on
his key, then the key is authenticated. If you now get Marys key, with a
signature from Bob, this does not make Marys key authenticated! Bob might
not know much about security, and have been tricked to signing a false
key. He might secretly hate you and have created "Marys" key himself.
Someone might hold his cat hostage and force him to sign false keys. The
point is that even if Bob is your best friend and a security guru who has
no cat, his signature is still not a 100% guarantee that the key really
belongs to Mary. All the signature provides is various degrees of trust.

> You are apparently not up to date on something called traffic analysis.
>  I suggest you look into it.  What you're talking about here is probably
> a pipe dream.

I have an account on a server run by a trusted party, which has an
encrypted connection for accessing e-mail accounts. Most of my friends
have accounts on the same server, so our messages to each other never
leaves the server.

Traffic analysis will reveal what time you are active, and how much data
you are transferring. To only way to protect against it is to download and
upload all the time at a constant rate. Not worth it in my situation.

> 1.  Stop posting to crypto mailing lists that keep public archives.
> Creating an electronic paper trail of yourself saying "I'm concerned
> about getting raided by the cops, please help me figure out how to
> protect my electronic privacy" is not a very smart thing to do.

I don't think there's anything wrong with saying that I want to protect my
privacy. I think if asked if they care about privacy, most people would
answer yes. I have been sent letters by the police on several occasions
telling me that my phone has been listened to (by law they have to inform
you of this some time after). I had my car confiscated and searched. So if
I know they are interested in me, surely the strange thing would be if I
did not try to protect my privacy? I never said I was concerned about
getting raided, I said if someone else got raided it's not good if they
find info about me there.

> 2.  Hire an information security professional.  GnuPG can be part of a
> security solution, it can even be a very effective part, but it is not
> magic fairy dust.  You will not find privacy or security just by
> sprinkling a little magic fairy dust here and there and thinking that it
> will "just work".

Heh, I certainly don't think that only encrypting e-mail and signing
backups with GnuPG will somehow make all aspects of my life secure. I
don't know how you got this impression. I also use TrueCrypt for whole
disk encryption, BCWipe for secure deletion, TOR for anonymity, a good
firewall, and all my machines run Linux and my "supersecure" machine is
never connected to the Internet.

> If your needs are this high-level, you need the
> services of an information security professional.

My needs are not high level, and I don't really need security for anything
other that paying bills online. But it's nice to have some privacy, and
security is a very interesting an inexpensive hobby.

Oskar



More information about the Gnupg-users mailing list