paperkey // ? feature request

Faramir faramir.cl at gmail.com
Wed Feb 11 00:21:35 CET 2009


Robert J. Hansen wrote:
...
> So only someone with the private key can decrypt it.  Okay.  How do you
> communicate the private key with your intended recipients?  And how is
> communicating the private key with your intended recipients different
> from the key distribution problem when using symmetric crypto?

  IMHO, the difference is the recipients can send their public key to me
in some way, and check the fingerprint by telephone... of course, I would
need to be able to recognise the recipient's voice. Also, the encrypted
files in transit don't require a very good passphrase in order to be
hard to bruteforce (or whatever), as symmetric crypto would require... I
don't need to exchange or communicate any "secret" passphrase at all.


> USB tokens have GUIDs, Globally Unique Identifiers.  Computers keep
> track of what GUIDs they've seen.  If the secret police get access to
> the PC, then they know "ah, someone used GnuPG on a USB token, with a
> GUID of...", etc.  That USB token can now be connected to you.

  But how? There is still the chance to buy things with cash, not
with credit or debit cards, and USB Flash Drives are cheap enough and
easy to find at stores to make it very hard to trace...


> Okay, so the obvious tactic is to dispose of it.  But how?  Losing
> and/or destroying things reliably is pretty hard.[1]  If you lose track
> of your car keys for thirty seconds you'll spend a week finding them; if
> you flush a USB token down the toilet a plumber will be called out five
> minutes later to find out what's causing the clog.  Call it the spy's
> version of Murphy's Law.

  Certainly... probably a big river would be a better place than a
toilet... Another option would be the use of a hammer, before
disposing of the artifact... they are plastic stuff, very different from an
hdd, so probably the only surviving part would be the USB connector.


> DF is interesting stuff.  If you're serious about wanting to come up
> with effective spy-versus-spy techniques, then I'd strongly recommend
> reading up on DF.  The more you know about the capabilities of the
> people who are trying to recover your secrets, the more you'll know
> about how to make life difficult on them.

  And I probably will also thank God for not having to do it for
real... I mean, probably there is enough information to make anybody a
bit paranoid... even if they don't have "anything to hide".

    But I think it is an interesting subject... after all, any advice
about how to recover damaged info is potentially useful... I have heard
a lot more times the question "how do I recover my lost file" than "how
do I not recover...". Where do you suggest searching? In addition to
looking in google, of course...

> [2] I had sushi with a colleague of the guy who recovered the crosscut
> CD-R.  They gave that task to him specifically because of his
> severe OCD.  The guy later said it was the happiest month he'd ever
> worked: he was allowed to indulge his OCD for 16 hours a day and
> everybody left him alone.

  We are talking about something between 320 and 480 hours of work, the
info on that CD must have been (or they suspected it to be) of high
importance...

  Best Regards