paperkey // ? feature request

Robert J. Hansen rjh at
Wed Feb 11 01:25:55 CET 2009

Faramir wrote:
>   IMHO, the difference is the recipients can send it's public to me by
> some way, and check the fingerprint by telephone...

It's not a disposable session key if the recipients need to contact the
sender afterwards.  If you're assuming a high threat environment, you
kind of need to assume the sender got flipped right after sending the

> But how? There is still the chance to buy things with effective, not
> with credit or debit cards, and USB Flash Drives are cheap enough and
> easy to find at stores to make it very hard to trace...

Timothy McVeigh was tracked through his use of a prepaid calling card...
which he paid for with cash.

I don't know how the FBI and ATF did it, but I'm willing to bet they've
already taught an improved version of the technique to the next
generation of agents.

> We are talking about something between 320 and 480 hours of work, the
> info on that CD must have been (or they suspected it to be) of high
> importance...

[shrugs]  Not really.  Consider the cost-benefit ratio for two common
things: military campaigns and child pornography.  Assume lab time costs
 $100/hr., which pays the DF's salary and equipment costs.  We're
looking at about $50,000 for 500 hours of work.

One soldier being grievously injured on the battlefield can cost the
Army easily $5 million in lifetime medical care.  $5 million versus
$50,000 is a 100:1 cost savings.

Consider child porn.  How much is it worth to take a child pornographer
off the street before he or she can exploit another kid?  $100,000?  2:1
cost savings.

How much is it worth to... etc., etc.

Divorce lawyers are getting into the swing of things, too.  I was once
paid to do some data recovery on a hard drive that was an issue in a
lawsuit.  The lawyer was laughing all the way to the bank: my fee paid
for itself many, _many_ times over.

More information about the Gnupg-users mailing list