German ct magazine postulates death of pgp encryption

Peter Lebbing peter at digitalbrains.com
Fri Feb 27 12:15:36 CET 2015


On 27/02/15 09:45, gnupgpacker wrote:
> German ct magazine has postulated [...] published mail addresses are collected from keyservers

They are?

I can read German, but it is veeerryyyy slooowwww. So I'll probably not do that.

But I have a honeypot key on the keyservers that has a computer-generated random
e-mail address that does however exist. Anybody who looks at the name thinks
"huh?" but the purpose is to not catch spammers that simply address kathy@
peter@ john@ and variations on that, because they would be false positives for
the experiment.

Because the experiment is: does having an e-mail address on the keyserver
attract spam?

I reckoned that there's a good chance e-mail harvesters don't do any filtering
on unlikely local parts in the e-mail address; I think they'd rather not spend
effort on that and simply mail any and all addresses you find. That's insanely
cheap to do (since you use a botnet), and filtering might remove actual spam
targets.

So what did this key attract, being on the keyserver for four years now?

22 Nigerian 419 scams. That's it. Twenty-two! They came in batches; I haven't
seen anything since March last year.

I've kept this little experiment (which admittedly is rather small) secret for a
year, to avoid people with an agenda biassing the results. By then I had only
had one 419 scam. Even after I talked about it just a 419 scam every few months.
The latest one will celebrate its first birthday in 3 weeks! Hmmm.... I think
they might have stopped spamming that address.

I wonder if it says anything that all spams are 419 scams. Do they as a group
collect addresses differently than other spammers? Or is it simply that there is
only one person who harvests keys from keyservers, and his only customers are
419 scammers? Hell, the harvester could be the spammer; just one person.

Sooooo...... back to c't. Since they were writing an article, since they're
journalists, they should do some fact checking, right? Do they have proof, or a
strong indication that spammers use the keyservers?

Or is it the crystal ball "yes, but if more people start to use the keyservers,
then it will surely happen"? I've gazed in there and thought the same, but it's
not a fact and neither is the current keyserver network necessary for widespread
OpenPGP usage, IMHO.

Also, I've said it before: instead of saying "Let OpenPGP die", put effort in
getting something accepted by the mainstream that deserves to live! I think
right now we need an alternative for the e-mail infrastructure more than we need
an alternative to OpenPGP for our current e-mail. Work your way from the ground
up with security and privacy as a goal right from the outset. You could keep
legacy interfaces to the end-user (IMAP, SMTP), but the core should be replaced.
Upon this renewed core, we can build security and privacy.

When your housekeeper, Mister Jones, is in his 70s and you need a new
housekeeper because the good man is simply getting too old for the job, what do
you say? "Wanted: good housekeeper, for two days a week, ..." etcetera?

Or "Let Mister Jones die"?

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
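The honeypot experiment described in the post above (a keyserver-only address with a random local part, then counting what arrives for it and when) can be reproduced with a small script. The following is an added example, not code from the post's author or from GnuPG; the honeypot address, the sample mail headers and the cut-off date are all constructed here for illustration.

```python
"""Keyserver honeypot tally (added example, not from the original post).

Two parts: (1) generate a random local part that dictionary spammers are
unlikely to guess, so any mail for it points at address harvesting rather than
blind guessing; (2) over a set of received messages, count the ones addressed
to the honeypot, group them by month to make batches visible, and report how
long the address has been quiet.
"""
import email
import secrets
import string
from collections import Counter
from datetime import date
from email.utils import parsedate_to_datetime

ALPHABET = string.ascii_lowercase + string.digits

# Constructed list of local parts that guess-and-send spammers try blindly;
# a honeypot must not collide with these or the hits are false positives.
COMMON_LOCAL_PARTS = {"kathy", "peter", "john", "info", "admin", "sales"}


def make_honeypot_local_part(length=12, common=COMMON_LOCAL_PARTS):
    """Random local part from a CSPRNG, rejecting anything on the common list."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if candidate not in common:
            return candidate


# Constructed honeypot address and constructed sample headers (not real mail).
HONEYPOT = "q7x2m9kd3p1z@example.com"
SAMPLE_MAIL = [
    "From: a@example.invalid\nTo: q7x2m9kd3p1z@example.com\n"
    "Date: Tue, 05 Mar 2013 10:00:00 +0000\nSubject: URGENT BUSINESS PROPOSAL\n",
    "From: b@example.invalid\nTo: undisclosed-recipients:;\n"
    "Cc: Q7X2M9KD3P1Z@example.com\nDate: Wed, 06 Mar 2013 08:30:00 +0000\n"
    "Subject: Your fund transfer\n",
    "From: c@example.invalid\nTo: kathy@example.com\n"
    "Date: Mon, 10 Jun 2013 12:00:00 +0000\nSubject: cheap watches\n",
    "From: d@example.invalid\nTo: q7x2m9kd3p1z@example.com\n"
    "Date: Sat, 08 Mar 2014 09:00:00 +0000\nSubject: Dear beneficiary\n",
    "From: e@example.invalid\nTo: undisclosed-recipients:;\n"
    "Delivered-To: q7x2m9kd3p1z@example.com\n"
    "Date: Mon, 10 Mar 2014 14:00:00 +0000\nSubject: Re: inheritance\n",
]


def honeypot_hits(raw_messages, honeypot=HONEYPOT):
    """Return parsed messages whose To/Cc/Delivered-To name the honeypot."""
    needle = honeypot.lower()
    hits = []
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        recipients = " ".join(msg.get(h, "") for h in ("To", "Cc", "Delivered-To"))
        if needle in recipients.lower():
            hits.append(msg)
    return hits


def hits_per_month(hits):
    """Count hits by YYYY-MM so batches stand out in the tally."""
    counts = Counter()
    for msg in hits:
        d = parsedate_to_datetime(msg["Date"])
        counts[f"{d.year:04d}-{d.month:02d}"] += 1
    return dict(sorted(counts.items()))


def days_since_last_hit(hits, today):
    """Days between the newest hit and `today`; None if nothing ever arrived."""
    if not hits:
        return None
    last = max(parsedate_to_datetime(m["Date"]).date() for m in hits)
    return (today - last).days


def report(raw_messages=SAMPLE_MAIL, honeypot=HONEYPOT, today=date(2015, 2, 27)):
    hits = honeypot_hits(raw_messages, honeypot)
    return {
        "total": len(hits),
        "per_month": hits_per_month(hits),
        "quiet_days": days_since_last_hit(hits, today),
    }


if __name__ == "__main__":
    print("new honeypot local part:", make_honeypot_local_part())
    print(report())
```

The `today` parameter is passed in rather than read from the clock so the quiet-period figure is reproducible; in use you would feed `honeypot_hits` the messages from the honeypot's mailbox and watch whether the monthly buckets cluster, as the post reports they did.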
