Security practices of others may lead _____ to me

I am alluding to: If I communicate with others, they may, because of poor computer practices or a "just don't care" attitude, reveal much about me. Whereabouts. Where I might be traveling, when. While it is often said never to post on Facebook that I am going to be away from home for so many days, if those I communicate with are not as versed in the issues of privacy and security, what I am doing is not much better.

Personally, I do not have emails with anyone else who does PGP, well, except that it is available automatically on some email accounts I have. Not a quality end-to-end encryption.

My point being, my actual security, my identity is related to those I communicate with.

I just have to let them be themselves, and I have to be aware what I say to them.

I do not see considering the impact of -security practices of others- as a topic anywhere.

Raising the concept that for me to be secure, we need to find security solutions that are rolled up in a package that can be implemented by the technologically inexperienced. What we have now is a whole bunch of pieces that must be put together by someone knowledgeable. Then someone who has a recipe book of what to do, what never to do. Plus considering what parts of their computer presence they must give up.

One easy to implement package for the technologically inexperienced?

Tutanota or Protonmail should do the trick easy.

I wouldn't suggest PGP because you do not have forward secrecy. If others get your encryption key, they could decrypt all your past messages.

Well, there are some intricacies here that may not be first apparent. Can I call you good buddy?

I am not quite sure what you mean by "forward secrecy"?

My understanding is like this: Proton Mail. If I communicate from one Proton Mail account to another, I can choose the option to let it automatically use a PGP type encryption.

If the government puts the screws to the handlers of Proton Mail, they will open their vault of codes, give the decrypted message to the government, who gives it to? Whatever power structure demands the emails.

I can, on my own computer, create a PGP key pair. One to encrypt, a public key. One to decrypt, a private key. I give the public key to whomever I want to send encrypted messages to me. When they send an encrypted message to me, they might send that message through Proton Mail, but when some government demands the messages, what they get is the message you encrypted with my public key. The decryption key is my private key, which I have in my possession.

Of course there are all kinds of ways this could go sideways for keeping the secret, but it is a well thought out system that is more safe than may first appear from my description. There is an excellent write up on Rise Up. Rise Up has a website and represents a non-violent anarchist group, opposed to government ____ . Well, this is not about politics.

Both Proton Mail and Rise Up have rolled over for demands from governments to turn over emails from people in the past. I suspect Tutanota staff are not going to go to jail to protect me. I don't blame them. If I was part of the staff of a mail server, and the government said, child porn. And offered a warrant. Saying if it is not there, no foul. We will consider this email account holder cleared.

But I digress into too much detail.

If you notice, many of the folks on the Qubes WebSite post their public PGP Key on their threads.

I have to think, do they really have a good reason to be afraid of governments? Or are they just screwing with the man?

If I am truly afraid of my government? Do I have good reason?

That would prompt me to do a lot of reading about how to communicate without their knowing.

But to pose a different question. To whom would I communicate if I felt my government was dangerous to my well being, or practicing human rights abuses? With the expectation of what kind of outcome do I expect?

We know that there are in China a bunch of Cyber Journalists in jail for writing about government policies. If they are to report to those outside their country, they need a tool that does not require a lot of reading, study. A tool that can be directly implemented.

Some will suggest Tails Linux. Uh, well. I am not qualified to judge if that would be a good choice for someone in the area where Muslims are being persecuted by the Chinese government. Or a person in Hong Kong who wants the Chinese to practice the kind of government they had when England, Great Britain, the United Kingdom ran the show.

I think the original post is about how, no matter how much I might try to practice good security, if those I send emails to leave those same emails unencrypted on their computer, the more likely those might be read by someone I did not intend them to be read by.

It means changing the key every minute so even if your key gets leaked only a few of your messages will get decrypted.
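The forward secrecy point raised above (a leaked long-term key exposes every archived message, unless each message was protected by a key that no longer exists) can be seen concretely in the following added example. It is not code from any poster and not how PGP, Proton Mail or Signal are implemented; it is a toy in Python using only the standard library. The Diffie-Hellman group (prime 2**127 - 1, generator 2), the HMAC-based key derivation and the SHA-256 counter-mode stream cipher are constructed for illustration and are not secure parameters. It archives three constructed messages under two schemes: one where the recipient side of the key agreement is always the long-term public key (the PGP-style model), and one where the recipient publishes one-time "prekey" pairs and deletes each private half after use. Then the recipient's long-term private key is "leaked" and the simulation counts how many archived messages the leak recovers.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, constructed for this illustration only.
# 2**127 - 1 is prime, which is enough for the arithmetic to work, but this
# group is far too small and unvetted to protect anything real.
P = 2 ** 127 - 1
G = 2


def keygen():
    """Return (private, public) for the toy DH group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_key(priv, peer_pub):
    """Shared DH secret -> 32-byte key via HMAC-SHA256 (stand-in for a real KDF)."""
    shared = pow(peer_pub, priv, P).to_bytes(16, "big")
    return hmac.new(b"toy-demo-kdf", shared, hashlib.sha256).digest()


def xor_stream(key, data):
    """Toy stream cipher: SHA-256 in counter mode XORed over the data.
    Symmetric, so the same call encrypts and decrypts. Not authenticated."""
    stream = bytearray()
    ctr = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Scheme A: sender uses a fresh ephemeral key, but the recipient side is always
# the long-term public key. Whoever later holds the recipient's long-term private
# key can redo this DH for every archived message.
def seal_to_long_term(recipient_pub, plaintext):
    eph_priv, eph_pub = keygen()
    return eph_pub, xor_stream(derive_key(eph_priv, recipient_pub), plaintext)


def open_with_long_term(recipient_priv, eph_pub, ct):
    return xor_stream(derive_key(recipient_priv, eph_pub), ct)


# Scheme B: recipient publishes one-time DH public keys ("prekeys") and deletes
# the matching private key after first use, so no stored key can reopen the message.
class PrekeyRecipient:
    def __init__(self):
        self.long_term_priv, self.long_term_pub = keygen()
        self._prekeys = {}  # prekey public -> private, kept only until used

    def new_prekey(self):
        priv, pub = keygen()
        self._prekeys[pub] = priv
        return pub

    def open(self, prekey_pub, eph_pub, ct):
        prekey_priv = self._prekeys.pop(prekey_pub)  # one use, then gone
        return xor_stream(derive_key(prekey_priv, eph_pub), ct)


def seal_to_prekey(prekey_pub, plaintext):
    eph_priv, eph_pub = keygen()
    ct = xor_stream(derive_key(eph_priv, prekey_pub), plaintext)
    return eph_pub, ct  # eph_priv is discarded when this function returns


def simulate(messages=(b"meet at noon", b"plans changed", b"travelling next week")):
    """Archive constructed traffic under both schemes, then 'leak' the recipient's
    long-term private key and count what an adversary with the archive recovers."""
    lt_priv, lt_pub = keygen()
    archive_a = [seal_to_long_term(lt_pub, m) for m in messages]
    assert all(open_with_long_term(lt_priv, e, c) == m
               for (e, c), m in zip(archive_a, messages))

    bob = PrekeyRecipient()
    archive_b = []
    for m in messages:
        pk = bob.new_prekey()
        eph_pub, ct = seal_to_prekey(pk, m)
        assert bob.open(pk, eph_pub, ct) == m
        archive_b.append((pk, eph_pub, ct))

    # The leak: adversary holds lt_priv (scheme A) and bob.long_term_priv (scheme B).
    recovered_a = [open_with_long_term(lt_priv, e, c) for e, c in archive_a]
    # In scheme B the long-term key never took part in the agreement, and the
    # prekey private halves were deleted, so this is the best the adversary can do.
    recovered_b = [xor_stream(derive_key(bob.long_term_priv, e), c)
                   for _, e, c in archive_b]

    return {
        "static_scheme_recovered": sum(r == m for r, m in zip(recovered_a, messages)),
        "prekey_scheme_recovered": sum(r == m for r, m in zip(recovered_b, messages)),
        "prekeys_left_on_device": len(bob._prekeys),
    }


if __name__ == "__main__":
    print(simulate())
```

Under scheme A the leaked key recovers all three archived messages; under scheme B it recovers none, and the recipient's device holds no leftover prekey that could be seized later. This is the property the messengers mentioned later in the thread (Signal and similar) get from ephemeral keys, and it is what a plain PGP key pair, subkeys or not, does not provide: the subkey is still a long-lived key that reopens every message encrypted to it.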

Have you read the documentation for PGP? Created your own PGP keys? Used the PGP key server system? Used the PGP system to Authenticate Keys?

There is an option to create Sub-Keys, which the Rise Up site recommends in its write up. Is that what you are referring to?

Still, I am trusting that those I send emails to use reasonable effort to not let the emails I send to them be just lying around. And in any case, I should presume there is a possibility that, despite their best efforts, things happen.

And I need to make sure my computer does not allow those whose emails I get to be compromised.

And I am often wrong in what I say. So feel free to criticize.

Yes to all 4 of them, have a look at This and this.
EDIT: fixed the link

Then I do not understand why you want to constantly change keys.

I guess I am just irritated by a bank I used to have that demanded I change passwords every six weeks or they would not let me log in. Security experts suggest that technique is less secure. It encourages people to use easy passwords that they write down someplace convenient.

Assuming you are using Linux, usually one has downloaded and used:

Enigmail
GnuPG
Thunderbird.

Frankly using command line should be safer.

If you keep using the same key, and if that key gets leaked, your messages can be decrypted by anyone who has your key and messages. And I don't use mail because I don't trust them.

As someone on Qubes-OS suggested. My key could be compromised by several big men beating on my head. Maybe with a bright light in my eyes.

Actually he suggested a five dollar wrench. I think a solid metal wrench might do too much damage.

Sorry, some of the programs did have links where I copied them from. They should not be active. I was not sure this forum actually approves of people providing links. Since one of your links works, the forum must allow them.

Several years ago, it was suggested with one of the earlier versions of Qubes that one should have two computers. One that was air gapped from the internet. That one encrypted and decrypted messages. Another to be on the internet and transmit and receive messages, and do other kinds of housekeeping. Authenticating keys, for instance.

You should have a look at the privacytools email section and Wikipedia's Forward secrecy; it would be helpful.

You are correct. I will. Thank you for your advice.

You should probably rethink online messaging in a new paradigm.

Emails are mostly used just for account signups these days.

The only reason to use email for primary communication is that you hate drowning in a barrage of notifications from real-time messaging and just want a nice solid block of correspondence.

You may need to consider using Matrix/Signal/Session/Threema etc for casual correspondence. You can send attachments like normal email in these messaging apps.

Formal business correspondence usually uses unencrypted email anyway.


It sounds to me that you need to define your threat model.

Once you understand exactly what it is you are trying to do, you can start defining more concrete rules about what is an acceptable trade-off between convenience and security/privacy.

QubesOS and Tails are made explicitly with security and/or privacy in mind. But they can be inconvenient and difficult to use in many situations or by those less technically inclined.

If your "weakest link" is the people you communicate with, I would suggest asking them to use Signal instead. It's quite popular these days, and a reliable privacy-friendly alternative to email, very easy to use, and works on (I think) all platforms. This alone is likely not enough depending on your threat model, but it'll have a big impact on your privacy.


Poster is correct in that if someone got hold of my PGP private key, and its password, they could read all the emails addressed to me they have a copy of.

PGP does create a fresh, single use key with each email.

If I was the director of the NSA, I would try to create, or own, any company which does security software. At least, put someone I could control, get info from, in these companies. Big companies, like Microsoft, Apple, Google, are companies to plant people inside, as well as to speak with corporate management about cooperation.

The companies I would also focus on are those who build servers, operate servers, write server software. Writing firmware. Uh, a lot of that used to be written in places like India.

But I am often wrong about what I think I know. I have been told most of those round silicon wafers which have ICs on them are made in the USA. While the places which make boards are nearly all in Asia. I think most, or is it all, in China. After Trump's trade war, I think I heard China has dedicated itself to making the part on which the US had a monopoly.

But that was word of mouth, that the US has had a monopoly on making those round wafers. Perhaps the Chinese cut up the wafers and put the individual parts into ICs. But those round wafers were created here, in the US.