<p>Though largely a lurker, I will break habit here. Bravo Michael and well said. Privacy, electronic or otherwise, is a human right.</p>
<p>Matt R</p>
<div class="gmail_quote">On Oct 22, 2011 5:30 PM, "Michael H. Warfield" <<a href="mailto:mhw@wittsend.com">mhw@wittsend.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Fri, 2011-10-21 at 20:38 -0400, Jim Lynch wrote:<br>
> On 10/21/2011 02:06 PM, Michael Trausch wrote:<br>
> ><br>
> > I would like to know if anyone has any interest in doing a PGP<br>
> > keysigning get-together. My motivation is, of course, that I need<br>
> > signatures on my key. :)<br>
> ><br>
> > Would anyone else be interested?<br>
> ><br>
> ><br>
> I hate to be the dissenting member but why? I don't understand what<br>
> information we interchange amongst us that needs such security.<br>
<br>
Do you put mail in envelopes? Why not just put it on postcards? Why?<br>
You don't care if anybody reads your mail, right? You'd put your credit<br>
card on a postcard and drop it into a mailbox. Right? Nobody else can<br>
read it but the mailman and he can be trusted. Right? I don't think<br>
so.<br>
<br>
> If we<br>
> were collaborating on some top secret project then sure, but I haven't<br>
> seen any topic that merits this level of security.<br>
<br>
That's the red herring that has haunted us and impeded progress since<br>
the early days of PGP. It's a false statement and it's a false<br>
question. The real question is "why wouldn't we?" The question "why<br>
would we" is a lie and backwards. We don't need "a reason to" any more<br>
than we need a reason to put a letter in an envelope and seal it so<br>
nobody else could read it before mailing it. It's our business and we<br>
don't need a reason.<br>
<br>
> I thought we were a bunch of individuals that were interested in Linux<br>
> and wanted to share our experiences, or were looking for assistance with<br>
> respect to Linux not extremist radicals wanting to take over the world.<br>
<br>
And that last bit was utter nonsense. Do you use secure web sites<br>
(https)? You do? You RADICAL! What are you trying to do? Take over<br>
the world? You're using encryption!?!? What are you trying to hide?<br>
<br>
Linux is all about freedom and so is PGP (which is as old as Linux). We<br>
had a long LONG struggle getting cryptography into the Linux kernels<br>
thanks to the US crypto restrictions. Well, we finally won and it was a<br>
hard fought battle for people like us that constantly fought against<br>
those regulations and restrictions. No difference. Part and parcel.<br>
Linux is about freedom. PGP is about freedom. PGP was originally<br>
released as open source a very long time ago, same year Linus released<br>
Linux, and epitomizes the very principles of OpenSource we cherish<br>
in Linux. Asking why do we do this is as much as asking "why do we use<br>
Linux". I would ask in return "why shouldn't we?" "We're free to and<br>
it's an exercise of our freedom to."<br>
<br>
Fact is, there are many people who use cryptography routinely just to<br>
conduct ordinary affairs and to protect themselves and we do it<br>
routinely.<br>
<br>
In some cases, I'm now required by government regulations to employ<br>
cryptography, for very good reasons. Criminals are in the news<br>
constantly having compromised computers and drives and phones that<br>
should have been encrypted and thousands of people are put at risk<br>
because they were. Latest Android (Ice Cream Sandwich) is going to have<br>
encryption available and LUKS encryption is available on earlier<br>
versions if you root your device and install Cyanogen Mod.<br>
<br>
PGP is not just about encryption and confidentiality (though it is<br>
cryptography) it's also about authentication and validation. You can<br>
still read my E-Mails. Yet, did you notice all my E-Mails are signed?<br>
They are signed with GPG and can authenticate that they came from me.<br>
Do you understand that those signatures have force of law and can be<br>
introduced into court and can be used in transacting government<br>
business? This was passed into law here in Georgia years ago.<br>
<br>
I don't give a flying flip if anyone validates that only I could have<br>
sent this particular message, but they can. I used to get asked by noobs<br>
why I signed everything. Yet, it should be obvious (it is to<br>
experienced people). By signing everything, you develop a baseline<br>
"preponderance of evidence" that this is your key. You also establish<br>
this more formally by having others sign your keys and extending the web<br>
of trust.<br>
<br>
The web of trust is the opposite end of a continuum of authentication<br>
with "certificate providers" (CAs, SSL Certificates, aka big bucks $$$)<br>
at the other end. Yeah, they've been a great success at authentication<br>
and verification with multiple fake certificates out there including<br>
fake code signing certs for MS and the whole Diginotar debacle. The web<br>
of trust is to PGP / GPG what certifying authorities are to SSL. It's<br>
just that we are our own certifying authorities and a keysigning party<br>
is exactly the exercise of that certification authority we all possess.<br>
<br>
> I have no reason to communicate with anyone on this list any information<br>
> that I wouldn't want someone else to view. Is everyone as paranoid as<br>
> Aaron?<br>
<br>
I've heard this since the early days of PGP. Stale, worn out, replayed<br>
nonsense typically quoted by people with vested interests in you NOT<br>
preserving your privacy and arguing you have no right to privacy. You<br>
don't have to be paranoid but they are out there and they are out to get<br>
you. They don't WANT you to be able to protect yourself. "Oh, if we<br>
only protect and save even one little child from child pornographers<br>
then we should prohibit encryption like PGP" (actually said to Phil<br>
Zimmermann and me at a show while he and I were chatting years ago here<br>
in Atlanta). These people really exist. THEY'RE the paranoids. They<br>
don't want us doing this because they don't trust what WE'RE doing. You<br>
think WE'RE paranoid? You have not experienced the paranoia of the<br>
lunatic fringe.<br>
<br>
It has also been said that one major problem with current encryption<br>
practices is in the element of "traffic analysis". If you encrypt<br>
something, that automagically implies you are hiding something and, as<br>
such, worth breaking into. So your act of protecting something makes<br>
it more vulnerable. You can't deny the attacks are out there. So you<br>
can protect what is vulnerable by encryption (putting in envelopes away<br>
from prying eyes) EVERYTHING so, therefore, nothing stands out<br>
different, valuable or innocuous. If everything is encrypted, how do<br>
you decide what to try to decrypt? Even the simplest of encryptions is<br>
effective if EVERYTHING is encrypted because then you would have to<br>
decrypt everything just to determine what was interesting enough to go<br>
to the trouble, and there's not enough computing horsepower in the<br>
universe in that circumstance.<br>
<br>
> Not that I don't want it to happen, but what's the point? I'm not Aaron.<br>
<br>
I think I've listed more than enough points above. But... I'm not<br>
Aaron and I've been a strong enthusiast for PGP since the very early<br>
days where even the US government was openly persecuting Phil Zimmermann<br>
for years for his creation of PGP. The point is to ensure THAT level of<br>
paranoia (on the part of governments, law enforcement, and enforcers of<br>
the status quo, religious right, lunatic fringe paranoids, and<br>
criminals) can never return again. The point is to preserve and protect<br>
our freedoms, some of which have been won with more difficulty than<br>
others. After 9/11 there was serious talk about returning to a time<br>
where cryptography was regulated and restricted and we managed to quash<br>
that noise. I've lived through those times and lived under those<br>
regulations and I have stood nose to nose with a couple of the lunatic<br>
fringe paranoids who would deny us those freedoms.<br>
<br>
I believe my identity and my privacy and my security is in my hands to<br>
maintain, whenever and wherever I choose to exercise it. And that IS<br>
the point and that is why I participate in these things and promote<br>
them.<br>
<br>
> Jim.<br>
<br>
Regards,<br>
Mike<br>
--<br>
Michael H. Warfield (AI4NB) | <a href="tel:%28770%29%20985-6132" value="+17709856132">(770) 985-6132</a> | mhw@WittsEnd.com<br>
/\/\|=mhw=|\/\/ | <a href="tel:%28678%29%20463-0932" value="+16784630932">(678) 463-0932</a> | <a href="http://www.wittsend.com/mhw/" target="_blank">http://www.wittsend.com/mhw/</a><br>
NIC whois: MHW9 | An optimist believes we live in the best of all<br>
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!<br>
<br></blockquote></div>