Author Topic: Word of Warning -- All versions of PGP are NOT created equally!  (Read 31084 times)

Nightcrawler

  • Guest
The version lines that are usually shown by default in PGP keys and PGP signature blocks often reveal which OS the person is using.

PGP/GPG Version strings:

You can tell a fair bit about a user's PGP/GPG setup from their Version: string. Here are some typical examples:

Version: GnuPG v1.4.11 (GNU/Linux)

This key belongs to a Linux user.

Version: GnuPG v2.0.19 (MingW32)

This key belongs to a Windows user.

Version: GnuPG/MacGPG2 v2.0.17 (Darwin)

This key belongs to a Mac OS X user.

Versions that should make you nervous:

Version: 9.9.0.397

This person is using the official PGP version, as published by Symantec. I've read statements by Kevin Mitnick that he no longer trusts PGP, since it was acquired by Symantec. In his post, Mitnick refers to the case of Diskreet, which, back in the early days, was an encryption package sold by Symantec. This software purported to use the full 56-bit DES cipher algorithm, which was quite strong for its day. Mitnick stated that he acquired a copy of the Diskreet source code, and discovered that the actual key was nowhere near 56 bits, but was incredibly weak. He went on to say that based on his experience, he would not trust any version of PGP published by Symantec.

His caution is only underscored by the Snowden revelations earlier this Summer, which set out the NSA's campaign of attempting to weaken or backdoor crypto.
I, for one, would not trust any closed-source crypto software published by an American company -- that goes double for companies with a history like Symantec.

To the best of my knowledge, Symantec does not publish PGP source code, and as an American company, their crypto software is now suspect.

Versions of PGP that should make you run away screaming:

Versions of PGP with these Version: strings are based on the BouncyCastle Java crypto libraries. They should be avoided like the plague.

Version: BCPG v1.45
Version: BCPG v1.47

These versions of PGP are absolutely NOTORIOUS for generating MASSIVELY UNSAFE PGP keys by default. These versions typically generate DSS/Elgamal keys with signing keys with a size of 1024-bits, and an encryption sub-key of as little as 512-bits.

512-bit keys are so unsafe, that they were being broken by hobbyists on spare hardware a dozen years ago. 1024-bit keys were deprecated by NIST more than 3 years ago.

Version: BCPG C# v1.6.1.0

This version of PGP generates by default a PGP key of 1024-bits, with NO encryption sub-key. Again, these keys are unsafe/obsolete.

Recommendations:

Any software that uses the Java Bouncycastle crypto libraries (like PortablePGP) should be avoided like the plague. These typically contain BCPG in the Version: string.

GPG4Win/Kleopatra/GPA are also deprecated -- Kleopatra generates RSA keys without an encryption sub-key. Dual RSA keys, with one RSA key for signing, and the other exclusively for encryption have been standard since the Fall of 2009.
GPA will not generate keys over 3072-bits in length.

GPG4USB or Gnu Privacy Tray (GnuPT) are recommended, as they are:

* Easy to use

* Standards compliant

GnuPT, in particular, is frequently updated. Usually, when there is a new GPG version (e.g. 1.4.15), the GnuPT developers issue an update within a day or two, reflecting the change.

Download links:

GPG4USB: http://gpg4usb.cpunk.de/index.html

GnuPT: http://www.gnupt.de/ (Site is in German)


Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090
PGP Key Fingerprint = D870 C6AC CC6E 46B0 E0C7  3955 B8F1 D88E BBF7 433B

Security is a bit like religion... some things have to be taken on faith.
Where security differs from religion is that security is NOT retroactive.
Unlike Christianity, where you can come to Jesus, be 'saved' and have all
your sins washed away, with security you can adopt Tails or PGP, and be
secure from that point forward, but rest assured that your previous sins
(security failings) WILL come back to haunt you and bite you in the ass.
The original DPR is the poster child for that, right now.
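
Added example, not part of the original post: one way to run the checks the post above describes (size of each key and sub-key, presence of an encryption sub-key, and a disclosed Version: armor header) by walking the OpenPGP packets of an armored public key. The sample keys are constructed inline from filler values with no signatures, the 2048-bit threshold is an assumed policy, and encryption capability is judged by algorithm only, not by key flags.

```python
import base64
import struct

# Public-key algorithm IDs from RFC 4880, section 9.1
ALGOS = {1: "RSA", 2: "RSA-E", 3: "RSA-S", 16: "Elgamal", 17: "DSA"}
ENCRYPT_CAPABLE = {"RSA", "RSA-E", "Elgamal"}   # by algorithm; key flags are not read
MIN_BITS = 2048                                 # assumed policy threshold

def dearmor(text):
    """Split an ASCII-armored block into (headers, binary packet data)."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines[0].startswith("-----BEGIN PGP"):
        raise ValueError("not an armored PGP block")
    headers, i = {}, 1
    while i < len(lines) and lines[i]:          # armor headers end at the blank line
        key, _, value = lines[i].partition(": ")
        headers[key] = value
        i += 1
    body = [ln for ln in lines[i:] if ln and ln[0] not in "=-"]  # skip CRC and END lines
    return headers, base64.b64decode("".join(body))

def packets(data):
    """Yield (tag, body) for each packet, old- and new-format headers."""
    i = 0
    while i < len(data):
        hdr = data[i]
        i += 1
        if not hdr & 0x80:
            raise ValueError("bad packet header")
        if hdr & 0x40:                          # new-format header
            tag, first = hdr & 0x3F, data[i]
            i += 1
            if first < 192:
                n = first
            elif first < 224:
                n = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                n = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths not handled")
        else:                                   # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            size = (1, 2, 4)[ltype]
            n = int.from_bytes(data[i:i + size], "big")
            i += size
        yield tag, data[i:i + n]
        i += n

def audit(armored):
    """Return (keys, findings); keys are (kind, algorithm, bits) tuples."""
    headers, data = dearmor(armored)
    keys, findings = [], []
    for tag, body in packets(data):
        if tag not in (6, 14):                  # 6 = public key, 14 = public sub-key
            continue
        version, _created, algo = struct.unpack(">BIB", body[:6])
        if version != 4:
            raise ValueError("only v4 keys handled")
        bits = int.from_bytes(body[6:8], "big")  # bit count of first MPI (RSA n, DSA/Elgamal p)
        keys.append(("pub" if tag == 6 else "sub", ALGOS.get(algo, f"algo {algo}"), bits))
    for kind, name, bits in keys:
        if bits < MIN_BITS:
            findings.append(f"{kind} {name} key is only {bits} bits")
    if not any(k == "sub" and name in ENCRYPT_CAPABLE for k, name, _ in keys):
        findings.append("no encryption-capable sub-key")
    if "Version" in headers:
        findings.append("armor discloses software: " + headers["Version"])
    return keys, findings

# --- constructed samples: filler MPIs, no signatures; they only exercise the parser ---
def _mpi(bits):
    return struct.pack(">H", bits) + ((1 << (bits - 1)) | 1).to_bytes((bits + 7) // 8, "big")

def _packet(tag, body):                         # old-format header, two-octet length
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def sample(primary, sub=None, version=None):
    """Armor a key built from (algorithm ID, [MPI bit sizes]) descriptions."""
    def key(tag, algo, sizes):
        return _packet(tag, struct.pack(">BIB", 4, 0, algo) + b"".join(map(_mpi, sizes)))
    data = key(6, *primary) + _packet(13, b"constructed <user@example.invalid>")
    data += key(14, *sub) if sub else b""
    b64 = base64.b64encode(data).decode()
    head = ["Version: " + version] if version else []
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", *head, "", *rows,
                      "-----END PGP PUBLIC KEY BLOCK-----"])

WEAK = sample((17, [1024, 160, 1024, 1024]), (16, [512, 512, 512]), "BCPG v1.47")
NO_SUB = sample((1, [4096, 17]))
GOOD = sample((1, [4096, 17]), (1, [4096, 17]))
```

Call `audit()` on the armored text of any exported public key; an empty findings list means none of the three conditions was met.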

cespo

  • Full Member
  • ***
  • Posts: 109
  • Karma: +45/-1
  • It is the most important thing spelled backwards
« Reply #1 on: October 31, 2013, 06:22:07 pm »
Thanks a lot!
We are Silkroad. We are Legion. We do not FE. We do not surrender. Expect drugs.

Ziggy

  • Hero Member
  • *****
  • Posts: 1207
  • Karma: +192/-174
  • Vaporiser and top shagger
« Reply #2 on: October 31, 2013, 06:37:41 pm »
thank you.

There is a vendor on bmr using the unsafe Version: BCPG v1.47. He is also a scam artist so hopefully he gets karma.

satisfried

  • Newbie
  • *
  • Posts: 14
  • Karma: +1/-0
« Reply #3 on: October 31, 2013, 08:34:18 pm »
sooo... basically stay away from all versions of BCPG?  Isn't there some tweak you can do to have it not display the version?  I think astor or KMK posted about it in the old SR forums.

ManInTheMirror

  • Sr. Member
  • ****
  • Posts: 270
  • Karma: +49/-11
  • No FE, 4096 bit PGP, Tumble BTC
« Reply #4 on: October 31, 2013, 08:38:48 pm »
Sticky it ;D
Remember Remember, the 6th of November.
Cocaine-Powder, MDMA and Pot.
I see no reason why Silk Road,
should ever be forgot.

Ziggy

  • Hero Member
  • *****
  • Posts: 1207
  • Karma: +192/-174
  • Vaporiser and top shagger
« Reply #5 on: October 31, 2013, 09:15:04 pm »
sooo... basically stay away from all versions of BCPG?  Isn't there some tweak you can do to have it not display the version?  I think astor or KMK posted about it in the old SR forums.

I am sure that most public keys I have seen have the version at the top. There may be a tweak but I am not sure. good thread.

40005a

  • Jr. Member
  • **
  • Posts: 52
  • Karma: +7/-2
« Reply #6 on: October 31, 2013, 09:45:10 pm »
I believe with gpg4usb adding no-version to the gpg.conf file located at gpg4usb/keydb/gpg.conf will strip the version line from your public key.
FYI man, alright. You could sit at home, and do like absolutely nothing, and your name goes through like 17 computers a day. 1984? Yeah right, man. That's a typo. Orwell is here now. He's livin' large. We have no names, man. No names. We are nameless!

Nightcrawler

  • Guest
« Reply #7 on: October 31, 2013, 09:57:59 pm »
sooo... basically stay away from all versions of BCPG? 

I wouldn't be caught dead using any of them.

Isn't there some tweak you can do to have it not display the version?  I think astor or KMK posted about it in the old SR forums.

You can use the no-emit-version directive in your gpg.conf.  You also might wish to use the no-comments directive as well.

« Last Edit: November 11, 2013, 10:48:18 pm by Nightcrawler »

ukconnections

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
« Reply #8 on: October 31, 2013, 10:08:07 pm »
Nice one OP  8)

El Presidente

  • Sr. Member
  • ****
  • Posts: 288
  • Karma: +134/-5
  • Buena Mierda
« Reply #9 on: October 31, 2013, 11:12:30 pm »
Versions of PGP  that should make you run away screaming:

Versions of PGP with these Version: strings are based on the BouncyCastle Java crypto libraries. They should be avoided like the plague.

Version: BCPG v1.45
Version: BCPG v1.47


Indeed, these implementations not only generate weak keys they also allow generation of 'broken' keys, for example keys that contain no valid uid (name) field. Avoid Java based PGP implementations and stick with GPG or a GPG wrapper such as GnuPT as stated by the OP or Seahorse.

=================================================
The All Market Vendor Directory - http://directory4iisquf.onion
=================================================

Thirtyrox

  • Vendor
  • Sr. Member
  • *****
  • Posts: 271
  • Karma: +23/-12
  • Nosce te Ipsum!
« Reply #10 on: November 01, 2013, 02:01:20 am »
Thanks very much for posting this! I used Kleopatra for my key, and will be generating a new one tonight with one of the better options you provided.

I agree, this would be a good candidate for a sticky!!
OG SR1 Vendor since mid 2012

http://silkroad6ownowfk.onion/users/thirtyrox
$30 30mg Roxies
$2.35 2mg Xanax Bars

Jeks

  • Full Member
  • ***
  • Posts: 155
  • Karma: +12/-2
« Reply #11 on: November 01, 2013, 05:09:06 am »
sub
OPSEC: Collection of Tutorial & Research Info: PGP, Tails, Whonix, Data, + more
http://silkroad5v7dywlc.onion/index.php?topic=494.0

Dread Pirate Roberts

  • Captain
  • Administrator
  • *****
  • Posts: 566
  • Karma: +552/-41
« Reply #12 on: November 01, 2013, 06:11:46 am »
Stickied. This is a very important point and BCPG is becoming increasingly common. You should never sacrifice security for convenience.

"Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on" - Edward Snowden
Quote 23: Criticism has plucked the imaginary flower from the chain not so that man may continue to bear the chain without consolation or fantasy but so that he may throw off the chain and cull the living flower.

holog1n

  • Sr. Member
  • ****
  • Posts: 274
  • Karma: +125/-22
« Reply #13 on: November 01, 2013, 10:58:27 am »
Thanks a lot, these details are big shots man, didn't know this about PGP, yes the OS thing, but not the crypting algos. Will try the recommended
Death is just another point of view
b4kerluna@safe-mail.net
torchat > 5fupjdb6xvispoyr

AnTa2f6y

  • Full Member
  • ***
  • Posts: 159
  • Karma: +21/-13
« Reply #14 on: November 02, 2013, 01:48:54 am »
im using GPG4Win/Kleopatra/GPA and if you go into your settings you can generate 4096r

click KLEOPATRA then file and new cert,
choose option create personal x.509 key and cert,
next go for advanced settings and click rsa and you can choose up to 4096

hope this helps
pub key: http://silkroad5v7dywlc.onion/index.php?action=profile;u=1579

Nightcrawler

  • Guest
« Reply #15 on: November 02, 2013, 11:49:49 am »
im using GPG4Win/Kleopatra/GPA and if you go into your settings you can generate 4096r

click KLEOPATRA then file and new cert,
choose option create personal x.509 key and cert,
next go for advanced settings and click rsa and you can choose up to 4096

hope this helps

x.509 certificates are irrelevant -- we're talking about PGP here, not SSL server certs.

Now, with respect to PGP,  you can now generate a 4096-bit RSA key in Kleopatra, but it will have NO encryption sub-key.  That is why I assert that Kleopatra is broken.


ChemCat

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 9225
  • Karma: +949/-191
  • I Stand Tall, Among the Giants of the Silk Road
« Reply #16 on: November 02, 2013, 01:43:16 pm »
+1 Karma to ya @ Nightcrawler  :)


I've been telling a shit ton of people not to use anything "BCPG"  (BouncyCastle)

???


they just don't listen  :-\



Peace & Hugs  8)


ChemCat




    O0
You Don't know PGP?         :o

Go here: http://silkroad5v7dywlc.onion/index.php?topic=41104.0

Then go Here: http://silkroad5v7dywlc.onion/index.php?topic=179.0

Sink your teeth into it and Learn  ;)

If you cannot take the little bit of Time to Learn & Use PGP..Do Not msg Me
 

Hugs 8)

anontoker

  • Hero Member
  • *****
  • Posts: 1137
  • Karma: +214/-33
  • Resident Anonie
« Reply #17 on: November 02, 2013, 02:10:31 pm »
Thanks for the recommendations. +1

Looks like I have to make all new keys now and change my recommendations for encryption software.

And also thanks to DPR for the sticky. :)
-=Supported vendors=-
NwNugz
 Items:http://silkroad6ownowfk.onion/users/nw-nugz/items
 MoodyMayhem: http://silkroad6ownowfk.onion/users/moodymayhem/item

AnTa2f6y

  • Full Member
  • ***
  • Posts: 159
  • Karma: +21/-13
« Reply #18 on: November 02, 2013, 02:57:07 pm »
im using GPG4Win/Kleopatra/GPA and if you go into your settings you can generate 4096r

click KLEOPATRA then file and new cert,
choose option create personal x.509 key and cert,
next go for advanced settings and click rsa and you can choose up to 4096

hope this helps

x.509 certificates are irrelevant -- we're talking about PGP here, not SSL server certs.

Now, with respect to PGP,  you can now generate a 4096-bit RSA key in Kleopatra, but it will have NO encryption sub-key.  That is why I assert that Kleopatra is broken.



Well i will listen to you man ya know a lot more than i do about this topic.
i was just giving the info out on how to get 4096 encryption key for kleopatra.
i am always on the lookout to strengthen my security so i take all of your comments on board and will do some more research
thank you kindly for putting me in my place :)

Leaf of Amber

  • Full Member
  • ***
  • Posts: 234
  • Karma: +44/-6
« Reply #19 on: November 03, 2013, 07:15:08 pm »
Great post, thanks :)
DON'T PANIC! :)

DoctorFreedom

  • Vendor
  • Full Member
  • *****
  • Posts: 112
  • Karma: +6/-4
« Reply #20 on: November 04, 2013, 02:20:27 pm »
What's the recommended algorithm?

the bigger the key size the better i guess?
 I see that my software supports up to 4096 key size
BitMessage: BM-NB3Ud96xCXhuTbPYFatGDSEkKPiAiNBz  (preferred)
e-mail: doctorfreedom@Safe-mail.net (not preferred)

psilo92

  • Full Member
  • ***
  • Posts: 200
  • Karma: +33/-8
  • Be Grateful (~}; )
« Reply #21 on: November 04, 2013, 04:55:49 pm »
 I have one key on my keyring of a vendor that has a 8192 bit key...how do you get on that big?  with gpg4usb, which i use and love, the largest key you can create, as far as i know, is 4096...cant hurt to have one DOUBLE the size right lol
Don't Tread On Me

Nightcrawler

  • Guest
« Reply #22 on: November 04, 2013, 07:46:29 pm »
I have one key on my keyring of a vendor that has a 8192 bit key...how do you get on that big?  with gpg4usb, which i use and love, the largest key you can create, as far as i know, is 4096...cant hurt to have one DOUBLE the size right lol

4096-bit are the largest keys that can be generated with the stock software. It's possible to modify the software to produce larger keys, but this is overkill. Even on reasonably good hardware, 8192-bit keys take a LONG time to generate. Some software versions will choke on keys that large.

Frankly, according to the best estimates that are currently available, 4096-bit keys are expected to be secure until approximately 2040-2050.
I think that's more than reasonable.



Agent

  • Sr. Member
  • ****
  • Posts: 332
  • Karma: +34/-8
« Reply #23 on: November 04, 2013, 08:01:07 pm »
Thank you for all of the great information Nightcrawler, I hope everyone takes this thread seriously and take any needed steps to patch any holes they may have in their security by using a more trusted source of PGP.
Knowledge is power and as a community that knowledge can be used as a tool to aid the community, as I am only human if anything I submit on these forums is incorrect please contact me directly or quote the noted error and I can learn from my mistakes and minimize any form of misinformation.

Agent

  • Sr. Member
  • ****
  • Posts: 332
  • Karma: +34/-8
« Reply #24 on: November 04, 2013, 09:33:32 pm »
http://www.debian.org/security/2013/dsa-2773

This should also be of some interest to this thread, outlining that the GPG package built with Debian stable was recently patched and everyone should upgrade their version as the previous has some serious issues.

fugit

  • Jr. Member
  • **
  • Posts: 54
  • Karma: +1/-1
  • fug it!
« Reply #25 on: November 04, 2013, 11:32:00 pm »
Great post OP! Hopefully everyone will follow read this and update as needed.
"You can spend minutes, hours, days, weeks, or even months over-analyzing a situation; trying to put the pieces together, justifying what could've, would've happened... or you can just leave the pieces on the floor and move the fuck on."
— Tupac Shakur

sanrio1

  • Full Member
  • ***
  • Posts: 214
  • Karma: +222/-22
« Reply #26 on: November 05, 2013, 08:09:28 am »
+1 thanks op

Kahukura

  • Newbie
  • *
  • Posts: 5
  • Karma: +1/-0
« Reply #27 on: November 05, 2013, 10:22:26 pm »
Thanks for that OP. Most appreciated.

I've installed Gpg4usb and I shall redo my keys  :)

GGGreenbud

  • Full Member
  • ***
  • Posts: 189
  • Karma: +50/-9
« Reply #28 on: November 05, 2013, 10:31:25 pm »
I've been using Symantec PGP Desktop 10.2.0, for all I know it could be compromised, although I am not sure about that, it seems like you would have to go through a hell of a lot of trouble to make a source code that could insert a backdoor into a program like that, although I digress, with Symantec being a US company, I might change after reading this.  The one thing that bothers me about it most, is how when you export your public key, it is very easy to "publish" it to the global PGP directory that Symantec maintains.  DO NOT PUBLISH YOUR KEY TO A DIRECTORY.  I'm not worried, as I'm not a vendor, and only buy personal quantities, although I will probably switch to a different program soon, after I tie up some loose ends (and make a new key).
 Thanks for the info!
G to those that know me, Mr. G to everyone else.

R160K

  • Jr. Member
  • **
  • Posts: 54
  • Karma: +3/-2
« Reply #29 on: November 06, 2013, 12:34:55 am »
DO NOT PUBLISH YOUR KEY TO A DIRECTORY.

If you ARE a vendor (or anyone who wants their PGP key public) you could post it to the Onion-only keyserver (hkp://lbnugoq5na3mzkgv.onion/), though doing so directly through Symantec's app (even if using Tor) is possibly best avoided. If you want to publicise your PGP key, just enter it manually at http://lbnugoq5na3mzkgv.onion/.
The malcontent, by virtue of being excluded from the status quo, are always the first to embrace new technologies.

SeemsLegit

  • Newbie
  • *
  • Posts: 29
  • Karma: +7/-0
    • View Profile
    • Personal Message (Offline)
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #30 on: November 07, 2013, 02:27:13 am »
I am a little reluctant to use GnuPT or gpg4usb since they seem to be so unknown.

I generated a RSA+RSA key with the console gpg, can you check that it came out ok? Once I have generated it using command line, will Kleopatra sign using the correct subkey? Sorry for the wall of hex

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (MingW32)
-----END PGP PUBLIC KEY BLOCK-----


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Test signature using kleopatra
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
-----END PGP SIGNATURE-----


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Test signature using console
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
-----END PGP SIGNATURE-----
Amateurs practice until they get it right; professionals practice until they can’t get it wrong

anonymousGuy57

  • Hero Member
  • *****
  • Posts: 1591
  • Karma: +246/-107
  • OG SR 1ST Generation. The Best of the best
« Reply #31 on: November 07, 2013, 03:22:10 am »
So is the One you download from gpg4win good to go? Comes with Kleopatra and also GPA?
I Also Provide full Detailed Reviews for Products for new Vendor's who need a Long time trust worthy member to sample their product.  If Needed Hit me Up!

Great God Pan

  • Sr. Member
  • ****
  • Posts: 330
  • Karma: +44/-6
  • "... after all, she has seen the Great God Pan.”
« Reply #32 on: November 07, 2013, 04:21:18 am »
I am a little reluctant to use GnuPT or gpg4usb since they seem to be so unknown.

I generated a RSA+RSA key with the console gpg, can you check that it came out ok? Once I have generated it using command line, will Kleopatra sign using the correct subkey? Sorry for the wall of hex

The public key you posted shows that it has an encryption sub-key, and both are 4096 bits.  Looks good.

Both of the signed messages were signed using the private key corresponding to the public key you posted above (Key ID 6BCE796D).  You can also check this yourself by copying the signed text from your post and using your PGP program to verify the signature.  Part of the output will tell you which key ID was used to sign it.  Then you can look at the information on your command line key and check that the key IDs match.
"...that 1984 may remain a warning and not become a history book."
----------------------
PGP help available through PM, but requires bitcoin tip:
18xp2PkhZRWcuURt4azk957Seb7nCPBE1P

Great God Pan

  • Sr. Member
  • ****
  • Posts: 330
  • Karma: +44/-6
  • "... after all, she has seen the Great God Pan.”
« Reply #33 on: November 07, 2013, 04:22:57 am »
So is the One you download from gpg4win good to go? Comes with Kleopatra and also GPA?

I'd suggest re-reading all of the first post again.  In a nutshell, it's okay, but definitely not the best choice because by default it won't let you choose a 4096 bit key in Kleopatra, and the keys are non-standard (no encryption sub-key).  If you have to use windows, try GPG4USB.

SeemsLegit

  • Newbie
  • *
  • Posts: 29
  • Karma: +7/-0
« Reply #34 on: November 07, 2013, 04:25:31 am »
I am a little reluctant to use GnuPT or gpg4usb since they seem to be so unknown.

I generated a RSA+RSA key with the console gpg, can you check that it came out ok? Once I have generated it using command line, will Kleopatra sign using the correct subkey? Sorry for the wall of hex

The public key you posted shows that it has an encryption sub-key, and both are 4096 bits.  Looks good.

Both of the signed messages were signed using the private key corresponding to the public key you posted above (Key ID 6BCE796D).  You can also check this yourself by copying the signed text from your post and using your PGP program to verify the signature.  Part of the output will tell you which key ID was used to sign it.  Then you can look at the information on your command line key and check that the key IDs match.

But what I wonder is if the right SUBkey was used

Nightcrawler

  • Guest
« Reply #35 on: November 07, 2013, 06:35:12 am »
I am a little reluctant to use GnuPT or gpg4usb since they seem to be so unknown.

The Gnu Privacy Tray people are good folk, who go out of their way to keep the software updated. When there is an update to GPG, they generally update their software within a day or two.

I generated a RSA+RSA key with the console gpg, can you check that it came out ok? Once I have generated it using command line, will Kleopatra sign using the correct subkey? Sorry for the wall of hex

[key snipped]

Your key is perfect. FWIW, it looks like this:

pub  4096R/6BCE796D  created: 2013-11-07  expires: 2024-08-28  usage: SC 
This is your primary key. The usage SC indicates that it is used for signing. Any messages that you sign will be signed with this primary key.

sub  4096R/EC6AA06F  created: 2013-11-07  expires: 2024-08-28  usage: E   
[ unknown] (1). SeemsLegit <m8r-5mewq@mailinator.com>

This is your encryption sub-key. Its only use is for encryption -- it has no signing capability whatsoever.

If you use Kleopatra to sign anything, it is the primary key, 0x6BCE796D, that will be used, not the sub-key.



devildrx

  • Jr. Member
  • **
  • Posts: 77
  • Karma: +3/-3
« Reply #36 on: November 08, 2013, 02:09:36 pm »
Let me ask you all something.

PGP is to encrypt your street address, messages, etc right?

How to get familiar with it? I don't know how to encrypt messages and things like that, how do you unencrypt? And what is the safest way to contact a vendor? Should I mention him what version I used so he knows how to unencrypt?

anonymousGuy57

  • Hero Member
  • *****
  • Posts: 1591
  • Karma: +246/-107
  • OG SR 1ST Generation. The Best of the best
« Reply #37 on: November 09, 2013, 10:24:37 am »
I am a little reluctant to use GnuPT or gpg4usb since they seem to be so unknown.

I generated a RSA+RSA key with the console gpg, can you check that it came out ok? Once I have generated it using command line, will Kleopatra sign using the correct subkey? Sorry for the wall of hex

The public key you posted shows that it has an encryption sub-key, and both are 4096 bits.  Looks good.

Both of the signed messages were signed using the private key corresponding to the public key you posted above (Key ID 6BCE796D).  You can also check this yourself by copying the signed text from your post and using your PGP program to verify the signature.  Part of the output will tell you which key ID was used to sign it.  Then you can look at the information on your command line key and check that the key IDs match.

But what I wonder is if the right SUBkey was used

Thanx for summing that up for me, I really didn't grasp fully what the 1 post was saying.. So just figured I'd come out and ask. Again thanks, Going to make that change now
I Also Provide full Detailed Reviews for Products for new Vendor's who need a Long time trust worthy member to sample their product.  If Needed Hit me Up!

Tessellated

  • Vendor
  • Hero Member
  • *****
  • Posts: 737
  • Karma: +217/-23
« Reply #38 on: November 09, 2013, 09:09:22 pm »
The idea of javascript encryption is a nice one, but unfortunately browsers do not provide a reliable source of cryptographically secure random numbers.

Nightcrawler

  • Guest
« Reply #39 on: November 13, 2013, 02:28:26 am »
Let me ask you all something.

PGP is to encrypt your street address, messages, etc right?

How to get familiar with it? I don't know how to encrypt messages and things like that, how do you unencrypt? And what is the safest way to contact a vendor? Should I mention him what version I used so he knows how to unencrypt?

You should be using PGP to encrypt addresses, messages, EVERYTHING.

How it works is like this:

You get a copy of some software that can generate/use PGP public keys.  One good one is GPG4USB.  Although the name implies it requires a USB thumbdrive, it does not. You download the software in a .zip file, and unzip the file to a folder. Inside that folder you will find both Windows and Linux executables. Run the executables, and the software will open up.

The first thing you need to do is to generate your own PGP key. Other people will use your key to send messages to you that only you can read. Likewise, when you want to send secure messages to other people, you use their PGP keys to create messages that only they can read.

PGP is an Internet standard -- PGP keys are pretty-much the same, regardless of which software was used to generate them -- in other words, almost all versions of PGP are interoperable.

You can download GPG4USB from their home page: http://gpg4usb.cpunk.de/index.html

The GPG4USB site also has excellent help files, complete with screenshots, to help you learn to master the program.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090
PGP Key Fingerprint = D870 C6AC CC6E 46B0 E0C7  3955 B8F1 D88E BBF7 433B




kurtvonnegut

  • Sr. Member
  • ****
  • Posts: 391
  • Karma: +52/-17
  • Torchat ID: v4y5kmuhha542wtf
« Reply #40 on: November 13, 2013, 04:20:46 am »
very informative and helpful. will +1 when I reach 50 posts
Contact me via PM or at kurtvonnegut@riseup.net

AmericanSpirit

  • Newbie
  • *
  • Posts: 5
  • Karma: +1/-0
« Reply #41 on: November 13, 2013, 11:58:54 pm »
I DL's GnuPT, and generated a keypair. I noticed it is only 2056 bits or whatever it is and version 1.4.

Question?

1) Do I need to DL a different version to get the 2.O

2) Do I need to delete the 2096 key and generate a new stronger 4096 pair or do I change the existing key?

Thanx in Advance

ester-cA+

  • Full Member
  • ***
  • Posts: 117
  • Karma: +9/-6
« Reply #42 on: November 14, 2013, 06:34:35 am »
Just wondering if anyone could help..


I have just tried to decrypt a message from another user, they are using a Windows version of PGP and I'm on a Mac. When I go to decrypt the message (apparently encrypted with my PGP pub key) it comes up as 'Decrypt Failed!' code = 0.



any help ??

thanks!

Nightcrawler

  • Guest
« Reply #43 on: November 14, 2013, 02:04:31 pm »
I DL's GnuPT, and generated a keypair. I noticed it is only 2056 bits or whatever it is and version 1.4.

There are two versions of GnuPG (GPG). There are the 1.4 series and the 2.x series. Both of them are functionally equivalent. The 1.4 series was originally intended as a lighter version that was more suitable for constrained circumstances, like server use.  Personally, I prefer using the 1.4 series.

Question?

1) Do I need to DL a different version to get the 2.O

Yes, but you don't need the 2.0 version. The version you have will do everything you require, and then some.

2) Do I need to delete the 2096 key and generate a new stronger 4096 pair or do I change the existing key?

Thanx in Advance

Yes, you will need to generate a new keypair if you want a 4096-bit key.


Nightcrawler

  • Guest
« Reply #44 on: November 14, 2013, 02:17:07 pm »
Just wondering if anyone could help..


I have just tried to decrypt a message from another user, they are using a Windows version of PGP and I'm on a Mac. When I go to decrypt the message (apparently encrypted with my PGP pub key) it comes up as 'Decrypt Failed!' code = 0.



any help ??

thanks!

There are two main causes for this error:

1) Improper copying and pasting. You must ensure that all 5 dashes are present in the -----BEGIN PGP MESSAGE----- and -----END PGP MESSAGE----- lines.

2) It may be that the message was not encrypted to your key. This is a common newbie error. 

Here is how you can check which keys it was encrypted to:

* Save the message as a file, say test.asc

* Open up a terminal window and cd to the directory where you saved the file (usually MyDocuments)

* Use the following command: gpg --list-packets test.asc

You should then see the key-ids that the message is encrypted to.

I would have shown you an example, but you do not have a PGP key on your profile.

Remember, you can have separate keys for the main site and the Forum.


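The two checks from the reply above (intact armor boundary lines, then the recipient key IDs reported by gpg --list-packets), as an added example that is not part of the original post. The function names, the sample armor body and the sample packet listings are constructed for illustration; EC6AA06F is the encryption sub-key ID discussed earlier in the thread, and the upper half of the long key ID is made up.

```python
import re

ARMOR_BEGIN = "-----BEGIN PGP MESSAGE-----"
ARMOR_END = "-----END PGP MESSAGE-----"
# An all-zero key ID means the sender hid the recipient (e.g. --throw-keyids).
HIDDEN_KEYID = "0" * 16

# gpg --list-packets prints one such line per recipient of the message.
PUBKEY_ENC = re.compile(r":pubkey enc packet:.*\bkeyid ([0-9A-Fa-f]{16})\b")


def check_armor(text):
    """Return a list of problems with the BEGIN/END lines (empty list = fine)."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    problems = []
    for marker, idx in ((ARMOR_BEGIN, 0), (ARMOR_END, -1)):
        found = lines[idx] if lines else ""
        if found != marker:
            problems.append("expected %r, found %r" % (marker, found))
    return problems


def recipient_keyids(list_packets_output):
    """Extract the long key IDs the message was encrypted to."""
    ids = []
    for line in list_packets_output.splitlines():
        m = PUBKEY_ENC.search(line)
        if m:
            ids.append(m.group(1).upper())
    return ids


def encrypted_to(list_packets_output, my_keyids):
    """Return 'yes', 'no', 'hidden' or 'no-recipients' for my (sub)key IDs.

    my_keyids may be short (8 hex digits) or long (16), with or without 0x.
    A short ID is the low 32 bits of the long ID, so a suffix match is used.
    """
    mine = []
    for k in my_keyids:
        k = k.upper()
        if k.startswith("0X"):
            k = k[2:]
        mine.append(k)
    ids = recipient_keyids(list_packets_output)
    if not ids:
        return "no-recipients"      # symmetric encryption, or not a message
    if any(i.endswith(k) for i in ids for k in mine):
        return "yes"
    if HIDDEN_KEYID in ids:
        return "hidden"             # cannot tell from the packet listing alone
    return "no"


# --- constructed sample data -------------------------------------------------
GOOD_ARMOR = ARMOR_BEGIN + "\n\nhQIMA0NvbnN0cnVjdGVkU2FtcGxl\n=AAAA\n" + ARMOR_END + "\n"

SAMPLE_TO_ME = """\
:pubkey enc packet: version 3, algo 1, keyid A1B2C3D4EC6AA06F
    data: [4095 bits]
:encrypted data packet:
    length: unknown
    mdc_method: 2
"""

SAMPLE_TO_OTHER = SAMPLE_TO_ME.replace("A1B2C3D4EC6AA06F", "1122334455667788")
SAMPLE_HIDDEN = SAMPLE_TO_ME.replace("A1B2C3D4EC6AA06F", HIDDEN_KEYID)

if __name__ == "__main__":
    # Simulate a paste that lost the first dash of the BEGIN line.
    for problem in check_armor(GOOD_ARMOR[1:]):
        print("armor problem:", problem)
    for name, sample in (("to me", SAMPLE_TO_ME),
                         ("to someone else", SAMPLE_TO_OTHER),
                         ("hidden recipient", SAMPLE_HIDDEN)):
        print(name, "->", recipient_keyids(sample),
              encrypted_to(sample, ["EC6AA06F"]))
```

Compare against the ID of the encryption sub-key, not the primary key: a message is encrypted to the sub-key, so that is the ID the packet listing shows.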
SelfSovereignty

  • Sr. Member
  • ****
  • Posts: 412
  • Karma: +104/-25
  • Just call me SS; it's easier than spelling it out.
« Reply #45 on: November 14, 2013, 10:51:32 pm »
I DL's GnuPT, and generated a keypair. I noticed it is only 2056 bits or whatever it is and version 1.4.

There are two versions of GnuPG (GPG). There are the 1.4 series and the 2.x series. Both of them are functionally equivalent. The 1.4 series was originally intended as a lighter version that was more suitable for constrained circumstances, like server use.  Personally, I prefer using the 1.4 series.

They aren't actually functionally equivalent.  The 2.x series will not run everywhere that the 1.4 series does.  I agree with the design philosophy of the 2.x series, but I strongly dislike it.  Primarily because it will not work without a window system and apparently does not contain the code necessary to work independently of pgp-agent: when it asks you for the passphrase for your private key, it fails and dies if gpg-agent can't display a GUI input window.  To be fair, I spent all of 5-10 minutes before I said "fuck this, give me my 1.4 back."  Maybe you can disable that.  Maybe not.

pgp-agent is an independent program that handles caching of passphrases and keys and stuff.  I don't know that much about it, but it shouldn't be required IMHO.  gpg 1.4 will quite happily accept your passphrase from standard input and show you the message.  I was amazed, but I actually had to compile and install it from source myself: couldn't find a package for it.
"Not to laugh, not to lament, not to curse, but to understand." - Spinoza

ChemCat

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 9225
  • Karma: +949/-191
  • I Stand Tall, Among the Giants of the Silk Road
« Reply #46 on: November 14, 2013, 10:54:32 pm »
^^^^


+1  ;)


Hugs  8)



Chem




  O0
You Don't know PGP?         :o

Go here: http://silkroad5v7dywlc.onion/index.php?topic=41104.0

Then go Here: http://silkroad5v7dywlc.onion/index.php?topic=179.0

Sink your teeth into it and Learn  ;)

If you cannot take the little bit of Time to Learn & Use PGP..Do Not msg Me
 

Hugs 8)

Nightcrawler

  • Guest
« Reply #47 on: November 14, 2013, 11:11:51 pm »
I DL's GnuPT, and generated a keypair. I noticed it is only 2056 bits or whatever it is and version 1.4.

There are two versions of GnuPG (GPG). There are the 1.4 series and the 2.x series. Both of them are functionally equivalent. The 1.4 series was originally intended as a lighter version that was more suitable for constrained circumstances, like server use.  Personally, I prefer using the 1.4 series.

They aren't actually functionally equivalent.  The 2.x series will not run everywhere that the 1.4 series does.

They are in the sense that they both encrypt/decrypt/sign/verify etc. That is the sense in which I meant they were equivalent. What I was trying to get across was that the 2.x version, from a user standpoint, really doesn't give you anything you really need, that the 1.4 series does not.




SelfSovereignty

  • Sr. Member
  • ****
  • Posts: 412
  • Karma: +104/-25
  • Just call me SS; it's easier than spelling it out.
« Reply #48 on: November 14, 2013, 11:18:11 pm »
I DL's GnuPT, and generated a keypair. I noticed it is only 2056 bits or whatever it is and version 1.4.

There are two versions of GnuPG (GPG). There are the 1.4 series and the 2.x series. Both of them are functionally equivalent. The 1.4 series was originally intended as a lighter version that was more suitable for constrained circumstances, like server use.  Personally, I prefer using the 1.4 series.

They aren't actually functionally equivalent.  The 2.x series will not run everywhere that the 1.4 series does.

They are in the sense that they both encrypt/decrypt/sign/verify etc. That is the sense in which I meant they were equivalent. What I was trying to get across was that the 2.x version, from a user standpoint, really doesn't give you anything you really need, that the 1.4 series does not.

Yeah, I guess that's basically true; sorry if I came off as oppositional: I took you as meaning functionally equivalent as in interchangeable.  Looking back I didn't really add any info that you hadn't already implied, did I.  Oh well.

Nightcrawler

  • Guest
« Reply #49 on: November 16, 2013, 01:41:09 am »
I DL's GnuPT, and generated a keypair. I noticed it is only 2056 bits or whatever it is and version 1.4.

There are two versions of GnuPG (GPG). There are the 1.4 series and the 2.x series. Both of them are functionally equivalent. The 1.4 series was originally intended as a lighter version that was more suitable for constrained circumstances, like server use.  Personally, I prefer using the 1.4 series.

They aren't actually functionally equivalent.  The 2.x series will not run everywhere that the 1.4 series does.

They are in the sense that they both encrypt/decrypt/sign/verify etc. That is the sense in which I meant they were equivalent. What I was trying to get across was that the 2.x version, from a user standpoint, really doesn't give you anything you really need, that the 1.4 series does not.

Yeah, I guess that's basically true; sorry if I came off as oppositional: I took you as meaning functionally equivalent as in interchangeable.  Looking back I didn't really add any info that you hadn't already implied, did I.  Oh well.

Sometimes I'm not clear, and I don't mind people pointing that out. Other points of view are always welcome.


flwrchlds9

  • Full Member
  • ***
  • Posts: 198
  • Karma: +52/-9
« Reply #50 on: November 17, 2013, 10:07:14 am »
Make 4096 RSA key.

$ gpg --gen-key

Choose RSA and RSA then 4096 for key size.

Easy.
** LOOSE LIPS   SINK SHIPS **

Odin80

  • Jr. Member
  • **
  • Posts: 57
  • Karma: +19/-2
« Reply #51 on: November 17, 2013, 03:44:12 pm »
Quick question. I downloaded gpg4win to get the software on my pc. I used Mozilla Thunderbird's enigmail to generate a key pair that said it was 4096. Is this key garbage? Here is my public key block. Let me know if I need to provide something in addition to get my question answered. Thanks

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.19 (MingW32)
-----END PGP PUBLIC KEY BLOCK-----
The Code is to Protect-
Protect with savagery your blood and kin. Let no one or nothing violate your love or way. Let there always be inequity in defense. Always protect thrice as fiercely as one is attacked. Protection is the mark of a warrior spirit.

SelfSovereignty

  • Sr. Member
  • ****
  • Posts: 412
  • Karma: +104/-25
  • Just call me SS; it's easier than spelling it out.
« Reply #52 on: November 17, 2013, 05:20:02 pm »
Quick question. I downloaded gpg4win to get the software on my pc. I used Mozilla Thunderbird's enigmail to generate a key pair that said it was 4096. Is this key garbage? Here is my public key block. Let me know if I need to provide something in addition to get my question answered. Thanks

No, it's fine.  4096 bit RSA primary key with a 4096 bit RSA encryption subkey.  I don't know what algorithm or third party tool Enigmail uses to generate keys, but presumably it's gpg or a safe alternative.

Odin80

  • Jr. Member
  • **
  • Posts: 57
  • Karma: +19/-2
« Reply #53 on: November 17, 2013, 09:39:38 pm »
Quick question. I downloaded gpg4win to get the software on my pc. I used Mozilla Thunderbird's enigmail to generate a key pair that said it was 4096. Is this key garbage? Here is my public key block. Let me know if I need to provide something in addition to get my question answered. Thanks

No, it's fine.  4096 bit RSA primary key with a 4096 bit RSA encryption subkey.  I don't know what algorithm or third party tool Enigmail uses to generate keys, but presumably it's gpg or a safe alternative.

Good looking out. +1

Odin80

  • Jr. Member
  • **
  • Posts: 57
  • Karma: +19/-2
« Reply #54 on: November 18, 2013, 02:08:03 am »
This may be a bit off topic, however, I trust the info from those who are posting here. I primarily use my Samsung GS4 that is rooted and runs on the hyperdrive rom. I use the orbot and orbweb bundle to access TOR. Would someone give me the proper settings to use? Should I fully encrypt both my phone and sd card? I don't do big things on SR, but I am still security conscious.  I appreciate all the feedback and if I was inappropriate to hijack this thread my apologies.

Nightcrawler

  • Guest
« Reply #55 on: November 18, 2013, 02:48:05 am »
This may be a bit off topic, however, I trust the info from those who are posting here. I primarily use my Samsung GS4 that is rooted and runs on the hyperdrive rom. I use the orbot and orbweb bundle to access TOR. Would someone give me the proper settings to use? Should I fully encrypt both my phone and sd card? I don't do big things on SR, but I am still security conscious.  I appreciate all the feedback and if I was inappropriate to hijack this thread my apologies.

I don't have a phone, and I absolutely REFUSE to carry one.  It is my long-held view that phones are insecure, regardless of what software is installed on them. I wouldn't be caught dead doing anything illegal on a phone. That's my 2 cents, anyway.


KeyserSöze

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
« Reply #56 on: November 18, 2013, 08:06:46 am »
I installed gpg4usb today, however I still am unclear on the differences between gpg4usb and the version I am currently using. Would appreciate a little more insight.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.21 (MingW32)
-----END PGP PUBLIC KEY BLOCK-----

Nightcrawler

  • Guest
« Reply #57 on: November 18, 2013, 09:35:55 am »
I installed gpg4usb today, however I still am unclear on the differences between gpg4usb and the version I am currently using. Would appreciate a little more insight.

The differences are minor, nothing really. The major rationale for pointing newbies towards GPG4USB is that the interface is simple to use.


D.STORM

  • Full Member
  • ***
  • Posts: 113
  • Karma: +13/-24
  • ★= Welcome =★
« Reply #58 on: November 18, 2013, 11:06:09 am »
Hello, I am putting up a little message because I have one buyer with a PGP problem.
Maybe somebody can help me.
I always receive this message from him:

No valid UTF 8 encoding at position 0.
Assuming latin-1 encoding instead .


I really can't tell what he is saying; please help, community.

KeyserSöze

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
« Reply #59 on: November 18, 2013, 07:25:54 pm »
I installed gpg4usb today, however I still am unclear on the differences between gpg4usb and the version I am currently using. Would appreciate a little more insight.

The differences are minor, nothing really. The major rationale for pointing newbies towards GPG4USB is that the interface is simple to use.

Nightcrawler


Oh perfect, thanks. Thought that I was at a security risk. The next thing I need to learn is how to export my keyring into my Tails. I have an email service that has my keyring and when I copy and paste my Public Key in Tails it is converted to Linux. Curious to learn if this is ok and normal or if the keys should not be altered this way?

Thanks for all the great info you are posting!
« Last Edit: November 18, 2013, 07:31:22 pm by KeyserSöze »

KeyserSöze

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
    • View Profile
    • Personal Message (Offline)
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #60 on: November 18, 2013, 07:40:16 pm »
Correction. It seems that when my PGP keys are imported to my email Keyring they are converted to Linux regardless if I am in Windows or Tails. The following key is the same key I posted above. From what I've read it does seem that Linux is more secure than Windows, it is the same key being converted back and forth that has me a little confused. Is there a difference in this case which one is used?

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.5 (GNU/Linux)
-----END PGP PUBLIC KEY BLOCK-----

Nightcrawler

  • Guest
« Reply #61 on: November 19, 2013, 12:13:15 am »
Correction. It seems that when my PGP keys are imported to my email Keyring they are converted to Linux regardless if I am in Windows or Tails. The following key is the same key I posted above. From what I've read it does seem that Linux is more secure than Windows, it is the same key being converted back and forth that has me a little confused. Is there a difference in this case which one is used?

Version: GnuPG v1.4.5 (GNU/Linux)

PGP keys are the same, regardless of which platform you are running PGP/GPG on.  When you export a key, the Version string reflects the nature of the system and software that the key was exported from. I am somewhat concerned about the Version: string -- 1.4.5 was released in August 2006 -- that's 7 years ago now. The latest version in the 1.4 series is 1.4.15.


SelfSovereignty

  • Sr. Member
  • ****
  • Posts: 412
  • Karma: +104/-25
  • Just call me SS; it's easier than spelling it out.
« Reply #62 on: November 19, 2013, 12:14:08 am »
Correction. It seems that when my PGP keys are imported to my email Keyring they are converted to Linux regardless if I am in Windows or Tails. The following key is the same key I posted above. From what I've read it does seem that Linux is more secure than Windows, it is the same key being converted back and forth that has me a little confused. Is there a difference in this case which one is used?

I don't understand what you're talking about, to be honest.  Linux format and Windows/DOS format are virtually identical and only matter with text data.  The convention is that Linux uses a newline at the end of lines, and Windows/DOS uses a carriage-return and a newline both.  "\r\n" or just "\n" is the usual representation, or sometimes "^M" for DOS format in Linux editors (technically that's how the "\r" is displayed, which is just another character before the newline to a Linux editor).  The actual bytes are usually 0d0a if viewed in a hex editor.  "Conversion" from one to the other is simply adding or removing that "\r".

Technically the DOS format is more correct, as newline is historically a linefeed command I believe.  This would drop a typewriter down a line.  The carriage return "\r" is what would bring it back to the first position at the beginning of the line.  So technically, Linux is only saying "drop down a line," not "drop down a line and go back to the beginning position."  But whatever, it's understood that that's what's intended and it really is neither here nor there anyway.

So that said, what do you mean it converts?  Also, if an email service has your keys... then your keys are not secure and you should assume that they're already known by an adversary.  Period.  There's really no good way around this.  They may be secure, maybe nobody cares, maybe nobody even knows really... but you must assume that you've been targeted and you must change your keys.  And stop giving them out, for God's sake!  :P

Frequently when you export a key twice, it won't be the same.  At least it shouldn't be the same.  GPG uses a random session value as part of how it works internally to aid security.  That value changes the data that gets exported, but it still works fine as you'll notice.  I don't know the technical mathematical details of how they do it, but it's how they do it.  Does that explain whatever it is you're observing and/or what you're assuming is a conversion?  Also, v1.4.5 is kind of old.  They're on v1.4.12 I believe.  You probably want to update whatever tool you're using.

Lastly... that key makes me excessively nervous.  I looked at it with gpg, and I got a notice I have never seen before and that I don't understand.  It told me that there's no need for a trustdb check with my trust model.  Is it possible for a gpg key to request that upon import the user's trustdb is checked for revocation?  That would be an unbelievably unfortunate design detail for those of us who would be royally fucked by gpg reaching out without Tor to update a trustdb entry for a specific key that only appears in, say, a thread on SR forums about pgp versions...

NightCrawler?  Can you explain that?

Edit: he beat me to it, but I spent so much time typing this I figured why not just post it anyway, hah...
« Last Edit: November 19, 2013, 12:16:05 am by SelfSovereignty »

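The points made in the two replies above, that the Version: string reflects the exporting software and that DOS and Unix line endings differ only by a "\r", can be checked by stripping the ASCII armor and comparing what is left. This is an added example, not code from the thread: the payload is a constructed stand-in rather than a real key, the function names are made up, and the two Version strings are the ones quoted in the posts.

```python
import base64

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data):
    """CRC-24 as defined for OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(payload, version, newline):
    """Wrap raw packet bytes in armor with the given Version and line ending."""
    b64 = base64.b64encode(payload).decode("ascii")
    data = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    lines = [BEGIN, "Version: " + version, ""] + data + ["=" + check, END]
    return newline.join(lines) + newline


def dearmor(text):
    """Return (headers, payload); raise ValueError on damaged armor."""
    # Line endings are normalised first: CRLF vs LF never reaches the payload.
    lines = [ln.rstrip() for ln in
             text.replace("\r\n", "\n").replace("\r", "\n").split("\n")]
    start = next((i for i, ln in enumerate(lines) if ln == BEGIN), None)
    end = next((i for i, ln in enumerate(lines) if ln == END), None)
    if start is None or end is None or end < start:
        raise ValueError("BEGIN/END line missing or damaged")
    headers = {}
    i = start + 1
    while i < end and lines[i] != "":
        key, sep, value = lines[i].partition(": ")
        if not sep:
            raise ValueError("no blank line between armor headers and data")
        headers[key] = value
        i += 1
    body = [ln for ln in lines[i + 1:end] if ln]
    if not body or len(body[-1]) != 5 or not body[-1].startswith("="):
        raise ValueError("CRC-24 line missing")
    try:
        payload = base64.b64decode("".join(body[:-1]), validate=True)
        expected = int.from_bytes(
            base64.b64decode(body[-1][1:], validate=True), "big")
    except ValueError as exc:
        raise ValueError("invalid base64 in armor: %s" % exc)
    if crc24(payload) != expected:
        raise ValueError("CRC-24 mismatch: data was altered or truncated")
    return headers, payload


def same_key_material(block_a, block_b):
    """True when two armored blocks carry byte-identical packet data."""
    return dearmor(block_a)[1] == dearmor(block_b)[1]


# Constructed stand-in for the binary key packets (NOT a real key).
STAND_IN_PAYLOAD = bytes(range(256)) * 2

if __name__ == "__main__":
    windows_export = armor(STAND_IN_PAYLOAD, "GnuPG v2.0.21 (MingW32)", "\r\n")
    linux_export = armor(STAND_IN_PAYLOAD, "GnuPG v1.4.5 (GNU/Linux)", "\n")
    print("text identical:   ", windows_export == linux_export)
    print("payload identical:", same_key_material(windows_export, linux_export))
    print("headers:", dearmor(windows_export)[0], dearmor(linux_export)[0])
```

The Version: header and the line endings sit outside the checksummed data, which is why the two exports differ as text yet decode to the same bytes. GnuPG's no-emit-version option leaves the header out altogether.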
Nightcrawler

  • Guest
« Reply #63 on: November 19, 2013, 01:40:53 am »

FWIW, your trust model should be set to either no trust or all trust. When it comes to anonymous/pseudonymous entities, such as we have here on the Road, the web of trust (and thus the trust database) is irrelevant. My copy of gpg.conf contains the directive: trust-model always

The one thing you do not want is for your client software to try and fetch keys from the various keyservers. For starters, many people here do not post their keys on the keyservers. (Most of them that do, their software does it automatically for them, and they likely never ever realize it.)

The Web of Trust was originally designed for people using real names and traceable email addresses. It makes very little sense in our situation.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key Fingerprint = D870 C6AC CC6E 46B0 E0C7  3955 B8F1 D88E BBF7 433B

Security is a bit like religion... some things have to be taken on faith.
Where security differs from religion is that security is NOT retroactive.
Unlike Christianity, where you can come to Jesus, be 'saved' and have all
your sins washed away, with security you can adopt Tails or PGP, and be
secure from that point forward, but rest assured that your previous sins
(security failings) WILL come back to haunt you and bite you in the ass.
DPR is the poster child for that, right now.

KeyserSöze

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #64 on: November 19, 2013, 06:01:37 am »
Thanks Nightcrawler, I figured that it was just a different platform, just wanted to make sure. Not sure why they are using such an old version.

 SelfSovereignty thanks for that explanation, it seems that "convert" was not the correct term to use. The encrypted/anonymous email service provided through my VPN service has a PGP plugin option. I have never used it before and the key I created was only a couple days old and I have never used it in any communications so far either. My original idea was to use this email keyring so I could access it in Tails. I haven't quite figured out how to get my PGP keyring saved on my persistence volume in Tails.

I will take your word on it and just scrap that key and create a new one. Thanks to both of you for your input!

SelfSovereignty

  • Sr. Member
  • ****
  • Posts: 412
  • Karma: +104/-25
  • Just call me SS; it's easier than spelling it out.
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #65 on: November 19, 2013, 07:31:12 am »

Agreed, that's exactly why I have the "always-trust" line in my gpg.conf.  But all I did was type "gpg --import" in a shell, paste the key in question into the terminal, and hit control-D.  It then gave me the usual output, followed by this:
Code:
-----END PGP PUBLIC KEY BLOCK-----
gpg: key REDACTED: public key "REDACTED <REDACTED@REDACTED>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: no need for a trustdb check with `always' trust model

I know the public key is right there for anybody to see the redacted information, but there's no need to let it show up on Google or whatnot so I'm leaving that info out.  Anyway, I've never seen that last line before.  I am 100% certain I did and typed nothing else.  The xterm I did it in is still open and I'm still looking at it wondering what the Hell it told me that for...


Edit: holy shit...

Quote
If GnuPG feels that its information about the Web of Trust has to be updated, it automatically runs the --check-trustdb command internally. This may be a time consuming process. --no-auto-check-trustdb disables this option.

... uh... that ain't good  :(

Let me actually say what I'm thinking: that's unbelievably mother fucking bad.  That would make it fucking trivial to ID anybody who imports a key that will trigger a trustdb check.  They sync information, and gpg is only going to ask about specific keys that exist in the keychain.  All they'd have to do is flag anybody asking about specific keys.  Like... wtf?!  Can that possibly be the reality of the situation?  Is gpg horribly unsafe for us if not using the always-trust model or the no-auto-check-trustdb options set?  I've gotta be jumping to conclusions or something... right?
« Last Edit: November 19, 2013, 07:54:37 am by SelfSovereignty »
"Not to laugh, not to lament, not to curse, but to understand." - Spinoza

Eduardo

  • Full Member
  • ***
  • Posts: 240
  • Karma: +15/-6
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #66 on: November 19, 2013, 10:14:32 am »
So am I using the right one? 

GPA 0.9.4
Encrypt everything sm:)e

Off white breeze

  • Sr. Member
  • ****
  • Posts: 289
  • Karma: +50/-18
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #67 on: November 22, 2013, 01:40:17 am »
So am I using the right one? 

GPA 0.9.4

 This^^^

 I am currently using GPG4USB.   I remember reading something not too long ago, I forget where, about GPG4USB having problems.
Don't take the rantings of random druggies on the internet too seriously!
Unless it's one of my hilarious anecdotes, because they are all Gospel, and fucking funny too.

Nightcrawler

  • Guest
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #68 on: November 22, 2013, 02:09:23 am »

To the best of my knowledge, checking the trustdb does NOT cause your copy of PGP/GPG to query any of the keyservers.  The notice you saw was simply a reminder that since your trustlevel was set to trust all keys, there is/was no need to check the trustdb file. Some versions of PGP can be set up to post a newly-generated key to the keyservers, but this can usually be turned off. (I don't think it's the default in any case.)

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key Fingerprint = D870 C6AC CC6E 46B0 E0C7  3955 B8F1 D88E BBF7 433B

Security is a bit like religion... some things have to be taken on faith.
Where security differs from religion is that security is NOT retroactive.
Unlike Christianity, where you can come to Jesus, be 'saved' and have all
your sins washed away, with security you can adopt Tails or PGP, and be
secure from that point forward, but rest assured that your previous sins
(security failings) WILL come back to haunt you and bite you in the ass.
The original DPR is the poster child for that, right now.
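
The options this exchange turns on (trust-model always, always-trust, no-auto-check-trustdb, and keeping gpg from fetching keys off keyservers) can be checked mechanically. The following is an added example, not code from the thread or from GnuPG: a small Python auditor for a gpg.conf. Both sample configs are constructed, and treating `keyserver-options auto-key-retrieve` as the setting behind "fetch keys from the various keyservers" is this example's assumption.

```python
# Added example: audit a gpg.conf for the options discussed in this thread.
# The option names are GnuPG options; the two sample configs are constructed.

DEFAULTS = {
    "trust_model": "default",      # unset: gpg uses its web-of-trust model
    "auto_check_trustdb": True,    # gpg re-checks the trustdb when it sees fit
    "auto_key_retrieve": False,    # gpg does not fetch unknown signing keys
}


def parse_gpg_conf(text):
    """Yield (option, argument) pairs; blank lines and '#' lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def effective_settings(text):
    """Apply options in file order, so a later line overrides an earlier one."""
    settings = dict(DEFAULTS)
    for name, arg in parse_gpg_conf(text):
        if name == "trust-model":
            settings["trust_model"] = arg.lower()
        elif name == "always-trust":          # older spelling of trust-model always
            settings["trust_model"] = "always"
        elif name in ("auto-check-trustdb", "no-auto-check-trustdb"):
            settings["auto_check_trustdb"] = not name.startswith("no-")
        elif name == "keyserver-options":
            for item in arg.replace(",", " ").split():
                if item in ("auto-key-retrieve", "no-auto-key-retrieve"):
                    settings["auto_key_retrieve"] = not item.startswith("no-")
    return settings


def audit(text):
    """Return findings, network-touching ones first; an empty list means clean."""
    s = effective_settings(text)
    findings = []
    if s["auto_key_retrieve"]:
        findings.append("NETWORK: auto-key-retrieve is on; gpg asks a keyserver "
                        "for signing keys it does not have")
    if s["trust_model"] != "always":
        findings.append("TRUST: trust-model is not 'always'; the web of trust "
                        "and trustdb are in use")
        if s["auto_check_trustdb"]:
            findings.append("TRUST: automatic trustdb checks are enabled; "
                            "no-auto-check-trustdb turns them off")
    return findings


# Constructed sample: nothing set except automatic key retrieval.
WEAK_CONF = """\
# constructed sample
keyserver hkp://keys.example.invalid
keyserver-options auto-key-retrieve
"""

# Constructed sample: the settings recommended in the posts above.
HARDENED_CONF = """\
trust-model always
no-auto-check-trustdb
keyserver-options no-auto-key-retrieve
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no findings")
```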



SelfSovereignty

  • Sr. Member
  • ****
  • Posts: 412
  • Karma: +104/-25
  • Just call me SS; it's easier than spelling it out.
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #69 on: November 22, 2013, 03:14:16 am »

Thanks Nightcrawler; apparently I wasn't (and still am not actually) clear on just what it is that GnuPG is doing when it updates its web of trust.  I assumed the duration was due to network activity, but I guess not.  Well, the factorial of even tiny numbers is still a bloody huge number, isn't it.

i.e. 10 keys with a web of trust could, I suppose in the worst case, involve fact(10) checks, which is 3,628,800.
"Not to laugh, not to lament, not to curse, but to understand." - Spinoza

domesticdoode

  • Vendor
  • Full Member
  • *****
  • Posts: 195
  • Karma: +34/-16
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #70 on: November 22, 2013, 09:22:04 am »
subbed

great thread. thanks so much for posting, really enlightens
DomesticDoode - SR 2.0 / A G O R A - Vendor
Vendor Page- http://silkroad6ownowfk.onion/users/domesticdoode or @safe-mail.net

TheDemiGod

  • Newbie
  • *
  • Posts: 9
  • Karma: +1/-0
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #71 on: November 23, 2013, 02:28:56 am »
This was an awesome post especially for someone completely new like I am not to make what could have been a costly mistake. Now just have to figure out how the hell to use this :)
"The question isn't who is going to let me, Its who's going to stop me." -Ayn Rand

NordicShrooms

  • Vendor
  • Sr. Member
  • *****
  • Posts: 352
  • Karma: +68/-9
  • unity/balance/peace
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #72 on: November 23, 2013, 07:43:57 am »
Hi there :)

It looks like we're having issues with the ASCII text when copying/pasting to our textedit from the site. It took help from someone here before we could import a buyer's private key, but it worked. All we need to do is decrypt buyers' messages to us that they PM us on the site, but every time comes 'Decrypt failed, Code = 0.'

Is anyone else experiencing this? Is there some small tricks that is available to be used, like a spacing which is getting deleted, or the font being changed? Has anyone else experienced cross-platform compatibility issues?

Thanks in advance
NS
-- New B+ cubensis available! --

5g: €20 | 10g: €35 | 20g: €60 | 50g: €130

ALWAYS FREE SHIPPING, WORLDWIDE :D

http://silkroad6ownowfk.onion/users/nordicshrooms

Find us also on Agora :)

Nightcrawler

  • Guest
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #73 on: November 23, 2013, 11:11:06 am »
I hope you just made a typo above... I most certainly hope that you're NOT importing buyers' private keys.

If you're going to be using TextEdit, you simply MUST turn OFF Rich Text Format (.rtf).

N.B.: To properly be able to import a  PGP key into GPGChain (via TextEdit) you need to change the default on TextEdit from .rtf to plain text. You can do that through the Format menu, or you can go through the main configuration menu, accessible by using Command-comma. Ensure the plain text radio button is selected.

Also ensure that the following are UNCHECKED in TextEdit preferences: smart quotes, smart dashes, smart links.

Also, for any keys that you retrieve from the customer's Forum profile, you have to remove the leading spaces. In other words, the first character of the key should be in line 1, not line 4:

When you copy/paste your key from the Forum, it will likely look like this:

PGP Public Key:
    -----BEGIN PGP PUBLIC KEY BLOCK-----

    -----END PGP PUBLIC KEY BLOCK-----

Note the leading spaces ... this will cause PGP/GPG to choke on the key.

To properly import a key, it should look like this:

PGP Public Key:
-----BEGIN PGP PUBLIC KEY BLOCK-----

-----END PGP PUBLIC KEY BLOCK-----

Note the lack of leading spaces.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key Fingerprint = D870 C6AC CC6E 46B0 E0C7  3955 B8F1 D88E BBF7 433B

« Last Edit: November 23, 2013, 11:15:49 am by Nightcrawler »
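
The clean-up described in the post above (no leading spaces, no smart dashes, plain text only) can be scripted and then checked against the armor's own CRC-24 line. This is an added example, not code from the thread or from GnuPG: the strict parser is this example's own, the payload is constructed sample bytes rather than a real key, and the smart-dash repair assumes the editor turned each pair of hyphens into one em dash.

```python
# Added example: repair a key block pasted from a forum page, then verify it.
import base64

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB  # constants from RFC 4880, 6.1


def crc24(data):
    """CRC-24 as used for the '=XXXX' checksum line of ASCII armor."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data, label="PGP PUBLIC KEY BLOCK"):
    """Wrap bytes in ASCII armor (used here only to build the sample)."""
    b64 = base64.b64encode(data).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN {label}-----", ""] + body
                     + [check, f"-----END {label}-----", ""])


def clean_pasted_armor(text):
    """Undo CRLF, indentation and smart dashes; return only the armor block."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    text = text.replace("\u2014", "--")          # assumed smart-dash damage
    lines = [ln.strip(" \t\u00a0") for ln in text.split("\n")]
    try:
        start = next(i for i, ln in enumerate(lines)
                     if ln.startswith("-----BEGIN PGP "))
        end = next(i for i, ln in enumerate(lines)
                   if i > start and ln.startswith("-----END PGP "))
    except StopIteration:
        raise ValueError("no complete armor block found") from None
    return "\n".join(lines[start:end + 1]) + "\n"


def dearmor_strict(text):
    """Decode armor whose header starts in column 1; verify the CRC-24."""
    lines = text.split("\n")
    try:
        start = next(i for i, ln in enumerate(lines)
                     if ln.startswith("-----BEGIN PGP "))
    except StopIteration:
        raise ValueError("no armor header line starting in column 1") from None
    i = start + 1
    while i < len(lines) and lines[i] != "":     # skip "Version:" style headers
        i += 1
    body, check = [], None
    for ln in lines[i + 1:]:
        if ln.startswith("-----END PGP "):
            break
        if ln.startswith("="):
            check = ln[1:]
        else:
            body.append(ln)
    else:
        raise ValueError("missing armor tail line")
    data = base64.b64decode("".join(body), validate=True)
    if check is None or base64.b64decode(check) != crc24(data).to_bytes(3, "big"):
        raise ValueError("CRC-24 mismatch: the block was altered in transit")
    return data


SAMPLE_DATA = bytes(range(200))  # constructed payload, not a real key
# Constructed paste: a profile label, four leading spaces, CRLF line ends.
PASTED = "PGP Public Key:\r\n" + "".join(
    "    " + line + "\r\n" for line in armor(SAMPLE_DATA).splitlines())

if __name__ == "__main__":
    try:
        dearmor_strict(PASTED)
    except ValueError as exc:
        print("as pasted:", exc)
    print("after clean-up:", len(dearmor_strict(clean_pasted_armor(PASTED))), "bytes")
```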

NordicShrooms

  • Vendor
  • Sr. Member
  • *****
  • Posts: 352
  • Karma: +68/-9
  • unity/balance/peace
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #74 on: November 23, 2013, 07:03:50 pm »
@Nightcrawler

Thanks for the help :) Yes, that was definitely a typo. Still not working for the previous messages sent to me. I can still encrypt and decrypt fine via the forum however.

Sometimes, is it valid to say it's the other person's fault?

Nightcrawler

  • Guest
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #75 on: November 23, 2013, 09:08:42 pm »
It depends. If you can decrypt messages from someone on the Forum, but not decrypt messages sent by the same person on the main site, then I'd say the problem is that the main site is doing something to the messages on their end. Sometimes people encrypt messages to their own keys, and not the vendor's. If you want to see which keys a message is encrypted to, you can always:

1) Save the message to a file, e.g. message.txt

2) Enter terminal mode, and then use the following command: gpg --list-packets message.txt

When prompted for your password, just hit return and eventually GPG will tell you which keys the message is encrypted to.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key Fingerprint = D870 C6AC CC6E 46B0 E0C7  3955 B8F1 D88E BBF7 433B

Security is a bit like religion... some things have to be taken on faith.
Where security differs from religion is that security is NOT retroactive.
Unlike Christianity, where you can come to Jesus, be 'saved' and have all
your sins washed away, with security you can adopt Tails or PGP, and be
secure from that point forward, but rest assured that your previous sins
(security failings) WILL come back to haunt you and bite you in the ass.
The original DPR is the poster child for that, right now.
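
What the --list-packets step above reads out is the key ID stored in each public-key encrypted session key packet at the front of the message. The following is an added example, not code from the thread or from GnuPG: a Python reader for those packets that works on the binary form of a message (for instance the output of gpg --dearmor). The sample message and both key IDs are constructed. The key ID in such a packet is normally that of the recipient's encryption subkey, and an all-zero key ID means the sender withheld the recipient.

```python
# Added example: list the recipient key IDs of an OpenPGP message.
# Packet layout follows RFC 4880; the sample message below is constructed.

PKESK_TAG = 1          # Public-Key Encrypted Session Key packet
HIDDEN = "0" * 16      # all-zero key ID: recipient withheld by the sender


def _read_header(data, pos):
    """Return (tag, body_length, body_offset); length None = not a fixed size."""
    hdr = data[pos]
    if not hdr & 0x80:
        raise ValueError(f"no OpenPGP packet header at offset {pos}")
    pos += 1
    if hdr & 0x40:                                   # new-format header
        tag, first = hdr & 0x3F, data[pos]
        if first < 192:
            return tag, first, pos + 1
        if first < 224:
            return tag, ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
        if first == 255:
            return tag, int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
        return tag, None, pos                        # partial body lengths
    tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03       # old-format header
    if ltype == 3:
        return tag, None, pos                        # runs to end of input
    size = (1, 2, 4)[ltype]
    return tag, int.from_bytes(data[pos:pos + size], "big"), pos + size


def iter_packets(data):
    """Yield (tag, body) until the input ends or a streamed packet starts."""
    pos = 0
    while pos < len(data):
        try:
            tag, length, pos = _read_header(data, pos)
        except IndexError:
            raise ValueError("truncated packet header") from None
        if length is None:       # session key packets always precede this point
            yield tag, b""
            return
        if pos + length > len(data):
            raise ValueError("truncated packet body")
        yield tag, data[pos:pos + length]
        pos += length


def recipient_key_ids(data):
    """Key IDs (16 hex digits) from every version-3 PKESK packet, in order."""
    return [body[1:9].hex().upper()
            for tag, body in iter_packets(data)
            if tag == PKESK_TAG and len(body) >= 10 and body[0] == 3]


def addressed_to(data, own_key_ids):
    """'yes', 'no', or 'maybe' when a hidden recipient makes it undecidable.

    own_key_ids must include the IDs of your encryption subkeys.
    """
    ids = recipient_key_ids(data)
    own = {key_id.upper()[-16:] for key_id in own_key_ids}
    if own & set(ids):
        return "yes"
    return "maybe" if HIDDEN in ids else "no"


def _pkesk(key_id_hex, new_format=False):
    """Build a constructed PKESK packet: version 3, key ID, RSA, dummy MPI."""
    body = bytes([3]) + bytes.fromhex(key_id_hex) + bytes([1]) + b"\x00\x08\xff"
    header = 0xC0 | PKESK_TAG if new_format else 0x80 | (PKESK_TAG << 2)
    return bytes([header, len(body)]) + body


# Constructed message: one named recipient, one hidden recipient, then a
# 4-byte stand-in for the encrypted data packet (tag 18).
SAMPLE_MESSAGE = (_pkesk("0123456789ABCDEF")
                  + _pkesk(HIDDEN, new_format=True)
                  + bytes([0xC0 | 18, 4]) + b"\x01abc")

if __name__ == "__main__":
    print(recipient_key_ids(SAMPLE_MESSAGE))
    print(addressed_to(SAMPLE_MESSAGE, ["FEDCBA9876543210"]))
```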

missfartypants

  • Newbie
  • *
  • Posts: 1
  • Karma: +0/-0
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #76 on: November 24, 2013, 03:59:00 am »
I'm new to PGP, and using a mac.  Does anyone have recommendations for what to use?  Both the programs OP recommends are for Windows and/or Linux only.

Nightcrawler

  • Guest
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #77 on: November 24, 2013, 01:31:52 pm »
Here is a tutorial Guru wrote originally that'll help you get up and running...

GPGTools is highly version dependent -- depending on which version of OS X
you have, it may or may not work as expected.  If you have Leopard (10.5)
then you're pretty much out of luck. Your only option then will be using
the command-line.

If you have Snow Leopard (10.6), Lion (10.7), Mountain Lion (10.8), or
Mavericks (10.9) the following instructions should be sufficient to allow
you to get up and running.

Download and install GPGTools: https://releases.gpgtools.org/GPG%20Suite%20-%202013.10.22.dmg

Once you have installed GPGTools,  what you want to do is to go into
System Preferences --> Keyboard --> Services.

Scroll down until you find the following entries. Be sure to put a check
mark in the boxes to activate each keyboard shortcut.

Keyboard shortcuts:

OpenPGP: Decrypt Selection:             Shift-Command-D

OpenPGP: Encrypt Selection:             Shift-Command-E

OpenPGP: Import Key from Selection:     Shift-Command-I

OpenPGP: Insert My Fingerprint:         Shift-Command-F

OpenPGP: Insert My Key:                 Shift-Command-K

OpenPGP: Sign Selection:                Shift-Command-R

OpenPGP: Verify Signature of Selection: Shift-Control-V

Remember, these shortcuts only operate on highlighted or selected text.

To copy your key to a TextEdit document, open up TextEdit, so you have a
blank document open. Then you can use the Insert My Key command,
Shift-Command-K -- this will bring up a little dialog box, where you can
choose your key from the drop-down box; click Choose Key, and the
key will be inserted into your TextEdit document.

You can then use Command-A to highlight the key, and Command-C to copy it
to the clipboard. You can then use Command-V to paste your public key into
a PM (to me) for example.

N.B.: To properly be able to import PGP into GPGChain (via TextEdit) you
need to change the default on TextEdit from .rtf to plain text. You can do
that through the Format menu, or you can go through the main configuration
menu, accessible by using Command-comma. Ensure the plain text radio button
is selected.

Also ensure that the following are UNCHECKED in TextEdit preferences:
smart quotes, smart dashes, smart links.

To select text within TextEdit, use Command-A to highlight the entire
document, or use your mouse to select the section that you want to
verify/sign/encrypt/decrypt. It is highly recommended that you use only
plain-text, as opposed to Rich Text (.rtf) format. Use Command-comma to
bring up Preferences and ensure that the plain text radio button is
checked.

Once your text is highlighted in TextEdit, (by pressing Command-A) you then
encrypt using Shift-Command-E. You will then be presented with a list of
keys to encrypt to, that you have added to your PGP keyring:

Other Commands You May Need:
============================

OpenPGP: Decrypt File:                   Control-Command-D

OpenPGP: Encrypt File:                   Control-Command-E

OpenPGP: Sign File:                      Control-Command-S

OpenPGP: Verify Signature of File:       Control-Command-V


Once you have set up these shortcuts, you can begin using GPG.

To encrypt a message to someone using GPG, you first need a copy of the
recipient's PGP public key.

Once you have located someone's PGP public key, you should copy and paste
it into TextEdit. Save the PGP key to a file; you can call the file,
import.asc (or import.txt), for example. This saved file will usually be
found in the Documents folder.

Launch GPG Keychain Access from the Applications folder. Click on the
Import icon in the upper left hand corner. GPG Keychain Access will then
prompt you for the name of the file which contains the key to import. It
will usually show you a list of files in the Documents folder. Click on the
file named import.asc (or import.txt), and click ok. The PGP public key
will then be imported into your PGP keyring.

To encrypt a message to a person, the message must be contained in a
TextEdit document. Use Command-A to highlight the entire document. Then
use Shift-Command-E to encrypt. GPG will pop-up a list of public keys in
your PGP keyring. Each key will have a little checkbox beside it which you
can check, to select that particular key. If you were encrypting a message
to me, you would put a check in the box beside my PGP key (Guru@SR).

When you click on OK, the plaintext (unencrypted) message in TextEdit will
be replaced with the encrypted message. You can then copy and paste the
encrypted message to enter it into a form on Silk Road, or anywhere else
that it needs to go.

To decrypt a message sent to you by other people, you need to copy that
message to the clipboard, and paste it into a TextEdit document. Again use
Command-A to highlight all the encrypted message. Then use Shift-Command-D
to decrypt the message. If the message is encrypted to your PGP public key,
you will be prompted to enter your passphrase. Once the correct passphrase
has been entered, and you click OK, then the message will be decrypted,
and the decrypted text will be placed in the TextEdit document, replacing
the encrypted message that was there previously.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090
PGP Key Fingerprint = D870 C6AC CC6E 46B0 E0C7  3955 B8F1 D88E BBF7 433B

Security is a bit like religion... some things have to be taken on faith.
Where security differs from religion is that security is NOT retroactive.
Unlike Christianity, where you can come to Jesus, be 'saved' and have all
your sins washed away, with security you can adopt Tails or PGP, and be
secure from that point forward, but rest assured that your previous sins
(security failings) WILL come back to haunt you and bite you in the ass.
The original DPR is the poster child for that, right now.


KAKAKIII

  • Newbie
  • Posts: 10
  • Karma: +1/-0
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #78 on: November 25, 2013, 03:07:45 pm »
Security will remain the principal bridge between personal safety and safe customer/delivery service. I'll strongly advise that new vendors on SR take more time learning on security issues than rushing in trying to make money fast without fully implementing security strategies that will guarantee customers as well. I have been doing just that as well.
KAKAKIII 

Psychonautical

  • Newbie
  • Posts: 48
  • Karma: +2/-0
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #79 on: November 28, 2013, 08:58:32 pm »
I'm trying to switch over to a non-local version of Ubuntu for my Darkweb needs, so as to avoid anything on my personal machine, and I'm having some trouble with the PGP. How should I go about making sure my PGP version is secure, and works correctly? (In the past, trying to copy-paste my key into forums/sites causes an error, and I'm unsure as to why)
a Psilly Psychonautical Explorer!

Tang

  • Newbie Guide
  • Hero Member
  • Posts: 4656
  • Karma: +399/-65
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #80 on: November 28, 2013, 09:03:05 pm »
Quote from: Psychonautical
I'm trying to switch over to a non-local version of Ubuntu for my Darkweb needs, so as to avoid anything on my personal machine, and I'm having some trouble with the PGP. How should I go about making sure my PGP version is secure, and works correctly? (In the past, trying to copy-paste my key into forums/sites causes an error, and I'm unsure as to why)

Sometimes that can happen. If you don't copy and paste it carefully, you get a void space down the left side of the key, and it doesn't seem to accept the Public Key.

Make sure you put your mouse right next to the first character of the private key and slowly drag it right to the end. I had this trouble and it seemed to fix it for me.
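
The paste problem described in the post above, as an added example that is not part of anyone's post: a selection that picks up a left margin or misses a line breaks the ASCII armor, and the armor's own CRC-24 checksum line lets a reader detect that before trying to import anything. The payload is constructed sample bytes rather than a real key, the function names are made up for the example, and only the armor layer is checked, not the key inside it.

```python
import base64

BEGIN, END = "-----BEGIN PGP ", "-----END PGP "


def crc24(data):
    """CRC-24 used for the armor checksum line (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def make_armor(payload, kind="PUBLIC KEY BLOCK"):
    """Wrap constructed bytes in an armor block (used for sample input only)."""
    b64 = base64.b64encode(payload).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = "=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    lines = [BEGIN + kind + "-----", ""] + body + [check, END + kind + "-----"]
    return "\n".join(lines) + "\n"


def check_armor(text):
    """Strict armor-layer check: every line must start in the first column."""
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()
    if not lines or not lines[0].startswith(BEGIN):
        return False, "BEGIN line missing or not in the first column"
    if not lines[-1].startswith(END):
        return False, "END line missing or not in the first column"
    if "" not in lines:
        return False, "no blank line between armor headers and data"
    body = lines[lines.index("") + 1:-1]
    if not body or not body[-1].startswith("=") or len(body[-1]) != 5:
        return False, "checksum line missing"
    try:
        data = base64.b64decode("".join(body[:-1]), validate=True)
        want = int.from_bytes(base64.b64decode(body[-1][1:], validate=True), "big")
    except ValueError:
        return False, "data is not clean base64 (stray whitespace or truncation)"
    if crc24(data) != want:
        return False, "CRC-24 mismatch: part of the block was lost or altered"
    return True, "armor intact"


def clean_paste(pasted):
    """Drop the margin and any text outside the block that a selection picked up.

    Meant for key blocks and encrypted messages; clear-signed text must not be
    re-flowed like this, because the signature covers the text itself.
    """
    lines = [ln.strip() for ln in pasted.replace("\r\n", "\n").split("\n")]
    start = next((i for i, ln in enumerate(lines) if ln.startswith(BEGIN)), None)
    end = next((i for i, ln in enumerate(lines) if ln.startswith(END)), None)
    if start is None or end is None or end < start:
        return None  # the selection did not cover the whole block
    return "\n".join(lines[start:end + 1]) + "\n"


def drop_line(text, index):
    """Simulate a selection that skipped one line of the block."""
    lines = text.splitlines()
    return "\n".join(lines[:index] + lines[index + 1:]) + "\n"


# Constructed sample input: not a real OpenPGP key.
PAYLOAD = b"constructed sample bytes, not a real OpenPGP key " * 3
GOOD = make_armor(PAYLOAD)
INDENTED = "my key:\n" + "".join("    " + ln + "\n" for ln in GOOD.splitlines())
MISSING_LINE = drop_line(GOOD, 2)  # first data line was not selected

if __name__ == "__main__":
    for name, text in [("good", GOOD), ("indented", INDENTED),
                       ("indented, cleaned", clean_paste(INDENTED)),
                       ("missing line", MISSING_LINE)]:
        print("%-18s %s" % (name, check_armor(text)))
```

Cleaning fixes a margin, but it cannot bring back a line that was never copied; the checksum mismatch is the signal to copy the block again from the source.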

Nightcrawler

  • Guest
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #81 on: November 28, 2013, 09:09:49 pm »
Quote from: Psychonautical
I'm trying to switch over to a non-local version of Ubuntu for my Darkweb needs, so as to avoid anything on my personal machine, and I'm having some trouble with the PGP. How should I go about making sure my PGP version is secure, and works correctly? (In the past, trying to copy-paste my key into forums/sites causes an error, and I'm unsure as to why)

Non-local? As in remotely hosted?  What you're proposing is ABSOLUTELY FUCKING INSANE! 

No one in their right mind would do as you're proposing: hosting your application on a remote machine, including your private keys, and transmitting your passphrase over a net connection.

If you have experience with Linux, and want to avoid traces on your local machine, you should be using Tails.

Psychonautical

  • Newbie
  • Posts: 48
  • Karma: +2/-0
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #82 on: November 28, 2013, 10:44:42 pm »
Quote from: Nightcrawler
Non-local? As in remotely hosted?  What you're proposing is ABSOLUTELY FUCKING INSANE! 

No one in their right mind would do as you're proposing: hosting your application on a remote machine, including your private keys, and transmitting your passphrase over a net connection.

If you have experience with Linux, and want to avoid traces on your local machine, you should be using Tails.

Non-local as in, a portable device that isn't LOCAL to the physical hard drive itself, something like a separate partition, or a secondary hard drive (slave device) within the actual machine. I am attempting to remove all traces of DarkWeb on my personal hard drive, so all the iffy data would be on a hard drive I could easily chuck out a window if necessary. Get the idea?

Anyway, I have just started using Linux, Ubuntu 12.04-3 actually, and was wondering if there was a tutorial on using GPG with Linux. So far, I've managed to use the terminal command "gpg --gen-key" and created an RSA 4096Bit key. So far so good, but I'm kind of stuck as to how I move forward with beginning to use it for standard encryption for placing orders and sending messages on SR/SMP/BMR.

Now, as a GPA/GPG4WIN user, I always just copied the key I was trying to import to my clipboard, and pasted it while having the GPA window selected. When I wanted to encrypt/decrypt a message, I'd go to the "Clipboard" window, and type the message I wanted to encrypt or paste the contents, and click Encrypt or Decrypt. Now things seem to be a bit more complicated using this Terminal, since the GPG appears to be built into the system, rather than a 3rd Party program that's being run for the purpose of encryption.

Advice on how to use the Terminal correctly would be appreciated. Otherwise, I'm going to try and mess with messages posted in the PGP Club thread.
a Psilly Psychonautical Explorer!

Nightcrawler

  • Guest
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #83 on: November 28, 2013, 11:00:37 pm »
Quote from: Psychonautical
Non-local as in, a portable device that isn't LOCAL to the physical hard drive itself, something like a separate partition, or a secondary hard drive (slave device) within the actual machine. I am attempting to remove all traces of DarkWeb on my personal hard drive, so all the iffy data would be on a hard drive I could easily chuck out a window if necessary. Get the idea?

Anyway, I have just started using Linux, Ubuntu 12.04-3 actually, and was wondering if there was a tutorial on using GPG with Linux. So far, I've managed to use the terminal command "gpg --gen-key" and created an RSA 4096Bit key. So far so good, but I'm kind of stuck as to how I move forward with beginning to use it for standard encryption for placing orders and sending messages on SR/SMP/BMR.

Now, as a GPA/GPG4WIN user, I always just copied the key I was trying to import to my clipboard, and pasted it while having the GPA window selected. When I wanted to encrypt/decrypt a message, I'd go to the "Clipboard" window, and type the message I wanted to encrypt or paste the contents, and click Encrypt or Decrypt. Now things seem to be a bit more complicated using this Terminal, since the GPG appears to be built into the system, rather than a 3rd Party program that's being run for the purpose of encryption.

Advice on how to use the Terminal correctly would be appreciated. Otherwise, I'm going to try and mess with messages posted in the PGP Club thread.

Virtually every Linux distro in existence has a copy of GPG built-in. I'm somewhat surprised you're not interested in a GUI client -- the overwhelming majority of people are.

Encrypting from the command-line:

gpg -ear recipient1 -r recipient2 -o output_filename input_filename

Example: gpg -ear nightcrawler@sr -r psychonaut -o encrypted_test_file.txt testfile.txt

This would take the input file testfile.txt, encrypt it with both of our PGP keys, and place the ASCII-armoured, encrypted output into the file encrypted_test_file.txt.

To decrypt, use the following command:

gpg --decrypt -o decrypted_output_file.txt encrypted_test_file.txt

The decrypted file will be placed in the file decrypted_output_file.txt.

Hope this helps. Sorry for misunderstanding what you were originally proposing.


Psychonautical

  • Newbie
  • Posts: 48
  • Karma: +2/-0
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #84 on: November 28, 2013, 11:12:20 pm »
I am interested in using a GUI Client, I just figured the only way to use GPG via Linux was with the Terminal. Everything I searched for when typing "GPG Linux" in Google returned with Terminal commands and the like. I'm a pretty advanced computer user, but I've never messed with Linux distros.

Since you seem to be the individual to ask...: How do I find the GUI based GPG programs you speak of?
a Psilly Psychonautical Explorer!

Psychonautical

  • Newbie
  • Posts: 48
  • Karma: +2/-0
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #85 on: November 28, 2013, 11:22:57 pm »
I saw something about "Seahorse" so I searched for it in the Dash Home, found something called "Passwords and Keys"

I opened it, saw my GPG Key that I generated in the Terminal, and started messing with it. I was able to import your Key by way of simple copy and paste. I figure this program is more like a "Keyring" rather than a GUI with the full capability of using GPG for the means of encrypting/decrypting messages. amirite?

Have you ever used Pyrite?
« Last Edit: November 28, 2013, 11:35:44 pm by Psychonautical »
a Psilly Psychonautical Explorer!

Nightcrawler

  • Guest
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #86 on: November 28, 2013, 11:35:52 pm »
Quote from: Psychonautical
I saw something about "Seahorse" so I searched for it in the Dash Home, found something called "Passwords and Keys"

I opened it, saw my GPG Key that I generated in the Terminal, and started messing with it. I was able to import your Key by way of simple copy and paste. I figure this program is more like a "Keyring" rather than a GUI with the full capability of using GPG for the means of encrypting/decrypting messages. amirite?

Seahorse is problematic. Older versions used to include a gedit plugin, so you could encrypt/decrypt/sign/verify right from within the gedit editor.  Later versions of Linux (e.g. Debian 7) have dropped this plugin due to library issues, which is a real shame, as it is mind-bogglingly useful. I believe that later versions of Ubuntu have dropped the plugin as well.

GPA is a reasonable choice, so long as you generate your keys manually. (GPA, for some unknown reason, maxes-out keys at 3072-bits.)

Yours is the first mention I've heard of Pyrite... I'll download the source and give it a look-see. Based on the screen-shots, it looks promising.

« Last Edit: November 28, 2013, 11:47:48 pm by Nightcrawler »

Psychonautical

  • Newbie
  • Posts: 48
  • Karma: +2/-0
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #87 on: November 28, 2013, 11:41:34 pm »
Quote from: Nightcrawler
Seahorse is problematic. Older versions used to include a gedit plugin, so you could encrypt/decrypt/sign/verify right from within the gedit editor.  Later versions of Linux (e.g. Debian 7) have dropped this plugin due to library issues, which is a real shame, as it is mind-bogglingly useful. I believe that later versions of Ubuntu have dropped the plugin as well.

GPA is a reasonable choice, so long as you generate your keys manually. (GPA, for some unknown reason, maxes-out keys at 3072-bits.)

I found something that is seemingly useful on Github called Pyrite, and it's used specifically for encrypting/decrypting text.  Seems legit enough, as it uses the built in version of GPG on the system. Which would be v1.4 in my case.
github.com/ryran/pyrite if you're interested in taking a look.
a Psilly Psychonautical Explorer!

Psychonautical

  • Newbie
  • Posts: 48
  • Karma: +2/-0
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #88 on: November 29, 2013, 04:56:59 pm »
@Nightcrawler

After meddling with Linux all day yesterday, and attempting to install Pyrite, GPA, and other "packages" that were missing, I just gave up. Every time I'd try to install one thing, I'd be missing 4 things. And whilst attempting to install those 4 missing packages, I'd be missing like 12 more. It just got worse and worse as I went backward down the chain of installing missing packages. So, now I'm back messing with TAILS as it seems to have everything necessary to encrypt/decrypt text without having to use actual files. I just wanted to say thanks for what little help you were able to provide, though it was all in vain.

ONWARD WITH 4096Bit KEYS!
Thanks.
a Psilly Psychonautical Explorer!

Hijinx

  • Sr. Member
  • Posts: 263
  • Karma: +55/-8
  • "Silence Means Security."
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #89 on: November 30, 2013, 01:36:40 am »
If you are using a recommended version, do you need to worry about what the other person is using?
"Some tourists think Silk Road is a website of sin, but in truth it is a website of freedom. And in freedom, most people find sin."
"Does this smell like cocaine to you?"

Nightcrawler

  • Guest
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #90 on: November 30, 2013, 02:32:18 am »
Quote from: Hijinx
If you are using a recommended version, do you need to worry about what the other person is using?

You should. If a vendor is using a grossly-unsafe key, the mere fact that you are using a proper version, with a decent key size means little, because you cannot make up for the deficiency in their key.  Take the following vendor's key, for example:

pub   1024D/8B8E2001 2013-09-13
uid                 Zyntaks <>
sub    512g/D303B36C 2013-09-13

Because of its 512-bit encryption sub-key, this key is grossly unsafe. Nothing can make up for this deficiency -- it literally doesn't matter what you're using.

The fact that someone is using a PGP version that produces weak (or broken) keys is a clear indication that they haven't done their homework.  If they haven't done their homework with respect to security, then the odds are that they're gonna get busted.  The original DPR (allegedly Ross Ulbricht) didn't do his homework, by all accounts, and in the end, it sank him.

I'm not saying that every vendor or buyer has to be a crypto-nerd, but at the very least, one should use recommended software. If someone doesn't, this tells me that they're more interested in convenience or ease of use as opposed to security.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key Fingerprint = D870 C6AC CC6E 46B0 E0C7  3955 B8F1 D88E BBF7 433B

Security is a bit like religion... some things have to be taken on faith.
Where security differs from religion is that security is NOT retroactive.
Unlike Christianity, where you can come to Jesus, be 'saved' and have all
your sins washed away, with security you can adopt Tails or PGP, and be
secure from that point forward, but rest assured that your previous sins
(security failings) WILL come back to haunt you and bite you in the ass.
The original DPR is the poster child for that, right now.
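
An added example, not part of the thread: a checker that reads the `pub`/`sub` lines of a GnuPG 1.4/2.0 key listing, like the one quoted in the post above, and flags every component below a minimum size. The 2048-bit threshold, the function names and the second key in the sample are assumptions made for the example.

```python
import re

# Threshold chosen for this example (an assumption, not a figure from the thread).
MIN_BITS = 2048

# Algorithm letters as printed in GnuPG 1.4/2.0 key listings.
ALGOS = {"R": "RSA", "D": "DSA", "g": "ElGamal"}

KEY_LINE = re.compile(
    r"^(pub|sub)\s+(\d+)([A-Za-z])/([0-9A-F]{8})\s+(\d{4}-\d{2}-\d{2})"
)
UID_LINE = re.compile(r"^uid\s+(.*\S)\s*$")

# First key: the listing quoted in the post above.
# Second key: constructed for contrast; its name and key IDs are placeholders.
SAMPLE_LISTING = """\
pub   1024D/8B8E2001 2013-09-13
uid                 Zyntaks <>
sub    512g/D303B36C 2013-09-13

pub   4096R/AAAAAAAA 2013-01-01
uid                 Example Vendor <vendor@example.invalid>
sub   4096R/BBBBBBBB 2013-01-01
"""


def parse_listing(text):
    """Group pub/uid/sub lines into one dict per primary key."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            role, bits, algo, keyid, created = m.groups()
            part = {
                "role": role,
                "bits": int(bits),
                "algo": ALGOS.get(algo, "unknown (%s)" % algo),
                "keyid": keyid,
                "created": created,
            }
            if role == "pub":
                keys.append({"uids": [], "parts": [part]})
            elif keys:
                keys[-1]["parts"].append(part)
            continue
        m = UID_LINE.match(line)
        if m and keys:
            keys[-1]["uids"].append(m.group(1))
    return keys


def audit(text, min_bits=MIN_BITS):
    """Return one report per key; a key fails if any component is too short."""
    reports = []
    for key in parse_listing(text):
        weak = [p for p in key["parts"] if p["bits"] < min_bits]
        # Assumption: the usual layout, where the sub-key is the encryption
        # key, so the smallest sub-key bounds what a sender can rely on.
        subs = [p["bits"] for p in key["parts"] if p["role"] == "sub"]
        reports.append({
            "keyid": key["parts"][0]["keyid"],
            "uids": key["uids"],
            "weakest_subkey_bits": min(subs) if subs else None,
            "weak_parts": [(p["role"], p["bits"], p["algo"], p["keyid"])
                           for p in weak],
            "ok": not weak,
        })
    return reports


if __name__ == "__main__":
    for report in audit(SAMPLE_LISTING):
        verdict = "OK  " if report["ok"] else "WEAK"
        print(verdict, report["keyid"], ", ".join(report["uids"]))
        for role, bits, algo, keyid in report["weak_parts"]:
            print("     %s %s: %d-bit %s is below %d bits"
                  % (role, keyid, bits, algo, MIN_BITS))
```

The check runs on the recipient's public key before anything is encrypted to it, which is the point of the post: the sender's own key size does not enter into it.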

NotBritHume

  • Newbie
  • Posts: 4
  • Karma: +1/-0
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #91 on: December 01, 2013, 08:58:05 pm »
Sry for the newbie questions...but this is ALL new to me. Firstly, what is PGP for? Do I need one if I am not a vendor? I see them on Vendor pages but have no clue what to do with them or what they even are LOL. God it sucks being a nO_ob...  This is my first post. I'm scouring all forums and doing my research. It seems this site is now in a state of untrustworthy (of one another) MAYHEM. I don't know how to find legit vendors without taking a huge gamble... any advice would be awesome. Thanks!  8)
"The trick to creativity is knowing how to hide your sources..." Albert Einstein

Nightcrawler

  • Guest
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #92 on: December 01, 2013, 09:46:19 pm »
Quote from: NotBritHume
Sry for the newbie questions...but this is ALL new to me. Firstly, what is PGP for? Do I need one if I am not a vendor? I see them on Vendor pages but have no clue what to do with them or what they even are LOL. God it sucks being a nO_ob...  This is my first post. I'm scouring all forums and doing my research. It seems this site is now in a state of untrustworthy (of one another) MAYHEM. I don't know how to find legit vendors without taking a huge gamble... any advice would be awesome. Thanks!  8)

Read the stickied security threads, for a start. The most important piece of advice I can give you is: TAKE YOUR TIME, DO NOT BE IN A HURRY.  In large part, the reason that the original DPR is in jail is that he didn't take the time to adequately prepare himself. He should have spent another six months studying security, and learning how to protect himself instead of wasting his time on crackpot Libertarian economic and political theories. He had a great idea, he just fucked-up in his haste to bring it to fruition.

ChemCat

  • Global Moderator
  • Hero Member
  • Posts: 9225
  • Karma: +949/-191
  • I Stand Tall, Among the Giants of the Silk Road
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #93 on: December 01, 2013, 10:06:13 pm »
to quote a Friend,

 
Quote from: Nightcrawler
Security is a bit like religion... some things have to be taken on faith.
Where security differs from religion is that security is NOT retroactive.
Unlike Christianity, where you can come to Jesus, be 'saved' and have all
your sins washed away, with security you can adopt Tails or PGP, and be
secure from that point forward, but rest assured that your previous sins
(security failings) WILL come back to haunt you and bite you in the ass.

Words of Wisdom  :)

;)


Peace & Hugs  8)


ChemCat



  O0
You Don't know PGP?         :o

Go here: http://silkroad5v7dywlc.onion/index.php?topic=41104.0

Then go Here: http://silkroad5v7dywlc.onion/index.php?topic=179.0

Sink your teeth into it and Learn  ;)

If you cannot take the little bit of Time to Learn & Use PGP..Do Not msg Me
 

Hugs 8)

ChemCat

  • Global Moderator
  • Hero Member
  • Posts: 9225
  • Karma: +949/-191
  • I Stand Tall, Among the Giants of the Silk Road
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #94 on: December 01, 2013, 10:07:49 pm »
@ NotBritHume  :)


+1 Karma to get you started on your Journey on the Road  ;)


Hugs   8)



ChemCat

UmSound

  • Jr. Member
  • Posts: 55
  • Karma: +0/-2
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #95 on: December 02, 2013, 07:46:08 am »
With the news of the difference in these versions of PGP encryption software, what are the thoughts on the clipboard text encryption that comes with Tails?

Nightcrawler

  • Guest
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #96 on: December 02, 2013, 09:17:40 am »
Quote from: UmSound
With the news of the difference in these versions of PGP encryption software, what are the thoughts on the clipboard text encryption that comes with Tails?

Last time I looked at Tails, it was using GPG 1.4.10 -- I wish they would update it to the latest 1.4.15, but 1.4.10 is acceptable.  The Seahorse gedit plugin is the most convenient way of using GPG. As far as clipboard encryption goes, it still uses GPG 1.4.10, so again, there is no real problem with it.

UmSound

  • Jr. Member
  • Posts: 55
  • Karma: +0/-2
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #97 on: December 02, 2013, 04:42:53 pm »
Thanks for the quick reply!

co8c6G9o8lb

  • Jr. Member
  • Posts: 73
  • Karma: +4/-0
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #98 on: December 03, 2013, 01:09:16 pm »
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
PGP key in profile.  I only respond to PGP encrypted messages.

thecatisback

  • Hero Member
  • Posts: 1444
  • Karma: +109/-199
  • The Official Kitty Cat Of The Road! Meow!
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #99 on: December 03, 2013, 05:14:43 pm »
Ah what did he just say??? Lol
"Ignorance killed the cat, curiosity was framed".

goonerforlife

  • Newbie
  • Posts: 1
  • Karma: +0/-0
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #100 on: December 03, 2013, 06:54:07 pm »
little bit of help here guys.  not a gpg newbie but a vendor is running into a snag when trying to decrypt messages from me:

"No valid UTF-8 encoding at position 28. Assuming Latin-1 encoding instead."

any help would be appreciated!


co8c6G9o8lb

  • Jr. Member
  • Posts: 73
  • Karma: +4/-0
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #101 on: December 04, 2013, 08:08:31 am »
Quote from: thecatisback
Ah what did he just say??? Lol

-----BEGIN PGP MESSAGE-----

rGViBG51bGxSnuJ2Tm90aGluZyBzcGVjaWFsLiAgSSBqdXN0IHRoYW5rZWQgTmln
aHRjcmFsd2VyIGZvciBhbGwgaGlzIHdvcmsgaW4gaGVscGluZyBwZW9wbGUgbGVh
cm4gUEdQLg==
=fqXS
-----END PGP MESSAGE-----
PGP key in profile.  I only respond to PGP encrypted messages.

laughingboy

  • Newbie
  • Posts: 7
  • Karma: +0/-0
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #102 on: December 04, 2013, 09:59:00 am »
Hi Nightcrawler

can you confirm if anyone can access the silk road site?

Every time I try & login I get the message 'error, we cannot find the page you are looking for'

Is everyone getting this due to DPR working on the site, or is it just me?

would really appreciate your help/advice

thanks

Nightcrawler

  • Guest
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #103 on: December 04, 2013, 03:09:01 pm »
Quote from: laughingboy
Hi Nightcrawler

can you confirm if anyone can access the silk road site?

Every time I try & login I get the message 'error, we cannot find the page you are looking for'

Is everyone getting this due to DPR working on the site, or is it just me?

would really appreciate your help/advice

thanks

I can login just fine, but then it's also 6 hours after you couldn't, so perhaps that's it.

thecatisback

  • Hero Member
  • Posts: 1444
  • Karma: +109/-199
  • The Official Kitty Cat Of The Road! Meow!
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #104 on: December 04, 2013, 05:16:58 pm »
I have no idea what you just said with that PGP message. I can't import the frickin public code errrr... Time to take a break, I'm getting frustrated with all this technology!
"Ignorance killed the cat, curiosity was framed".

RS7FI8ZRkm

  • Full Member
  • Posts: 246
  • Karma: +77/-7
  • All you need is love.
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #105 on: December 08, 2013, 08:35:47 am »
Interesting read, thank you for sharing.  :)
rseven@lelantos.org
(lelantoss7bcnwbv.onion)

PGP key found in profile. (keep in mind I have two keys) use the email key when emailing only please. :)

animalinpain5440

  • Sr. Member
  • ****
  • Posts: 262
  • Karma: +23/-6
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #106 on: December 11, 2013, 08:33:05 am »
Absolutely invaluable information, glad I chose the correct client for encryption, Thank You so much for making it a sticky.  I consider it good luck that I chose correctly to begin with but I did spend a lot of time researching and felt this to be the best choice...pgp4usb

thanks again for the post..Merries!

animalinpain5440

  • Sr. Member
  • ****
  • Posts: 262
  • Karma: +23/-6
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #107 on: December 11, 2013, 09:54:58 am »
I read the entire sticky, I had been reading it earlier but not in its entirety. Don't be upset but I found nothing about never attaching a signature to an encrypted message. I returned to my post in security and passed your warning on to anyone who might peruse my topic. I will keep looking in other posts and will add accordingly if I find no references to "never" signing an encrypted message,

@a5440

SmokesHisBroccoli

  • Hero Member
  • *****
  • Posts: 761
  • Karma: +100/-33
  • I live for a living
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #108 on: December 11, 2013, 09:56:32 pm »
Can somebody at your convenience please look at my key and see if it's OK?  Thanks.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (MingW32)
[key data omitted]
-----END PGP PUBLIC KEY BLOCK-----

Nightcrawler

  • Guest
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #109 on: December 11, 2013, 11:24:34 pm »
Lemme guess... you're using Kleopatra, right?   Your PGP key has NO encryption sub-key.

Open up a command-prompt, and use the command: gpg --gen-key to generate a new one. (Or use GPG4USB)

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090
PGP Key Fingerprint = D870 C6AC CC6E 46B0 E0C7  3955 B8F1 D88E BBF7 433B

Security is a bit like religion... some things have to be taken on faith.
Where security differs from religion is that security is NOT retroactive.
Unlike Christianity, where you can come to Jesus, be 'saved' and have all
your sins washed away, with security you can adopt Tails or PGP, and be
secure from that point forward, but rest assured that your previous sins
(security failings) WILL come back to haunt you and bite you in the ass.
The original DPR is the poster child for that, right now.

Folly, thou conquerest, and I must yield!
Against stupidity the very gods Themselves
contend in vain.  --Friedrich Schiller

SmokesHisBroccoli

  • Hero Member
  • *****
  • Posts: 761
  • Karma: +100/-33
  • I live for a living
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #110 on: December 11, 2013, 11:32:35 pm »
Yes I am and I certainly will do that.  Could you please explain in layman's terms to me what risk having my key setup like this most possess?  Is this an easily crackable key?  Like what purpose do the sub keys serve?  I'm just trying to understand the difference.  Thanks in advance. 

Nightcrawler

  • Guest
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #111 on: December 12, 2013, 12:17:30 am »
The original key format, when PGP was first written back in 1991 or so, was a single RSA key used for signing and encryption.  There were legal catfights over that, because RSA was patented by its inventors, and I believe, MIT, who were none too pleased about Phil Zimmermann's use of RSA in PGP.  Several years later, they switched to patent-free algorithms: The Digital Signature Standard, (DSS) which made use of the Digital Signature Algorithm (DSA).  This key, as the name implies, could be used only for signing.  For encryption, they chose a public-key algorithm developed by Taher Elgamal, based on the discrete logarithm problem. (RSA is based on factoring prime numbers.)

The Digital Signature Standard called for signing keys of 1024-bits in length, and it was built around the SHA-1 hash algorithm, as earlier versions of PGP used the MD5 hash algorithm.

In recent years, improvements in factoring have brought 1024-bit keys close to the point where they can be broken. (The mathematics are extremely complex, but I am led to believe that the difficulty of factoring a 1024-bit RSA key and solving a key of the same size based on the discrete logarithm problem are about equally hard.)  I expect that the first public break of a 1024-bit key to occur sometime in the next 2-3 years.

Also, advances have been made in attacks on hash algorithms.  SHA-1 is a hash function which outputs a hash of length 160-bits.  There are an infinite number of possible files, but only a finite number of values that can be expressed in 160-bits.  Therefore, it is possible for two files to hash to the same value -- this is supposed to be extremely rare. The SHA-1 hash algorithm was originally designed to result in a probability of a hash collision no more than 1 in 2^80 or 1 in 1.46x 10*48 (that's 146 followed by 46 zeroes.)

Advances in recent years have lowered that probability first to 2^59, then to 2^53, both of which are considerably lower than the original design called for.  So, while SHA-1 is not yet completely broken (like MD5) it is well on the way there. 

One additional wrinkle presented itself in 2007 (if memory serves). Someone found a very subtle vulnerability in PGP keys that were used for both signing and encryption (like yours is.)
Under certain circumstances, some of the private key bits could leak, making the key easier to break.

Accordingly, in the Fall of 2009, the PGP/GPG developers decided to switch from DSS/Elgamal to a dual-RSA key format, with the primary RSA key used exclusively for signing, and an additional RSA key used exclusively for encryption. It was also decided at that time to raise the minimum key size to 2048-bits. 

One of the things you have to realize is that cryptographers are, by nature, extremely conservative -- they don't change standards on a whim -- they do so only when they perceive that there is a potential security threat.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key Fingerprint = D870 C6AC CC6E 46B0 E0C7  3955 B8F1 D88E BBF7 433B

Security is a bit like religion... some things have to be taken on faith.
Where security differs from religion is that security is NOT retroactive.
Unlike Christianity, where you can come to Jesus, be 'saved' and have all
your sins washed away, with security you can adopt Tails or PGP, and be
secure from that point forward, but rest assured that your previous sins
(security failings) WILL come back to haunt you and bite you in the ass.
The original DPR is the poster child for that, right now.

Folly, thou conquerest, and I must yield!
Against stupidity the very gods Themselves
contend in vain.  --Friedrich Schiller

coolblue

  • Jr. Member
  • **
  • Posts: 70
  • Karma: +9/-0
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #112 on: December 12, 2013, 12:26:20 am »
Night-interesting post, thanks- but wondering can you clarify

"In recent years, improvements in factoring have brought 1024-bit keys close to the point where they can be broken. (The mathematics are extremely complex, but I am led to believe that the difficulty of factoring a 1024-bit RSA key and solving a key of the same size based on the discrete logarithm problem are about equally hard.)  I expect that the first public break of a 1024-bit key to occur sometime in the next 2-3 years. "


Interesting stuff- do you have source for this info? thanks
« Last Edit: December 12, 2013, 12:27:45 am by coolblue »
pgp key :  http://silkroad5v7dywlc.onion/index.php?topic=179.msg31708#msg31708

SelfSovereignty

  • Sr. Member
  • ****
  • Posts: 412
  • Karma: +104/-25
  • Just call me SS; it's easier than spelling it out.
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #113 on: December 12, 2013, 01:00:22 am »
You continue to impress me, Nightcrawler :)  Don't mean to step on your toes, but since I'm here and can answer the question I may as well.  A "theoretical" hardware device for cracking 1024-bit RSA keys given a year or so -- only a few million USD, which I'm sure the NSA has in their reception room couch:
http://cs.tau.ac.il/~tromer/twirl/

There's also very recently been some talk about RSA being completely and utterly broken by "possible" breakthroughs in mathematics within a decade.  I haven't read any whitepapers on it, but as I understand it it's very unlikely, but widely accepted as possible, that within 10 years all RSA keys of any bit strength will be useless.  Again, very unlikely though.  Or you could just make a working quantum computer and do the same thing.  Fortunately enough that's so difficult nobody can figure out how the fuck to actually do it.
"Not to laugh, not to lament, not to curse, but to understand." - Spinoza

SmokesHisBroccoli

  • Hero Member
  • *****
  • Posts: 761
  • Karma: +100/-33
  • I live for a living
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #114 on: December 12, 2013, 01:15:14 am »
Alright well hopefully the fact that I used a 4096 bit RSA is enough to overshadow the fact that my key doesn't have an encryption sub-key.  I like the sounds of "very subtle vulnerability."  Sounds a lot better than "very major security breach."  Like I said I'll be using a new key going forward and I guess at this point all I can do is hope that my previous messages are protected. 

Nightcrawler

  • Guest
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #115 on: December 12, 2013, 03:26:50 am »
This is just off the top of my head, but aren't you referring to Eli Biham's "Twinkle" device? If I remember correctly this was the rationale behind Cypherpunk Lucky Green's abandonment of all his 1024-bit keys in April 2002 -- almost 12 years ago, now.

From Bruce Schneier's Crypto Gram Newsletter, April 2002
https://www.schneier.com/crypto-gram-0204.html

Is 1024 Bits Enough?

Last month I wrote about Dan Bernstein's factoring research, and how it might affect RSA key lengths. Recently there's been a discussion on BugTraq, as cypherpunk Lucky Green cited the research as his primary motivation for revoking his 1024-bit PGP keys.

This brings up the interesting question: are 1024-bit RSA keys insecure, and what should we do about them?

The current public factoring record is 512 bits, using general purpose computers. Prudence requires us to suspect that institutions like the NSA can do better, although we don't know how much better.

Way back in 1995, I estimated key lengths required to be secure from different adversaries: individuals, corporations, and governments (Applied Cryptography, 2nd Edition, table 7.6, page 162). Back then I suggested that people migrate towards 1280-bit keys, and even 1536-bit keys, if they were concerned about large corporate or government adversaries:

Recommended Public-Key Key Lengths (in bits)
Year   Ind.   Corp.   Govt.
1995    768   1280    1536
2000   1024   1280    1536
2005   1280   1536    2048
2010   1280   1536    2048
2015   1536   2048    2048

Looking back on those numbers written seven years ago, I think they were conservative but not unduly so. Factoring, at least in the academic community, has not progressed as fast as I expected it to. But mathematical progress is bursty, and a single breakthrough could more than make up for lost time. So if I were making recommendations today, I would still stand by my 2000 estimates above.

I have long believed that a 1024-bit key could fall to a machine costing $1 billion. And that a 1024-bit RSA key is approximately equivalent to an 80-bit symmetric key. (In Applied Cryptography, I wrote that a 768-bit RSA key is equivalent to an 80-bit symmetric key; that's probably too low an RSA key.)

Comparing symmetric and public-key keys is a lot like comparing apples and oranges. I recommend 128-bit symmetric keys because they are just as fast as 64-bit keys. That's not true for public-key keys. Doubling the key size roughly corresponds to a six-times speed slowdown in software. This might not matter with PGP, but it will make client-server applications like SSL slow to a crawl. I've seen papers claiming that you need 3072-bit RSA keys to correspond to 128-bit symmetric keys and 15K-bit RSA keys for 256-bit symmetric keys. This kind of thinking is ridiculous; the performance trade-offs and attack models are so different that the comparisons don't make sense.

But there's no reason to panic, or to dump existing systems. I don't think Bernstein's announcement has changed anything. Businesses today could reasonably be content with their 1024-bit keys, and military institutions and those paranoid enough to fear from them should have upgraded years ago.

To me, the big news in Lucky Green's announcement is not that he believes that Bernstein's research is sufficiently worrisome as to warrant revoking his 1024-bit keys; it's that, in 2002, he still has 1024-bit keys to revoke.  [Emphasis added]

This discussion highlights the huge inertia in key rollover. Many people are still using short keys. Lucky Green's e-mail sheds a light on this phenomenon. He wrote "In light of the above, I reluctantly revoked all my personal 1024-bit PGP keys and the large web-of-trust that these keys have acquired over time." The web of trust attached to those keys was of great value, and reestablishing it with a new set of keys will be difficult and time-consuming. To Green, that pain was more important than having a "long enough" key.

Lucky Green's BugTraq announcement:
<http://online.securityfocus.com/archive/1/263924>

My essay on Bernstein's factoring paper:
<http://www.schneier.com/crypto-gram-0203.html#6>

News coverage:
<http://zdnet.com.com/2110-1105-863643.html>
<http://www.infosecuritymag.com/2002/apr/...>

Other essays on the Bernstein paper:
<http://www.rsasecurity.com/rsalabs/technotes/...>

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key Fingerprint = D870 C6AC CC6E 46B0 E0C7  3955 B8F1 D88E BBF7 433B

Security is a bit like religion... some things have to be taken on faith.
Where security differs from religion is that security is NOT retroactive.
Unlike Christianity, where you can come to Jesus, be 'saved' and have all
your sins washed away, with security you can adopt Tails or PGP, and be
secure from that point forward, but rest assured that your previous sins
(security failings) WILL come back to haunt you and bite you in the ass.
The original DPR is the poster child for that, right now.

Folly, thou conquerest, and I must yield!
Against stupidity the very gods Themselves
contend in vain.  --Friedrich Schiller

SelfSovereignty

  • Sr. Member
  • ****
  • Posts: 412
  • Karma: +104/-25
  • Just call me SS; it's easier than spelling it out.
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #116 on: December 12, 2013, 03:31:33 am »
No, I hadn't come across that one actually.  This is what I was referring to -- it's based on speculation about solutions to the discrete logarithm problem (note the word speculations): http://www.technologyreview.com/news/517781/math-advances-raise-the-prospect-of-an-internet-security-crisis/
« Last Edit: December 12, 2013, 03:40:32 am by SelfSovereignty »
"Not to laugh, not to lament, not to curse, but to understand." - Spinoza

BasilBrush

  • Newbie
  • *
  • Posts: 7
  • Karma: +0/-0
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #117 on: December 13, 2013, 04:17:16 am »
Is there any way to generate a key greater than 2048 using the GnuPG version? I am using the GPA software.

If so, how!

thanks

ENP

  • Full Member
  • ***
  • Posts: 173
  • Karma: +20/-5
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #118 on: December 13, 2013, 08:29:25 am »
+1 Thanks for sharing your knowledge Nightcrawler. I'm a very minor crypto-enthusiast and you've taught me things I don't know just on this page.

nathan.burnett

  • Full Member
  • ***
  • Posts: 109
  • Karma: +30/-5
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #119 on: December 14, 2013, 04:41:13 am »
Thank you for sharing, this is a very informative post, and I did not know that about Symantec, are there any thoughts on GPG? If they have already been answered I will surely read them

coolblue

  • Jr. Member
  • **
  • Posts: 70
  • Karma: +9/-0
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #120 on: December 15, 2013, 08:35:45 am »
Fantastico info! Thanks!  Let's hope that the Gods of PGP continue to smile down on us
pgp key :  http://silkroad5v7dywlc.onion/index.php?topic=179.msg31708#msg31708

SelfSovereignty

  • Sr. Member
  • ****
  • Posts: 412
  • Karma: +104/-25
  • Just call me SS; it's easier than spelling it out.
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #121 on: December 19, 2013, 07:56:40 pm »
Long story short. Is using the OpenPGP encryption applet in Tails with RSA 4096 safe or no?

WTF Is a sub key? Should I be signing my messages and keys or not ?

It's acceptable.  If you don't generate the key with the applet, it's probably even every bit as good as any other way of doing things.  If you do generate it, it's probably fine, but I haven't looked at it to be able to say that for sure.  It probably just does the same thing with "gpg" that you would by hand under the hood.

Don't worry about what a subkey is.  Basically gpg has users more than keys, and users have keys & subkeys.  No big deal, ignore it.  Don't sign your messages, ever, unless it's specifically required that you prove your identity to someone for a good reason.  Never ever.  Ever.

... ever :P
"Not to laugh, not to lament, not to curse, but to understand." - Spinoza

Nightcrawler

  • Guest
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #122 on: December 21, 2013, 09:34:28 am »
Looks like RSA has been compromised all along ?

** CLEARNET SOURCE **
http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220
** END SOURCE**

Stop spreading FUD, for Christ's sake!   The only product affected by the NSA-influenced  random number generator (RNG) was RSA's BSafe product.  The actual RSA algorithm is not even involved in this story. The RNG used in BSafe was dual-elliptic curve based, with constants chosen by the NSA. Bruce Schneier blew the whistle on this dodgy software a few years back, questioning whether it was back-doored.

The only new wrinkle to the story is that Snowden's documents show that RSA was paid $10 million by the NSA to make this back-doored RNG a standard in their BSafe product line.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key Fingerprint = D870 C6AC CC6E 46B0 E0C7  3955 B8F1 D88E BBF7 433B

Security is a bit like religion... some things have to be taken on faith.
Where security differs from religion is that security is NOT retroactive.
Unlike Christianity, where you can come to Jesus, be 'saved' and have all
your sins washed away, with security you can adopt Tails or PGP, and be
secure from that point forward, but rest assured that your previous sins
(security failings) WILL come back to haunt you and bite you in the ass.
The original DPR is the poster child for that, right now.

Folly, thou conquerest, and I must yield!
Against stupidity the very gods Themselves
contend in vain.      --Friedrich Schiller

Marvin

  • Jr. Member
  • **
  • Posts: 58
  • Karma: +2/-2
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #123 on: December 25, 2013, 02:12:19 pm »
I was surprised I located my private and public PGP keys from 12 years ago. Wow. I used to use PGP a lot more but it's been about 12 years since I last used it.

Anyway, I generated new ones specific for SR. How does this look?

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (MingW32)
[key data omitted]
-----END PGP PUBLIC KEY BLOCK-----


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Test test testicles.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)

iEYEARECAAYFAlK655MACgkQU86b2CVbGN5G/QCeOapnRN7uSHqlkP8b78rYdN7H
rk0An23QoQWBJyTBOnSGzAd1kUCrbZt4
=xJMs
-----END PGP SIGNATURE-----


Nightcrawler

  • Guest
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #124 on: December 25, 2013, 04:01:34 pm »
<Sign> Software (1.4.11) is several versions out of date.  Just from looking at your signed text, it is obvious you are using a DSS/Elgamal keypair.  These types of keys have not been standard for over 4 years now, as has been discussed in this very thread.

pub   1024D/255B18DE 2013-12-25
uid       [ unknown] Marvin
sub   4096g/6B439699 2013-12-25

1) Update your software.

2) Generate a standards-compliant dual-RSA keypair, 4096-bits each.

3) Update your hash preferences to SHA-256 or SHA-512.  Add one of the following lines to your gpg.conf:  personal-digest-preferences sha256 or personal-digest-preferences sha512

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key Fingerprint = D870 C6AC CC6E 46B0 E0C7  3955 B8F1 D88E BBF7 433B

Security is a bit like religion... some things have to be taken on faith.
Where security differs from religion is that security is NOT retroactive.
Unlike Christianity, where you can come to Jesus, be 'saved' and have all
your sins washed away, with security you can adopt Tails or PGP, and be
secure from that point forward, but rest assured that your previous sins
(security failings) WILL come back to haunt you and bite you in the ass.
The original DPR is the poster child for that, right now.

Folly, thou conquerest, and I must yield!
Against stupidity the very gods Themselves
contend in vain.  --Friedrich Schiller
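
The checks recommended in the reply above, as an added example that is not part of the original thread or any poster's code: a Python audit of key listings in the legacy `gpg --list-keys` layout quoted in that reply. The function names, the finding labels, and the two listings marked "constructed" are assumptions made for illustration; the first listing is the one quoted in the reply.

```python
"""Audit legacy-format `gpg --list-keys` output against the advice in this thread."""
import re

# One "pub"/"sub" line of the GnuPG 1.4/2.0 listing:
#   <pub|sub>   <bits><algorithm letter>/<key id> <creation date>
KEY_LINE = re.compile(
    r"^(pub|sub)\s+(\d+)([A-Za-z])/([0-9A-Fa-f]{8,16})\s+(\d{4}-\d{2}-\d{2})\b"
)
# Algorithm letters as they appear in that listing format.
ALGO = {"R": "RSA", "D": "DSA", "g": "Elgamal", "G": "Elgamal"}
MIN_BITS = 2048  # minimum key size the thread says was adopted in 2009

# Listing quoted in the reply above.
MARVIN_LISTING = """
pub   1024D/255B18DE 2013-12-25
uid       [ unknown] Marvin
sub   4096g/6B439699 2013-12-25
"""

# Constructed sample: a lone RSA primary key with no subkey at all,
# the situation described earlier in the thread for a Kleopatra-made key.
SINGLE_RSA_LISTING = """
pub   4096R/0A1B2C3D 2013-12-11
uid                  Example User (constructed)
"""

# Constructed sample: the dual-RSA layout the reply recommends.
DUAL_RSA_LISTING = """
pub   4096R/1111AAAA 2013-12-26
uid                  Example User (constructed)
sub   4096R/2222BBBB 2013-12-26
"""


def parse_listing(text):
    """Group a listing into keys: each 'pub' line opens a key, 'sub' lines attach to it."""
    keys = []
    for raw in text.splitlines():
        m = KEY_LINE.match(raw.strip())
        if not m:
            continue  # uid lines, blank lines, fingerprints
        kind, bits, algo, key_id, created = m.groups()
        entry = {
            "bits": int(bits),
            "algo": ALGO.get(algo, "unknown:" + algo),
            "id": key_id.upper(),
            "created": created,
        }
        if kind == "pub":
            keys.append({"primary": entry, "subkeys": []})
        elif keys:
            keys[-1]["subkeys"].append(entry)
    return keys


def audit_key(key):
    """Return a list of finding labels for one parsed key."""
    findings = []
    primary, subkeys = key["primary"], key["subkeys"]
    # This listing format does not print usage flags, so the only thing it can
    # prove is the complete absence of a subkey (hence no encryption subkey).
    if not subkeys:
        findings.append("no-subkey")
    # DSA primary plus Elgamal subkey is the older DSS/Elgamal key format.
    if primary["algo"] == "DSA" and any(s["algo"] == "Elgamal" for s in subkeys):
        findings.append("dss-elgamal-pair")
    # Every component is held to the same minimum size.
    for part in [primary] + subkeys:
        if part["bits"] < MIN_BITS:
            findings.append("short-key:%s:%d" % (part["id"], part["bits"]))
    return findings


def audit_listing(text):
    """Map each primary key id in the listing to its findings."""
    return {k["primary"]["id"]: audit_key(k) for k in parse_listing(text)}


if __name__ == "__main__":
    for name, listing in [
        ("quoted in thread", MARVIN_LISTING),
        ("constructed, single RSA key", SINGLE_RSA_LISTING),
        ("constructed, dual RSA", DUAL_RSA_LISTING),
    ]:
        for key_id, findings in audit_listing(listing).items():
            print(name, key_id, findings or ["ok"])
```

Because the listing carries no usage flags, an RSA `sub` line is only a candidate encryption subkey; `gpg --edit-key` shows the usage of each component.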







Marvin

  • Jr. Member
  • **
  • Posts: 58
  • Karma: +2/-2
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #125 on: December 26, 2013, 01:37:47 am »
1) I downloaded PGP4USB from http://gpg4usb.cpunk.de/index.html So no idea how I got an older version? Updating.

2) Will do. I guess back when I used to use PGP it was DSA not RSA. Hell doesn't SSH (ssh2) still use DSA? and RSA is an old ssh1 thing? Hmm. I need to do some catching up on security it seems. :D

3) Will do.

Will post back once I've done this.

Marvin

  • Jr. Member
  • **
  • Posts: 58
  • Karma: +2/-2
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #126 on: December 26, 2013, 01:46:03 am »
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hopefully this is better.

Question, then. Why are the defaults for gpg4usb bad and why are the defaults and gui apps for the main gpg4win project so outrageously terrible? Such as no encryption subkey at all?

Something just seems fishy...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (MingW32)

[signature data omitted]
-----END PGP SIGNATURE-----


-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.12 (MingW32)
[key data omitted]
-----END PGP PUBLIC KEY BLOCK-----

rosevolt

  • Jr. Member
  • **
  • Posts: 68
  • Karma: +1/-5
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #127 on: December 31, 2013, 08:04:29 am »
Thank you for your help, and I will believe in your advice. I have already used gpg4usb. Please allow me to send a message to you.

Simple_Simon

  • Jr. Member
  • **
  • Posts: 88
  • Karma: +2/-2
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #128 on: January 02, 2014, 04:13:57 pm »
With the news of the difference in these versions of PGP encryption software, what are the thoughts on the clipboard text encryption that comes with Tails?

Last time I looked at Tails, it was using GPG 1.4.10 -- I wish they would update it to the latest 1.4.15, but 1.4.10 is acceptable.  The Seahorse gedit plugin is the most convenient way of using GPG. As far as clipboard encryption goes, it still uses GPG 1.4.10, so again, there is no real problem with it.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key Fingerprint = D870 C6AC CC6E 46B0 E0C7  3955 B8F1 D88E BBF7 433B

Security is a bit like religion... some things have to be taken on faith.
Where security differs from religion is that security is NOT retroactive.
Unlike Christianity, where you can come to Jesus, be 'saved' and have all
your sins washed away, with security you can adopt Tails or PGP, and be
secure from that point forward, but rest assured that your previous sins
(security failings) WILL come back to haunt you and bite you in the ass.
The original DPR is the poster child for that, right now.

Hey Nightcrawler - thank you for all the help you are providing here and your patience with all our questions.  I saw you touched on the subject of Tails but I don't feel the answer was clear.  It looks like Seahorse should be avoided but then said it was ok.  Perhaps I misread it but I was hoping you could clarify for me.  Current version of Tails 0.22 with seahorse 2.30.1.  I am running Tails straight off a DVD and I'm not sure I can download GPG4USB to the desktop and run it but I will give that a try next.  I would love it if using Seahorse within Tails is acceptable but I will take whatever extra steps I need to do if that isn't secure enough.

Nightcrawler

  • Guest
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #129 on: January 02, 2014, 08:09:41 pm »
With the news of the difference in these versions of PGP encryption software, what are the thoughts on the clipboard text encryption that comes with Tails?

Last time I looked at Tails, it was using GPG 1.4.10 -- I wish they would update it to the latest 1.4.15, but 1.4.10 is acceptable.  The Seahorse gedit plugin is the most convenient way of using GPG. As far as clipboard encryption goes, it still uses GPG 1.4.10, so again, there is no real problem with it.

Nightcrawler

Hey Nightcrawler - thank you for all the help you are providing here and your patience with all our questions.  I saw you touched on the subject of Tails but I don't feel the answer was clear.  It looks like Seahorse should be avoided but then said it was ok.  Perhaps I misread it but I was hoping you could clarify for me.  Current version of Tails 0.22 with seahorse 2.30.1.  I am running Tails straight off a DVD and I'm not sure I can download GPG4USB to the desktop and run it but I will give that a try next. 

I would love it if using Seahorse within Tails is acceptable but I will take whatever extra steps I need to do if that isn't secure enough.

It's not a question of Seahorse not being secure -- it's a question of longevity. I regard gedit and the seahorse gedit plugin as a match made in heaven -- it's one of the best crypto interfaces ever devised.

The problem with Seahorse is that it is deprecated in Debian 7 (codename Wheezy). Apparently the issue has to do with programming libraries or some such issue. Regardless of the cause, however, when Tails switches to Debian 7, the gedit crypto plugin will be a thing of the past.

Tails is currently built on Debian 6 (codename Squeeze). Up until the time when Debian 7 (Wheezy) was released, Debian 6 (Squeeze) was the Debian stable version. With the release of Debian 7 (Wheezy) Debian 6 became the oldstable version.

Under Debian policy, the oldstable version is supported for one year after the release of the current stable version. Debian 7 (Wheezy) was released in May 2013, meaning that support for Debian 6 (Squeeze a.k.a. oldstable) is due to end in May 2014.

The Tails developers depend heavily on updates/support from the Debian community, so when Debian 6 is essentially end-of-lifed in May 2014, they will have little option but to migrate to Debian 7 (Wheezy). When Tails is upgraded to Debian 7, the gedit Seahorse plugin will no longer be available.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key Fingerprint = D870 C6AC CC6E 46B0 E0C7  3955 B8F1 D88E BBF7 433B

Security is a bit like religion... some things have to be taken on faith.
Where security differs from religion is that security is NOT retroactive.
Unlike Christianity, where you can come to Jesus, be 'saved' and have all
your sins washed away, with security you can adopt Tails or PGP, and be
secure from that point forward, but rest assured that your previous sins
(security failings) WILL come back to haunt you and bite you in the ass.
The original DPR is the poster child for that, right now.

Folly, thou conquerest, and I must yield!
Against stupidity the very gods Themselves
contend in vain.  --Friedrich Schiller



nurseJackie

  • Full Member
  • ***
  • Posts: 164
  • Karma: +22/-13
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #130 on: January 02, 2014, 08:17:28 pm »
Too bad. TAILS makes PGP easy for me, an average or above average user but not a technical mastermind.

Nightcrawler, I refer to all of your security posts and when there is confusion whatever you say is what is right, IMHO lol.

This has probably been answered... is there any danger in upgrading, or just using a new version of TAILS with old persistence from an older TAILS version?  I am debating if I should try to update my TAILS, I usually just make a new version I have never updated.  Now I want to keep my pgp and persistence information... is it better to upgrade/fresh usb in order to accomplish that? Thx!

Nightcrawler

  • Guest
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #131 on: January 02, 2014, 10:26:58 pm »
Too bad. TAILS makes PGP easy for me, an average or above average user but not a technical mastermind.

Nightcrawler, I refer to all of your security posts and when there is confusion whatever you say is what is right, IMHO lol.

This has probably been answered... is there any danger in upgrading, or just using a new version of TAILS with old persistence from an older TAILS version?  I am debating if I should try to update my TAILS, I usually just make a new version I have never updated.  Now I want to keep my pgp and persistence information... is it better to upgrade/fresh usb in order to accomplish that? Thx!

I have no experience with updating Tails myself. That said, they do seem to be recommending this on the Tails homepage.

Nightcrawler

nurseJackie

  • Full Member
  • ***
  • Posts: 164
  • Karma: +22/-13
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #132 on: January 05, 2014, 08:18:16 am »
Thanks.  I will RTFM.  In the worst case scenario I can always back up my vital information, keys (already backed up), etc, and just create a fresh bootable USB and then add persistence and add the files.

I am still working on the best procedure, one person said they don't use persistence, or if they set it up they don't save using it.  Then use a 2nd USB for keys that is inserted ONLY when using PGP, that way it is not plugged in when you are online.  Is that just over the top or is that a good idea?  I never felt unsafe having volume on my OS bootable with that information, but ever since reading about doing it the above way, I have started questioning my practices of storing the keys.

SelfSovereignty

  • Sr. Member
  • ****
  • Posts: 412
  • Karma: +104/-25
  • Just call me SS; it's easier than spelling it out.
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #133 on: January 05, 2014, 08:28:50 am »
Thanks.  I will RTFM.  In the worst case scenario I can always back up my vital information, keys (already backed up), etc, and just create a fresh bootable USB and then add persistence and add the files.

I am still working on the best procedure, one person said they don't use persistence, or if they set it up they don't save using it.  Then use a 2nd USB for keys that is inserted ONLY when using PGP, that way it is not plugged in when you are online.  Is that just over the top or is that a good idea?  I never felt unsafe having volume on my OS bootable with that information, but ever since reading about doing it the above way, I have started questioning my practices of storing the keys.

If they get your keys, they can brute force your passphrase and impersonate you as well as decrypt anything you can.  Unless your passphrase is sufficiently long.  I have no idea how long sufficiently long currently is, though.  Note that it will also prove you are nurseJackie beyond a reasonable doubt whether they can use it or not -- just possessing the private key more or less proves you at least had access to things only nurseJackie (etc.) should have.

They'll also have your collection of public keys, which may give them information you also don't want them having (business contacts and so forth).  They will, for all intents and purposes, have an enormous amount of data as well as be able to act as though they were you very effectively.

These are bad things, I think you'll agree.  Storing your keys on an external USB with full "disk" encryption is a good idea.  Don't even have to unplug it unless you're walking away or think it's worth it: if it's encrypted, yank it out without warning and that's all you need to do to prevent them from getting their hands on the contents (if the encryption suffices to stop them, of course).  What you choose to do is your business, but that's the situation.

Oh, do remember that yanking external drives out without warning can be anything from mildly bad to totally destructive for the filesystem.  Don't make it your usual practice or anything, I mean.
« Last Edit: January 05, 2014, 08:32:33 am by SelfSovereignty »
"Not to laugh, not to lament, not to curse, but to understand." - Spinoza

nurseJackie

  • Full Member
  • ***
  • Posts: 164
  • Karma: +22/-13
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #134 on: January 05, 2014, 08:32:43 am »
That sounds good.  It is currently on encrypted persistence, on the same usb I run the OS off of.  It is in when I am there, so no one is going to get their hands on it.  From what you say this is a fine route to go, and the person who uses 2 usbs (1 for OS and 1 for keys) is just a bit anal and it is unnecessary.

mito

  • Sr. Member
  • ****
  • Posts: 444
  • Karma: +24/-37
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #135 on: January 05, 2014, 05:21:06 pm »
GPG4Win/Kleopatra/GPA are also deprecated -- Kleopatra generates RSA keys without an encryption sub-key. Dual RSA keys, with one RSA key for signing, and the other exclusively for encryption have been standard since the Fall of 2009.
GPA will not generate keys over 3072-bits in length.

Nightcrawler

Greetings Crawler of the Night!

Does the above still apply?

I use GPA 0.9.4 (GnuPG 2.0.22).

I just installed GPG4USB 0.33 and was able to import my public and private keys through that ASC file that is generated.

So now I get rid of that ASC text file and I'm good, right?




Tolerance, Humility and Comprehension - THC
public PGP: http://silkroad5v7dywlc.onion/index.php?topic=179.msg186043#msg186043

mito

  • Sr. Member
  • ****
  • Posts: 444
  • Karma: +24/-37
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #136 on: January 05, 2014, 05:26:25 pm »
message to nightcrawler!

Tolerance, Humility and Comprehension - THC
public PGP: http://silkroad5v7dywlc.onion/index.php?topic=179.msg186043#msg186043

alice257

  • Jr. Member
  • **
  • Posts: 71
  • Karma: +4/-0
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #137 on: January 08, 2014, 04:50:55 am »
I am checking out a vendor that has a public key which is different than his/her sr1 public key I have on my key-chain. Is there any way to verify this is the same person?

What about pgp signatures like Marvin used in #126? Is this a standard feature with a pgp program and what is it for/ how is it used?
"Great spirits have always found violent opposition from mediocrities. The latter cannot understand it when a man does not thoughtlessly submit to hereditary prejudices but honestly and courageously uses his intelligence." ~Einstein

Nightcrawler

  • Guest
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #138 on: January 08, 2014, 02:34:23 pm »
GPG4Win/Kleopatra/GPA are also deprecated -- Kleopatra generates RSA keys without an encryption sub-key. Dual RSA keys, with one RSA key for signing, and the other exclusively for encryption have been standard since the Fall of 2009.
GPA will not generate keys over 3072-bits in length.

Nightcrawler

Greetings Crawler of the Night!

Does the above still apply?

I use GPA 0.9.4 (GnuPG 2.0.22).

I just installed GPG4USB 0.33 and was able to import my public and private keys through that ASC file that is generated.

So now I get rid of that ASC text file and I'm good, right?

Sounds like you should be good to go. I wouldn't get rid of the .asc file, however, I'd stash it in a very safe place just in case your key(s) get lost or corrupted. Without a backup, if you lose your private keys, you're screwed.

Nightcrawler

ldopa

  • Jr. Member
  • **
  • Posts: 62
  • Karma: +2/-0
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #139 on: January 14, 2014, 12:19:16 pm »
+1 for the OP.  I have been stubborn and lazy about learning how to generate my own set of keys so that others may send me encrypted messages (I don't exactly have anyone sending me their sensitive information so I had no need for it unless I want to encrypt banter) until now.  Tried once with some instructions on a thread in Sheep and failed.

What we really need is a browser add-on that makes de/encrypting text on a web page and in text fields as easy as Enigmail makes it for email. There is an add-on for Firefox called WebPG but last time I tried it, it didn't work with Tor Browser. PGP adoption might increase if people don't have to copy text back and forth to a separate app.

Spudgun

  • Full Member
  • ***
  • Posts: 209
  • Karma: +14/-3
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #140 on: January 14, 2014, 03:17:51 pm »
Can someone please help me?

Nightcrawler gives this link GPG4USB: http://gpg4usb.cpunk.de/index.html I went and it says it is a portable system but Nightcrawler also said avoid portable versions like the plague.

Am I getting confused? I want to install it but am unsure if it is good or bad. I'm not using tails yet.

Thanks.
'No way would I poison my body with that shite.
    All they fucking chemicals. No fucking way'.

SelfSovereignty

  • Sr. Member
  • ****
  • Posts: 412
  • Karma: +104/-25
  • Just call me SS; it's easier than spelling it out.
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #141 on: January 14, 2014, 03:19:52 pm »
Can someone please help me?

Nightcrawler gives this link GPG4USB: http://gpg4usb.cpunk.de/index.html I went and it says it is a portable system but Nightcrawler also said avoid portable versions like the plague.

Am I getting confused? I want to install it but am unsure if it is good or bad. I'm not using tails yet.

Thanks.

I'm not sure if he said all portable versions or just PortablePGP, which is a specific project I think.  Either way, the "portable" version of gpg4usb is just a bunch of files you don't need to have installed on your computer to use.  No worries, gpg4usb is fine either way.  Do note however that if somebody gets their hands on those files, they've got your private key (which is different degrees of bad depending on how secure your passphrase is).  Whether it's on your hard drive or a USB drive doesn't really matter, unless one is encrypted and the other isn't.


+1 for the OP.  I have been stubborn and lazy about learning how to generate my own set of keys so that others may send me encrypted messages (I don't exactly have anyone sending me their sensitive information so I had no need for it unless I want to encrypt banter) until now.  Tried once with some instructions on a thread in Sheep and failed.

What we really need is a browser add-on that makes de/encrypting text on a web page and in text fields as easy as Enigmail makes it for email. There is an add-on for Firefox called WebPG but last time I tried it, it didn't work with Tor Browser. PGP adoption might increase if people don't have to copy text back and forth to a separate app.
Really?  Have you tried since the Tor browser bundle went to Firefox ESR v24?  They had been using v17 or something, which was pretty behind.
« Last Edit: January 14, 2014, 03:24:48 pm by SelfSovereignty »
"Not to laugh, not to lament, not to curse, but to understand." - Spinoza

Spudgun

  • Full Member
  • ***
  • Posts: 209
  • Karma: +14/-3
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #142 on: January 14, 2014, 03:31:20 pm »
Thank you SelfSovereignty, that's really helpful. I have been starting to stress out big time. You may have prevented a murder from happening. +1 karma

Cheers.
'No way would I poison my body with that shite.
    All they fucking chemicals. No fucking way'.

javier

  • Jr. Member
  • **
  • Posts: 97
  • Karma: +16/-1
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #143 on: January 15, 2014, 01:39:02 am »
this is my current gpg.conf:

Quote
no-greeting
no-emit-version
throw-keyid
no-comments
always-trust
personal-cipher-preferences AES256 TWOFISH AES192 AES BLOWFISH CAST5 3DES
personal-digest-preferences SHA512 SHA384 SHA256 SHA224 SHA1 RIPEMD160 MD5
personal-compress-preferences BZIP2 ZLIB ZIP Uncompressed

is this configuration ok? are there any other options i should be aware of?
prepared to do years like javier

Nightcrawler

  • Guest
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #144 on: January 15, 2014, 07:37:57 am »
this is my current gpg.conf:

Quote
no-greeting
no-emit-version
throw-keyid
no-comments
always-trust
personal-cipher-preferences AES256 TWOFISH AES192 AES BLOWFISH CAST5 3DES
personal-digest-preferences SHA512 SHA384 SHA256 SHA224 SHA1 RIPEMD160 MD5
personal-compress-preferences BZIP2 ZLIB ZIP Uncompressed

is this configuration ok? are there any other options i should be aware of?

Looks good. The only thing you might want to be careful with is the throw-keyid directive. For people with a lot of secret keys on their keyrings, someone who uses throw-keyid can prove a pain in the neck, as PGP/GPG has to cycle through all their secret keys, and that can prove a royal pain.

I can't think of anything else you'd want in there, off the top of my head.

Nightcrawler

javier

  • Jr. Member
  • **
  • Posts: 97
  • Karma: +16/-1
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #145 on: January 15, 2014, 09:50:13 am »
Looks good. The only thing you might want to be careful with is the throw-keyid directive. For people with a lot of secret keys on their keyrings, someone who uses throw-keyid can prove a pain in the neck, as PGP/GPG has to cycle through all their secret keys, and that can prove a royal pain.

thanks.

if some vendor turns out to have a problem with it i might comment throw-keyid out again. it's more a matter of principle anyway. unless i misunderstand, keyid is important metadata and it's being sent in the clear. just feels wrong.

it seems --try-secret-key would ease the problem for anyone using multiple private keys, but yeah, i guess having to use gpg from the cli might count as a royal pain.
prepared to do years like javier
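
The key ID metadata discussed in the posts above, as an added example (not code from the thread or from GnuPG): a minimal Python reader for the Public-Key Encrypted Session Key packets at the front of a binary OpenPGP message (RFC 4880, section 5.1). It shows that the recipient key ID is readable without any secret key, and that it is all zeros when the sender used throw-keyid. The sample bytes and the key ID are constructed for illustration.

```python
# Added example: lists the recipient key IDs that travel unencrypted at the
# front of an OpenPGP message. All sample bytes below are constructed.

PKESK_TAG = 1                      # Public-Key Encrypted Session Key packet
HIDDEN = b"\x00" * 8               # wildcard key ID written when throw-keyid is set
ALGOS = {1: "RSA", 16: "Elgamal"}  # public-key algorithm IDs used in the sample


def packet_tag(first):
    """Packet tag from the first header octet (old or new header format)."""
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    return first & 0x3F if first & 0x40 else (first >> 2) & 0x0F


def read_body(buf, pos):
    """Return (body, next_pos) for the definite-length packet at buf[pos]."""
    first = buf[pos]
    pos += 1
    if first & 0x40:                               # new-format length octets
        o1 = buf[pos]
        if o1 < 192:
            length, pos = o1, pos + 1
        elif o1 < 224:
            length, pos = ((o1 - 192) << 8) + buf[pos + 1] + 192, pos + 2
        elif o1 == 255:
            length, pos = int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5
        else:
            raise ValueError("partial body length in a PKESK packet")
    else:                                          # old-format length type
        ltype = first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length in a PKESK packet")
        width = (1, 2, 4)[ltype]
        length, pos = int.from_bytes(buf[pos:pos + width], "big"), pos + width
    if pos + length > len(buf):
        raise ValueError("truncated packet")
    return buf[pos:pos + length], pos + length


def recipients(message):
    """Return one dict per PKESK packet; key_id is None when it was hidden."""
    out, pos = [], 0
    # PKESK packets come first; stop at the encrypted data packet.
    while pos < len(message) and packet_tag(message[pos]) == PKESK_TAG:
        body, pos = read_body(message, pos)
        if len(body) < 10 or body[0] != 3:
            raise ValueError("unsupported PKESK packet")
        key_id, algo = body[1:9], body[9]
        out.append({
            "key_id": None if key_id == HIDDEN else key_id.hex().upper(),
            "algo": ALGOS.get(algo, "algorithm %d" % algo),
        })
    return out


def make_pkesk(key_id, algo, new_format=False):
    """Build a constructed PKESK packet with a dummy 16-bit MPI as payload."""
    body = bytes([3]) + key_id + bytes([algo]) + b"\x00\x10\xbe\xef"
    header = 0xC0 | PKESK_TAG if new_format else 0x80 | (PKESK_TAG << 2)
    return bytes([header, len(body)]) + body


VISIBLE_ID = bytes.fromhex("0123456789ABCDEF")     # constructed key ID
# Constructed message: one ordinary recipient, one throw-keyid recipient, then
# the first bytes of an encrypted data packet (tag 18), which is never parsed.
SAMPLE = (make_pkesk(VISIBLE_ID, 1)
          + make_pkesk(HIDDEN, 16, new_format=True)
          + bytes([0xC0 | 18, 1, 1]))

if __name__ == "__main__":
    for r in recipients(SAMPLE):
        print(r["algo"], r["key_id"] or "hidden: receiver must try each secret key")
```

The function expects binary input, so an ASCII-armored message has to be dearmored first (`gpg --dearmor`); `gpg --list-packets` prints the same fields for a real message.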

Nightcrawler

  • Guest
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #146 on: January 15, 2014, 01:29:02 pm »
Looks good. The only thing you might want to be careful with is the throw-keyid directive. For people with a lot of secret keys on their keyrings, someone who uses throw-keyid can prove a pain in the neck, as PGP/GPG has to cycle through all their secret keys, and that can prove a royal pain.

thanks.

if some vendor turns out to have a problem with it i might comment throw-keyid out again. it's more a matter of principle anyway. unless i misunderstand, keyid is important metadata and it's being sent in the clear. just feels wrong.

it seems --try-secret-key would ease the problem for anyone using multiple private keys, but yeah, i guess having to use gpg from the cli might count as a royal pain.

I fully understand, I was just pointing out that, in some circumstances, it could prove problematic.  Another way to get around the metadata issue is to use fresh keys for every transaction, after which they are discarded. Vendors should not be retaining keys anyway.

Nightcrawler

Methamatician

  • Jr. Member
  • **
  • Posts: 77
  • Karma: +3/-12
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #147 on: January 17, 2014, 04:10:57 pm »
Hi Nightcrawler. Thanks for the advice. I don't know if someone else has already pointed this out, but the URL to your PGP key isn't working:
http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090

happy.pillz

  • Full Member
  • ***
  • Posts: 191
  • Karma: +25/-6
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #148 on: January 17, 2014, 06:31:50 pm »
Hey Nightcrawler thanks for the info about BCPG. I'm definitely glad you pointed that out.... possibly saved me my freedom! But what is it about BCPG that's unsecure anyways? Just asking so I can get a better understanding on what to keep an eye out for in the future.
« Last Edit: January 17, 2014, 06:40:08 pm by happy.pillz »
Agora referral link

http://silkroad6ownowfk.onion

Nightcrawler

  • Guest
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #149 on: January 17, 2014, 10:02:48 pm »
Hi Nightcrawler. Thanks for the advice. I don't know if someone else has already pointed this out, but the URL to your PGP key isn't working:
http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090

That is the link to where my key was posted on the old Forums.  Must have gotten it from an old post, or something.  My key is now in my profile, as everyone else's should be. Click on my username to see it, and remember to remove the 4-space indentation from the key, prior to importation.

Nightcrawler

Nightcrawler

  • Guest
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #150 on: January 17, 2014, 10:04:56 pm »
Hey Nightcrawler thanks for the info about BCPG. I'm definitely glad you pointed that out.... possibly saved me my freedom! But what is it about BCPG that's unsecure anyways? Just asking so I can get a better understanding on what to keep an eye out for in the future.

The biggest problem with some of the BCPG versions (e.g. 1.4x) is that they generate massively unsafe keys by default. These versions generate 1024-bit DSA keys for signing, and 512-bit Elgamal sub-keys for encryption. 512-bit keys haven't been used for almost 20 years now, due to their insecurity.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key Fingerprint = D870 C6AC CC6E 46B0 E0C7  3955 B8F1 D88E BBF7 433B

Security is a bit like religion... some things have to be taken on faith.
Where security differs from religion is that security is NOT retroactive.
Unlike Christianity, where you can come to Jesus, be 'saved' and have all
your sins washed away, with security you can adopt Tails or PGP, and be
secure from that point forward, but rest assured that your previous sins
(security failings) WILL come back to haunt you and bite you in the ass.
The original DPR is the poster child for that, right now.

Folly, thou conquerest, and I must yield!
Against stupidity the very gods Themselves
contend in vain.  --Friedrich Schiller
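
One way to check a keyring for the two problems described in this thread (undersized keys such as the 1024-bit DSA / 512-bit Elgamal pairs, and keys with no encryption subkey), as an added example that is not code from the thread or from GnuPG: a Python audit of `gpg --list-keys --with-colons` output. The listing and key IDs are constructed, and the 2048-bit floor is an assumption.

```python
# Added example: audits colon-format key listings for undersized keys and for
# keys that cannot be encrypted to. The listing below is constructed.

MIN_BITS = 2048                                      # assumption: policy floor
SIZED_ALGOS = {1: "RSA", 16: "Elgamal", 17: "DSA"}   # bit lengths are comparable
UNUSABLE = {"r", "e", "d", "i"}                      # revoked, expired, disabled, invalid

SAMPLE_LISTING = """\
pub:u:4096:1:A000000000000001:1348272000:::u:::scESC:
uid:u::::::::Constructed User A:
sub:u:4096:1:A000000000000002:1348272000::::::e:
pub:-:1024:17:B000000000000001:1380000000:::-:::scESC:
uid:-::::::::Constructed User B:
sub:-:512:16:B000000000000002:1380000000::::::e:
pub:-:2048:1:C000000000000001:1385000000:::-:::scSC:
uid:-::::::::Constructed User C:
pub:-:4096:1:D000000000000001:1262304000:::-:::scSC:
uid:-::::::::Constructed User D:
sub:e:4096:1:D000000000000002:1262304000:1293840000:::::e:
"""


def parse_keys(listing):
    """Group pub/sub records under their primary key."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue
        rec = {"type": f[0], "validity": f[1], "bits": int(f[2] or 0),
               "algo": int(f[3] or 0), "keyid": f[4], "caps": f[11]}
        if f[0] == "pub":
            keys.append({"primary": rec, "subkeys": []})
        elif keys:
            keys[-1]["subkeys"].append(rec)
    return keys


def audit(listing):
    """Return {primary key ID: [findings]} for every key with a finding."""
    report = {}
    for key in parse_keys(listing):
        members = [key["primary"]] + key["subkeys"]
        findings = []
        for rec in members:
            # Only compare sizes for algorithms where bit length is meaningful
            # in this way; elliptic-curve keys are deliberately skipped.
            name = SIZED_ALGOS.get(rec["algo"])
            if name and rec["bits"] < MIN_BITS:
                findings.append("%s %s is %d-bit %s"
                                % (rec["type"], rec["keyid"], rec["bits"], name))
        # Lowercase "e" in field 12 means this (sub)key itself can encrypt.
        usable = [r for r in members if r["validity"] not in UNUSABLE]
        if not any("e" in r["caps"] for r in usable):
            findings.append("no usable encryption-capable key")
        if findings:
            report[key["primary"]["keyid"]] = findings
    return report


if __name__ == "__main__":
    for keyid, findings in audit(SAMPLE_LISTING).items():
        for finding in findings:
            print(keyid, "-", finding)
```

On GnuPG 1.4 and 2.0, add `--fixed-list-mode` when producing the listing so that user IDs always appear on their own `uid` lines.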

Ghost

  • Proprietor, Green Camel Underground
  • Hero Member
  • *****
  • Posts: 620
  • Karma: +53/-56
  • Ghosts Don't Leave Other Ghosts Behind.
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #151 on: January 18, 2014, 01:26:30 am »
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

hey buddy,

Ive heard alot about you, and your technical guru skills. I was wondering how you protect yourself from being doxxed...I know all the basics but it seems that even if you have PGP encryption, use the latest version of tor, and all people still get caught. Is there a more technical advanced aspect of this that people just dont know? Especially people trying to create their own websites...like the people from blackflag etc that got doxxed. How does that happen? Im not a newbie to tor, but it seems even the smartest of people are getting doxxed...or so it seems. Thanks in advance!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

-----END PGP SIGNATURE-----
Proprietor of Ghost's Tavern  @ The Hub
Proprietor of Green Camel Underground @ SR
Karma tips always appreciated!

Nightcrawler

  • Guest
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #152 on: January 18, 2014, 02:18:17 am »
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

hey buddy,

Ive heard alot about you, and your technical guru skills. I was wondering how you protect yourself from being doxxed...I know all the basics but it seems that even if you have PGP encryption, use the latest version of tor, and all people still get caught. Is there a more technical advanced aspect of this that people just dont know? Especially people trying to create their own websites...like the people from blackflag etc that got doxxed. How does that happen? Im not a newbie to tor, but it seems even the smartest of people are getting doxxed...or so it seems. Thanks in advance!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

-----END PGP SIGNATURE-----

There are seven magic words to not being doxxed: Limit Your Exposure and Shut The Fuck Up.

By limiting your exposure, I mean:

- No Facebook
- No Twitter
- No Tumblr
- No Blogs
- No Websites
- No Social Media, period.

If someone wants to dox me, good luck to 'em -- what they see, is what they're gonna get, and it won't be much, and even that isn't guaranteed to be accurate.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key Fingerprint = D870 C6AC CC6E 46B0 E0C7  3955 B8F1 D88E BBF7 433B

Security is a bit like religion... some things have to be taken on faith.
Where security differs from religion is that security is NOT retroactive.
Unlike Christianity, where you can come to Jesus, be 'saved' and have all
your sins washed away, with security you can adopt Tails or PGP, and be
secure from that point forward, but rest assured that your previous sins
(security failings) WILL come back to haunt you and bite you in the ass.
The original DPR is the poster child for that, right now.

Folly, thou conquerest, and I must yield!
Against stupidity the very gods Themselves
contend in vain.      --Friedrich Schiller

Ghost

  • Proprietor, Green Camel Underground
  • Hero Member
  • *****
  • Posts: 620
  • Karma: +53/-56
  • Ghosts Don't Leave Other Ghosts Behind.
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #153 on: January 18, 2014, 02:44:54 am »
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

no I figured cross referencing peoples names to clearnet(which btw you wont believe the amount of people who have the same UNIQUE screenname. But is it possible to be doxxed just by the words you write? is there a "print" that is left behind that is consecutive that if worked long enough can trail??? Like Defcon for instance, if he never used any social sites ect, can they ever figure out who he is from the actual website work he has put into it? Dont mean to bother you with trivial things, but Ill never forget Inigo posting that they showed him things that no one could know, and I just wonder how easy it is to doxx the most cautious of people.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

-----END PGP SIGNATURE-----

Kallster

  • Hero Member
  • *****
  • Posts: 1100
  • Karma: +180/-95
  • Sex, Drugs and sausage rolls !
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #154 on: January 20, 2014, 11:26:49 pm »
sub
The only place you need to go for your Nbome.
http://silkroad6ownowfk.onion/users/dahbome

ReD EyE for 1st class hash !
http://silkroad6ownowfk.onion/users/red-eye

Velix

  • Jr. Member
  • **
  • Posts: 70
  • Karma: +4/-5
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #155 on: January 20, 2014, 11:31:38 pm »
Thank you for the info!  I'm quite skilled with programming encryption (RSA, AES, etc) but I didn't know this about PGP keys.  I was annoyed that PortablePGP would only allow BCPG v1.47, 1024-bit keys, but I didn't realize just how insecure they are.  I'll try generating keys from the command line and importing them instead.
-----\(*(i)*)/-----
torchat: mnergxcklw2velix

bltc

  • Jr. Member
  • **
  • Posts: 59
  • Karma: +0/-0
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #156 on: January 27, 2014, 11:01:28 am »
Hey folks. Apologies if this has been covered, but I'm in a rush, late for work, trying to set up my PGP.

Currently installing GnuPT as recommended in the thread; there are 2 options though. Which one is safest: WinPT 1.4.3 or WinPT 1.5.3?

Cheers in advance

Nightcrawler

  • Guest
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #157 on: January 27, 2014, 11:27:47 am »
Hey folks. Apologies if this has been covered, but I'm in a rush, late for work, trying to set up my PGP.

Currently installing GnuPT as recommended in the thread; there are 2 options though. Which one is safest: WinPT 1.4.3 or WinPT 1.5.3?

Cheers in advance

They're both good. Neither of them has any security flaws as far as I'm aware. I'd go with the 1.5.3, myself.


Meerkovo

  • Vendor
  • Sr. Member
  • *****
  • Posts: 495
  • Karma: +172/-84
  • I heart Cocaine
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #158 on: January 27, 2014, 12:14:18 pm »
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

no I figured cross referencing peoples names to clearnet(which btw you wont believe the amount of people who have the same UNIQUE screenname. But is it possible to be doxxed just by the words you write? is there a "print" that is left behind that is consecutive that if worked long enough can trail??? Like Defcon for instance, if he never used any social sites ect, can they ever figure out who he is from the actual website work he has put into it? Dont mean to bother you with trivial things, but Ill never forget Inigo posting that they showed him things that no one could know, and I just wonder how easy it is to doxx the most cautious of people.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

-----END PGP SIGNATURE-----


Try speaking to me on a day to day basis, you will see if my vocabulary is the same, or the way I write is the same.

Defcon? A very intelligent and educated chap, disciplined and organized overall as a person. On SR he may appear professional and polite most of the time, however offline, he's just a normal being like most of us dare I say! You know, the type that goes for a pint or two, gets in a tussle every now and again with a regular at the pub. It's not easy to distinguish a person when they write like this.


Meerkovo
SR Vendor Page - http://silkroad6ownowfk.onion/users/meerkovo
SR Forum Review - http://silkroad5v7dywlc.onion/index.php?topic=16397.0

plathora1

  • Full Member
  • ***
  • Posts: 112
  • Karma: +5/-6
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #159 on: January 27, 2014, 09:34:02 pm »
Anyone know any PGP versions for Mac?
What's the safest one to use?
Thanks, plathora1.
What is not known, is thought.

Wombat

  • Full Member
  • ***
  • Posts: 185
  • Karma: +17/-8
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #160 on: January 30, 2014, 05:39:27 am »
Anyone know any PGP versions for Mac?
What's the safest one to use?
Thanks, plathora1.
I use GnuPG/MacGPG2 v2.0.22 and as far as I know it's safe.  It's 4096 too which was the biggest number I could make it.  I am not sure if that makes any difference at all but I figured it couldn't hurt.  I wish I understood this stuff a little better but I am trying to learn.  I don't do any big business with SR, but I definitely want to know this stuff for the future. 
"Someone's mom her panties are getting wet."
-IMB

rumplesung35

  • Jr. Member
  • **
  • Posts: 56
  • Karma: +0/-0
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #161 on: February 02, 2014, 02:47:32 pm »
anyone by chance have a list of all the gpg4usb "directives" and what they do?
I want to verify what is going on in my gpg.conf and possibly set some things in there such as removing the version text in my key among other things.

thanks!
signature? I dont need no stinkin signature!

travailship

  • Jr. Member
  • **
  • Posts: 55
  • Karma: +2/-0
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #162 on: February 02, 2014, 03:33:00 pm »
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

no I figured cross referencing peoples names to clearnet(which btw you wont believe the amount of people who have the same UNIQUE screenname. But is it possible to be doxxed just by the words you write? is there a "print" that is left behind that is consecutive that if worked long enough can trail??? Like Defcon for instance, if he never used any social sites ect, can they ever figure out who he is from the actual website work he has put into it? Dont mean to bother you with trivial things, but Ill never forget Inigo posting that they showed him things that no one could know, and I just wonder how easy it is to doxx the most cautious of people.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

-----END PGP SIGNATURE-----


Try speaking to me on a day to day basis, you will see if my vocabulary is the same, or the way I write is the same.

Defcon? A very intelligent and educated chap, disciplined and organized overall as a person. On SR he may appear professional and polite most of the time, however offline, he's just a normal being like most of us dare I say! You know, the type that goes for a pint or two, gets in a tussle every now and again with a regular at the pub. It's not easy to distinguish a person when they write like this.


Meerkovo

and...this is most likely the key to staying away from doxxing through style points

Nightcrawler

  • Guest
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #163 on: February 04, 2014, 03:26:37 pm »
+1 for the OP.  I have been stubborn and lazy about learning how to generate my own set of keys so that others may send me encrypted messages (I don't exactly have anyone sending me their sensitive information so I had no need for it unless I want to encrypt banter) until now.  Tried once with some instructions on a thread in Sheep and failed.

What we really need is a browser add-on that makes de/encrypting text on a web page and in text fields as easy as Enigmail makes it for email. There is an add-on for Firefox called WebPG but last time I tried it, it didn't work with Tor Browser. PGP adoption might increase if people don't have to copy text back and forth to a separate app.

Browser add-ons are the ABSOLUTE LAST thing we need.  Browsers are very complex software packages, and are extremely difficult to secure. Bolting an encryption package like PGP on a browser is, in my view, a grave mistake. Ease of use is over-rated. If someone is not willing to invest the effort to learn...


Therapy

  • Vendor
  • Sr. Member
  • *****
  • Posts: 359
  • Karma: +102/-13
  • If your cup is full...may it be again
PGP version - where
« Reply #164 on: February 08, 2014, 08:58:13 pm »
The version lines that are usually shown by default in PGP keys and PGP signature blocks, often reveal which OS the person is using.
.................................................................................

How do you know the version if it is not shown by default?
"...Once in a while you get shown the light 
      in the strangest places if you look just right..."           Hunter / Garcia
               Visit us in The Market...  http://silkroad6ownowfk.onion/users/therapy

Nightcrawler

  • Guest
Re: PGP version - where
« Reply #165 on: February 09, 2014, 01:25:53 am »
The version lines that are usually shown by default in PGP keys and PGP signature blocks, often reveal which OS the person is using.
.................................................................................

How do you know the version if it is not shown by default?

You don't... that's the whole point of using directives to hide them.

In such a case, all you can do is look at the key, and if it's like the following, RUN!

pub   1024D/5B284BA7 2014-02-08
      Key fingerprint = 3E9C DA1A 3206 9F76 4C3A  25DB A724 FA84 5B28 4BA7
uid       [ unknown] PPG <PPG@localhost.onion>
sub    512g/33A340E8 2014-02-08

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key Fingerprint = D870 C6AC CC6E 46B0 E0C7 3955 B8F1 D88E BBF7 433B

Security is a bit like religion... some things have to be taken on faith.
Where security differs from religion is that security is NOT retroactive.
Unlike Christianity, where you can come to Jesus, be 'saved' and have all
your sins washed away, with security you can adopt Tails or PGP, and be
secure from that point forward, but rest assured that your previous sins
(security failings) WILL come back to haunt you and bite you in the ass.
The original DPR is the poster child for that, right now.

Folly, thou conquerest, and I must yield!
Against stupidity the very gods Themselves
contend in vain. --Friedrich Schiller
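
Added example, not part of the original posts: the check described in reply #165 (judging a key by its listing when no Version: header is available), written as a small parser for the old-style `gpg --list-keys` output quoted above. The 2048-bit floor, the function name and the second key in the sample are assumptions made for this example.

```python
import re

# Algorithm letters used in GnuPG 1.4/2.0 key listings.
ALGOS = {"R": "RSA", "D": "DSA", "g": "ElGamal (encrypt-only)", "G": "ElGamal"}
KEY_RE = re.compile(
    r"^(pub|sub)\s+(\d+)([A-Za-z])/([0-9A-Fa-f]{8,16})\s+(\d{4}-\d{2}-\d{2})")
UID_RE = re.compile(r"^uid\s+(?:\[[^\]]*\]\s*)?(.+)$")
MIN_BITS = 2048  # assumed policy floor for this example, not a value from the thread

# First key: the listing quoted in reply #165. Second key: constructed for contrast.
SAMPLE_LISTING = """\
pub   1024D/5B284BA7 2014-02-08
      Key fingerprint = 3E9C DA1A 3206 9F76 4C3A  25DB A724 FA84 5B28 4BA7
uid       [ unknown] PPG <PPG@localhost.onion>
sub    512g/33A340E8 2014-02-08

pub   4096R/AAAAAAAA 2014-01-01
uid       [ unknown] Constructed Example <example@invalid>
sub   4096R/BBBBBBBB 2014-01-01
"""


def audit_listing(listing, min_bits=MIN_BITS):
    """Group pub/sub lines per key and flag every part below min_bits."""
    keys, current = [], None
    for raw in listing.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            role, bits, letter, keyid, created = m.groups()
            part = {"role": role, "bits": int(bits),
                    "algo": ALGOS.get(letter, letter),
                    "keyid": keyid.upper(), "created": created,
                    "weak": int(bits) < min_bits}
            if role == "pub":                 # a new primary key starts a new group
                current = {"uid": None, "parts": [part]}
                keys.append(current)
            elif current is not None:         # subkey belongs to the last primary
                current["parts"].append(part)
        elif (m := UID_RE.match(line)) and current is not None \
                and current["uid"] is None:
            current["uid"] = m.group(1)       # keep the first user ID only
    for key in keys:
        key["weak"] = any(p["weak"] for p in key["parts"])
    return keys


if __name__ == "__main__":
    for key in audit_listing(SAMPLE_LISTING):
        verdict = "REJECT" if key["weak"] else "ok"
        print(f"{verdict:6} {key['uid']}")
        for p in key["parts"]:
            mark = "  <-- below floor" if p["weak"] else ""
            print(f"       {p['role']} {p['bits']:>4}-bit {p['algo']} "
                  f"{p['keyid']}{mark}")
```
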

Travelling Without Moving

  • Jr. Member
  • **
  • Posts: 93
  • Karma: +25/-1
  • "Find the Others." - Leary/McKenna
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #166 on: February 13, 2014, 01:27:58 am »
browser plugins, depends whose plugin it is..

TWM

jackthetripper

  • Jr. Member
  • **
  • Posts: 63
  • Karma: +1/-0
  • After three years, Silk Road feels like home.
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #167 on: April 11, 2014, 07:14:49 am »
Nightcrawler 8) you're the best, thanks!
PGP key in my profile.  Long time Silk Roader and lover of good weed, coke, and psychedelics.

Quade

  • Vendor
  • Full Member
  • *****
  • Posts: 198
  • Karma: +16/-5
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #168 on: April 17, 2014, 12:19:43 am »
I have a client who sent me his address via PGP Version BCPG C# v1.6.1.0. Are there any security issues for me by opening this?
quade@safe-mail.net

http://silkroad6ownowfk.onion/users/quade

Also vending @ Evolution

review and discussion : http://silkroad5v7dywlc.onion/index.php?topic=23053.msg463909#msg463909

The Jigsaw Puzzle

  • Hero Member
  • *****
  • Posts: 2277
  • Karma: +618/-188
  • Original 1st Generation Silk Roader - Old School.
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #169 on: April 17, 2014, 12:25:38 am »
I have a client who sent me his address via PGP Version BCPG C# v1.6.1.0. Are there any security issues for me by opening this?

Not for you. It just means that he used software which uses the Java Bouncy Castle Crypto Libraries (like PortablePGP) to create his keys, a huge mistake IMO.
PGP encrypt ALL COMMUNICATION & STOP using Windows to access Tor.

Plain text PM's will be IGNORED. Disable Javascript & use an updated Unix/Linux OS with FDE.

Rain (MSB) can you please contact me. ;D I miss you dearly. :-*
 
Just because you can,  doesn't mean you should.

Quade

  • Vendor
  • Full Member
  • *****
  • Posts: 198
  • Karma: +16/-5
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #170 on: April 17, 2014, 12:34:23 am »
I have a client who sent me his address via PGP Version BCPG C# v1.6.1.0. Are there any security issues for me by opening this?

Not for you. It just means that he used software which uses the Java Bouncy Castle Crypto Libraries (like PortablePGP) to create his keys, a huge mistake IMO.

Thanks man! +1

The Jigsaw Puzzle

  • Hero Member
  • *****
  • Posts: 2277
  • Karma: +618/-188
  • Original 1st Generation Silk Roader - Old School.
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #171 on: April 17, 2014, 12:36:12 am »
I have a client who sent me his address via PGP Version BCPG C# v1.6.1.0. Are there any security issues for me by opening this?

Not for you. It just means that he used software which uses the Java Bouncy Castle Crypto Libraries (like PortablePGP) to create his keys, a huge mistake IMO.

Thanks man! +1

You're welcome. +1 for you too.  :)

deadhead

  • Sr. Member
  • ****
  • Posts: 425
  • Karma: +23/-9
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #172 on: April 20, 2014, 05:23:07 pm »
Does anyone know anything about pgp versions for mobile?

Speaking of APG and Open Keychain for android. They both are based on gpg as far as I know and are capable of creating 4096 bit keys using AES and multiple other methods of encryption.
Andromeda Invite Link :
andromedam363aux.onion/register.php?invite=Edf6cP

Liadavide

  • Jr. Member
  • **
  • Posts: 63
  • Karma: +1/-0
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #173 on: April 25, 2014, 05:51:16 pm »
Is the information I send out to someone with PGP inherently compromised?
« Last Edit: April 29, 2014, 11:53:47 pm by Liadavide »
"When the power of love overcomes the love of power, the world will know peace....."

Jimi Hendrix

Dynasty

  • Jr. Member
  • **
  • Posts: 59
  • Karma: +0/-0
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #174 on: April 29, 2014, 09:26:34 pm »
sub

girgis2000

  • Jr. Member
  • **
  • Posts: 93
  • Karma: +10/-3
  • Freedom - every step forward, is a wider horizon
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #175 on: August 08, 2014, 07:02:57 pm »
...

Security is a bit like religion... some things have to be taken on faith.
Where security differs from religion is that security is NOT retroactive.
Unlike Christianity, where you can come to Jesus, be 'saved' and have all
your sins washed away, with security you can adopt Tails or PGP, and be
secure from that point forward, but rest assured that your previous sins
(security failings) WILL come back to haunt you and bite you in the ass.
The original DPR is the poster child for that, right now.


Awesome ending!! Awesome post too. 

Purpnugget

  • Jr. Member
  • **
  • Posts: 64
  • Karma: +5/-4
  • I am HRM, Purple Nugget, King of Candy Kingdom!
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #176 on: August 17, 2014, 02:37:48 pm »
I have a question, what keeps someone from using one version of PGP, and just changing the version # and type string?
Seems like it would fuck with anyone trying to ID your machine without impeding the decryption of the msg?
Also, I think my idea for dedicated encryption machines is solid.  Browse with one machine, encrypt with another, use a USB with PGP anywhere(off-site), edit the version listed in the string, copy the now encrypted msg onto your computer using copy/paste, this way it will lead back to the original machine, granting you plausible deniability to the maximum!
If you are PC, pretend to be Linux, if you are Mac, pretend to be PC?  Screw it, we should all pretend to use Linux!
Is there anything I haven't thought of?  I have a security guy who I run everything by anyway, but I'm curious why subterfuges aren't encouraged, given the whole spy vs. Spy environment.
"Holy Purps, Batman!"
"Weeeeeeed, Man!  Its got Weeded in it!"

GhostProdigy

  • Jr. Member
  • **
  • Posts: 52
  • Karma: +1/-0
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #177 on: September 28, 2014, 04:07:51 pm »
can anyone post step by step how to remove version number from gpg4usb output ver 0.3.3

p3nd8s

  • Vendor
  • Sr. Member
  • *****
  • Posts: 253
  • Karma: +66/-34
  • I came for the drugs but stayed for the Revolution
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #178 on: October 21, 2014, 02:15:20 am »
can anyone post step by step how to remove version number from gpg4usb output ver 0.3.3

You can delete it or change the text manually without affecting the message. Examples below (I don't use BCPG, it's just an example).

Unedited version

-----BEGIN PGP MESSAGE-----

Version: BCPG C# v1.6.1.0
=Il+r
-----END PGP MESSAGE-----

Edited version:

-----BEGIN PGP MESSAGE-----

hQIMA72gz+a/XlwcAQ/+IEd+5r9BKScV/y3SuE9uUCFhZkqFljNoiDYq++eniTy0
qAZpT1qOKf6mOshDiYvxweb8Nu6VMIs1+RjcgJT2POqagYx/tBw9hJbtngk4DAo0
tUQYdhHnhAF9xOkwXE9GqGguHAcCyjI9l96VSoJA4uY+plOmQZWYFRafLJQnMELl
aF5f/NRNEGivB+E6J9AeztUeu4ih9YWsnJT6j82ZyhrhreGPhlxAMUEpuUzBXvbG
ZHFQlCbrZRYxTr3VsoBmUrIxvh1hfm0Fa+/cjMlBLTkD7sP/uP7TS03TbL1q3oLP
pQ6JAUj+P9susy+WV0lBSSJ+G+1B61ziR2nXIUy4ee8yGaVhYLhuA1nKTI8+ZSat
ToZTOr03j3gBjcOFlbh17/usBrEW5fsYnck0pxPYukRsUbrZWCE4KGLabWp5swtd
W+W74ZFIeu0AhKDAEhnHoPELZ75X+C36/FeI6qtReS97XGAzRagBdoPl9SwzCQWn
TLB60HWADgXBGDE2czTUwl5gfdXLxAriT71Wx0LfO1Tv/FmUNYoWAoTXXRltrjgA
P+LZZGzyquASQiswwM/xykJd04Qs5iy+Y10EcSf+6YBy3ZX0rLeCwHnmodSyNmZ+
rqUUTxMdtGD4GZ+KFlknlAqH09K1ZOY8561YQYTGdQ1JUUttTDIL6kG1UzeU7r3S
QwE3yTAQ5UUz+J2qNISWZPTQET0N2siVOFk+q5A2K9owXzJz3ez5ymYx4gufDIjj
3RqLFaxtAJkdAsEJk3Qn8GaPb+I=
=Il+r
-----END PGP MESSAGE-----

Another example of edited version:

-----BEGIN PGP MESSAGE-----

Version:  You can write anything on this line or delete it altogether Version 02342348032342804832
=Il+r
-----END PGP MESSAGE-----
US Scopolamine (Burundanga/Devil's Breath) and Claviceps Paspali Vendor; Ron Paul Anhydrides/MDA/LSD Guides; NEW: Meth and DMT guides; Available on:  Agora and SR 2.0
NEW: BLACK COCAINE and Plastic Cocaine Smuggling Guides!
http://silkroad6ownowfk.onion/users/p3nd8s/items
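
Added example, not part of the original post: why hand-editing the Version: line as shown in reply #178 leaves the message intact. The armor checksum (the `=XXXX` line) is a CRC-24 over the decoded body only, so the header can go; the `Hash:` header of a clearsigned message is different and must stay. The payloads are constructed stand-ins for real gpg output, and all function names are hypothetical.

```python
import base64
import re

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB   # OpenPGP armor CRC-24 (RFC 4880, 6.1)
DROPPABLE = {"Version", "Comment"}              # informational; "Hash" must be kept
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*): (.*)$")


def crc24(data: bytes) -> int:
    """Checksum carried on the '=XXXX' line; covers the decoded body only."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def build_armor(payload: bytes, headers: dict, kind: str = "PGP MESSAGE") -> str:
    """Build a constructed armor block (stands in for real gpg output)."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    check = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    head = "".join(f"{k}: {v}\n" for k, v in headers.items())
    return f"-----BEGIN {kind}-----\n{head}\n{body}\n={check}\n-----END {kind}-----\n"


def parse_armor(text: str):
    """Return (headers, payload, crc_ok) for a single armor block."""
    lines = text.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN ") and lines[-1].startswith("-----END ")):
        raise ValueError("not an ASCII-armored block")
    headers, i = {}, 1
    while i < len(lines) and (m := HEADER_RE.match(lines[i])):
        headers[m.group(1)] = m.group(2)
        i += 1
    body = [ln.strip() for ln in lines[i:-1] if ln.strip()]
    stored = None
    if body and body[-1].startswith("=") and len(body[-1]) == 5:
        stored = int.from_bytes(base64.b64decode(body.pop()[1:]), "big")
    payload = base64.b64decode("".join(body))
    return headers, payload, stored is None or stored == crc24(payload)


def strip_informational_headers(text: str):
    """Drop Version:/Comment: headers; return (clean_text, removed_pairs)."""
    out, removed, in_headers = [], [], False
    for line in text.splitlines():
        if line.startswith("-----BEGIN "):
            in_headers = True
        elif in_headers:
            m = HEADER_RE.match(line)
            if m and m.group(1) in DROPPABLE:
                removed.append((m.group(1), m.group(2)))
                continue
            if not m:            # blank separator (or first body line) ends headers
                in_headers = False
        out.append(line)
    return "\n".join(out) + "\n", removed


def platform_hint(version_value: str):
    """Trailing '(...)' token of a Version string, e.g. 'MingW32', else None."""
    m = re.search(r"\(([^)]+)\)\s*$", version_value)
    return m.group(1) if m else None


# Constructed samples: arbitrary bytes, not real ciphertext or a real signature.
SAMPLE_PAYLOAD = bytes(range(200))
SAMPLE_ARMOR = build_armor(SAMPLE_PAYLOAD, {"Version": "GnuPG v2.0.22 (MingW32)"})
SAMPLE_CLEARSIGNED = (
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nconstructed test message\n"
    + build_armor(b"\x01" * 48, {"Version": "GnuPG v2.0.22 (MingW32)"},
                  "PGP SIGNATURE"))

if __name__ == "__main__":
    clean, removed = strip_informational_headers(SAMPLE_ARMOR)
    for name, value in removed:
        print(f"removed {name}: {value!r} (platform hint: {platform_hint(value)})")
    _, payload, crc_ok = parse_armor(clean)
    print("payload unchanged:", payload == SAMPLE_PAYLOAD, "| CRC valid:", crc_ok)
    print(strip_informational_headers(SAMPLE_CLEARSIGNED)[0])
```

For the gpg.conf question asked in reply #161: GnuPG's own `no-emit-version` and `no-comments` options suppress these headers at the source, so nothing has to be edited by hand afterwards.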

Twisted_Systems

  • Jr. Member
  • **
  • Posts: 55
  • Karma: +0/-0
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #179 on: October 23, 2014, 12:08:59 am »
I'm using the main stable version of PGP4USB with a 4096 bit key. When I encrypt text I see it's using Version: GnuPG v1, is this a cause for concern? Should I update to the new stable release 0.3.3-1?

Or is it fine to just remove/edit the version number manually as described in the post above?

The Jigsaw Puzzle

  • Hero Member
  • *****
  • Posts: 2277
  • Karma: +618/-188
  • Original 1st Generation Silk Roader - Old School.
Re: Word of Warning -- All versions of PGP are NOT created equally!
« Reply #180 on: October 24, 2014, 10:22:04 am »
I'm using the main stable version of PGP4USB with a 4096 bit key. When I encrypt text I see it's using Version: GnuPG v1, is this a cause for concern? Should I update to the new stable release 0.3.3-1?

Or is it fine to just remove/edit the version number manually as described in the post above?


You should always update to the latest stable version of any software, whether it be GPG4USB or Tor. The GnuPG v1 you're seeing is just the version string and is no cause for concern. You're best to remove it altogether because leaving the version string in your public key / messages can give an attacker a heads up on what operating system you are currently running. :)