Message-ID: <4C167253.2040502@googlemail.com>
Date: Mon, 14 Jun 2010 20:17:55 +0200
From: Nid <nidfulldisc@...glemail.com>
To: "Thor (Hammer of God)" <Thor@...merofgod.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Introducing TGP...

Hi Timothy
>
> TGP – “Thor’s Godly Privacy”
>
> 06/13/10 v1.1.06
>
> it does things a bit differently – differently in a way that can
> change the way you work with your encrypted data. At the simplest
> level, this is done by encrypting data into byte arrays, and then
> converting those byte arrays into Base64 encoded text wrapped inside
> XML tags. In this way, not only do you get your typical file-based
> encrypted representation of your data, but you also get data that you
> can copy and paste directly into any email, mailing list, blog-page,
> or social networking site.
First of all, you should keep in mind that base64 raises the size of
your data by 33%.
>
> What I think is interesting about this is that if we choose to, we no
> longer have to be the custodians of our encrypted data – we don’t have
> to worry about actually housing the files: we can just post them to
> the internet and let someone else assume the burden of storing the
> files for us.
>
Posting big files, especially on mailing lists, might offend the other
users of the list, especially if you see the headline of lsi's answer:
there your message is marked as spam. Also, assuming a lot of people
behave like this, it would result in moderated lists.
BTW, why not store your data on rented space?

The next issue is that you cannot trust private keys which are
published on the internet with respect to signatures. These keys could
have been cracked.
Using such a key only for yourself to keep data on the internet also
seems not to make sense. It could be better placed on a private machine
to which you have controlled access, for example via VPN or ssh.

The next point is that if you would like to use the key in an internet
cafe or a restaurant, you will not be able to trust the machine. Most
likely there is a trojan or a key grabber on it.

> Normally, you want to keep your private keys as safe as possible. This
> is still the case with TGP. However, it is trivial to build as many
> private keys as you wish to use for anything you want to use them for.
> TGP Private Key files are password protected and individually salted,
> so with a strong passphrase you have very reasonable assurance that no
> one is going to get to your key any time soon. So, you can create a
> private key with a strong password, post that, and then, say, encrypt
> a scan of your passport and post that. Then if you are ever in a pinch
> while travelling or something like that, you can simply use Google or
> Bing to access your data wherever you are.
>
> That’s really the main difference between TGP and an application like
> PGP. That and of course, TGP is free, and personally, I think PGP is
> tardware. It’s bloated, it’s far too expensive, it’s hard to use, and
> if you don’t watch your licensing, you can get screwed hard like I did
> when I didn’t want to buy the extended support and one day my
> encrypted drives stopped working until I paid them. That doesn’t fly.
> TGP also doesn’t require that you are an admin to install. However,
> the .NET installer for the 4.0 client profile does – that’s not my
> doing. Regardless, here are the file structures TGP uses:
>
There are other possibilities than PGP, for example GPG etc. I would
rather trust such software, since I am somewhat sure that enough
people have tried to find bugs in it. Also, a lot of scientists and
hackers have tried to find a bug in the implementation.

If, for example, your software uses a weak pseudo-random number
generator, this could result in a weak key space.

Best regards Norbert
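
As an added illustration (not TGP's own code, whose format and algorithms the quoted announcement does not specify), the following Python sketches the kind of container the quoted description implies: a per-file salt drawn from the operating system's CSPRNG, a key derived from the passphrase with PBKDF2, encrypt-then-MAC, and Base64 text wrapped inside XML tags. It also returns the Base64 size factor behind the 33% figure above. The element names, the iteration count and the HMAC-in-counter-mode keystream (a standard-library stand-in for a real block cipher such as AES, used only so the example runs without third-party packages) are assumptions of this example.

```python
"""Illustrative salted, passphrase-protected key container (added example, stdlib only)."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

KDF_ITERATIONS = 200_000   # assumed work factor; the real cost parameter should be tuned higher
SALT_LEN = 16
NONCE_LEN = 16


def derive_keys(passphrase: str, salt: bytes, iterations: int):
    """PBKDF2-HMAC-SHA256 -> 64 bytes, split into an encryption key and a MAC key.
    The salt must be fresh per key file and must come from a CSPRNG (os.urandom):
    a seeded 'random' module would make every salt and nonce guessable, shrinking
    the effective key space exactly as the post warns."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=64)
    return km[:32], km[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def protect(secret: bytes, passphrase: str, iterations: int = KDF_ITERATIONS) -> str:
    """Encrypt 'secret' under a passphrase and return it as Base64 inside XML."""
    salt = os.urandom(SALT_LEN)      # CSPRNG, never random.random()
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt, iterations)
    ct = bytes(a ^ b for a, b in zip(secret, keystream(enc_key, nonce, len(secret))))
    # Encrypt-then-MAC over the parameters as well as the ciphertext, so a
    # modified salt, nonce or iteration count fails verification.
    body = salt + iterations.to_bytes(4, "big") + nonce + ct
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    root = ET.Element("KeyFile")     # element names are made up for this example
    ET.SubElement(root, "Salt").text = base64.b64encode(salt).decode()
    ET.SubElement(root, "Iterations").text = str(iterations)
    ET.SubElement(root, "Nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(root, "Data").text = base64.b64encode(ct).decode()
    ET.SubElement(root, "Tag").text = base64.b64encode(tag).decode()
    return ET.tostring(root, encoding="unicode")


def unprotect(xml_text: str, passphrase: str) -> bytes:
    """Parse the XML container, verify the MAC in constant time, then decrypt."""
    root = ET.fromstring(xml_text)

    def field(name: str) -> bytes:
        return base64.b64decode(root.findtext(name))

    salt, nonce, ct, tag = field("Salt"), field("Nonce"), field("Data"), field("Tag")
    iterations = int(root.findtext("Iterations"))
    enc_key, mac_key = derive_keys(passphrase, salt, iterations)
    body = salt + iterations.to_bytes(4, "big") + nonce + ct
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or tampered key file")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))


def base64_overhead(n_bytes: int) -> float:
    """Size growth factor of Base64: 4 output characters per 3 input bytes (~1.33)."""
    return len(base64.b64encode(b"\x00" * n_bytes)) / n_bytes


if __name__ == "__main__":
    blob = protect(b"constructed sample private key bytes", "correct horse battery staple")
    print(blob)
    print(unprotect(blob, "correct horse battery staple"))
    print(f"base64 overhead for 300 bytes: {base64_overhead(300):.3f}")
```

Two design choices carry the thread's points: the only thing standing between a published key file and an offline guesser is the passphrase plus the KDF work factor, so the iteration count is a security parameter rather than a tuning knob, and every salt and nonce comes from `os.urandom` because a predictable generator would collapse the space of possible key files regardless of key length.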

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/