LinuxQuestions.org
Old 01-07-2022, 05:30 AM   #1
Mental-Octopus
Member
 
Registered: Sep 2018
Posts: 34

Rep: Reputation: Disabled
Power Of Privacy


If you have nothing to fear you have nothing to hide: "those who say that almost always have something to hide" -- Quote from Person Of Interest (TV Series)

Even in business, legitimate business, you have to keep your affairs secret, especially from competitors.

The ones who most certainly have something to hide because of something they fear are the ones who want to know everyone's secrets.

The secrets they want to know, of course, are the secrets that expose their dirty secrets. If you have nothing to fear, you don't have to know what everyone hides.

Last edited by Mental-Octopus; 01-07-2022 at 05:31 AM.
 
Old 01-07-2022, 06:30 AM   #2
hazel
LQ Guru
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 5,991
Blog Entries: 16

Rep: Reputation: 3546
I thought the saying was "If you have nothing to hide, you have nothing to fear." This is supposed to invalidate our very proper desire for privacy by implying that it is in itself a suspicious sign. Anyone who uses this argument obviously fancies himself as Big Brother.
 
Old 01-07-2022, 11:11 AM   #3
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,547
Blog Entries: 4

Rep: Reputation: 3434
If you are going to use an intrinsically-insecure network like the Internet, crypto is a very basic resource. (Notice the "s" in "https" on this address bar.)

"Don't Leave Home Without It.™"

Crypto technology not only protects information from disclosure, but it also provides a strong way to ensure that the message you received was "delivered as tendered by the sender." The message is known to be authentic and known to be complete. You know right now that you are, in fact, talking to the LQ server, not to a "man in the middle." But you can't see it happening – you just ignore it.

To this day, it baffles me why [SMTP/POP ...] e-mail is not "routinely encrypted," just as web-sites now are. Unless you take action yourself, you have no way to know if any email that you receive is authentic, nor if it has been tampered with. Yet, businesses routinely use this completely-insecure venue every day.

(Note that other email systems like Microsoft Exchange do transparently use encryption to safeguard and verify the provenance of messages, even though this technology is not apparent to the end user.)

Plug-ins for email clients are readily available to support standards including GPG/PGP® and S/MIME. But I can't explain why "web mail" clients, specifically including Google's now-ubiquitous one, no longer support encryption when at one time they did. It would be so very obvious and easy to do. Even if what you were looking for is just "digital signing," which vouches for the content and the origins of a message that is not encrypted. This omission makes utterly no sense to me. If "GMail" did it, it would very quickly become standard practice.

Last edited by sundialsvcs; 01-07-2022 at 11:16 AM.
 
Old 01-07-2022, 11:37 AM   #4
hazel
LQ Guru
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 5,991
Blog Entries: 16

Rep: Reputation: 3546
The trouble with email encryption, and also digital signing, is that it only works if both correspondents understand and use it. None of the people I correspond with by email have the faintest idea what a public key is.
 
Old 01-07-2022, 11:54 AM   #5
cynwulf
Senior Member
 
Registered: Apr 2005
Posts: 2,708
Blog Entries: 6

Rep: Reputation: 2332
Encryption is unfriendly to "free" email service providers - work it out...
 
Old 01-08-2022, 11:06 AM   #6
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,547
Blog Entries: 4

Rep: Reputation: 3434
My point is that it shouldn't be rare – it should be a universal practice. If I get "an email from Southwest Airlines," or even an email that purports to contain a link to their site, I cannot trust it. I've seen emails with "hyperlinks" that actually ran JavaScript to send you somewhere else while doctoring the URL display to conceal that this was just done. But if message-signing and verification was a universal practice, supported especially by Gmail, then this very important messaging system would be vastly more reliable and secure ... even if the messages being passed were not encrypted. You could reliably know that the purported sender actually did send the message, and that you received exactly what he sent. You could tell this at-a-glance ... and pay no further attention to it.

Now that "https" has become universal ... why don't we do the same thing for email?

Again, at one time, Gmail's web client did support message encryption and signing.

Last edited by sundialsvcs; 01-08-2022 at 11:08 AM.
 
Old 01-08-2022, 11:18 AM   #7
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 6,096
Blog Entries: 3

Rep: Reputation: 3180
Quote:
Originally Posted by sundialsvcs
My point is that it shouldn't be rare – it should be a universal practice. If I get "an email from Southwest Airlines," or even an email that purports to contain a link to their site, I cannot trust it. I've seen emails with "hyperlinks" that actually ran JavaScript to send you somewhere else while doctoring the URL display to conceal that this was just done. ...
That's the main advantage of web clients and one of the reasons that normal IMAPS clients have been marginalized. If you use a normal mail client you'll see through ruses like those. However, with web mail, even hovering over the link won't tell you the truth about what it will do to you.

Quote:
Originally Posted by hazel
The trouble with email encryption, and also digital signing, is that it only works if both correspondents understand and use it. None of the people I correspond with by email have the faintest idea what a public key is.
Thunderbird, for example, used to have the Enigmail plug-in. It was not so straightforward for a novice to begin with but it was definitely learnable with instructions. The later versions of Thunderbird were going to have built-in support for OpenPGP so Enigmail shut down. Unfortunately the devil is in the details and Mozilla never said when (or if) they would get around to making their "support" for OpenPGP functional.

Similar for GNU Privacy Guard 2 (gpg2) as compared to gpg version 1. The latter was like pretty much any other shell based utility. Its successor is substantially more complex and I've only ever got it working by accident and find it worlds easier to work with the first version.

With web-based interfaces there cannot be end-to-end encryption. That is by design. I suspect that much of the ostensible help that the various standalone encryption projects have been subjected to is part of those designs. And that is just the technical side, not to mention the incessant stream of propaganda and disinformation against privacy and encryption.
 
Old 01-08-2022, 02:14 PM   #8
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,547
Blog Entries: 4

Rep: Reputation: 3434
Basically, what I would do with Gmail is this:

Every message is digitally signed, and checked. When you sign up, a digital certificate will be prepared for you, or you can upload your own. When a message is received, it is automatically checked for a valid signature and you see this on the screen. Then, after a suitable period of time, if you receive a message that is not signed, you get a warning to that effect. We're trying to get you to become used to, and to expect, and to trust, signatures.

Every message can be optionally encrypted. If both the recipient and the sender have keys on file, the message will be secured in transit (as well as signed), if you ask for that. You will never personally encounter the encryption/decryption process.

• The mail service will also deliver you a copy of any public key that it has on file. (Using other public key-repositories as its source, and populating those services.)

• All of the methods used to do this are public, peer-reviewed standards such as GPG/PGP® or S/MIME. No "obscurity."

This does not mean that the web-mail host would be unable to see for itself what the message contained, but that isn't the point. These changes would greatly increase the security and integrity of e-mail, for all users, while being mostly transparent to them. "A freebie," if you will. Just as "secure web sites" have become the new normal, the same would now be true for email.

Forgery, tampering, and "spoofing" are all a serious problem with this technology which has extreme business and personal importance. These defenses work extremely well to prevent this. If I "get an e-mail from Southwest Airlines," I should know at a glance that it really did come from them, that it is authentic, and that it hasn't been tampered with by anyone else. And, so should Southwest as a corporation. All of this would not be hard to do – it just takes the business decision to do it.

Last edited by sundialsvcs; 01-08-2022 at 02:22 PM.
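
The sign-on-send, check-on-receipt flow proposed in the post above, as an added example that is not part of the thread or of any mail provider's code. Ed25519 from Node's built-in crypto stands in for GPG/PGP or S/MIME; the addresses, message fields and status names are assumptions made for the illustration.

```javascript
// Added example (not from the thread): the inbox-side check described above.
// Ed25519 from Node's built-in crypto stands in for OpenPGP or S/MIME.
const { generateKeyPairSync, sign, verify } = require('crypto');

// Bytes covered by the signature: sender address plus body. The address is
// length-prefixed so the boundary between the two fields cannot be shifted.
function signedBytes(from, body) {
  const f = Buffer.from(from, 'utf8');
  const len = Buffer.alloc(4);
  len.writeUInt32BE(f.length);
  return Buffer.concat([len, f, Buffer.from(body, 'utf8')]);
}

// Sender side: attach a detached signature to the message.
function signMessage(from, body, privateKey) {
  const signature = sign(null, signedBytes(from, body), privateKey);
  return { from, body, signature: signature.toString('base64') };
}

// Receiver side. keyring maps a sender address to the public key "on file".
function checkMessage(msg, keyring) {
  if (!msg.signature) return 'UNSIGNED';            // show the warning
  const publicKey = keyring.get(msg.from);
  if (!publicKey) return 'UNKNOWN_SIGNER';          // no key to check against
  const ok = verify(null, signedBytes(msg.from, msg.body), publicKey,
                    Buffer.from(msg.signature, 'base64'));
  return ok ? 'VERIFIED' : 'BAD_SIGNATURE';         // forged or altered
}

// Constructed sample traffic; addresses and text are made up.
function demo() {
  const airline = generateKeyPairSync('ed25519');
  const impostor = generateKeyPairSync('ed25519');
  const from = 'bookings@airline.example';
  const keyring = new Map([[from, airline.publicKey]]);

  const genuine = signMessage(from, 'Your flight departs at 09:40.', airline.privateKey);
  const altered = { ...genuine, body: 'Your flight departs at 19:40.' };
  const unsigned = { from, body: 'Please confirm your booking.' };
  const spoofed = signMessage(from, 'Please confirm your booking.', impostor.privateKey);
  const stranger = signMessage('someone@unknown.example', 'Hello', impostor.privateKey);

  return {
    genuine: checkMessage(genuine, keyring),
    altered: checkMessage(altered, keyring),
    unsigned: checkMessage(unsigned, keyring),
    spoofed: checkMessage(spoofed, keyring),
    stranger: checkMessage(stranger, keyring),
  };
}

console.log(demo());
```

The message body stays readable throughout: only the altered and spoofed cases fail verification, which is the integrity-without-secrecy property the post argues for.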
 
Old 01-12-2022, 08:42 PM   #9
Xeratul
Senior Member
 
Registered: Jun 2006
Location: UNIX
Distribution: FreeBSD
Posts: 2,364

Rep: Reputation: 215
Quote:
Originally Posted by sundialsvcs
Basically, what I would do with Gmail is this:

Every message is digitally signed, and checked. When you sign up, a digital certificate will be prepared for you, or you can upload your own. When a message is received, it is automatically checked for a valid signature and you see this on the screen. Then, after a suitable period of time, if you receive a message that is not signed, you get a warning to that effect. We're trying to get you to become used to, and to expect, and to trust, signatures.

Every message can be optionally encrypted. If both the recipient and the sender have keys on file, the message will be secured in transit (as well as signed), if you ask for that. You will never personally encounter the encryption/decryption process.

• The mail service will also deliver you a copy of any public key that it has on file. (Using other public key-repositories as its source, and populating those services.)

• All of the methods used to do this are public, peer-reviewed standards such as GPG/PGP® or S/MIME. No "obscurity."

This does not mean that the web-mail host would be unable to see for itself what the message contained, but that isn't the point. These changes would greatly increase the security and integrity of e-mail, for all users, while being mostly transparent to them. "A freebie," if you will. Just as "secure web sites" have become the new normal, the same would now be true for email.

Forgery, tampering, and "spoofing" are all a serious problem with this technology which has extreme business and personal importance. These defenses work extremely well to prevent this. If I "get an e-mail from Southwest Airlines," I should know at a glance that it really did come from them, that it is authentic, and that it hasn't been tampered with by anyone else. And, so should Southwest as a corporation. All of this would not be hard to do – it just takes the business decision to do it.

The solution is not to encrypt everything. You finally cannot work and spend your day with multiple senseless login/calls for id/... and software installation.

The solution is just to run it on your own server and avoid using a Cloud.

See here.
https://audio-video.gnu.org/video/TE...lman05_LQ.webm


Code:
apt-get install ...server...
netsurf 10.0.0.x
Open your port, share your world, and host yourself
 
Old 01-13-2022, 09:52 AM   #10
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,547
Blog Entries: 4

Rep: Reputation: 3434
@Xeratul, notice that I am attaching most importance to digital signing, not encryption. This is your assurance that the message that you received did come from its purported sender, and that it is exactly what they sent. It has not been forged nor tampered with. Even though many messages do not require secrecy, they do require this "message integrity."

It's easy to do this in universally-recognized, standard ways ... so it is still baffling to me why we don't do it routinely. Just as we now do with "https" and for the same reasons. E-mail is every bit as important as a web site – perhaps more so. Given that we can protect it, why aren't we routinely doing so?

Last edited by sundialsvcs; 01-13-2022 at 09:53 AM.
 
Old 01-13-2022, 03:09 PM   #11
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,547
Blog Entries: 4

Rep: Reputation: 3434
It's well worth noting that the usual application of encryption isn't: "encrypting a document or a keychain."

It is actually quite rare that you need to "seal one particular thing inside of Fort Knox."

The most typical application of encryption is to secure a particular, ephemeral, conversation which usually lasts for a very or extremely short amount of time. Communications concealment might not be a priority. In the grand scheme of things, it is actually less important than integrity.

Whether or not(!) you are concerned that someone is eavesdropping, you must have confidence of communications integrity:
  • That you really are talking to the right party, who likewise knows that he is really talking to you.
  • That every message you receive is exactly the message that was sent.
  • That you did in fact receive every message that the sender intended to send, and none other.
Without all of these things, your global network is worthless.

And yet, to be truly successful, your solution must also be transparent. As is the "https" that is sending this posting to you – or the "VPN" that these days lets you go to work in your bathrobe.

Last edited by sundialsvcs; 01-13-2022 at 03:14 PM.
 
Old 01-13-2022, 04:45 PM   #12
rokytnji
LQ Veteran
 
Registered: Mar 2008
Location: Waaaaay out West Texas
Distribution: antiX 21, MX 21 Fluxbox
Posts: 6,486
Blog Entries: 21

Rep: Reputation: 3267
Living out in the boonies. Where no one else wants to live. Pretty much summed up my place in Esperanza Texas.

Privacy is then broken when I go to a store.

Amazing how many emails I get on "how was your shopping experience".

Every store now has cameras. Computer registrars. Clueless clerks and managers.

Hard to be private in a crowded IT type world. Bonnie and Clyde would have been caught rickey tic now-a-days. Ever pass through an American Border Patrol checkpoint?

Now there is people monitoring at its finest. You get your picture taken. Licence plate recorded. Make of car recorded. Plus you are filmed at all times. Dogs are circling your vehicle. Mirrors are under your vehicle. Penetrating radar is also in their toolbox.
Would not surprise me if they copied EU border check point procedures.
Locals here don't like it. East Texas runs it. Cuz they have no border check points near Dallas or Waco. Watched an 80-year-old man once go to jail for marijuana roach in his ashtray. NO TOLERANCE is their policy in trade.
 
Old 01-17-2022, 03:23 AM   #13
Mental-Octopus
Member
 
Registered: Sep 2018
Posts: 34

Original Poster
Rep: Reputation: Disabled
Isn't there also a security concern with VPNs too? VPNs can also save your search history, most of the time ask you to register your details and address, and can easily sell your information to the highest bidder or be requested by the government to give them your information. You basically run into the same exact problem with trust in these companies.
 
Old 01-17-2022, 11:49 AM   #14
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,547
Blog Entries: 4

Rep: Reputation: 3434
VPN technology – if used properly with digital certificates and not "PSKs = Passwords" – epitomizes what I am talking about. The various servers can uniquely identify one another, and the access rights of any certificate can be selectively revoked. The messages that are passed are both known-secure and known-integrity. And yet, none of this is visible at all to the end-users, who simply regard it as an ordinary network appliance. The combination very effectively presents what the acronym means: a "Virtual Private Network." Reliable and secure communication over an unreliable and insecure global network ... a service provided invisibly to its users, who need do nothing to be fully protected. With thousands of bits of good entropy, a certificate cannot be forged.

If you are connecting to a public VPN endpoint only to release your data into the Internet "somewhere other than in this coffee shop," then yes, you must trust them with your registration details, and be aware that they necessarily do keep detailed connection logs which can be subject to subpoena or a search warrant. Yes, the recipient can see that the packets emerged from "a known endpoint," but no one in that coffee shop could eavesdrop, and that is the objective.

"HTTPS" is another epitome of the same thing: you know that you are communicating directly with the LQ server. Your communications are secure but you don't see that. The only thing you see is a padlock icon that you can click. All of the technology is "out of sight, out of mind."

Last edited by sundialsvcs; 01-17-2022 at 12:16 PM.
 
  

