Well, then, if you are French, you could certainly use encryption to make it a little bit harder for nosy authorities to nose into what you are doing or saying over the Internet. But, if they seriously wanted to know, they're going to find a way to know. One way or the other.
What I meant was: encryption is generally used "to provide secure, reliable communication over an insecure and possibly-hostile [public] network." The data might be concealed for no more reason than "why you routinely put written letters into sealed envelopes." (The data itself might well be "dull and boring," but, "it's nobody's business but yours.") The related technologies of message-signing are valuable even for non-encrypted communications.
When you send a message over the Internet, you don't know who you're talking to, and you don't know who is talking to you, and you also(!) don't know if there's a man in the middle. Your butt is absolutely naked: you have much less protection than you get from that physically-mailed paper envelope, even in the presence of unknown (government) steam-pots. Unless your message is intended for public, non-accountable consumption, the use of basic encryption practices ought to be ... a matter of routine. A matter of elementary prudence.
Guv'mint dude (or dudette) shows up at your door with a bona fide search-warrant issued by the Federal court? What do you do? You comply with the warrant, as the law demands. You hand them the key, because, although you have something to conceal, you have nothing to hide.
Eve has no business reading what Alice sends to Bob. But Frank, the Federal officer, does ... if (under US Law ...) Frank has a warrant "upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized." If Alice or Bob refuse, they are guilty of obstruction of justice. Nevertheless, Frank has no business to enter the data into the public record, nor to unnecessarily violate the expectation of confidentiality that Alice and Bob – who, as soon will be confirmed, have done no wrong – legitimately enjoy. They are, after all, entitled to be "secure in their persons, houses, papers, and effects."
Last edited by sundialsvcs; 02-29-2016 at 03:03 PM.
Well, then, if you are French, you could certainly use encryption to make it a little bit harder for nosy authorities to nose into what you are doing or saying over the Internet. But, if they seriously wanted to know, they're going to find a way to know. One way or the other.
Here, in the context of the COP21 hysteria and their new toy, the « state of emergency » (for which we thank the US), the confiscation of computers has become the hype.
I know all the theories about OpenPGP/GnuPG and encrypting, asymmetric encryption-algorithms and secret keys. But even when I began using cryptography, and that was *before I had the first internet-connection* twenty-five years ago, it was to secure locally stored files. This appears to become a little more important, again. dm-crypt/LUKS with an external key-file works fine, AFAIS. A militant biological farmer who is suddenly said to be in contact with middle-east terror-organizations should not worry too much, although the time he spends under arrest will be long enough to expose him to whichever mischief appears appropriate to the paying customers of the government when the file-system of his computer is plowed through.
As regards mail-encryption, France had long forbidden the use of strong encryption (different from signatures) and I am not very sure about the current jurisdiction. I remember that the government had once insisted on a kind of key-escrow for those who wish. Anyhow, different from Germany and most of Europe, the French are much less aware of and have never taken the same interest in mail-encryption. By signing my mails, I already stick out from the mass in a way unknown from my German past. Probably due to the prevailing legislation which liberated cryptography only in 2004, this technology hits the French « internauts » rather unexpectedly, as most had not followed the development in the 1990s. The French cypherpunk- and mixmaster-remailers, as far as I remember, had been illegal at the epoch. And with the so-called “social media” being admired and enjoying boundless confidence, privacy is a displeasing topic.
This is all very off-topic. But I deem it nonetheless important to move attention away from NSA, CIA, MI6, BND and „Verfassungsschutz“ (the German services that recognized a US-made Osama-video as forgery, when Denmark and Norway were confounded). Yeah. I am not French.
Last edited by Michael Uplawski; 03-01-2016 at 05:15 AM.
Reason: Nice typo. O_s_ama. Not cool.
As I have said before, it puzzles me why corporations make extensive use of e-mail, even to transmit things like airline boarding passes(!), but they do not digitally sign their messages. When an e-mail arrives, say, "from Southwest Airlines," you have no way to know whether or not it is valid. You have no way to prevent someone else from having read the message first. This should be "a matter of great interest" to a government agency that calls itself a "Transportation Security" Agency (sic ...), and it should also of course be of interest to Southwest Airlines.
It would be a simple matter for them to digitally sign every message, and for the mail-transports and popular webmail sites like "gmail" to automatically validate it. A company could even arrange things such that messages "from southwest.com" which are not properly signed are discarded en-route. All of these things are possible, and would be relatively straightforward to implement. With so much money and so much reputation (not to mention, security!) resting on this, why is it not done?
It is a vast vulnerability, indeed for a society, if so much digital communication is completely unprotected, especially when its users treat all such things as "prima facie trustworthy and valid." They have no such reason for that assurance. Why not? We finally persuaded people to use secure web sites, but we pass terabytes of sensitive information around every single day "in the clear." For what reason? "Business (snicker ...) opportunity?!"
Last edited by sundialsvcs; 03-01-2016 at 09:10 AM.
@sundialsvcs It is interesting, what you write, as I have personally no experience with such exchanges by email. Airline boarding passes are a speaking example and I am surprised to hear that they are transmitted by mail... All that I remember and as regards the companies that I deal with seriously, myself, are strong efforts to authenticate customers, services and the data exchanged.
There are exceptions from the rule, notably in France, but they are so hilarious that I would call them amusing rather than alarming. My wife and I choose to exclude exchanges with these few companies (and authorities) by Internet. Maybe there aren't enough attackers, or these folks simply count on someone committing an infraction of the rules one day... but I bet, they are just uninformed.
Yeah, we blithely treat mail as though it was secure ... but don't secure it, even though we easily could.
To me, the need for secure e-mail is just as obvious as the need for a secure "https" web site, but even more so, because an e-mail message is persistent. We use e-mail for exactly the same, often highly-sensitive things.
We seem to have purposely done just about everything in our corporate power to expose vast amounts of communication between billions(!) of people to scrutiny ... "for 'marketing purposes,' you know." This being a total reversal of what we did, say, for telephones, or even for paper-mail. And no one seems to be seriously considering that this might have drastic, even national security, implications.
Think about it: "If hundreds of millions of your citizens are no longer 'secure in their papers and effects,' how can you say that you have achieved 'homeland security?' How can you with a straight face be working so hard to deprive your citizens of that, 'in the name of homeland security?' Do you not see a basic contradiction here?"