Posts by PapaPepe

In praise of Gmail

I consider keeping one's email traffic either on provider's web-mail servers (Gmail or any similar) or on mobile devices operated on behalf of their owners (Apple or Google) as an extremely imprudent thing to do. To those that hold a different opinion, this comment is not likely to be of any value or interest - kindly ignore what follows.

The way I read the article, Google is terminating the ability to fetch traffic from third-party mail services, but there seems to be no indication that they are suspending POP3/SMTP access by mail-client programs running on user's PC. If that is correct, Gmail is actually one of the most reliable and privacy oriented email services around.

Under controlled conditions it will allow creation of an anonymous e-mail address (no secondary email, no telephone number). TOTP can be enabled for such address/account, and using so enabled authentication the account can be enabled for POP3/SMTP access. Faketime and GnuPG version 1.4x on an air-gapped computer can be used to create 4096bit RSA private/public key pair, with no identifying information other than the e-mail address. The public key may either be uploaded to keys.openpgp.org, or it can be passed out-of-email-channel to the correspondents. Thunderbird or similar can be used to read/write encrypted mail on a networked PC. For maximum security, a mail directory on a removable medium can be used by client program such as ALPINE, simultaneously operating on a networked PC to send/receive traffic and on an air-gapped PC to handle encryption/decryption using GnuPG 1.4x. Gmail mail servers have probably highest up-time in the industry, and the account will accept incoming SMTP traffic regardless of how is the client connected to the Internet - including public WiFi hot-spots.

So, whats not to love about Gmail?

Required reading

The article and comments are now on the required reading list for my grand kids.

Google is already secure (but they don't know it ;)

There is no such thing as secure web-mail: no off-the-shelf browser provides any method by which an average user could confirm that script-crypto code sent to the browser at each login is not sending either the cleartext or the private key back to the service provider. However, web-mail system that are OpenPgP conformant (which this Google hogwash is not, but Proton - for instance - is) are of some use: they allow encrypted communication with users that do use OpenPgP encryption in PoP mode with client like Thunderbird on the end-point they are the only administrator of. Thus, with a modicum of care, the damage of breach is restricted to a single pair of communicators).

Incidentally, since Gmail allows creation of anonymous accounts (no CC number, no "recovery" email, no telephone number, no 2FA...), and since as of late it makes PoP/SMTP use mode less cumbersome than it was the case, it is - used with just a bit of knowledge and care - one of the most reliable services that provide e2e encrypted e-mail. Use their web-interface to administer the account only, and download/upload the messages using Thunderbird and OpenPgP. Distribute Captcha-like photographs with full fingerprint of your public key, keep Thunderbird profile and mail folder on encrypted removable media and calmly wait for the adversary to knock on your door with a rubber-hose. (Unless they prefer the "no-knock" MO in your particular jurisdiction).

'antizionist, not antisemitic'

Please enlighten me.

I believe the creation of the state of Israel was an act of grave injustice towards the population of Palestine. It is also my observation that what that state is doing in Gaza today is genocide and not self-defence.

On the other hand, I do not have any ill-feelings towards Jews as an ethnicity, and I am perfectly aware that they themselves suffered immensely during the Third Reich.

If and when simplified political labels can not be avoided, this makes me "antizionist" but not "antisemitic".

(I will consider the ratio of up- vs down-votes as an indication of the correctness of the above-expressed view).

Geese, ganders and hockey sticks

Should the same criteria that applies to software models that can determine the fate of one man be likewise applied to software models that can determine the fate of multitudes?

Just asking...

Plastics?

One word: Truecrypt 7.1a

The only thing you must ensure is not that your adversary never gets physical access to your kit (very hard, with some adversaries impossible), but that she does not manage do so without leaving any trace. With just a bit of imagination, that is often surprisingly easy.

Nothing much to see here...

A pop entertainer rakes in millions selling her sex-appeal. Meanwhile, one of her lonely customers acts on his wet dream and shares a digital file with his compadres. I harbour no sympathy or antipathy for either, and I specifically see no particular reason for the Chief Magistrate to stick her nose into the case.

For those finding graphic artist's behavior disgusting, please consider the following beneficial consequence of the forthcoming deluge of such imagery and footage: simple and convincing deniability by the models featured in such material, whether real or fake. The ability of blackmailing the model is from now on inversely proportional to the volume of such product on the public 'net.

Brilliant engineering...

To turn each wheel with an individually synchro-controlled electric motor was one of the most brilliant ideas in the history of automotive engineering.

To build a practical piece of equipment based on that idea, another related problem had to be solved: how to transfer the energy from a stationary terrestrial infrastructure all the way to the clamps on each one of those electrical motors.

To perform a slow electro-chemical reaction in-situ on a device that weights almost one half of the of the mass of the moving platform itself, and which does not decrease as the energy is consumed is probably the most idiotic idea in the whole history of engineering.

OpenPGP

As far as I was able to find out, Proton is the only web-mail service that is fully interoperable with OpenPGP {https://www.openpgp.org/). (It does not implement W-O-T, but so does not - for instance - Thunderbird native OpenPGP).

Can somebody please correct me if I failed to identify another service?

Implementing "E2E mail encryption" only for the traffic between users of the same web-mail service vendor is pointless, even if done "lege artis" - which this is far from.