I will have to conclude that importing PGP keys into Thunderbird (78.7.1) on Manjaro isn't going to happen for me. I have tried everything, including the little dance and the burning of camel whiskers whilst rotating west. Nothing works. When searching online I only find people that have the same issue.

Somehow it both tells me "Great! Your personal key is now imported!" whilst also, in the very same box, saying "Sorry, there are no keys for this account."

Ah well. If you are trying to send me encrypted mails I can still read/open them on my Mac, where Canary works just as usual with the very same keys.

@mathias So when did you receive an encrypted e-mail (for a good reason, not just a joke) the last time? Or in other words, how many did you receive last year?

@FailForward haha, three. 2 from myself to ensure it was working, 1 from a mate. I have spent an exponential time vs benefit on it, yet it is part of the things I usually sort out on new machines, "just in case". :D

@mathias My experience too. Between 2000-2003 almost all my work e-mails were encrypted. Since I left that place, the only encrypted e-mails I sent/received were passwords sent around. And since we have encrypted channels in Element/Matrix, not even that is a use case for e-mails anymore.

I however use my GPG keys extensively for 1) signing my e-mails - I find that extremely appealing, especially in business context; and 2) ssh keys (I use GPG key on a Yubikey with ssh-agent for access). But encrypted e-mails? Not really any more…

@FailForward @mathias
Sorry for interference here, but encrypting private messages makes sense in, how do I put it, politically tense situations. Especially for certain types of messages. I usually don't use it but most of my friends (ones who know how to use the stuff) have my public pgp just in case. You never know these days.

Indeed, you are right. But you shall do a proper threat/risk analysis. For instance, there’s this problem: with PGP/GPG your e-mail is encrypted in transport, but then you read it on a potentially compromised machine. I find the most annoying thing with encrypted e-mail is that I cannot search in it (I do search in my mailbox 20 years back quite often). Finally, often the metadata is more damning than the content: “hey, so you communicated with that and that criminal? Ahaa!” - and I am not going to look up that xkcd comic with the wrench, you saw it, I am sure ;-).

It seems to me, for really really politically sensitive comms, I would think deeply about the whole transport chain and I would not let the thing even touch my e-mail - like never even touch 1) my domains (ideally not even country TLD which can be associated with me), 2) certainly not any SMTP/IMAP servers associated with me, 3) not even any direct connection with my own computer. And I would care deeply about whether the message is persistent (bad!) or ephemeral (good!). In this sense, maybe Tor+anonymous Protonmail account - if it must be e-mail, or ideally some ephemeral anonymous snapchat stuff could work better than e-mail. Simply: go the Snowden way.

@mathias

Anyway, just for the fun of it 😉 : xkcd.com/538/

@FailForward @mathias
:D I think I have seen this at some point, indeed. The point is not necessarily to protect oneself from being taken in. If they caught you there is little to nothing that can be done. But covering your ass up at least from automated search queries is good enough. And I’m not necessarily talking about emails, more like instant messaging.

The funny thing is, I've ensured I have also set up various instant messaging apps. I prefer Signal for those that have my phone number, but I've also set up XMPP, Wire and Jami so I can be contacted by people who do not have my phone number and I don't feel comfortable enough to share it with yet either.
The thing is: I know exactly zero people that have any of those services. I can't even test them, hehe. A lot of it though is mainly to "be ready" for that day when I wish I had them. They haven't cost me anything to set up either so...one day perhaps! :)

@mathias @FailForward
I use telegram daily, not for security perks as there are none, but mostly for convenience and dope stickers. And there is signal if tg goes down or whatever.

@academicalnerd @mathias I was thinking today about the fact that encrypted e-mail still leaks metadata. This is an acceptable risk in business where it’s typically public with whom you trade, but you need to exchange trade secrets, i.e., content. Leaking metadata is problematic in 2 contexts: against corporates which build your profile and against state actors. I find it somewhat amusing that plenty (if not most) people who want to protect their privacy and are fleeing WhatsApp still use gmail accounts all the time 😂.

Anyway, I am digressing. What I wanted to say is this: it’s probably fair to say that GPG encrypted e-mail is about the same level of privacy as WhatsApp. You don’t leak content, but you leak metadata. Now the question is “to whom?”. In the case of e-mail potentially to state actors (filtering traffic and illegal access to servers). In the case of WhatsApp, it’s to FB AND US govt et al, i.e., selected state actors (let’s not be naive, we need to assume that FB cooperates). If you use Gmail, the same.

To finish off this rant, I have a feeling that using WhatsApp might not be actually too bad in the end. I'd rather leak my metadata to US govt than to Chinese.

Of course this is all somewhat incoherent late Friday stuff, anyway, I am in a mood to rant a bit :-).

@academicalnerd @mathias BTW, recently there was this chatter about Delta Chat flying around here. Go and check out delta.chat/en/. I find it so intriguing. Implemented via existing e-mail channels, i.e., SMTP (and IMAP?). No phone numbers, no central servers, no nothing. You can directly speak to anybody via their e-mail, even if they never heard about delta chat, it’s all encrypted (as e-mails in transport), etc. Since I found out about it, I wonder “how come nobody came up with this idea before?!” It’s just so obvious… Hidden in plain sight. I am really intrigued… Need to check out.

@FailForward @mathias
That looks dope. I added it to bookmarks, gonna nerd into the thing later…

@academicalnerd @mathias So I tested this and it works really well.

1. when you chat with somebody who does not use delta chat, they receive a plain e-mail and can respond
2. when you speak to somebody with delta chat, the clients exchange public gpg keys and everything they send will be encrypted with Autocrypt
3. works via IMAP(+push)+SMTP/SSL
4. uses a separate IMAP folder called Deltachat. Stuff inside is encrypted, all comms are there. Including read notifications. I checked the raw data, it’s just standard GPG block with extra e-mail headers.
5. I think this is an absolutely cool piece of tech.
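The key exchange in point 2 is the Autocrypt mechanism: each outgoing mail carries an `Autocrypt:` header with the sender's address and a base64 OpenPGP public key, and a receiving client only records that key if the header is well formed and its `addr` matches the `From` address. The following is an added example (not code from Delta Chat or from anyone in this thread) showing how a client would parse and validate such a header; the message and the `keydata` value are constructed placeholders, and the function names `parse_autocrypt_header` and `extract_autocrypt` are assumptions for this illustration.

```python
import base64
import email
import email.utils
from email import policy

# Constructed sample message (not a real key): the keydata is a base64 placeholder
# standing in for an OpenPGP public key, folded across two header lines as mail
# clients commonly do with long Autocrypt headers.
SAMPLE_KEYDATA = base64.b64encode(b"OPENPGP-PUBLIC-KEY-PLACEHOLDER").decode()
SAMPLE_MESSAGE = f"""From: alice@example.org
To: bob@example.net
Subject: hello
Autocrypt: addr=alice@example.org; prefer-encrypt=mutual;
 keydata={SAMPLE_KEYDATA}
Date: Fri, 12 Feb 2021 10:00:00 +0000

hi bob
"""

KNOWN_ATTRIBUTES = ("addr", "prefer-encrypt", "keydata")


def parse_autocrypt_header(value):
    """Split one Autocrypt header value ('k=v; k=v; ...') into a dict."""
    attrs = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed Autocrypt attribute: {part!r}")
        key, val = part.split("=", 1)
        # Folding whitespace may have been inserted inside the base64 keydata.
        attrs[key.strip()] = "".join(val.split())
    return attrs


def extract_autocrypt(raw_message):
    """Return (addr, prefer_encrypt, key_bytes) for a valid header, else None.

    A receiving client ignores the header (and leaves its stored peer state
    untouched) when there is not exactly one Autocrypt header, when an unknown
    critical attribute (no leading underscore) is present, when addr does not
    match the From address, or when keydata is not valid base64.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    headers = msg.get_all("Autocrypt") or []
    if len(headers) != 1:
        return None
    try:
        attrs = parse_autocrypt_header(str(headers[0]))
    except ValueError:
        return None
    for key in attrs:
        if key not in KNOWN_ATTRIBUTES and not key.startswith("_"):
            return None
    if "addr" not in attrs or "keydata" not in attrs:
        return None
    from_addr = email.utils.parseaddr(str(msg["From"]))[1].lower()
    if attrs["addr"].lower() != from_addr:
        return None  # a header claiming a key for someone other than the sender is dropped
    try:
        key_bytes = base64.b64decode(attrs["keydata"], validate=True)
    except ValueError:
        return None
    prefer = attrs.get("prefer-encrypt", "nopreference")
    return (from_addr, prefer, key_bytes)


if __name__ == "__main__":
    print(extract_autocrypt(SAMPLE_MESSAGE))
```

The `addr`/`From` check is the part worth noticing: without it, anyone who can inject a header into a message could plant a public key for a third party, and later mail to that party would be encrypted to the wrong key. The decoded bytes would then be handed to an OpenPGP implementation for the actual key parsing, which is outside the scope of this example.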

@FailForward @academicalnerd @mathias will check out deltachat when I get some time.

An angle that gets missed with the "don't worry unless it's politically sensitive" approach is that state actors at least, and large corporations at worst, get a free option on reading your data. Or to be more precise, they get a free option on *most* people's data while more privacy concerned folks have a more "hardened" chain of comms; this free option on comms for most people is a social engineer's gold mine.

If you can measure it, you can control it. Now I don't believe that much social engineering goes into much more than getting people to spend money *most* of the time and that most of the evils of social media are byproducts of technological amplification of what makes humans tick.

But on balance of probability there are certain hot button political issues that social engineering might be used in earnest. If 90% of the population's day-to-day chatter was accessible it would make it simple to measure what was on people's minds and, as I said, if you can measure it you can control it. The infamous "memory hole" might well operate on a similar principle.

Even if this sort of thing isn't done right now it's not a great tool to leave on the table. So while I'm a big fan of privacy tech we still leave most of our societies open to this stuff, on the aggregate. Social media isn't going anywhere and people actually *want* to share this stuff, can't stop 'em and it is a big part of our lives now for better or worse.

In any case, a fairly standardised and easy to use decentralised messaging service would be a really strong medium/long term goal. Most people you talk to aren't happy about being listened to in private comms (everyone has a story about getting ads for stuff they spoke about in private) and would use a service if it was simple and easy to use.

TL;DR Using hardened comms for politically sensitive stuff is a good stopgap but we need to be more ambitious and inclusive to deny "soft surveillance" to would-be social engineers

@skells

Using hardened comms for politically sensitive stuff is a good stopgap but we need to be more ambitious and inclusive to deny “soft surveillance” to would-be social engineers

Absolutely. As engineers, we however need to understand that there’s a balance between privacy and convenience. Most people fall for convenience first, privacy later. I.e., we need to make privacy convenient.

@FailForward @skells @mathias
Good. Lord. Tried deltachat out today, it’s sooo good. Ridiculously good. Like telegram, but actually, you know, secure. And the client is pretty good, too.