Proposal - transferring a NaClbox public key with a dumb phone

Stefan Claas

Dec 21, 2021, 9:53:05 AM
Hi all,

DJB's NaCl crypto library is pretty cool IMHO, but as with many public key crypto systems, the problem of Eve acting as MITM is known.

When Alice and Bob meet in a local computer club or pub with friends
they only have to exchange pieces of paper with the key written on.

But when Alice likes to transfer her key to Maria, in Germany, it might
be an issue since the key is only a string of hex values, when sending
as email.

I like to show a possible way (privacy costs money) which hopefully
makes it harder for Eve.

Alice calls Maria and tells her how to create her NaClbox[1] key pair.

Once Maria has created the key pair, on an offline device, she then
creates a token with hashcash[2] where the verifiable token contains
her pub key and her phone number, in international notation.

In step two she creates from that token a QR-Code and submits it
to a blockchain[3] time stamping service. When the QR-Code image
is published on the blockchain, she simply sends then the .png image
with her dumb phone as MMS to Alice.

Maria and Alice of course could have read the hex values over the
phone and compare them, but it could also introduce errors and then
they have to call each other again.

Another possible advantage this procedure might have is that Maria
could also publish a link from a censor resistant IPFS[4] directory,
containing the data, on her website, so that others may use her key too,
for encrypted MMS communications.

What do you think about this proposal?

[1] https://github.com/rovaughn/box

[2] https://github.com/catalinc/hashcash

[3] https://originstamp.com/verify/

[4] https://ipfs.io/ipfs/QmSuZ8d2Xyt8fLiwXwU7FhSSyAVydMKsbNU2QrAWatNRKq

If you download from [4] the data and verify with [3] the .png image
it should tell you that the data is ok. If you then decode the QR-Code
you will see Maria's pub key in the first string part and her dumb phone
number in the second string part, which should also verify OK with [2].

Regards
Stefan
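
The token check described in the post above, as an added example that is not part of the original post or of the tools it links: it mints and verifies a hashcash version 1 stamp whose resource field carries the public key and the phone number. The `key;number` layout, the 16-bit demo difficulty, and the sample key and number are assumptions constructed here, and the stamp is not claimed to be byte-compatible with the tool in [2].

```python
import base64
import hashlib
import os
import re
from datetime import datetime, timezone

DEMO_BITS = 16  # assumption: kept low so the example runs quickly

PUBKEY_RE = re.compile(r"[0-9a-f]{64}")       # 32-byte NaCl box public key as hex
PHONE_RE = re.compile(r"\+[1-9][0-9]{6,14}")  # international (E.164) notation

# Constructed sample values, not a real key or a real phone number.
MARIA_PUBKEY = hashlib.sha256(b"constructed demo key").hexdigest()
MARIA_PHONE = "+4915550100"


def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the start of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def stamp_work(stamp: str) -> int:
    """Work actually present in a stamp: leading zero bits of its SHA-1."""
    return leading_zero_bits(hashlib.sha1(stamp.encode("utf-8")).digest())


def mint(pubkey_hex: str, phone: str, bits: int = DEMO_BITS) -> str:
    """Build a version 1 stamp: ver:bits:date:resource:ext:rand:counter."""
    if not (PUBKEY_RE.fullmatch(pubkey_hex) and PHONE_RE.fullmatch(phone)):
        raise ValueError("bad public key or phone number")
    resource = f"{pubkey_hex};{phone}"  # assumed layout: key first, number second
    date = datetime.now(timezone.utc).strftime("%y%m%d")
    rand = base64.b64encode(os.urandom(12)).decode("ascii")
    prefix = f"1:{bits}:{date}:{resource}::{rand}:"
    counter = 0
    while stamp_work(prefix + format(counter, "x")) < bits:
        counter += 1
    return prefix + format(counter, "x")


def verify(stamp: str, min_bits: int = DEMO_BITS, expected_phone: str = None):
    """Return (pubkey_hex, phone) if the stamp is well formed and its work holds."""
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1":
        raise ValueError("not a version 1 stamp")
    if not fields[1].isdigit() or int(fields[1]) < min_bits:
        raise ValueError("stamp claims too little work")
    if stamp_work(stamp) < int(fields[1]):
        raise ValueError("proof of work does not match the stamp contents")
    pubkey_hex, _, phone = fields[3].partition(";")
    if not PUBKEY_RE.fullmatch(pubkey_hex):
        raise ValueError("resource does not start with a 32-byte hex key")
    if not PHONE_RE.fullmatch(phone):
        raise ValueError("resource does not end with an international number")
    # The work proves CPU time was spent, not who spent it, so the receiver
    # still compares the number with the one she actually called.
    if expected_phone is not None and phone != expected_phone:
        raise ValueError("phone number differs from the one that was called")
    return pubkey_hex, phone


if __name__ == "__main__":
    stamp = mint(MARIA_PUBKEY, MARIA_PHONE)
    print("stamp:", stamp)
    print("decoded:", verify(stamp, expected_phone=MARIA_PHONE))
    try:
        # Any edit to the key or number changes the hash the work was done on.
        verify(stamp.replace(MARIA_PUBKEY, "0" * 64))
    except ValueError as err:
        print("edited stamp rejected:", err)
```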





Richard Heathfield

Dec 21, 2021, 10:11:50 AM
"Against all odds, over a noisy telephone line, tapped by the tax
authorities and the secret police, Alice will happily attempt, with
someone she doesn't trust, whom she can't hear clearly, and who is
probably someone else, to fiddle her tax return and to organise a
coup d'etat, while at the same time minimising the cost of the phone
call." - John Gordon

--
Richard Heathfield
Email: rjh at cpax dot org dot uk
"Usenet is a strange place" - dmr 29 July 1999
Sig line 4 vacant - apply within

Stefan Claas

Dec 21, 2021, 10:24:53 AM
Since Alice knows her friend Maria they can of course use the noiseless
postal system. :-) But it may not be so reliable in the United States, as it
occurred to me in the past, and I had to send then again an expensive
registered letter.

Regards
Stefan

Stefan Claas

Dec 24, 2021, 2:39:17 PM
On Tuesday, December 21, 2021 at 3:53:05 PM UTC+1, Stefan Claas wrote:

> Another possible advantage this procedure might have is that Maria
> could also publish a link from a censor resistant IPFS[4] directory,
> containing the data, on her website, so that others may use her key too,
> for encrypted MMS communications.

An important note. When Alice and Maria like to communicate via
encrypted MMS they will figure out that QR-Codes can not store that
much data, so they will most likely need a tool that allows them to
send encrypted NaClbox payloads as noisy .png images[1]. If they
like to hide that they send a noisy .png image they have the option
to hide that image in another image, or movie clip[2].

Another thing to keep in mind is how much data each telecommunications
carrier can handle with MMS. In Germany, for example, the max. size AFAIR
is 300 KB.

[1] https://github.com/jweyrich/imgify

[2] https://github.com/umahmood/steg

Regards and Happy Holidays
Stefan

Stefan Claas

Dec 24, 2021, 4:18:37 PM
On Friday, December 24, 2021 at 8:39:17 PM UTC+1, Stefan Claas wrote:
> On Tuesday, December 21, 2021 at 3:53:05 PM UTC+1, Stefan Claas wrote:

> Another thing to keep in mind is how much data each telecommunications
> carrier can handle with MMS. In Germany, for example, the max. size AFAIR
> is 300 KB.

If in doubt and both have sufficient funds, they can of course split messages
and in case the file size of the original was odd they can pad the parts, so that
all are equal and as a little gag for Eve they can add equal sized dummy parts
with openssl and run the original parts through a format preserving cipher, for
obfuscation so that all parts are not distinguishable from each other.

Regards
Stefan




Snail Mail Blob

Dec 28, 2021, 7:06:06 AM
The postal mails between two P.O. boxes are usually more secure than any
encrypted channel where PKI is involved. The likelihood of any spy or
spook tapping your particular first class letter for eavesdropping is
statistically close to zero. There are strong penal laws in most
countries that dissuade that sort of activity. It occasionally happens,
but the volume of mails is so vast that it is the needle in a haystack
problem for Alice.

If one uses an inner envelope that is tamper evident then one won't end
up using a compromised key if the letter is tampered by state agents.

I had this happen once with an encrypted USB flash drive many years ago
when USB media was a brand new thing and thus was treated suspiciously
as if it were a cloak and dagger device. Someone at the post office
opened the envelope, and upon realizing it was a tamper evident setup
they just kept the flash drive and sent the envelope along empty. They
tore gashes in the outer envelope to make it look like accidental
damage. Always encrypt removable media! And send microSD cards instead
of thumb drives.

Sending an initial session key via the post office to negotiate a later
key exchange is almost as secure as exchanging keys in the pub.

What does it cost, like a dollar or two to send an international letter?
A tamper-proof inner envelope will cost less than a dollar.

You can use tape and super glue on a regular envelope to convert it to
tamper-evident.

Draw smiley faces all over the envelope, smear some superglue streaks on
the envelope, cover that over by sealing the key inside with packing
tape, then lay several courses of tape on it and rub on the super glue
across the tape. Then glue that inner envelope into the outer envelope,
making it impossible to open without destroying both envelopes.

It will take about five minutes. Not a big time investment. It is
impossible to steam off and remove the tape without visibly damaging the
envelopes and smiley faces.

If you are really paranoid, use a piece of thin, rough felt, or
styrofoam packing felt, for the inner envelope. The felt will get torn
to shreds by any manipulation of the covering tape.

The nice thing about this kind of key exchange is that once you have the
mailed key, using it you can start off with a cascade of symmetric
ciphers over a big blob file and exchange a whole basket of new
symmetric keys and pads over any channel before using any asymmetric
ciphers at all.


Stefan Claas

Dec 28, 2021, 4:33:38 PM
On Tuesday, December 28, 2021 at 1:06:06 PM UTC+1, Snail Mail Blob wrote:

[...]

Sorry for making 'snip', and thanks for your detailed reply!

I ordered also a brand-new Fax machine, which looks pretty awesome
(Laserfax) and which cost me 300 Euros and should then replace
private emails, which are IMHO nowadays pretty outdated.

Good old and hardworking postman plus fax machines rules! :-)

Regards
Stefan

Stefan Claas

Dec 28, 2021, 4:38:09 PM
BTW. I forgot ... NFC stickers on postcards are also pretty cool,
if you purchase then a reader/writer for NFC tags. Good free
software for that is available, and it is also a lot of fun to use
them with offline devices.

Regards
Stefan

Snail Mail Blob

Dec 28, 2021, 5:12:26 PM
Any time! I am jealous that you have a fax machine. Now I will have to
get one so I can fax you! I will send you all kind of silly memes you
can tape to your wall or use to light cigars.

I agree that email is outdated. Email providers seem to refuse to update
POP/IMAP protocols to handle end-to-end encryption gracefully. Using PGP
is still a pain for the uninitiated, so almost nobody uses it aside from
crypto experts and hackers.

Thought experiment: negotiate shared key using three-pass protocol via
fax machines.

Stefan Claas

Dec 28, 2021, 8:21:40 PM
On Tuesday, December 28, 2021 at 11:12:26 PM UTC+1, Snail Mail Blob wrote:
> On 12/28/21 3:33 PM, Stefan Claas wrote:
> > On Tuesday, December 28, 2021 at 1:06:06 PM UTC+1, Snail Mail Blob wrote:
> >
> > [...]
> >
> > Sorry for making 'snip', and thanks for your detailed reply!
> >
> > I ordered also a brand-new Fax machine, which looks pretty awesome
> > (Laserfax) and which cost me 300 Euros and should then replace
> > private emails, which are IMHO nowadays pretty outdated.
> >
> > Good old and hardworking postman plus fax machines rules! :-)
> Any time! I am jealous that you have a fax machine. Now I will have to
> get one so I can fax you! I will send you all kind of silly memes you
> can tape to your wall or use to light cigars.

Sure, we can do this. I had to order today also one telephone line adapter,
which should hopefully arrive on the weekend, because an old one is broken.

> I agree that email is outdated. Email providers seem to refuse to update
> POP/IMAP protocols to handle end-to-end encryption gracefully. Using PGP
> is still a pain for the uninitiated, so almost nobody uses it aside from
> crypto experts and hackers.

Correct, and I already gave up on PGP.

> Thought experiment: negotiate shared key using three-pass protocol via
> fax machines.

Yes, please. We should work out something so that it is useful for the
sci.crypt community, and it is IMHO a good learning exercise.

Regards and Good Night
Stefan

Richard Heathfield

Dec 29, 2021, 4:38:27 AM
On 28/12/2021 22:13, Snail Mail Blob wrote:
> On 12/28/21 3:33 PM, Stefan Claas wrote:
>> On Tuesday, December 28, 2021 at 1:06:06 PM UTC+1, Snail Mail Blob wrote:
>>
>> [...]
>>
>> Sorry for making 'snip', and thanks for your detailed reply!
>>
>> I ordered also a brand-new Fax machine, which looks pretty awesome
>> (Laserfax) and which cost me 300 Euros and should then replace
>> private emails, which are IMHO nowadays pretty outdated.
>>
>> Good old and hardworking postman plus fax machines rules! :-)
>
> Any time! I am jealous that you have a fax machine. Now I will have to
> get one so I can fax you!

You shouldn't need to. Lots of people wrote fax emulators back in the
day, some of them very good. It shouldn't be hard to find one online.

Stefan Claas

Dec 29, 2021, 5:17:47 AM
On Wednesday, December 29, 2021 at 10:38:27 AM UTC+1, Richard Heathfield wrote:
> On 28/12/2021 22:13, Snail Mail Blob wrote:
> > On 12/28/21 3:33 PM, Stefan Claas wrote:
> >> On Tuesday, December 28, 2021 at 1:06:06 PM UTC+1, Snail Mail Blob wrote:
> >>
> >> [...]
> >>
> >> Sorry for making 'snip', and thanks for your detailed reply!
> >>
> >> I ordered also a brand-new Fax machine, which looks pretty awesome
> >> (Laserfax) and which cost me 300 Euros and should then replace
> >> private emails, which are IMHO nowadays pretty outdated.
> >>
> >> Good old and hardworking postman plus fax machines rules! :-)
> >
> > Any time! I am jealous that you have a fax machine. Now I will have to
> > get one so I can fax you!
> You shouldn't need to. Lots of people wrote fax emulators back in the
> day, some of them very good. It shouldn't be hard to find one online.

True, but in the days of popular and undetectable Government Trojans
it might be better to use a dedicated fax machine with an offline usage
computer. Not to mention the almost daily security holes in popular
Operating Systems, like Linux, Mac and Windows.

Regards
Stefan

Rich

Dec 29, 2021, 9:13:09 AM
Stefan Claas <spam.tra...@gmail.com> wrote:
> On Wednesday, December 29, 2021 at 10:38:27 AM UTC+1, Richard Heathfield wrote:
>> On 28/12/2021 22:13, Snail Mail Blob wrote:
>> > On 12/28/21 3:33 PM, Stefan Claas wrote:
>> >> On Tuesday, December 28, 2021 at 1:06:06 PM UTC+1, Snail Mail Blob wrote:
>> >>
>> >> [...]
>> >>
>> >> Sorry for making 'snip', and thanks for your detailed reply!
>> >>
>> >> I ordered also a brand-new Fax machine, which looks pretty awesome
>> >> (Laserfax) and which cost me 300 Euros and should then replace
>> >> private emails, which are IMHO nowadays pretty outdated.
>> >>
>> >> Good old and hardworking postman plus fax machines rules! :-)
>> >
>> > Any time! I am jealous that you have a fax machine. Now I will have to
>> > get one so I can fax you!
>> You shouldn't need to. Lots of people wrote fax emulators back in the
>> day, some of them very good. It shouldn't be hard to find one online.
>
> True, but in the days of popular and undetectable Government Trojans
> it might be better to use a dedicated fax machine with an offline usage
> computer.

What attack scenario are you protecting against by using a dedicated fax
machine?

Because now you have to trust that the firmware of the fax machine does
not itself contain an "undetectable Government Trojan".

You also have added the issue that it is trivial, given a court order,
for the government to 'tap' your phone line which you use for your
dedicated fax machine, in order to capture each 'fax' that you
send/receive.

Stefan Claas

Dec 29, 2021, 10:59:33 AM
On Wednesday, December 29, 2021 at 3:13:09 PM UTC+1, Rich wrote:
> Stefan Claas <spam.tra...@gmail.com> wrote:
> > On Wednesday, December 29, 2021 at 10:38:27 AM UTC+1, Richard Heathfield wrote:
> >> On 28/12/2021 22:13, Snail Mail Blob wrote:
> >> > On 12/28/21 3:33 PM, Stefan Claas wrote:
> >> >> On Tuesday, December 28, 2021 at 1:06:06 PM UTC+1, Snail Mail Blob wrote:
> >> >>
> >> >> [...]
> >> >>
> >> >> Sorry for making 'snip', and thanks for your detailed reply!
> >> >>
> >> >> I ordered also a brand-new Fax machine, which looks pretty awesome
> >> >> (Laserfax) and which cost me 300 Euros and should then replace
> >> >> private emails, which are IMHO nowadays pretty outdated.
> >> >>
> >> >> Good old and hardworking postman plus fax machines rules! :-)
> >> >
> >> > Any time! I am jealous that you have a fax machine. Now I will have to
> >> > get one so I can fax you!
> >> You shouldn't need to. Lots of people wrote fax emulators back in the
> >> day, some of them very good. It shouldn't be hard to find one online.
> >
> > True, but in the days of popular and undetectable Government Trojans
> > it might be better to use a dedicated fax machine with an offline usage
> > computer.
> What attack scenario are you protecting against by using a dedicated fax
> machine?

Most important for me is reliability, which cannot be guaranteed with
email, once they have you on the radar. Secondly in combination with an
offline device, it is much more secure than email with an online device.
>
> Because now you have to trust that the firmware of the fax machine does
> not itself contain an "undetectable Government Trojan".

I trust classic Fax machines, Made in Japan, more than computers
designed in the United States, with CPU backdoors etc.

> You also have added the issue that it is trivial, given a court order,
> for the government to 'tap' your phone line which you use for your
> dedicated fax machine, in order to capture each 'fax' that you
> send/receive.

They can do that if they wish, same as third parties can do with email.

But with Fax I am the boss, so to speak, and not my email or a VPS
provider and it is more decentralized, even if the phone lines nowadays
run also via the Internet.

And last but not least, fax is cool (privacy costs money) compared
to free email, everybody uses (that's why they use it ...).

Regards
Stefan

Snail Mail Blob

Dec 29, 2021, 12:02:18 PM
Imagine this thought exercise.

Fax a page of encrypted QR codes for which only the recipient has the
keys. Recipient scans the QR codes in as ciphertext then decrypts. No
plaintext has transited via fax, and both parties now have timestamped,
hard copy of ciphertext for their files.

This antique system is quite trusty compared to Google mail.

Rich

Dec 29, 2021, 12:26:31 PM
Stefan Claas <spam.tra...@gmail.com> wrote:
> On Wednesday, December 29, 2021 at 3:13:09 PM UTC+1, Rich wrote:
>> Stefan Claas <spam.tra...@gmail.com> wrote:
>> > On Wednesday, December 29, 2021 at 10:38:27 AM UTC+1, Richard Heathfield wrote:
>> >> On 28/12/2021 22:13, Snail Mail Blob wrote:
>> >> > On 12/28/21 3:33 PM, Stefan Claas wrote:
>> >> >> On Tuesday, December 28, 2021 at 1:06:06 PM UTC+1, Snail Mail Blob wrote:
>> >> >>
>> >> >> [...]
>> >> >>
>> >> >> Sorry for making 'snip', and thanks for your detailed reply!
>> >> >>
>> >> >> I ordered also a brand-new Fax machine, which looks pretty awesome
>> >> >> (Laserfax) and which cost me 300 Euros and should then replace
>> >> >> private emails, which are IMHO nowadays pretty outdated.
>> >> >>
>> >> >> Good old and hardworking postman plus fax machines rules! :-)
>> >> >
>> >> > Any time! I am jealous that you have a fax machine. Now I will have to
>> >> > get one so I can fax you!
>> >> You shouldn't need to. Lots of people wrote fax emulators back in the
>> >> day, some of them very good. It shouldn't be hard to find one online.
>> >
>> > True, but in the days of popular and undetectable Government Trojans
>> > it might be better to use a dedicated fax machine with an offline usage
>> > computer.
>> What attack scenario are you protecting against by using a dedicated fax
>> machine?
>
> Most important for me is reliability, which cannot be guaranteed
> with email, once they have you on the radar.

Nor can reliability be guaranteed with fax, once they have you on the
radar. If you are "on the radar" then you have a much more difficult
time at everything.

> Secondly in combination with an offline device, it is much more
> secure than email with an online device.

You can do the same with an airgapped system as well. The 'fax
machine' will be 'online' (to the extent that it is connected to a
phone line). If you are "on the radar" do not for one second believe
that your "fax machine" is somehow less "online" than a computer, to
the relevant authorities that have you "on the radar".

>> Because now you have to trust that the firmware of the fax machine
>> does not itself contain an "undetectable Government Trojan".
>
> I trust classic Fax machines, Made in Japan, more than computers
> designed in the United States, with CPU backdoors etc.

False trust. A fax machine is, underneath the plastic, a computer at
heart as well. And it /can/ contain all the same backdoors that a
computer can contain. As well, it is quite possible your Japan made
fax machine contains the same CPU, with the same backdoors, as the
United States made computer. I.e., an Intel CPU, might just be the CPU
powering the computer that is the "fax machine".

>> You also have added the issue that it is trivial, given a court
>> order, for the government to 'tap' your phone line which you use for
>> your dedicated fax machine, in order to capture each 'fax' that you
>> send/receive.
>
> They can do that if they wish, same as third parties can do with email.

Which means using fax has not bought you anything other than the false
feeling of protection.

> But with Fax I am the boss, so to speak, and not my email or a VPS
> provider and it is more decentralized,

How do you reach this conclusion? I don't recognize your reasoning.

> even if the phone lines nowadays run also via the Internet.

Once you no longer have a legacy copper phone line to a 7ess switch,
then you no longer have the 'mild' isolation of the phone network
providing some minimal level of security. As soon as your phone calls
traverse the internet, you have all the same 'on the internet' issues
as with every other transmission medium which uses the internet,
including email.

> And last but not least, fax is cool (privacy costs money) compared to
> free email, everybody uses (that's why they use it ...).

This is such an odd point of view, given that so many see fax as an
archaic legacy system of a time long ago.

Do note that nothing prevents you from operating your own email server
and thereby removing the "free email provider" from the mixture. I've
hosted my own email for about twenty years now, I've never used the
"free providers" for anything other than throwaway test accounts.

Rich

Dec 29, 2021, 12:29:52 PM
Besides the "hardcopy" (note, not guaranteed, because the receiver
could be receiving the 'fax' into an image file on a computer, not a
legacy scanner/printer style fax machine) aspect, if the "encryption"
is sound, what benefit is gained by converting the encrypted data to qr
codes for fax transmission?

If the encryption is sound, simply transmitting the encrypted file as a
file using any of the various file transfer methods, achieves the same
result.

And, if the recipient wanted "hard copy" for their paper files, they
could always create and print a qr code hard copy for themselves.

Stefan Claas

Dec 29, 2021, 1:18:54 PM
Yes, I worked with QR-Codes in the past, for small payloads and it
works fine. I also have a words' encoder/decoder on GitHub, which
allows converting binary blobs to simple five-letter words (German
and English version) as a much better alternative, to mnemonicode
or the PGP word list, for people with basic English skill, say a guy
from Bavaria (Germany) would fax a document to a guy in Japan.

> This antique system is quite trusty compared to Google mail.

For sure, and not only Gmail.

Regards
Stefan

Stefan Claas

Dec 29, 2021, 1:26:17 PM
On Wednesday, December 29, 2021 at 6:26:31 PM UTC+1, Rich wrote:

[...] sorry for making 'snip' and not quoting.

If more and more people (globally) would return to fax machines,
for private and business comms, third parties have plenty of work.

And please do not forget, that a fax IMHO can be better protected
from third parties, if not all phone lines are running through the
Internet, in case some countries, or parts of their, do not like the
global American centralization system, of the commercial Internet,
Democrat Al Gore has 'invented'. And optionally there are copy shops
where people can fax documents too.

Back to the roots :-) UUCP email and Usenet should also be explored
explored on Raspberry Pis at home, via Elon Musk his super
Starlink, which then ISPs have no access to and Elon Musk
is IMHO a cool guy.

BTW. I run for many years also my own postfix email server.

Regards
Stefan

Rich

Dec 29, 2021, 2:24:30 PM
Stefan Claas <spam.tra...@gmail.com> wrote:
> On Wednesday, December 29, 2021 at 6:26:31 PM UTC+1, Rich wrote:
>
> [...] sorry for making 'snip' and not quoting.
>
> If more and more people (globally) would return to fax machines,
> for private and business comms, third parties have plenty of work.

As to the businesses -- because now to "transfer data" requires the
hiring of key-punch clerks to read the fax and type the data into the
computer system on the receiving end where it is intended. A slow, and
error prone, process as compared to the receiving end consuming a
computer readable format (JSON/XML/protobufs/etc.).

> And please do not forget, that a fax IMHO can be better protected
> from third parties,

Only minimally. Not sufficient that the parties can forgo encryption
of the data if they wish to keep it secret. And once the data is
properly encrypted, there is no additional security gained by "faxing"
it.

> if not all phone lines are running through the Internet, in case some
> countries, or parts of their, do not like the global American
> centralization system, of the commercial Internet, Democrat Al Gore
> has 'invented'.

Ah, that one... That one was another 'out of context' quote by our
news media. https://www.snopes.com/fact-check/internet-of-lies/

> And optionally there are copy shops where people can
> fax documents too.

Yes, but.... If the contents are properly encrypted, 'faxing' (which
necessitates converting into an image format) adds no additional
security.

> Back to the roots :-) UUCP email and Usenet should also be explored
> on Raspberry Pis at home,

One does not need UUCP once one has a proper TCP/IP pipe up and going.
But in any case, email can be done at home. The reason why most do not
is that most do not have the skill to do so, not because it is an
impossibility.

> via Elon Musk his super Starlink, which then ISPs have no access to
> and Elon Musk is IMHO a cool guy.

Except that starlink is just another ISP, and when the authorities have
you "in their radar" using starlink will no more help you than using
Verizon, Comcast, Amazon AWS, or any other "ISP". When the authorities
serve Starlink with a court order for tapping out your comms, Starlink
will comply just as much as the rest will also comply.

Stefan Claas

Dec 29, 2021, 2:48:14 PM
On Wednesday, December 29, 2021 at 8:24:30 PM UTC+1, Rich wrote:
> Stefan Claas <spam.tra...@gmail.com> wrote:

> > if not all phone lines are running through the Internet, in case some
> > countries, or parts of their, do not like the global American
> > centralization system, of the commercial Internet, Democrat Al Gore
> > has 'invented'.
> Ah, that one... That one was another 'out of context' quote by our
> news media. https://www.snopes.com/fact-check/internet-of-lies/

I put that in quotes.

Whatever arguments you like to bring, I would suggest that you or any
other person working in the United States in surveillance or IT business
as system admin etc. The times of the centralized Internet are changing.

Russia, for example, did missile tests to reliably knock out a GPS satellite.
China has his firewall. EU finances modern Mixnets, with already more
nodes than the Tor Network has, and it can once, in production, withstand
NSA surveillance. Many nodes run in Russia and also have gateways in
China, with lots of nodes outside the United States. IPFS is censor resistant
and can be anonymously fed with whatever content people like to exchange.

Add to this that cybercrime is the third-largest economy, besides the United
States and China, you can rest assured that the US will have for sure
problems in the future to sell their Internet 'solutions'.

And let's not forget, we all have our 100 percent reliable and trustworthy
postman, working super hard each day, to feed his family. :-)

Regards
Stefan

Stefan Claas

Dec 29, 2021, 2:56:10 PM
On Wednesday, December 29, 2021 at 8:48:14 PM UTC+1, Stefan Claas wrote:

> And let's not forget, we all have our 100 percent reliable and trustworthy
> postman, working super hard each day, to feed his family. :-)

BTW. We have in Germany also cool meshnet projects, encrypted, which
are out of reach for third parties and are run by individuals, while simply
setting up an additional router, which is not controlled by any ISPs and
is for free, well, except the router costs.

Regards
Stefan

Snail Mail Blob

Dec 29, 2021, 6:34:57 PM
On 12/29/21 1:56 PM, Stefan Claas wrote:
> On Wednesday, December 29, 2021 at 8:48:14 PM UTC+1, Stefan Claas wrote:
>
>> And let's not forget, we all have our 100 percent reliable and trustworthy
>> postman, working super hard each day, to feed his family. :-)

Heil Postmaster!

>
> BTW. We have in Germany also cool meshnet projects, encrypted, which
> are out of reach for third parties and are run by individuals, while simply
> setting up an additional router, which is not controlled by any ISPs and
> is for free, well, except the router costs.

Where might I find about 300 volunteers who would like to test a mesh
network idea that I'm working on? Think Tor with hidden services but no
exit nodes to clearnet. Would many hackers be interested in such a
thing? Who? Where?

Stefan Claas

Dec 29, 2021, 6:43:26 PM
I guess the idea of mesh nets was to have those for *local* communities,
like when a disaster happened and no Internet was available, so that people
could communicate. They do not rely on the Internet and ISPs, so if you live
in a rural area, it might be a bit difficult to reach out to get 300 users.

Regards
Stefan

Chris M. Thomasson

Dec 29, 2021, 7:48:57 PM
Get a secure encryption algo.

Encrypt your plaintext on an offline computer in a "cloak", or safe room.

Write down the ciphertext. [*]

destroy the computer.

Send the ciphertext via facebook, email, anything.

Burn the paper you wrote it down on.

;^)

[*]

If you trust SD cards, instead of writing the ciphertext down, save it
to the card, send it, destroy the card.

;^)



Stefan Claas

Dec 30, 2021, 6:14:11 AM
Hi Chris,

while I do not have the programming skills, like Richard, Max and others have,
I am online roughly 40 years and I think I gained enough knowledge about
Cryptography, that I can safely say, I can, if needed, achieve Crypto Supremacy,
air, land, sea, at least within the borders of Germany, even on compromised
devices (TEMPEST attacks included).

Long live our super awesome and super hard-working postmen! :-)

Regarding digital signatures ... The super smart Russians (I like Russians
and also Chinese people, very much) have purchased years ago German
classic typewriters, which allows them to communicate in a way that they
can 100 percent reliably identify from which typewriter a document was
made, thus no need for digital signatures, when it comes to documents,
which can't be intercepted by foreign third parties.

Pretty awesome if you ask me.

BTW. If I would be a CEO, like cool Elon Musk, you could rest assured
that then my HQ building, with all its workers and secretaries etc. would
get modern electric typewriters, with the *super secure* Rohrpost[1] for
in house comms and bringing smartphones to work would be *strictly*
prohibited.

[1] https://en.wikipedia.org/wiki/Pneumatic_tube

Regards
Stefan

Snail Mail Blob

Dec 30, 2021, 1:06:19 PM
On 12/30/21 5:14 AM, Stefan Claas wrote:
> BTW. If I would be a CEO, like cool Elon Musk, you could rest assured
> that then my HQ building, with all its workers and secretaries etc. would
> get modern electric typewriters, with the *super secure* Rohrpost[1] for
> in house comms and bringing smartphones to work would be *strictly*
> prohibited.

This is very smart. Old school tech still has use cases and probably
always will. It is an interesting coincidence that I have been working on
a security plan for a development and operations center. I will share
some parts of that plan with you.

- All electronic devices are strictly prohibited, especially cell
phones, personal tablets, wifi routers, cameras, and smart watches.
- Silent RF detectors throughout the building to catch any signals.
- No Internet connection to the building. Web site and email in a
separate location with daily media dumps brought in for processing.
- All computers on the local network authenticate both by MAC address
and cryptographic keys.
- Network hubs check the routing to ensure cryptographic signatures
permit it.
- Admin jump box is the only place where devices can be authorized on
the network.
- Admin jump box is located in a Faraday cage and solar powered with
local UPS batteries to inhibit TEMPEST attacks on the electrical line.
- All office computers and developer workstations are custom built
without any radio or bluetooth. USB hardware and kernel modules are
accessible only to root. BIOS/UEFI are protected from settings modification.
- All customer data is forwarded through a serial port to a closed
database. Each request for a customer record must be digitally signed
with a registered workstation key. Too many record requests in a short
period of time will lock that key out and alert the security desk. Thus
data dumps will be impossible.
- With no Internet access on the premises, programmers will need to use
and grow a local knowledgebase and wiki.
- No follow-up business is conducted via email. Everything possible is
done over the phone or via postal mail. Messages sent through an exterior
mail server are dumped and brought in to the premises daily to be
processed. Nothing is left on the mail server after next business day.
- Phone challenge verification for any inter-office information request.
- DSL blocking filters on the main phone trunk line into the building.
- No cloud or third-party services are utilized by the company.
Everything is in-house, simple, and barebones.
- Employees are prohibited by contract from mentioning their employment
on social media, such as LinkedIn. This is to inhibit social engineering
attacks and vishing.
- CCW holders are encouraged to wear their concealed weapons to work.
- Company will pay 50% of CCW training for all qualified employees.
- With a bunch of CCWs a large paid security enforcement team is not
necessary - that money can go to bonuses and such.
- CCW policy will attract veterans with technical MOS, which already
tend to be hyper-vigilant about worksite security and normalcy, and are
least likely to be selfish nerdfags with an axe to grind.

The plan is much more detailed than this. It focuses on complete and
absolute separation of concerns into separate premises that have no data
link between them except via phone calls.

Everywhere I know of in the US we still have copper phone lines. If you
can get Internet access at your location they can still run telco copper
to your building since the same thing runs DSL. With a filter on your
main line it prevents anyone from surreptitiously setting up a DSL link
into your building, which spooks would do if you were a target, then try
to get it jacked to your network or hidden devices inside the building.
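
The record-request rule in the plan above (signed requests, lockout and an alert on too many in a short period), as an added example that is not part of the original post. The gateway class, the workstation ids and the limit of 5 requests per 60 seconds are assumptions, and HMAC from the standard library stands in for the digital signature.

```python
import hashlib
import hmac
from collections import defaultdict, deque

MAX_REQUESTS = 5       # assumed policy values; the post gives no numbers
WINDOW_SECONDS = 60

def sign(key, ws_id, record_id):
    """HMAC stand-in for the workstation's digital signature on one request."""
    return hmac.new(key, f"{ws_id}|{record_id}".encode(), hashlib.sha256).digest()

class RecordGateway:
    """Hypothetical front end of the closed database."""

    def __init__(self, registered_keys):
        self.keys = dict(registered_keys)   # workstation id -> registered key
        self.recent = defaultdict(deque)    # workstation id -> accepted request times
        self.locked = set()
        self.alerts = []                    # entries the security desk would see

    def request(self, ws_id, record_id, tag, now):
        # `now` is the gateway's own clock, never a value supplied by the requester.
        key = self.keys.get(ws_id)
        if key is None:
            return "rejected: unregistered workstation"
        if ws_id in self.locked:
            return "rejected: key locked out"
        if not hmac.compare_digest(sign(key, ws_id, record_id), tag):
            return "rejected: bad signature"
        window = self.recent[ws_id]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()                # forget requests older than the window
        window.append(now)
        if len(window) > MAX_REQUESTS:
            self.locked.add(ws_id)          # stays locked until an admin clears it
            self.alerts.append((now, ws_id, len(window)))
            return "rejected: key locked out"
        return "ok"

def demo():
    keys = {"ws-01": b"constructed-key-1", "ws-02": b"constructed-key-2"}
    gw = RecordGateway(keys)
    # Constructed traffic: ws-01 pulls 7 records one second apart, ws-02 pulls 3 over minutes.
    bulk = [gw.request("ws-01", f"cust-{i}", sign(keys["ws-01"], "ws-01", f"cust-{i}"), i)
            for i in range(7)]
    slow = [gw.request("ws-02", f"cust-{i}", sign(keys["ws-02"], "ws-02", f"cust-{i}"), i * 90)
            for i in range(3)]
    return bulk, slow, gw.alerts

if __name__ == "__main__":
    print(demo())
```

The lockout bounds how many records one key can pull before the security desk is alerted; it does not stop a slow extraction that stays under the limit.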

Stefan Claas

Dec 30, 2021, 2:33:20 PM
On Thursday, December 30, 2021 at 7:06:19 PM UTC+1, Snail Mail Blob wrote:
> On 12/30/21 5:14 AM, Stefan Claas wrote:
> > BTW. If I would be a CEO, like cool Elon Musk, you could rest assured
> > that then my HQ building, with all its workers and secretaries etc. would
> > get modern electric typewriters, with the *super secure* Rohrpost[1] for
> > in house comms and bringing smartphones to work would be *strictly*
> > prohibited.
> This is very smart. Old school tech still has use cases and probably
> always will. It is an interesting coincidence that I have been working on
> a security plan for a development and operations center. I will share
> some parts of that plan with you.

[...] Sorry for making snip!

Sounds great, and should create more jobs within the United States
and secure work places and intellectual property.

May I ask you, if you still have those analog intercom devices available,
which were used besides analog rotary telephones, in buildings, to allow
free 'phone' calls, in case the secretary or boss must speak to employees?

Maybe there is a market for developing them again, but with hardware based
encryption, like dumb phones with AES/DH for politicians.

Regards
Stefan

Chris M. Thomasson

Dec 30, 2021, 5:08:25 PM
On 12/30/2021 10:06 AM, Snail Mail Blob wrote:
> On 12/30/21 5:14 AM, Stefan Claas wrote:
>> BTW. If I would be a CEO, like cool Elon Musk, you could rest assured
>> that then my HQ building, with all its workers and secretaries etc. would
>> get modern electric typewriters, with the *super secure* Rohrpost[1] for
>> in house comms and bringing smartphones to work would be *strictly*
>> prohibited.
>
> This is very smart. Old school tech still has use cases and probably
> always will. It is an interesting coincidence that I have been working on
> a security plan for a development and operations center. I will share
> some parts of that plan with you.
>
> - All electronic devices are strictly prohibited, especially cell
> phones, personal tablets, wifi routers, cameras, and smart watches.
[...]

Are you familiar with fractal cloaks?

https://youtu.be/_JpMJTJXf28

https://www.businesswire.com/news/home/20180724005626/en/Breakthrough-Invisibility-Cloak-Absorber-Technologies-Receive-Patents



Jakob Bohm

Jan 4, 2022, 6:20:15 AM
On 2021-12-28 13:06, Snail Mail Blob wrote:
> On 12/21/21 9:24 AM, Stefan Claas wrote:
>> On Tuesday, December 21, 2021 at 4:11:50 PM UTC+1, Richard Heathfield wrote:
>>> On 21/12/2021 14:53, Stefan Claas wrote:
>>
>>>> What do you think about this proposal?
>>
>>> "Against all odds, over a noisy telephone line, tapped by the tax
>>> authorities and the secret police, Alice will happily attempt, with
>>> someone she doesn't trust, whom she can't hear clearly, and who is
>>> probably someone else, to fiddle her tax return and to organise a
>>> coup d'etat, while at the same time minimising the cost of the phone
>>> call." - John Gordon
>>
>> Since Alice knows her friend Maria they can of course use the noiseless
>> postal system. :-) But it may not be so reliable in the United States, as it
>> occurred to me in the past, and I had to send then again an expensive
>> registered letter.
>
> The postal mails between two P.O. boxes are usually more secure than any
> encrypted channel where PKI is involved. The likelihood of any spy or
> spook tapping your particular first class letter for eavesdropping is
> statistically close to zero. There are strong penal laws in most
> countries that dissuade that sort of activity. It occasionally happens,
> but the volume of mails is so vast that it is the needle in a haystack
> problem for Alice.
>

The security comes not from the postal system, but from the physical
security of the tamper evident packaging. The tamper evidence if done
correctly ensures that any key that has been accessed via (legal or
otherwise) mail intercept will be rejected by Bob as if it never arrived.

If the tamper evidence is done such that even reading the contents
will be detected, the method can be used to distribute actual OTP keys,
otherwise it is limited to public signature keys, such as those using
XMSS or its generic non-NSA equivalent with a strong enough hash algorithm.

> If one uses an inner envelope that is tamper evident then one won't end
> up using a compromised key if the letter is tampered by state agents.
>
> I had this happen once with an encrypted USB flash drive many years ago
> when USB media was a brand new thing and thus was treated suspiciously
> as if it were a cloak and dagger device. Someone at the post office
> opened the envelope, and upon realizing it was a tamper evident setup
> they just kept the flash drive and sent the envelope along empty. They
> tore gashes in the outer envelope to make it look like accidental
> damage. Always encrypt removable media! And send microSD cards instead
> of thumb drives.

If the keys are short enough, physically scan friendly paper formats
such as QR codes or OCR-B text, these can do the job without leaving
anything other than normal-looking letters in the envelopes. Add
something in the outer envelope which makes the presence of the inner
envelope non-suspect, like "Here's the letters for you that arrived at
your hotel after you left". Also make the inner tamper evidence
sufficiently subtle that an experienced Eve won't find it.

The hard part is to arrange the secret tamper detection protocol before
the exchange over untrusted postal courier. Because if Eve knows, she
can completely fake it by creating a new pair of nested envelopes
matching the protocol.



>
> Sending an initial session key via the post office to negotiate a later
> key exchange is almost as secure as exchanging keys in the pub.
>
> What does it cost, like a dollar or two to send an international letter?
> A tamper-proof inner envelope will cost less than a dollar.
>

Unless you are mailing from China or any other historically poor
country, the price has gone up in recent years, but still affordable
for the task.

> You can use tape and super glue on a regular envelope to convert it to
> tamper-evident.
>
> Draw smiley faces all over the envelope, smear some superglue streaks on
> the envelope, cover that over by sealing the key inside with packing
> tape, then lay several courses of tape on it and rub on the super glue
> across the tape. Then glue that inner envelope into the outer envelope,
> making it impossible to open without destroying both envelopes.
>
> It will take about five minutes. Not a big time investment. It is
> impossible to steam off and remove the tape without visibly damaging the
> envelopes and smiley faces.
>
> If you are really paranoid, use a piece of thin, rough felt, or
> styrofoam packing felt, for the inner envelope. The felt will get torn
> to shreds by any manipulation of the covering tape.
>

These methods don't provide an unknown-to-Eve indication that this
wasn't an envelope made by Eve after intercepting the original.

One method could be to transmit, in an authenticated plaintext
transmission after the envelope is required to arrive, a set of
locations on the inner envelope where the seemingly or actually
random details occur, Bob can then hold the received envelope until
receiving the authentic details from Alice, then check as he opens
the envelopes.

If the envelopes match the authentic checks, Bob can send Alice an
initial confirmation message using one part of the sealed key material,
thus allowing Alice to know which (if any) keys reached Bob securely.

> The nice thing about this kind of key exchange is that once you have the
> mailed key, using it you can start off with a cascade of symmetric
> ciphers over a big blob file and exchange a whole basket of new
> symmetric keys and pads over any channel before using any asymmetric
> ciphers at all.
>

Indeed, a read-evident seal can distribute an initial OTP key for
later key exchange. Hard part is to safely expand a short OTP into
a set of agreed upon secure secret keys for much larger messages.
Obvious way would be to OTP transmit a random symmetric key for a strong
algorithm, which is then used to encrypt further random symmetric keys.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
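
The confirmation step and the one-time-pad key transport described in the post above, as an added example that is not part of the original message. The envelope ids, the 32/32-byte split of each pad and the use of HMAC-SHA256 for the confirmation are assumptions; encrypting further keys under the transported key is left out.

```python
import hashlib
import hmac
import secrets

CONFIRM_LEN = 32   # assumed split: first part of each pad confirms receipt
KEY_LEN = 32       # next part carries one symmetric key under one-time-pad XOR

def make_envelopes(n):
    """Alice: fresh pad material per envelope (what gets sealed and mailed)."""
    return {f"env-{i}": secrets.token_bytes(CONFIRM_LEN + KEY_LEN) for i in range(n)}

def confirm(env_id, pad):
    """Bob: prove possession of an accepted envelope's confirmation part."""
    msg = b"received:" + env_id.encode()
    return hmac.new(pad[:CONFIRM_LEN], msg, hashlib.sha256).digest()

def confirmed_ids(sent, confirmations):
    """Alice: which envelopes did Bob confirm with the material she sealed?"""
    good = []
    for env_id, tag in confirmations.items():
        pad = sent.get(env_id)
        if pad is not None and hmac.compare_digest(confirm(env_id, pad), tag):
            good.append(env_id)
    return sorted(good)

def otp(pad, data):
    """XOR with the transport part of the pad; the same call encrypts and decrypts.
    Each pad's transport part must be used for exactly one message."""
    segment = pad[CONFIRM_LEN:CONFIRM_LEN + KEY_LEN]
    if len(data) != len(segment):
        raise ValueError("message must be exactly as long as the pad segment")
    return bytes(a ^ b for a, b in zip(segment, data))

def run_exchange():
    sent = make_envelopes(3)
    # Constructed scenario: env-0 arrives intact, env-1 fails Bob's tamper check and is
    # discarded, env-2 was replaced in transit by an envelope holding other material.
    bob_has = {"env-0": sent["env-0"], "env-2": secrets.token_bytes(CONFIRM_LEN + KEY_LEN)}
    confirmations = {e: confirm(e, p) for e, p in bob_has.items()}
    usable = confirmed_ids(sent, confirmations)
    session_key = secrets.token_bytes(KEY_LEN)
    wire = otp(sent[usable[0]], session_key)     # Alice to Bob, over any channel
    recovered = otp(bob_has[usable[0]], wire)    # Bob
    return usable, session_key, wire, recovered

if __name__ == "__main__":
    print(run_exchange()[0])
```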

Stefan Claas

Jan 4, 2022, 11:27:51 AM
Additionally, one may think also about purchasing tracking chips, available at
post offices, in case one is unsure if the mail was rejected.

Regards
Stefan

Jakob Bohm

Jan 10, 2022, 11:21:55 PM
Tracking products by postal services have limited reliability and may
signal to interceptors that this letter is important. Besides, anyone
with the ability to break the secrecy of public mail will probably have
countermeasures for all the postal service's own tracking mechanisms.

This is why security measures for postal messages need to be designed to
operate independently of the postal service's own security features,
just as cryptographic messages over the public telegraph service need to
work without special features offered by the telegraph office (or its
modern equivalent, the Internet). It's one of the established K principles.

Stefan Claas

Jan 13, 2022, 1:10:30 PM
Well, the sci.crypt community could run some experiments, with security
envelopes and tracking chips, to see, if for example homeland security
in the United States, would allow passing such (a registered) postal mail
to its destination or not.

I am also open now for international encrypted Telefax communications,
if people like to test a possible workflow.

Regards
Stefan
