Ari Silverstein <AriSilverstein@yahoo.com> wrote in
news:8e5tg2F8a1U1@mid.individual.net:
Ari, you have so many names, so many aliases, so many
sockpuppets that I've lost track. However, the feature that
unites them all is rambling incoherence coupled with unfocussed
hostility.
>I am John (though, I am not the only one here named John). The
>identities of our investors is not public information. Is this
>something that is important for you to know? If so, may I ask why?
If someone wants to keep his mail private, he probably has an idea
*WHO* he most wants to keep it private from. For example:
- his wife and her lawyer
- other companies competing with his company in the field he's working on.
- nations unfriendly to his nation.
- anyone who might want to hold him for ransom or assassinate him
- anyone who might want to trade on insider information for profit
Designers of cryptosystems can leave in trap doors so they can read
the traffic. Especially if it's not open-source, you have to trust
them not to do so. Or sometimes it's done so their servers are the
ones that do the encryption/decryption in the first place (as is the
case for digital cell phones, so the cell phone companies handle the
cleartext).
It would be extremely prudent to try to determine if your investors are,
for example:
- The NSA, KGB, and Mossad
- Al Queda and similar terrorist groups
- North Korea, Iraq, and Iran
- A Columbian drug cartel
- TransUnion, Equifax, and Experian
- Organized crime
gordon@hammy.burditt.org (Gordon Burditt) wrote in
news:2radnZPtks1AVeDRnZ2dnUVZ_uWdnZ2d@posted.internetamerica:
> If someone wants to keep his mail private, he probably has
> an idea *WHO* he most wants to keep it private from. For
> example:
>
> - his wife and her lawyer
> - other companies competing with his company in the field
> he's working on.
> - nations unfriendly to his nation.
> - anyone who might want to hold him for ransom or
> assassinate him
> - anyone who might want to trade on insider
> information for profit
Yes, a risk and consequence analysis, however informal and
unstructured, is a prudent idea. However, it's not likely
that any prudent man, even though untutored in the intricacies
of encryption, would entrust TrulyMail with really serious
matters where disclosure could have severely adverse
consequences. TrulyMail is plainly intended for more light-duty
matters of ordinary privacy.
Perhaps the best analogy is that if ordinary mail is
equivalent to a postcard that anyone can read, then TrulyMail
would provide protection equivalent to a letter enclosed in an
envelope. Better privacy, yes, but far from impregnable
security. Ordinary privacy, not bombproof spy-versus-spy
privacy.
> Designers of cryptosystems can leave in trap doors so they
> can read the traffic. Especially if it's not open-source,
> you have to trust them not to do so. Or sometimes it's
> done so their servers are the ones that do the
> encryption/decryption in the first place (as is the case
> for digital cell phones, so the cell phone companies handle
> the cleartext).
>
> It would be extremely prudent to try to determine if your
> investors are, for example:
>
> - The NSA, KGB, and Mossad
> - Al Queda and similar terrorist groups
> - North Korea, Iraq, and Iran
> - A Columbian drug cartel
> - TransUnion, Equifax, and Experian
> - Organized crime
>
> before using their cryptosystem.
A lovely idea. How the flying **** would you suggest an
ordinary person - the kind of person that TrulyMail is clearly
intended for - would go about doing anything of the sort? Are
you seriously suggesting that Mossad or the NSA could not
disguise the true principals of such a company from the
investigations of all but an equally well-resourced agency?
Hogwash!
Have you considered how many "trust relationships" you have in
your life? From a contractor putting a roof on your house, to
the girl you dated and married, to the oncoming drivers in the
other lane every morning commute? Are you sure your
greengrocer isn't poisoning you? Have you vetted him? Do you
know his grandmother's maiden name?
Do you run a full background check of the airline pilot before
you board a flight or do you just "trust" in the mechanisms of
the airline to do this? And how thorough are they? - even if
they did a good job initially, perhaps the pilot has become
suicidally depressed of late?
In short, there are a gazillion trust relationships you rely
upon every day of your life - trust relationships that could
potentially have far more adverse consequences than disclosed
email. Let's not obsess about cryptographic mechanisms - some
folks just want a little better privacy than open email.
"TrulyMail Support" <support@trulymail.com> wrote in message
news:408b2458-61cd-4985-b311-c7f148301512@m35g2000prn.googlegroups.com...
> On Sep 1, 7:46 am, "Joseph Ashwood" <ashw...@msn.com> wrote:
>> From there on, anything else you say is completely irrelevant, your
>> design
>> is a complete security failure. TrulyMail is completely snake-oil.
> The password that is recoverable is the password to download new
> messages from the server.
So the recovered password is the password to read the messages. The
recovered password is the exact password that should not be recovered.
It's like offering the thieves the key to your house.
It's still snake oil, and stating the exact problem will not change that.
Joe
On Wed, 01 Sep 2010 04:20:44 GMT, nemo_outis wrote:
> gordon@hammy.burditt.org (Gordon Burditt) wrote in
> news:2radnZPtks1AVeDRnZ2dnUVZ_uWdnZ2d@posted.internetamerica:
>
>> If someone wants to keep his mail private, he probably has
>> an idea *WHO* he most wants to keep it private from. For
>> example:
>>
>> - his wife and her lawyer
>> - other companies competing with his company in the field
>> he's working on.
>> - nations unfriendly to his nation.
>> - anyone who might want to hold him for ransom or
>> assassinate him
>> - anyone who might want to trade on insider
>> information for profit
>
> Yes, a risk and consequence analysis, however informal and
> unstructured, is a prudent idea. However, it's not likely
> that any prudent man, even though untutored in the intricacies
> of encryption, would entrust TrulyMail with really serious
> matters where disclosure could have severely adverse
> consequences. TrulyMail is plainly intended for more light-
> duty matters of ordinary privacy.
Untutored men have no prudence when examining the trust factor of
Trulymail. By definition. They are conned into believing Trulymail and
Trulymail alike products actually do what they exorbitantly claim to
do.
But you knew that. Why the falsehoods, the lies and the deceit from
you?
> Perhaps the best analogy is that if ordinary mail is
> equivalent to a postcard that anyone can read, then TrulyMail
> would provide protection equivalent to a letter enclosed in an
> envelope. Better privacy, yes, but far from impregnable
> security. Ordinary privacy, not bombproof spy-versus-spy
> privacy.
There is nothing, nothing at all, zero, nada, that corroborates this
proclamation of yours. Nothing from you, certainly nothing from closed
lipped, tightly concealed, "working in the shadows" Trulymail.
There were times on these forums, outis, where you were so much more
truthful, foregoing and inquisitive. Why the falsehoods, the lies and
the deceit from you?
> How the flying **** would you suggest an
> ordinary person - the kind of person that TrulyMail is clearly
> intended for - would go about doing anything of the sort? Are
> you seriously suggesting that Mossad or the NSA could not
> disguise the true principals of such a company from the
> investigations of all but an equally well-resourced agency?
> Hogwash!
No one suggests anything other than that. Which is not the point and,
again, you know that. Why the falsehoods, the lies and the deceit from
you?
It is incumbent on any crypto system provider to be all in or all out
if they are ethical and true purveyors of privacy. What might be
private to one person (a sentimental note to a friend) and private to
another (overthrow of a government) is inconsequential to the privacy
goals of the user. They buy Trulymail to be assured that regardless of
their messages *their commo is private*.
Trulymail fails this test in spades. MOF, there is no test for
Trulymail which is by many magnitudes a much greater indiscretion.
> In short, there are a gazillion trust relationships you rely
> upon every day of your life - trust relationships that could
> potentially have far more adverse consequences than disclosed
> email. Let's not obsess about cryptographic mechanisms - some
> folks just want a little better privacy than open email.
What a hypocritical oaf you are. You fashion arguments to meet your
personal agendas. In this case, it is to attack me.
Let's look at nemo outis when he had a pair and not consumed with
emotional issues and insane rants.
"Ok, I've given you some high-level stuff to think about; now I'm
going to give you some specifics.
The first is regarding encryption. This is the main line of
defence in preserving computer security/privacy. There are a lot
of different approaches out there, some of which are suspect, and
some of which are downright snakeoil. For instance, Microsoft's
encrypting file system for NTFS (available as part of Windows
NT/2k/2k3/XP) is easy to implement incorrectly (e.g., leave key
on HD), has inherent flaws (e.g., is not OTFE) and many suspect
there are backdoors put in it for law enforcement."
Yet you are willing to cut Trulymail a pass card because...well, hell,
because why? They have already admitted to having zero expertise in
implementing encryption yet you blither and blather on in their
defense?
On Tue, 31 Aug 2010 22:30:37 -0500, Gordon Burditt wrote:
>>I am John (though, I am not the only one here named John). The
>>identities of our investors is not public information. Is this
>>something that is important for you to know? If so, may I ask why?
>
> If someone wants to keep his mail private, he probably has an idea
> *WHO* he most wants to keep it private from. For example:
>
> - his wife and her lawyer
> - other companies competing with his company in the field he's working on.
> - nations unfriendly to his nation.
> - anyone who might want to hold him for ransom or assassinate him
> - anyone who might want to trade on insider information for profit
Or you might say that they perceive different levels of capabilities
of their adversaries and adjust accordingly.
The Trulymail model has no verifiable privacy against any of your
adversaries mentioned. For all anyone knows, they could read emails,
contact your adversaries and sell their info.
> So the recovered password is the password to read the messages.
No, it is not.
The password allows you to 'access' the encrypted message (hence the
metaphor of your email account's password - if I have that password I
still cannot read your encrypted messages). You still need your
private key, not your password, to decrypt it. We keep your password
on the server (to verify who you are) but we don't keep (or ever have)
your private key.
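A constructed model of the flow TrulyMail Support describes here, and that Joseph Ashwood disputes above: the server checks a password before releasing stored ciphertext, while the decryption key never leaves the client. This is an added example, not TrulyMail's code; the cipher (a stdlib-only stand-in), the PBKDF2 stretching and the names Server, run_scenario and Alice are assumptions.

```python
import hashlib
import hmac
import secrets
NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key, nonce, length):
    # Stand-in stream cipher (SHA-256 in counter mode) so the demo needs only
    # the standard library; a real client would use a vetted AEAD instead.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]

def encrypt(key, plaintext):
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Server:
    """Stores salted password hashes and opaque ciphertexts, never a key."""
    def __init__(self):
        self.creds, self.inbox = {}, {}

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.creds[user] = (salt, pw_hash(password, salt))
        self.inbox[user] = []

    def store(self, user, blob):
        self.inbox[user].append(blob)

    def download(self, user, password):
        salt, stored = self.creds[user]
        if not hmac.compare_digest(pw_hash(password, salt), stored):
            raise PermissionError("bad password")
        return list(self.inbox[user])

def run_scenario():
    # Constructed sample: Alice's key never leaves her client; the password only gates download.
    server = Server()
    server.register("alice", "correct horse")
    alice_key = secrets.token_bytes(32)
    server.store("alice", encrypt(alice_key, b"meet at noon"))
    blobs = server.download("alice", "correct horse")   # password yields ciphertext only
    try:                                                 # a guessed key fails the MAC check
        decrypt(secrets.token_bytes(32), blobs[0])
        password_alone_reads = True
    except ValueError:
        password_alone_reads = False
    return {"password_alone_reads_message": password_alone_reads,
            "key_reads_message": decrypt(alice_key, blobs[0]),
            "server_holds_key": alice_key in server.creds["alice"]}
```

The split only helps if the key really is generated and kept on the client; a server-side password reset or a key backed up to the same server collapses it back to Ashwood's "key to your house".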
On Sep 1, 7:10 pm, "Mr. B" <n...@supplied.com> wrote:
> TrulyMailSupport wrote:
> > On Sep 1, 2:11 am, "Mr. B" <n...@supplied.com> wrote:
>
> >> -- B
>
> > Mr. B: Is there a way to contact you off-group?
>
> I will contact you; is supp...@trulymail.com the correct email address to
> use?
>
> -- B
Ari Silverstein <AriSilverstein@yahoo.com> wrote in
news:8e4f2tFo5nU1@mid.individual.net:
> On Tue, 31 Aug 2010 01:42:07 -0700 (PDT), TrulyMail Support wrote:
>
>> On Aug 31, 12:10 pm, Ari Silverstein <AriSilverst...@yahoo.com> wrote:
>>
>>> Thanks for the info, John.
>>>
>>> What is you and your companies background in delivering and
>>> implementing encryption?
>>
>> TrulyMail (the company) has been around a short time (two years). Our
>> products include the TrulyMail Client and related TrulyMail services
>> (encrypted, private messaging, for example). We have been offering
>> these products for about two years now.
>>
>>> Who is "John", who are the investors, management and directors
>>> of Trulymail?
>>
>> I am John (though, I am not the only one here named John). The
>> identities of our investors is not public information. Is this
>> something that is important for you to know? If so, may I ask why?
>
> If you're dealing with security products, especially without open
> source coding, /who/ you are and your background is extremely
> important.
>
> The fact that you ask this question is startling.
>
> And informative.
I installed this program three weeks ago and nobody has hacked my email yet.
Can you read my email? No. Good program.
On Wed, 01 Sep 2010 02:23:19 GMT, nemo_outis wrote :
> "Steve Terry" <gfourwwk@tesco.net> wrote in
> news:i5kcvg$m1a$1@news.eternal-september.org:
>
> Oooh, another Ari sockpuppet. The voices in your head must
> get hard to sort out, eh Ari?
>
>> nemo blathered like a loon: PGP and GPG, no matter how interesting
>> they are, are a failure - they have totally failed to convert
>> ordinary email users from the postcard model of email with
>> everything wide open.
> In all likelihood, Trulymail will also be a failure. PGP did not fail
> because it was too complicated to use, or too complicated to set up, it
> failed because most users did not perceive the problem it solves as being a
> problem. The general public still holds the belief that if they have
> nothing to hide, then there is no problem with others having the ability to
> inspect their email. Try having a conversation about the issue some time,
> with a person who is completely unaware of cryptography, and you will be
> lucky to even get to the topic of email encryption before that person loses
> interest.
nemo wants to blame PGP and label it a failure because it did not
majickally educate the masses that email is insecure?
*LARF*
No wonder nemo keeps dropping the Xposts to sci.crypt and
alt.comp.security (now reinstated from his doing so for the umpteenth
time in this thread).
PGP was Zimmerman's response to having his life compromised from
intercepted email and other commo from his pre-PGP, ongoing and
historically recorded human rights activism. He had no stated
intention whatsoever to "educate the world" regarding email
insecurities. He primarily developed PGP to solve his own problems and
those of his fellow activists. Once it was developed, he gave it away
for free.
If from the release of PGP people asked "why do I need this" as a
secondary or tertiary result, that was all fine and good. But it was not
the focus of his work any more than the auto was conceived by Ford so
we can populate the Earth with backseat babies.
Ari Silverstein <AriSilverstein@yahoo.com> wrote in
news:8e5j7sFmtfU1@mid.individual.net:
> On Tue, 31 Aug 2010 17:13:29 +0100, B℮ar Bottoms wrote:
>
>> On Tue, 31 Aug 2010 11:25:32 -0400, Ari Silverstein wrote:
>>
>>> Don't even think about trying to sell to the US Gov't, DoD or any
>>> of the intertwined military-intelligence agencies. They /really/ frown
>>> on foreign nationals who play at such serious business.
>>
>> We will see. I say, see you next Tuesday Silverstein. Who needs to sell to
>> the government? I have friends who will pay big for the right service.
>
> Well Bottoms there are times I would much prefer to deal with you,
> Debbie and the Bear crew than some of the dunderheads we have to screw
> around with in the USGov.
>
> Not many times.
>
> Maybe only once to be truthful.
Dave U. Random <anonymous@anonymitaet-im-inter.net> wrote in
news:f312ada478be39e86a514661b73c7f41@anonymitaet-im-inter.net:
> On Wed, 01 Sep 2010 02:23:19 GMT, nemo_outis wrote :
>> "Steve Terry" <gfourwwk@tesco.net> wrote in
>> news:i5kcvg$m1a$1@news.eternal-september.org:
>>
>> Oooh, another Ari sockpuppet. The voices in your head
>> must get hard to sort out, eh Ari?
>>
>
> The real Steve Terry..........
> http://www.freeuploadimages.org/imag...adt155iou6wxj9.jpg
>
On Wed, 1 Sep 2010 04:44:22 -0700 (PDT), TrulyMail Support wrote:
>> So the recovered password is the password to read the messages.
>
> No, it is not.
>
> The password allows you to 'access' the encrypted message (hence the
> metaphor of your email account's password - if I have that password I
> still cannot read your encrypted messages). You still need your
> private key, not your password, to decrypt it. We keep your password
> on the server (to verify who you are) but we don't keep (or ever have)
> your private key.
The password on your server verifies nothing. It is simply a process
that resolves /someone/ has a password and, in turn, /someone/ has a
key. No identification is made of who that someone is. Hence, no
verification or authentication.
The terms identification, authentication, verification and ultimately
authorization are defined from the world of biometrics. Where these
processes can be invoked.
I can't fault you too much for this misuse of term. These terms have
been abused for years now by many companies who desire to overstate
the capabilities of their security systems.
Think of it this way. If I walk up to you and say "Hi, I'm Ari"
without something to verify my ID (Passport, secure credentials card,
etc.) you have nothing of value except a statement. Much like your
password matching on your server.
--
Talk about F-Cars - www.ferrarichat.com/forum/member.php?u=89702
On Wed, 1 Sep 2010 16:49:03 +0200 (CEST), Dave U. Random wrote:
> On Wed, 01 Sep 2010 02:23:19 GMT, nemo_outis wrote :
>> "Steve Terry" <gfourwwk@tesco.net> wrote in
>> news:i5kcvg$m1a$1@news.eternal-september.org:
>>
>> Oooh, another Ari sockpuppet. The voices in your head must
>> get hard to sort out, eh Ari?
>>
>
> The real Steve Terry..........
> http://www.freeuploadimages.org/imag...55iou6wxj9.jpg
nemo always plays the "sockpuppet" card when he's getting his ass
kicked off. lol
A quick Google would have placed Terry in the UK but, hey, when nemo
gets all fluffed up and spitting hairballs, why let truth get in the
way, eh?
--
Talk about F-Cars - www.ferrarichat.com/forum/member.php?u=89702
Ari Silverstein <AriSilverstein@yahoo.com> wrote in
news:8e7fvlFpgU1@mid.individual.net:
....
> The terms identification, authentication, verification and
> ultimately authorization are defined from the world of
> biometrics. Where these processes can be invoked.
No, Ari, the "world of biometrics" is not where these terms
are defined, despite the eagerness of some techies to coopt
and kidnap them. Identification, authentication, verification
and authorization are terms with long, well-understood and
broadly applied meanings dating back long before the word
"biometrics" was even coined. And even the diversity and
range of meaningS (not meaning) of these terms carries
considerable significance.
If techies wish to apply specialized limited meanings to these
terms in some specialized limited context, fine - but don't
pretend that that somehow pre-empts and supplants the
original.
> Think of it this way. If I walk up to you and say "Hi, I'm
> Ari" without something to verify my ID (Passport, secure
> credentials card, etc.) you have nothing of value except a
> statement. Much like your password matching on your server.
No, Ari, all a passport, birth certificate, Verisign cert, or
other document is is just another "statement" from some other
person or institution. Why you should put more trust in one
rather than the other is determined by the context and
circumstances.
Trust is a non-trivial problem. And dressing it up with
pseudomathematical techie concepts that are manifestly wrong
(e.g., trust relationships are transitive) doesn't really
tackle the problem - it's just putting lipstick on the pig.
If you truly want security then human relationships are the
core (of which trust is one very important aspect). If you
really want security you would do far better to read
Shakespeare than the HAC. Greed, power-lust, ambition, envy,
spite, betrayal, revenge - these are the real security issues
- not trivia such as whether you use 128 or 256-bit AES.
Techies fall in love with the technology and often lose track
of the real issues for which it is just a tool.