
Thread: Re: Truly Trulymail

  1. #81
    nemo_outis
    Guest

    Re: Truly Trulymail

    "Mr. B" <not@supplied.com> wrote in
    news:i5m6j6$sfh$1@speranza.aioe.org:

    ....snip interesting points...


    I'm an old man and old men tell long-winded stories. And so…

    Many, many years ago I was attending a lecture in higher
    mathematics at McGill. The professor was developing a topic
    and at one point said, "And so it obviously follows…" as he
    then proceeded to write down a new equation on the blackboard.

    One student interjected, "Sir, I don't see how that obviously
    follows."

    The professor silently stared at the blackboard for about 30
    seconds and then abruptly turned on his heel and walked out of
    the classroom.

    Fifteen minutes later he returned (dutiful students that we
    were, we hadn't bailed). He then said, "Of course it's
    obvious!" and proceeded to fill two blackboards explaining
    why.

    Your story of how easy it is for someone to set up a mime
    cert. or get GPG going or do whatever other arcana are
    necessary for encrypted email very much reminds me of
    Professor Bach's "Of course it's obvious!"

    No, it isn't easy or obvious. For one thing an ordinary user
    hasn't the slightest clue that it is MIME or PGP or
    Quicksilver he should be tinkering with and not something else
    entirely, never mind the mechanics of doing so once he
    establishes that that is what he should be doing. It's very
    far from obvious or easy. He must become a security hobbyist,
    investigate and research, question others, filter out the
    nonsense and the misinformation, avoid dead ends and wild
    goose chases, and on and on.

    Is it doable? Of course it is - if he wants it badly enough
    and is willing to put up with the pain in the ass of doing all
    this. But for most folks the game isn't worth the candle.
    They don't want to become "junior security experts," they
    don't want a new time-consuming security hobby, they just want
    to CONVENIENTLY send their email with modestly improved
    privacy. Especially since it is far from obvious that, even
    if they do all this security rigmarole, that the encrypted
    email still won't fail for some overlooked reason and bounce,
    get lost in the aether, be unreadable, or whatever.

    And even once he does all this, he's still not finished.
    Nope, he has to become a "security missionary" proselytizing
    to convince all his friends and family to also do the same as
    otherwise the whole exercise is pointless. What a PITA!

    (Consider, for example, that people are willing to pay $25 to
    port their existing telephone number rather than have to
    contact all their friends with a new one. There's a coarse
    metric for how simple encryption has to become to be broadly
    adopted.)

    Ordinary folks want modestly improved privacy - they are not,
    in general, looking for military-grade security. They send
    letters in envelopes rather than postcards because it's easy
    and gives improved privacy - even though they are under no
    illusions that a sealed letter cannot be opened and resealed
    by a sufficiently motivated adversary (or rendered transparent
    by Freon, or…).

    If they had to make their own envelope glue by rendering cow's
    hooves they'd stick with postcards, however. And despite the
    protestations of security aficionados like you and me, the
    ordinary user regards the current state of encrypting email to
    be nearly that much bother. They want quick and easy - or
    better still, invisible and transparent, with no need for any
    hands-on intervention.

    They don't give a **** about MITM attacks (99.99% aren't aware
    there is such a thing but they wouldn't care if they did
    know). They aren't worried about serious adversaries, they
    mostly just want modest privacy with minimum hassle. If the
    hassle is too great it's just not worth it.

    As for crap about needing a lot of additional security
    precautions or you leave people "vulnerable" consider this:
    right now they aren't using ANYTHING for privacy or security
    and won't unless and until it becomes dirt easy. Any method
    of improved email privacy, even though imperfect, would be a
    big improvement.

    (As for security on the PC itself, this is a chimera. NOTHING
    even an expert can do can prevent security compromise if an
    adversary has unfettered access to the machine - the ordinary
    person is wise to be oblivious to this risk. For instance, if
    you want to frighten the **** out of yourself take a look at
    the CAs listed in your certificate store - and spend an
    afternoon trying to purge the flaky ones out of, say,
    Firefox.)

    No, the ordinary person doesn't need the "whole catastrophe"
    you want to foist on him, he just wants modestly improved
    email privacy resistant to casual snooping. CONVENIENTLY!

    Remember: The perfect is the enemy of the good!

    Regards,


  2. #82
    nemo_outis
    Guest

    Re: Truly Trulymail

    unruh <unruh@wormhole.physics.ubc.ca> wrote in
    news:slrni7tber.kak.unruh@wormhole.physics.ubc.ca:

    > On 2010-09-01, nemo_outis <abc@xyz.com> wrote:
    >> "Mr. B" <not@supplied.com> wrote in
    >> news:i5lf39$igk$1@speranza.aioe.org:
    >>
    >> ...
    >>>> PGP and GPG, no matter how interesting they are, are a
    >>>> failure - they have totally failed to convert ordinary
    >>>> email users from the postcard model of email with
    >>>> everything wide open.

    >
    > a) Everything is not wide open. You have to work to read
    > others' mail in transit
    > b) A failure? Where was it ever stated that the goal of
    > these programs was to "convert ordinary email users"?
    > It is like calling cars a failure because they did not
    > persuade everyone to brush their teeth every night.



    The context of this thread is TrulyMail, an attempt to provide
    modestly improved email privacy in a convenient way for a mass
    market rather than for a tiny coterie of security aficionados.

    PGP and GPG don't do this. If you prefer to say that they were
    only intended for security initiates and not a mass market and
    therefore aren't really failures, that's OK by me.

    But viewed either way - as mass-market failures or as niche-market
    successes - PGP and GPG have proved themselves irrelevant to mass
    market email privacy, the context of this thread.

    Regards,

  3. #83
    Ari Silverstein
    Guest

    Re: Truly Trulymail

    On Wed, 01 Sep 2010 07:57:31 -0400, Mr. B wrote:

    > Yes, because proprietary cryptosystems have never been disastrous for their
    > users. Really, this would not be so bad if Trulymail was at least
    > compatible with existing cryptosystems like PGP or S/MIME. Perhaps it is,


    Hell, we couldn't get the bugger to connect to the servers. lol

    > but the details are scant; the only relevant detail I have seen so far is
    > that it uses RSA and AES. Even basic details like how keys are signed or
    > verified (or if they are signed/verified) are missing.
    >
    >> Nobody, and I mean nobody, is going to do a thorough review of
    >> the source code of a commercial product like TrulyMail, even
    >> if it were available. Open-source for it is a total red
    >> herring, the kind of thing only *******s like you fasten upon.
    >>
    >> The OP for TrulyMail got it exactly right - use it or don't.

    >
    > Hey, this discussion found its way to sci.crypt, so I assume that someone
    > wanted opinions on Trulymail's usefulness as a cryptosystem.


    Gee, I would think so since its cryptography is at the core of its
    software architecture. You know, sorta like a Corvette and Road and
    Track?

    From the thread, and from search engine results, it appears that
    Trulymail isn't very interested in any kind of review. They haven't
    submitted the project anywhere I can find, in over two years, yet they
    are in Ver 3. Trulymail had to get invited to Usenet and Andre was
    forthcoming that he was quite aware of Usenet. I can't find much of
    anything on them...except now this thread.

    > Perhaps "Ari"
    > is a known troll (he is certainly combative), but that does not change the
    > reality that a certain degree of openness is necessary when it comes to
    > cryptography.


    Ari's been around for a long, long time and Ari is very open for
    inspection. Thousands more articles/posts have been made about and by
    Ari than Trulymail.

    Ari has been called more or less everything at some time and Ari
    reflects "That's Usenet"!

    >> It's not targeted at *******s like you, Ari.

    >
    > Then who, in your opinion, is it targeting?


    Trulymail claims (straight from their website) to be "better than
    email, better than any email client...truly private, 100% spam
    elimination" and on and on and on. That means in no doubt they are
    targeting the most powerful email users, the ones who want, need and
    will utilize "the best".

    In that short list of features above are at best severe overstatements, at
    worst complete fabrications. I can tell you the GUI looks like crap,
    absolutely an embarrassment for a Ver3 product.

    http://www.trulymail.com/Features.aspx

    > I could target Joe Public with
    > ROT13, does that mean that I should not be criticized for doing so?
    >
    > -- B


    As long as you come clean about the value of ROT13, target away. Call
    ROT13, say, "truly the best ", and Ari is probably going to pay you a
    visit. :)
    --
    Talk about F-Cars - www.ferrarichat.com/forum/member.php?u=89702

  4. #84
    Buck Mulligan
    Guest

    Re: Truly Trulymail

    On 9/1/2010 6:23 PM, Ari Silverstein wrote:
    > On Wed, 01 Sep 2010 07:57:31 -0400, Mr. B wrote:
    > <snip>


    >> Perhaps "Ari"
    >> is a known troll (he is certainly combative),

    > Ari's been around for a long, long time and Ari is very open for
    > inspection. Thousands more articles/posts have been made about and by
    > Ari than Trulymail.
    >
    > Ari has been called more or less everything at some time and Ari
    > reflects "That's Usenet"!


    I'm wondering if I'm the only one who wonders if you would "reflect"
    that way before or after doing something, for example, like "flooding"
    sci.crypt with forgeries of purely nonsensical posts, you know, the way
    it happened a few years ago?

    Or, just for another example, before or after hacking into someone's
    website and redirecting all traffic to a pornographic website?

    I'm just wondering if you were to do something like that, would you
    "reflect" before, or after?


    >
    > <snip>
    >> I could target Joe Public with
    >> ROT13, does that mean that I should not be criticized for doing so?
    >>
    >> -- B

    > As long as you come clean about the value of ROT13, target away. Call
    > ROT13, say, "truly the best ", and Ari is probably going to pay you a
    > visit. :)


    And now I'm wondering what you could possibly mean by that.





  5. #85
    Ari Silverstein
    Guest

    Re: Truly Trulymail

    On Wed, 01 Sep 2010 20:31:04 GMT, nemo_outis wrote:

    > "Mr. B" <not@supplied.com> wrote in
    > news:i5m6j6$sfh$1@speranza.aioe.org:
    >
    > ...snip interesting points...
    >
    > I'm an old man and old men tell long-winded stories. And so…


    You're also known for snipping anything that knocks your knees out
    from under you (ahem) then bloviating to the max to divert the thread
    to your satisfaction.

    Excuse me, please continue...

    > Many, many years ago I was attending a lecture in higher


    <snipped boring BS>; *reinserted sci.crypt* which is where Mr. B is
    reading this thread...as you know but purposefully left out.

    Hope you don't mind, learned the art of snipping from you, please
    continue...

    > Your story of how easy it is for someone to set up a mime
    > cert. or get GPG going or do whatever other arcana are
    > necessary for encrypted email very much reminds me of
    > Professor Bach's "Of course it's obvious!"
    >
    > No, it isn't easy or obvious. For one thing an ordinary user
    > hasn't the slightest clue that it is MIME or PGP or
    > Quicksilver he should be tinkering with and not something else
    > entirely, never mind the mechanics of doing so once he
    > establishes that that is what he should be doing. It's very
    > far from obvious or easy. He must become a security hobbyist,
    > investigate and research, question others, filter out the
    > nonsense and the misinformation, avoid dead ends and wild
    > goose chases, and on and on.


    Agreed...so?

    > Is it doable? Of course it is - if he wants it badly enough
    > and is willing to put up with the pain in the ass of doing all
    > this. But for most folks the game isn't worth the candle.
    > They don't want to become "junior security experts," they
    > don't want a new time-consuming security hobby, they just want
    > to CONVENIENTLY send their email with modestly improved
    > privacy.


    Stop.

    Typical nemo rant, just gloss over the facts, make assumptions to suit
    your argument, and bury it in an edited, nemo-favorable response.

    Trulymail has *not*, I repeat *not*, been found to be private at all.

    <snipped useless continuation of why PGP is not easy; point conceded>

    > Ordinary folks want modestly improved privacy - they are not,
    > in general, looking for military-grade security.


    Not only are "ordinary folks" unable to define or decide what levels
    of privacy they want, OFs by and large aren't aware that email privacy
    is an issue. They don't see spam as privacy invasion, which it is,
    just a PITA.

    Email privacy is a grey matter which is why I claim it has to be all
    in or nothing at all.

    > They send letters in envelopes rather than postcards because it's
    > easy and gives improved privacy - even though they are under no
    > illusions that a sealed letter cannot be opened and resealed by a
    > sufficiently motivated adversary (or rendered transparent by Freon,
    > or…).


    A letter must be physically routed. This is something that can be
    tracked point to point. Postal users understand the system and they
    know that postal mail is protected from being opened by anyone except
    Sender and Recipient.

    Email is an illusory system that OFs have little to no knowledge
    about, are unaware that Federal law allows ISPs to read emails (on
    their servers and providers too).

    So your analogy holds no value.

    > If they had to make their own envelope glue by rendering cow's
    > hooves they'd stick with postcards, however. And despite the
    > protestations of security aficionados like you and me, the
    > ordinary user regards the current state of encrypting email to
    > be nearly that much bother. They want quick and easy - or
    > better still, invisible and transparent, with no need for any
    > hands-on intervention.


    Why do you think this represents an argument for Trulymail? *Everyone*
    would prefer an invisible, automated secure email system, so what?
    Trulymail isn't any of those things. Not one proof whatsoever.

    <snipped repetitive BS>

    > As for crap about needing a lot of additional security
    > precautions or you leave people "vulnerable" consider this:
    > right now they aren't using ANYTHING for privacy or security
    > and won't unless and until it becomes dirt easy. Any method
    > of improved email privacy, even though imperfect, would be a
    > big improvement.


    What? You don't consider https Gmail as "anything for privacy"? Secure
    login to Fastmail? Two of the most robust email services available?

    > (As for security on the PC itself...


    Off topic, bloviation, diversions, etc.

    > No, the ordinary person doesn't need the "whole catastrophe"
    > you want to foist on him, he just wants modestly improved
    > email privacy resistant to casual snooping. CONVENIENTLY!
    >
    > Remember: The perfect is the enemy of the good!
    >
    > Regards,


    One of the things that happens whenever you go off your meds is you
    take 30 min to say the obvious. Above is a perfect example of an
    attempt to thread hijack, not one mention of Trulymail (note subject
    of thread), just nemo outising along misinforming and meandering. Why
    you have become so patently disingenuous I proffer is old age.

    Grandpa, you've become a bore.
    --
    Talk about F-Cars - www.ferrarichat.com/forum/member.php?u=89702

  6. #86
    Ari Silverstein
    Guest

    Re: Truly Trulymail

    On Wed, 01 Sep 2010 17:53:20 GMT, nemo_outis wrote:

    > Ari Silverstein <AriSilverstein@yahoo.com> wrote in
    > news:8e7fvlFpgU1@mid.individual.net:
    >
    > ...
    >> The terms identification, authentication, verification and
    >> ultimately authorization are defined from the world of
    >> biometrics. Where these processes can be invoked.


    <selective and dishonest snipping>

    > No, Ari, the "world of biometrics" is not where these terms
    > are defined, despite the eagerness of some techies to coopt
    > and kidnap them.


    Which I alluded to in the part that you dishonestly snipped, you
    disingenuous knucklehead.

    > Identification, authentication, verification
    > and authorization are terms with long, well-understood and
    > broadly applied meanings dating back long before the word
    > "biometrics" was even coined.


    Which I alluded to in the part that you dishonestly snipped, you
    disingenuous knucklehead.

    > And even the diversity and
    > range of meaningS (not meaning) of these terms carries
    > considerable significance.


    Which I alluded to in the part that you dishonestly snipped, you
    disingenuous knucklehead.

    > If techies wish to apply specialized limited meanings to these
    > terms in some specialized limited context, fine - but don't
    > pretend that that somehow pre-empts and supplants the
    > original.


    Which I alluded to in the part that you dishonestly snipped, you
    disingenuous knucklehead.

    >> Think of it this way. If I walk up to you and say "Hi, I'm
    >> Ari" without something to verify my ID (Passport, secure
    >> credentials card, etc.) you have nothing of value except a
    >> statement. Much like your password matching on your server.

    >
    > No, Ari, all a passport, birth certificate, Verisign cert, or
    > other document is is just another "statement" from some other
    > person or institution.


    Which statements are our best and most secure means of verifying
    identity in any ordinary circumstance as per my walk-up scenario.

    But you knew that so why...?

    > Why you should put more trust in one rather than the other is
    > determined by the context and circumstances.


    One and one is two, are we bonding yet?

    > Trust is a non-trivial problem. And dressing it up with
    > pseudomathematical techie concepts that are manifestly wrong
    > (e.g., trust relationships are transitive) doesn't really
    > tackle the problem - it's just putting lipstick on the pig.


    WTF are you talking about? I was talking about Trulymail's using the
    term authentication in terms of verifying the login person's identity.
    They claim it does. It don't, it doesn't do *anything* except allow
    the process of /someone/ to match a password to the one on their
    server.

    That's it, no pigs involved. Snap back to reality, nemo.

    > If you truly want security then human relationships are the
    > core (of which trust is one very important aspect). If you
    > really want security you would do far better to read
    > Shakespeare than the HAC. Greed, power-lust, ambition, envy,
    > spite, betrayal, revenge - these are the real security issues
    > - not trivia such as whether you use 128 or 256-bit AES.


    *larf*

    > Techies fall in love with the technology and often lose track
    > of the real issues for which it is just a tool.
    >
    > Regards,


    You fall in love with your keyboard and post like a tool. lol
    --
    Talk about F-Cars - www.ferrarichat.com/forum/member.php?u=89702

  7. #87
    nemo_outis
    Guest

    Re: Truly Trulymail

    "Steve Terry" <gfourwwk@tesco.net> wrote in
    news:i5mmrf$92e$1@news.eternal-september.org:

    ....
    >> I believe we were discussing the trustworthiness of
    >> credentials. Well, yours don't make the cut.



    > If you could be bothered to search Google groups archives
    > you'd find i've been posting on Usenet with my own name for
    > years



    Let me quote from my favorite movie, Casablanca:

    Ugarte: "You despise me, don't you?"

    Rick: "If I gave you any thought I probably would."

    Are you beginning to understand how little I care about your
    whining protests?

    Regards,

  8. #88
    nemo_outis
    Guest

    Re: Truly Trulymail

    Ari Silverstein <AriSilverstein@yahoo.com> wrote in
    news:8e83tqFr4vU1@mid.individual.net:

    Ari, you have conclusively demonstrated that you can be stupid
    longer than I can be patient.

    I have no intention of taking your endless whining pointless
    idiocies seriously.

    You were dismissed. So do be a good lad and **** off.


  9. #89
    vince
    Guest

    Re: Truly Trulymail

    On Thu, 2 Sep 2010 11:18:00 +1200, Dave Doe wrote:

    > In article <Xns9DE662FEB7E4Dpqwertyu@69.16.185.250>, abc@xyz.com says...
    >>
    >> Ari Silverstein <AriSilverstein@yahoo.com> wrote in
    >> news:8e69t4FoiuU1@mid.individual.net:
    >>
    >> You still here? You were dismissed.

    >
    > I bozo binned the wanker! :) Look ma, no more crap.


    Look a nemo outis sockpuppet!

  10. #90
    Ari Silverstein
    Guest

    Re: Truly Trulymail

    On Thu, 02 Sep 2010 01:14:28 GMT, nemo_outis wrote:

    > Ari Silverstein <AriSilverstein@yahoo.com> wrote in
    > news:8e83tqFr4vU1@mid.individual.net:
    >
    > Ari, you have conclusively demonstrated that you can be stupid
    > longer than I can be patient.


    I so enjoy kicking your ass around, grandpa, then watching you hit the
    bricks with your tail between your legs.

    > I have no intention of taking your endless whining pointless
    > idiocies seriously.


    Uh-huh. Three thousand words and one butt whooping later.

    > You were dismissed. So do be a good lad and **** off.


    Just send your Nepal ***** of a wife on over to my house and put your
    teeth back in before you gum your macaroni and cheese to yellow
    piss-paste.

    And your attempt to block my response by altering the Follow-Up failed
    too, you sorry sack of ****.

    <VVVBG>
    --
    Talk about F-Cars - www.ferrarichat.com/forum/member.php?u=89702

  11. #91
    nemo_outis
    Guest

    Re: Truly Trulymail

    Ari Silverstein <AriSilverstein@yahoo.com> wrote in
    news:8e8h03Fq5rU1@mid.individual.net:

    **** off, Ari.

  12. #92
    Madhav "Mr. Nepal" Acharya
    Guest

    nemos wife

    On Thu, 02 Sep 2010 05:42:31 GMT, nemo_outis wrote:

    > Ari Silverstein <AriSilverstein@yahoo.com> wrote in
    > news:8e8h03Fq5rU1@mid.individual.net:


    >> Ari, you have conclusively demonstrated that you can be stupid
    >> longer than I can be patient.


    >> I have no intention of taking your endless whining pointless
    >> idiocies seriously.


    >> You were dismissed.



    > **** off, Ari. I admit, I hate jewball bastards like you and cannot
    > keep myself from constantly answering you.


    > fyi my wife never ****ed anyone from Nepal.


    i phucked your ugly wife i paed nothing you lye you are scum of erth
    --
    skype:mranep cell:813-610-2978; work:813-386-4500; work2:813-915-1663
    Motto: Why face the world myself when my wife's skirt, it is so dark
    and comfy under it? Proclamation: "A man can have sex with sheep,
    cows and camels and so on. However, he should kill the animal after
    he has his orgasm. He should not sell the meat to the people in
    Nepal; Ok I did so beat me with a Yeti dick.




  13. #93
    a
    Guest

    Re: Truly Trulymail

    **** off, Ari. You're just trolling John for the sake of being difficult.
    Hundreds of apps exist where you don't know the makers and their history.





    "Ari Silverstein" <AriSilverstein@yahoo.com> wrote in message news:8e4kfpFr7gU1@mid.individual.net...
    > On Tue, 31 Aug 2010 07:48:47 -0700 (PDT), TrulyMail Support wrote:
    >
    >>> If you're dealing with security products, especially without open
    >>> source coding, /who/ you are and your background is extremely
    >>> important.

    >>
    >> I guess it all depends on who we are targeting as our customer. For
    >> John Q. Public to choose a system to keep his private messages
    >> private, does he care about who made Thunderbird+GPG+Enigmail or who
    >> made TrulyMail?
    >>
    >> I believe he does not. I believe his primary concern is how to keep
    >> his private communications private without spending a day getting
    >> three pieces of software installed, setup, and configured to
    >> interoperate. Of course, the easier path for him is to use TrulyMail,
    >> click the Next button a few times, and have everything done
    >> automatically.

    >
    > Let me translate. You want newbies, dumbasses and those with no
    > education in anything cryptology to buy into your product.
    >
    > OK, at least we have your marketing plan down.
    >
    >> You are clearly a very detail-oriented person. You want to know
    >> everything about whatever topic you dig into. There is nothing wrong
    >> with that. There are many open source systems out there which allow
    >> you to go through the code line-by-line and you can see everything it
    >> does.

    >
    > Hardly detail oriented. Examining open source code isn't my cup of tea
    > either.
    >
    > But I do believe in peer review and your rather flippant attitude "see
    > you in Santiagoe" toward your code is utter ********.
    >
    > But, hey, there is a large market for morons who will trust their
    > privacy with people like you so have at it. Expect to get zero
    > credibility from anyone who has any teensy bit of workable knowledge
    > regarding encryption.
    >
    >> We are not that kind of company. We are a 'bring secure, convenient
    >> communications to the masses' kind of company.

    >
    > You're a bring the bucks to John kinda company who hides behind single
    > names and averts the honest intentions of prying eyes.
    >
    >> Different fits for different people.

    >
    > Most certainly but you can have your profits and your credibility as
    > well. For whatever reason, none of which I can think of that is either
    > honest or straightforward, Trulymail has decided to take the lowest of
    > low roads.
    >
    > The only reasons you would do so are:
    >
    > 1) Trulymail is comprised of a set of waffling imbeciles.
    > 2) You're crooked
    >
    > You see, transparency is the lifeblood of professional cryptology. The
    > breast that feeds its reliability and innocence. You guys are as
    > valuable as a tit on a boy pig.
    >
    > Now you are exposed which is a good thing for everyone including you.
    > Repent. Turn away from the Dark Side.
    >
    > This "trust us, we're really good guys" is a bunch of hocus-pocus BS,
    > it demeans you and it demeans your products.
    >
    > Remember Allende.
    > --
    > Ari's Fun Times!
    > http://tr.im/hrFG
    > Motto: Run, rabbit, Run!




  14. #94
    Paulo Marques
    Guest

    Re: Truly Trulymail

    a wrote:
    > **** off, Ari. You're just trolling John for the sake of being difficult.
    > Hundreds of apps exist where you don't know the makers and their history.


    Ari's arguments might not have been expressed in the best of ways (to
    put it mildly) but he is correct in that you can not trust the
    cryptography of a closed source application. Even worse than that is an
    application with an undisclosed algorithm.

    Yes, hundreds (most likely thousands or more) of applications exist for
    which you have no sources, but you don't write sensitive information in
    those applications and expect privacy, etc.

    For all you know, TrulyMail might encrypt an escrow key in the message
    that allows them to decrypt any message, or send an encrypted copy like
    that to their own servers for all the messages you send and snoop on all
    your "secret" traffic.

    The point is that they _might_ be good and honest people who would never
    do anything like that, but there is no way for the end user to know that
    for sure...

    --
    Paulo Marques - www.grupopie.com

    "Who is general Failure and why is he reading my disk?"

  15. #95
    Pubkeybreaker
    Guest

    Re: Truly Trulymail

    On Sep 2, 9:44 am, Paulo Marques <pmarq...@grupopie.com> wrote:
    > a wrote:
    > > **** off, Ari. You're just trolling John for the sake of being difficult.
    > > Hundreds of apps exist where you don't know the makers and their history.

    >
    > Ari's arguments might not have been expressed in the best of ways (to
    > put it mildly) but he is correct in that you can not trust the
    > cryptography of a closed source application.


    Oh??? Has RSA Security made its code open source? I'm sure
    that you can/would/should trust BSAFE for example, even though it is
    not open source.

    Would you not trust closed-source NIST certified FIPS-140 compliant
    code?


    > Even worse than that is an
    > application with an undisclosed algorithm.


    This is certainly true.



  16. #96
    TrulyMail Support
    Guest

    Re: Truly Trulymail

    > On Sep 2, 9:44 am, Paulo Marques <pmarq...@grupopie.com> wrote:

    > > Even worse than that is an
    > > application with an undisclosed algorithm.

    >
    > This is certainly true.


    We have disclosed our algorithms. Please see the posting to that
    effect. I'll repeat it here for your convenience.

    -------
    Our TrulyMail client is built using Microsoft's .Net
    and our encryption uses their cryptographic library using the Rijndael
    algorithm (PROV_RSA_AES cryptographic service provider). We use a
    4096-bit key, as mentioned earlier.
    -------

  17. #97
    Pubkeybreaker
    Guest

    Re: Truly Trulymail

    On Sep 2, 10:34 am, TrulyMail Support <supp...@trulymail.com> wrote:
    > > On Sep 2, 9:44 am, Paulo Marques <pmarq...@grupopie.com> wrote:
    > > > Even worse than that is an
    > > > application with an undisclosed algorithm.

    >
    > > This is certainly true.

    >
    > We have disclosed our algorithms. Please see the posting to that
    > effect. I'll repeat it here for your convenience.
    >
    > -------
    > Our TrulyMail client is built using Microsoft's .Net
    > and our encryption uses their cryptographic library using the Rijndael
    > algorithm (PROV_RSA_AES cryptographic service provider). We use a
    > 4096-bit key, as mentioned earlier.
    > -------


    This last comment shows that you have no clue as to what you are
    doing. Rijndael's key sizes are 128, 192, and 256 bits.

    If you are using a 4096 bit key for some *public key algorithm*, you
    have not disclosed what that algorithm is, or how you are using it.
    Nor have you disclosed the key generation mechanism.

    I trust Microsoft's crypto library (the one who wrote it is a
    colleague and co-author of mine) and would know how to use it.

    By your own admission, your company has ZERO crypto knowledge.
    How can anyone trust you to USE Microsoft's library in the correct
    way?


    If you want your code vetted, you can hire me at $400.00/hr. And I
    do have both the required software and crypto background.

  18. #98
    nemo_outis
    Guest

    Re: Truly Trulymail

    Pubkeybreaker <pubkeybreaker@aol.com> wrote in
    news:940e20f3-a654-479a-8fa1-d972c31fe084@f25g2000yqc.googlegroups.com:

    > On Aug 31, 10:01 pm, "nemo_outis" <a...@xyz.com> wrote:
    >> "Joseph Ashwood" <ashw...@msn.com> wrote in
    >> news:Gohfo.36956$6o7.15680@newsfe21.iad:


    > And for an ordinary person, it is no better solution to
    > "trust the code reviewer" than to "trust the code writer."
    > The unqualified layman still has to operate on a **trust
    > model** Whether it's a reviewer or a writer - you're only
    > **displacing** where the trust gets placed. Hell, even if
    > the code were completely vetted a dishonest operator (of
    > closed or open source crypto software) could still subvert
    > security - as I have repeatedly shown right here!


    > Yes, crypto is hard to get right. And not one person in a
    > million has both the programming and crypto skills to do a
    > thorough review of any serious program's crypto code.




    > I would be happy to do a thorough review of this software
    > for them. For a fee. I charge $400.00/hr
    >
    > And yes. I am qualified.



    Which is precisely why open-source crypto code is largely
    pointless in terms of a thorough review. The unqualified
    can't do it, and the qualified won't do it.

    Not without a fee. In which case, the source might just as
    well be closed.

    Moreover, when you're finished your review, why the hell
    should a potential new user place any trust in the quality,
    competence and thoroughness of your review? You (or the
    company that hired you) will be asking the users to "trust"
    you - why should they?

    Why indeed? After all, even if your credentials are
    impressive, your honesty unimpeachable, and your fame
    widespread (and are they?) you're a hired gun with a clear
    conflict of interest. He who pays the piper calls the tune -
    or at least that's a legitimate worry for a potential new
    user. Hell, that question arises even with independent
    certified labs doing FIPS evaluations.

    Once again, all you have done is displace the trust
    relationship - from the code writer to the code reviewer.

    Moreover, the folks at whom TrulyMail is targeted probably
    don't give a flying **** about code reviews even if they were
    done by crypto luminaries like Bruce Schneier. The response
    of an ordinary person to this is likely to be, "Bruce Who?"
    No, the company would likely get better marketing results
    using a frothy endorsement from a chesty blonde bimbo.

    But even if the review was thorough and competent, and even if
    the user did care, he's still nowhere near secure.
    You see, nobody uses source code - they use binaries
    (especially in Windows - nobody compiles from source). And
    there's no guarantee whatsoever that the binary that gets
    executed reflects the source code that was reviewed - the
    company could just substitute a bug-infested backdoored
    version of both the server and client binaries if it chose and
    the poor user would be none the wiser.

    And I haven't even touched upon patches and version upgrades -
    do you expect the company to hire you for another code review
    for each of these? Fat chance!

    Regards,









  19. #99
    Mark Murray
    Guest

    Re: Truly Trulymail

    On 09/02/10 15:48, Pubkeybreaker wrote:
    > -------
    >> Our TrulyMail client is built using Microsoft's .Net
    >> and our encryption uses their cryptographic library using the Rijndael
    >> algorithm (PROV_RSA_AES cryptographic service provider). We use a
    >> 4096-bit key, as mentioned earlier.
    >> -------
    >
    > This last comment shows that you have no clue as to what you are
    > doing.
    > Rijndael's key sizes are 128, 192, and 256 bits.
    >
    > If you are using a 4096 bit key for some *public key algorithm*, you
    > have not disclosed what that algorithm is, or how you are using it.
    > Nor have you disclosed the key generation mechanism.


    http://msdn.microsoft.com/en-us/libr...8VS.85%29.aspx

    Pubkeybreaker,

    Look carefully at the "PROV_*RSA*_AES".

    AES has the keysizes you mention, but RSA can quite easily have
    4096 bits.

    > I trust Microsoft's crypto library (the one who wrote it is a
    > colleague and co-author of mine) and would know how to use it.


    Then slow down - I think you are missing important details here.

    > By your own admission, your company has ZERO crypto knowledge.
    > How can anyone trust you to USE Microsoft's library in the correct
    > way?
    >
    >
    > If you want your code vetted, you can hire me at $400.00/hr. And I
    > do have both the required software and crypto background.


    Based on the above RSA detail missed, are you really worth $400 an hour?

    M
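    Added here to illustrate the key-size question in the two posts above (example code of my own, not from any poster or from TrulyMail): this PowerShell script asks .NET, the platform the quoted description names, which key sizes AES and the RSA implementation behind CryptoAPI provider type PROV_RSA_AES accept. It assumes a Windows host with .NET Framework and the "Microsoft Enhanced RSA and AES Cryptographic Provider" installed; the function names are my own.

```powershell
# Added example (not any poster's code). Assumes Windows + .NET Framework
# with the Microsoft Enhanced RSA and AES Cryptographic Provider present.

function Format-KeySizes {
    # Render a .NET KeySizes[] (Min, Max, Skip) as readable text.
    param([System.Security.Cryptography.KeySizes[]]$Sizes)
    ($Sizes | ForEach-Object { "$($_.MinSize)-$($_.MaxSize) step $($_.SkipSize)" }) -join ', '
}

function Test-KeySizes {
    param([int]$Bits = 4096)   # the size the quoted description claims to use
    $result = [ordered]@{}

    # Symmetric half: Rijndael/AES only accepts 128, 192 or 256 bits.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $result.AesLegalSizes = Format-KeySizes $aes.LegalKeySizes
    try {
        $aes.KeySize = $Bits               # setter rejects sizes outside LegalKeySizes
        $result.AesAccepts = $true
    } catch {
        # PowerShell wraps the CryptographicException thrown by the setter; unwrap it.
        $result.AesAccepts = $false
        $result.AesError   = $_.Exception.GetBaseException().Message
    } finally {
        $aes.Dispose()
    }

    # Asymmetric half: provider type 24 is PROV_RSA_AES, the
    # "Microsoft Enhanced RSA and AES Cryptographic Provider", which offers RSA too.
    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.ProviderType = 24
    $csp.ProviderName = 'Microsoft Enhanced RSA and AES Cryptographic Provider'
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList $Bits, $csp
    $rsa.PersistKeyInCsp = $false          # discard the throw-away key on Dispose
    $result.RsaLegalSizes = Format-KeySizes $rsa.LegalKeySizes
    $result.RsaKeyBits    = $rsa.KeySize   # forces key generation; takes a few seconds
    $rsa.Dispose()

    [pscustomobject]$result
}

Test-KeySizes | Format-List
```

    Run in an elevated or normal PowerShell session; the AES assignment fails while the RSA key of the same bit length is generated by the same provider type.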


  20. #100
    Pubkeybreaker
    Guest

    Re: Truly Trulymail

    On Sep 2, 12:13 pm, Mark Murray <w.h.o...@example.com> wrote:
    > On 09/02/10 15:48, Pubkeybreaker wrote:
    > > -------
    > >> Our TrulyMail client is built using Microsoft's .Net
    > >> and our encryption uses their cryptographic library using the Rijndael
    > >> algorithm (PROV_RSA_AES cryptographic service provider). We use a
    > >> 4096-bit key, as mentioned earlier.
    > >> -------
    > >
    > > This last comment shows that you have no clue as to what you are
    > > doing.
    > > Rijndael's key sizes are 128, 192, and 256 bits.
    > >
    > > If you are using a 4096 bit key for some *public key algorithm*, you
    > > have not disclosed what that algorithm is, or how you are using it.
    > > Nor have you disclosed the key generation mechanism.
    >
    > http://msdn.microsoft.com/en-us/libr...8VS.85%29.aspx
    >
    > Pubkeybreaker,
    >
    > Look carefully at the "PROV_*RSA*_AES".
    >
    > AES has the keysizes you mention, but RSA can quite easily have
    > 4096 bits.
    >
    > > I trust Microsoft's crypto library (the one who wrote it is a
    > > colleague
    > > and co-author of mine) and would know how to use it.
    >
    > Then slow down - I think you are missing important details here.
    >
    > > By your own admission, your company has ZERO crypto knowledge.
    > > How can anyone trust you to USE Microsoft's library in the correct
    > > way?
    >
    > > If you want your code vetted, you can hire me at $400.00/hr. And I
    > > do have both the required software and crypto background.
    >
    > Based on the above RSA detail missed, are you really worth $400 an hour?


    I missed no detail. I quote what was written:

    "PROV_RSA_AES"

    This is a bunch of acronyms that have been run together and connected
    by underscores. It is not RSA. I can read; apparently, you can't.
