[gentoo-user] Encrypted cell 2 gentoo

[gentoo-user] Encrypted cell 2 gentoo

[James]

Hello,

I've been googling for some guides on setting up encrypted mail
on a gentoo system and specifically how you would set up the apple
or android phone on the other end. Lots to read. Guidance on the
applications (both cell phone and the gentoo workstations. I guess
that inter-operability is what I'm most curious about. I'm not running a 
MTA, but I could if that helps?

Re: [gentoo-user] Encrypted cell 2 gentoo

[Max R.D. Parmer]

Do I understand correctly that you're looking to set up a Gentoo server
as a "hub" from which you can retrieve your mail using any of your
client systems?

If I understood correctly, interoperability should be easy because
mostly it comes down to IMAP/SMTP/POP3 and support for those protocols
is pretty good across lots of applications. But maybe I got it wrong?

--
0x7D964D3361142ACF

On Mon, Mar 28, 2016, at 08:21, James wrote:
> Hello,
> 
> I've been googling for some guides on setting up encrypted mail
> on a gentoo system and specifically how you would set up the apple
> or android phone on the other end. Lots to read. Guidance on the
> applications (both cell phone and the gentoo workstations. I guess
> that inter-operability is what I'm most curious about. I'm not running a 
> MTA, but I could if that helps?
> 
> 
> 
> 

[gentoo-user] Re: Encrypted cell 2 gentoo

[James]

Max R.D. Parmer <maxp <at> trystero.is> writes:




> Do I understand correctly that you're looking to set up a Gentoo server
> as a "hub" from which you can retrieve your mail using any of your
> client systems?

Not really. Yes that has to work but... What I want to read up on 
and test is encrypted (secure) communications between the (2) major
cell phone types and whatever client on a gentoo workstation. The 
goal is good security, that is reasonable to setup and manage
and allows folks to use any of those 3 devices to exchange encrypted mail.
Suppose I had a friend that has an ios phone. What page do I send him to
to encrypt his emails? What will work with thunderbird, sylpheed, etc.
Some discussion, url links that I can refer others to and then
recommendations.

> If I understood correctly, interoperability should be easy because
> mostly it comes down to IMAP/SMTP/POP3 and support for those protocols
> is pretty good across lots of applications. But maybe I got it wrong?

What I want to do is find documents that at least provide an overview
of which specific apps to put on a cell phone (android or ios) some
example configs and then a few docs on the gentoo side.

Free or do you buys those apps from a vendor on the cell phones?
Which ones are better, i.e. more trusted or have different algos
for encryptions (bit-lenght etc). May, I just need to find
a forum where this is routinely discuss to see what's new, what's
not secure, what may be prohibited by whom, etc etc.


OK?

James  

Re: [gentoo-user] Re: Encrypted cell 2 gentoo

[Max R.D. Parmer]

Ahh, OK. So secure communications between all these clients.

The two big players for client-side encryption for email or messaging
data would be GPG and OTR; for VoIP you would want to look into ZRTP.
There are several clients that support these three protocols on all the
platforms you've listed (though support for ZRTP is across the board
pretty rare).

Unfortunately, I'm not aware of any single cohesive guide to tie it
altogether.

--
0x7D964D3361142ACF

On Mon, Mar 28, 2016, at 09:13, James wrote:
> Max R.D. Parmer <maxp <at> trystero.is> writes:
> 
> 
> 
> 
> > Do I understand correctly that you're looking to set up a Gentoo server
> > as a "hub" from which you can retrieve your mail using any of your
> > client systems?
> 
> Not really. Yes that has to work but... What I want to read up on 
> and test is encrypted (secure) communications between the (2) major
> cell phone types and whatever client on a gentoo workstation. The 
> goal is good security, that is reasonable to setup and manage
> and allows folks to use any of those 3 devices to exchange encrypted
> mail.
> Suppose I had a friend that has an ios phone. What page do I send him to
> to encrypt his emails? What will work with thunderbird, sylpheed, etc.
> Some discussion, url links that I can refer others to and then
> recommendations.
> 
> > If I understood correctly, interoperability should be easy because
> > mostly it comes down to IMAP/SMTP/POP3 and support for those protocols
> > is pretty good across lots of applications. But maybe I got it wrong?
> 
> What I want to do is find documents that at least provide an overview
> of which specific apps to put on a cell phone (android or ios) some
> example configs and then a few docs on the gentoo side.
> 
> Free or do you buys those apps from a vendor on the cell phones?
> Which ones are better, i.e. more trusted or have different algos
> for encryptions (bit-lenght etc). May, I just need to find
> a forum where this is routinely discuss to see what's new, what's
> not secure, what may be prohibited by whom, etc etc.
> 
> 
> OK?
> 
> James  
> 
> 
> 
> 

Re: [gentoo-user] Re: Encrypted cell 2 gentoo

[Mick]

[-- Attachment #1: Type: text/plain, Size: 1101 bytes --]

On Monday 28 Mar 2016 09:26:54 Max R.D. Parmer wrote:
> Ahh, OK. So secure communications between all these clients.
> 
> The two big players for client-side encryption for email or messaging
> data would be GPG and OTR; 

Also S/MIME encryption of the email message body using SSL certificates 
achieves the same end result (i.e. encrypted payload) as GnuPG offers.  For 
GPG you may need a plugin (e.g. enigmail on T'bird) or something similar for 
phone clients, but S/MIME is usually available by default for most email 
clients and platforms.

A word of caution:

Snowden warned us that the end devices do not possess strong enough randomness 
generators to ensure that the encryption they perform cannot be reverse 
engineered.

A recent article shared on this M/L also showed that anything with Intel 
inside® can be deemed as intentionally weakened to enable potential 
interference with our privacy.

Therefore treat your encrypted communications and their content with caution, 
because you don't know how private these may remain in the future.

-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 473 bytes --]

[gentoo-user] Re: Encrypted cell 2 gentoo

[James]

Mick <michaelkintzios <at> gmail.com> writes:

> > Ahh, OK. So secure communications between all these clients.
> > The two big players for client-side encryption for email or messaging
> > data would be GPG and OTR; 

Good 2 know. I'll keep searching for docs. 

> Also S/MIME encryption of the email message body using SSL certificates 
> achieves the same end result (i.e. encrypted payload) as GnuPG offers.  
> For GPG you may need a plugin (e.g. enigmail on T'bird) or something 
> similar for phone clients, but S/MIME is usually available by default for
>  most email clients and platforms.

OK, so maybe I'll test out a few devices, provide some feedback and then
seen about a (gentoo wiki) page. If the community is not interested in 
that I bet these guys would put up some sort of community cook-book on
this topic:: [1] 

Dont know who they are, but they seem to be on the right track,
and they big on Gentoo!

> A word of caution:  Snowden warned us that the end devices do not ossess 
> strong enough randomness generators to ensure that the encryption they 
> perform cannot be reverse engineered.

Intel has long been hiding extra hardware inside of their processors, for a
variety of nefarious activities. Here is a link where they now let the
retail world in on what has been going on for decades [2].

This is why the US gov keeps hyping how bad security is, so the gov can take
steps and the sub-contract out the details for billions (it's the new cold
war and we have to be scared enough to get the govs to protect us, right?
And all of that horse_feathers....

Anyone doing gate/register design/validations with Intel parts, decades ago,
stumbled into areas of the the intel chips with hidden hardware. Just slice
them and put them under any high res scanner nowadays.... Sadly, everybody
in the chip bidness does this routinely now. SoCs are all full
of this crap.

The old AT&T phone switches (think 3B2) had this sort of 'undefined
hardware'. Nothing new 'signal intercept' is good to search on, but most
of the Intel (get the pun?) has been scrubbed form the internet on 
'signal intercept'; particularly the Rf stuff.

> A recent article shared on this M/L also showed that anything with Intel 
> inside® can be deemed as intentionally weakened to enable potential 
> interference with our privacy.

Got that link handy? Part of the SSL v2 v3 stuff? I was hoping somebody
would write up a summary, and  detail action plans from a gentoo
workstation, gentoo server and gentoo-cluster perspective on the state
of SSL.* issues.  

> Therefore treat your encrypted communications and their content with  
> caution, because you don't know how private these may remain in the 
> future.

Kinda like a very gorgeous woman, with a low credit score (yak yak yhak)?
Or like an 'old bug' flying towards the light (ZAP)?
Certainly, but, the low rent hacks might be held at bay a little longer.
Still, we should make the effort to streamline and document pathways, with
ample warnings of cautions.


[1] https://wiki.installgentoo.com/index.php/Encryption

[2]
http://www.extremetech.com/extreme/184828-intel-unveils-new-xeon-chip-with-integrated-fpga-touts-20x-performance-boost

Re: [gentoo-user] Re: Encrypted cell 2 gentoo

[Max R.D. Parmer]

I think the paper on Intel issues Mick is referring to is the one I
linked not too long ago:
http://blog.invisiblethings.org/papers/2015/x86_harmful.pdf

It seems like you're looking for something like the EFF's "surveillance
self-defense"[1] site but with some stuff specific to Gentoo.

[1]: https://ssd.eff.org/

--
0x7D964D3361142ACF

On Mon, Mar 28, 2016, at 10:25, James wrote:
> Mick <michaelkintzios <at> gmail.com> writes:
> 
> > > Ahh, OK. So secure communications between all these clients.
> > > The two big players for client-side encryption for email or messaging
> > > data would be GPG and OTR; 
> 
> Good 2 know. I'll keep searching for docs. 
> 
> > Also S/MIME encryption of the email message body using SSL certificates 
> > achieves the same end result (i.e. encrypted payload) as GnuPG offers.  
> > For GPG you may need a plugin (e.g. enigmail on T'bird) or something 
> > similar for phone clients, but S/MIME is usually available by default for
> >  most email clients and platforms.
> 
> OK, so maybe I'll test out a few devices, provide some feedback and then
> seen about a (gentoo wiki) page. If the community is not interested in 
> that I bet these guys would put up some sort of community cook-book on
> this topic:: [1] 
> 
> Dont know who they are, but they seem to be on the right track,
> and they big on Gentoo!
> 
> > A word of caution:  Snowden warned us that the end devices do not ossess 
> > strong enough randomness generators to ensure that the encryption they 
> > perform cannot be reverse engineered.
> 
> Intel has long been hiding extra hardware inside of their processors, for
> a
> variety of nefarious activities. Here is a link where they now let the
> retail world in on what has been going on for decades [2].
> 
> This is why the US gov keeps hyping how bad security is, so the gov can
> take
> steps and the sub-contract out the details for billions (it's the new
> cold
> war and we have to be scared enough to get the govs to protect us, right?
> And all of that horse_feathers....
> 
> Anyone doing gate/register design/validations with Intel parts, decades
> ago,
> stumbled into areas of the the intel chips with hidden hardware. Just
> slice
> them and put them under any high res scanner nowadays.... Sadly,
> everybody
> in the chip bidness does this routinely now. SoCs are all full
> of this crap.
> 
> The old AT&T phone switches (think 3B2) had this sort of 'undefined
> hardware'. Nothing new 'signal intercept' is good to search on, but most
> of the Intel (get the pun?) has been scrubbed form the internet on 
> 'signal intercept'; particularly the Rf stuff.
> 
> > A recent article shared on this M/L also showed that anything with Intel 
> > inside® can be deemed as intentionally weakened to enable potential 
> > interference with our privacy.
> 
> Got that link handy? Part of the SSL v2 v3 stuff? I was hoping somebody
> would write up a summary, and  detail action plans from a gentoo
> workstation, gentoo server and gentoo-cluster perspective on the state
> of SSL.* issues.  
> 
> > Therefore treat your encrypted communications and their content with  
> > caution, because you don't know how private these may remain in the 
> > future.
> 
> Kinda like a very gorgeous woman, with a low credit score (yak yak yhak)?
> Or like an 'old bug' flying towards the light (ZAP)?
> Certainly, but, the low rent hacks might be held at bay a little longer.
> Still, we should make the effort to streamline and document pathways,
> with
> ample warnings of cautions.
> 
> 
> [1] https://wiki.installgentoo.com/index.php/Encryption
> 
> [2]
> http://www.extremetech.com/extreme/184828-intel-unveils-new-xeon-chip-with-integrated-fpga-touts-20x-performance-boost
> 
> 

Re: [gentoo-user] Re: Encrypted cell 2 gentoo

[Mick]

[-- Attachment #1: Type: text/plain, Size: 741 bytes --]

On Monday 28 Mar 2016 10:54:49 Max R.D. Parmer wrote:
> I think the paper on Intel issues Mick is referring to is the one I
> linked not too long ago:
> http://blog.invisiblethings.org/papers/2015/x86_harmful.pdf

Yes, here's the M/L thread:

http://article.gmane.org/gmane.linux.gentoo.user/288720


> It seems like you're looking for something like the EFF's "surveillance
> self-defense"[1] site but with some stuff specific to Gentoo.
> 
> [1]: https://ssd.eff.org/

Also worth a read, for sysadmins at least is this:

https://bettercrypto.org/static/applied-crypto-hardening.pdf

Revisit regularly, as this is WIP and it gets updated every now and then as 
more vulnerabilities are discovered.

-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 473 bytes --]

Re: [gentoo-user] Encrypted cell 2 gentoo

[wabenbau]

James <wireless@tampabay.rr.com> wrote:

> Hello,
> 
> I've been googling for some guides on setting up encrypted mail
> on a gentoo system and specifically how you would set up the apple
> or android phone on the other end. Lots to read. Guidance on the
> applications (both cell phone and the gentoo workstations. I guess
> that inter-operability is what I'm most curious about. I'm not
> running a MTA, but I could if that helps?

For PGP encrypted mail on android phones you can use K-9 Mail 
together with OpenKeychain or AGP. All of these apps are available
at fdroid.org and also at Google playstore.

A good address for information and apps about privacy on phones is 

https://guardianproject.info

--
Regards
wabe

Re: [gentoo-user] Re: Encrypted cell 2 gentoo

[covici]

If you have your own mta and use imap-s won't that do it?

Max R.D. Parmer <maxp@trystero.is> wrote:

> Ahh, OK. So secure communications between all these clients.
> 
> The two big players for client-side encryption for email or messaging
> data would be GPG and OTR; for VoIP you would want to look into ZRTP.
> There are several clients that support these three protocols on all the
> platforms you've listed (though support for ZRTP is across the board
> pretty rare).
> 
> Unfortunately, I'm not aware of any single cohesive guide to tie it
> altogether.
> 
> --
> 0x7D964D3361142ACF
> 
> On Mon, Mar 28, 2016, at 09:13, James wrote:
> > Max R.D. Parmer <maxp <at> trystero.is> writes:
> > 
> > 
> > 
> > 
> > > Do I understand correctly that you're looking to set up a Gentoo server
> > > as a "hub" from which you can retrieve your mail using any of your
> > > client systems?
> > 
> > Not really. Yes that has to work but... What I want to read up on 
> > and test is encrypted (secure) communications between the (2) major
> > cell phone types and whatever client on a gentoo workstation. The 
> > goal is good security, that is reasonable to setup and manage
> > and allows folks to use any of those 3 devices to exchange encrypted
> > mail.
> > Suppose I had a friend that has an ios phone. What page do I send him to
> > to encrypt his emails? What will work with thunderbird, sylpheed, etc.
> > Some discussion, url links that I can refer others to and then
> > recommendations.
> > 
> > > If I understood correctly, interoperability should be easy because
> > > mostly it comes down to IMAP/SMTP/POP3 and support for those protocols
> > > is pretty good across lots of applications. But maybe I got it wrong?
> > 
> > What I want to do is find documents that at least provide an overview
> > of which specific apps to put on a cell phone (android or ios) some
> > example configs and then a few docs on the gentoo side.
> > 
> > Free or do you buys those apps from a vendor on the cell phones?
> > Which ones are better, i.e. more trusted or have different algos
> > for encryptions (bit-lenght etc). May, I just need to find
> > a forum where this is routinely discuss to see what's new, what's
> > not secure, what may be prohibited by whom, etc etc.
> > 
> > 
> > OK?
> > 
> > James  
> > 
> > 
> > 
> > 
> 

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

         John Covici
         covici@ccs.covici.com

Re: [gentoo-user] Re: Encrypted cell 2 gentoo

[Max R.D. Parmer]

The recipients mail server could still see the message in plaintext.

If you are concerned your correspondent's mail server might be used to
try to read their messages then another layer of encryption is needed
that only the recipient themselves can decrypt and that would be
GPG/PGP.

It depends on your particular needs whether that extra step is needed.

--
0x7D964D3361142ACF

On Mon, Mar 28, 2016, at 13:45, covici@ccs.covici.com wrote:
> If you have your own mta and use imap-s won't that do it?
> 
> Max R.D. Parmer <maxp@trystero.is> wrote:
> 
> > Ahh, OK. So secure communications between all these clients.
> > 
> > The two big players for client-side encryption for email or messaging
> > data would be GPG and OTR; for VoIP you would want to look into ZRTP.
> > There are several clients that support these three protocols on all the
> > platforms you've listed (though support for ZRTP is across the board
> > pretty rare).
> > 
> > Unfortunately, I'm not aware of any single cohesive guide to tie it
> > altogether.
> > 
> > --
> > 0x7D964D3361142ACF
> > 
> > On Mon, Mar 28, 2016, at 09:13, James wrote:
> > > Max R.D. Parmer <maxp <at> trystero.is> writes:
> > > 
> > > 
> > > 
> > > 
> > > > Do I understand correctly that you're looking to set up a Gentoo server
> > > > as a "hub" from which you can retrieve your mail using any of your
> > > > client systems?
> > > 
> > > Not really. Yes that has to work but... What I want to read up on 
> > > and test is encrypted (secure) communications between the (2) major
> > > cell phone types and whatever client on a gentoo workstation. The 
> > > goal is good security, that is reasonable to setup and manage
> > > and allows folks to use any of those 3 devices to exchange encrypted
> > > mail.
> > > Suppose I had a friend that has an ios phone. What page do I send him to
> > > to encrypt his emails? What will work with thunderbird, sylpheed, etc.
> > > Some discussion, url links that I can refer others to and then
> > > recommendations.
> > > 
> > > > If I understood correctly, interoperability should be easy because
> > > > mostly it comes down to IMAP/SMTP/POP3 and support for those protocols
> > > > is pretty good across lots of applications. But maybe I got it wrong?
> > > 
> > > What I want to do is find documents that at least provide an overview
> > > of which specific apps to put on a cell phone (android or ios) some
> > > example configs and then a few docs on the gentoo side.
> > > 
> > > Free or do you buys those apps from a vendor on the cell phones?
> > > Which ones are better, i.e. more trusted or have different algos
> > > for encryptions (bit-lenght etc). May, I just need to find
> > > a forum where this is routinely discuss to see what's new, what's
> > > not secure, what may be prohibited by whom, etc etc.
> > > 
> > > 
> > > OK?
> > > 
> > > James  
> > > 
> > > 
> > > 
> > > 
> > 
> 
> -- 
> Your life is like a penny.  You're going to lose it.  The question is:
> How do
> you spend it?
> 
>          John Covici
>          covici@ccs.covici.com
> 

Re: [gentoo-user] Re: Encrypted cell 2 gentoo

[covici]

Not if you use smtp with port 587 and not use plain login options.

Max R.D. Parmer <maxp@trystero.is> wrote:

> The recipients mail server could still see the message in plaintext.
> 
> If you are concerned your correspondent's mail server might be used to
> try to read their messages then another layer of encryption is needed
> that only the recipient themselves can decrypt and that would be
> GPG/PGP.
> 
> It depends on your particular needs whether that extra step is needed.
> 
> --
> 0x7D964D3361142ACF
> 
> On Mon, Mar 28, 2016, at 13:45, covici@ccs.covici.com wrote:
> > If you have your own mta and use imap-s won't that do it?
> > 
> > Max R.D. Parmer <maxp@trystero.is> wrote:
> > 
> > > Ahh, OK. So secure communications between all these clients.
> > > 
> > > The two big players for client-side encryption for email or messaging
> > > data would be GPG and OTR; for VoIP you would want to look into ZRTP.
> > > There are several clients that support these three protocols on all the
> > > platforms you've listed (though support for ZRTP is across the board
> > > pretty rare).
> > > 
> > > Unfortunately, I'm not aware of any single cohesive guide to tie it
> > > altogether.
> > > 
> > > --
> > > 0x7D964D3361142ACF
> > > 
> > > On Mon, Mar 28, 2016, at 09:13, James wrote:
> > > > Max R.D. Parmer <maxp <at> trystero.is> writes:
> > > > 
> > > > 
> > > > 
> > > > 
> > > > > Do I understand correctly that you're looking to set up a Gentoo server
> > > > > as a "hub" from which you can retrieve your mail using any of your
> > > > > client systems?
> > > > 
> > > > Not really. Yes that has to work but... What I want to read up on 
> > > > and test is encrypted (secure) communications between the (2) major
> > > > cell phone types and whatever client on a gentoo workstation. The 
> > > > goal is good security, that is reasonable to setup and manage
> > > > and allows folks to use any of those 3 devices to exchange encrypted
> > > > mail.
> > > > Suppose I had a friend that has an ios phone. What page do I send him to
> > > > to encrypt his emails? What will work with thunderbird, sylpheed, etc.
> > > > Some discussion, url links that I can refer others to and then
> > > > recommendations.
> > > > 
> > > > > If I understood correctly, interoperability should be easy because
> > > > > mostly it comes down to IMAP/SMTP/POP3 and support for those protocols
> > > > > is pretty good across lots of applications. But maybe I got it wrong?
> > > > 
> > > > What I want to do is find documents that at least provide an overview
> > > > of which specific apps to put on a cell phone (android or ios) some
> > > > example configs and then a few docs on the gentoo side.
> > > > 
> > > > Free or do you buys those apps from a vendor on the cell phones?
> > > > Which ones are better, i.e. more trusted or have different algos
> > > > for encryptions (bit-lenght etc). May, I just need to find
> > > > a forum where this is routinely discuss to see what's new, what's
> > > > not secure, what may be prohibited by whom, etc etc.
> > > > 
> > > > 
> > > > OK?
> > > > 
> > > > James  
> > > > 
> > > > 
> > > > 
> > > > 
> > > 
> > 
> > -- 
> > Your life is like a penny.  You're going to lose it.  The question is:
> > How do
> > you spend it?
> > 
> >          John Covici
> >          covici@ccs.covici.com
> > 
> 

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

         John Covici
         covici@ccs.covici.com