And there is no reason a MAC address should not randomize itself in between network connections.
No reason other than that the MAC address exists to uniquely identify the device connecting to the network. You seem to have missed the point of the MAC address. Some networks lock down access by MAC address as it is supposed to identify specific devices.
Your phone knows its real Mac, and the mac of the routers it has connected to before. All it need do is use the same mac for any router it has seen before, or use its REAL mac when you request a connection to any router.
Routers you don't CHOOSE TO connect to, have no valid reason to know your mac.
And there is no reason a MAC address should not randomize itself in between network connections.
Probably would require a bit more smarts than that. Such as the randomization would be turned off when the device sees a beacon from a known router. e.g. The device would see the router's mac, and it it is one it had connected to previously it would use the same mac address it did upon first connection.
Also DHCP servers use mac addresses to hand out the same IP addresses, upon re-connection which saves a lot of IP churning just because your phone changed its mac in the middle of a connection. Some routers use IP reservations as well.
Well yeah but web mail is used by many people for its convenience. People rely on it for cloud storage. Telling people to stop using it won't make them stop, not easily.
The rationale for using web browsers for email is convenience, you couldn't have your computer everywhere, and using a Web browser was easy, because you can always borrow a cup of Web from someone to check your email.
But the world has changed since then. You don't have to borrow anymore. You carry your computer in your pocket.
The enigmail configuration has a keyserver setup UI with defaults loaded, which makes the upload of keys quite easy. If we are not at the point where my mother could do it, then we are close.
But this requires I know the keyserver used by every person I might e-mail. How do I know that ahead of time?
No, any key server will do. And there are hundreds of them, and they all talk to each other.
Any modern email program will have a pgp plugin which will query the server for you
People who don't even want governments to know who they communicate with are wise to choose this route. The problem is you have to watch the entire group just to pick up the few messages destined for you, or which you can decrypt.
Most people who use encryption just use it to keep information out of the hands of others, with no real concern that others may know who they correspond with. After all, I have the right to buy stuff from companies and send my credit card info encrypted.
Hackers, child porn, identity thieves, smugglers etc all come to mind, but surely there must be legitimate reasons for using such plausibly deniable methods.
The German BND does not forward domestic communication to the NSA. Doing so is prohibited by law (the G-10 law, specifically) and breaking the law in Germany is actually a bad idea, even for the government. So I'd say your email would be quite secure there.
Actual communication security implies point-to-point security. In such a setting, a third-party service doesn't make any sense. Hence either what you're look for can't exist, or you won't know if it's secure.
You are correct but ONLY if you are guarding nuclear secrets or something. For joe non-terrorist, that's not an issue.
Any off shore mail server that allows secure connections, either by ssl or tls, and which stores its mail off shore falls out of reach of that nonsense in US law that allows the government to access any mail on a server for more than 6 months, because its "abandoned"
Further, those operators are not likely to handle ssl keys over to NSA demands, as has happened already in the US.
So people may send me mail to some ISP in Mozambique or some place pretty much out of the NSA reach, and it it far more likely to be safe sitting there on their server and accessed over ssl than having it right down the street at Google.
You don't have to make everything out to be someone keeping major corporate secrets or moving tons of drug money. Sometimes its just a desire to be anonymous to your government. Since you posted AC, I can't understand why that point is lost on you.
If you're an organization that is for whatever reason making a habit of requesting personal information from various people, then your org's people ought to be going to keysigning parties.
Again, you are conflating two totally unrelated processes.
Signing is saying you trust this key.
Using a public key to encrypt mail is saying I intend only the owner of this key to be able to read my mail.
Having a signed key is neither necessary of significant when sending encrypted mail using a key provided to you by your recipient. He could be a completely bogus person trying to 419 you into sending a credit card. If so, his key will be signed. And the signatures will look impressive. But they too will be bogus. And no part of attending signing parties will prevent this.
But when you send n encrypted mail using the 419-scammers key to the legitimate Bank of Bengal, they will send you back an email saying they could not read your mail, or perhaps simply trash it.
Signing keys is not important to the routine use of PGP. And the more people that use PGP the less it is important.
If you are going to start a Project on git-hub, or exchange super secret product details or high-security information, and want code signed, it would be wise to make sure the signatures are all signed either by yourself or someone you have met personally and trust, but realistically flying to Norway for a key signing party is just a non-starter for almost everybody, and does not help you in any way dealing with new customers. Keys were never intended to always be signed by each mutual correspondent. That's just a silly assumption based on a total misunderstanding of the concept.
Actually there is no such insistence on key exchanges being in person.
You are conflating key signing with key exchanges. There is a world of difference.
You don't have to trust a key or sign a key just to encrypt an email to that keyholder. Many, if not most, keys are only signed by the owner. Important keys may be signed by others so that people can have more confidence that the owner is who he claimed to be.
When you receive a signed or encrypted email, arriving un announced, it's a good idea to have a look at who signed that key (if anyone). But even a self signed key keeps the content of encrypted mail safe from prying eyes of third parties in transit.
The only absolutely essential thing you must do is keep your own private key private.
Not helpful in obtaining a key with which to send email.
You don't need to trust a key to use it. All you have to do is be assured that the recipient received and was able to read your email. If you communicate with that person via other means you simply ask if they got it.
The idea is not to actually send encrypted mail to the IT department, but to shame the IT guy into doing something he should have had set up along time ago.
Ideally, Public keys should be exchanged in person, or be obtained by a third party that you trust.
Failing that, a public key for some company or person with whom you wish to send encrypted email can often be found on their website. And if its been there for a while, and can be verified by a key server, then it is probably good enough to send them encrypted mail with, but you still don't know for sure who they are.
But at least you know that what you send won't be seen by every prying eye along the route.
But the sad part is that 98 percent of the companies you might deal with haven't a single clue what a public key is.
In my day job we've had our public key published on our Web site for 10 or more years, and get maybe one or two emails a year, usually paying by credit card, from cluefull people.
Once set up, all the major email packages can handle pgp. Shame on them for making it an add-on, but its still available, even for gmail and Hotmail, etc. Just stay away from their web interface and set up a decent email software. You can find these even for Android.
The Norwegian you responded to makes a fair point regarding vote selling.
If you can lock in your vote, then change your mind right up to the time polls close, buying votes would be a fools errand, and would simply disappear.
The Washington way is more prone to vote buying, (bring in your ballet down at the union hall, vote the union ticket, sign, seal and drop in the union mailbox and collect 50 bucks). Although I'm not aware of this being done anywhere, Cy Sun managed to get elected somehow.
Electronic voting just makes it easier to rig elections.
I presumed that's what they meant by "modernize the electoral process"
I think you might have presumed wrong. Going through TFA it seems they are concerned witb voter registration and information rather than actual voting on line.
That's article was so full of uninspired prose that I may have fallen asleep mid sentence and missed it but I recall no reference to proposals for electronic voting.
How many do you think Best Buy has in their warehouses nation wide and In their stores? Toss in Wallmart, NewEgg, and amazon all the other major net sellers. How many of them will turn down your purchase order?
Toss in Dell, and HP, maybe even Asus and Lenovo. With enough money they will cough up another month in delivery time to customers and ship you all the video cards they have in stock. (Thousands).
Stop being a small company purchasing agent, and understand that the government get get as many video cards as they could possibly use in way shorter time than they could order a custom card loaded with custom cards.
It matters not a wit who we elect, because the NSA/CIA are somehow above the law, and quickly co-opt every elected official. We can do about as much about this as your lowly jewish shop keeper could do in 1938. We are totally screwed here, and its small comfort that you are in the same boat with your own government's spying programs.
SSL is enabled by flipping a switch, but it offers no real protection when some three letter agency can surf your mail server farm with their fiber back door.
There is a lot of posturing going on in that article.
I can understand why Germans would Not want their emails passing through American control; but it looks like they'll have to clean house if they want to be able to do that just by going domestic.
Yes, at best it sounds like the NSA will have to get get the data from the BND. Big deal! Looks more pre-packaged and easier to handle if you ask me.
Also the summary has this nugget:
Of course the NSA could still break in if they wanted to, but the mass encryption of emails would make it harder and more expensive for them to do so.'"
Except that we all know that SSL protects traffic from one place to another, but not as the email sits on the mail servers. So one tap into their server farm and all the SSL in the world won't help, because its stored in cleartext.
Of what potential? No one has even characterized the degree of sea bed warming, it is currently just a theory, but you phrase it as if it is measured and predictable!
Actually your own source mentions mostly deep sea die offs due to anoxia (allegedly), due to a change in circulation patterns. It give only a speculative nod to methane.
However, they walk away from any conclusion with:
The deep-sea extinctions are difficult to explain, as many were regional in extent. General hypotheses such as a temperature-related reduction in oxygen availability, or increased corrosion due to carbonate undersaturated deep waters, are insufficient as explanations.
Then it follows with this statement:
Contrarily, planktonic foraminifera diversified, and dinoflagellates bloomed. Success was also enjoyed by the mammals, who radiated profusely around this time.
When was the last seabed warming, and how devastating to life on earth was it? Over the history of earth, there were much warmer periods with far smaller ice caps. Do those periods correspond with huge species die off? Or was it exactly to opposite?
Slashdot Mirror
And there is no reason a MAC address should not randomize itself in between network connections.
No reason other than that the MAC address exists to uniquely identify the device connecting to the network. You seem to have missed the point of the MAC address. Some networks lock down access by MAC address as it is supposed to identify specific devices.
Your phone knows its real Mac, and the mac of the routers it has connected to before.
All it need do is use the same mac for any router it has seen before, or use its REAL mac when you request
a connection to any router.
Routers you don't CHOOSE TO connect to, have no valid reason to know your mac.
And there is no reason a MAC address should not randomize itself in between network connections.
Probably would require a bit more smarts than that. Such as the randomization would be turned off when the device
sees a beacon from a known router. e.g. The device would see the router's mac, and it it is one it had connected to previously
it would use the same mac address it did upon first connection.
This solves problems with mac-address filtering that some people use as an ill-conceived attempt at wifi security.
Also DHCP servers use mac addresses to hand out the same IP addresses, upon re-connection which saves a lot of IP churning
just because your phone changed its mac in the middle of a connection. Some routers use IP reservations as well.
Other than that this seems to be a reasonable
Stop using a web browser for a mail interface.
Well yeah but web mail is used by many people for its convenience. People rely on it for cloud storage. Telling people to stop using it won't make them stop, not easily.
The rationale for using web browsers for email is convenience, you couldn't have your computer everywhere, and using a Web browser was easy, because you can always borrow a cup of Web from someone to check your email.
But the world has changed since then. You don't have to borrow anymore. You carry your computer in your pocket.
The enigmail configuration has a keyserver setup UI with defaults loaded, which makes the upload of keys quite easy. If we are not at the point where my mother could do it, then we are close.
But this requires I know the keyserver used by every person I might e-mail. How do I know that ahead of time?
No, any key server will do.
And there are hundreds of them, and they all talk to each other.
Any modern email program will have a pgp plugin which will query the server for you
Google wouldn't store her email in plaintext if she didn't hand it to them that way.
Stop using a web browser for a mail interface.
So you haven't found key servers yet?
Why not try on line at http://pgp.mit.edu/
People who don't even want governments to know who they communicate with are wise to choose this route.
The problem is you have to watch the entire group just to pick up the few messages destined for you, or which you can decrypt.
Most people who use encryption just use it to keep information out of the hands of others, with no real concern that others may know who they correspond with. After all, I have the right to buy stuff from companies and send my credit card info encrypted.
Hackers, child porn, identity thieves, smugglers etc all come to mind, but surely there must be legitimate reasons for using such plausibly deniable methods.
The German BND does not forward domestic communication to the NSA. Doing so is prohibited by law (the G-10 law, specifically) and breaking the law in Germany is actually a bad idea, even for the government. So I'd say your email would be quite secure there.
Well I you might want to peek at this Ars article where multiple security experts are taking the German telecoms to task for their claims of increased security by merely turning on ssl for their web interface.
http://arstechnica.com/business/2013/08/crypto-experts-blast-german-e-mail-providers-secure-data-storage-claim/
Actual communication security implies point-to-point security. In such a setting, a third-party service doesn't make any sense. Hence either what you're look for can't exist, or you won't know if it's secure.
You are correct but ONLY if you are guarding nuclear secrets or something. For joe non-terrorist, that's not an issue.
Any off shore mail server that allows secure connections, either by ssl or tls, and which stores its mail
off shore falls out of reach of that nonsense in US law that allows the government to access any mail
on a server for more than 6 months, because its "abandoned"
Further, those operators are not likely to handle ssl keys over to NSA demands, as has happened already in the US.
So people may send me mail to some ISP in Mozambique or some place pretty much out of the NSA reach, and it it far more likely to be safe sitting there on their server and accessed over ssl than having it right down the street at Google.
You don't have to make everything out to be someone keeping major corporate secrets or moving tons of drug money.
Sometimes its just a desire to be anonymous to your government. Since you posted AC, I can't understand why that point is lost on you.
If you're an organization that is for whatever reason making a habit of requesting personal information from various people, then your org's people ought to be going to keysigning parties.
Again, you are conflating two totally unrelated processes.
Signing is saying you trust this key.
Using a public key to encrypt mail is saying I intend only the owner of this key to be able to read my mail.
Having a signed key is neither necessary of significant when sending encrypted mail using a key provided to you
by your recipient. He could be a completely bogus person trying to 419 you into sending a credit card.
If so, his key will be signed. And the signatures will look impressive. But they too will be bogus.
And no part of attending signing parties will prevent this.
But when you send n encrypted mail using the 419-scammers key to the legitimate Bank of Bengal, they will send you
back an email saying they could not read your mail, or perhaps simply trash it.
Signing keys is not important to the routine use of PGP. And the more people that use PGP the less it is important.
If you are going to start a Project on git-hub, or exchange super secret product details or high-security information, and want code signed, it would be wise to make sure the signatures are all signed either by yourself or someone you have met personally and trust, but realistically flying to Norway for a key signing party is just a non-starter for almost everybody, and does not help you in any way dealing with new customers. Keys were never intended to always be signed by each mutual correspondent. That's just a silly assumption based on a total misunderstanding of the concept.
Unless they have access to the certs.
Famous last words.
You do realize that there are cases where federal authorities are demanding exactly that, right?
Actually there is no such insistence on key exchanges being in person.
You are conflating key signing with key exchanges.
There is a world of difference.
You don't have to trust a key or sign a key just to encrypt an email to that keyholder. Many, if not most, keys are only signed by the owner. Important keys may be signed by others so that people can have more confidence that the owner is who he claimed to be.
When you receive a signed or encrypted email, arriving un announced, it's a good idea to have a look at who signed that key (if anyone). But even a self signed key keeps the content of encrypted mail safe from prying eyes of third parties in transit.
The only absolutely essential thing you must do is keep your own private key private.
Not helpful in obtaining a key with which to send email.
You don't need to trust a key to use it. All you have to do is be assured that the recipient received and was able to read your email. If you communicate with that person via other means you simply ask if they got it.
The idea is not to actually send encrypted mail to the IT department, but to shame the IT guy into doing something he should have had set up along time ago.
This.
Ideally, Public keys should be exchanged in person, or be obtained by a third party that you trust.
Failing that, a public key for some company or person with whom you wish to send encrypted email can often be found on their website. And if its been there for a while, and can be verified by a key server, then it is probably good enough to send them encrypted mail with, but you still don't know for sure who they are.
But at least you know that what you send won't be seen by every prying eye along the route.
But the sad part is that 98 percent of the companies you might deal with haven't a single clue what a public key is.
In my day job we've had our public key published on our Web site for 10 or more years, and get maybe one or two emails a year, usually paying by credit card, from cluefull people.
Once set up, all the major email packages can handle pgp. Shame on them for making it an add-on, but its still available, even for gmail and Hotmail, etc. Just stay away from their web interface and set up a decent email software. You can find these even for Android.
The Norwegian you responded to makes a fair point regarding vote selling.
If you can lock in your vote, then change your mind right up to the time polls close, buying votes would be a fools errand, and would simply disappear.
The Washington way is more prone to vote buying, (bring in your ballet down at the union hall, vote the union ticket, sign, seal and drop in the union mailbox and collect 50 bucks). Although I'm not aware of this being done anywhere, Cy Sun managed to get elected somehow.
Vote by mail is largely successful in Washington, with some of the highest turnout rates in the nation, triple the 21 percent quoted in TFA.
http://www.sos.wa.gov/elections/voter_participation.aspx
http://elections.gmu.edu/Turnout_2010G.html
It might not be broken and may not need fixing.
Electronic voting just makes it easier to rig elections.
I presumed that's what they meant by "modernize the electoral process"
I think you might have presumed wrong.
Going through TFA it seems they are concerned witb voter registration and information rather than actual voting on line.
That's article was so full of uninspired prose that I may have fallen asleep mid sentence and missed it but I recall no reference to proposals for electronic voting.
How many do you think Best Buy has in their warehouses nation wide and In their stores?
Toss in Wallmart, NewEgg, and amazon all the other major net sellers. How many of them will turn down your purchase order?
Toss in Dell, and HP, maybe even Asus and Lenovo. With enough money they will cough up another month in delivery time to customers and ship you all the video cards they have in stock. (Thousands).
Stop being a small company purchasing agent, and understand that the government get get as many video cards as they could possibly use in way shorter time than they could order a custom card loaded with custom cards.
Americans deserve what's coming to them.
Actually we don't.
It matters not a wit who we elect, because the NSA/CIA are somehow above the law, and quickly co-opt every elected official.
We can do about as much about this as your lowly jewish shop keeper could do in 1938. We are totally screwed here, and its small comfort that you are in the same boat with your own government's spying programs.
SSL is enabled by flipping a switch, but it offers no real protection when some three letter agency can surf your mail server farm with their fiber back door.
There is a lot of posturing going on in that article.
I can understand why Germans would Not want their emails passing through American control; but it looks like they'll have to clean house if they want to be able to do that just by going domestic.
Yes, at best it sounds like the NSA will have to get get the data from the BND. Big deal! Looks more pre-packaged and easier to handle if you ask me.
Also the summary has this nugget:
Of course the NSA could still break in if they wanted to, but the mass encryption of emails would make it harder and more expensive for them to do so.'"
Except that we all know that SSL protects traffic from one place to another, but not as the email sits on the mail servers. So one tap into their server farm and all the SSL in the world won't help, because its stored in cleartext.
They care about lead time.
You can order a truck load of off the shelf cards and have them at your bunker tomorrow.
Of what potential? No one has even characterized the degree of sea bed warming, it is currently just a theory, but you phrase it as if it is measured and predictable!
Actually your own source mentions mostly deep sea die offs due to anoxia (allegedly), due to a change in circulation patterns. It give only a speculative nod to methane.
However, they walk away from any conclusion with:
The deep-sea extinctions are difficult to explain, as many were regional in extent. General hypotheses such as a temperature-related reduction in oxygen availability, or increased corrosion due to carbonate undersaturated deep waters, are insufficient as explanations.
Then it follows with this statement:
Contrarily, planktonic foraminifera diversified, and dinoflagellates bloomed. Success was also enjoyed by the mammals, who radiated profusely around this time.
Exactly.
When was the last seabed warming, and how devastating to life on earth was it?
Over the history of earth, there were much warmer periods with far smaller ice caps.
Do those periods correspond with huge species die off?
Or was it exactly to opposite?
NSA letter. Where the hell have you been?
http://news.cnet.com/8301-13578_3-57595202-38/feds-put-heat-on-web-firms-for-master-encryption-keys/
http://it.slashdot.org/story/13/07/24/1812227/anonymous-source-claims-feds-demand-private-ssl-keys-from-web-services
http://www.digitaljournal.com/article/355146