Cryptography is a tool for turning a whole swathe of problems into key management problems. Key management problems are way harder than (virtually all) cryptographers think.
@leak This potentially gives new meaning to an old acronym PEBCAK
@digikata @leak Pebcak and Keccak, a children's tale about security architecture
@dpwiz @leak
Problem Exists Because Cryptography Allocates Keys?
@leak pfttttt! all my keys are in my single keychain behind the door. (I lied! one is under the doormat...)

@leak @dalias

Me: I made this super secure system to exchange data. Make a private GitHub repo, give yourself and recipients access and share data

Cryptographer: 🤦

C: I made this actually secure New Age program that uses an asymmetric key for encryption, so eavesdroppers have no chance.

Me: Where does the key come from?

C: Dunno it’s just a file. It supports SSH keys so with GitHub slash username dot keys it’s easy to use.

Me: So GitHub can spoof my keys?

C: You decide the risk.

Me: 🤦‍♂️

@leak @dalias If you don’t trust GitHub to keep your data secure, you also shouldn’t trust them to publish your public keys.

And vice versa, if you trust them to publish your keys, why not trust their ACLs?

@jornane @leak Well there's a lot less room for error (or pretending malice is error) publishing keys than implementing ACLs. But yes it's bad.
@leak that's what #PasswordManagers are for...
@kkarhan @leak maybe read Lea’s bio before assuming they don’t know about password managers.

@thatandromeda @leak did so.

The problem isn't #Cryptography, but the fact that #TechIlliterates are allowed to use #tech and that leads to the digital equivalent of 12 year olds driving gasoline tankers with neither license nor permit nor experience.

#Malware would not be the widespread issue it is today if we didn't allow the #GAFAMs to groom people into #TechIlliterate #Consoomers!

The problem is people being ignorant and openly hostile to the obvious issues...

@kkarhan @thatandromeda @leak No, people are *required* to use tech. It's not optional. So the tech needs to be good enough that anyone can use it, because they don't have a choice.

@roywig @thatandromeda @leak it is "good enough", cuz we ain't 15 years ago where everything needed archaic commands.

#Thunderbird integrates #OpenPGP / #GnuPG out of the box for some time.
#Gajim & #MonoclesChat do support #XMPP - #OMEMO and #PasswordManagers like #Enpass are so easy, it literally took me 5 minutes to explain the use and set up a complete #Noob in it.

People aren't stupid, they are lazy and get groomed into being #TechIlliterate #Consoomers...

That is the problem!

@leak this is why we use burner keys for GPG/email.

anonymity!

@SoniEx2 Because you prefer trust-on-every-use to trust-on-first-use?

GPG is so amazingly hard

@leak GPG sucks and it doesn't even have """niceties""" (read: things often considered critical for protocols like these) like PFS, PD and whatnot ;-;

@SoniEx2 GPG was a big advancement at the time, as I understand it, even if things like web of trust didn't work out

... But yeah I personally don't use it

@leak nothing a pad of one time keys and a diplomatic bag can't solve 😆

@tiraniddo Mastodon is secure, right?

-----BEGIN RSA PRIVATE KEY-----

@leak even if it's public as long as you used a suitably long passphrase to encrypt the private key then it's secure. This solves the key distribution problem, because as everyone knows distributing passphrases is a completely different problem which I assume has been solved by now.
@leak Hey, at least I only have one category of problem now!
@leak but there's such "great" documentation on threat modeling practical key management challenges, such as for TLS session ticket encryption keys 🙃

@saraislet
No problem*

* as long as you're Google

@leak is "IV Management" also lumped into the key management bucket or do we still get to surprise people? 
@leak yup. We don't recommend clients to use encryption at work specifically because our clients are small businesses, and they lose keys. Simple as. People in interesting industries already know the stakes and do it.

@Aranjedeath There are certain kinds of encryption your clients *definitely* should be using.

... But having been in "interesting" (meaning high-target) industries, key management is definitely something we have to address carefully

@leak Yup, but TLS is not a way you can permanently lose your business. When the database is encrypted at rest and the client loses the password? They no longer have a business. We have to do a lot of education around this to make sure there's a minimum risk of that happening.

@leak why when I hear like a 1Password or LastPass or whatever has a breach I'm like, "Guys... you had ONE job... One! And you just failed it." the fancy crypto & rules matter 0 if the baddies can get at your sekrets. like pw or private keys

I knew a would-be employer who wanted me to install their opaque exe on my box AS ROOT. those folks are not in my life

I knew another would-be employer (where my boss there would have been Chinese-Amer) who wanted me to use THEIR laptop *mailed* to me. NEIN!!

@leak true, that's why we need things like KERI (or did:webvh).
@leak Every time I generate a new keypair I take a moment to honor and recognize Pandora's Box