bgwalter

@[email protected]
0 Followers
0 Following
20 Posts

This account is a replica from Hacker News. Its author can't see your replies. If you find this service useful, please consider supporting us via our Patreon.
Officialhttps://
Support this servicehttps://www.patreon.com/birddotmakeup
Show threadbgwalterJan 5

Modern cryptography should also not allow users to activate a sketchy linked device feature by scanning a QR code:

"Because linking an additional device typically requires scanning a quick-response (QR) code, threat actors have resorted to crafting malicious QR codes that, when scanned, will link a victim's account to an actor-controlled Signal instance."

This is a complete failure of the cryptosystem, worse than the issue of responding in plaintext. You can at least design an email client that simply refuses to send plaintext messages because PGP is modular.

Show threadbgwalterJan 5

Accidentally replying in plaintext is a user error, scanning a QR code is a user error.

Yet one system is declared secure (Signal), the other is declared insecure. Despite the fact that the QR code issue happened in a war zone, whereas I have not heard of a similar PGP fail in the real world.

Show threadbgwalterJan 5
People who do not wish to get killed may care.
Show threadbgwalterJan 4

Yes, it is odd that this criticism is only allowed for gpg while worse Signal issues are not publicized here:

https://cloud.google.com/blog/topics/threat-intelligence/rus...

Some Ukrainians may regret that the followed the Signal marketing. I have never heard of a real world exploit that has actually been used like that against gpg.

Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger | Google Cloud Blog

Russia state-aligned threat actors target Signal Messenger accounts used by individuals of interest to Russia's intelligence services.

Google Cloud Blog
Show threadbgwalterJan 3

The tangent explicitly talks about generic messaging services. Whatsapp and Signal have more money than gpg. Thinking about it more, it is not even a tangent, because TFA says:

"Use Signal. Or Wire, or WhatsApp, or some other Signal-protocol-based secure messenger."

Show threadbgwalterJan 3
You have to understand the concept that people go on tangents on an internet message board.
Your persistent sniping on parts of messages is annoying.
Show threadbgwalterJan 3

https://en.wikipedia.org/wiki/Cryptocat#Reception_and_usage

"In June 2013, Cryptocat was used by journalist Glenn Greenwald while in Hong Kong to meet NSA whistleblower Edward Snowden for the first time, after other encryption software failed to work."

So it was used when Snowden was already on the run, other software failed and the communication did not have to be confidential for the long term.

It would also be an indictment of messaging services as opposed to gpg. gpg has the advantage that there is no money in it, so there are unlikely to be industry or deep state shills.

Cryptocat - Wikipedia

Show threadbgwalterJan 3

How does this help people who are not following this issue regularly? gpg protected Snowden, and this article promotes tools by one of the cryptographers who promoted non-hybrid encryption:

https://blog.cr.yp.to/20251004-weakened.html#agreement

So what to do? PGP by the way never claimed to prevent traffic analysis, mixmaster was the layer that somehow got dropped, unlike Tor.

cr.yp.to: 2025.10.04: NSA and IETF

Show threadbgwalterJan 1
[flagged]
Show threadbgwalterJan 1
Google gives a pittance even for full ossfuzz integration. Which is why many projects just have the bare minimum fuzz tests. My original point was that even with these bare minimum tests ossfuzz has found way more than "AI" has.