Network Guardian Angel. Infosec.



Cake day: Jan 11, 2022


Very good question. Thank you for asking.

To sign documents, I would recommend using signify or minisign.

To encrypt files, I guess one could use age.

If you need a crypto library, I would recommend nacl or sodium. In Go, I use nacl a lot. If you need to encrypt or sign very large files, I wrote a small library based on nacl.

Emails are the tricky part. It really depends on your workflow. When I was working for a gov infosec agency, we learned to never use any integrated email crypto solution. Save the blob, decrypt the blob in a secure environment. This helps significantly against leaks and against creating an oracle to the attacker’s benefit.

For data containers, I would use dm-crypt and dm-verity + a signed root. But that’s just me and I would probably not recommend this to other people :)

OpenPGP is rarely used in messaging protocols, but if it was I would probably advise leveraging a double ratchet library.

Does anyone know if and how the private key is secured during cloud sync? Do they have access to it or is it ciphered before sync using the… user password?

Also, how is it different from Duo Push?

I don’t think this argument is valid in a world where a global observer can already distinguish Tor traffic using timing and volume analysis.

Today, the best defense a VPN has to offer, privacy-wise, is protection against observers close to the victim, on a hostile local network. Self-hosted VPNs can do that as well as any paying VPN service. The only reason I’m using a paying service myself is to circumvent geo restrictions. That’s basically the only valid use-case.

You can also hide votes altogether, which is a good thing. This limits expectations and helps fight against addictive behaviors related to social rating.

Can you elaborate on how this is FUD, please?

Introducing socialist millionaire verification to ease fingerprint verification does not seem a bad idea.

Using phone numbers as identifiers is a well-known Signal flaw.

And while CBC is indeed less robust than GCM regarding certain types of attacks, it is true that “up-to-date” CBC implementations have no known vulnerability. Yet, would you claim that TLS1.3 is FUDing for dropping CBC support as well?

I am not promoting mesibo, which I never heard about before. I am just trying to understand how this criticism of Signal would be invalid, or FUD.

A bit old, but an amazing read. Kudos to the author!..


Wow, perfect timing. I am currently struggling with efficient disk usage in my application. Thank you!

Thank you. I did not know that the state events were not encrypted. That’s very unfortunate. I think I still prefer Element/Matrix over Signal, but slightly less than before reading your message 👍

That’s a problem. But federation at least helps by giving you the choice of who will see these metadata leaks.

I would not use either of them.

Currently, a better solution, for me, is Element/Matrix, because the crypto is mostly OK and there is federation. And it is quite featureful.

Yeah, that’s what I thought. Thank you for playing 🙂

Can you provide a link to that “age signature plugin”, please?

Still bossing people around, I see. “You should not answer” “Your post belongs elsewhere”. You never change :) Your intimidation attempts are ineffective on me. You should move on.

Age plugins are not Age. Minisign is an excellent tool. It is not a replacement for Age.

Can you explain how you intend to use minisign as a replacement for age, please? 😂

Filippo Valsorda, the author of Age, is a qualified cryptographer and I can vouch for them, being myself an applied cryptographer. And many of my cryptographer friends do as well.

Age seems good to me BUT. I don’t like streaming, and the article that you cite is on point. To me, streaming is unwise precisely because you can have truncation attacks. Or even length extension attacks (in some very weird cases). One may counter them using counters, but you will need a temporary storage until you know if the input is complete or not. And this defeats streaming.

Your application might be OK with truncation. That’s for you to determine. Which is hard. If one can’t decide, then I think one should stay away from streaming.

I wrote an article on this myself, a few weeks ago. I use that approach in production to secure some data that may be sent to me anonymously. It was reviewed by some cryptographers in my circles but I do not claim that it is a trusted library.
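The trade-off described in the comment above, as an added example that is not part of the original comment and is not the commenter's library: each chunk is bound to a counter and a "final" flag, so a dropped tail fails authentication, but the reader can only release plaintext once the last chunk has verified. AES-GCM from the Go standard library stands in for nacl here, the names `SealChunks` and `OpenChunks` are hypothetical, and one key per stream is assumed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// nonce binds a chunk to its index; the last byte marks the final chunk.
func nonce(i int, final bool) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n, uint64(i))
	if final {
		n[11] = 1
	}
	return n
}

// SealChunks seals pt in pieces of size bytes (size > 0); use one key per stream.
func SealChunks(aead cipher.AEAD, pt []byte, size int) (out [][]byte) {
	for i := 0; ; i++ {
		if len(pt) <= size {
			return append(out, aead.Seal(nil, nonce(i, true), pt, nil))
		}
		out = append(out, aead.Seal(nil, nonce(i, false), pt[:size], nil))
		pt = pt[size:]
	}
}

// OpenChunks holds plaintext back until the last chunk authenticates as final.
func OpenChunks(aead cipher.AEAD, chunks [][]byte) ([]byte, error) {
	var held []byte // stands in for the temporary storage
	err := fmt.Errorf("empty stream: every chunk was dropped")
	for i, c := range chunks {
		var pt []byte
		if pt, err = aead.Open(nil, nonce(i, i == len(chunks)-1), c, nil); err != nil {
			return nil, fmt.Errorf("chunk %d rejected: %w", i, err)
		}
		held = append(held, pt...)
	}
	return held, err
}

func main() {
	block, _ := aes.NewCipher(make([]byte, 32)) // constructed all-zero demo key
	aead, _ := cipher.NewGCM(block)
	_, err := OpenChunks(aead, SealChunks(aead, []byte("constructed sample plaintext"), 8)[:2])
	fmt.Println("truncated stream:", err) // tail dropped in transit
}
```

A truncated stream fails on its last received chunk because that chunk was sealed with the flag cleared but is opened with it set.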

Does anybody know about a Linux distro that enforces strong firewall rules (that’s one of the control points of that Linux distro security assessment) by default? I mean other than Tails which I expect does it. RFI vulns, such as log4shell, rely on outgoing connections. A Linux distro with a strict firewall by default would have to be purposely poked to let such queries out. Sounds interesting to me.

Accept that you are wrong, defending your wrong arguments makes it worse for you, the more you answer the easier it is to humiliate you.

I take note of your explicit intent of humiliating me.

I also take note of your condescending tone:

  • we are talking about your intolerance accepting valid criticism

  • Weak argument.

  • to justify your weak and flawed logic.

  • Please stop wrongfully interpret more into it

Yelling at people, threatening them, humiliating them is not civil conduct, and I hereby ask for your temporary ban for violation of rule 2.

I posted that link in my company chat, where some do use Mint but most don’t (mix of Ubuntu, Manjaro, Fedora). Many were interested, and we have had a healthy discussion about some of the evaluation points, some of which we did find subjective and not very meaningful, and how Mint compared with the other distro evaluation linked at the top of the article.

Also, you are talking about firewall GUI, but it is not even one of the evaluation points. They just said that there was nothing about a firewall configuration in the configuration wizard.

Linux Mint does ask the user to enable the firewall in the graphical Welcome Wizard though.

However the evaluation points were:

[N] Is the host firewall enabled by default?

[N] Does the host firewall block all incoming/ingress traffic by default?

[N] Does the host firewall filter outgoing/egress traffic by default?

Did you actually read the article? I doubt it. If you did, you would have noticed that the article does mention the methodology, and the results for other distros, with links to them if need be. Someone using yet another distro could be interested in that methodology to improve it or post a review about their favorite distro too. Maybe that is not “Linux enough” for you. In that case, you can move on.

Thank you.

Then close other Communities, and bring this under the same argument.

otherwise we can close them and put everything under here.

When I and others post here in this community we get the same comments… post it under xyz.

So your excuse for bullying people is that you got bullied too.

Not sure what my status has to do with anything here

If a link is not to your liking, you can just skip it, or even downvote it. You don’t need to tell people what to do. Except of course if you are a mod and the post is against the rules. Then go ahead and thank you. But no.

Have a nice day as well

It doesn't work

An inspired blogpost by Frank Denis on the depression that may be felt by FOSS maintainers…


Secure large file decryption using Linux, Go and Nacl

In this article, I explain the challenges of decrypting large files that do not fit in RAM and some possible solutions leveraging Linux and a good high-level crypto library written in Go…