Readit News
Perceptes commented on Sear: An always-encrypted tar-like file archive format   github.com/iqlusioninc/se... · Posted by u/Perceptes
Perceptes · 7 years ago
Submitting this re: the recent discussion about PGP alternatives. It seems right in line with the types of tools that were being suggested for replacing specific use cases of PGP. Written by Tony Arcieri, who is well-regarded in the cryptography community.
Perceptes commented on History and Effective Use of Vim   begriffs.com/posts/2019-0... · Posted by u/begriffs
feiss · 7 years ago
Mmm.. I see there are also vim plugins for multiple cursors, like https://github.com/terryma/vim-multiple-cursors ..
Perceptes · 7 years ago
I've been using that for years after I switched to Vim from sublime. It has worked just fine for me.
Perceptes commented on The PGP Problem   latacora.micro.blog/2019/... · Posted by u/wrench4916
cyphar · 7 years ago
Is there a specific issue other than "it's not the default" that precludes it from secure messaging? This is the thing I don't understand about your position -- you have been saying for a very long time that "it's not ready yet" but as far as I can see the default-to-unencrypted setup is the main issue you have with it? I get that asking a journalist to use it right now is a bad idea, but if E2EE was the default today what other issues do you see?

From my PoV, Matrix has many features that might actually end up increasing security over Signal's design. Just as an example, you cannot blacklist or even get alerted to new devices being added to an E2EE conversation with Signal (and if you look at things like the Assistance and Access legislation here in Australia, that is a serious concern). With Matrix you do detect it and can blacklist the other device (and with cross-signing being done very soon, you can also be sure that verification of devices will be a rare event). I also think the new emoji-based verification is a massive improvement over Signal's "safety numbers" setup.

Perceptes · 7 years ago
I'd also be interested to hear Thomas clarify this. I saw a recent thread on Twitter where he and bascule were talking about it and it still wasn't super clear, but one specific point I recall is that Matrix has a significant amount of metadata stored on the server side which constructs a social graph. As opposed to something like Signal which has close to nothing stored on the server.

To me this seems like an issue of use case. If my goal is to be able to talk to my family and friends, and I don't care that it's known that I'm talking to them as long as the contents of the messages are private, that is fine for me. For a case with more stringent requirements, I can see Matrix not being a good recommendation in its current design.

Perceptes commented on The PGP Problem   latacora.micro.blog/2019/... · Posted by u/wrench4916
akerl_ · 7 years ago
I’d argue for replacing TLS if it were plausible to replace TLS for mainstream users. HTTPS is a dumpster-fire for a lot of the same reasons PGP is.

For example, the fact that there’s a grab bag of different ciphers, compression options, and other toggles makes properly picking settings an exercise in copy-pasting from a site you trust or guessing and then running an SSL Labs test until it comes back green. If you miss something, congrats, somebody can MITM and trick your users into downgrading.

Things like this are why the most notable features of TLS 1.3 are the things it removed, more so than what was added.

Perceptes · 7 years ago
I guess one difference here is that often major implementations of HTTPS make the best choices (like operating systems, major browsers, major web server software, etc.), whereas with something like PGP, everyone is using GPG which has only one implementation which is known to be terrible.
Perceptes commented on 1Password: Standalone / Local Vault Option Gone?   discussions.agilebits.com... · Posted by u/Tomte
PascLeRasc · 7 years ago
I'll go against the grain and defend this. I really, really love 1Password - its UI is incredible and it works so well - it follows the "don't make me think" philosophy which I really appreciate and makes me feel respected. It feels like a default piece of Apple software in how well it integrates with OS X and iOS. The desktop PDF QR scanner is something I didn't even know was possible to do with software, it blows my mind every time I use it. 1Password X is perfect for Linux and a great solution to the distro fragmentation problem.

So I don't know more about password management than Agilebits. They have a long history of really good ideas for their software. If they want me to use their cloud instead of local vault, that's probably a good idea. I'm more than happy to pay the $2-3 per month to have access to this, and knowing they have recurring revenue gives me confidence that they'll be around for a while.

Perceptes · 7 years ago
I don't know how I never heard about 1Password X. The last time I attempted to switch from macOS to Linux, the lack of 1Password was one of the biggest things that made it hard for me.

That said, a browser-based 1Password is really not what I want. I just really don't try web technologies for keeping my passwords safe. If I really was going to use it, this might be the only instance in which I'd actually prefer an Electron version to using it in my main browser, just for the additional isolation.

Perceptes commented on Cryptography Dispatches: Hello World, and OpenPGP Is Broken   buttondown.email/cryptogr... · Posted by u/FiloSottile
inflatableDodo · 7 years ago
>it is not a comprehensive summary of all the ways in which OpenPGP is broken

Is there a comprehensive summary anywhere?

Perceptes · 7 years ago
This article by the same author is perhaps not comprehensive, but a good place to start: https://blog.filippo.io/giving-up-on-long-term-pgp/
Perceptes commented on How I encrypt my data in the cloud   robertclarke.com/cloud-en... · Posted by u/robertjfclarke
Perceptes · 7 years ago
I'd never heard of Boxcryptor. Does anyone else use this? I'm not sure I understand why I need to sign up for an account to use it if its entire purpose is to do client-side encryption.

Also, it's not quite the same functionality, but this also reminds me: For a long time I've used Knox (by AgileBits, the same company that makes 1Password) for encrypted disk images, but they no longer sell or maintain it. It works just fine, but I should probably find a replacement that's still maintained, at least for security updates. Anyone know a good alternative? VeraCrypt (mentioned in the article) seems like one possibility.

Perceptes commented on Kuo: Apple to include new scissor switch keyboard in MacBook   9to5mac.com/2019/07/04/ku... · Posted by u/jeremylevy
Perceptes · 7 years ago
I desperately hope this is true. I have the first MacBook Pro that came with the Touch Bar, and it's the worst computer I've ever owned. The keyboard has failed twice, and the Touch Bar is inferior to the old hardware keys in every way. I hate it. The only reason I got it is because the MacBook Air it replaced was dying and I couldn't wait any more. Assuming this report is true, my only remaining worry is that they won't offer a version of this new Pro without a Touch Bar, or that only a model with a smaller display will offer hardware function keys, like they've done in the past.

u/Perceptes

Karma: 2067 · Cake day: September 28, 2011