Subj : Re: Anyone using PGP/GPG in here?
To   : Vk3jed
From : StackFault
Date : Thu Nov 08 2018 07:15 am

 Vk> St> Encryption is a beast by itself. Many focus only on the data-in-trans
 Vk> St> aka network stream encryption (the TLS part) and often forget about t
 Vk> St> data-at-rest aka storage.
 Vk>
 Vk> St> I've seen numerous times people spending countless hours securing
 Vk> St> traffic, disabling weak ciphers and setting up strong keys, but keepi
 Vk> St> the data in clear on the database backend once received.
 Vk>
 Vk> Yep, encryption is only as secure as the weakest link, and unencrypted
 Vk> databases can be a particularly soft target. The offline mail system
 Vk> was good in that regard, in that the plaintext message only ever existed
 Vk> as a temporary file. On the BBS the message was still ciphertext.
 Vk> Sure, one could forensically trawl the local HDD for the plaintext, but
 Vk> how many BBS messages are going to attract that level of scrutiny? (and
 Vk> if the spooks have your HDD, they have your private key as well anyway).
 Vk> :)

Protecting the keys is the biggest challenge; using a good passphrase can surely help, but it's more like a second stage.

I didn't know the offline mail files were encrypted. I thought it was just a database of some sort (which is not plaintext) but could be accessed pretty easily if you have the specifications.

You are touching another very point, which is temp files. On most systems these are written in publicly available folders and most developers don't use the right permissions, allowing anyone to read from them...

Sometimes, we focus our attention in the wrong place...

Dave aka Stackfault
bbs.bottomlessabyss.net (telnet/2023 · ssh/2222)
Bottomless Abyss BBS
21:1/172@fsxNet ■ 1:249/317@FidoNet
-··· --- - - --- -- ·-·· · ··· ··· ·- -··· -·-- ··· ··· -··· -··· ···

--- Mystic BBS v1.12 A39 2018/04/21 (Linux/64)
 * Origin: The Bottomless Abyss BBS (21:1/172)
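
The temp-file point raised in the message above, as an added example that is not part of the original post: it writes the same constructed plaintext into a shared-style folder once with permissions left to the umask and once with `tempfile.mkstemp`, then reports which copy other local users could read. It assumes a POSIX system; the file names and the throwaway directory standing in for a public temp folder are hypothetical.

```python
import os
import stat
import tempfile

def readable_by_others(path):
    """True if group or other users have read permission on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))

def write_naive(directory, plaintext):
    """Common pattern: predictable name, permissions left to the umask."""
    path = os.path.join(directory, "msg_plain.tmp")  # hypothetical file name
    old = os.umask(0o022)  # usual default umask, pinned so the demo is deterministic
    try:
        with open(path, "w") as fh:  # created as 0666 & ~0022 = 0644
            fh.write(plaintext)
    finally:
        os.umask(old)
    return path

def write_private(directory, plaintext):
    """mkstemp: random name, exclusive create, owner-only mode 0600."""
    fd, path = tempfile.mkstemp(prefix="msg_", suffix=".tmp", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(plaintext)
    return path

def demo():
    """Return {label: (octal mode, readable_by_others)} for both writers."""
    # A throwaway directory stands in for a shared folder such as /tmp.
    with tempfile.TemporaryDirectory() as shared:
        paths = {
            "naive": write_naive(shared, "constructed sample plaintext"),
            "private": write_private(shared, "constructed sample plaintext"),
        }
        return {
            label: (oct(stat.S_IMODE(os.stat(p).st_mode)), readable_by_others(p))
            for label, p in paths.items()
        }

if __name__ == "__main__":
    for label, (mode, exposed) in demo().items():
        print(f"{label:8} mode={mode} readable_by_others={exposed}")
```

`readable_by_others` can also be pointed at the temp files an existing application leaves behind to check whether decrypted content is exposed to other local accounts.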