??? wtf are you on about. since when is PGP able to be decrypted?
If they get a subpoena , they have to disclose what ever the courts ask.
The Gov can crack PGP.
All you do when you encrypt stuff, is set off a red flag you are hiding something.
Let me address this quick:
It is called "Pretty Good Privacy" (PGP) for a reason: it is
pretty good. Not perfect. Not military-grade. Not
uncrackable. However, the math behind the encryption isn't what's been cracked (as long as you use a strong enough key the amount of compute power required would be so high, it would take years for the encryption to be cracked in a factorial manner), it is how users use it. Eventually, compute power will be such that yes, it will become obsolete, especially if quantum computers manifest in the way technologists are aiming for. But they aren't going to use it for low-level drug offenders, that will be used to crack encryption of foreign adversaries, governments, hacker groups that are doing widespread and major damage to various institutions.
So yes, it isn't PERFECT...
However, it is DEFINITELY better than nothing. Consider the following three scenarios:
1.
Nobody encrypts anything: anytime an email server for a company like tuta or protonmail, etc., is accessed by the feds (either via subpoena or because they hack into shit like this on the regular), they get clear-text access to everything. Boom, gold mine, super easy access, zero work required. They can go wild.
2.
Some people encrypt stuff, others don't: same scenario, only this time you can be damn sure the feds are going to go after those who DIDN'T encrypt their messages FIRST, because it's less work. Why go through all the trouble to try to crack encryption when you can just nail people who didn't encrypt and move on? Additionally, people who use
weak encryption (2048 bit isn't weak, persay, but everybody should be using 4096 bit keys nowadays, which should provide protection beyond the year 2031) get targeted first because it takes minimal effort.
3.
Everybody (or most people) encrypt: the feds have no idea what is what. Sure, your messages are obviously trying to keep something private...but what? It could be homemade porn, it could be an order for some schedule 4 or 3 drug that will barely be a misdemeanor and could even get dismissed. Hell, maybe you are just chatting about some private stuff and want to keep it private. Now they have to scour through all these messages, using massive amounts of compute resources to attempt to crack them or brute force the passkeys. Again, they will target the
weak keys first, because that is what is easiest. Then they will move on to the others if they still have the funding and haven't gotten distracted by some other initiative or operation.
So, you see, regardless, using encryption IS better than not using encryption. If you DON'T use encryption, then rather than them seeing your encrypted message and thinking "oh, she/he is hiding something", they will just index all the emails and do a keyword search for various words that imply illegal substances, etc.
Cracking encryption is not easy. As I said, it requires a lot of compute power. In the end, the feds are NOT going to spend the cycles (computer or time, lol) on trying to decrypt random messages that they aren't sure contain something of value. It is expensive for them to try to crack keys or passwords. You would already have to be a pretty high profile suspect in an ongoing operation for them to spend the effort decrypting your messages/keys.
Generally, if you are a suspect, they are going to try alternative things. They will hack into your personal PC and install a keylogger and try to see what you are up to--again, in clear text (they LOOOOVE clear text).
It's not like the feds have some magic backdoor to PGP, or if they do nobody knows about it, and if you do
@Delphi , please share the juicy details lol
In the end, you ARE better off using encryption than not. That is just a fact.
In the US, the 5th amendment protects us from handing over something that would incriminate ourselves, that includes our PGP passphrases (
you better be using a fucking long ass passphrase and not a password). Note:
IN THE UK YOU CAN BE JAILED FOR REFUSING TO HAND OVER YOUR PASSWORD/PASSPHRASE TO POLICE.
For those interested,
here is a list that was exposed by Edward Snowden that covers the technical details of the different tools the feds have to have into various devices.
So
@Delphi I must wholehearted disagree with you. I work in the IT Security space for over a decade and I know for a fact clear text is NEVER good. That is how organizations get pwned over and over again, that is how feds target people when they compromise darknet market servers, that is how fucking assholes target people for blackmail, etc. The compromise is not that the math behind RSA has been cracked, it is that users use shitty passwords or their PCs get hacked, allowing the feds access access to their keys and passwords. The main issue is with both OPSEC and with how users manage their PGP keys. Key management is a pain in the ass, people lose their keys or forget their passwords, they leave old keys sitting around, they don't rotate keys often enough or EVER, so if your passphrase DOES get cracked, they have access to EVERYTHING you've EVER done, or the user writes the password down somewhere or stores it in clear text somewhere on their computer that, during an investigation, the feds can easily find...THAT is the real issue here.
The key here is NOT using any "built-in" encryption from email clients like tuta or protonmail, or even Gmail and the like, you MUST use an actual PGP client on your own PC--and preferably a burner PC that you never, ever connect to your home network so it is not linked to you in any way.
Hopefully this settles it. Using PGP IS beneficial, 100%, this is NOT debated within the IT Security community at all. What it comes down to is HOW its used and how high profile of an actor you are in any given investigation.
Edit: I am going to post this in my
privacy guide thread as well. I think it'd be beneficial to have it there.
Edit 2:
IMPORTANT: one other thing people fuck up with is storing their drafts in clear text and leaving them there. Once your message is encrypted and sent. DELETE THE FUCKING DRAFT: the best thing to do is to open that same file, erase all the text, then just store is as a blank file. That way, so long as file versions are turned OFF, nobody could recover the file with a disk recovery tool.
The ABSOLUTE best thing to do is to use a non-persistent OS like Tails. As I said in the original post on my
privacy guide, google darknet privacy guide for more info on this as well as more intense privacy tips.
