Profile picture
Robert J. Hansen @robertjhansen
, 10 tweets, 2 min read Read on Twitter
Long thread. If you want to know the high-level details of the Efail attack, read. Yes, it was embargoed; yes, we were respecting the embargo; but links to the paper are now easy to get, so... here goes. 1/
This is at its heart a malleability attack on OpenPGP's cipher feedback mode. These attacks aren't new. The IETF OpenPGP Working Group first knew about them in 1999. By September 2000, GnuPG had a defense. 2/
The defense is called a Modification Detection Code, or MDC. Originally MDCs were optional. Today they're the default. The Efail attack requires an MDC either be missing or be invalid. 3/
You *can* manipulate a message with MDC into being one without MDC. The Efail authors are right there. So let's see what happens when GnuPG sees a message without an MDC.
As you can see in the last line, you get a very clear message. "WARNING: Message was not integrity protected."

After that, it's up to your email client to do the right thing. 5/
Your email client should refuse to render the message. If it ignores the warning or does the wrong thing in response to it, then yes, the Efail attack is very real. So it's really more fair to say this is an attack on poorly-written clients, not OpenPGP. 6/
The OpenPGP spec does technically allow for non-MDCed messages. It has to for backwards compatibility reasons. But no modern OpenPGP client should silently ignore missing/malformed MDCs. No modern email client should ignore the OpenPGP client's warnings. 7/
GnuPG has given warnings on missing/malformed MDCs for years. And although the Efail authors did find some problems in Enigmail -- for which we're deeply sorry, and plead that we're only human -- we fixed them months ago. 8/
If you're using a recent GnuPG and Enigmail 2.0 or later, you should be fine. If you're not, consider this an object lesson in the importance of upgrading your security-critical software. 9/
I encourage you to read the Efail paper. I've also shown you some GnuPG commands and outputs: please check me. As always, we welcome your feedback. If you're a trainer or working with vulnerable people, please DM/email with your questions. 10/10 (end)
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Robert J. Hansen
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @robertjhansen see all

Profile picture
When I entered an R&D lab in 2008, their rule #1 was written on the whiteboard: MOST OF IT IS WRONG. It was a good rule but incomplete, so I picked up a marker and added rule #2: WE FAIL FASTER.

On those two rules all R&D shops live or die. 1/
99% of all new ideas are failures, and yet new ideas have such appeal that often we get overly attached to them. You have to resist this temptation. Remind yourself constantly that most of it is wrong, even — especially! — the ideas you like. 2/
The only way to get to the 1% of good ideas is to plow your way through the 99% of bad ideas. Structure your lab so that bad ideas are detected as early as possible. Each second saved brings you a second closer to a good idea. Fail quickly! 3/
Read 4 tweets
Profile picture
"I don't know much about cyberwarfare—"

Nobody does. Welcome to the club.

"—but why don't you believe the Bloomberg story about the Chinese rooting, uh, well, everything?"

Economics, not technology. You don't need to understand tech: you just need to be able to multiply. 1/
Imagine you have a skeleton key that can open anything from a twelve-year-old's locked diary to a bank vault. The problem is as soon as you get caught using it everyone's going to change their locks. 2/
You have an expected maximum possible loot it'll help you steal. Billions upon billions. You're going after Fort Knox. So even if there's only a one in a thousand risk of getting caught, you can't justify using the key for anything less than a million bucks profit. 3/
Read 7 tweets
Profile picture
I got up at 6am yesterday. Shortly before going to bed last night, #Efail broke. Since then I've been deluged in messages from very scared people who have wanted and needed to hear things are not as bad as they're being made out to be. 1/
I am literally hallucinating from sleep deprivation. I'm still here. Still answering DMs, emails, Google Hangout messages, Signal messages, more. I'm talking to journalists who are trying to get another take.

I am *exhausted*. 2/
This is why responsible disclosure is so necessary. Irresponsible disclosure terrifies people. It might be good for clicks and pageviews, but we all pay the price for it in lost sleep. 3/
Read 7 tweets

Related threads

Profile picture
#Thread
CURSE OF KNOWLEDGE:
This is a powerful cognitive bias, and the one that's probably most responsible for you staying stuck in your dead-end way of doing things instead of breaking out.

What is it?
The mind's inability to remember what it was like to not know something.
At first glance you may think this is a relatively unimportant thing. Completely harmless.

But it's robbing you of your freedom. Here's how.

To understand, we're going to use an example from my life: Magic Tricks.

I'm a professional mentalist; I've performed in Vegas.
I know how the mind works, and I understand why the simple methods of magic are so powerful; they leverage exactly these kinds of mental hiccups. So, here's the example.

I do a trick, and you want to know how it works. You'll do ANYTHING. Pay me $100, even. Great! Pay up!
Read 18 tweets
Profile picture
Some of you may have noticed that I'm sporting a new tag in my screen name. It's not just a fad though, allow me to explain in this lil ol' #thread:
1/ As you (should) know, january 3rd marks the actual birthday of #Bitcoin, as it was the day that Satoshi mined the first blocks and hence set the Bitcoin story into motion. Upcoming jan 3rd will be the 10th anniversary and this would be an obvious time for celebrations.
2/ @TraceMayer took the initiative of a call-to-arms for all HODLers-of-last-resort, to join him and quite a few other prominent bitcoiners like @giacomozucco, @theonevortex and @CaitlinLong_, just to name some, and also sport the same tag in their screen name.
Read 27 tweets
Profile picture
Long thread warning. I want to connect a few dots. Some of this may get a little tin foil hat, so grains of salt and all that. Also, not everything has to be true for some of the connections to be relevant. Also, long thread. Long thread. 1/
Kavanaugh was one of the key players in getting SCOTUS to stop the 2000 Florida recount and anoint GWB (the same recount that would later prove GWB lost and the 2000 election was, effectively stolen). 2/
2000 was the first election where the GOP began to see fruit from the voter suppression trees they’d been planting. 12,000 FL voters were purged from the rolls under the guise that they’d been “confused” with felons. 3/
Read 39 tweets
Profile picture
#Thread on new features and updates announced in release notes of #MSDyn365 Oct'18: docs.microsoft.com/en-au/business…. This is an excellent longread. Thread is just #TLDR for #CE specific/related features

#PowerApps #CDS #Flow #USD #Sales #FieldService #USD #Portals #AzureML
Starting with #MSDyn365 #Sales updates:
1. Playbooks: Think of it as Barney Stinson's playbook. Basically set of "automated repeatable sales activities" that help in winning opportunities. Looks like it'll be a set of activities which could be assigned to users
2. #MSDyn365 #Sales will feature deeper integration with LinkedIn, including capability to send InMail and adding LinkedIn related step in Business Process Flows

3. Out of the box @MicrosoftTeams integration
Read 31 tweets
Profile picture
@hughhewitt @realDonaldTrump @POTUS Listen

Trump on Hugh Hewitt's radio show 9/21/15

"I called it my weekend in Moscow ... I was w the top level people, both oligarchs & generals & top of the gov people. I can’t go further than that, but I will tell you that I met the top people & ... "

@hughhewitt @realDonaldTrump @POTUS Transcript from 9/21/2015. Trump tells Hugh Hewitt about his terrific amazing weekend in Moscow. He loved it! Trump was w top level people, Russian oligarchs and generals, and top of the Russian government people. "The relationship was extraordinary"

hughhewitt.com/donald-trump-r…
@hughhewitt @realDonaldTrump @POTUS Alferova Yulya is Advisor to the Minister of economic development of the Russian Federation. She tweeted this photo of Trump in Moscow. It appears that Trump & others are gathered around a computer screen. Talking to someone by Skype?
Read 9 tweets
Profile picture
This will blow your mind! Trump's Russian admissions during Hugh Hewitt's interview of Trump on a radio show, September 21, 2015.

"2 yrs ago, I was in Moscow ... I called it my weekend in Moscow. But I was with the top level people, both oligarchs and generals & top of the gov"
Contrast that interview September 21, 2015, with this Trump press conference on February 16, 2017.
If you want to know some of the details / a timeline of Trump's 2013 Moscow trip during the Miss Universe page - this article uses links to Trump & Russian Twitter feeds & Instagram accounts

The Moscow Miss Universe Pageant Timeline - The Moscow Project

themoscowproject.org/dispatch/the-m…
Read 15 tweets

Trending hashtags

#MSDyn365 #digitaljobs #blockchain #makeitso #digitalmarketing #Sales #why #MindChallenge #Communication #SpencerAtUF #EpisodicContent #PowerQuery #NiravModi #GMO #DigitalNetworking #phew #ContentMarketing #PowerApps #MarketingStrategy #CVV #YPF #RichardSpencer #KeralaFloods #DworkinReport #maximalist

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!