[HOT] Computer Security / GPG - First do no harm
Trevor Ellermann
trevor at ellermann.net
Mon Jan 28 19:49:21 GMT 2013
Hey Peter,

That's a good point. GPG and the like is completely worthless for
mailing lists and in fact basically does not work. But it's super
useful for private communications. So the idea is that you would use
gpg and a CC list for any sensitive emails. I did not mean to imply we
should use it for the list.

As to the inclusiveness, I see what you are getting at but I think
there is more to it than that. Encryption does not have to be
exclusive of working on a project. It's usually a good idea to
designate a limited number of points of contact on things like this
anyways. So those points of contact can be responsible for maintaining
any sensitive information and such. Anyone can still work on the rest
of the project, which will be the majority of it. Not everyone really
needs to know the names of the people we are working with in Syria for
it to all work out.

The other thing about it is that whole first do no harm concept. While
I totally believe in the importance of inclusiveness, I think doing no
harm takes precedence. In the situation we are talking about with
Syria people could be tortured and die if we leak the wrong
information. I'm ok with sacrificing a little inclusiveness in order
to make sure that does not happen. In fact not just ok, doing no harm
is an absolute requirement for any project I am involved in. I'm going
to take a leap and say that pretty much everyone here feels the same
way.

It's totally worth thinking about and discussing though, thanks for
bringing it up.

--Trevor
___________________________
Trevor R. Ellermann
@trevorellermann
K0DMA
GPG Key: https://ellermann.net/trevor-gpg-public-key.asc
On Mon, Jan 28, 2013 at 11:04 AM, Peter Wendorff
<wendorff at uni-paderborn.de> wrote:
> Hi Trevor.
> I agree that this is an issue, but what should GPG be good for in a public
> mailing list everybody might join without any barrier?
> Anyone from any government, regime, rebel group, terrorist group or
> whatever wherever and in whose point of view ever might join the list and
> therefore get the decrypted emails.
> Using GPG here does not keep the individuals reading/writing mails safe as
> long as you use E-Mail as a medium and don't close the group to a trusted
> p2p group (where everybody trusts everybody to exchange a key).
>
> Of course:
> Nothing referring to individuals in any case where that might be an issue
> should be posted publicly over the mailing list, but encryption in general
> would strictly contradict the openness of everybody-can-join, which is one
> core feature of the osm mailing list system, this list included.
>
> regards
> Peter
>
> On 28.01.2013 17:37, Trevor Ellermann wrote:
>>
>> Hey All,
>>
>> As HOT talks about getting involved in Syria I want to take a moment
>> to talk about security. Email is unencrypted by default and very easy
>> to intercept. The Syrian regime is known to be snooping on all
>> internet traffic in Syria. They have arrested, tortured and killed
>> people and in some cases their families based on emails they have
>> intercepted.
>>
>> I want to highlight the public-ness of this email list. You don't even
>> have to intercept an email to read it and with the blog post, we
>> likely have brought attention to it. So before you post anything at
>> all to this list about Syria, please think first about the safety of
>> the people on the ground over there.
>>
>> Here is a page with information on basic computer security. I highly
>> recommend that everyone at least glance at it and hopefully learn how
>> to use gpg.
>>
>> http://www.patternsinthevoid.net/security.html
>>
>> A separate email account for encrypted communications is sometimes
>> preferred. I recommend riseup for that (https://riseup.net/en).
>>
>> If you have any questions, thoughts or comments please don't hesitate to
>> ask.
>>
>> --T
>>
>> _______________________________________________
>> HOT mailing list
>> HOT at openstreetmap.org
>> http://lists.openstreetmap.org/listinfo/hot
>>