[-] aard@kyu.de 4 points 2 months ago* (last edited 2 months ago)

There was the 386DX and significantly cheaper SX - first was full 32 bit, second just 32bit instruction set with smaller external busses.

Then you could add the math coprocessor. And of course RAM and disks were expensive. 16MB RAM was way above normal for that time.

[-] aard@kyu.de 4 points 3 months ago

They will have access to metadata - otherwise they wouldn't be able to work as an email service. That's sufficient to implement those protocols.

The client then would have to bring their own crypto, and you'd probably want the SMTP server to reject mails if delivered unencrypted (though their FAQ says you can send unencrypted mails).

The reason they claim they can't is probably trying to keep full control over what users are doing, in which case I agree - fuck them, don't use services like that.

[-] aard@kyu.de 4 points 4 months ago

The title was explicitly "Stolz auf Deutschland" (proud of Germany) - and that is what I would be in this case. Proud to be German, not so much - though I think that should most likely apply to someone who has passed the naturalization test.

[-] aard@kyu.de 4 points 4 months ago

Had to look that lawyer bit up as it just sounded too much like Gravenreuth - and indeed it was.

[-] aard@kyu.de 4 points 5 months ago

Funny timing, I'm currently going through a stack of Sun hardware in my garage to decide what to keep, and for what I'll try to find a good home (or eventually dispose of it).

[-] aard@kyu.de 4 points 10 months ago

I probably can use the GPD Pocket 3 (partially visible on one picture) for that. That thing is surprisingly robust.

[-] aard@kyu.de 4 points 10 months ago* (last edited 10 months ago)

This level of paranoia isn't really compatible with modern hardware, and requires a lot of effort.

You're pretty much limited to stuff that has open firmware available, and even then you have to hope there are no bugs or backdoors in the hardware.

For the Intel world almost everything with open firmware is pretty old - some nowadays unsupported, which means no more microcode updates. And those microcode updates also are a problem - you can't mitigate everything in kernel space, so usually you'd want them, but they'd also be an attack vector against you.

And even if you manage to trust the computer itself there are a lot of attack vectors surrounding it. Do you have anything capable of recording audio in the same room as your computer? If yes, not a good idea - it has been proven possible to extract passwords from audio recordings of a keyboard. Does the room have windows? That counts as an audio recording device.

If you got rid of that, do you have some other hardware with sensors? There's a high chance that a device placed on your desk containing an accelerometer would also be capable of extracting your password.

[-] aard@kyu.de 5 points 10 months ago

Easiest and most affordable is probably a security key like the Nitrokey or a Yubikey (https://www.yubico.com/). I personally don't like the company behind Yubikey much, but if you want something small you can always leave in the device that's pretty much your only option.

The "cheaper, but a bit more effort" option would be just getting a smartcard blank, a card reader (if you're not lucky enough to have a notebook or computer with one built in), and then either writing your own applet, or using one of the available open-source ones, and uploading it to the card. A variant of that would be the Fidesmo card, where you get a card and their applet.

Or you just use the TPM you may have in your system - though you'll need to be careful with that: Typically one reason for using a hardware token is to make sure keys can't get extracted, while TPMs often do allow key extraction. Software to make that work would be opencryptoki.

Generally you'd use PKCS#11 to have the various components talk to each other. On your average Linux pretty much everything but GnuPG plays nice with PKCS#11. Typically you end up with pcscd to interface with the smartcard (the above USB tokens are technically also just USB smartcards), OpenSC as a layer to provide PKCS#11 on top, and software (like OpenSSH) then talks to that.

All of that should be available as packages in any Linux distribution nowadays - and typically will also provide p11-kit configured to use a proxy library to make multiple token sources easily available, and avoid blocking on concurrent access.

ssh-add supports adding keys from PKCS#11 providers to the SSH agent (search for pkcs11 in the ssh-add manpage), with some distributions (like Red Hat) also carrying patches allowing you to select only individual tokens for adding.

If you're also using GnuPG it gets more complicated - you pretty much have two options: stick with PKCS#11, in which case you'd replace GPG's own smartcard agent with gnupg-pkcs11-scd, or use GPG's own card implementation, in which case you can forget pretty much everything I wrote above, and just follow the security key manual for setting up a GPG card, enable SSH agent support in the GPG agent, and use that for SSH authentication.
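As an added example that is not part of the comment above: a small POSIX shell helper that locates a PKCS#11 module (the p11-kit proxy the comment mentions, or OpenSC's own module), lists the keys the token exposes with ssh-keygen -D, and loads them into the agent with ssh-add -s. The candidate module paths and the function names are my assumptions about common distribution layouts, not anything from the post.

```shell
#!/bin/sh
# Added example (not from the post): find a PKCS#11 module and hand it to
# ssh-agent. The default module paths below are assumptions about common
# distro layouts; adjust them for your system.

# Print the first readable PKCS#11 module. Explicit candidates given as
# arguments are tried in order; with no arguments, ask pkg-config for the
# p11-kit proxy module (it multiplexes every configured token source,
# including OpenSC), then fall back to a few well-known locations.
find_pkcs11_module() {
    if [ "$#" -eq 0 ]; then
        if command -v pkg-config >/dev/null 2>&1; then
            set -- "$(pkg-config --variable=proxy_module p11-kit 2>/dev/null)"
        fi
        set -- "$@" \
            /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-proxy.so \
            /usr/lib64/pkcs11/p11-kit-proxy.so \
            /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so \
            /usr/lib64/opensc-pkcs11.so
    fi
    for mod in "$@"; do
        if [ -n "$mod" ] && [ -r "$mod" ]; then
            printf '%s\n' "$mod"
            return 0
        fi
    done
    return 1
}

# Show the public keys the token exposes, without touching the agent.
# Useful to confirm pcscd/OpenSC see the card before involving ssh-agent.
list_token_keys() {
    ssh-keygen -D "$1"
}

# Load the token's keys into the running ssh-agent; ssh-add asks for the PIN.
# Private keys never leave the token; the agent only holds a handle to them.
add_token_keys() {
    ssh-add -s "$1"
}

# Tie it together: optional arguments are explicit module paths to try first.
main() {
    mod=$(find_pkcs11_module "$@") || {
        echo "no readable PKCS#11 module found" >&2
        return 1
    }
    echo "using PKCS#11 module: $mod"
    list_token_keys "$mod" && add_token_keys "$mod"
}
```

Source the file and call main (optionally with a module path) inside a shell that already has SSH_AUTH_SOCK set; ssh-keygen -D only reads public keys, so it is a safe first check that the token is visible.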

[-] aard@kyu.de 5 points 11 months ago

I assume you mean "lookup", as import doesn't really make much sense.

I'm currently using this with wofi, though I'll eventually rewrite it as anyrun plugin, which provides a bit more control:

#!/usr/bin/env python3
from argparse import ArgumentParser
import subprocess
import os

ssh_config_file = "~/.ssh/config"
ssh_known_hosts_file = "~/.ssh/known_hosts"

# Returns a sorted list of all hosts named in ~/.ssh/config
def get_hosts():

    hosts = []

    with open(os.path.expanduser(ssh_config_file)) as f:
        content = f.readlines()

    for line in content:
        line = line.lstrip()
        # Ignore wildcard patterns, they are not connectable hosts
        if line.startswith('Host ') and '*' not in line:
            for host in line.split()[1:]:
                hosts.append(host)

    # Removes duplicate entries
    hosts = sorted(set(hosts))

    return hosts

# Returns a sorted list of all hosts named in ~/.ssh/known_hosts
def get_known_hosts():

    hosts = []

    with open(os.path.expanduser(ssh_known_hosts_file)) as f:
        content = f.readlines()

    for line in content:
        line = line.lstrip()
        # Skip empty lines, comments and hashed entries (|1|...), which
        # cannot be turned back into a hostname
        if not line or line.startswith('#') or line.startswith('|'):
            continue
        # Marker lines (@cert-authority, @revoked) carry the host in field 2
        if line.startswith('@'):
            fields = line.split()
            if len(fields) < 2:
                continue
            host_entry = fields[1]
        else:
            host_entry = line.partition(" ")[0]
        # An entry may list several names separated by commas; take the first
        hosts.append(host_entry.partition(",")[0])

    # Removes duplicate entries
    hosts = sorted(set(hosts))

    return hosts

# Returns a newline separated UTF-8 encoded string of all ssh hosts
def parse_hosts(hosts):
    return "\n".join(hosts).encode("UTF-8")

# Executes wofi with the given input string and returns the selected line
def show_wofi(command, hosts):

    process = subprocess.Popen(command, shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    ret = process.communicate(input=hosts)
    host, rest = ret
    return host

# Opens the terminal running ssh to the given host; "[host]:port" entries
# (as written by ssh for non-standard ports) are split into host and port
def ssh_to_host(host, terminal, ssh_command):

    if host.startswith("[") and "]:" in host:
        host, port = host[1:].split("]:", 1)
        command = "{terminal} \'{ssh_command} {host} -p {port}\'".format(terminal=terminal, ssh_command=ssh_command, host=host, port=port)
    else:
        command = "{terminal} \'{ssh_command} {host}\'".format(terminal=terminal, ssh_command=ssh_command, host=host)

    process = subprocess.Popen(command, shell=True)

# Entry point
if __name__ == "__main__":

    parser = ArgumentParser(description="Wofi based ssh launcher")
    parser.add_argument("terminal", help='Terminal command to use')
    parser.add_argument("--ssh-command", dest='ssh_command', default='ssh', help='ssh command to use (default=ssh)')
    parser.add_argument("--mode", dest='mode', default='known_hosts', choices=['config', 'known_hosts'], help='where to read from (default=known_hosts)')
    parser.add_argument("--command", default='wofi -p \"SSH hosts: \" -d -i --hide-scroll', help='launcher command to use')
    args = parser.parse_args()

    if args.mode == "config":
        hosts = get_hosts()
    else:
        hosts = get_known_hosts()

    parsed_hosts = parse_hosts(hosts)

    selected = show_wofi(args.command, parsed_hosts)

    selected_host = selected.decode('utf-8').rstrip()

    if selected_host != "":
        ssh_to_host(selected_host, args.terminal, args.ssh_command)

[-] aard@kyu.de 5 points 11 months ago

There's a lot of other stuff where Wayland improves the experience. Pretty much everything hotplug works to some extent on X, but it's all stuff that got bolted on later. Hotplugging an input device with a custom keymap? You probably can get it working somewhat reliably by having udev triggers call your xmodmap scripts - or just use a Wayland compositor handling that.

Similar with xrandr - works a lot of the time nowadays, but still a compositor just dealing with that provides a nicer experience.

Plus it stops clients from doing stupid things - changing resolutions, moving windows around or messing up what is focused is also a thing of the past.

[-] aard@kyu.de 4 points 1 year ago

That's been a youtube trend for a while now. Most 10-20 minute videos should not have been longer than 2-5 minutes. It caused me to massively reduce the time I spend on youtube - and for me to watch a video longer than 5 minutes from somebody I don't know it needs to be about a very interesting topic and a description hinting at it not being just filler yet again.

[-] aard@kyu.de 4 points 1 year ago

In case you're already using emacs I wouldn't bother with a separate pdf viewer - pdf-tools for emacs is imo the best PDF viewer nowadays available on linux.
