[Bender]

I believe they are referring to using GPG to encrypt data before putting it into Slack, much like using the out of band OTR. In that case all the data shared between those using GPG or OTR would only be accessible to those with the right out of band keys. There are probably not a lot of people doing this, or not enough for governments to care. I do this in IRC using irssi-otr [1].

If that ever became illegal because encryption then groups of people could simply use scripts or addons to pipe through different types of encoding to make AI fuzzy searches harder. They can try to detect these chains of encoding but it will be CPU expensive to do every combination at scale given there are literally thousands of forms of encoding that could be chained in any order and number.

Mon -> base64 -> base2048 [2]

Tue -> base2048 -> base131072 [3]

...and so on.

[1] - https://irssi.org/documentation/help/otr/

[2] - https://github.com/qntm/base2048

[3] - https://github.com/qntm/base131072

[palata]

> I believe they are referring to using GPG to encrypt data before putting it into Slack

In good approximation, nobody does that.

And anyone who is capable of communicating over PGP won't be covered by ChatControl anyway. They can keep using PGP over whatever they want, or just compile Signal from sources.

> If that ever became illegal because encryption then groups of people could simply use scripts or addons to pipe through different types of encoding to make AI fuzzy searches harder.

I don't think that this makes any sense at all. This is some kind of poor encryption. Either you honour the law and you send your messages in plaintext, or you don't and you use proper encryption. There is nothing worth anything in-between.

If encryption is illegal, those who really need it can still use steganography.

[Bender]

This is some kind of poor encryption.

In fact it is exactly zero encryption both technically and legally. By using encoding I would not be breaking the law at all assuming encryption itself is actually outlawed. Encryption is mathematical obfuscation. This is only useful for text to/from the server of course. Local storage is still being scanned which means one still have to use a device that does not have local scanning if the files are sensitive such as financial documents or those files would also have to be encoded. Encoding may not have value to some people but it has value to me. Obviously if I am trying to hide something that is highly sensitive like a master password database then I would probably do something a tad bit stronger, maybe 64 to 256 chains of encoding. This is still sufficient to break fuzzy scanning.

Here's an easy one:

    MDExMTAxMTEwMDExMDAwMDAwMT
    EwMDAwMDExMTAxMDAwMTExMDEx
    MTAwMTEwMDAwMDAxMTAwMDAw
    MTExMDEwMDAwMTAwMDAwMDEwMA
    oxMDAxMDAxMDAwMDAwMTEwMDAw
    MTAxMTAxMTAxMDAxMDAwMDAw
    MTEwMDAwMTAwMTAwMDAwMDExMT
    AwMTEwMTEwMTAwMTAxMTAxMTAw
    CjAxMTAxMTAwMDExMTEwMDEw
    MDEwMDAwMDAxMTEwMTExMDExMD
    ExMTEwMTEwMTEwMTAxMTAwMDEw
    MDExMDAwMDEwMTExMDEwMAo=

Zero encryption but it might take people a while to figure this out. The commands I used are installed by default to most Linux distributions. If I wanted to get really crazy I would add different levels and types of compression in the middle of the chain.

[palata]

> In fact it is exactly zero encryption both technically and legally.

I am not a lawyer (are you?), but technically you're wrong.

"In cryptography, encryption (more specifically, encoding) is the process of transforming information in a way that, ideally, only authorized parties can decode."

A caesar cipher is encryption. I don't see why chaining encodings wouldn't be. Technically and legally.

[Bender]

That's for lawyers and judges to work out. I will not concern myself with it.

Here is a legal definition: [1]

Making text or code unreadable to secure it for transmission or transport. Both the sender, the encryptor, and the receiver, the decryptor, have the means to translate text or code from source language to unreadable, undecipherable gibberish and back. The devices used have a key that is unique to the sender and receiver.

They used the word key. Our court case will have to decide if chained commands are legally equivalent to a "key". It's not even clear to me that is the universal legal definition. Time and grey wigs will tell. If they decide chained commands are a key that could have an interesting precedence on cases involving protecting users data, banking, military secrets, etc...

[1] - https://thelawdictionary.org/encryption/

[palata]

I get your point, we disagree.

[luxcem]

If you really want to use encryption under a state where it's forbidden and communication are monitored you rather want to hide your encrypted messages inside cat pictures and tiktok videos. Because blatant obfuscation might trigger warning and draw attention.

In the end it's not about making encryption technically impossible but illegal, and if you use it you'll be prosecuted.

[Bender]

Me personally, I will use chained encoding because technically and legally that is not encryption. I am fine with drawing attention. If my adversaries wish to spend a gazillian mega-bucks to try to win the arms race of decoding my chained encoding to see my mid-wit comments and pictures of a moose then I am doing a good job. When they change the laws to prevent encoding then we move on to another technique. There are nearly infinite ways to limit communication to a group of people and evade fuzzy scans.

[palata]

Respectfully, you completely miss the point. You personally, you will still be able to use proper encryption.

It's mainstream platforms who won't be. Those platforms will be mandated to scan their own communications.

There is absolutely no reason to do this weird encoding stuff. Nobody says that it is illegal to encrypt stuff properly.

[Bender]

Well in that case I will use my silly chained encoding and their fuzzy scans of files on the mainstream platforms will have to figure out what to do with it.

For what it's worth I myself do not use these platforms. I just want to get people thinking about mitigating options. I use my own self hosted forums, chat servers, sftp servers, chan servers, voice chat servers and so on. Even then it can be useful to obfuscate text and files in the event someone is using a fondle-slab. I try to discourage fondle slabs.

[palata]

> I just want to get people thinking about mitigating options.

You should refrain from making dangerous suggestions, I think. Some people may actually need proper encryption.

[Bender]

My suggestion has always been to use PGP or OTR for individual messages or individual files. dm-crypt plain with a random cipher/hash/mode combo for filesystems using a 240 to 480 character passphrase which can also be layered and chained.

This is just an alternative if people believe they are not permitted to encrypt something. The threat vector in this topic is fuzzy scanning local and remote. ChatControl uses fuzzy scanning. Encoding can do just as good a job of mitigating fuzzy scans as any level of encryption. Even manual intervention should take a lot of effort just as much as brute forcing a simple encryption password. If we are being honest encrypted files are most often protected by a weak password and the cipher/hash are already disclosed and the key space is usually small. LUKS for example discloses cipher, hash, mode making brute force just a factor of compute power. If an app is chain-encoding and the chain is shared out of band I suspect it will take orders of magnitude more compute time to cycle through every possible combination of encoding and compression.

For fun has anyone decoded my simple message in the thread?

[1718627440]

I fear when its become illegal to not have a remote scanner on my computer broadcasting file contents, invoking GPG will be of much less use.