6

"I fucked up" question

Submitted by noordinaryspider in Privacy

Hi,

I fucked up and trusted the wrong person, but have no reason to believe my encrypted emails were opened or read.....yet.

Can I just revoke the key? If so, can you link me to an "I fucked up and have been waiting for the foot to come through my door and the bullets to start flying for way too long"-friendly tutorial?

tia

Comments


1

GrimWillow wrote

Does this person have access to your private key and passphrase?

1

noordinaryspider wrote

No, just some emails I wrote that weren't exactly "drunk posting", just very bad security culture.

They haven't read the emails. They are flagged and in a queue. The person is "weeks or even months behind" on other tasks besides reading and replying to email.

I fucked up.

2

GrimWillow wrote

So it was encrypted using their public key? If you don't have access to the private key that can decrypt it, you wouldn't even have access to be able to revoke. You can only revoke your own key.

Otherwise, I'd say you would have to find a way to destroy the email from their side. If you can't do that, depending on how you feel about this person, you could try to lock them out of their account by guessing information in the "forgot password" dialogues to change the pass to their account or even just guess/crack their pass to delete the email yourself.

1

noordinaryspider wrote (edited)

No, it's not that important. That would have serious economic consequences for them and perhaps even affect their career options in the future. I'm not worth it. Not an option for Prime Directive reasons. Damn.

I guess I can't unfuck this fuckup. Mitigation time:

Damn.

So.....I already cleaned out all the emails from that account. Riseup changed my username and left me my old one as an alias which should help a bit. I don't store my contacts in my email account, but I need to get better about using keepass instead of the ol' meat envelope to remember logins.

I don't store my friends' contact info on email servers intentionally but I'm not the sharpest tack in the box. Also my filters are based on people's addresses so those have to go.

What else am I forgetting to do?

2

Copenhagen_Bram wrote

keepass

meat envelope

I'm thinking about using paper and pencil for passwords. It doesn't need batteries and it isn't potentially online. (I suppose you could also encrypt passwords on an offline mobile device and that would be better) Use a simple cipher to encrypt your paper passwords, if you choose to go that route. Should slow an attacker down, unless they can copy it to their computer.

1

noordinaryspider wrote

I see this:

"Note that after you revoke your key you can still decrypt messages that were encrypted with that key (provided that you still have the private key, of course); this allows you to read old encrypted messages. You are also able to decrypt messages sent to you with the revoked key after the revocation. This should not happen as the revoked key is not supposed to be used to encrypt; however, people that haven't refreshed your key in their keyring in a while (and that therefore still have the old, non-revoked copy of your public key) will still be able to do so. "

here:

https://www.enigmail.net/documentation/Key_Management#Revoking_your_key_pair

and am pretty sure it means I'm fuuuuuuuuuucked but just wanted to borrow a more well-rested brain to confirm.
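The two facts in the Enigmail quote above (a revoked key still decrypts old mail, and nobody is stopped from encrypting to it until they actually see the revocation) and GrimWillow's earlier point (you can only revoke your own key) can be checked end to end with GnuPG. The script below is an added example, not part of the thread and not Enigmail's or Riseup's code. It assumes GnuPG 2.1 or newer on the PATH, runs entirely inside a throwaway GNUPGHOME, and uses a constructed identity (alice@example.test); nothing in it touches your real keyring or anyone else's mailbox.

```shell
#!/bin/sh
# Added demo: what revoking your OWN OpenPGP key does and does not do.
# Assumes gpg >= 2.1. Everything happens in a temporary GNUPGHOME with a
# constructed identity; the body runs in a subshell so "exit" only leaves
# the function and the EXIT trap cleans up the temporary directory.

demo_revocation() (
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found, skipping" >&2; exit 2; }

    GNUPGHOME=$(mktemp -d) || exit 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    trap 'rm -rf "$GNUPGHOME"' EXIT

    # 1. Generate a key with no passphrase (demo only; a real key should have one).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Alice Demo <alice@example.test>' default default never \
        >/dev/null 2>&1 || exit 1
    fpr=$(gpg --batch --with-colons --fingerprint --list-keys alice@example.test \
          | awk -F: '/^fpr/ { print $10; exit }')
    [ -n "$fpr" ] || exit 1

    # 2. Mail encrypted to the key BEFORE revocation (what a correspondent sent earlier).
    printf 'secret\n' | gpg --batch --quiet --trust-model always \
        -e -r "$fpr" -o "$GNUPGHOME/old_mail.gpg" || exit 1

    # 3. Revoke. gpg >= 2.1 already wrote a revocation certificate at key creation;
    #    its first line starts with ':' to prevent accidental import, so strip it.
    #    Importing it only revokes the key in THIS keyring: correspondents learn
    #    about it only if you publish the revoked key or send them the certificate.
    sed 's/^://' "$GNUPGHOME/openpgp-revocs.d/$fpr.rev" > "$GNUPGHOME/revoke.asc" || exit 1
    gpg --batch --quiet --import "$GNUPGHOME/revoke.asc" 2>/dev/null || exit 1
    gpg --batch --with-colons --list-keys "$fpr" | grep -q '^pub:r:' || exit 1   # 'r' = revoked

    # 4. Old ciphertext still decrypts: revocation does not destroy the private key.
    plain=$(gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            -d "$GNUPGHOME/old_mail.gpg" 2>/dev/null) || exit 1
    [ "$plain" = "secret" ] || exit 1

    # 5. Someone who HAS the revocation can no longer encrypt to the key.
    if printf 'new\n' | gpg --batch --quiet --trust-model always \
            -e -r "$fpr" -o /dev/null 2>/dev/null; then
        echo "unexpected: gpg encrypted to a revoked key" >&2
        exit 1
    fi
    echo "ok: old mail still readable, new encryption to the revoked key refused"
)

demo_revocation
```

Note what the script cannot show, because the mechanism does not exist: nothing Alice does to her own key changes a message that was encrypted to somebody else's public key. Revocation is a statement about your key, distributed only as far as you push it; it is not a recall of mail already sitting in another person's inbox.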

2

Copenhagen_Bram wrote

How fucked are you? Are you going to be okay?

1

noordinaryspider wrote (edited)

Or.....maybe if I sit perfectly still the armies will all pass by without even knowing I'm here....possibly/probably the emails will never be read and I need to calm the fuck down and hit Colonel McMarijuana's on the way home from the store.

We're talking about a https://www.youtube.com/watch?v=qNfucKAftB0 who has "read flagged emails" on their to-do list, ffs.

No need to waste your time security LARPing if you'd rather watch paint dry or something more interesting.

1

noordinaryspider wrote

No idea yet. That's the problem.

Not in the best circumstances to put the kids in the car, drive, and not look back any more.

You are probably not affected but yea, thanks for reminding me that I need to do the same with my "public" email account too.

Blecch. I hate cleaning. I'll be more careful from now on.