Never put anything in writing. Use trusted couriers like your brother in law. Don't use telephones.
I looked at this years back for a thread. There are court rulings going back to the 30s 40s over whether there is any expectation of privacy over a telecommunications carrier.
As I recall if there is a third party no privacy exists. Today cell phone records are not private. The act of the carrier maintaining records in the first place negates any expectation of privacy. Or so I remember it.
The issue goes back to the early days of telephones and wiretapping. It was called wiretapping because that is what you did, you tapped into the wires. Early devices were old style vinyl record recorders.
Back in the 90s there was a program called Dragon I believe. It was uncovered when a woman used the word bomb in an email describing her kids theatrical performance. The email had been scanned by an application and she was put on a list that caused her some problems.
Back in the 80 I attended an unclassified presentation on a system that could read any cell phone communications. They could break in and insert audio seamlessly. There was something in the 90s about China rerouting large numbers of emails through their servers transparently.
Anyone who thinks there has ever been any real privacy across all telecommunications just has not been paying attention. Who knows how secure the cloud really is.
This is just stupid technological illiteracy.
PGP and all manner of other encryption models are perfectly secure, and available as a layer on all manner of communications. Asymmetrical encryption is far more secure than sneakernet.
Nothing is perfectly secure on any key based system. A bigger key means more time for trial and error. The test is if the algorithm is know how long does it take to crack. Efficacy is based on how long it needs to be secret.
There are always weaknesses. Anyone who thinks they are safe from the intelligence services of the major powers I not paying attention. Brute force attacks require arrays of computers.
Turing devised an early computer for brute force attacks.
https://en.wikipedia.org/wiki/Public-key_cryptography
Weaknesses[edit]
As with all security-related systems, it is important to identify potential weaknesses.
Algorithms[edit]
All public key schemes are in theory susceptible to a "brute-force key search attack".[4] Such attacks are however impractical if the amount of computation needed to succeed – termed the "work factor" by Claude Shannon – is out of reach of all potential attackers. In many cases, the work factor can be increased by simply choosing a longer key. But other algorithms may have much lower work factors, making resistance to a brute-force attack irrelevant. Some special and specific algorithms have been developed to aid in attacking some public key encryption algorithms – both RSA and ElGamal encryption have known attacks that are much faster than the brute-force approach.[5]
Major weaknesses have been found for several formerly promising asymmetric key algorithms. The "knapsack packing" algorithm was found to be insecure after the development of a new attack.[citation needed] Recently, some attacks based on careful measurements of the exact amount of time it takes known hardware to encrypt plain text have been used to simplify the search for likely decryption keys (a "side-channel attack"). A great deal of active research is currently underway to both discover, and to protect against, new attack algorithms.
Alteration of public keys[edit]
Another potential security vulnerability in using asymmetric keys is the possibility of a "man-in-the-middle" attack, in which the communication of public keys is intercepted by a third party (the "man in the middle") and then modified to provide different public keys instead. Encrypted messages and responses must also be intercepted, decrypted, and re-encrypted by the attacker using the correct public keys for different communication segments, in all instances, so as to avoid suspicion.
This attack may seem to be difficult to implement in practice, but it is not impossible when using insecure media (e.g., public networks, such as the Internet or wireless forms of communications) – for example, a malicious staff member at an Internet Service Provider (ISP) might find it quite easy to carry out.[citation needed]
Public key infrastructure[edit]
One approach to prevent such attacks involves the use of a public key infrastructure (PKI); a set of roles, policies, and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. However, this in turn has potential weaknesses.
For example, the certificate authority issuing the certificate must be trusted to have properly checked the identity of the key-holder, must ensure the correctness of the public key when it issues a certificate, must be secure from computer piracy, and must have made arrangements with all participants to check all their certificates before protected communications can begin. Web browsers, for instance, are supplied with a long list of "self-signed identity certificates" from PKI providers – these are used to check the bona fides of the certificate authority and then, in a second step, the certificates of potential communicators. An attacker who could subvert any single one of those certificate authorities into issuing a certificate for a bogus public key could then mount a "man-in-the-middle" attack as easily as if the certificate scheme were not used at all. In an alternate scenario rarely discussed[citation needed], an attacker who penetrated an authority's servers and obtained its store of certificates and keys (public and private) would be able to spoof, masquerade, decrypt, and forge transactions without limit.
Despite its theoretical and potential problems, this approach is widely used. Examples include TLS and its predecessor SSL, which are commonly used to provide security for web browser transactions (for example, to securely send credit card details to an online store).
Aside from the resistance to attack of a particular key pair, the security of the certification hierarchy must be considered when deploying public key systems. Some certificate authority – usually a purpose-built program running on a server computer – vouches for the identities assigned to specific private keys by producing a digital certificate. Public key digital certificates are typically valid for several years at a time, so the associated private keys must be held securely over that time. When a private key used for certificate creation higher in the PKI server hierarchy is compromised, or accidentally disclosed, then a "man-in-the-middle attack" is possible, making any subordinate certificate wholly insecure.
