Messages

FYI, Ernesto has been trying to reproduce this but so far he hasn't been able to. One likely reason I'm guessing is b/c he's using 60GB worth of fake data (not real Mail). So we're going to try to modify Espionage to insert a fake delay upon launching Mail and see if we can reproduce that way.

In the meantime, please let Ernesto know the answer to his question, and also what operating system you're using (e.g. 10.9, 10.10, etc.). Sorry if you've already given this information to us, but I didn't see it in this thread!

[will]

Hi tomhomme13,

Having a terminal session open inside of an unlocked directory will prevent the folder from being locked. This is not a bug, it's just how the system works, and we cannot do anything about it (the folder is being "legitimately used").

The only thing to do is to cd out of that directory or close the terminal window.

If you have any other questions don't hesitate to send us a reply!

Kind regards,
Greg, Tao Effect

Dear nomolo,

I think we're going to need a few days, and then we'll have a build ready for you to test and verify that the problem has been fixed. Sorry about this, just right now there are too many things going on because of Yosemite (for example, Ernesto, the other dev, needs to update his apps for Yosemite) and other urgent items.

In the meantime, is there some type of workaround that you can use? Perhaps temporarily removing the app actions might help?

Kind regards,
Greg

I've created an issue for this in our internal issue system and assigned it a high priority (for next release).

Updated post above with a link to: https://www.taoeffect.com/espionage/support/reporting/

Note that's a very old video and the Console app has changed a bit since then.

What OS are you folks using? We need as much info as you can provide:

1. System log messages (open the Console app, and repeat what you did, then search for "Espionage" and copy/paste the stuff you see here)
2. OS details (10.7, 10.9, 10.10??)

FYI: Fixing this issue is getting bumped till after 3.6.1 as we're prioritizing releasing 3.6.1 for 10.10 compat.

Personally I find it easier to copy the text from the web page source, paste it into an editor, select it all and use the OpenPGP: Verify service from the app menu.  The use of services instead of the command line seems to be more consistent with the techniques encouraged in the gpgtools kb articles and I suspect a large proportion of your intended user community would find it easier too.

You should be able to just verify directly in the source (using the Service menu), but it might depend on whether the browser messes with the formatting or not.

By way of a bit of constructive feedback, I think an FAQ explaining how to "verify the signature of this watch zone" would be very helpful to newbies like me.  Especially if the answer to the question explains why verifying the signature should enhance one's trust in what is written.

I'll be honest: while that's a great suggestion, it is low on our priority list. If we had resources to spare, it would be done, but we are focusing right now, among other things, to make sure E3 doesn't break when Yosemite is released. :P

This situation, remember, was also my fault. You would have likely successfully verified the signature the first time around had I not made my silly Find/Replace-All mistake. We are counting on a small fraction of our users who are savvy enough to use GPG properly to verify it.

I make this point because it is the first time I've ever tried to verify a PGP signature and was lead into the exercise by the text on your page.  Instead of begin reassured as intended, I ended up confused and, bizarre at it might seem to you, I'm still not sure why I should now attach any increased level of belief to what is written there.  Particularly when the words "undefined trust" come up in the results of the verification.

Ah, yes, that is GPG-insanity right there. That whole concept is putrid IMO and confuses even GPG veterans (why I am working on an alternative, where you get a black & white answer: "Yes this is authenticated", or "You're being hacked").

(Incidentally, the page source link doesn't "work" on my standard installation of Safari 7.0.6.  I get a dialog with the error: "There is no application set to open the URL view-source:https://www.espionageapp.com/".)  I don't know if there is a way to overcome that or not.

Use Firefox! :D

Anyway, keep up the good work.  I really appreciate the effort you are making to simplify encryption for us.

Thank you!! :D

OK, Mr. gpgtoolsnewbie, problem should be fixed. I accidentally broke the signature doing a search/replace of the entire document (doh!).

Note that in the latest GPGTools nightlies it still fails to verify the signature for some reason (I've opened up an issue about this with their team), but I think GPGTools 2.1 (the current release) should verify it (let me know if it doesn't). You can also manually copy and paste that text (including the "ASCII guards"—the dashed parts that surround it) into a plain text file, save it, and run gpg -v on it, it should show it as a valid signature (e.g.: gpg -v path/to/textfile.txt).

Thank you for bringing this to our attention!  :)

It should also be noted that Espionage's PD in the Data folder actually extends somewhat to the external volumes already, without any action required from users. The reason is that if, say, the data is on a laptop, and only your laptop is stolen, the "real" data on your external drives might not even be known to exist (to whoever stole your laptops). So it's important to have decoy Folder Sets set up, and to encrypt some semi-incriminating data locally.

[*much*]

Hmm. Yes, that is an interesting use case. Keep in mind that this would require some additional plausible deniability (PD) logic fenangaling on the part of the user:

• The difference between the Data folder PD and the PD you're describing is that Espionage takes care of creating fake data for *everyone* for the Data folder.
• Therefore, it would be known that unlike every other Espionage user, you chose to manually run the assistant to generate fake data on the external drive.
• Therefore, it would be likely (depending on how you set things up) that on that drive you have one "real" disk image, one or more decoys that you manually created to show off, and one or more fake disk images that Espionage created.

That is still *much* better than having just one disk image on that drive. Also, you don't have to do it that way. You could, for example, create fake disk images on *all* of your external drives, increasing your PD even more.

To be honest, implementing this feature request is fairly low on our priority list, as I'm guessing it's not something most users will find themselves wanting to do.

For now, however, what you can do is quit Espionage and rename the com.taoeffect.Espionage3 folder to something else (*don't delete it or you will lose your data!*). The next time you start Espionage it will re-run the PD assistant and will create a new "fresh" (but randomly timestamped) batch of fake disk images for you in the Data folder. You can move these to your external drive as you desire. After you're done, quit Espionage and restore the original com.taoeffect.Espionage3 folder, making sure to place it where it was in ~/Library/Application Support.

Finally, make sure to create at least one decoy Folder Set and encrypt some semi-incriminating folders on your external drive (make of that what you will ;)). If the folders that you drag into Espionage are located on that external drive, it will ask you to choose where to save the disk image, so you can place it next to the fake disk images.

Hope that's helpful! Let us know if you have any other questions!

Forgive me if this question seems dumb but please would you explain how to use GPG Tools to verify the signed message in the page source from Safari? 

I've tried copying and pasting it to a text file but receive a verification error when I try to use the OpenPGP: Validate service.

Hmm, you are right, this is odd, I might need to speak with the GPGTools team about this, as it's not verifying on my end either now (it seems it was signed with a key that is a subkey of A884B988, but why it fails to verify even on *my* machine, even after re-signing, I do not fully understand).

Don't panic though: as of September 14, 2014 10:48PM PDT, we still haven't received a NSL letter or anything of the sort.

If this problem isn't fixed within two weeks of this message posting, consider that a sign that the FBI *has* been here (or I got hit by a bus).

[Go to Folder...]

What happens if you try to manually eject the folder? You can do this by choosing Go to Folder... from the Finder's Go menu, and pasting in: ~/Library

In there you should see a folder called Mail. Try right-clicking on it and choosing Eject, let us know what happens.

We introduced a fix for a related problem in 3.6 that is causing this. It can happen depending on your finder settings:



For now, try playing around with those setting until you get it how you like it. We'll work on addressing this situation on our end too (for a future update).

[better than the PD you get from TrueCrypt]

I think this is a very important point. I know Greg acknowledged it but I'd like to explore it a little more. Before its mysterious demise, I used TrueCrypt. When creating a hidden volume with it, there is zero trace on my computer of this hidden volume or its contents. It seems irrelevant to me to allow the creation of multiple folder sets if the a sparsebundle of the encrypted contents of these folders is located in plain site on my computer for all to see. That's not plausible deniability. In fact quite the opposite, there's zero deniability to the existence of encrypted contents in my Espionage folders. Or am I missing a trick?

It sounds like there's misunderstanding going on.

You have very strong Plausible Deniability with Espionage: better than the PD you get from TrueCrypt.