Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]


Groups > alt.cypherpunks > #1184 > unrolled thread

AEC - Air Gapped Encrypted Communications released

Started byAnne Frank <bounce.me@n2n.oc2mx.net>
First post2026-06-03 15:32 +0200
Last post2026-06-04 22:42 +0000
Articles 20 on this page of 21 — 3 participants

Back to article view | Back to alt.cypherpunks


Contents

  AEC - Air Gapped Encrypted Communications released Anne Frank <bounce.me@n2n.oc2mx.net> - 2026-06-03 15:32 +0200
    Re: AEC - Air Gapped Encrypted Communications released Anne Frank <bounce.me@n2n.oc2mx.net> - 2026-06-03 23:48 +0200
      Re: AEC - Air Gapped Encrypted Communications released Anne Frank <bounce.me@n2n.oc2mx.net> - 2026-06-04 00:02 +0200
        Re: AEC - Air Gapped Encrypted Communications released Anne Frank <bounce.me@n2n.oc2mx.net> - 2026-06-04 00:59 +0200
          Re: AEC - Air Gapped Encrypted Communications released Anne Frank <bounce.me@n2n.oc2mx.net> - 2026-06-04 01:45 +0200
            Re: AEC - Air Gapped Encrypted Communications released Anne Frank <bounce.me@n2n.oc2mx.net> - 2026-06-04 02:06 +0200
              Re: AEC - Air Gapped Encrypted Communications released Anne Frank <bounce.me@n2n.oc2mx.net> - 2026-06-04 02:17 +0200
                Re: AEC - Air Gapped Encrypted Communications released Ch1ffr3punk <ch1ffr3punk@gmail.com> - 2026-06-04 07:24 +0000
              Re: AEC - Air Gapped Encrypted Communications released Ch1ffr3punk <ch1ffr3punk@gmail.com> - 2026-06-04 07:20 +0000
                Re: AEC - Air Gapped Encrypted Communications released Anne Frank <bounce.me@n2n.oc2mx.net> - 2026-06-04 12:25 +0200
    Re: AEC - Air Gapped Encrypted Communications released Ch1ffr3punk <ch1ffr3punk@gmail.com> - 2026-06-04 10:18 +0000
      Re: AEC - Air Gapped Encrypted Communications released Anne Frank <bounce.me@n2n.oc2mx.net> - 2026-06-04 12:58 +0200
        Re: AEC - Air Gapped Encrypted Communications released Ch1ffr3punk <ch1ffr3punk@gmail.com> - 2026-06-04 11:32 +0000
          Re: AEC - Air Gapped Encrypted Communications released Anne Frank <bounce.me@n2n.oc2mx.net> - 2026-06-04 13:52 +0200
            Re: AEC - Air Gapped Encrypted Communications released Ch1ffr3punk <ch1ffr3punk@gmail.com> - 2026-06-04 12:06 +0000
        Re: AEC - Air Gapped Encrypted Communications released Ch1ffr3punk <ch1ffr3punk@gmail.com> - 2026-06-04 11:51 +0000
          Re: AEC - Air Gapped Encrypted Communications released Anne Frank <bounce.me@n2n.oc2mx.net> - 2026-06-04 14:08 +0200
            Re: AEC - Air Gapped Encrypted Communications released Ch1ffr3punk <ch1ffr3punk@gmail.com> - 2026-06-04 12:12 +0000
              Re: AEC - Air Gapped Encrypted Communications released Anne Frank <bounce.me@n2n.oc2mx.net> - 2026-06-04 15:10 +0200
                Re: AEC - Air Gapped Encrypted Communications released Anne Frank <bounce.me@n2n.oc2mx.net> - 2026-06-04 18:11 +0200
                  Re: AEC - Air Gapped Encrypted Communications released Gabx <mail2news@virebent.invalid> - 2026-06-04 22:42 +0000

Page 1 of 2  [1] 2  Next page →


#1184 — AEC - Air Gapped Encrypted Communications released

FromAnne Frank <bounce.me@n2n.oc2mx.net>
Date2026-06-03 15:32 +0200
SubjectAEC - Air Gapped Encrypted Communications released
Message-ID<fac3c6eb89fb22946269@n2n.oc2mx.net>
Hi all,

https://github.com/Ch1ffr3punk/AEC

-- 
Regards
Stefan

[toc] | [next] | [standalone]


#1185

FromAnne Frank <bounce.me@n2n.oc2mx.net>
Date2026-06-03 23:48 +0200
Message-ID<64202228c0d8696907b3@n2n.oc2mx.net>
In reply to#1184
No forward secrecy: long-term Curve25519 key reused for all messages.
Compromise of ~/.aec/identity decrypts entire message history.

Retroactive decryption of all archived ciphertexts if key is stolen.

[toc] | [prev] | [next] | [standalone]


#1186

FromAnne Frank <bounce.me@n2n.oc2mx.net>
Date2026-06-04 00:02 +0200
Message-ID<6fe2b4fa26d2852d0176@n2n.oc2mx.net>
In reply to#1185
Anne Frank wrote:
> 
> No forward secrecy: long-term Curve25519 key reused for all messages.
> Compromise of ~/.aec/identity decrypts entire message history.

The key pair can be changed, no need to keep it for a long time, like
one keeps OpenPGP key pairs on his online Linux PC.
 
> Retroactive decryption of all archived ciphertexts if key is stolen.

AEC, like the name suggests, is used on secure air gapped (Windows)
PCs and not on online OpenPGP Linux boxes.

Regards
Stefan

-- 
https://oc2mx.net

[toc] | [prev] | [next] | [standalone]


#1187

FromAnne Frank <bounce.me@n2n.oc2mx.net>
Date2026-06-04 00:59 +0200
Message-ID<e5bcd608eb002936b7f7@n2n.oc2mx.net>
In reply to#1186
Anne Frank wrote:

> The key pair can be changed, no need to keep it for a long time, like
> one keeps OpenPGP key pairs on his online Linux PC.

Relying on user discipline for forward secrecy is poor security design.

> AEC, like the name suggests, is used on secure air gapped (Windows)
> PCs and not on online OpenPGP Linux boxes.

Air-gap reduces risk but doesn't eliminate it.
USB malwares and electromagnetic side-channels still apply.

Moreover windowz closed-source firmware and telemetry
add unnecessary attack surface compared to minimal Linux deployments.

Better isolation: 
Debian/Proxmox VM LXC container (Alpine Linux) with no
default gateway—network-level air-gap, minimal attack surface, no telemetry,auditable stack. 

For high-threat scenarios, ephemeral keypairs (one-time use,
wiped after) should be default, not user-optional.

[toc] | [prev] | [next] | [standalone]


#1188

FromAnne Frank <bounce.me@n2n.oc2mx.net>
Date2026-06-04 01:45 +0200
Message-ID<7512873075c0cd9639a3@n2n.oc2mx.net>
In reply to#1187
Anne Frank wrote:
> Anne Frank wrote:
> 
> > The key pair can be changed, no need to keep it for a long time, like
> > one keeps OpenPGP key pairs on his online Linux PC.
> 
> Relying on user discipline for forward secrecy is poor security design.
> 
> > AEC, like the name suggests, is used on secure air gapped (Windows)
> > PCs and not on online OpenPGP Linux boxes.
> 
> Air-gap reduces risk but doesn't eliminate it.
> USB malwares and electromagnetic side-channels still apply.
> 
> Moreover windowz closed-source firmware and telemetry
> add unnecessary attack surface compared to minimal Linux deployments.
> 
> Better isolation: 
> Debian/Proxmox VM LXC container (Alpine Linux) with no
> default gateway—network-level air-gap, minimal attack surface, no telemetry,auditable stack. 
> 
> For high-threat scenarios, ephemeral keypairs (one-time use,
> wiped after) should be default, not user-optional.

The current rig looks like this:

Air gapped little GPD MicroPC with Windows 11, no Bluetooth or WiFi.
Can be shielded with view-through Faraday fabric.

Encrypted QR-Codes are transferred via webcam and no USB or network is used.

The receiving party for Hermes Nym Mixnet usage:

Android smartphone with PlugOS hardware, Camera2 app etc. where PlugOS uses
NymVPN. Screenshots from PlugOS can not be taken, when for example used in
an Internet Café, with a Windows 11 PC.

So, as you see no Linux box is needed.

Regards
Stefan

-- 
https://oc2mx.net

[toc] | [prev] | [next] | [standalone]


#1190

FromAnne Frank <bounce.me@n2n.oc2mx.net>
Date2026-06-04 02:06 +0200
Message-ID<edee26ec1b4698ea6497@n2n.oc2mx.net>
In reply to#1188
Faraday shielding mitigates EM side-channels but not supply-chain compromise
(IME, firmware backdoors). 

Windows 11 telemetry persists in hibernation/swap even without network, 
data exfiltrated on next online boot unless disk is wiped.

Webcam firmware is a soft air-gap.
USB controller sees all camera data.

Alpine LXC in a proxmox VM, with no internet gateway is *objectively* smaller attack
surface.

*5MB*

[toc] | [prev] | [next] | [standalone]


#1191

FromAnne Frank <bounce.me@n2n.oc2mx.net>
Date2026-06-04 02:17 +0200
Message-ID<b8a66819b57dcc899326@n2n.oc2mx.net>
In reply to#1190
GPD MicroPC 450€
Faraday box 50€/100€
plugos 200€

android phone ???

[toc] | [prev] | [next] | [standalone]


#1193

FromCh1ffr3punk <ch1ffr3punk@gmail.com>
Date2026-06-04 07:24 +0000
Message-ID<10vr973$3j7in$2@news.tcpreset.net>
In reply to#1191
Anne Frank wrote:
> 
> GPD MicroPC 450€
> Faraday box 50€/100€
> plugos 200€
> 
> android phone ???
> 
> 

Android phone starting at 135 € and transparent
Faraday fabric from China only a few Euros, per
squaremeter.

Privacy costs money and can't be obtained with
an online Linux box and OpenPGP as some people
may think.

Regards
Stefan

-- 
https://oc2mx.net

[toc] | [prev] | [next] | [standalone]


#1192

FromCh1ffr3punk <ch1ffr3punk@gmail.com>
Date2026-06-04 07:20 +0000
Message-ID<10vr90a$3j7in$1@news.tcpreset.net>
In reply to#1190
Anne Frank wrote:
> 
> Faraday shielding mitigates EM side-channels but not supply-chain compromise
> (IME, firmware backdoors). 
> 
> Windows 11 telemetry persists in hibernation/swap even without network, 
> data exfiltrated on next online boot unless disk is wiped.
> 
> Webcam firmware is a soft air-gap.
> USB controller sees all camera data.
> 
> Alpine LXC in a proxmox VM, with no internet gateway is *objectively* smaller attack
> surface.
> 
> *5MB*

People can use AEC with an air gapped Linux box, as I provided
the binary for it under Releases.

Regards
Stefan

-- 
https://oc2mx.net

[toc] | [prev] | [next] | [standalone]


#1195

FromAnne Frank <bounce.me@n2n.oc2mx.net>
Date2026-06-04 12:25 +0200
Message-ID<354e49d782ad57efb467@n2n.oc2mx.net>
In reply to#1192
Privacy for Windows users costs money *and isn't privacy*. 
Windows 10/11 has built-in telemetry, Defender uploads samples to Microsoft, 
and the OS itself is a black box you can't audit. 

Wrapping a Windows laptop in Faraday fabric stops RF exfiltration, 
but doesn't stop the OS from logging keystrokes to encrypted storage 
that an attacker can dump after physical seizure.

Now, back to the original point: Forward Secrecy

Forward secrecy means: 

even if an attacker gets your long-term key today, they can't decrypt past messages. 
AEC doesn't have this property. 

AEC reuses the same Curve25519 key for all messages stored in `~/.aec/identity`.

There's no technical reason AEC couldn't add ephemeral key rotation for stored messages.

and again

Relying on user discipline for forward secrecy is poor security design.

[toc] | [prev] | [next] | [standalone]


#1194

FromCh1ffr3punk <ch1ffr3punk@gmail.com>
Date2026-06-04 10:18 +0000
Message-ID<10vrjek$3u8fi$1@news.tcpreset.net>
In reply to#1184
Anne Frank wrote:
> 
> Hi all,
> 
> https://github.com/Ch1ffr3punk/AEC
> 

Added GL2AEC (Google Lens to AEC) for Android,
so that people can capture with an Android
smartphone the AEC QR-Codes from an air gapped
PC.

-- 
https://oc2mx.net

[toc] | [prev] | [next] | [standalone]


#1196

FromAnne Frank <bounce.me@n2n.oc2mx.net>
Date2026-06-04 12:58 +0200
Message-ID<f67c74527abfa8346707@n2n.oc2mx.net>
In reply to#1194
Ch1ffr3punk wrote:
> Anne Frank wrote:
>>
>> Hi all,
>>
>> https://github.com/Ch1ffr3punk/AEC
>>
> 
> Added GL2AEC (Google Lens to AEC) for Android,
> so that people can capture with an Android
> smartphone the AEC QR-Codes from an air gapped
> PC.
> 

GL2AEC (Google Lens on Android → Windows air-gap) is the opposite of privacy.

You're running:
  - Google Lens (proprietary blob, sends image data to Google servers for OCR)
  - On Android (Google telemetry, proprietary firmware, unauditable)
  - Capturing QR codes from Windows 10/11 (Defender uploads, telemetry, keylogging to encrypted storage)

This isn't an air-gap. This is *security theater wrapped in Faraday fabric.*

Even if you disable network on the Windows machine:
  - Defender logs are still written to disk (readable after physical seizure)
  - Windows Event Log records every process execution
  - The OS itself is a black box you cannot audit

Even if you airplane-mode the Android phone:
  - Google Play Services runs in the background
  - Camera metadata is logged
  - You're trusting Google's blob stack with your crypto QR codes

**A €135 Android phone in a Faraday bag + Windows laptop ≠ privacy.** It's just expensive non-privacy.

[toc] | [prev] | [next] | [standalone]


#1197

FromCh1ffr3punk <ch1ffr3punk@gmail.com>
Date2026-06-04 11:32 +0000
Message-ID<10vrno4$26rf$1@news.tcpreset.net>
In reply to#1196
Anne Frank wrote:
> Ch1ffr3punk wrote:
> > Anne Frank wrote:
> > > 
> > > Hi all,
> > > 
> > > https://github.com/Ch1ffr3punk/AEC
> > > 
> > 
> > Added GL2AEC (Google Lens to AEC) for Android,
> > so that people can capture with an Android
> > smartphone the AEC QR-Codes from an air gapped
> > PC.
> > 
> 
> GL2AEC (Google Lens on Android → Windows air-gap) is the opposite of privacy.
> 
> You're running:
>   - Google Lens (proprietary blob, sends image data to Google servers for OCR)
>   - On Android (Google telemetry, proprietary firmware, unauditable)
>   - Capturing QR codes from Windows 10/11 (Defender uploads, telemetry, keylogging to encrypted storage)
> 
> This isn't an air-gap. This is *security theater wrapped in Faraday fabric.*
> 
> Even if you disable network on the Windows machine:
>   - Defender logs are still written to disk (readable after physical seizure)
>   - Windows Event Log records every process execution
>   - The OS itself is a black box you cannot audit
> 
> Even if you airplane-mode the Android phone:
>   - Google Play Services runs in the background
>   - Camera metadata is logged
>   - You're trusting Google's blob stack with your crypto QR codes
> 
> **A €135 Android phone in a Faraday bag + Windows laptop ≠ privacy.** It's just expensive non-privacy.

Why Linux users, who are not trustworthy, must always complain?

This rig *is* secure, as one carries it with him, while on the road and
I do not give the slightest f*ck, if Google Lens captures encrypted
content on PlugOS, from an *air gapped* portable mini PC. Linux sucks,
as we all know, period.

-- 
https://oc2mx.net

[toc] | [prev] | [next] | [standalone]


#1199

FromAnne Frank <bounce.me@n2n.oc2mx.net>
Date2026-06-04 13:52 +0200
Message-ID<012049d9f71876577600@n2n.oc2mx.net>
In reply to#1197
Ch1ffr3punk wrote:
> Why Linux users, who are not trustworthy, must always complain?
> 
> This rig*is*  secure, as one carries it with him, while on the road and
> I do not give the slightest f*ck, if Google Lens captures encrypted
> content on PlugOS, from an*air gapped*  portable mini PC. Linux sucks,
> as we all know, period.

"Linux users not trustworthy" is an interesting way to avoid answering a technical question for the third time.

You've now admitted Google Lens captures your encrypted QR codes. 
That's a metadata leak: Google knows *when* you communicate, *how often*, and can correlate that with other Android telemetry.

Forward secrecy would protect you even if:
  - Border agents seize your device and extract ~/.aec/identity
  - Supply chain attack compromises the mini PC before you bought it

Signal has forward secrecy. Pond had forward secrecy. OTR has had it since 2004. AEC does not. 
That's a design choice, not a technical limitation.

If "I don't give a fuck about Google metadata" and "Linux sucks" is your security posture, we're optimizing for different adversaries. 

Good luck on the road.

[toc] | [prev] | [next] | [standalone]


#1200

FromCh1ffr3punk <ch1ffr3punk@gmail.com>
Date2026-06-04 12:06 +0000
Message-ID<10vrpoq$26rf$3@news.tcpreset.net>
In reply to#1199
Anne Frank wrote:
> Ch1ffr3punk wrote:
> > Why Linux users, who are not trustworthy, must always complain?
> > 
> > This rig*is*  secure, as one carries it with him, while on the road and
> > I do not give the slightest f*ck, if Google Lens captures encrypted
> > content on PlugOS, from an*air gapped*  portable mini PC. Linux sucks,
> > as we all know, period.
> 
> "Linux users not trustworthy" is an interesting way to avoid answering a technical question for the third time.

I must admit I do not like the majority of OpenPGP Linux users as they
have proven publicity in the past on GnuPG ML etc., that they are stubborn
and think their hobby OS has more privacy value, when used online.

I always try to be polite and like to answer questions, and regarding forward
secrecy in Signal etc., why would you need that when Pegasus/FinSpy captures
your Signal communications from a central server in the US? AEC is a much much
better solution than Crypto Messenger solutions you all use and you know that.

Same complaining as before when I invented the Onion Courier Mixnet...

-- 
https://oc2mx.net

[toc] | [prev] | [next] | [standalone]


#1198

FromCh1ffr3punk <ch1ffr3punk@gmail.com>
Date2026-06-04 11:51 +0000
Message-ID<10vroru$26rf$2@news.tcpreset.net>
In reply to#1196
Anne Frank wrote:
 
> **A €135 Android phone in a Faraday bag + Windows laptop ≠ privacy.** It's just expensive non-privacy.

What you Linux nerds who are using outdaded OpenPGP fail to understand
is that my invention is easy to use for non-tech, elderly people and
can now been used *securely* with a portable *air gapped* mini PC (with
Faraday fabric) and a cheap Android smartphone *on* social media too,
like X etc. where third parties, like NSO from Israel, FinSpy from Germany
or the NSA can not get hold of the encryption process, unless they visit
each user. This is *public* key Cryptography par excellence!!!

-- 
https://oc2mx.net

[toc] | [prev] | [next] | [standalone]


#1201

FromAnne Frank <bounce.me@n2n.oc2mx.net>
Date2026-06-04 14:08 +0200
Message-ID<c64e826ff04446ab85c3@n2n.oc2mx.net>
In reply to#1198
You've demonstrated that you're not interested in technical discussion. 
You want validation, not critique.

Enjoy your google account with flowcrypt.

[toc] | [prev] | [next] | [standalone]


#1202

FromCh1ffr3punk <ch1ffr3punk@gmail.com>
Date2026-06-04 12:12 +0000
Message-ID<10vrq44$26rf$4@news.tcpreset.net>
In reply to#1201
Anne Frank wrote:
> 
> You've demonstrated that you're not interested in technical discussion. 
> You want validation, not critique.

I am always open to constructive critism and listening to suggestions.

AEC uses NaClbox which is very good for public key Cryptography.
> 
> Enjoy your google account with flowcrypt.

I enjoy Google very much, because Cypherpunks from the '90s are
engineers at Google too... I no longe use FlowCrypt, it was more
a test with OpenPG, which I do not like and do not recommend.

-- 
https://oc2mx.net

[toc] | [prev] | [next] | [standalone]


#1203

FromAnne Frank <bounce.me@n2n.oc2mx.net>
Date2026-06-04 15:10 +0200
Message-ID<96c977ad5cf8ef2c810c@n2n.oc2mx.net>
In reply to#1202
<10mta0t$2oe8o$1@news.tcpreset.net>

> I am always open to constructive criticism

I've raised the forward secrecy issue five times. 
You've acknowledged NaCl box is good crypto, but haven't addressed the lack of ephemeral key rotation.

If forward secrecy isn't in scope for AEC's design, that's a valid choice. 

Just be clear with users: 
AEC protects against network surveillance, but not retrospective decryption after key compromise.
 
**I've asked this question six times. You've deflected to:**

  1. "Linux users are untrustworthy"
  2. "Cypherpunks work at Google"
  3. "OpenPGP UX is bad"

**None of these answer the question: Does AEC have forward secrecy? If not, why not?**

> Cypherpunks from the '90s are engineers at Google too...

Google was founded in 1998. 
The Cypherpunk Mailing List started in 1992. 
No cypherpunk from the '90s founded Google or worked there in the early days.

**Real cypherpunks from the '90s and where they are now:**
  - Phil Zimmermann (PGP) → Silent Circle (encrypted communications)
  - Adam Back (Hashcash) → Blockstream (Bitcoin core developer)
  - Hal Finney (remailer, PGP) → Bitcoin early adopter, died 2014
  - John Gilmore (EFF co-founder) → Privacy activism, never corporate
  - Julian Assange (contributor) → WikiLeaks (enemy of Google/US gov)
  - Jacob Appelbaum (Tor) → Exiled from US, persecuted for privacy work


I'm done with this thread. 

Good luck with AEC development.

[toc] | [prev] | [next] | [standalone]


#1204

FromAnne Frank <bounce.me@n2n.oc2mx.net>
Date2026-06-04 18:11 +0200
Message-ID<697f85edf504322ab75a@n2n.oc2mx.net>
In reply to#1203
Anne Frank wrote:

> **Real cypherpunks from the '90s and where they are now:**
>   - Phil Zimmermann (PGP) → Silent Circle (encrypted communications)
>   - Adam Back (Hashcash) → Blockstream (Bitcoin core developer)
>   - Hal Finney (remailer, PGP) → Bitcoin early adopter, died 2014
>   - John Gilmore (EFF co-founder) → Privacy activism, never corporate
>   - Julian Assange (contributor) → WikiLeaks (enemy of Google/US gov)
>   - Jacob Appelbaum (Tor) → Exiled from US, persecuted for privacy work

It seems you haven't used Usenet back in the `90s, otherwise you should have known Raph Levien.

http://www.levien.com/
<https://mailing-list-archive.cryptoanarchy.wiki/authors/raph_levien_raph_at_cs_berkeley_edu_/>

[toc] | [prev] | [next] | [standalone]


Page 1 of 2  [1] 2  Next page →

Back to top | Article view | alt.cypherpunks


csiph-web