i've had a local SSL CA for my own porpoises for years, and this site did in fact provide https access with those non-globally-trusted certificates for a while now.

i haven't advertised this at all because subjecting every one of my few visitors to a 'warning - untrusted ca, dangerous connection, it's for the security!!!!' kind of crap experience is not my aim.

in the meantime let's encrypt has appeared on the scene, and it works sortakinda well - about as well as can be expected with the utterly untrustworthy 'trust' design that is X.509.
click here for the rest of the story...

[ published on Sun 04.03.2018 13:52 | filed in interests/crypto | ]

this is not quite the cipherpunk's creed...because there is no such jingoist thing. but still:

"this is my pgp key. there are many like it, but this one is mine. my key is my best friend. without me, my key is useless."

...except that there are assholes out there who spend time on engineering pgp short-id collisions.

so, this is my key, as is this really ancient one and also this work key (ignoring some revoked and expired old keys). my set of keys is of course also available on this very website.

but if you search the keyservers for keys with my email address or by short key id, then you'll find some very clashing crap that does not belong to me at all:

$ gpg --batch --search-keys --keyid-format short B963BD5F
4096 bit RSA key B963BD5F, created: 2014-06-16, expires: 2016-11-02 (revoked) (expired)
4096 bit RSA key B963BD5F, created: 2013-11-03, expires: 2019-07-02

$ gpg --batch --search-keys --keyid-format short 5B586291
1024 bit RSA key 5B586291, created: 2014-06-16 (revoked)
1024 bit RSA key 5B586291, created: 1996-08-03

$ gpg --batch --search-keys --keyid-format short 42BD645D
1024 bit DSA key 42BD645D, created: 1999-06-06, expires: 2015-09-11 (expired)
1024 bit RSA key 42BD645D, created: 2014-06-16, expires: 2015-09-10 (revoked) (expired)

in all three cases the key created on (or with the clock set to) 2014-06-16 is not mine, despite the short form of the key id matching mine. the long ids are different, just as expected.

morale: short key ids are passé, use the long ones and only the long ones.

morale 2: there's always some asshole somewhere who tries to wreck things just to wreck things.

[ published on Sat 05.11.2016 12:34 | filed in interests/crypto | ]

at work i have to use an outbound mail server that requires smtp auth. that's fine, except postfix expects that you save the password in a file for sasl. my paranoia level disagrees with passwords ending up on disk unencrypted, so i decided to improve matters by convincing postfix to use the kernel keystore for accessing passwords.
click here for the rest of the story...

[ published on Sat 12.09.2015 16:31 | filed in interests/crypto | ]

I use strong crypto wherever I can, and naturally for email also. All email I send is either PGP signed or signed and encrypted with one of my keys.

If you receive email from any of my addresses without signature you should doubt its authenticity!
click here for the rest of the story...

[ published on Sun 09.03.2014 02:44 | filed in interests/crypto | ]

The Linux in-kernel secret store (aka "key retention service") is a cool thing and not just useful to the AFS and Kerberos implementers. Actually, it works perfectly well as a general-purpose passphrase store, but the userland tools are somewhat idiosyncratic. Here are some extra bits and tricks that I use to make this more convenient.
click here for the rest of the story...

[ published on Sun 24.08.2008 18:17 | filed in interests/crypto | ]

Some time ago I wrote up my experiences with running gpg remotely. This post documents the most recent changes I've made to my setup, which finally make my gpg (and ssh) keys fully mobile and 'migratory'.

Like before I use the kernel key storage system to cache passphrases (and that won't change until I switch to gnupg2 with the agent). But now my keys are all stored on a usb stick, in an encrypted filesystem.

When I login the first time any day, I load the keys from the encrypted storage into a RAM disk. (A simple symlink in ~/.gnupg is sufficient to convince gnupg to find the secret ring.) When I leave for/from work I nuke the RAM disk - that way the keys are always only present where I physically am.

The big new change from the previous setup is that now I use sshfs when I need to use gpg for anything on a remote box: I ssh into the target box with a remote port forwarded back to a listening instance of sftp-server on the local box (which has the keys in RAM). With agent forwarding on, the sshfs connection doesn't require entering passwords, and the mount point is of course set to be the same as the RAM disk location for locally loaded keys, so to gpg it's totally transparent. (I'd never do any of this if not all machines in question were under my exclusive full control.)

sshfs is no speed daemon, but then the secret ring file isn't large. sshfs with -o directport on the forwarded port reuses the existing outbound ssh connection, so one single outbound ssh connection does it all - and another benefit of that setup is that the keys vanish from the remote machine as soon as the outbound ssh connection is shut down.

The one simple shell script doing all this setup is less than 60 lines long: simple, neat, sufficient.

[ published on Wed 13.07.2011 21:26 | filed in interests/crypto | ]

(that's the Gold Coast in QLD.au, not the region in Africa.)

The next Gold Coast Barcamp will be held at Bond on the 2.4.2011, and I will run a small keysigning session. If privacy and strong crypto interest you and you're in the region, have a look at the overview page here.

[ published on Tue 22.03.2011 19:40 | filed in interests/crypto | ]

This human universe is a mess, what with the authoritarian assholes always lusting after (& usually getting) control, and I for one am quite sick of it.

Therefore Tor appeals to me, a lot: no logs. decent crypto. grass-roots. hard to subvert completely. Good.

So in an attack of unwarranted altruism I'm doing my tiny bit to improve this bloody place. (mind you, with limited bandwidth and not as an exit router just yet, cause I want to monitor that experiment a bit longer before I extend the service)

Update (Sun 08.08.2010 15:46):

Just like owl - who knows how to spell its name: "wol" - wol.snafu.priv.at doesn't know much. More specifically it knows nothing about whom it is relaying Tor traffic for. Since today, wol also serves as an exit relay for a small number of well-known services.

[ published on Thu 21.01.2010 14:33 | filed in interests/crypto | ]

I'm quite paranoid and absolutely want my privacy. Hence I use encryption pretty much everywhere: disks, backups, email etc. On the other hand I'm a sysadmin and as such lazy: I want things efficient and elegant. This post is a quick rundown on how (& how far) I personally manage to combine those somewhat incompatible goals on a technical level.
click here for the rest of the story...

[ published on Wed 08.04.2009 15:52 | filed in interests/crypto | ]

From cryptome:

A federal judge in Vermont has ruled that prosecutors can't force a criminal defendant accused of having illegal images on his hard drive to divulge his PGP (Pretty Good Privacy) passphrase. U.S. Magistrate Judge Jerome Niedermeier ruled that a man charged with transporting child pornography on his laptop across the Canadian border has a Fifth Amendment right not to turn over the passphrase to prosecutors. The Fifth Amendment protects the right to avoid self-incrimination.
[ published on Mon 17.12.2007 10:51 | filed in interests/crypto | ]

As of 28.5., I'm the 3547th most paranoid geek on the planet.

One of the fringe benefits of the recent trip to Austria was that Werner Koch gave a keynote speech at the conference I was attending to, we had a chat and exchanged signatures (surprise, surprise; opportunities like that...). That has catapulted my paranoia ranking up a fair bit (from about 23500th place).

The newest analyses: by Henk Penning or Jason Harris

No comprendo? It's all about a type of modern voodoo, oddly-clothed weirdos sitting around in pubs mumbling numeric incantations to each other and the result of this worship of mathematical concepts. In short, not something normal people get excited about... but we're not normal and proud of it! grin

[ published on Thu 01.06.2006 15:38 | filed in interests/crypto | ]

These guys have no clue, and I hope Phil Zimmermann is not involved anymore.
click here for the rest of the story...

[ published on Mon 13.03.2006 13:25 | filed in interests/crypto | ]

These guys run an anonymous blog publishing service fed via MixMaster remailers.

[ published on Sun 08.02.2004 14:27 | filed in interests/crypto | ]

...but I like my privacy very much and am concerned about security, privacy and free speech issues. And I am not paranoid, noooo <shaking head vigorously>...
click here for the rest of the story...

[ published on Mon 12.01.2004 00:55 | filed in interests/crypto | ]

Debian Silver Server
© Alexander Zangerl