I use strong crypto wherever I can, and naturally for email also.
All email I send is either PGP signed or signed and encrypted with
one of my keys.
If you receive email from any of my addresses without a signature you
should doubt its authenticity!
[ published on Sun 09.03.2014 02:44 | filed in interests/crypto ]
i've had a local SSL CA for my own porpoises for years, and this site
did in fact provide https access with those non-globally-trusted
certificates for a while now.
i haven't advertised this at all because subjecting every one of my
few visitors to a 'warning - untrusted ca, dangerous connection, it's
for the security!!!!' kind of crap experience is not my aim.
in the meantime let's encrypt has appeared
on the scene, and it works sortakinda well - about as well as can be
expected with the utterly untrustworthy 'trust' design that is X.509.
[ published on Sun 04.03.2018 13:52 | filed in interests/crypto ]
this is not quite the cipherpunk's creed...because there is
no such jingoist thing. but still:
"this is my pgp key. there are many like it, but this one is mine.
my key is my best friend. without me, my key is useless."
...except that there are assholes out there who spend time on
engineering pgp short-id collisions.
so, this is my key, as is this really ancient one and also this work key (ignoring some revoked
and expired old keys). my set of keys is of course also available
on this very website.
but if you search the keyservers for keys with my email address or
by short key id, then you'll find some very clashing crap that does
not belong to me at all:
$ gpg --batch --search-keys --keyid-format short B963BD5F
...
4096 bit RSA key B963BD5F, created: 2014-06-16, expires: 2016-11-02 (revoked) (expired)
...
4096 bit RSA key B963BD5F, created: 2013-11-03, expires: 2019-07-02
$ gpg --batch --search-keys --keyid-format short 5B586291
...
1024 bit RSA key 5B586291, created: 2014-06-16 (revoked)
...
1024 bit RSA key 5B586291, created: 1996-08-03
$ gpg --batch --search-keys --keyid-format short 42BD645D
...
1024 bit DSA key 42BD645D, created: 1999-06-06, expires: 2015-09-11 (expired)
1024 bit RSA key 42BD645D, created: 2014-06-16, expires: 2015-09-10 (revoked) (expired)
in all three cases the key created on (or with the clock set to) 2014-06-16
is not mine, despite the short form of the key id matching mine. the
long ids are different, just as expected.
moral: short key ids are passé, use the long ones and only the long ones.
moral 2: there's always some asshole somewhere who tries to wreck things
just to wreck things.
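An added example, not part of the original post: a check over `gpg --with-colons --fingerprint` style output that flags primary keys sharing a short id and selects a key only by its full fingerprint. The listing and all fingerprints are constructed (only the short id B963BD5F is taken from the post), and the code assumes v4 keys, where the long and short ids are the last 16 and 8 hex digits of the fingerprint.

```python
from collections import defaultdict

# Constructed 40-hex-digit v4 fingerprints (not real keys); two of them share
# the short id B963BD5F from the post, while their long ids differ.
FPR_MINE = "A1" * 12 + "0F0F0F0F" + "B963BD5F"
FPR_CLASH = "B2" * 12 + "E0E0E0E0" + "B963BD5F"
FPR_OTHER = "C3" * 12 + "12345678" + "90ABCDEF"
FPR_SUB = "D4" * 20  # subkey fingerprint, must be ignored

# Constructed listing in the shape of `gpg --with-colons --fingerprint` output.
SAMPLE = "\n".join([
    f"pub:-:4096:1:{FPR_MINE[-16:]}:1383436800:::-:::scESC:",
    f"fpr:::::::::{FPR_MINE}:",
    "uid:-::::1383436800::::Example User <user@example.org>:",
    f"sub:-:4096:1:{FPR_SUB[-16:]}:1383436800::::::e:",
    f"fpr:::::::::{FPR_SUB}:",
    f"pub:r:4096:1:{FPR_CLASH[-16:]}:1402876800:::-:::sc:",
    f"fpr:::::::::{FPR_CLASH}:",
    f"pub:-:2048:1:{FPR_OTHER[-16:]}:1402876800:::-:::scESC:",
    f"fpr:::::::::{FPR_OTHER}:",
])

def primary_fingerprints(listing):
    """Fingerprints of primary keys: the fpr record following each pub record."""
    fprs, want = [], False
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            want = fields[0] == "pub"      # skip fpr records of subkeys
        elif fields[0] == "fpr" and want:
            fprs.append(fields[9].upper())  # field 10 holds the fingerprint
            want = False
    return fprs

def short_id_clashes(fprs):
    """Map short id -> fingerprints, for short ids claimed by more than one key."""
    groups = defaultdict(set)
    for fpr in fprs:
        groups[fpr[-8:]].add(fpr)
    return {sid: sorted(g) for sid, g in groups.items() if len(g) > 1}

def select_pinned(fprs, pinned):
    """Accept a key only if its full fingerprint equals the pinned one."""
    wanted = pinned.replace(" ", "").upper()
    return [fpr for fpr in fprs if fpr == wanted]

if __name__ == "__main__":
    keys = primary_fingerprints(SAMPLE)
    print(short_id_clashes(keys))
    print(select_pinned(keys, FPR_MINE))
```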
[ published on Sat 05.11.2016 12:34 | filed in interests/crypto ]
at work i have to use an outbound mail server that requires smtp auth.
that's fine, except postfix expects that you save the password
in a file for sasl.
my paranoia level disagrees with passwords ending up on disk unencrypted, so
i decided to improve matters by convincing postfix to use the kernel keystore
for accessing passwords.
[ published on Sat 12.09.2015 16:31 | filed in interests/crypto ]
The Linux in-kernel secret store (aka "key retention service") is a cool
thing and not just useful to the AFS and Kerberos implementers. Actually,
it works perfectly well as a general-purpose passphrase store, but
the userland tools are somewhat idiosyncratic. Here are some extra
bits and tricks that I use to make this more convenient.
[ published on Sun 24.08.2008 18:17 | filed in interests/crypto ]
Some time ago I wrote up my experiences with running gpg remotely.
This post documents the most recent changes I've made to my setup, which
finally make my gpg (and ssh) keys fully mobile and 'migratory'.
Like before I use the kernel key storage system to cache passphrases
(and that won't change until I switch to gnupg2 with the agent). But now
my keys are all stored on a usb stick, in an encrypted filesystem.
When I login the first time any day, I load the keys from the encrypted
storage into a RAM disk. (A simple symlink in ~/.gnupg is sufficient to
convince gnupg to find the secret ring.) When I leave for/from work I
nuke the RAM disk - that way the keys are always only present
where I physically am.
The big new change from the previous setup is that now I
use sshfs when I need to
use gpg for anything on a remote box: I ssh into the target box
with a remote port forwarded back to a listening instance of sftp-server
on the local box (which has the keys in RAM). With agent forwarding on, the
sshfs connection doesn't require entering passwords, and the mount point is of
course set to be the same as the RAM disk location for locally loaded keys,
so to gpg it's totally transparent. (I'd never do any of this if the
machines in question were not all under my exclusive full control.)
sshfs is no speed daemon, but then the secret ring file isn't large.
sshfs with -o directport on the forwarded port reuses the existing outbound
ssh connection, so one single outbound ssh connection does it all - and
another benefit of that setup is that the keys vanish from the remote
machine as soon as the outbound ssh connection is shut down.
The one simple shell script doing all this setup is less than 60 lines long:
simple, neat, sufficient.
[ published on Wed 13.07.2011 21:26 | filed in interests/crypto ]
(that's the Gold Coast in QLD.au, not the region in Africa.)
The next Gold Coast Barcamp
will be held at Bond on the 2.4.2011, and I will run a small keysigning
session. If privacy and strong crypto interest you and you're in the region,
have a look at
the overview page here.
[ published on Tue 22.03.2011 19:40 | filed in interests/crypto ]
This human universe is a mess, what with the authoritarian assholes
always lusting after (& usually getting) control, and I for one
am quite sick of it.
Therefore Tor appeals to me, a lot: no
logs. decent crypto. grass-roots. hard to subvert completely. Good.
So in an attack of unwarranted altruism
I'm doing my tiny
bit to improve this bloody place. (mind you, with limited bandwidth and not
as an exit router just yet, cause I want to monitor that experiment a bit
longer before I extend the service)
Update (Sun 08.08.2010 15:46):
Just like owl - who knows how to spell its name: "wol" -
wol.snafu.priv.at doesn't know much. More specifically it knows nothing
about whom it is relaying Tor traffic
for.
Since today, wol also serves as an exit relay for a small number of well-known services.
[ published on Thu 21.01.2010 14:33 | filed in interests/crypto ]
I'm quite paranoid and absolutely want my privacy. Hence I
use encryption pretty much everywhere: disks, backups, email etc.
On the other hand I'm a sysadmin and as such lazy: I want things efficient
and elegant. This post is a quick rundown on how (& how far)
I personally manage to combine those somewhat incompatible goals on
a technical level.
[ published on Wed 08.04.2009 15:52 | filed in interests/crypto ]
From cryptome:
A federal judge in Vermont has ruled that prosecutors can't force a
criminal defendant accused of having illegal images on his hard drive
to divulge his PGP (Pretty Good Privacy) passphrase.
U.S. Magistrate Judge Jerome Niedermeier ruled that a man charged with
transporting child pornography on his laptop across the Canadian
border has a Fifth Amendment right not to turn over the
passphrase to prosecutors. The Fifth Amendment protects the right
to avoid self-incrimination.
[ published on Mon 17.12.2007 10:51 | filed in interests/crypto ]
As of 28.5., I'm the 3547th most paranoid geek on the planet.
One of the fringe benefits of the recent trip to Austria was
that Werner Koch gave a keynote speech
at the conference I was attending, we had a chat and exchanged signatures
(surprise, surprise; opportunities like that...). That has catapulted my
paranoia ranking up a fair bit (from about 23500th place).
The newest analyses: by Henk Penning or Jason Harris
No comprendo? It's all about a type of modern voodoo, oddly-clothed weirdos sitting
around in pubs mumbling numeric incantations to each other and the result of this worship of
mathematical concepts. In short, not something normal people get excited about... but we're
not normal and proud of it! grin
[ published on Thu 01.06.2006 15:38 | filed in interests/crypto ]
These guys have no clue, and
I hope Phil Zimmermann is not involved anymore.
[ published on Mon 13.03.2006 13:25 | filed in interests/crypto ]
These guys run an anonymous blog
publishing service fed via
MixMaster remailers.
[ published on Sun 08.02.2004 14:27 | filed in interests/crypto ]
...but I like my privacy very much and am concerned about security, privacy
and free speech issues. And I am not paranoid, noooo
<shaking head vigorously>...
[ published on Mon 12.01.2004 00:55 | filed in interests/crypto ]