Domain: cryptnet.net
Stories and comments across the archive that link to cryptnet.net.
Comments · 20
-
Re:It's 2009
I'll let you make up your own mind:
- Kohei's story
- Sun rebuttal by Mathias Bauer.
Sun has a history of not playing nicely with other projects, however. A real culture of "not invented here", or just plain arrogance. Makes me wonder what's going to happen to MySQL.
-
What about all of the burned bridges?
It seems Sun is doing everything in its power to alienate a developer community.
-Wouldn't let the opensolaris board call the project opensolaris. Probably a legal quagmire of their own creation. The consequences of that lead to this resignation. http://mail.opensolaris.org/pipermail/ogb-discuss/2008-February/004488.html
-There's this gem, most of which I don't pretend to understand. The punchline is on the bottom. http://cryptnet.net/mirrors/texts/kissedagirl.html
-There's this gem, where even Ian Murdock links in suggesting the difficulty is happening above his level. http://ianskerrett.wordpress.com/2008/02/22/a-solution-for-suns-os-community-problems/#comment-17418 -
Psiphon looks good...
...and here are some more softwares and guides related to privacy, pseudo/ano-nymity and security:
tor.eff.orgonion routing anonymizer
www.i2p.netsecure/anonymous interactive network
freenetproject.orgsecure/anonymous distributed file system
www.turtle4privacy.orgf2f peer network
gnunet.orgsecure p2p infrastructure
www.cspace.insecure p2p infrastructure
www.openswan.orgVPN with opportunistic encryption
silcnet.orgsecure internet live chat
ihu.sourceforge.netp2p VoIP with crypto
wiki.noreply.orgHow to give anonymous talks
azureus.sourceforge.netazureus over p2p
cryptnet.netguerrilla software development how to -
Guerilla software development
http://cryptnet.net/fdp/crypto/guerrilla-devl.htm
l
Stop being censored, develop anonymously! ;-) -
Time to donate to the EFF.
I recommend people rant about this bill for a bit to blow off steam, then go to www.eff.org and donate. A donation to the EFF to help protect our rights will go a long way in this battle.
If you don't want this to be the law of the land, don't just rant about the evils of the Powers That Be, but take action. Get out there and take steps. Donate to the EFF. When the EFF has a form letter to send to your senator or rep, use it, if you are a US citizen. If you are not a US citizen, and know people who are, urge them to donate and write their reps and senators.
After donating to the EFF, tell people about this bill, and why its bad. Make your arguments lucid, and by all means avoid ranting. These days if you even appear to be fanatical about something, most people will go into "smile and nod" mode, and all your effort will be for zero if not counterproductive, as people will think you are just "another one of dem dam pirates stealing software." If possible, refer people to eff.org, or a website viewed as reliable. Cnet.com.com.com.yadda has its quirks, but they do put out some very fair articles, so link to them.
I am digressing from the article by recommending privacy tools, but this is important nontheless.
Take steps to guard your privacy. Get PGP or gnupg. Learn it, and then perhaps have a keysigning gathering or two. Good steps to host one can be found here. (http://www.cryptnet.net/fdp/crypto/gpg-party.html )
If you don't like PGP, get a S/MIME key from Verisign. They have 60 day "demo" keys for free, and all they really require is your E-mail address. The link for a personal E-mail certificate is buried somewhere on their web page, but it should be present.
Consider moving your main E-mail to hushmail, cyber-rights.net, or a secure email provider. Also, consider using a privacy service offered by a provider. Some good examples of privacy providers are SecurStar (www.securstar.com), FindNot (www.findnot.com), and the one I use and highly recommend, cotse.net (www.cotse.net).
Disclaimer: I don't work for any companies listed above. I also posted in plain text, so URLs will need to be copied and pasted. -
Re:Hate to say 'I told you so', but...Get GPG, GNU Privacy Guard installed and set up on your system; and it runs on about everything.
Then you generate a key pair one key is public and people who want to send you encrypted files or emails get it either from you or a keyserver (I think) and a private key that decrypt what the others have sent you and actually use it. If you need to know that the identity is really who you think they might be, then you need to set up a key signing party where you will;
as outlined at cryptnet.net. I've thought about telling people who send me email that my email filter thinks everything that's plain text is spam and to resend just to get to critical mass.
1. Generate A Key Pair (already done)
2. Send Public Key To Designated Keyserver (or Coordinator)
3. Send Public Key Info To Coordinator
4. Show Up At The Party
5. Verify Your Key Info
6. Verify Everyone Else's Key Info
7. Verify Everyone Identify for IDs You Will Sign
8. Sign All The Verified IDs On The Verified Keys
9. Send The Signed Keys Back Up To The Designated Keyserver (or to the key owner) -
You are ignoring the most important aspect...
...of public keys: that the public keys have been signed by numerous third parties (signing parties, trusted individuals, etc.) or handed over in person from the owner of the public key.
Afaik (IANACE) the above totally removes the possibility of the specific man in the middle attack you described and is basic knowledge about using for example GPG or PGP public key encryption: http://www.cryptnet.net/fdp/crypto/gpg-party.html# ss1.2
Nothing personal but it's pretty sad to see your claim modded up -- it shouldn't be hard to realize who did so (people without knowledge) and why (it made the puzzle of their worldview go "click!" and suddenly all the delusions made more sense to them). -
Re:Commercial programs
Amen to that.
Where is the Open Source anti-adware, anti-spyware stuff? I don't see a spyware removal tool for Linux. Oh ..... there wouldn't need to be one, would there? We could just comment out the spyware-ish bits before compiling, and distribute the resulting patchfile. On Gentoo, that would probably be part of the ebuild scripts. OK then, what about Open Source spyware removal for Windows?
But the point is that all the Open Source software available for Windows is there by accident. It wasn't written for Windows, it just was ported to Windows from some unix variant. Nobody writes GPL software with Windows in mind -- it's just that some Windows user manages, with more or less effort, to persuade it to compile, and is obliged by the licence to make the source available. {If anybody persuaded BSD-licenced code to compile under Windows, they probably would keep it closed-source -- and maybe even disable some options in an effort to extort money out of users}.
My computer is my property, and I have the right to determine what software runs on it. Installing software without my explicit consent is at least trespass {which is a civil offence and grounds to sue} and may constitute criminal damage {which is a crime, so dial 999 and let the police deal with it}. These things were already offences long before computer-specific legislation was passed. The use of confusing language to persuade someone to install software may additionally constitute Burglary Artifice. If it's a Crown Court, then the odds are in your favour -- out of a jury of 12 people, how likely do you think it is that none or only one have experienced PC trouble due to spyware?
You know, I often wonder what would life have been like if, way back in early 1976, some members of the Homebrew Computer Club had dragged Bill Gates {the author of that letter} into the gents' and given him a bloody good hiding. That has to be my second choice for an "if I could alter the course of history" fantasy. -
Parent's broken; Additional info and links!
See my other post with links on how to setup TLS for your mail server, more info on building the web-of-trust, and GPG downloads for your windows friends.
http://yro.slashdot.org/comments.pl?sid=132181&cid =11046941
Also note that the ======== http://link ======== at the end of the parent post has been mangled by Slashdot Submissions Co. and should be fixed before forwarding it on to your friends, or posting anywhere. Broken links have never impressed anybody.
WTF - Here are some links from the link above again. Sorry about the bandwidth wastage but I think it's worth people seeing as practices contained within are sure to benefit us all (in Utopia - yay!)
[--snip-- (abridged) ]
WinPT :: Windows Privacy Tray [sf.net] is a good place to direct your friends still using windows.
I think a resource for mail administrators on how to add TLS capabilities to their SMTP handlers could be healthy for the net as well. On there would be step by steps on how to TLS-enable sendmail, postfix, qmail, proprietary-this, and proprietary-gateway-that. :: Sendmail :: Exim :: Qmail
If you're running Postfix you've got little excuse to not be running TLS.
http://article.gmane.org/gmane.comp.encryption.gen eral/979
My SMTP traffic is opportunisticly TransportLayerSecure. Is yours?
Get a free server certificate from cacert.org If you haven't already you should add their Root Certificate to the list your browser accepts. They will also remotely sign your PGP/GPG keys and issue free S/MIME certificates as well. Very cool, totally free, and a distributed trust model rather than a top-down, it'll-cost-you-$199.00-for-an-SSL-cert model.
For more keysigning fun DO NOT MISS http://biglumber.com/! Find people nearby and extend your web-o-trust.
Host a keysigning party at] your next LUG [debian.org] meeting .
You can get a email-address-verified signature at http://www.imperialviolet.org/keyverify.html
Learn about using subkeys .
- - - - - - GPG keys -- The new web. - - - - - - -
[--snip-- (abridged) ] -
...future for PGP? YES! Here's Resources!?!?
Does anybody know of a good clearinghouse with information on plugins for a variety of mailers I could send my dad, high school friends, or grandmother to?
Anybody know of a list out there that collects information on how to secure your email, what's it's all about, and general key maintainence issues (for "the everyday net user")?
WinPT :: Windows Privacy Tray is a good place to direct your friends still using windows.
I'd like to be able to say to a friend: "Here's my key. Go to keepitprivate.com and find a plugin for the email software you use. Then next time you send me some email, just be sure to put it in an "envelope" (it just takes one extra click or can be set to happen automatically). You don't even need to lick a stamp! I value your privacy as much as I hope you value mine!"
I think a resource for mail administrators on how to add TLS capabilities to their SMTP handlers could be healthy for the net as well. On there would be step by steps on how to TLS-enable sendmail, postfix, qmail, proprietary-this, and proprietary-gateway-that. My SMTP traffic is opportunisticly TransportLayerSecure. Is yours?
Red Hat :: Sendmail
:: Exim
:: Qmail
If you're running Postfix you've got little excuse to not be running TLS.
http://article.gmane.org/gmane.comp.encryption.gen eral/979
Get a free server certificate from cacert.org If you haven't already you should add their Root Certificate to the list your browser accepts. They will also remotely sign your PGP/GPG keys and issue free S/MIME certificates as well. Very cool, totally free, and a distributed trust model rather than a top-down, it'll-cost-you-$199.00-for-an-SSL-cert model.
For more keysigning fun DO NOT MISS http://biglumber.com/! Find people nearby and extend your web-o-trust.
Host a keysigning party at your next LUG meeting.
You can get a email-address-verified signature at http://www.imperialviolet.org/keyverify.html
Learn about using subkeys.
- - - - - - GPG keys -- The new web. - - - - - - - -
Re:Can a central repository bring security?
A central repository of public keys can bring problems, for example, if the central repository is located in USA and the FBI want to do a man-in-the-middle attack? How can you be assured that the public key from the guy you want to send a encrypted message is realy the correct public key?
That's not how PGP works. Just because a key comes from a particular keyserver doesn't mean that it is the right one. A keyserver just provides a convenient place to stick keys. The web of trust (which is local to your machine) tells you if a particular key is to be trusted or not.
This new keyserver doesn't change that. It just provides a convenient way to weed out clearly invalid keys so you don't have to bother with them. It's also opt-in: if you don't like that feature, use one of the many other keyservers out there located across the world. -
Organize a local key-signing party!
I agree that would be ideal, but it's easier said than done. I've got no other signatures on my GPG key now. I want to get some, but I don't know anyone else around here who does that sort of thing. How would I go about getting some? I know they have key signing parties at conventions and such, but I'm a college student, which means I have no money or time to attend such things.
People take advantage of conventions to organize key-signing parties because diverse groups of people from many geographic locales end up at conventions, and having people sign each other's keys strengthens the PGP "web of trust". However, you don't need geographic diversity for this to be useful.
Organize a local key-signing party. Surely there are many other computer geeks at your college interested in using PGP/GPG. Start getting the geeks together and sign each other's keys. If you can, try to get someone to join the party who is already connected to the worldwide web of trust that most well-known PGP keys are part of. If you can't get anyone well-connected to your key-signing party, don't worry! Creating a local web of trust at your college is a good start, and all it takes is one person who signed your key to get a signature from a well-connected key to get you well-connected yourself. And that can happen after the fact.
The PGP web of trust is a beautiful thing. You start out by creating little webs of trust amongst people you know. Over time, the little webs get linked together into larger webs, eventually getting linked into a global web of trust. Even if you don't know anyone in the global web of trust now, remember the "six degrees of separation" thing. If your friend signs your key, and his friend signs his key, and so on, sooner or later a signature is bound to create a path from the global web of trust to you, and bang! Now you're part of the global web of trust too, and can help link other people into it. Actually, it's better than that, because nobody needs to be your friend to sign your key -- just anyone who can verify your identity, whether friend, enemy or complete stranger.
When you create your local web of trust from scratch, take it seriously and do it right. Remember, you sign someone's key to indicate that you've verified their identity and that it's truly their key -- it's not an endorsement of the person in any way. If you despise the person and everything they stand for, but you're certain they are who they say they are and that the key you're asked to sign is their key and not another, then go ahead and sign the key. If you admire and respect a person who asks you to sign a key, but you can't be 100% certain of the person's identity and the true ownership of the key, don't sign it.
Key signatures aren't a popularity contest, it's all about verifying identity, nothing more. Don't sign a key just because someone you know appeared to email it to you; that email could be forged. Verify the key with that person through real-world mechanisms first, to make sure you aren't duped into signing the wrong key. This is where key-signing parties are helpful -- people can gather in a room, look at ID cards (e.g. driver's licenses), get a verified key fingerprint from the person, and sign the key, fairly confident that the identity they're signing is correct -- even if the key belongs to a complete stranger.
By the way, next time you complain that you can't get anyone to sign your key, you might specify your geographical location. Someone in the global web of trust with a well-connected key might offer to sign your key (especially if you'll organize a local key-signing party to "share the wealth"), but such a person is likely not to know you personally, so they'd have to meet you in person to verify your identity. And without knowing where you are located, nobody is likely to offer... -
Did I violate the FDL?I made a one-page excerpt from the GPG Keysigning Party HOWTO, printed ten copies and handed them out at a keysigning party.
Did I violate the FDL? (If I did, I must apologize to V. Alex Brennen.)
What I've come to think about is that it seems the FDL requires that the full license text accompanies every copy. When you're making single-page excerpts, it is of course very inconvenient to include a four-page license... But is it really necessary to include the whole license, or is it sufficient to include a short copyright notice referencing the FDL?
-
Re:MD5 checksums....and replace the GPG signatures with keys that just have the same name and address. If there are two keys with the same name and address, which one would you trust?
We need to come together and paaaaaarty!
:-)Really, that's the only solution to this problem. Probably, this is something we are going to see more frequently, so frequently perhaps that it may undermine the free software community's credibility. Therefore, we must come together and meet, and exchange signatures, so that at least we can ensure that they software is signed by its maintainer.
Now, go and get registered at Biglumber, sign up to the keysignings list and start organizing keysigning parties. Also, make sure that you meet other hackers when you're out travelling.
-
How to run a keysigning party
This is in multiple FAQs, the best of which is the top match on Google for "keysigning party". Read it. But here's the basic idea.
- Pick a keyserver.
- Have everybody send it their public keys.
- Make a table of everybody's owner (name and email addr), fingerprint, keysize, and algorithm, along with a checkbox. Make 300 copies.
- Rent an opaque projector, a screen, a microphone, stand, amp, speakers, and 300 chairs.
- Have everybody show up with ID, a pencil, a writing surface, a copy of their fingerprint, and a writing surface. No computers needed; this is NOT to be done digitally! (That's a bad idea; see above link for why.)
- Put a copy of the key sheet on the opaque projector. Call out the first name on the list. Have the key's owner should come up and put their ID on the opaque projector, and attest to the correctness of their own key on the projected list.
- Each attendee verifies that the ID is okay, the projected key matches what's on their copy, and checks off the ID.
- Repeat the last two steps 300 times.
- Attendees go home.
- Make a keyring for your attendees. Put it somewhere publicly accessible. (This is so not everybody has to repeat this step.)
- Attendees import the keyring. For each key they checked off, they verify that the key in the keyring matches, and sign it.
- Attendees upload their signatures to the keyserver.
That's the basic idea. You can also do this as a mob, but for 300 attendees, that may be suboptimal.
-
Start Here
here.
But you're right, there ought to be a little bit more granularity in the trust specfications.
[Reminds me of when my brother in law sent me a Power of Attorney so I could act in his behalf for his minor son.
I didn't tell him that I was thereby enabled to do a lot financial transactions on his behalf, sell his house, etc.]
They need a few more questions, like:
"I'd trust Alice with a loaded gun pointed at me after she's had 8 drinks and I rear-ended her new car."
-
My free documentation projectI have a project that I'm going to launch soon at Learn-Orienteering.org.
I think that the FDL is the Free Documentation License which is most clearly formulated, so it is unlikely that one will run into trouble if using it.
However, it has it's problems too. My project is mostly about making tutorials, and one important part of it is to encourage people to make printed booklets and distribute freely.
The problem is that the FDL requires that you include a full copy of the License with any copy you make. That would defeat the purpose of the booklet: You can't make a 4-page booklet if you would have to include a 4-page copy of the license.
That's the main problem with the FDL. I've been communicating with FSF on this, and apparently, it is not really a problem with FDL, but with copyright law. You have to include a license, or people would have to assume the worst (i.e. you only have fair use rights. Besides, most people don't think they have fair use rights either, because of all the propaganda, so they will not make a copy even if you tell them to...)
The FSF's best suggestion is that I, as the copyright holder, grant an individual license to everyone who wants to make a booklet. I think this is a sub-optimal solution, because the people who join me in making content needs predictability too. They need to know under what conditions the stuff they write will be distributed.
Take, as an example, the GnuPG Keysigning Party HOWTO. It links the FDL. When I organized a keysigning party, I handed out a paper copy of parts of the HOWTO to every participant, without a copy of the licence. In doing that, I think I broke the FDL (I plead "not guilty" your honor, I didn't understand the FDL at that time!
:-) ). But, I think that is how everyone would do it, and in fact, I think it is how the author intended it to be. Actually, I don't think the author followed the instructions in the FDL either.I guess I have made this point: The FDL requires that you include a full copy of the License with every copy you make, but nobody is going to do that with simple handouts.
BTW, I'm having a bit of problem hosting this project for the next couple of months... Anybody have a web server with a little bandwidth to spare?
-
Re:The searchable index thing works great...
Depends on the keyserver, of course. Some are open (so you can look through the code and *see* what they do) and some aren't.
The CryptNet keyserver is one you may wish to browse if you're genuinely interested in such things. -
Improve your stats - Keysigning Party HOWTO
Here's a GnuPG Keysigning Party HOWTO
-
Re:Source code
I put GPL'd source out over a year ago for all the RC5 Challenges (40-128):
CryptNET RC5 Attacks
Why the hell isn't your Timex watch running it, slacker?