Security – Page 30 – A Geek With Guns

The War on Privacy Explodes

After Wednesday’s reveal that the National Security Agency (NSA) has been indiscriminately spying on all of Verizon’s customers things have exploded. Yesterday morning the White House came out and justifed the NSA’s actions:

A senior administration official said the court order pertains only to data such as a telephone number or the length of a call, and not the subscribers’ identities or the content of the telephone calls.

Such information is “a critical tool in protecting the nation from terrorist threats to the United States,” the official said, speaking on the condition of not being named.

“It allows counter terrorism personnel to discover whether known or suspected terrorists have been in contact with other persons who may be engaged in terrorist activities, particularly people located inside the United States,” the official added.

The revelation raises fresh concerns about President Barack Obama’s handling of privacy and free speech issues. His administration is already under fire for searching Associated Press journalists’ calling records and the emails of a Fox television reporter as part of its inquiries into leaked government information.

That justification, to put it frankly, is weak. A subscriber’s phone number is their identity because each phone number is unique and is almost always associated with only one person. Saying that the NSA is only collecting phone numbers but not identifying information is no different than saying the NSA is collecting Social Security numbers but not identifying information. When you’re collecting data that is associated with a specific person you are collecting identifying information.

Even if we assume the statement is true and the NSA has no idea who possess what phone number we’re still left wondering how they can tell whether or not somebody is calling a known terrorist if they don’t know what the known terrorist’s phone number is. If they only know the terrorist’s number then they can easily obtain the identities of the terrorist’s contacts by asking Verizon for the identities of the persons who possess the called numbers. In other words the NSA is collecting identifying information no matter how you look at it.

Furthermore, any terrorist possessing even a minute amount of intelligence isn’t going to use a phone number tied to their person. Instead they will use another person’s phone (either by asking to borrow their phone or by using a cloned SIM card) or buy a disposable phone with cash. Either way the identity of the terrorist won’t be associated with the phone number so it will be almost impossible to identify who the terrorist is calling. At most the NSA will be able to identify extremely stupid terrorists, bust them, and give the remaining terrorists a reason to educate themselves and, in so doing, become far more difficult to capture or, in all likelihood, kill (that’s what the current administration enjoys doing most).

The White House is, as usual, feeding us bullshit. But that’s not the end of the bullshit train. In order to keep up the appearance that strong disagreement exists between the Republicans and Democrats you would think a powerful Republican would come forth and criticize the Obama administration for allowing indiscriminate spying on Americans. Instead one of the more influential Republicans came forward and defended the NSA’s actions:

Sen. Lindsey Graham said Thursday that he is “glad” that the National Security Agency is collecting millions of telephone records — including his own — from one of the nation’s largest telecommunications companies in an attempt to combat terrorism.

Mr. Graham said that he is a Verizon customer and has no problem with the company turning over records to the government if it helps it do its job. The South Carolina Republican said that people who have done nothing wrong have nothing to worry about because the NSA is mining the phone records for people with suspected ties to terrorism.

I’m not surprised to hear a state agent saying he’s OK with the state collecting his information. He is on the safe side of the gun pointed at our heads after all. I’m even less surprised to see Dianne Feinstein is in favor of the NSA’s expansive spying operations:

“As far as I know, this is the exact three-month renewal of what has been in place for the past seven years,” Feinstein asid. “This renewal is carried out by the [Foreign Intelligence Surveillance Court] under the business records section of the PATRIOT Act. Therefore, it is lawful. It has been briefed to Congress.

Feinstein said she could not answer whether other phone companies have had their records sifted through as Verizon has.

“I know that people are trying to get to us,” she said. “This is the reason why the FBI now has 10,000 people doing intelligence on counterterrorism. This is the reason for the national counterterrorism center that’s been set up in the time we’ve been active. its to ferret this out before it happens. “It’s called protecting America.”

What makes Feinstein’s comment interesting is her admittance that Congress was briefed on the operation. If any members of congress feign surprise we now know to call them on their bullshit.

Being a nation of laws somebody is obviously going to perform an investigation into this matter, right? Although it sounds like there will be an investigation it doesn’t sound like it will be an investigation into the NSA:

NEW YORK –- The U.S. Department of Justice may try seeking out the source of a bombshell article that revealed National Security Agency surveillance of millions of Americans, according to NBC News Justice correspondent Pete Williams.

[…]

Williams, a well-sourced reporter who just interviewed Attorney General Eric Holder last night about the leak investigations, jumped in with an answer.

“I was told last night: definitely there will be a leak investigation,” he said.

Before the state ascertained the identity of the person who leaked what is now referred to as the Collateral Murder video there was plenty of opportunity to investigate the pilots of the gunship that killed those Iraqi civilians and Reuters reporters. Instead the current administration moved to investigate the source of the leak. The person who leaked the video was Bradley Manning and, once identified, he was arrested, held in solitary confinement, and is now being put on trial for aiding the enemy. If the source that leaked the court order that revealed the NSA’s indiscriminate spying is discovered I’m sure he or she will be arrested, held in solitary confinement, and tried for aiding the enemy as well.

Bitching about this isn’t going to accomplish anything so we must ask what can be learned from this. I think there are several lessons. First, it’s obvious that the current administration is corrupt to the core. While Obama promised the most transparent government in history his administration has been shrouded in secrecy and embroiled in continuous scandals. His administration has also demonstrated that they prioritize hunting down people who leak classified information above hunting down criminals within the government’s employ. Second, we can no longer afford to communicate through unsecured channels. Every piece of data we send to each other must be encrypted and anonymized to prevent the government’s prying eyes from violating our privacy. Third, those crazy conspiracy theorists who have been telling us that the government is spying on our every communication aren’t so crazy. We must now assume that they are correct and that the government is spying on our every communication because, as this most recent leak shows, the government’s spying operations are vast and giving absolutely no regard to due process. Fourth, there is another war being waged by the federal government, a war against our privacy. The only way to defend ourselves in this war is to violate the government’s privacy in turn. Our violations of the government’s privacy will be met with arrests, imprisonments, and possibly executions but will also cause its legitimacy to erode.

The government will continue to use technology to suppress us but that very same technology can be used to suppress the government. We must wield technology more effectively than the government in order to keep our privacy.

Encrypt Everything: Installing Gpg4win for Windows

Last week I wrote a walk through explaining how to use OpenPGP to encrypt your e-mail on OS X. Today I’m going to write a walk through explaining how to install GNU Privacy Guard in Windows. GNU Privacy Guard is a collection of OpenPGP tools. GPGTools, which was covered in last week’s OS X tutorial, is actually built on GNU Privacy Guard. After installing GNU Privacy Guard in Windows you will be able to generate OpenPGP key pairs, import public OpenPGP keys, and encrypt and decrypt messages using OpenPGP. Furthermore, installing GNU Privacy Guard is needed for sending and receiving OpenPGP encrypted e-mails, which will be covered in a future tutorial.

The first thing you need to do is download Gpg4win from here. As of this writing version 2.1.1 is the latest and the version used to create this guide. Previous versions of Gpg4win may not work with this guide.

Now that you have Gpg4win downloaded it’s time to begin installing it. Installing Gpg4win is pretty straight forward. Just click the Next button five times and the Install button. After clicking the Install button you’ll get a progress bar informing you of what packages are being installed. Once everything is installed click the Next button again. Now you’ll be informed that Gpg4win needs a list of root certificates. Check the box labeled Root certificates defined or skip configuration and click the Next button again followed by the Finish button. Gpg4win is now installed.

Now you will need to generate your key pair. There are two ways you can do this. The first method is using Kleopatra, a graphical interface installed with the Gpg4win package and the second method is to use the command line tools. I will walk you through using the command line tools because Kleopatra only allows you to generate 3072 bit keys while the command line allows you to generate 4096 bit keys. Don’t worry, using the command line isn’t hard.

To create your key pair open the Command Prompt and issue the following command:

gpg --gen-key

You should get the following output:

Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection?

Since you will want the ability to sign and encrypt e-mails using OpenPGP select 1. Now you will be asked to enter a key length:

RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048)

Type 4096 and hit enter. You will now be asked to enter an expiration date:

Requested keysize is 4096 bits Please specify how long the key should be valid. 0 = key does not expire = key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n years Key is valid for? (0)

I tend not to set expiration dates for OpenPGP keys because issuing new keys periodically is an inconvenience for the people I e-mail regularly. When you want your key pair to expire or not is entirely up to you so enter whatever you want. If you go with the default (no expiration date) you will be asked to verify that you don’t want to key pair to expire:

Key does not expire at all Is this correct? (y/N)

Enter y if you don’t want an expiration date and N if you’ve changed your mind. It’s now time to enter your personal information. For this example I will enter my name in the Real name field, openpgptest@christopherburg.com in the Email address field, and leave the Comment field blank:

GnuPG needs to construct a user ID to identify your key.

Real name: Christopher Burg Email address: openpgptest@christopherburg.com Comment:

You will not be given one more chance to change things:

You selected this USER-ID: "Christopher Burg "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

Selecting O will result in a dialog box appearing asking you to enter a passphrase. This passphrase will be used to encrypt your private key. Whenever you want to use your private key you’ll need to enter your passphrase first in order to decrypt it:

Enter a strong passphrase[1] and click enter, which will result in you being asked to re-enter the passphrase:

That’s it, you now have an OpenPGP key pair that can be used to sign and encrypt e-mails. I will cover sending encrypted e-mails in a future tutorial because the method I use in Windows, Thunderbird with Enigmail, is the same method I use in Linux. Therefore, to make less work for myself, I will first write a tutorial explaining how to install GNU Privacy Guard in Linux before writing a tutorial on using Thunderbird and Enigmail.

[1] For example, the passphrase “passphrase” is very poor. It’s not only short, but it’s also easily guessed and commonly found in dictionary files. The passphrase “This is a random phrase that says nothing but probably isn’t easily guessed nor commonly found in most dictionary files.” is notably better since it’s not easily guessable or a commonly used phrase (although, now that it’s publicly published to the Internet, it’s worthless so don’t use it). Mixing in numbers and special characters will improve the passphrase even more.

Edit: 2013-06-13: 22:26: Corrected the command –key-get to be –gen-key. Thanks Luca for pointing it out.

The Implications of Hardware Attacks on Phones

A story has been circulating amongst the various Apple blogs regarding an iOS hardware exploit:

Careful what you put between your iPhone and a power outlet: That helpful stranger’s charger may be injecting your device with more than mere electrons.

At the upcoming Black Hat security conference in late July, three researchers at the Georgia Institute of Technology plan to show off a proof-of-concept charger that they say can be used to invisibly install malware on a device running the latest version of Apple’s iOS.

Though the researchers aren’t yet sharing the details of their work, a description of their talk posted to the conference website describes the results of the experiment as “alarming. Despite the plethora of defense mechanisms in iOS, we successfully injected arbitrary software into current-generation Apple devices running the latest operating system (OS) software,” their talk summary reads. “All users are affected, as our approach requires neither a jailbroken device nor user interaction.”

Surprisingly most of the Apple blogs I’ve read have written this exploit off as a minor issue. I’m not sure if the people writing off this exploit are just zealous Apple fans who refuse to acknowledge any flaw in their favorite company’s products or if they lack imagination but the severity of this flaw, if it works as advertised, shouldn’t be understated.

While the risk of a hacker loading malicious software onto your phone through a physical cable are relatively low the risk of the state doing the same is relatively high. Various police departments have been advertising that they possess devices that can download data off of cell phones. In practice such a device can be used to obtain the contents of a person’s phone upon detainment but that’s about it. But Combining that concept with sneak and peek warrants and now you have an interesting issue. During the execution of a sneak and peek warrant law enforcement officers can enter your home, search it, and not inform you that they’ve performed the deed. It wouldn’t take much to use a hardware device to load surveillance software onto your mobile devices during one of these searches. Once that’s done it’s possible that the phone could be used as a remote monitoring system to capture conversations by turning on the microphone, images of the area you’re in by activating the camera(s), and everything you type via key logging software.

I still question whether this exploit works with every iOS configuration. The exploit could be reliant on either the 30-pin or Lightening connector, it may not operate at all if the device’s contents are encrypted, etc. But the exploit could be effective enough for state agents to load surveillance software onto most iOS devices, which makes it a notable threat that shouldn’t be written off as a minor issue.

On the less frightening side of things it will be interesting to see what the jailbreaking community does with this exploit. It’s possible that the exploit could offer an easy way for iOS users to jailbreak their devices. If that is the case I also expect Apple to fix the problem quickly since they’ve done a remarkable job at fixing holes used by the jailbreaking community.

Encrypt Everything: GPGTools for OS X

Yesterday I gave a high level overview of OpenPGP. Today I want to dive into the practical portion of OpenPGP by explaining how to use GPGTools on OS X to encrypt e-mail communications. The first thing you will want to do is get the latest version of GPGTools from here (versions prior to 2013.05.20 will not work with Apple’s Mail application in 10.8). Installing GPGTools is a straight forward affair, just click Continue, Install, and Close (for this tutorial it is assume that you performed the default installation, if you customized the installation all bets are off).

After installation has completed GPG Keychain Access will automatically open and, if this is your first installing it, ask you to generate a new key pair (click to embiggen):

For the duration of this tutorial I will be using the e-mail address openpgptest@christopherburg.com (it’s a junk address, don’t both spamming it). Besides your e-mail address I would recommend changing the Length field to 4096. When it comes to encryption keys you need to go big or go home. Since openpgptest@christopherburg.com is a junk address I set the key to expire but you may want to uncheck the Key expires box if you plan to use your key pair with your e-mail address on a permanent basis (reissuing keys to everybody you e-mail can be a pain in the butt so setting them to expire can be a notable inconvenience). The only other field you need worry yourself with is the Upload key after generation check box. If checked the key will automatically be uploaded to the keys.gnupg.net key server (whether you want to do this is an entirely personal matter).

Once you’ve entered your key pair information click the Generate key button, which will result in the following dialog appearing:

Feel free to muck about with your computer for a bit to increase randomness. While the application is waiting around on randomness a dialog asking you to enter a passphrase will appear:

The entered passphrase will be used to encrypt your private key. Even if somebody manages to steal a copy of your private key file it will remain useless to them unless they also have your passphrase or can brute force it. To prevent the latter it is recommended that you enter a long, complex passphrase that won’t be easily guessed or likely found in a dictionary file (which is a table of words and common phrases used to brute force passphrases quickly).[1] Remember this passphrase because you will need it to decrypt your private key in order to use it to decrypt e-mails. After clicking the OK button you will be asked to re-enter the passphrase:

It should be pretty obvious but you need to enter the passphrase again and click the OK button. If you left the Upload key after generation checkbox checked you will see this dialog box:

Once the file is uploaded you will see your key pair added to the GPG keychain and it will be displayed in GPG Keychain Access:

You are now able to decrypt messages encrypted with your public key however you don’t have any public keys for other users. Encrypted e-mail isn’t much fun when you don’t have anybody to talk to so you’ll want to import the public keys of the people you converse with via e-mail. For this tutorial I will be adding the public key for blog [at] christopherburg [dot] com to my GPG keychain. To do this click the Import button in the GPG Keychain Access toolbar. A dialog box will appear asking you to select an .asc file to import into your GPG keychain:

.asc files are simple text files with a different extension. As I explained in yesterday’s installment of Encrypt Everything, OpenPGP public keys are blocks of text. To create an .asc file from a copied public key you simply need to past the text into a new text file and save it as a name ending in .asc. After you click the Open button you will be notified that the public key was imported:

The public key will not appear in your GPG keychain in the GPG Keychain Access application:

Now you can encrypt e-mails with the blog [at] christopherburg [dot] com public key. E-mails encrypted with that public key can only be decrypted by the holder of the corresponding private key (which, in the case of blog [at] christopherburg [dot] com, is me).

Now you are ready to communicate over e-mail securely. Let’s send an encrypted e-mail to blog [at] christopherburg [dot] com. Open up the Mail application and start a new e-mail. When composing your e-mail you will notice two buttons sitting below the subject field on the right-hand side:

Clicking the left button will encrypt the e-mail and clicking the right button will sign the e-mail. Signing your e-mail allows the recipient to verify you sent it (so long as they have your public key). I always sign my e-mails so authenticity can be ensured by the recipient. For this test we will click both buttons so the e-mail will be encrypted and signed:

You’ve probably noticed the new button in the upper right-hand corner of the form. This button allows you to select whether you want to encrypt and/or sign the e-mail using OpenPGP or S/MIME. By default it’s set to OpenPGP, which is what we want. Upon click either the encrypt or sign button the OpenPGP button will turn green. When you click the send button you will be asked to enter the passphrase for your private key:

Unless you check the Save in keychain checkbox this dialog will appear every time you send a signed e-mail (since you use the recipient’s public key to encrypt the e-mail you won’t have to enter your private key passphrase when you encrypt but don’t sign an e-mail). I recommend not checking the Save in keychain checkbox because doing so will store the passphrase for your private key in OS X’s login keychain, which means anybody who obtains your login password will be able to decrypt your private key, which will allow them to decrypt encrypted e-mails send to you.

That’s it, you’ve just sent your first OpenPGP encrypted e-mail. Any e-mails sent to your account that have been encrypted with your public key will be automatically decrypted and their contents displayed in Mail. That wasn’t too bad, was it?

Encrypt Everything: OpenPGP

I firmly believe that all communications should be encrypted. Even if you have nothing to hide you can contribute to the greater good by encrypting your communications. How so? Simple, encrypted communications appear as garbage data to prying eyes that lack the keys necessary to decrypt them. The more encrypted communications flying across the wires the more garbage data prying eyes have to dig through. If all communications were encrypted spies in organizations such as the National Security Agency (NSA) would entirely ineffective.

Tools that enable users to encrypt e-mails have been around for ages but, sadly, few people take advantage of them. In the hopes of alleviating this problem I am going to provide guides to help people get this stuff encrypted. For the first entry in my Encrypt Everything series I’m going to discuss a tool that will allow you to communicate securely over e-mail, OpenPGP.

OpenPGP can be briefly summarized as a software package that allows users to generate public/private key pairs that can be used to securely communicate with other OpenPGP users.

The first question most people are likely to ask is, what the heck is a public/private key pair? Don’t worry, it’s not complicated. Public/private key pairs are used for asymmetric cryptography. Asymmetric cryptography is a fancy way of noting an encryption method that uses two keys, one public and one private. Data encrypted with the private key can only be decrypted with the public key and data encrypted with the public key can only be decrypted with the private key. After generating a public/private key pair you provide your public key to those who want to communicate securely with you. In turn they will provide you with their public key. When they want to send you a secure communication they will encrypt the message with your public key. That message can only be decrypted with your private key, which, as the name implies, is held by only yourself. When you want to reply to the secure communication you encrypt your response with their public key, which can only be decrypted by their private key.

OpenPGP allows you to generate a public/private key pair, encrypt messages with either your private key or another person’s public key, and decrypt messages sent by people who have provided their public key.

An OpenPGP keys looks something like this (which is the public key to blog [at] christopherburg [dot] com):

-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG/MacGPG2 v2.0.19 (Darwin)

mQINBFGkG1IBEACa4FOajIwxUFdwC0C12c1DCg6+gmWcZBnQdfRtV6Z2d1yP9trM AxdT0ZCSJP5MkEI1t3pvc+r79oPbyK0f4QVe1rJerOVAjEglZhdrWqDyf3Rp5rIH Ukca7keZ+5Wf9dA+9B//LECzG4sj5qr6Kcssqb27PjK0XLq6O9963/6Lubkdomzj R/fKjmM2WMLs/tBF0HEZp6sSEeoot+28QtXgzDIE0um2l/ccK4tTLR08NC43+uVu dh7IJ6CX9bNoeCbmAEjOBONt0pKufvzTMsmGjMuFRc+cJnmXYeAjon9CitnUEXV9 Wmpw2K6XIKxo3PlDQcomKDV6inZySXnzXsOmomTR9XO1G4kaE9BYKdCaOdzCncPb Au0JeTNu6eqTwrUfQZXuVdKhfRQsqrhxEAEZgpa5ojbseVNt3oOJnYXOYgl3JCku naILz7hXMGKFQoGOojN6IpffJTjeWNiuj4KMDLTWuOKU1bX1yWJhz84U2HdhoI0L bWiWVZDLHSjLareSJvXjtdi0v4CgvgF6b+xpIH8pfP+wqBnqZUGT96B5jRUOKuaI MlHXHkfF070gOa4UbqJtjOHSwU9PcMUXcOxTqJen643+tAXAoqAEHLjIp2fNzmkc 6NB0T1h8JCmqHz+fv5rnKZM9lKkFO6eNPVYz2OoPb+4Zlu2pBvwsja0kBQARAQAB tCtDaHJpc3RvcGhlciBCdXJnIDxibG9nQGNocmlzdG9waGVyYnVyZy5jb20+iQI4 BBMBAgAiBQJRpBtSAhsvBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAXquxa uJ2eMegiEACWDIcNPQibNBNWQ5bBl/sCTxoeQvZrf0aFK4y5n1fLxqGhyZmTZdb2 IWyO5kSyEJ0Q3M3JwFIQOnl09aYT9g75omz3EAjtJCL3XKwc3DPYvKpPj/Zq9iiM Ou4ClXXuR9mqbvu4JOCYVq2r+NZuoQ+mOvEPjp5zA5ARoJ/9r7nO3/foQZ/22PZZ t7NMUfv+IYwlQ7vBun01gymC1u4ViBOgyl0DzlXKtUPmmPp8PB6E+I6OvnSmRLdt tfxFzXYGLPZWva6/hGQeptvofYhv0kAvMgOmPtkCpf4RpUz4ebT2mr9vHgVH+VYc BNFYJLXPdJmbqqD9KdesQ48YvAi50G/MaP8xxVaYI5YD004HO7h2lp9WX0CMWN/l jRW1yHP/AW+5aw06/LohcDdG/HQjYYkzjX6qUSYg/U/Tky7hmDile9WkMUP22eOk AkV7OBKly4c3uxqR5+fH5N9GcSbSk6avkbPU8w27t3E6m0PnKRkpUrn/2OFd7u7h TuQGvfy3LqsVliTruHCOfIY5pmi3qcGeKkaXu7LCnNbNg86VEYYYTEHyoMw1cC99 9IMXKuvGtKaJ7mjj03n0e+7VpcRd646gw3KuQNRd0GTV2xOAJ/vEgoA30Of7Gxoa PXRuyo67WATgU36kl9yVS5EfT3m1mMUihI5zeN1R1EJn6/tlMnyY/okCHAQTAQIA BgUCUaQbnwAKCRADj+sE5VF3XY+TD/9jt3hgGyjFKjhRza9KTRJwBV6gFFcQU3MT 8j5evFtbMjZ1oNc5oongwJ7OtLHFVmst4cQMmupems1X7z8mj5we6MQd24CFChKf xfJj5YwunIWXIpfilY1QznvZ1YlqNkSaQAFRFjdVY2ip4UxnRY4vf4LGT8+WO33j gG9CXJ8VLjFs+vbXFtvsCabfJk2aNWgbaKMXzrlzlyaQokb7/tXVECNtpdBn454L FkNMNK19pzgJcNyQMFl6ApxQJzXu8+vPTdZQCvPrEZOL28cNYU35IL3yZoz+CHR5 j123kJVdXOUyA3Z27S4qmJOC6RR9iAx+Us/W/LT03tyMrKyLZaPT90ZhCG9UDnIg DDlXoLfPYEaVmXU5MfitwsWgtv/gSHNWTIIvc/5JB6U7XEReZw66oyngQdZSP/s3 uV670Yvvl3PaH7UvMRFmfeazqUG/+r+PFxfoMzfOFSixi+uwbT7nbBa7Iyw3F9A0 5HDP9+28PqJvfUTdGgISbvvPAB50rC2FRFhBtvoMYMROaGn87ANH96caKn8a4ynW nJqwzCGj2l006BciJlWgvZ0jg4ndW2TJU/neuOHEoPkgdLmqaC6QeQNcWryIgX75 q0iZeqjvzWh8rhaQfPNGUS0yF2JxFU14muvvC55Ar0SKnF005Zs8Za8p9PKRfuTr DQfVVQiAELkCDQRRpBtSARAA1W5yOTe3JxOLwjBBZeUPJjWn20HPk979593iiq6N 6GBqXNHtI8Vboeyq27qAjZoY9FXnibrIXaIJ40mcNj6yXc7n5tImpLByLPy8Ztyx Jcpu+wC404Av879e8E8gqhbDhpQpMXHNtiuQHMwbN9kr/ohH0GgaKyJhRoJY4Rap ++CeO42v2nRYtAk9RhXehOCbXRF3szU1vdfqrL5LclqZ8rwksIqAjO6imFtvplwt xcSXvP0slFtpEHVnY5KwUzMbgGsNuz6Fs1biyRzg9qePd2bDmZ7+/cMvasUvP2Qq vUlxf9lyzx65i123ax4EgWDM14jWhiy+wLc+jjtXtmQ/EcDaNykoir9Gz+WPSYsp NO6YZg4vDhGT/Afxd4Q5LNoRZ/lGfjXhmgQOgriMaKOTPAe2SgB8Qc0eYDUWO2qu /bI3orUbeEsIMCZU3mNOhCNOhm/vhyAcdpXtnfMqQeKx4TkgZZO+lotzJa6KHhay vCGxkZxzR3o8LP72wUke0apZprEoDymU5HSAoHv3o4aFV0AVBdjVCxcsMeCS0fJ3 aLZP9WZ0DrRktrLO8sjAsFutodInD99Ki+pYCjdS5/jixN6+R9EJ4Ud44PT84PtH qwRVyzF+bC8Mc/QEY4PNl/698liscEe53WqPBelfR6UdvVEvKxI4jibqHwVjc6K8 e38AEQEAAYkEPgQYAQIACQUCUaQbUgIbLgIpCRAXquxauJ2eMcFdIAQZAQIABgUC UaQbUgAKCRBAXiyJxWbQ4Zk7D/90MW3mf4tCP4yhBqc01FnZEqJuaeBQxBbK6qDw fMPDYA1D0LRFfLoAxs40lExQQjAtwcxvuF59K0S1XoVQSPq1NyAcGyTUGwu/P7Lz VCYsDOcBZgwFRzMZFIhSvEpBSTgnX+uKREXecoaI+MzfZbSCChnPYULIKMK3ONqD pAfGxNIkHOYcIC93f7hB8ZFnszuyfRasgW7xyv26J4w9W0xPIRwH6dNFDpBXvQcx JMl5jVb55u6tATGhNy7rXWAqgm5w70UNyUJFAmHfSJftfZKHAhvPmRWamnuZ22rH cVoj9HeJgxO48BGt0tmRPu0XpCk6oSWzKU+STlSutw4DbpgCLwy+Y6Ll24ik2r+f YpNp1t2jh/SkypLUK9YVxNGCJXtxom/awqND5QMxsziukqSptd2ltrTP4/jCdShU FN1Srov/29ZXrM/VA7Jqf3HFOB31cHr1J+ftsqtdHsDFerw8emd9VJKSO0dHGh9f wsZtBAz7MPS1q4qwVn8lYgrVkoohbhiSft6tHircvSX8pX78kTjUNXBkojx4FL3L SKg9FoSYuC1nqaUobOyuy28hW5sA2FEoWVf/qb5g6lJSJ+u7zhJmis5b8aeuZ6qS lE3KtCH35bhj63oRlCEgQUjaqTGFoueIbRrdy+wFbh7zqQuKIgQpwDo0SbvJbjfN FEsXMemqD/947IjTloC0nFDjWJssLhNBaR1GIl0cQYktfrscCB8y+17jc7fymK3/ rnHYvjC1WpdLRHY4H30yyMutPawgnzjdViJW21sLmf/3HSDDP+0qvYRaq356FkpY 7SWj1wvS93B7UCs4A6VRvFnp5sHGPmIgSo5mqG4E36zrcnKQapPOdDfJ41Aj9l3i f0I1Q0w+PVe6EZBHtYEOyNrT2OqAR9mq/hbM6HeZM+UilG1g6TLk11JJyKfA1V9Q guzcjzockfePY+NQe7dy+Zc9l5TBIMBECX5YRa9A8OhZ5+q4SNMqM6itq7z1F66k NWoFGkI+kx2e75tO7o8b5izueJbD7VPNUeE7T+WCSB8Pf4wBfuwuVbu69QpXH0XQ WihGSJTHETqA1EoBRN6G6WKsq0affN3nO8GeSubwd3Ip/TPH4tfglxHAxegMqvLE YLX96XueqzeCxyZroH9xqsFmUhszZz3BtuCO8h705Cv2DNprSZJah3+OTLwgMuLZ GM2ogcvLzPTjZgib5h5j5Pp9tjBYrYnOE4/tctvQ26X2ipedV4/O1gBNTMY6ba+1 2HuLrhgrtbL698KhQahlSfTq9a0GO/GLHM+wtlrVlslSjnZt0eldQf4M+UFIEOxh w38h55tSuK1XbKSuTpmTE5MIjebksHy6ynAco4ZQo7MLWciGcFbTQQ== =3COR -----END PGP PUBLIC KEY BLOCK-----

OpenPGP users can use that gobbledygook to encrypt messages that can only be decrypted by me. Generally people also post their public keys to key servers such as the one provided by the Massachusettes Institute of Technology (MIT) or Canonical, the creators of Ubuntu Linux. If you go to either of those key servers and enter my e-mail address into the search box you will be provided with my published public key.

Many OpenPGP applications can be configured to automatically check key servers for public keys. Later in this series, when I cover specific implementations of OpenPGP, I will explain who an e-mail client can automatically search OpenPGP key servers for public keys associated with e-mail addresses that have send OpenPGP encrypted e-mails. Suffice it to say publishing your public key to a key server makes life easier for other OpenPGP users but there is no requirement to do so (OpenPGP is a decentralized system).

OpenPGP public keys can also be signed by other OpenPGP users. When you sign a public key you are verifying that the person who holds the corresponding private key is who he claims to be. This establishes, what is referred to as, a web of trust. What is a web of trust? A web of trust is a decentralized alternative to the chain of trust system most of us use every day.

When you access this site through its secure connection you receive a public key that has been signed by StartCom. StartCom is a certificate authority, which is an organization that signs Secure Socket Layer (SSL) certificates (certificates used to provide secure connections to websites). StartCom’s public signing key is included in most major web browsers and operating systems so whenever you access a site secured by a certificate signed by StartCom your browser will trust it. By signing the certificate StartCom is verifying that your website is who it claims to be (in my case, blog.christopherburg.com). This system is highly centralized since it relies on a handful of certificate authorities.

Returning to the original question, what is a web of trust, the answer is that a web of trust is a system where individuals sign public keys instead of centralized authorities. If I sign your public key anybody who trusts my public key will see that I trust your public key. A person who trusts my judgement of character will then be more inclined to trust that your public key corresponds to a private key in your possession. This system becomes more effective as more people sign your public key, which is why key signing parties exist (yes, us geeks know how to party). When somebody sees your public key has been signed by several people they personally trust they can be reasonably sure that it is your key.

Now you have a general overview of OpenPGP. In the next installment of my Encrypt Everything series I am going to explain how to use GPGTools to encrypt your e-mails with OpenPGP on OS X (Why am I starting with OS X? Because that’s the operating system I generally use for e-mail. Don’t worry, I will cover other tools as the series progresses).

Air Gaps Offer Better Security

If you have top secret designs for weapons of war perhaps it would be prudent not to place them on remotely accessible servers:

Designs for many of the nation’s most sensitive advanced weapons systems have been compromised by Chinese hackers, according to a report prepared for the Pentagon and to officials from government and the defense industry.

Among more than two dozen major weapons systems whose designs were breached were programs critical to U.S. missile defenses and combat aircraft and ships, according to a previously undisclosed section of a confidential report prepared for Pentagon leaders by the Defense Science Board.

I do hope this information gets made publicly accessible so we can all find out what those secretive defense contractors and the military are up to.

OpenPGP Key

Many of you are aware that I can be reached by e-mail via blog [at] christopherburg [dot] com. Until now I haven’t published my OpenPGP public key, instead relying on people to first express interest in it before sending it. This isn’t a very effective policy so here is my OpenPGP public key for anybody interested in sending me encrypted e-mails:

-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG/MacGPG2 v2.0.19 (Darwin)

Be Afraid

Reporters from The Daily Mail demonstrated, what they thought to be, the danger 3D printed firearms pose to society at large:

The Mail On Sunday today exposes the massive international security risk posed by a gun that can be easily made with new 3D printers.

We built the weapon, which is capable of firing a live round, from blueprints available on the internet – then smuggled it on to a packed Eurostar train.

Two reporters passed completely unchallenged through strict airport-style security to carry the gun on to a London to Paris service in the weekend rush-hour, alongside hundreds of unsuspecting travellers.

The reaction you’re supposed to have is, “Oh. My. God. Violent psychopaths are going to board our trains and planes with 3D printed guns and kill us all! Quick, government, save us!”

The reaction you should have is, “So? New technological advances have always outpaced current security measures.”

What the reporters discovered was an inherit danger in 3D printed firearms, it was an inherit danger in relying on security measures to protect you from evildoers. We humans, being creative creatures, have a knack of bypassing every security measure we implement. Did you put a lock on your door? No problem, a determined burglar will merely pick it open. Did you put a very secure lock on your door? No problem, a determined burglar will kick in one of your basement windows. Did you install a security system that automatically alerts the police if somebody enters your home? No problem, a burglar can be in and out before the police have a chance to respond.

We see this with airport security. Violent criminals have tried all manners of devious methods to bypass airport security. Metal detectors are ineffective at finding explosives. Bag checks can work if explosives are in a bag but fail if the explosives are concealed in a shoe. Body scanners can work to see concealed weapons, unless that weapon is smuggled in a body cavity.

Do 3D printed firearms really pose a great threat to passengers of trains and planes? Potentially, but not because the device can bypass security at gates. The threat comes from the centralized security models usually implemented on mass transit systems. Once you’re beyond the gate you’re almost entirely defenseless because it’s assumed that the train is a secured because passengers were required to go through the designated security checkpoint. In reality a clever person can either bypass those checkpoints or smuggle weapons through them.

There is no such thing as a “secured area.” Whatever mechanisms are used to secure the “secured area” can be bypasses, which will make that “secured area” and “unsecured area.” The only real option when it comes to implementing security is to decentralize is. Relying on a security checkpoint is akin to relying on police protection. Both systems have a handful of major failure points. If I can get a weapon beyond a security checkpoint I will likely enjoy free reign. So long as I can commit my crime before the police arrive I have a good chance of escaping, or at least completing my intended goal.

Being able to smuggle a 3D printed gun past security is only a threat because the people in the “secured area” are almost entirely defenseless.

Gun Sales Up, Homicide Rate Down, Few Paying Attention Surprised

Once again reality has proven harsh to the advocates of gun control that have been warning us that blood will run through the streets whenever firearm laws are repealed or liberalized. As it turns out gun homicides are down 49% since their peek in 1993:

National rates of gun homicide and other violent gun crimes are strikingly lower now than during their peak in the mid-1990s, paralleling a general decline in violent crime, according to a Pew Research Center analysis of government data. Beneath the long-term trend, though, are big differences by decade: Violence plunged through the 1990s, but has declined less dramatically since 2000.

Compared with 1993, the peak of U.S. gun homicides, the firearm homicide rate was 49% lower in 2010, and there were fewer deaths, even though the nation’s population grew. The victimization rate for other violent crimes with a firearm—assaults, robberies and sex crimes—was 75% lower in 2011 than in 1993. Violent non-fatal crime victimization overall (with or without a firearm) also is down markedly (72%) over two decades.

As Robert Heinlein wrote in Beyond This Horizon, “An armed society is a polite society. Manners are good when one may have to back up his acts with his life.” Advocates of gun control believe that the only way to reduce violence in society is to give the state a monopoly on gun ownership. Somebody holding a less authoritarian view on society would point out that centralizing power has, historically, be ineffective at reducing violence. Decentralizing power, on the other hand, has been far more effective at reducing violence. Even the year with the highest homicide rate in the United States can’t compare to the millions upon millions killed in countries where power is or was centralized.

Nobody should be surprised by this news. Deductive logic would lead one to understand that having more armed people in a society increases the overall cost of initiating violence. Much like predatory animals that prey on the weak and sickly, violent people prefer to prey on the unarmed.

What if the Boston Bombers Used Rifles Instead of Improvised Explosives

The New Yorker posted an article asking if things would have been different if Boston bombers used rifles instead of bombs. Although the author tries to appear as though he’s not trying to write an anti-gun post he states:

Well, for one thing, the brothers would probably have killed a lot more than three people at the marathon. AR-15s can fire up to forty-five rounds a minute, and at close range they can tear apart a human body. If the Tsarnaevs had started firing near the finish line, they might easily have killed dozens of spectators and runners before fleeing or being shot by the police.

What the author doesn’t note is the other side of the coin. If the Boston bombers used rifles the death toll may have been lower because the police, who had a strong presences at the marathon, would have had identifiable targets and been able to engage them quickly. If the event happened in a state with less gun control the aggressors may could have been engaged even faster.

Engaging bombers is difficult because you need to catch them before they can plant their explosive devices. Once the explosives are in place it’s very difficult to intervene, especially in a crowded area. Aggressors using firearms on the other hand can be engaged during their act. The engagement time can also be reduced by increasing the number of armed individuals in the area.

In an unrelated subject I would also like to point out a pet peeve of mind:

Here’s a little mental experiment. Imagine, for a moment, that the Tsarnaev brothers, instead of packing a couple of pressure cookers loaded with nails and explosives…

The author, like so many others, has apparently judged the Tsarnaev brothers as guilty even though the trial hasn’t begun. Claiming somebody is guilty of a crime before a trail has concluded is one of those things that annoys me. One should always been presumed innocent until they have either confessed to the crime (without being coerced into it or offered a sweetheart plea bargain designed to get a confession without establishing guilt) or have been found guilty by a jury trial. This is why I used the term “Boston bombers” instead of “the Tsarnaev brothers.”