Tag: Technology

Revealing the State’s War on Privacy

Bradley Manning collected a great deal of classified government information and released it to Wikileaks. In so doing he effectively stripped some of the state’s privacy and is now standing trial for his actions (although his trial is almost certainly for show not to determine guilt). As I said, I support Manning’s actions because the state is waging a war against our privacy. As time goes on we’re learning more and more about how extensive this war really is. Yesterday it was revealed that the National Security Agency (NSA), on of the most vicious combatants in this war, has been collecting the phone records of millions of Americans:

The National Security Agency is currently collecting the telephone records of millions of US customers of Verizon, one of America’s largest telecoms providers, under a top secret court order issued in April.

The order, a copy of which has been obtained by the Guardian, requires Verizon on an “ongoing, daily basis” to give the NSA information on all telephone calls in its systems, both within the US and between the US and other countries.

The document shows for the first time that under the Obama administration the communication records of millions of US citizens are being collected indiscriminately and in bulk – regardless of whether they are suspected of any wrongdoing.

Although we’ve known that the NSA has been spying on our phone calls for some time but the release of this court order gives us a better idea of how extensive its spying is. Once again I’ll iterate that a government that doesn’t trust the general population enough to respect their privacy should not be given the privilege of privacy itself. So long as the state continues to violate our privacy it is right to violate its privacy. I will also point out that extensive spying operations such as this are prime examples of why all communications should be encrypted, which is why I started the Encrypt Everything series. Increasing the number of people who use cryptographic tools to prevent prying eyes from seeing their communications will render large scale spying operations, such as those being performed by the state, far less effective.

Judge Rules Decryption Keys are Protected by the Fifth Amendment

Last month a federal magistrate in Wisconsin refused to order a suspect to decrypt his hard drive stating that such an order would violate the suspect’s Fifth Amendment rights. This week a federal judge ruled that such an order was, in fact, a violation of the Fifth Amendment:

A federal judge in Wisconsin today granted an emergency motion filed by Feldman’s attorney for additional time to establish that her client’s Fifth Amendment right to self-incrimination would be violated.

U.S. District Judge Rudolph Randa lifted the threat of contempt of court and jail time, at least temporarily, and asked for additional briefs from Feldman’s attorney and Justice Department prosecutors. A hearing is likely to take place this fall.

What makes this case particularly interesting is that the suspect, Jeffrey Feldman, is accused of possessing child pornography. Possession of child pornography is one of those crimes that instigates such a strong emotional response in people that they demand due process being tossed out the window and any suspects be immediately burned at the stake. There are a lot of arguments being made trying to argue that ordering a suspect to decrypt his hard drive isn’t a violation of the Fifth Amendment because the crime, in this case, is so heinous. Such an attitude, in my opinion, is extremely short sighted because it sets a precedence that allows the state to justify ordering anybody accused of any crime to decrypt their hard drive or be found in contempt of court (for which the punishment is being locked in a cage until you comply, effectively indefinite detention without due process).

At some point I predict that determining whether or not the Fifth Amendment protects suspects from court orders demanding their decryption keys will reach the Supreme Court. Regardless of whether or not that happens one thing is for certain, encrypting your hard drive is the best way to protect yourself against snooping state agents who come into possession of your devices.

Encrypt Everything: Installing Gpg4win for Windows

Last week I wrote a walk through explaining how to use OpenPGP to encrypt your e-mail on OS X. Today I’m going to write a walk through explaining how to install GNU Privacy Guard in Windows. GNU Privacy Guard is a collection of OpenPGP tools. GPGTools, which was covered in last week’s OS X tutorial, is actually built on GNU Privacy Guard. After installing GNU Privacy Guard in Windows you will be able to generate OpenPGP key pairs, import public OpenPGP keys, and encrypt and decrypt messages using OpenPGP. Furthermore, installing GNU Privacy Guard is needed for sending and receiving OpenPGP encrypted e-mails, which will be covered in a future tutorial.

The first thing you need to do is download Gpg4win from here. As of this writing version 2.1.1 is the latest and the version used to create this guide. Previous versions of Gpg4win may not work with this guide.

Now that you have Gpg4win downloaded it’s time to begin installing it. Installing Gpg4win is pretty straight forward. Just click the Next button five times and the Install button. After clicking the Install button you’ll get a progress bar informing you of what packages are being installed. Once everything is installed click the Next button again. Now you’ll be informed that Gpg4win needs a list of root certificates. Check the box labeled Root certificates defined or skip configuration and click the Next button again followed by the Finish button. Gpg4win is now installed.

Now you will need to generate your key pair. There are two ways you can do this. The first method is using Kleopatra, a graphical interface installed with the Gpg4win package and the second method is to use the command line tools. I will walk you through using the command line tools because Kleopatra only allows you to generate 3072 bit keys while the command line allows you to generate 4096 bit keys. Don’t worry, using the command line isn’t hard.

To create your key pair open the Command Prompt and issue the following command:

gpg --gen-key

You should get the following output:

gpg (GnuPG) 2.0.20; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?

Since you will want the ability to sign and encrypt e-mails using OpenPGP select 1. Now you will be asked to enter a key length:

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

Type 4096 and hit enter. You will now be asked to enter an expiration date:

Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0)

I tend not to set expiration dates for OpenPGP keys because issuing new keys periodically is an inconvenience for the people I e-mail regularly. When you want your key pair to expire or not is entirely up to you so enter whatever you want. If you go with the default (no expiration date) you will be asked to verify that you don’t want to key pair to expire:

Key does not expire at all
Is this correct? (y/N)

Enter y if you don’t want an expiration date and N if you’ve changed your mind. It’s now time to enter your personal information. For this example I will enter my name in the Real name field, openpgptest@christopherburg.com in the Email address field, and leave the Comment field blank:

GnuPG needs to construct a user ID to identify your key.

Real name: Christopher Burg
Email address: openpgptest@christopherburg.com
Comment:

You will not be given one more chance to change things:

You selected this USER-ID:
"Christopher Burg "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

Selecting O will result in a dialog box appearing asking you to enter a passphrase. This passphrase will be used to encrypt your private key. Whenever you want to use your private key you’ll need to enter your passphrase first in order to decrypt it:

Enter a strong passphrase[1] and click enter, which will result in you being asked to re-enter the passphrase:

That’s it, you now have an OpenPGP key pair that can be used to sign and encrypt e-mails. I will cover sending encrypted e-mails in a future tutorial because the method I use in Windows, Thunderbird with Enigmail, is the same method I use in Linux. Therefore, to make less work for myself, I will first write a tutorial explaining how to install GNU Privacy Guard in Linux before writing a tutorial on using Thunderbird and Enigmail.

[1] For example, the passphrase “passphrase” is very poor. It’s not only short, but it’s also easily guessed and commonly found in dictionary files. The passphrase “This is a random phrase that says nothing but probably isn’t easily guessed nor commonly found in most dictionary files.” is notably better since it’s not easily guessable or a commonly used phrase (although, now that it’s publicly published to the Internet, it’s worthless so don’t use it). Mixing in numbers and special characters will improve the passphrase even more.

Edit: 2013-06-13: 22:26: Corrected the command –key-get to be –gen-key. Thanks Luca for pointing it out.

The Implications of Hardware Attacks on Phones

A story has been circulating amongst the various Apple blogs regarding an iOS hardware exploit:

Careful what you put between your iPhone and a power outlet: That helpful stranger’s charger may be injecting your device with more than mere electrons.

At the upcoming Black Hat security conference in late July, three researchers at the Georgia Institute of Technology plan to show off a proof-of-concept charger that they say can be used to invisibly install malware on a device running the latest version of Apple’s iOS.

Though the researchers aren’t yet sharing the details of their work, a description of their talk posted to the conference website describes the results of the experiment as “alarming. Despite the plethora of defense mechanisms in iOS, we successfully injected arbitrary software into current-generation Apple devices running the latest operating system (OS) software,” their talk summary reads. “All users are affected, as our approach requires neither a jailbroken device nor user interaction.”

Surprisingly most of the Apple blogs I’ve read have written this exploit off as a minor issue. I’m not sure if the people writing off this exploit are just zealous Apple fans who refuse to acknowledge any flaw in their favorite company’s products or if they lack imagination but the severity of this flaw, if it works as advertised, shouldn’t be understated.

While the risk of a hacker loading malicious software onto your phone through a physical cable are relatively low the risk of the state doing the same is relatively high. Various police departments have been advertising that they possess devices that can download data off of cell phones. In practice such a device can be used to obtain the contents of a person’s phone upon detainment but that’s about it. But Combining that concept with sneak and peek warrants and now you have an interesting issue. During the execution of a sneak and peek warrant law enforcement officers can enter your home, search it, and not inform you that they’ve performed the deed. It wouldn’t take much to use a hardware device to load surveillance software onto your mobile devices during one of these searches. Once that’s done it’s possible that the phone could be used as a remote monitoring system to capture conversations by turning on the microphone, images of the area you’re in by activating the camera(s), and everything you type via key logging software.

I still question whether this exploit works with every iOS configuration. The exploit could be reliant on either the 30-pin or Lightening connector, it may not operate at all if the device’s contents are encrypted, etc. But the exploit could be effective enough for state agents to load surveillance software onto most iOS devices, which makes it a notable threat that shouldn’t be written off as a minor issue.

On the less frightening side of things it will be interesting to see what the jailbreaking community does with this exploit. It’s possible that the exploit could offer an easy way for iOS users to jailbreak their devices. If that is the case I also expect Apple to fix the problem quickly since they’ve done a remarkable job at fixing holes used by the jailbreaking community.

Encrypt Everything: GPGTools for OS X

Yesterday I gave a high level overview of OpenPGP. Today I want to dive into the practical portion of OpenPGP by explaining how to use GPGTools on OS X to encrypt e-mail communications. The first thing you will want to do is get the latest version of GPGTools from here (versions prior to 2013.05.20 will not work with Apple’s Mail application in 10.8). Installing GPGTools is a straight forward affair, just click Continue, Install, and Close (for this tutorial it is assume that you performed the default installation, if you customized the installation all bets are off).

After installation has completed GPG Keychain Access will automatically open and, if this is your first installing it, ask you to generate a new key pair (click to embiggen):

For the duration of this tutorial I will be using the e-mail address openpgptest@christopherburg.com (it’s a junk address, don’t both spamming it). Besides your e-mail address I would recommend changing the Length field to 4096. When it comes to encryption keys you need to go big or go home. Since openpgptest@christopherburg.com is a junk address I set the key to expire but you may want to uncheck the Key expires box if you plan to use your key pair with your e-mail address on a permanent basis (reissuing keys to everybody you e-mail can be a pain in the butt so setting them to expire can be a notable inconvenience). The only other field you need worry yourself with is the Upload key after generation check box. If checked the key will automatically be uploaded to the keys.gnupg.net key server (whether you want to do this is an entirely personal matter).

Once you’ve entered your key pair information click the Generate key button, which will result in the following dialog appearing:

Feel free to muck about with your computer for a bit to increase randomness. While the application is waiting around on randomness a dialog asking you to enter a passphrase will appear:

The entered passphrase will be used to encrypt your private key. Even if somebody manages to steal a copy of your private key file it will remain useless to them unless they also have your passphrase or can brute force it. To prevent the latter it is recommended that you enter a long, complex passphrase that won’t be easily guessed or likely found in a dictionary file (which is a table of words and common phrases used to brute force passphrases quickly).[1] Remember this passphrase because you will need it to decrypt your private key in order to use it to decrypt e-mails. After clicking the OK button you will be asked to re-enter the passphrase:

It should be pretty obvious but you need to enter the passphrase again and click the OK button. If you left the Upload key after generation checkbox checked you will see this dialog box:

Once the file is uploaded you will see your key pair added to the GPG keychain and it will be displayed in GPG Keychain Access:

You are now able to decrypt messages encrypted with your public key however you don’t have any public keys for other users. Encrypted e-mail isn’t much fun when you don’t have anybody to talk to so you’ll want to import the public keys of the people you converse with via e-mail. For this tutorial I will be adding the public key for blog [at] christopherburg [dot] com to my GPG keychain. To do this click the Import button in the GPG Keychain Access toolbar. A dialog box will appear asking you to select an .asc file to import into your GPG keychain:

.asc files are simple text files with a different extension. As I explained in yesterday’s installment of Encrypt Everything, OpenPGP public keys are blocks of text. To create an .asc file from a copied public key you simply need to past the text into a new text file and save it as a name ending in .asc. After you click the Open button you will be notified that the public key was imported:

The public key will not appear in your GPG keychain in the GPG Keychain Access application:

Now you can encrypt e-mails with the blog [at] christopherburg [dot] com public key. E-mails encrypted with that public key can only be decrypted by the holder of the corresponding private key (which, in the case of blog [at] christopherburg [dot] com, is me).

Now you are ready to communicate over e-mail securely. Let’s send an encrypted e-mail to blog [at] christopherburg [dot] com. Open up the Mail application and start a new e-mail. When composing your e-mail you will notice two buttons sitting below the subject field on the right-hand side:

Clicking the left button will encrypt the e-mail and clicking the right button will sign the e-mail. Signing your e-mail allows the recipient to verify you sent it (so long as they have your public key). I always sign my e-mails so authenticity can be ensured by the recipient. For this test we will click both buttons so the e-mail will be encrypted and signed:

You’ve probably noticed the new button in the upper right-hand corner of the form. This button allows you to select whether you want to encrypt and/or sign the e-mail using OpenPGP or S/MIME. By default it’s set to OpenPGP, which is what we want. Upon click either the encrypt or sign button the OpenPGP button will turn green. When you click the send button you will be asked to enter the passphrase for your private key:

Unless you check the Save in keychain checkbox this dialog will appear every time you send a signed e-mail (since you use the recipient’s public key to encrypt the e-mail you won’t have to enter your private key passphrase when you encrypt but don’t sign an e-mail). I recommend not checking the Save in keychain checkbox because doing so will store the passphrase for your private key in OS X’s login keychain, which means anybody who obtains your login password will be able to decrypt your private key, which will allow them to decrypt encrypted e-mails send to you.

That’s it, you’ve just sent your first OpenPGP encrypted e-mail. Any e-mails sent to your account that have been encrypted with your public key will be automatically decrypted and their contents displayed in Mail. That wasn’t too bad, was it?

[1] For example, the passphrase “passphrase” is very poor. It’s not only short, but it’s also easily guessed and commonly found in dictionary files. The passphrase “This is a random phrase that says nothing but probably isn’t easily guessed nor commonly found in most dictionary files.” is notably better since it’s not easily guessable or a commonly used phrase (although, now that it’s publicly published to the Internet, it’s worthless so don’t use it). Mixing in numbers and special characters will improve the passphrase even more.

Encrypt Everything: OpenPGP

I firmly believe that all communications should be encrypted. Even if you have nothing to hide you can contribute to the greater good by encrypting your communications. How so? Simple, encrypted communications appear as garbage data to prying eyes that lack the keys necessary to decrypt them. The more encrypted communications flying across the wires the more garbage data prying eyes have to dig through. If all communications were encrypted spies in organizations such as the National Security Agency (NSA) would entirely ineffective.

Tools that enable users to encrypt e-mails have been around for ages but, sadly, few people take advantage of them. In the hopes of alleviating this problem I am going to provide guides to help people get this stuff encrypted. For the first entry in my Encrypt Everything series I’m going to discuss a tool that will allow you to communicate securely over e-mail, OpenPGP.

OpenPGP can be briefly summarized as a software package that allows users to generate public/private key pairs that can be used to securely communicate with other OpenPGP users.

The first question most people are likely to ask is, what the heck is a public/private key pair? Don’t worry, it’s not complicated. Public/private key pairs are used for asymmetric cryptography. Asymmetric cryptography is a fancy way of noting an encryption method that uses two keys, one public and one private. Data encrypted with the private key can only be decrypted with the public key and data encrypted with the public key can only be decrypted with the private key. After generating a public/private key pair you provide your public key to those who want to communicate securely with you. In turn they will provide you with their public key. When they want to send you a secure communication they will encrypt the message with your public key. That message can only be decrypted with your private key, which, as the name implies, is held by only yourself. When you want to reply to the secure communication you encrypt your response with their public key, which can only be decrypted by their private key.

OpenPGP allows you to generate a public/private key pair, encrypt messages with either your private key or another person’s public key, and decrypt messages sent by people who have provided their public key.

An OpenPGP keys looks something like this (which is the public key to blog [at] christopherburg [dot] com):


-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)

mQINBFGkG1IBEACa4FOajIwxUFdwC0C12c1DCg6+gmWcZBnQdfRtV6Z2d1yP9trM
AxdT0ZCSJP5MkEI1t3pvc+r79oPbyK0f4QVe1rJerOVAjEglZhdrWqDyf3Rp5rIH
Ukca7keZ+5Wf9dA+9B//LECzG4sj5qr6Kcssqb27PjK0XLq6O9963/6Lubkdomzj
R/fKjmM2WMLs/tBF0HEZp6sSEeoot+28QtXgzDIE0um2l/ccK4tTLR08NC43+uVu
dh7IJ6CX9bNoeCbmAEjOBONt0pKufvzTMsmGjMuFRc+cJnmXYeAjon9CitnUEXV9
Wmpw2K6XIKxo3PlDQcomKDV6inZySXnzXsOmomTR9XO1G4kaE9BYKdCaOdzCncPb
Au0JeTNu6eqTwrUfQZXuVdKhfRQsqrhxEAEZgpa5ojbseVNt3oOJnYXOYgl3JCku
naILz7hXMGKFQoGOojN6IpffJTjeWNiuj4KMDLTWuOKU1bX1yWJhz84U2HdhoI0L
bWiWVZDLHSjLareSJvXjtdi0v4CgvgF6b+xpIH8pfP+wqBnqZUGT96B5jRUOKuaI
MlHXHkfF070gOa4UbqJtjOHSwU9PcMUXcOxTqJen643+tAXAoqAEHLjIp2fNzmkc
6NB0T1h8JCmqHz+fv5rnKZM9lKkFO6eNPVYz2OoPb+4Zlu2pBvwsja0kBQARAQAB
tCtDaHJpc3RvcGhlciBCdXJnIDxibG9nQGNocmlzdG9waGVyYnVyZy5jb20+iQI4
BBMBAgAiBQJRpBtSAhsvBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAXquxa
uJ2eMegiEACWDIcNPQibNBNWQ5bBl/sCTxoeQvZrf0aFK4y5n1fLxqGhyZmTZdb2
IWyO5kSyEJ0Q3M3JwFIQOnl09aYT9g75omz3EAjtJCL3XKwc3DPYvKpPj/Zq9iiM
Ou4ClXXuR9mqbvu4JOCYVq2r+NZuoQ+mOvEPjp5zA5ARoJ/9r7nO3/foQZ/22PZZ
t7NMUfv+IYwlQ7vBun01gymC1u4ViBOgyl0DzlXKtUPmmPp8PB6E+I6OvnSmRLdt
tfxFzXYGLPZWva6/hGQeptvofYhv0kAvMgOmPtkCpf4RpUz4ebT2mr9vHgVH+VYc
BNFYJLXPdJmbqqD9KdesQ48YvAi50G/MaP8xxVaYI5YD004HO7h2lp9WX0CMWN/l
jRW1yHP/AW+5aw06/LohcDdG/HQjYYkzjX6qUSYg/U/Tky7hmDile9WkMUP22eOk
AkV7OBKly4c3uxqR5+fH5N9GcSbSk6avkbPU8w27t3E6m0PnKRkpUrn/2OFd7u7h
TuQGvfy3LqsVliTruHCOfIY5pmi3qcGeKkaXu7LCnNbNg86VEYYYTEHyoMw1cC99
9IMXKuvGtKaJ7mjj03n0e+7VpcRd646gw3KuQNRd0GTV2xOAJ/vEgoA30Of7Gxoa
PXRuyo67WATgU36kl9yVS5EfT3m1mMUihI5zeN1R1EJn6/tlMnyY/okCHAQTAQIA
BgUCUaQbnwAKCRADj+sE5VF3XY+TD/9jt3hgGyjFKjhRza9KTRJwBV6gFFcQU3MT
8j5evFtbMjZ1oNc5oongwJ7OtLHFVmst4cQMmupems1X7z8mj5we6MQd24CFChKf
xfJj5YwunIWXIpfilY1QznvZ1YlqNkSaQAFRFjdVY2ip4UxnRY4vf4LGT8+WO33j
gG9CXJ8VLjFs+vbXFtvsCabfJk2aNWgbaKMXzrlzlyaQokb7/tXVECNtpdBn454L
FkNMNK19pzgJcNyQMFl6ApxQJzXu8+vPTdZQCvPrEZOL28cNYU35IL3yZoz+CHR5
j123kJVdXOUyA3Z27S4qmJOC6RR9iAx+Us/W/LT03tyMrKyLZaPT90ZhCG9UDnIg
DDlXoLfPYEaVmXU5MfitwsWgtv/gSHNWTIIvc/5JB6U7XEReZw66oyngQdZSP/s3
uV670Yvvl3PaH7UvMRFmfeazqUG/+r+PFxfoMzfOFSixi+uwbT7nbBa7Iyw3F9A0
5HDP9+28PqJvfUTdGgISbvvPAB50rC2FRFhBtvoMYMROaGn87ANH96caKn8a4ynW
nJqwzCGj2l006BciJlWgvZ0jg4ndW2TJU/neuOHEoPkgdLmqaC6QeQNcWryIgX75
q0iZeqjvzWh8rhaQfPNGUS0yF2JxFU14muvvC55Ar0SKnF005Zs8Za8p9PKRfuTr
DQfVVQiAELkCDQRRpBtSARAA1W5yOTe3JxOLwjBBZeUPJjWn20HPk979593iiq6N
6GBqXNHtI8Vboeyq27qAjZoY9FXnibrIXaIJ40mcNj6yXc7n5tImpLByLPy8Ztyx
Jcpu+wC404Av879e8E8gqhbDhpQpMXHNtiuQHMwbN9kr/ohH0GgaKyJhRoJY4Rap
++CeO42v2nRYtAk9RhXehOCbXRF3szU1vdfqrL5LclqZ8rwksIqAjO6imFtvplwt
xcSXvP0slFtpEHVnY5KwUzMbgGsNuz6Fs1biyRzg9qePd2bDmZ7+/cMvasUvP2Qq
vUlxf9lyzx65i123ax4EgWDM14jWhiy+wLc+jjtXtmQ/EcDaNykoir9Gz+WPSYsp
NO6YZg4vDhGT/Afxd4Q5LNoRZ/lGfjXhmgQOgriMaKOTPAe2SgB8Qc0eYDUWO2qu
/bI3orUbeEsIMCZU3mNOhCNOhm/vhyAcdpXtnfMqQeKx4TkgZZO+lotzJa6KHhay
vCGxkZxzR3o8LP72wUke0apZprEoDymU5HSAoHv3o4aFV0AVBdjVCxcsMeCS0fJ3
aLZP9WZ0DrRktrLO8sjAsFutodInD99Ki+pYCjdS5/jixN6+R9EJ4Ud44PT84PtH
qwRVyzF+bC8Mc/QEY4PNl/698liscEe53WqPBelfR6UdvVEvKxI4jibqHwVjc6K8
e38AEQEAAYkEPgQYAQIACQUCUaQbUgIbLgIpCRAXquxauJ2eMcFdIAQZAQIABgUC
UaQbUgAKCRBAXiyJxWbQ4Zk7D/90MW3mf4tCP4yhBqc01FnZEqJuaeBQxBbK6qDw
fMPDYA1D0LRFfLoAxs40lExQQjAtwcxvuF59K0S1XoVQSPq1NyAcGyTUGwu/P7Lz
VCYsDOcBZgwFRzMZFIhSvEpBSTgnX+uKREXecoaI+MzfZbSCChnPYULIKMK3ONqD
pAfGxNIkHOYcIC93f7hB8ZFnszuyfRasgW7xyv26J4w9W0xPIRwH6dNFDpBXvQcx
JMl5jVb55u6tATGhNy7rXWAqgm5w70UNyUJFAmHfSJftfZKHAhvPmRWamnuZ22rH
cVoj9HeJgxO48BGt0tmRPu0XpCk6oSWzKU+STlSutw4DbpgCLwy+Y6Ll24ik2r+f
YpNp1t2jh/SkypLUK9YVxNGCJXtxom/awqND5QMxsziukqSptd2ltrTP4/jCdShU
FN1Srov/29ZXrM/VA7Jqf3HFOB31cHr1J+ftsqtdHsDFerw8emd9VJKSO0dHGh9f
wsZtBAz7MPS1q4qwVn8lYgrVkoohbhiSft6tHircvSX8pX78kTjUNXBkojx4FL3L
SKg9FoSYuC1nqaUobOyuy28hW5sA2FEoWVf/qb5g6lJSJ+u7zhJmis5b8aeuZ6qS
lE3KtCH35bhj63oRlCEgQUjaqTGFoueIbRrdy+wFbh7zqQuKIgQpwDo0SbvJbjfN
FEsXMemqD/947IjTloC0nFDjWJssLhNBaR1GIl0cQYktfrscCB8y+17jc7fymK3/
rnHYvjC1WpdLRHY4H30yyMutPawgnzjdViJW21sLmf/3HSDDP+0qvYRaq356FkpY
7SWj1wvS93B7UCs4A6VRvFnp5sHGPmIgSo5mqG4E36zrcnKQapPOdDfJ41Aj9l3i
f0I1Q0w+PVe6EZBHtYEOyNrT2OqAR9mq/hbM6HeZM+UilG1g6TLk11JJyKfA1V9Q
guzcjzockfePY+NQe7dy+Zc9l5TBIMBECX5YRa9A8OhZ5+q4SNMqM6itq7z1F66k
NWoFGkI+kx2e75tO7o8b5izueJbD7VPNUeE7T+WCSB8Pf4wBfuwuVbu69QpXH0XQ
WihGSJTHETqA1EoBRN6G6WKsq0affN3nO8GeSubwd3Ip/TPH4tfglxHAxegMqvLE
YLX96XueqzeCxyZroH9xqsFmUhszZz3BtuCO8h705Cv2DNprSZJah3+OTLwgMuLZ
GM2ogcvLzPTjZgib5h5j5Pp9tjBYrYnOE4/tctvQ26X2ipedV4/O1gBNTMY6ba+1
2HuLrhgrtbL698KhQahlSfTq9a0GO/GLHM+wtlrVlslSjnZt0eldQf4M+UFIEOxh
w38h55tSuK1XbKSuTpmTE5MIjebksHy6ynAco4ZQo7MLWciGcFbTQQ==
=3COR
-----END PGP PUBLIC KEY BLOCK-----

OpenPGP users can use that gobbledygook to encrypt messages that can only be decrypted by me. Generally people also post their public keys to key servers such as the one provided by the Massachusettes Institute of Technology (MIT) or Canonical, the creators of Ubuntu Linux. If you go to either of those key servers and enter my e-mail address into the search box you will be provided with my published public key.

Many OpenPGP applications can be configured to automatically check key servers for public keys. Later in this series, when I cover specific implementations of OpenPGP, I will explain who an e-mail client can automatically search OpenPGP key servers for public keys associated with e-mail addresses that have send OpenPGP encrypted e-mails. Suffice it to say publishing your public key to a key server makes life easier for other OpenPGP users but there is no requirement to do so (OpenPGP is a decentralized system).

OpenPGP public keys can also be signed by other OpenPGP users. When you sign a public key you are verifying that the person who holds the corresponding private key is who he claims to be. This establishes, what is referred to as, a web of trust. What is a web of trust? A web of trust is a decentralized alternative to the chain of trust system most of us use every day.

When you access this site through its secure connection you receive a public key that has been signed by StartCom. StartCom is a certificate authority, which is an organization that signs Secure Socket Layer (SSL) certificates (certificates used to provide secure connections to websites). StartCom’s public signing key is included in most major web browsers and operating systems so whenever you access a site secured by a certificate signed by StartCom your browser will trust it. By signing the certificate StartCom is verifying that your website is who it claims to be (in my case, blog.christopherburg.com). This system is highly centralized since it relies on a handful of certificate authorities.

Returning to the original question, what is a web of trust, the answer is that a web of trust is a system where individuals sign public keys instead of centralized authorities. If I sign your public key anybody who trusts my public key will see that I trust your public key. A person who trusts my judgement of character will then be more inclined to trust that your public key corresponds to a private key in your possession. This system becomes more effective as more people sign your public key, which is why key signing parties exist (yes, us geeks know how to party). When somebody sees your public key has been signed by several people they personally trust they can be reasonably sure that it is your key.

Now you have a general overview of OpenPGP. In the next installment of my Encrypt Everything series I am going to explain how to use GPGTools to encrypt your e-mails with OpenPGP on OS X (Why am I starting with OS X? Because that’s the operating system I generally use for e-mail. Don’t worry, I will cover other tools as the series progresses).

A Marvelous Engineer Mistake

Humans have been building submarines for many decades now. You would think after designing so many functional submarines most manufacturers would be able to get the basics right. As it turns out, not so much:

According to El Pais, the S-81 Isaac Peral — the first of four state-of-the-art new submarines commissioned for the Spanish Navy — is 75 to 100 tons overweight. That may not seem like a lot, considering the submarine’s full weight when submerged is 2,430 tons, but according to engineers at Navantia, the Spanish shipbuilding company responsible for its design, that excess bulk is enough to prevent the Isaac Peral from successfully resurfacing once submerged.

Emphasis mine. On the upside it does 50 percent of what is expected of a submarine!

Air Gaps Offer Better Security

If you have top secret designs for weapons of war perhaps it would be prudent not to place them on remotely accessible servers:

Designs for many of the nation’s most sensitive advanced weapons systems have been compromised by Chinese hackers, according to a report prepared for the Pentagon and to officials from government and the defense industry.

Among more than two dozen major weapons systems whose designs were breached were programs critical to U.S. missile defenses and combat aircraft and ships, according to a previously undisclosed section of a confidential report prepared for Pentagon leaders by the Defense Science Board.

I do hope this information gets made publicly accessible so we can all find out what those secretive defense contractors and the military are up to.

OpenPGP Key

Many of you are aware that I can be reached by e-mail via blog [at] christopherburg [dot] com. Until now I haven’t published my OpenPGP public key, instead relying on people to first express interest in it before sending it. This isn’t a very effective policy so here is my OpenPGP public key for anybody interested in sending me encrypted e-mails:


-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)

mQINBFGkG1IBEACa4FOajIwxUFdwC0C12c1DCg6+gmWcZBnQdfRtV6Z2d1yP9trM
AxdT0ZCSJP5MkEI1t3pvc+r79oPbyK0f4QVe1rJerOVAjEglZhdrWqDyf3Rp5rIH
Ukca7keZ+5Wf9dA+9B//LECzG4sj5qr6Kcssqb27PjK0XLq6O9963/6Lubkdomzj
R/fKjmM2WMLs/tBF0HEZp6sSEeoot+28QtXgzDIE0um2l/ccK4tTLR08NC43+uVu
dh7IJ6CX9bNoeCbmAEjOBONt0pKufvzTMsmGjMuFRc+cJnmXYeAjon9CitnUEXV9
Wmpw2K6XIKxo3PlDQcomKDV6inZySXnzXsOmomTR9XO1G4kaE9BYKdCaOdzCncPb
Au0JeTNu6eqTwrUfQZXuVdKhfRQsqrhxEAEZgpa5ojbseVNt3oOJnYXOYgl3JCku
naILz7hXMGKFQoGOojN6IpffJTjeWNiuj4KMDLTWuOKU1bX1yWJhz84U2HdhoI0L
bWiWVZDLHSjLareSJvXjtdi0v4CgvgF6b+xpIH8pfP+wqBnqZUGT96B5jRUOKuaI
MlHXHkfF070gOa4UbqJtjOHSwU9PcMUXcOxTqJen643+tAXAoqAEHLjIp2fNzmkc
6NB0T1h8JCmqHz+fv5rnKZM9lKkFO6eNPVYz2OoPb+4Zlu2pBvwsja0kBQARAQAB
tCtDaHJpc3RvcGhlciBCdXJnIDxibG9nQGNocmlzdG9waGVyYnVyZy5jb20+iQI4
BBMBAgAiBQJRpBtSAhsvBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAXquxa
uJ2eMegiEACWDIcNPQibNBNWQ5bBl/sCTxoeQvZrf0aFK4y5n1fLxqGhyZmTZdb2
IWyO5kSyEJ0Q3M3JwFIQOnl09aYT9g75omz3EAjtJCL3XKwc3DPYvKpPj/Zq9iiM
Ou4ClXXuR9mqbvu4JOCYVq2r+NZuoQ+mOvEPjp5zA5ARoJ/9r7nO3/foQZ/22PZZ
t7NMUfv+IYwlQ7vBun01gymC1u4ViBOgyl0DzlXKtUPmmPp8PB6E+I6OvnSmRLdt
tfxFzXYGLPZWva6/hGQeptvofYhv0kAvMgOmPtkCpf4RpUz4ebT2mr9vHgVH+VYc
BNFYJLXPdJmbqqD9KdesQ48YvAi50G/MaP8xxVaYI5YD004HO7h2lp9WX0CMWN/l
jRW1yHP/AW+5aw06/LohcDdG/HQjYYkzjX6qUSYg/U/Tky7hmDile9WkMUP22eOk
AkV7OBKly4c3uxqR5+fH5N9GcSbSk6avkbPU8w27t3E6m0PnKRkpUrn/2OFd7u7h
TuQGvfy3LqsVliTruHCOfIY5pmi3qcGeKkaXu7LCnNbNg86VEYYYTEHyoMw1cC99
9IMXKuvGtKaJ7mjj03n0e+7VpcRd646gw3KuQNRd0GTV2xOAJ/vEgoA30Of7Gxoa
PXRuyo67WATgU36kl9yVS5EfT3m1mMUihI5zeN1R1EJn6/tlMnyY/okCHAQTAQIA
BgUCUaQbnwAKCRADj+sE5VF3XY+TD/9jt3hgGyjFKjhRza9KTRJwBV6gFFcQU3MT
8j5evFtbMjZ1oNc5oongwJ7OtLHFVmst4cQMmupems1X7z8mj5we6MQd24CFChKf
xfJj5YwunIWXIpfilY1QznvZ1YlqNkSaQAFRFjdVY2ip4UxnRY4vf4LGT8+WO33j
gG9CXJ8VLjFs+vbXFtvsCabfJk2aNWgbaKMXzrlzlyaQokb7/tXVECNtpdBn454L
FkNMNK19pzgJcNyQMFl6ApxQJzXu8+vPTdZQCvPrEZOL28cNYU35IL3yZoz+CHR5
j123kJVdXOUyA3Z27S4qmJOC6RR9iAx+Us/W/LT03tyMrKyLZaPT90ZhCG9UDnIg
DDlXoLfPYEaVmXU5MfitwsWgtv/gSHNWTIIvc/5JB6U7XEReZw66oyngQdZSP/s3
uV670Yvvl3PaH7UvMRFmfeazqUG/+r+PFxfoMzfOFSixi+uwbT7nbBa7Iyw3F9A0
5HDP9+28PqJvfUTdGgISbvvPAB50rC2FRFhBtvoMYMROaGn87ANH96caKn8a4ynW
nJqwzCGj2l006BciJlWgvZ0jg4ndW2TJU/neuOHEoPkgdLmqaC6QeQNcWryIgX75
q0iZeqjvzWh8rhaQfPNGUS0yF2JxFU14muvvC55Ar0SKnF005Zs8Za8p9PKRfuTr
DQfVVQiAELkCDQRRpBtSARAA1W5yOTe3JxOLwjBBZeUPJjWn20HPk979593iiq6N
6GBqXNHtI8Vboeyq27qAjZoY9FXnibrIXaIJ40mcNj6yXc7n5tImpLByLPy8Ztyx
Jcpu+wC404Av879e8E8gqhbDhpQpMXHNtiuQHMwbN9kr/ohH0GgaKyJhRoJY4Rap
++CeO42v2nRYtAk9RhXehOCbXRF3szU1vdfqrL5LclqZ8rwksIqAjO6imFtvplwt
xcSXvP0slFtpEHVnY5KwUzMbgGsNuz6Fs1biyRzg9qePd2bDmZ7+/cMvasUvP2Qq
vUlxf9lyzx65i123ax4EgWDM14jWhiy+wLc+jjtXtmQ/EcDaNykoir9Gz+WPSYsp
NO6YZg4vDhGT/Afxd4Q5LNoRZ/lGfjXhmgQOgriMaKOTPAe2SgB8Qc0eYDUWO2qu
/bI3orUbeEsIMCZU3mNOhCNOhm/vhyAcdpXtnfMqQeKx4TkgZZO+lotzJa6KHhay
vCGxkZxzR3o8LP72wUke0apZprEoDymU5HSAoHv3o4aFV0AVBdjVCxcsMeCS0fJ3
aLZP9WZ0DrRktrLO8sjAsFutodInD99Ki+pYCjdS5/jixN6+R9EJ4Ud44PT84PtH
qwRVyzF+bC8Mc/QEY4PNl/698liscEe53WqPBelfR6UdvVEvKxI4jibqHwVjc6K8
e38AEQEAAYkEPgQYAQIACQUCUaQbUgIbLgIpCRAXquxauJ2eMcFdIAQZAQIABgUC
UaQbUgAKCRBAXiyJxWbQ4Zk7D/90MW3mf4tCP4yhBqc01FnZEqJuaeBQxBbK6qDw
fMPDYA1D0LRFfLoAxs40lExQQjAtwcxvuF59K0S1XoVQSPq1NyAcGyTUGwu/P7Lz
VCYsDOcBZgwFRzMZFIhSvEpBSTgnX+uKREXecoaI+MzfZbSCChnPYULIKMK3ONqD
pAfGxNIkHOYcIC93f7hB8ZFnszuyfRasgW7xyv26J4w9W0xPIRwH6dNFDpBXvQcx
JMl5jVb55u6tATGhNy7rXWAqgm5w70UNyUJFAmHfSJftfZKHAhvPmRWamnuZ22rH
cVoj9HeJgxO48BGt0tmRPu0XpCk6oSWzKU+STlSutw4DbpgCLwy+Y6Ll24ik2r+f
YpNp1t2jh/SkypLUK9YVxNGCJXtxom/awqND5QMxsziukqSptd2ltrTP4/jCdShU
FN1Srov/29ZXrM/VA7Jqf3HFOB31cHr1J+ftsqtdHsDFerw8emd9VJKSO0dHGh9f
wsZtBAz7MPS1q4qwVn8lYgrVkoohbhiSft6tHircvSX8pX78kTjUNXBkojx4FL3L
SKg9FoSYuC1nqaUobOyuy28hW5sA2FEoWVf/qb5g6lJSJ+u7zhJmis5b8aeuZ6qS
lE3KtCH35bhj63oRlCEgQUjaqTGFoueIbRrdy+wFbh7zqQuKIgQpwDo0SbvJbjfN
FEsXMemqD/947IjTloC0nFDjWJssLhNBaR1GIl0cQYktfrscCB8y+17jc7fymK3/
rnHYvjC1WpdLRHY4H30yyMutPawgnzjdViJW21sLmf/3HSDDP+0qvYRaq356FkpY
7SWj1wvS93B7UCs4A6VRvFnp5sHGPmIgSo5mqG4E36zrcnKQapPOdDfJ41Aj9l3i
f0I1Q0w+PVe6EZBHtYEOyNrT2OqAR9mq/hbM6HeZM+UilG1g6TLk11JJyKfA1V9Q
guzcjzockfePY+NQe7dy+Zc9l5TBIMBECX5YRa9A8OhZ5+q4SNMqM6itq7z1F66k
NWoFGkI+kx2e75tO7o8b5izueJbD7VPNUeE7T+WCSB8Pf4wBfuwuVbu69QpXH0XQ
WihGSJTHETqA1EoBRN6G6WKsq0affN3nO8GeSubwd3Ip/TPH4tfglxHAxegMqvLE
YLX96XueqzeCxyZroH9xqsFmUhszZz3BtuCO8h705Cv2DNprSZJah3+OTLwgMuLZ
GM2ogcvLzPTjZgib5h5j5Pp9tjBYrYnOE4/tctvQ26X2ipedV4/O1gBNTMY6ba+1
2HuLrhgrtbL698KhQahlSfTq9a0GO/GLHM+wtlrVlslSjnZt0eldQf4M+UFIEOxh
w38h55tSuK1XbKSuTpmTE5MIjebksHy6ynAco4ZQo7MLWciGcFbTQQ==
=3COR
-----END PGP PUBLIC KEY BLOCK-----

Ron Paul Found Guilty of Reverse Domain Name Hijacking

Early this year Ron Paul decided to ignore the free-market principles he usually advocates and attempted to seize the domain names RonPaul.com and RonPaul.org from their current owners. The World Intellectual Property Organization (WIPO), the organization Ron Paul filed his complaint with, not only agreed that the current owners of RonPaul.com and RonPaul.org should be allowed to maintain their ownership but the organization also found Mr. Paul guilty of reverse domain name hijacking:

The owners had offered to sell RonPaul.com to Paul but also offered to give him RonPaul.org as an alternative if Paul didn’t want to buy the .com. Since Paul filed a UDRP against RonPaul.org after the owner offered to give it to him for free, the panel found the case to be reverse domain name hijacking.

Respondent has requested, based on the evidence presented, that the Panel make a finding of Reverse Domain Name Hijacking. In view of the unique facts of this case, in which the evidence demonstrates that Respondent offered to give the Domain Name ronpaul.org to Complainant for no charge, with no strings attached, the Panel is inclined to agree. Instead of accepting the Domain Name, Complainant brought this proceeding. A finding of Reverse Domain Name Hijacking seems to this Panel to be appropriate in the circumstances.

The panel did not find reverse domain name hijacking in the RonPaul.com case (pdf), but determined that Paul did not prove a lack of rights or legitimate interest in the domain by the respondent. As a result, the panel ruled the domain name should remain with its current owner.

Libertarian ethics usually grants property ownership to the first claimant. If you come across a piece of land that isn’t in use and hasn’t been “improved” by somebody you can mix your labor with the land to claim it as your own. Since Mr. Paul is a strong advocate of libertarianism it’s rather ironic that he decided to make an attempt to grab RonPaul.com and RonPaul.org from the first claimants. Free-market principles would state that Mr. Paul should have purchased the domain names for the asking price or negotiated a more favorable price. I commend the WIPO for ruling in favor of the current holders instead of the more famous individual.