My thoughts on Slackware, life and everything

Tag: encryption

Transitioning to a new GPG key


I have generated a new GPG key to replace my old one, which was based on a 1024-bit DSA primary key. The new primary key is 4096-bit RSA. I will be transitioning away from my old one.

The old key will continue to be valid, but I prefer all future correspondence to use the new key. I would also like this new key to be re-integrated into the web of trust. The online version of this message is signed by both my keys (old and new) to certify the transition.

The old key was:

pub 1024D/A75CBDA0 2003-01-17
 Key Fingerprint = F2CE 1B92 EE1F 2C0C E97E 581E 5E56 AAAF A75C BDA0

And the new key is:

pub 4096R/769EE011 2016-08-21
 Key Fingerprint = 2AD1 07EA F451 32C8 A991 F4F9 883E C63B 769E E011

To fetch the full key (including a photo UID, which public keyservers commonly strip), use either of these two commands. Note that both URLs are plain HTTP, so treat the download as untrusted until the fingerprint check further down passes:

wget -q -O- http://slackware.com/~alien/alien.gpg.asc | gpg --import -
wget -q -O- http://alienbase.nl/alien.gpg.asc | gpg --import -

Or, to fetch my new key from a public key server, you can simply do:

gpg --keyserver pgp.mit.edu --recv-key 769EE011

If you already know my old key, you can now verify that the new key is signed by the old one:

gpg --check-sigs 769EE011

If you don’t already know my old key, or you just want to be double extra paranoid, check the fingerprint against the one above. Compare all forty hex digits: the 8-character key ID used in these commands is only 32 bits long and cannot by itself identify a key.

gpg --fingerprint 769EE011

If you are satisfied that you’ve got the right key, and the UIDs match what you expect, I’d appreciate it if you would sign my key:

gpg --sign-key 769EE011

Lastly, if you could upload these signatures, I would appreciate it. You can either send me an e-mail with the new signatures (if you have a functional MTA on your system):

gpg --armor --export 769EE011 | mail -s 'GPG Signatures' alien@slackware.com

Or you can just upload the signatures to a public keyserver directly:

gpg --keyserver pgp.mit.edu --send-key 769EE011
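The two verification steps above (fingerprint matches, new key carries a good certification from the old key) can be checked by machine instead of by eye, using gpg's --with-colons output. The script below is an added example, not code from this post or from Eric: the two "gpg --with-colons" samples it runs on are constructed (subkey ID, UID hash and the impostor key are placeholders), and the only real data in it are the two fingerprints published above. The impostor sample shows why the full fingerprint matters: it shares the short ID 769EE011 and the UID text, yet must be refused.

```python
"""Added example: machine-check the two things the post asks you to verify
before signing, using gpg's --with-colons output. Not code from the post.

Why: 769EE011 is a 32-bit short key ID. Keys colliding on a short ID are
cheap to generate, so a keyserver fetch by short ID may return an impostor.
Compare the full 160-bit fingerprint, and confirm the old key certified the
new one, before running 'gpg --sign-key'.
"""
import subprocess

# Fingerprints exactly as published in the post.
OLD_FPR = "F2CE 1B92 EE1F 2C0C E97E 581E 5E56 AAAF A75C BDA0"
NEW_FPR = "2AD1 07EA F451 32C8 A991 F4F9 883E C63B 769E E011"


def normalize(fpr):
    """Canonical form: uppercase hex without whitespace."""
    return "".join(fpr.split()).upper()


def long_keyid(fpr):
    """The 64-bit key ID of a v4 key is the low 16 hex digits of its fingerprint."""
    return normalize(fpr)[-16:]


def primary_fingerprints(colons):
    """Fingerprints of all primary keys in 'gpg --with-colons' output: the
    'fpr' record directly after a 'pub' record. An 'fpr' after 'sub' belongs
    to a subkey and is skipped. Field 10 of an fpr record holds the digits."""
    found, after_pub = [], False
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            after_pub = True
        elif f[0] == "fpr" and after_pub:
            found.append(f[9].upper())
            after_pub = False
        elif f[0] == "sub":
            after_pub = False
    return found


def fingerprint_matches(colons, expected):
    """True only on a full-fingerprint match; sharing the short ID is worthless."""
    return normalize(expected) in primary_fingerprints(colons)


def certified_by(colons, signer_fpr):
    """True if '--check-sigs --with-colons' output has a good signature ('!' in
    field 2) whose issuer (field 5, long key ID) is the given signer."""
    want = long_keyid(signer_fpr)
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "sig" and len(f) > 4 and f[1] == "!" and f[4].upper() == want:
            return True
    return False


def safe_to_sign(colons):
    """Both checks from the post, as one yes/no decision."""
    return fingerprint_matches(colons, NEW_FPR) and certified_by(colons, OLD_FPR)


def gpg_colons(*args):
    """Ask the real gpg for machine-readable output (needs gpg installed)."""
    return subprocess.run(["gpg", "--with-colons", *args],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample of 'gpg --with-colons --fingerprint --check-sigs 769EE011'
# for the genuine key (only the record types the checks use; subkey ID and
# UID hash are placeholders). The sig record issued by 5E56AAAFA75CBDA0 is the
# old key certifying the new one.
GENUINE = """\
pub:-:4096:1:883EC63B769EE011:1471803300:::-:::scESC::::::23::0:
fpr:::::::::2AD107EAF45132C8A991F4F9883EC63B769EE011:
uid:-::::1471803300::UIDHASH::Eric Hameleers <alien@slackware.com>::::::::::0:
sig:!::1:883EC63B769EE011:1471803300::::Eric Hameleers <alien@slackware.com>:13x::2AD107EAF45132C8A991F4F9883EC63B769EE011:::8:
sig:!::17:5E56AAAFA75CBDA0:1471803300::::Eric Hameleers <alien@slackware.com>:10x::F2CE1B92EE1F2C0CE97E581E5E56AAAFA75CBDA0:::2:
sub:-:4096:1:0123456789ABCDEF:1471803300::::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000000:
"""

# Constructed impostor: same short ID 769EE011 and the same UID text, but a
# different fingerprint and only a self-signature.
IMPOSTOR = """\
pub:-:4096:1:DEADBEEF769EE011:1500000000:::-:::scESC::::::23::0:
fpr:::::::::111111111111111111111111DEADBEEF769EE011:
uid:-::::1500000000::UIDHASH::Eric Hameleers <alien@slackware.com>::::::::::0:
sig:!::1:DEADBEEF769EE011:1500000000::::Eric Hameleers <alien@slackware.com>:13x::111111111111111111111111DEADBEEF769EE011:::8:
"""

if __name__ == "__main__":
    # Offline demo; for the real key use:
    #   safe_to_sign(gpg_colons("--fingerprint", "--check-sigs", "769EE011"))
    for name, sample in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(f"{name}: fingerprint ok={fingerprint_matches(sample, NEW_FPR)} "
              f"certified by old key={certified_by(sample, OLD_FPR)} "
              f"-> sign={safe_to_sign(sample)}")
```

Run it as-is for the offline demonstration, or feed safe_to_sign() the output of gpg_colons("--fingerprint", "--check-sigs", "769EE011") after importing the key; only sign when it returns True. The certification check needs the old key in your keyring, otherwise gpg marks the signature "?" rather than "!" and the check correctly fails.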

Please let me know if there is any trouble, and sorry for the inconvenience.

Eric

Some reading material in case you too want to transition to a new key or even want to start using GPG:

Note:
The above text is based on a “gpg-transition-document” template which seems to be pretty widely used on the Internet for purposes of GPG key transitioning. My own text (the one of this blog post) can also be found here: http://www.slackware.com/~alien/gpg_transition_20160821.txt . That text file has been digitally signed with my old and new keys so that you can verify the correctness of my statements.


Update for VeraCrypt, new flaws in TrueCrypt

Recently TrueCrypt has been in the news again, because of a couple of new critical security issues that were found in its Windows version. You can read more in these articles at Engadget, Threatpost and Extremetech. On a Windows computer with TrueCrypt installed, a non-privileged local user can gain full control of the machine, and no TrueCrypt container even has to be mounted for that.

These recently uncovered flaws were not found in last year’s code audit of the TrueCrypt sources. Apparently the omission is due to the complexity of Windows drivers and to “the kind of vulnerabilities that exist in many software on Windows and they are caused by lack of proper parameter validation in kernel mode code”, according to Mounir Idrassi (VeraCrypt developer) in Threatpost.

Even though these new vulnerabilities do not affect Linux, it is highly unwise to keep using TrueCrypt on Linux: the code is no longer maintained, it already has known security issues, and good alternatives exist.

VeraCrypt is an actively maintained fork of the TrueCrypt code, and the recently found TrueCrypt flaws (the full details are to be disclosed next week) were already patched in VeraCrypt 1.15 last weekend.

VeraCrypt is a drop-in replacement for TrueCrypt as long as you let it open your existing encrypted containers in “TrueCrypt mode” (the -tc option of the command-line client, or the matching checkbox in the mount dialog).

I have built new packages for VeraCrypt 1.15, updating it from the previous 1.13 which I had in my repository. You can get the packages (for Slackware versions 13.37 and newer) here: http://www.slackware.com/~alien/slackbuilds/veracrypt/ or at its primary mirror location http://taper.alienbase.nl/mirrors/people/alien/slackbuilds/veracrypt/

Users of slackpkg+ merely have to run “slackpkg update && slackpkg upgrade veracrypt”, assuming that the repository mirror you are using is up to date.

Cheers! Eric


Securely browsing the net – using SOCKS

If you are using a public/open wireless access point (in an Internet cafe, say), or if you live in a country whose government is not all that concerned about its citizens’ freedom, you sometimes find yourself in the position that you want to hide your browsing behaviour from others.

I will describe a setup which runs your browser traffic through an encrypted tunnel. With Firefox, even your DNS lookups go through that tunnel instead of to the local (possibly monitored) DNS server. There is one catch: you need a shell account on a remote SSH server.

This article uses a lesser-known feature of OpenSSH: the ssh client can act as a SOCKS proxy.

Suppose you have a shell account “alien” on a remote server “safehaven.net”. With ssh you can set up a local SOCKS proxy in a single command. Running it as a non-root user, you can only bind the proxy to an unprivileged port (1024 and above):

$ ssh -D 8888 alien@safehaven.net

Once the ssh client is connected to the remote server, port 8888 on your local computer acts as a SOCKS proxy. By default it listens on 127.0.0.1 only, so other machines on the network cannot use it. Any application that can talk to a SOCKS proxy now has its traffic carried inside the SSH connection: encrypted between your computer and safehaven.net, and leaving safehaven.net in whatever form the application sent it (so keep using HTTPS where you can).

Then configure Firefox to use a SOCKS v5 proxy; the proxy’s hostname is “127.0.0.1” and the port is of course “8888”.

This is enough to hide your browsing (the URLs you access as well as the data you retrieve in your browser) from anyone on the local network or on the path to safehaven.net; the operator of safehaven.net can of course still see it. But… your computer is still consulting a local DNS server for the hostname lookups, and anyone who can sniff that traffic can guess what you are doing. Even if your computer uses one of the many “free” DNS services on the Internet (like Google’s public DNS addresses 8.8.8.8 and 8.8.4.4), those lookups travel in the clear and can be monitored on the local network.

So there is one more Firefox setting you have to change in order to alter its DNS lookup behaviour. In the Firefox address bar, type “about:config”, which shows the low-level configuration options for the browser, most of which are not accessible through its “normal” GUI. Look for the entry:

network.proxy.socks_remote_dns

which is “false” by default. Double-click it to set it to “true”. From then on Firefox hands hostnames to the SOCKS proxy unresolved, and the ssh server resolves them with its own DNS server at the far end of the tunnel, so no lookup leaves your computer in the clear. If you know that DNS lookups on your local network are being filtered or spoofed, this is your way out of that ugliness.
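To see what that one setting changes on the wire, here is an added example that is not code from this post: it builds the SOCKS5 CONNECT request (RFC 1928) that a browser sends to the port opened by “ssh -D”, once the way Firefox does with socks_remote_dns off (name resolved locally, IPv4 address sent) and once with it on (hostname sent, resolved by the ssh server), and then decodes the request the way the proxy end sees it. The local resolver is replaced by a constructed lookup table with a TEST-NET address so the script runs offline; a real client would call socket.getaddrinfo(), which is exactly the lookup a sniffer on the local network observes.

```python
"""Added example (not from the post): what network.proxy.socks_remote_dns
changes on the wire. Firefox speaks SOCKS5 (RFC 1928) to the port opened by
'ssh -D'. With remote DNS off it resolves the name itself, a cleartext DNS
query on the local network, and hands the proxy an IPv4 address (ATYP 0x01).
With remote DNS on it hands the proxy the hostname (ATYP 0x03) and the ssh
server resolves it at the far end of the tunnel.
"""
import socket
import struct

SOCKS_VER, CMD_CONNECT, NO_AUTH = 0x05, 0x01, 0x00
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Constructed stand-in for the local resolver, so the example runs offline.
# A real client would call socket.getaddrinfo(), i.e. leak the name.
LOCAL_RESOLVER = {"www.slackware.com": "192.0.2.10"}   # TEST-NET-1 address


def greeting():
    """First message Firefox sends: version 5, one auth method, 'no auth'.
    ssh -D answers with 05 00."""
    return bytes([SOCKS_VER, 1, NO_AUTH])


def connect_request(host, port, remote_dns):
    """Build the SOCKS5 CONNECT request the browser sends for host:port."""
    if remote_dns:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5 ATYP 0x03")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        ip = LOCAL_RESOLVER[host]            # the lookup a local sniffer sees
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(ip)
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_request(req):
    """Decode a CONNECT request the way the proxy end does and report whether
    name resolution already happened on the client (i.e. leaked locally)."""
    if len(req) < 5 or req[0] != SOCKS_VER or req[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp, body = req[3], req[4:]
    if atyp == ATYP_IPV4:
        target, rest = socket.inet_ntoa(body[:4]), body[4:]
    elif atyp == ATYP_DOMAIN:
        n = body[0]
        target, rest = body[1:1 + n].decode("idna"), body[1 + n:]
    elif atyp == ATYP_IPV6:
        target, rest = socket.inet_ntop(socket.AF_INET6, body[:16]), body[16:]
    else:
        raise ValueError("unknown ATYP %#x" % atyp)
    if len(rest) != 2:
        raise ValueError("trailing bytes or truncated request")
    return {"target": target, "port": struct.unpack("!H", rest)[0],
            "dns_done_locally": atyp != ATYP_DOMAIN}


if __name__ == "__main__":
    for remote in (False, True):
        req = connect_request("www.slackware.com", 443, remote_dns=remote)
        print("socks_remote_dns=%s: %s -> %s"
              % (remote, req.hex(), parse_request(req)))
```

With remote DNS off the proxy only ever receives an IP address, which means the name had to be looked up before the request was built; with it on, the name travels inside the SSH connection and the ssh server's resolver answers it, so the DNS query never appears on the local network (the ssh server's operator sees it instead).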

Eric

Dropbox


Is your head in the clouds yet?

For years now, I have been waiting for Google’s promise of free online storage, called the “GDrive”. In the meantime Google (and its competitors) have made it much easier to store your data online in various ways (look at Picasa Web Albums, Google Docs, Gmail etc), but that is not quite the same.

With the current expansion of “cloud computing” –  yet another small step toward the Matrix becoming reality – it was just a matter of time to see new free cloud services emerging.

One of those cloud services made a click in my brain the moment I saw it. Dropbox gives you a free 2.5 GB of online “cloud” storage. As if this is not enough, the Dropbox folks increase your storage limit in 250 MB increments – also for free – when you go through the Dropbox tutorial and/or invite your friends to use the service as well. You can buy even more storage if you need it.

What exactly does it do? Well, think of it as two interconnected “boxes”, one on your own computer and the other on the Internet, in which you store your files. In fact, the manifestation of that “dropbox” is just a directory on your local computer. Everything in the local Dropbox is immediately synchronized with the server’s Dropbox. It is a real-time backup facility! Beware of modifying large files though, because any change to a file inside the Dropbox triggers its upload to the server. That will eat your bandwidth if the file is hundreds of megabytes in size.

By installing Dropbox on another computer using the same account, you are able to access your online backup there as well. The Dropbox on the other computer will be synchronized with the server, i.e. all files on the server will be downloaded to that computer. Dropbox is intelligent enough to allow multiple people to use the same Dropbox at the same time! If more than one person changes the same file (so that two versions of that file are uploaded to the server), you end up with all versions of the file being stored on the server with slightly changed filenames; nothing gets deleted. Bonus: the changed files that were uploaded to the server by the other person’s Dropbox will find their way to your own local dropbox and vice versa. The synchronization works both ways.

I have been using Dropbox for a while now and it works very well for me. It is platform independent (clients for Linux, Windows and Mac are available). It has built-in collaboration: you can share a directory in your Dropbox. When someone joins a shared folder, the folder appears inside their Dropbox and syncs to their computers automatically. You can even make files available to people who themselves have no Dropbox account: one directory in your Dropbox is considered “public”, and that is how it is named too. Every file in that directory is publicly accessible using a web browser.

In true alien tradition, I created a Slackware package which gives you the dropbox-client, a system tray applet. Depending on your DE, it will start dolphin (in KDE4), thunar (in XFCE), or whatever application is your default file manager when you click the applet’s icon. The first time this Dropbox client starts (from the system menu or by running /usr/bin/dropbox), you will be asked to fill in your account data, and if you did not download the daemon yourself, the client will proceed to download the closed-source dropbox daemon binary and install it to ~/.dropbox-dist/ (yes, the program lives in your home directory). Oh, I hear your “gulp!”, but it is really basic stuff, and you will find it easy to set up.

If you do not care for a GUI because you run a server, you’re not left out in the cold. You can simply forget my package, and download the dropbox daemon yourself. There is a page on the Dropbox Wiki which explains the steps.

Enough talk! Get Dropbox at http://www.dropbox.com/ or even better, use my referral link http://db.tt/Rv5417bY to create your account. Using the referral gives you and me both an additional 500 MB of free online storage (up to a maximum of 16 GB bonus space).

And remember: backups are important! It cannot be stressed enough. However, if you intend to save sensitive data in your Dropbox, be sure to encrypt it first, for instance using KeePass or TrueCrypt; both programs are cross-platform (Linux and Windows).

Take care, Eric

© 2024 Alien Pastures
