Matt's Musings

July 12, 2014

GPG Key Management Rant

Filed under: Debian,Linux,WLUG / LinuxNZ — Matt Brown @ 12:17 pm NZST

2014 and it’s still annoyingly hard to find a reasonable GPG key management system for personal use… All I want is to keep the key material isolated from any Internet connected host, without requiring me to jump through major inconvenience every time I want to use the key.

An HSM/Smartcard of some sort is an obvious choice, but they all suck in their own ways:
* FSFE smartcard – it’s a smartcard, requires a reader, which are generally not particular portable compared to a USB stick.
* Yubikey Neo – restricted to 2048 bits, doesn’t allow imports of primary keys (only subkeys), so you either generate on device and have no backup, or maintain some off-device primary key with only subkeys on the Neo, negating the main benefits of it in the first place.
* Smartcard HSM – similar problems to the Neo, plus not really supported by GPG well (needs 2.0 with specific supporting module version requirements).
* Cryptostick – made by some Germans, sounds potentially great, but perpetually out of stock.

Which leaves basically only the “roll your own” dm-crypt+LUKS usb stick approach. It obviously works well, and is what I currently use, but it’s a bunch of effort to maintain, particularly if you decide, as I have, that the master key material can never touch a machine with a network connection. The implication is that you now need to keep an airgapped machine around, and maintain a set of subkeys that are OK for use on network connected machines to avoid going mad playing sneakernet for every package upload.

The ideal device would be a USB form factor, supporting import of 4096 bit keys, across all GPG capabilities, but with all crypto ops happening on-device, so the key material never leaves the stick once imported. Ideally also cheap enough (e.g. ~100ish currency units) that I can acquire two for redundancy.

As far as I can tell, such a device does not exist on this planet. It’s almost enough to make a man give up on Debian and go live a life of peace and solitude with the remaining 99.9% of the world who don’t know or care about this overly complicated mess of encryption we’ve wrought for ourselves.

end rant.

June 26, 2009

GPG Keysigning Update

Filed under: Debian,WLUG / LinuxNZ — @ 12:56 pm NZST

From the better late than never category… I finally got around to signing keys from the LCA2006 key signing party, the verification sheet from which has travelled with me from NZ to Dublin and then sat on my desk for a few years. I inevitably lost a few of my notes and verifications along the way, so if you were still expecting a signature from me and didn’t get one let me know!

The main hold up for me has been that my previous key signing system, a home grown script, was overly complex and involved me sending an encrypted token to each UID that I waited to receive back before issuing the signature. Lots of work for me, and much hassle for those whose keys I am signing. I’ve reverted back to the more standard method of signing and encrypting the signature to each UID and then throwing my copy of the signature away. Unless the recipient controls the UID and can decrypt the message, the signature will never be released to the world.

I’ve adopted pius as my new signing tool of choice, with a few extra patches to help me maintain my database of signature details and the corresponding verification pages at which are linked from the Policy URL packet of each signature I make. I guess I’ll tidy up the patches over the next few days and see if there is any interest in getting them merged.

February 24, 2009

The government listened!

Filed under: Debian,General,WLUG / LinuxNZ — @ 1:07 pm NZST

I was very pleased to wake up this morning to the news that National has delayed the introduction of S92A via an order-in-council. It’s a nice short-term victory, but I’ll save the champagne until the law is fundamentally rewritten.

The most pleasing aspect of the decision is simply that it was made at all. Within two weeks, a small band of protesters were able to harness the power of the Internet to direct international attention and place enough pressure on a Government, whose Prime Minister admitted to not having read the bill prior, that he then took the time to understand the issues and personally announce the delay in implementation of the law. We owe much thanks to the Creative Freedom Foundation for all the effort they put into co-ordinating the protest and ensuring that a single coherent message was presented. Just a little bit of my cynicism and belief that politicians never listen to public opinion outside of election campaigns was chipped away today.

The reason I’m not breaking out the champagne yet is that we’ve only achieved a temporary reprieve in the commencement of the law. While those present at the press conference seem somewhat confident that John Key didn’t like what he found in the law and would have repealed it if given the chance, all that has actually been done is delay it in the hopes of an agreement between the TCF and the “rights holders” (aka big media companies) on how to implement the still fundamentally broken law. The Government has given until late March for that to occur.

To put this into a more global context. My happiness as I took the bus to work after reading about the decision to delay the law was short lived as the front page of the local paper declared that Eircom (Ireland’s equivalent of Telecom) has “voluntarily” agreed to block sites such as The Pirate Bay upon request by the media companies (this comes a week after they also announced an agreement to, again “voluntarily”, implement a 3-strikes S92A style policy). Now, with the biggest ISP in their pocket (so to speak), the media companies have sent threatening letters to the remaining ISPs in the country demanding they implement the same procedure.

To me, this illustrates one of the fundamental problems with S92. The concept that an ISP is liable for the conduct of its users, or for policing where on the Internet users should and shouldn’t be able to connect to does not belong in our laws. Most ISPs already have provision to disconnect customers for illegal activity in their terms and conditions. If an end-user is doing something illegal, that is an issue between the rights holder and the end-user to take up in the courts just like every other sector of society must do when wronged, at which point the existing ISP terms and conditions can be invoked and access terminated.

The big media companies, having decided that it is too expensive/hard/inconvenient to follow standard legal procedures to resolve their grievances are launching multi-pronged attacks to shift the playing field in their favour. In countries like New Zealand, where our politicians yearn for a Free Trade Agreement with America, they use their lobbyists to ensure that S92 style laws are part of the conditions. In other jurisdictions, like Ireland, they use strong-arm, divide and conquer style bully tactics outside of the political and legal process.

I don’t support copyright infringement. I rely on copyright to protect much of the work I place on the Internet, I want strong laws that protect me when my rights have been infringed. I don’t believe that such laws should come at the expense of due process, our legal tradition and the basic principle of fairness! I don’t believe that copyright infringement is such a heinous crime that it demands punishments stronger than those we deliver to paedophiles, stalkers or any other class of criminal who uses the Internet to enable their crimes.

To me, today’s (yesterday’s – depending on your timezone) decision is only the first step in clawing New Zealand back from the dangerous path that the big media companies have been leading our law makers down. From here we need to press on and demonstrate to the Government over the next month that even if the TCF and rights holders are able to come up with some sort of workable code of practice, the law is still fundamentally flawed. It is based on premise that we are guilty by accusation.

Even if guilt were to be proved by a competent legal body (eg. court or copyright tribunal) we don’t need laws placing further liabilites onto ISPs (and remember the definition of ISP under this amendment act includes businesses who provide Internet access to staff, libraries, schools and hospitals) when their existing terms and conditions already prohibit illegal activity.

Finally, and most importantly of all, we need to remember that laws exist to serve all sectors of society. Yes, copyright infringement is against the law and rights holders are reasonable in expecting the law to protect their content and allow them to make a fair profit. On the other side of the fence, average New Zealanders are not being unreasonable in their desire to have media available electronically, on demand and non-inhibited by DRM following a legal purchase. The failure of the media businesses to adequately cater to this change in market demand and usage of technology is obviously a contributing factor to the widespread copyright problems that they are facing today.

Obviously, I’m not condoning copyright infringement simply because the media companies are failing to address demand. Even stupid laws must be obeyed (and the concept of copyright is far from stupid). What I want to see is the Government acknowledging that the problem is not solely with consumers infringing copyright for malicious purposes, and therefore that the solutions do not lie solely in increasing the enforcement and punishments available.

Copyright has always been a balancing act between the rights of content producers and consumers. S92 and the act it is contained within are taking us far too far down the road of catering to big business and their outdated business models with far too little concern for the rights of the individual consumer.

Despite the many submissions made on this act last year when it was first passing through parliament, there was no comprehensive debate on what copyright means and how it should balance the rights of content producers and consumers in our digital century where copying is a zero-cost, zero-thought activity. Without such a debate we’re doomed to continue wasting time arguing over the symptoms of the problem, like S92.

So, I’m saving my champagne for the day when we as a country address these issues and come up with a fair and workable interpretation of what copyright means today.

September 9, 2008

New Gadgets

Filed under: Debian,General,Linux — @ 10:11 am NZST

It’s been a while since I last acquired new gadgets but I think I’ve made up for lost time with my last weeks purchases.

You may remember that I’ve had my eye on the Openmoko phones since early 2007, but in between shifting across the world and starting a new job I never got around to purchasing one of the first versions. The second version, the “Freerunner”, was released in June this year and I placed an order with Pulster, a local distributor, shortly after. The phones have been in hot demand, so I only received my phone last week, a wait of of almost 2 months, and it turned up missing one of the cables that was meant to come with it. Still some distribution kinks to be worked out.

Distribution kinks are the least of Openmoko’s worries at the moment though. As advertised, the phone is definitely not ready for primetime distribution yet. I’ve tried three different software images on it: the original “stable” 2007.2 image, the current “devel” 2008.8 image and the latest completely rebuilt SHR release which is the most promising yet. With the SHR image I’ve been able to send and receive calls and text messages, although the interface is somewhat arcane. I’m most interested in the GPS which looks to be working reasonably well at this stage.

After almost a week with the phone I’m glad I purchased it, and I’m having fun hacking on it, but there is a huge way to go before I’ll be able to use it as my primary phone. So that’s gadget #1.

The second gadget is a new Digital SLR camera. I’ve been thinking about getting back into photography for a while (I last took photos seriously in high school) and when I saw how affordable digital SLRs had become I couldn’t resist. There isn’t much between Canon and Nikon when comparing mid-range SLRs these days, so after about a week of deliberation I decided on the Canon 450D, primarily because most of my workmates also have Canon SLRs!

I only got the camera on Friday, and spent half the weekend playing with the GPS on the phone (I want to set them up so I can geo tag all my photos), so I haven’t had quite as much time to play with it yet. I expect to spend plenty of quality time with it on our holiday in Malta next week. First impressions are favourable, although I’m fast discovering camera viewfinders were not really designed for people who wear glasses. I may have to consider wearing contacts again.

Once we get back from Malta I’d like to find a local (or online) photography club with some good weekly assignments to fire my creativity and motivate me to get the most out of my new toy.

July 14, 2008

Ubuntu versions numbers on crack

Filed under: Debian,Linux,WLUG / LinuxNZ — @ 3:56 am NZST

On hardy after the latest round of updates:

matt@krypton:~$ dpkg -s flashplugin-nonfree | grep Version

Granted this package is in hardy-backports not hardy proper, but still, what on earth?!?!

March 30, 2007

My DPL Vote

Filed under: Debian,WLUG / LinuxNZ — @ 2:57 am NZST

- - -=-=-=-=-=- Don't Delete Anything Between These Lines =-=-=-=-=-=-=-=-
[ 6 ] Choice 1: Wouter Verhelst
[ 6 ] Choice 2: Aigars Mahinovs
[ 3 ] Choice 3: Gustavo Franco
[ 3 ] Choice 4: Sam Hocevar
[ 2 ] Choice 5: Steve McIntyre
[ 4 ] Choice 6: Raphaël Hertzog
[ 1 ] Choice 7: Anthony Towns
[ 6 ] Choice 8: Simon Richter
[ 5 ] Choice 9: None Of The Above
- - -=-=-=-=-=- Don't Delete Anything Between These Lines =-=-=-=-=-=-=-=-

My rationale follows, if you care...

I've been pondering how to vote for well over a week, and I'm still not entirely happy that the ballot I've chosen accurately expresses my wishes, but it's the best approximation of them that I can come up with at this time.

My dilemma has two parts

  1. I don't think the current office of the DPL is effective, due to how it is viewed by a significant proportion of the project (if not an outright majority), so regardless of how much I might like the goals and ideas proposed by an individual candidate I'm very pessimistic that being electing as DPL will actually bring those things to pass.
  2. Much of what will make a good DPL is about how a specific set of ideas and goals will be put into action, and how interpersonal relationships between the DPL and various parties will be managed. This comes down to the personal character, experience and leadership skills of the candidate While I can form some level of an opinion about each of these aspects from mailing list archives, and IRC, etc. I don't really feel comfortable making judgements in these areas until I've actually met them in real life. Too many people come across badly in the (severely limited) online communication methods we use, and are actually very decent reasonable people in real life. Out of the candidates, AJ is the only one that I've ever actually met and talked to.

Given these problems, my first step in choosing how to vote was to eliminate those candidates who I will rank below NOTA based on their published platforms. I have nothing personal against any of these three people, but given the other possible candidates I think that we'd be better off having another election than just electing one of these three for the sake of it.

  • Wouter Verhelst - Wouter's platform lacks any detail that tells me what he stands for or where he wants to see Debian go. Wouter's platform also seems very conflict averse, it favours discussion and agreement over making hard decisions. I think Debian needs to make some hard decisions and the project leader needs to be someone who is able to willing handle (civilised) conflict.
  • Aigars Mahinovs - Most of the topics that Aigars proposes to work on do not make my list of the most important issues for Debian to solve, and as others have pointed out, are possible better dealt with by other organisations.
  • Simon Richter - Simon doesn't actually state what he wants to achieve as DPL or where he sees Debian's future direction as being, other than some vague hints that he is against projects that are similar to 'dunc-tank' and that we need a common goal. Stating what that common goal should be, would have lifted this above NOTA.

That leaves five remaining candidates:

  • Anthony Towns - AJ gets my top ranking because I think that having some consistency in the DPL is a worthwhile goal. While I think that the whole Dunc-tank fiasco could have been managed much, much better, there were obviously hostile factions that would have made anything AJ did look bad. AJ's platform seems to mostly involve him leading infrastructural improvements (good) and encouraging others to work on things that they want to see changed (also good). The one area where I possibly disagree with Anthony is around what the DPL role should look like. Anthony appears happy with the current state of the DPL office, I think that some significant changes are needed. However that's going to require constitutional changes, so I'm not going to rank Anthony down on that basis alone.
  • Steve McIntyre - Steve comes second primarily because he's implicitly endorsed by AJ and everything that I've seen online related to Steve suggests that he is a level-headed, decent individual with good leadership skills. If I can't have consistency in the DPL office via AJ, then Steve would definitely be the next choice. Steve's platform also doesn't contain anything that I disagree with.
  • Sam Hocevar and Gustavo Franco - Sam and Gustavo are ranked equally based purely on the basis of their (relatively similar) platforms containing lots of great ideas and vision for Debian that I agree with. I don't for a minute think that they will be able to achieve all of it, but at least by providing clear goals and a mandate for implementing them we might be able to start down the track of regaining some common purpose as a project. I have some reservations about Sam's style based on what I've read in archive, but seeing as I'm giving the benefit of the doubt to people I haven't personally met, I'm going to assume, that if elected Sam will be a great DPL.
  • Raphaël Hertzog - Raphaël gets my final vote above NOTA to indicate that I support the idea of a board governing Debian, but that I don't think his particular proposal is the correct way for the board to run. If Raphaël were to win, I wouldn't object to him placing his suggested board in 'office' for the upcoming year, but I hope that a major piece of their workload would be to lead the discussion, drafting and passing of a constitutional change to replace the DPL with an elected board with rotating terms of reasonable length (2-3) years.

*yawn* It's made me tired writing all of that out. Maybe sometime soon I should explain in more detail exactly what parts of Debian's governance model I think need changing or maybe I need to wait until I've achieved a few more technical things and gained enough respect before anyone will listen to my opinions...

Powered by WordPress