Matt's Musings

July 12, 2014

GPG Key Management Rant

Filed under: Debian,Linux,WLUG / LinuxNZ — Matt Brown @ 12:17 pm NZST

2014 and it’s still annoyingly hard to find a reasonable GPG key management system for personal use… All I want is to keep the key material isolated from any Internet connected host, without requiring me to jump through major inconvenience every time I want to use the key.

An HSM/Smartcard of some sort is an obvious choice, but they all suck in their own ways:
* FSFE smartcard – it’s a smartcard, requires a reader, which are generally not particular portable compared to a USB stick.
* Yubikey Neo – restricted to 2048 bits, doesn’t allow imports of primary keys (only subkeys), so you either generate on device and have no backup, or maintain some off-device primary key with only subkeys on the Neo, negating the main benefits of it in the first place.
* Smartcard HSM – similar problems to the Neo, plus not really supported by GPG well (needs 2.0 with specific supporting module version requirements).
* Cryptostick – made by some Germans, sounds potentially great, but perpetually out of stock.

Which leaves basically only the “roll your own” dm-crypt+LUKS usb stick approach. It obviously works well, and is what I currently use, but it’s a bunch of effort to maintain, particularly if you decide, as I have, that the master key material can never touch a machine with a network connection. The implication is that you now need to keep an airgapped machine around, and maintain a set of subkeys that are OK for use on network connected machines to avoid going mad playing sneakernet for every package upload.

The ideal device would be a USB form factor, supporting import of 4096 bit keys, across all GPG capabilities, but with all crypto ops happening on-device, so the key material never leaves the stick once imported. Ideally also cheap enough (e.g. ~100ish currency units) that I can acquire two for redundancy.

As far as I can tell, such a device does not exist on this planet. It’s almost enough to make a man give up on Debian and go live a life of peace and solitude with the remaining 99.9% of the world who don’t know or care about this overly complicated mess of encryption we’ve wrought for ourselves.

end rant.

November 24, 2011

How I’m voting in 2011

Filed under: General,Life,WLUG / LinuxNZ — @ 11:45 pm NZST

It’s general election time again in New Zealand this year, with the added twist of an additional referendum on whether to keep MMP as our electoral system. If you’re not interested in New Zealand politics, then you should definitely skip the rest of this post.

I’ve never understood why some people consider their voting choices a matter of national security, so when via Andrew McMillan, I saw a good rationale for why you should share your opinion I found my excuse to write this post.

Party Vote
I’ll be voting for National. I’m philosophically much closer to National than Labour, particularly on economic and personal responsibility issues, but even if I wasn’t the thought of having Phil Goff as Prime Minister would be enough to put me off voting Labour. His early career seems strong, but lately it’s been one misstep and half-truth after another, the remainder of the Labour caucus and their likely support partners don’t offer much reassurance either. If I was left-leaning and the mess that Labour is in wasn’t enough to push me over to National this year then I’d vote Greens and hope they saw the light and decided to partner with National.

Electorate Vote
I live in Dublin, but you stay registered in the last electorate where you resided, which for me is Tamaki. I have no idea who the candidates there are, so I’ll just be voting for the National candidate for the reasons above.

MMP Referendum
I have no real objections to MMP and I think it’s done a good job of increasing representation in our parliament. I like that parties can bring in some star players without them having to spend time in an electorate. I don’t like the tendency towards unstable coalitions that our past MMP results have sometimes provided.

Of the alternatives, STV is the only one that I think should be seriously considered, FPP and it’s close cousin SM don’t give the proportionality of MMP and PV just seems like a simplified version of STV with limited other benefit. If you’re going to do preferential voting, you might as well do it properly and use STV.

So, I’ll vote for a change to STV, not because I’m convinced that MMP is wrong, but because I think it doesn’t hurt for the country to spend a bit more time and energy confirming that we have the right electoral system. If the referendum succeeds and we get another referendum between MMP and something other than STV in 2014, I’ll vote to keep MMP. If we have a vote between MMP and STV in 2014 I’m not yet sure how I’d vote. STV is arguably an excellent system, but I worry that it’s too complex for most voters to understand.

PS. Just found this handy list of 10 positive reasons to vote for National, if you’re still undecided and need a further nudge. Kiwiblog: 10 positive reasons to vote National

June 26, 2009

GPG Keysigning Update

Filed under: Debian,WLUG / LinuxNZ — @ 12:56 pm NZST

From the better late than never category… I finally got around to signing keys from the LCA2006 key signing party, the verification sheet from which has travelled with me from NZ to Dublin and then sat on my desk for a few years. I inevitably lost a few of my notes and verifications along the way, so if you were still expecting a signature from me and didn’t get one let me know!

The main hold up for me has been that my previous key signing system, a home grown script, was overly complex and involved me sending an encrypted token to each UID that I waited to receive back before issuing the signature. Lots of work for me, and much hassle for those whose keys I am signing. I’ve reverted back to the more standard method of signing and encrypting the signature to each UID and then throwing my copy of the signature away. Unless the recipient controls the UID and can decrypt the message, the signature will never be released to the world.

I’ve adopted pius as my new signing tool of choice, with a few extra patches to help me maintain my database of signature details and the corresponding verification pages at which are linked from the Policy URL packet of each signature I make. I guess I’ll tidy up the patches over the next few days and see if there is any interest in getting them merged.

February 24, 2009

The government listened!

Filed under: Debian,General,WLUG / LinuxNZ — @ 1:07 pm NZST

I was very pleased to wake up this morning to the news that National has delayed the introduction of S92A via an order-in-council. It’s a nice short-term victory, but I’ll save the champagne until the law is fundamentally rewritten.

The most pleasing aspect of the decision is simply that it was made at all. Within two weeks, a small band of protesters were able to harness the power of the Internet to direct international attention and place enough pressure on a Government, whose Prime Minister admitted to not having read the bill prior, that he then took the time to understand the issues and personally announce the delay in implementation of the law. We owe much thanks to the Creative Freedom Foundation for all the effort they put into co-ordinating the protest and ensuring that a single coherent message was presented. Just a little bit of my cynicism and belief that politicians never listen to public opinion outside of election campaigns was chipped away today.

The reason I’m not breaking out the champagne yet is that we’ve only achieved a temporary reprieve in the commencement of the law. While those present at the press conference seem somewhat confident that John Key didn’t like what he found in the law and would have repealed it if given the chance, all that has actually been done is delay it in the hopes of an agreement between the TCF and the “rights holders” (aka big media companies) on how to implement the still fundamentally broken law. The Government has given until late March for that to occur.

To put this into a more global context. My happiness as I took the bus to work after reading about the decision to delay the law was short lived as the front page of the local paper declared that Eircom (Ireland’s equivalent of Telecom) has “voluntarily” agreed to block sites such as The Pirate Bay upon request by the media companies (this comes a week after they also announced an agreement to, again “voluntarily”, implement a 3-strikes S92A style policy). Now, with the biggest ISP in their pocket (so to speak), the media companies have sent threatening letters to the remaining ISPs in the country demanding they implement the same procedure.

To me, this illustrates one of the fundamental problems with S92. The concept that an ISP is liable for the conduct of its users, or for policing where on the Internet users should and shouldn’t be able to connect to does not belong in our laws. Most ISPs already have provision to disconnect customers for illegal activity in their terms and conditions. If an end-user is doing something illegal, that is an issue between the rights holder and the end-user to take up in the courts just like every other sector of society must do when wronged, at which point the existing ISP terms and conditions can be invoked and access terminated.

The big media companies, having decided that it is too expensive/hard/inconvenient to follow standard legal procedures to resolve their grievances are launching multi-pronged attacks to shift the playing field in their favour. In countries like New Zealand, where our politicians yearn for a Free Trade Agreement with America, they use their lobbyists to ensure that S92 style laws are part of the conditions. In other jurisdictions, like Ireland, they use strong-arm, divide and conquer style bully tactics outside of the political and legal process.

I don’t support copyright infringement. I rely on copyright to protect much of the work I place on the Internet, I want strong laws that protect me when my rights have been infringed. I don’t believe that such laws should come at the expense of due process, our legal tradition and the basic principle of fairness! I don’t believe that copyright infringement is such a heinous crime that it demands punishments stronger than those we deliver to paedophiles, stalkers or any other class of criminal who uses the Internet to enable their crimes.

To me, today’s (yesterday’s – depending on your timezone) decision is only the first step in clawing New Zealand back from the dangerous path that the big media companies have been leading our law makers down. From here we need to press on and demonstrate to the Government over the next month that even if the TCF and rights holders are able to come up with some sort of workable code of practice, the law is still fundamentally flawed. It is based on premise that we are guilty by accusation.

Even if guilt were to be proved by a competent legal body (eg. court or copyright tribunal) we don’t need laws placing further liabilites onto ISPs (and remember the definition of ISP under this amendment act includes businesses who provide Internet access to staff, libraries, schools and hospitals) when their existing terms and conditions already prohibit illegal activity.

Finally, and most importantly of all, we need to remember that laws exist to serve all sectors of society. Yes, copyright infringement is against the law and rights holders are reasonable in expecting the law to protect their content and allow them to make a fair profit. On the other side of the fence, average New Zealanders are not being unreasonable in their desire to have media available electronically, on demand and non-inhibited by DRM following a legal purchase. The failure of the media businesses to adequately cater to this change in market demand and usage of technology is obviously a contributing factor to the widespread copyright problems that they are facing today.

Obviously, I’m not condoning copyright infringement simply because the media companies are failing to address demand. Even stupid laws must be obeyed (and the concept of copyright is far from stupid). What I want to see is the Government acknowledging that the problem is not solely with consumers infringing copyright for malicious purposes, and therefore that the solutions do not lie solely in increasing the enforcement and punishments available.

Copyright has always been a balancing act between the rights of content producers and consumers. S92 and the act it is contained within are taking us far too far down the road of catering to big business and their outdated business models with far too little concern for the rights of the individual consumer.

Despite the many submissions made on this act last year when it was first passing through parliament, there was no comprehensive debate on what copyright means and how it should balance the rights of content producers and consumers in our digital century where copying is a zero-cost, zero-thought activity. Without such a debate we’re doomed to continue wasting time arguing over the symptoms of the problem, like S92.

So, I’m saving my champagne for the day when we as a country address these issues and come up with a fair and workable interpretation of what copyright means today.

February 18, 2009

Blacked Out – no “Guilt Upon Accusation”

Filed under: General,Linux,WLUG / LinuxNZ — @ 1:37 pm NZST

If you’re reading this post via the website rather than a feed/planet then you will notice that the site has gone completely black in support of the Creative Freedom Foundation’s campaign against S92A of the NZ Copyright Amendment Act which is due to come into effect on 28th February 2009. I’ve also joined the wave of people blacking out their “avatar” on Facebook/Jabber/MSN, etc.

S92A introduces “Guilt Upon Accusation” whereby if you are accused of copyright infringement (downloading music and movies, etc) “repeatedly” (likely 3 or more times) you are at risk of being disconnected from the Internet by your ISP. The law does not require any proof or substantiation of the accusations and the entire process would occur outside of the courts and the established legal system. Not only does it place every user at risk, the wording is very unclear on exactly what type of organisation is considered an ISP and there is significant concern that schools, businesses, libraries and hospitals will be placed in the difficult position of determining whether their users have broken the law and require disconnection.

Opposition to the law is not an attack on copyright, or a statement that we should be free to download all the movies and music that we desire. Those sorts of activities are clearly wrong, and I don’t have any issue with copyright holders wanting to enforce their rights when their content is illegally copied. However, disconnecting people upon accusation, with no proof or formal legal process to prove guilt is not the right way to go about it.

The fact that the law does not require proof of guilt is only the tip of the iceberg in terms of problems with it. For further background on the problems it causes for ISPs by placing them as the middle-man in copyright disputes you should refer to the following posts:

Finally, I think it is worth pointing out that S92A was removed from the proposed Amendment at the select committee stage, but was later reintroduced by Judith Tizard during the final reading of the bill. Mark Harris has an excellent post on the history of the amendment which includes facts such as the official report on the amendment also recommended removing S92A as it was unecessary given existing ISP terms and conditions which forbid illegal activity. The fact that the select committee (based on public submissions) recognised the problems with S92A and removed it, only to have it added back in again at the last stage when we no longer had any say on it really hacks me off and I cant’ help but feel the influence of the “big money” American media companies pressuring our politicians to pass a law that they don’t really understand the full consequences of.

So what is to be done? The Blacked Out campaign, being run by the Creative Freedom Foundation is gathering steam and international attention. Peter Dunne of United Future (who originally voted for the amendment) has declared that the amendment is wrong, and doesn’t do what they thought they were voting to do, we need to convince National and the rest of the house of the same. Time is running out for this to happen before the amendment comes into effect on Feb 28th, but there is still time to write to your local MP and sign the petition against S92A “Guilt Upon Accusation”. The Creative Freedom Foundation site has a nice easy list of what you can do to register your protest.

July 14, 2008

Ubuntu versions numbers on crack

Filed under: Debian,Linux,WLUG / LinuxNZ — @ 3:56 am NZST

On hardy after the latest round of updates:

matt@krypton:~$ dpkg -s flashplugin-nonfree | grep Version

Granted this package is in hardy-backports not hardy proper, but still, what on earth?!?!

April 13, 2008

The Australian Open Source Industry & Community Report

Filed under: Linux,WLUG / LinuxNZ — @ 4:34 am NZST

I highly recommend making some time to read the The Australian Open Source Industry & Community Report. Based on a census of the Australian Open Source community conducted at the end of last year, it presents a range statistics about the state of the Open Source community and industry in Australia.

The report seems to be aimed at demonstrating to Government and Businesses that Open Source has become a very viable business strategy in Australia and in particular how increased adoption of Open Source would reduce the Australian trade deficit. You don’t need to worry about being put to sleep. The report is relatively casual in tone and easy to read with lots of bright graphs to present the key statistics and findings. Including:

  • The Australian Open Source industry generates around AUD$500M in annual revenue. A small proportion of the AUD$54.4B total revenue for the Australian ICT Industry in 2004-2005. Lots of growth potential!
  • 70-80% of the industry is based on the traditional development, customisation, support and maintenance business model.
  • Most of the individuals making up the Australian Open Source community are working professionals, over half the community are in a relationship and a third of the community have children.

It would be fascinating to see a similar study of the New Zealand industry. I suspect that we would find that Open Source businesses are spread across the country similar to Australia. Obviously our community and financial figures would be smaller in absolute terms but would our proportion of Open Source based businesses be similar?

Maybe a good task for the current NZOSS committee would be to round up some of the larger Open Source businesses in New Zealand, along with the Ministry of Economic Development to sponsor a similar study for New Zealand!

July 9, 2007

POSIX/NFSv4 ACL Inheritance Problems

Filed under: Linux,WLUG / LinuxNZ — @ 4:23 am NZST

I (as root) have a directory hierarchy that I want a particular group to always have write access to. The files and folders inside the hierarchy are owned and manipulated by a wide variety of diffrent users.

Essentially I want to delegate ‘root’ access for a portion of the filesystem to a particular group.

My first attempt at implementing this was to use the standard POSIX ACLs that are available for almost every filesystem Linux supports.

I recursively set an ACL on the top-level directory to give the group write access to all files and directories that currently exist and then I recursively set a default ACL to give the group write access on all the directories. This default ACL should be inherited by any new files that are created ensuring that the group keeps write access to everything.

Problem solved? Unfortunately not.

The intricacies of complying with POSIX means that ACLs are implemented as an ACL plus a mask. To gain access to a particular file or directory the user or group must match an appropriate ACL granting the access and the mask for that file or directory must also allow the requested permission to be granted.

When you add an ACL to a file or directory, the ‘group’ bits of the standard Unix permissions magically switch from controlling group access to controlling the mask portion of the ACL, effectively providing an upper bound on the permissions that an ACL entry can grant. This prevents legacy POSIX applications that do not understand ACLs from unintentionally granting excessive permissions – arguably a good thing.

Unfortunately this also makes it very hard to preserve the ACL granting write access to the ‘root’ group which I legitimately intended to have in place on this portion of the filesystem.

Newly created files under the hierarchy generally inherit the ACL as intended, as most applications attempt to create files with as many permissions as possible, leaving it up to the umask to remove undesired permissions.

However any file that is copied into the hierarchy without the ‘group’ write bit set, or any file that has the ‘group’ write bit removed via chmod will actually remove the write bit from the ACL mask invalidating the ACL and leaving me back at square one!

After a bit of Googling I thought that NFSv4 ACLs might be the answer to this problem, as they are marketed as “very similar to Windows ACLs” and I’m sure that I vaugely recall Windows being able to properly inherit ACLs from parent directories. Unfortunately after downloading the NFSv4 ACL patches and trying all the various mount options I cannot find any combination that will offer the functionality I need. The implementation conforms to POSIX, so it still has a mask parameter and the same problems as the standard POSIX ACLs. The only benefit from using NFSv4 ACLs that I can see is that you have more permissions to grant.

So once again, I’m back to square one. I’m hoping that there is some fundamental point that I’m missing as this seems like a very common use-case that I would have thought would be well supported.

If a command-line example is clearer to you look at:

My current solution is to run a cronjob every X minutes to recursively ‘chmod -R g+w /dir’, however that’s far from optimal as it exposes all sorts of race conditions and just seems ugly!

Any suggestions or solutions will be gratefully received.

June 13, 2007

Back on the Intarnets

Filed under: WLUG / LinuxNZ — @ 9:34 am NZST

Now that we’ve settled into our new apartment in Dublin, the ADSL has been connected and I’m back on the net!

Obviously I’ve had Internet access at work during this time, but there has been so much new information to take in that I haven’t really had time to do any Debian or WLUG work.

I’m still waiting for the shipping company to deliver my computers, so it will be another week or two before I have a development environment that can build and test package. Once that’s setup again I have updates queued for the following:

  • PHPwiki – Upgrade to 1.3.13p1
  • libtrace – Upgrade to 3.0.2

Unfortunately I’m not going to make it to Debconf this year, despite being the closest geographically that I’ve ever been. 🙁

March 31, 2007


Filed under: General,WLUG / LinuxNZ — @ 11:26 am NZST

In just a few hours, I’m hopping on Emirates flight EK433 from Auckland to Singpore, to start the first leg of my trip to Dublin. I’ll be travelling for pretty much the next month, so if you’re trying to get hold of me please don’t be offended if I take several days to reply.

Kat and I have setup another blog to detail our travels, and I’ll try and keep this blog free of too much personal stuff so as to not clutter the various planets that it is syndicated to. If you’re interested in our travels and what we are up to then head over to

There is also a calendar at if you’re wanting to try and meet up with me for keysigning, etc.

Next Page »

Powered by WordPress