Tag Archives: crypto

Why Keybase Is Interesting

Unless you are a programmer, it mostly isn’t. Yet. However, if you are a programmer or if you want to send and receive secure messages, then it is kind of interesting. One interesting thing (for programmers) is that it gives you free encrypted git repos. That’s rad. Also, if you want to start sharing the repo with someone, that’s pretty easy, too. Another really neat-o thing is that you can send an encrypted message to a keybase user without having to figure out how to install PGP, how to integrate it with your email client, or how to look up your recipient’s PGP key. That’s pretty cool.

Why I Don’t Write Native Apps

Xcode sucks. That’s why.

Seriously.

This evening I thought, “Hmm, maybe for my next project I’ll see about writing an iOS client for my turn-based game server.” So I started looking at a Swift tutorial (the language irritates me so far, but that’s just because so far all the syntactic sugar is solving problems I don’t actually have) and it didn’t seem too difficult. So then I went looking for a PGP library that would work with Swift, and I found one.

So then I cloned the project to my Mac and tried to build it. Build failed. Why? Well, it turns out that I needed to install a utility called xcpretty. No idea why, but that was easily solved. Then the build failed again. Why? Because some $@%! Ruby script wouldn’t execute. (Ruby? WTF? I thought this was an Objective-C or maybe Swift compiler!) So then I had to get all comfortable looking for what Ruby wanted. Three scenes of Thor: Ragnarok later, I figured out to gem install xcodeproj and now the build goes a bit farther, but now I’ve got another cryptic error message about how the link failed because the linker couldn’t find the OpenPGP ObjectivePGP framework. The framework that the project is supposed to build.

You know what happens if I have a project open in IDEA and it’s missing a dependency? The missing dependency is underlined in red and the IDE will pop open a window where I could locate the missing thing. You know what happens in Eclipse, with the same situation? Same thing. MPW? Xcode? Nah. Apple’s developer tools reckon that it’s enough just to say, “Nah, that didn’t work.” User-hostile and user-abusive interface.

So.

Xcode sucks.

Decent Encryption Is Getting Easier

I just found out a thing that makes using PGP with Gmail on a Mac easier.

The problem: PGP-encrypting an email means that, at the time of hitting the “send” button, the computer where the plain text message is stored needs to have your secret key and the public key of the recipient, and in general webmail (like Gmail) means that the message is actually resident on a computer that is far away from the one that’s attached to your keyboard. There’s a manual workaround for this, but it’s a pain in the neck and anyone using it will not wonder why PGP isn’t more common.

Also, I love the way that with Gmail (and other webmail services) I can get to my email messages even when I’m far away from my computer. That’s why I have never hooked the Mail app up to my Gmail account, because I didn’t want to download my mail and then have it unavailable on the web. But I accidentally hooked it up last night and nowadays it uses IMAP instead of POP, which means that the messages can stay on Google’s servers but I can now use the GPG plugin to encrypt and sign my emails with ease. And you can, too:

  1. First, get GPGTools. You’ll want that.
  2. If you don’t already have a key pair, generate one.
  3. Hook up Mail.app to your Gmail account.
  4. Feel good about the security of your shit.

Going Anonymous

A friend posted a link to this story about the crypto and anonymity tools Edward Snowden used to communicate with journalists before his big reveal. It’s an interesting read, by itself, with lots of links out to various privacy tools. One that especially caught my attention was Tails, an operating system that, “you can start on almost any computer.” I had to check that out. Sure enough, after a couple of failed attempts, I was able to get it going on my MacBook Pro. It’s exciting!

But what does it really do? Well, it doesn’t actually solve any of my problems. I don’t have any secrets that need protecting in that degree. The evil guys who can get at my data are governments, and the data they can get at are things that they could get anyway, whether I use Tor or not. Still, I like that Tails exists. I like that there’s an operating system that I can run on a Mac or a PC, whatever’s to hand. It’s an operating system and application suite assembled for paranoid/secure operations. I like that if I ever should need such a system, I’ve got it handy.

If you want to try it out yourself, here’s some advice that isn’t on the Tails website: have a recordable DVD handy. The thing that you download from the Tails website is a disk image and you need to burn that onto the recordable DVD. There are instructions on how to install that image directly onto a USB drive, but they didn’t work for me. The way I got it to work was to burn the image onto a DVD, boot from the DVD, then use the Tails installer that’s part of the system tools to install Tails onto a USB drive. Note that although the image is about 1 gigabyte, the installer won’t work unless the USB drive you’re installing onto is at least 16 gigabytes.

Security Is Not a Compiler Flag

With the ongoing brouhaha surrounding the NSA’s surveillance of everyone, everywhere, I’ve got a few friends who are getting excited about figuring out how to secure their email. I kind of want to tell them that their questions, which boil down to, “How can I send secure email,” are, in the words of Mr. Norrell, “Wrong questions.” Sure, you can use a program like GPG to encrypt your messages. But you couldn’t be bothered to use it before now; why will you use it now?

Anything that goes over the public Internet could be intercepted and looked at by Bad Guys. That’s always been true. The trust that meant we didn’t use HTTPS for most things was founded on this idea that “the government” wasn’t going to sniff everything unless someone went to a judge and convinced the judge that you were doing something nefarious. Or at least that there was some compelling reason to violate your right to privacy and security in your person and property. What the NSA has demonstrated is that the U.S. government, at least, doesn’t give a shit about that civil liberty. Going for a technical fix – making your email communications really secure and private – isn’t doing anything to address that breach of trust. You may have secure email (but I bet you won’t, or not for long) but the government is still cast in the role of “Bad Guy.”

The right question is, “How can we trust the government, any government, not to be a Bad Guy?” GPG isn’t going to fix that, and neither is JavaScript encryption of your webmail. Yes, if you actually care about the secrecy of your messages, you should encrypt them. But beyond that, you should be telling your government to get back to doing the right thing, which is protecting your civil liberties, not violating them. For me, the real question, the one beyond email privacy, is, “What other rights do you think you have but which the government doesn’t agree?” Like, for instance, your right to free speech, a speedy trial, right to counsel, trial by jury, freedom from quartering soldiers, or right to due process. You aren’t going to get the answer to that question from JavaScript. You’re going to get that answer by pinning your representative down and insisting that your government do what it’s supposed to do and stop doing what it’s not supposed to do.

Talk to your representatives. Support organizations that advocate for your rights. Like, for instance, the EFF and the ACLU.

Nothing New under the Gubmint

So, this week people are getting pretty exercised about how the NSA, in some super secret operation code named “PRISM,” has been watching everything people are looking at on the web and keeping track of what phone calls are being made and received. Wil Wheaton posted on Google+ that he’s gonna cancel all his Verizon phone lines. Lemme know how that works out for you, Wil, I wanna know what company you’re going to find that isn’t going to turn their data over to the NSA.

I am an old fogey, apparently. I remember when folks on alt.cypherpunks were all exercised about the NSA monitoring Internet traffic back in the late 1980s. Back then, people were talking about using crypto to hide the contents of their email, using steganography to hide messages in images, and even more stuff. Now people try to use Tor to hide the endpoints of their web surfing. But here’s the deal: back then, crypto only worked for making the contents of the email opaque. The surveillance being done under PRISM isn’t concerned with content; it’s looking at the fact that a message was sent from one person to another. This isn’t new. That doesn’t make it okay — I still think it’s creepy — but I’m kind of surprised that people are surprised that this information is being gathered and looked at.
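To make the content-versus-envelope point concrete, here is an added example (not part of the original post) that parses PGP/MIME messages and reports what stays readable to anyone without a key. The addresses, subjects, date and placeholder ciphertext are constructed, and the function names are hypothetical.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed placeholder; a real message would carry armored ciphertext here.
ARMORED = ("-----BEGIN PGP MESSAGE-----\n\n"
           "(constructed placeholder ciphertext)\n"
           "-----END PGP MESSAGE-----\n")

def build_sample(sender, recipients, subject):
    """Return a constructed PGP/MIME (RFC 3156) message as raw text."""
    return (
        f"From: {sender}\n"
        f"To: {recipients}\n"
        f"Subject: {subject}\n"
        "Date: Fri, 07 Jun 2013 10:00:00 +0000\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/encrypted; '
        'protocol="application/pgp-encrypted"; boundary="b1"\n'
        "\n--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
        "\n--b1\nContent-Type: application/octet-stream\n\n" + ARMORED +
        "\n--b1--\n"
    )

def exposed_view(raw):
    """What a relaying mail server can read without any key."""
    msg = message_from_string(raw)
    armored = any("BEGIN PGP MESSAGE" in (part.get_payload() or "")
                  for part in msg.walk() if not part.is_multipart())
    return {
        "from": parseaddr(msg["From"])[1],
        "to": sorted(a for _, a in getaddresses(msg.get_all("To", []))),
        "subject": msg["Subject"],   # PGP does not cover the Subject header
        "date": msg["Date"],
        "body_encrypted": msg.get_content_type() == "multipart/encrypted" and armored,
    }

def contact_pairs(raw_messages):
    """Count sender -> recipient pairs from headers alone."""
    pairs = Counter()
    for raw in raw_messages:
        view = exposed_view(raw)
        for rcpt in view["to"]:
            pairs[(view["from"], rcpt)] += 1
    return pairs

SAMPLES = [  # constructed messages
    build_sample("Alice <alice@example.org>", "bob@example.net", "lunch"),
    build_sample("Alice <alice@example.org>",
                 "bob@example.net, Carol <carol@example.com>", "re: lunch"),
]
```

Every field except the body comes back in clear, which is why encrypting mail hides what was said but not who wrote to whom, when, or under what subject line.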

We’ve already got this notion of contagion in American law: if you live with or associate with a person who’s a gang member, you’re a gang member according to the police. I don’t know for sure but it’s not too big a stretch for me to imagine some creative DA making the step from “gang contagion” to “terrorism contagion.” Given how the politicians are all beating the terrorism drum, I see this as a natural move.

Bottom line: Edward Snowden was not wrong when he talked about the security apparatus being the Panopticon. What are you gonna do about it? Gonna stop making and receiving telephone calls, gonna stop sending and receiving email, gonna stop using the Internet? Gonna go completely off the online grid?