Monthly Archives: September 2009

Google’s New Search Engine

Posted by Daniel on September 12, 2009 None comments

Thanks to a post by my friend Daryl, I’ve been looking at the improved Google search engine, codenamed Caffeine. Google has had a bunch of competition lately. Bing which is Microsoft’s new search engine recently launched, followed by an announcement that Yahoo will use Bing as its engine.

The current version of Google updates its index on a schedule. This means that sites that have only just been crawled will have to wait a while before being included in search results. I have experienced this with my site, only recently has Google started giving me hits, although they have been crawling my site for about a month.

Google’s new search engine use a new backend which not only improves the time required to perform a search but allows indexes to be easily updated. This means Google can now include real time sensitive results such as those from twitter or from my blog minutes after I post. This means that instead of searching the web of about an hour ago you are now searching what is on the web now.

Effectively Google is making a real time search engine. Where informatin is avaliable to you as it happens. Imagine the implications of having an auto updating search results page where new results dynamically appear as they are posted. This is thereason why Google is pushing the Pubsubhubbub protocol and blog pinging services.

Random Thought: Google Androids wpToGo application makes it easy to post from my mobile, but it’s a bit of a pain in the thumbs.

Setting Up GPG Keys

Posted by Daniel on September 9, 2009 None comments

Yesterday you may have read my GPG Symmetric Encryption Guide. The last tip on that page was that you should setup GPG keys and publish them on a keyserver. I say this because publishing GPG keys allows you to encrypt things for anyone else who has published their GPG keys without contacting them and exchanging a symmetric key first.

Generating a GPG key

If you haven’t had a GPG or PGP key before, or the one you previously has has expired you will need to generate a new keypair. A keypair consists of a private key, that you keep absolutely secret, and a public key, that you publish to the world.

You should generate a GPG key on your desktop and not on a server. Most likely a server will not have enough entropy in its random number generator and could take a while. All you then have to do is:

gpg --gen-key

You then answer the questions as follows:

  • The type of key that you want is ‘DSA and Elgamal’ this way you can both encrypt messages and sign them.
  • 1024 bits is probably enough, if you are planning a long expiry for your key you may want to choose 2048, and if your extremely paranoid use 4096.
  • I’d suggest a key expiry of two years for a 1024 bit key, but remember you can set an expiry later, and you can also revoke your key at any time if you believe it is compromised.
  • Then you fill in your details in the prompts
  • Never use a key without a passphrase, any compromise of your key will result in all data people have encrypted for you being compromised and people will be able to sign things as coming from you.

After you enter the details you computer will start generating some very large numbers using cryptographically secure random data, and checking if those numbers are prime. Once your computer has two prime numbers it will generate your keys and save them for you.

Add extra uids to the key

A key can contain many uids. For example your key may contain a work uid and a home uid. If you work at many different companies or have a large number of email addresses then you could have many uids. The uids are what people who sign your key are indicating they trust. So I might decide to indicate that I trust your work uid but because I don’t know you personally  To add new uids to the key you type:

gpg --edit-key
Command> adduid

Then just as before you enter all your details. You can list the uids on the key by typing ‘uid’ at that same prompt. When you are done type ‘save’ to save the key.

Entering the web of trust

The first thing you should do is decide what keyserver you would like to publish your keys to. Most keyservers sync with other ones so this is not really that important. I would suggest hkp://keys.gnupg.net but the choice is up to you. When you have decided what keyserver you want to use place an entry in your ~/.gnupg/gpg.conf file like that says ‘keyserver hkp://keys.gnupg.net’ or whatever server you would like to use.

Now you are ready to build the inner circle of your web of trust. To do this you need to get other people to sign your keys, and them to sign yours. The more signatures you build up the easier it is to find a common link between you that is trusted.

To download another persons key you use the receive key argument for GPG. For example to download my key you can use any of the following commands:

gpg --search-keys "Daniel Hall"
gpg --search-keys "smarthall@gmail.com"
gpg --recv-keys "A3A386ED"

The first two may produce multiple matches and may ask you to select which particular key to download. At this point you should contact the user and confirm their ID so you get the right key.

Now that you’ve downloaded your friends keys you need to confirm who they are and then if all check out sign their keys. When you sign somebodies key you need to be extremely careful, signing a key is your declaration to the world that you trust that this key represents this person. If you sign keys without checking you could end up trusting people who aren’t who they say they are and people will begin to stop trusting you. To verify somebody you should meet them personally (or at an absolute minimum talk over the phone) to get their key fingerprint. As you are signing check that this fingerprint matches the key you are about to sign. To sign my key you could use the following command:

gpg --sign-key "A3A386ED"

Then you upload their key to the keyserver again to ensure that your signature on that key is now visible for the world to see. It is polite to ask people before you sign their key as many spam like signatures on a key may look bad in the eyes of others. If you had just signed my key you would upload it with:

gpg --send-key "A3A386ED"

Now all you need to do is get other people to sign your keys. I’d suggest you start with those people whose keys you have just signed as they’ll be the most willing to help you. You aim is to get enough signatures so that everybody who will need to send an encrypted document to you can find someone they trust who trusts you. It is a little more complicated than that but its essentially the idea.

Random Thought: What should the random thought on my next blog post be? Hrmmmm.

GPG Symmetric Encryption

Posted by Daniel on September 8, 2009 2 comments

I often come into a situation where I have to exchange some important confidential file with somebody who doesn’t have GPG keys setup. Explaining how to setup keys can be a pain, especially if you believe that the user will lose them or simply forget how to use them. There are all manner of propriety software packages to deal with this but this post is about an easy free way using software that almost anyone has access to. I will be showing you how to do this using GPG on Unix operating systems. For windows you could follow this guide.

Encrypting

To encrypt a file symmetrically using GPG just run:
[code lang="shell"]gpg --symmetric <filename>[/code]
It will prompt you for a password twice and create a <filename>.gpg file in the current directory. If you want to put the encrypted text in an email then add the –armour flag. The –armour flag will cause gpg to instead output a <filename>.asc file which consists of ASCII text.

Decrypting

You decrypt it like any other GPG encrypted file:
[code lang="shell"]gpg -d <filename>.gpg[/code]
This will prompt you for the password and decrypt the file, printing it to standard out.

Tips

  • Don’t send the password and the attachment over the same medium, especially not in the same message. I suggest you send the email with the file and call and tell them the password.
  • GPG uses really strong encryption, much more secure than that used in zipfile encryption. That said if you set the password to ’123′ or ‘password’ no amount of encryption will help you. Your encryption is only as secure as the weakest point.
  • With enough time files like this can be cracked using brute force. You should still do all that you can to prevent the encrypted file falling into the wrong hands.
  • You really should setup GPG keys and publish them to a keyserver. That way you won’t have to worry about secure passphrase distribution.

Random Thought: How did people find the first search engine?

ATM Phishing

Posted by Daniel on September 2, 2009 2 comments

You’ve probably heard of ATM fishing by now. If you haven’t you should have. It typically involves placing a card reading device that is designed to blend in perfectly with the ATM. Then a camera or other device is placed that records the PIN of the user as they type it. So effectively while the user is entering their credentials into the ATM they are unwittingly entering them into a scammers database.

In a flash of inspiration last night I think I may have found a solution! My first instinct was to put a poster next to or on the ATM that shows what the ATM looks like. There are a few problems with this though. First, the scammer can simply replace the poster, secondly only the security concious will check it. So this is really a non solution.

So what if you placed pictures of critical parts in the software and display them when the user first puts in their card. Show a shot of the card insertion point, the keyboard and and overall picture. Scammers can’t simply place a poster over the screen as the user needs it to use the ATM. You ask the user to confirm all the pictures and if any don’t match you don’t let them enter their PIN, and possibly eat their card.

I’m not sure how this would work in practice. If the recent response to Vista’s UAC is anything to go by people will probably just click accept on anything. This may get the pictures in their face though. So after seeing this many pictures of ATMs they might more easily notice something amiss. Maybe its a bit ambitious, maybe its not quite scammer proof. What do my readers think?

Random Thought: I’m getting an Android phone because it runs on an ARM CPU. That and my Windows phone is on its last LEGS.

Fedora 12 Alpha

Posted by Daniel on September 1, 2009 None comments

So recently Fedora released the alpha of their latest OS. I’d been running rawhide for quite a while. Of particular interest is that my RS690 no longer flickers when I move a window that includes an alpha channel, and no longer randomly crashes. I’ve still got to disable modesetting but modesetting currently only stops me from enabling desktop effects.

Particular points I’m enjoying:

  • The desktop wallpaper that has squares on an angled surface is very appealing. The other new desktop wallpapers are very eye catching too.
  • Having 3D rendering working properly on my laptop.
  • The new Fedora 12 Login Theme is music to my ears (except when I have my laptop speakers turned up and it reverbs horribly).
  • EXT4 support seems a bit stronger. Of particular importance barrier based sync now works on LVM metadevices.
  • Dracut has made no discernible difference to boot times and ability to boot.
  • resize2fs is now able to shrink an ext4 partition. system-config-lvm now recognises ext4 and allows resizing it.

Particular points I’m not enjoying:

  • Eclipse is unstable and keeps crashing.
  • Turning off the menu icons in GNOME seems like a bad idea, it makes it harder to recognise each menu.
  • Modesetting stops me from using 3D effects.
  • You can’t drag icons from the menu to the panels or the desktop any more.