Category Archives: Security

GPG Expired Keys Cleanup – Howto

A lot of people leave their “expired” public keys on the public key servers forever.
They even keep expired secret keys in their keyrings or, worse, they
delete expired secret keys from their keyring before revoking the
corresponding public keys and publishing this revocation to the key
servers. So did I…

…so, the correct way to take care of your keys is:

List your secret keys:

kobaans-computer:~ kobaan$ gpg --list-secret-keys
/Users/kobaan/.gnupg/secring.gpg
--------------------------------
sec 1024D/9DC0387E 2006-02-21 [expires: 2007-02-21]
uid Andreas Kobara (privat)
ssb 2048g/E5122423 2006-02-21

sec 1024D/F373037D 2006-02-21 [expires: 2007-02-21]
uid Andreas Kobara
ssb 2048g/712EA6D2 2006-02-21

sec 1024D/5BD5E033 2007-02-15 [expires: 2008-02-20]
uid Andreas Kobara
ssb 2048g/ACE9BC3A 2007-02-15

sec 1024D/06F5B3D4 2007-02-15 [expires: 2008-02-20]
uid Andreas Kobara
ssb 2048g/B5A90C83 2007-02-15

As one can see, I have two keys that are already expired and for
which I have already created follow-up keys.
As long as I do not revoke the expired public key, others can still
encrypt mail to me if they ignore the expiry,
and I (or someone who has stolen my old secret key) will still be
able to decrypt mail encrypted to the expired key.

Usually you should create a revocation certificate for a newly
generated key, to be able to revoke it later in case it is
stolen or has simply expired.
In my case, I will create a revocation certificate now, to revoke
my key on the keyservers.
kobaans-computer:~ kobaan$ gpg --gen-revoke 9DC0387E

sec 1024D/9DC0387E 2006-02-21 Andreas Kobara (privat)

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 3
Enter an optional description; end it with an empty line:
>
Reason for revocation: Key is no longer used
(No description given)
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "Andreas Kobara (privat)"
1024-bit DSA key, ID 9DC0387E, created 2006-02-21

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.6 (Darwin)
Comment: A revocation certificate should follow

iEkEIBECAAkFAkYZKk0CHQMACgkQSA/XCJ3AOH71eACeO+XLUL2pihKbaK2YkHUj
2kQshtgAn0GXcpByipSaJ6VRwbhch90YKwhk
=ijDs
-----END PGP PUBLIC KEY BLOCK-----

Nothing has happened so far; you can store your revocation certificate
now or use it, depending on your needs.
Let's check the status of my key before and after revocation:
kobaans-computer:~ kobaan$ gpg --check-sig 9DC0387E
pub 1024D/9DC0387E 2006-02-21 [expired: 2007-02-21]
uid Andreas Kobara (privat)
sig!3 9DC0387E 2006-05-07 Andreas Kobara (privat)
sig!3 9DC0387E 2006-02-21 Andreas Kobara (privat)

Now import the certificate:
kobaans-computer:~ kobaan$ gpg --import

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.6 (Darwin)
Comment: A revocation certificate should follow

iEkEIBECAAkFAkYZKk0CHQMACgkQSA/XCJ3AOH71eACeO+XLUL2pihKbaK2YkHUj
2kQshtgAn0GXcpByipSaJ6VRwbhch90YKwhk
=ijDs
-----END PGP PUBLIC KEY BLOCK-----
gpg: Total number processed: 1

And check the keyring again:
kobaans-computer:~ kobaan$ gpg --check-sig 9DC0387E
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2008-02-20
pub 1024D/9DC0387E 2006-02-21 [revoked: 2007-04-08]
rev! 9DC0387E 2007-04-08 Andreas Kobara (privat)
uid Andreas Kobara (privat)
sig!3 9DC0387E 2006-05-07 Andreas Kobara (privat)
sig!3 9DC0387E 2006-02-21 Andreas Kobara (privat)

Now it shows “revoked”.

We can now publish this key back to the keyservers to tell everyone
that this key is no longer valid for signing and
encryption.
kobaans-computer:~ kobaan$ gpg --send-key 9DC0387E
gpg: sending key 9DC0387E to hkp server subkeys.pgp.net

However, as long as I do not delete this key from my own secret
keyring, it will always be possible to open very old mail archives
which used that old key.
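
To find the keys this procedure applies to without reading the listing by eye, the following added example (not part of the original post) classifies expired, not yet revoked keys from gpg's machine-readable `--with-colons` output. The sample listings and key IDs are constructed; on a real keyring the two inputs would come from `gpg --list-keys --with-colons` and `gpg --list-secret-keys --with-colons`.

```python
# Added example, not from the original post. Field positions follow GnuPG's
# --with-colons format: field 1 = record type, field 2 = validity
# ("e" = expired, "r" = revoked), field 5 = long key ID.

# Constructed `gpg --list-keys --with-colons` output; all key IDs are made up.
SAMPLE_PUB = """\
pub:e:1024:17:AAAAAAAAAAAA0001:1140480000:1172016000::u:::sc:
sub:e:2048:16:BBBBBBBBBBBB0001:1140480000:1172016000:::::e:
pub:r:1024:17:AAAAAAAAAAAA0002:1140480000:1172016000::u:::sc:
pub:u:1024:17:AAAAAAAAAAAA0003:1171497600:1203465600::u:::sc:
pub:e:1024:17:AAAAAAAAAAAA0004:1140480000:1172016000::-:::sc:
"""

# Constructed `gpg --list-secret-keys --with-colons` output. The secret key
# for ...0004 is missing: it was deleted before the public key was revoked.
SAMPLE_SEC = """\
sec::1024:17:AAAAAAAAAAAA0001:1140480000:1172016000:::::::::
sec::1024:17:AAAAAAAAAAAA0002:1140480000:1172016000:::::::::
sec::1024:17:AAAAAAAAAAAA0003:1171497600:1203465600:::::::::
"""


def records(listing, rectype):
    """Yield the colon-separated fields of every record of one type."""
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == rectype and len(fields) > 4:
            yield fields


def classify(pub_listing, sec_listing):
    """Map each expired, not yet revoked key ID to what can still be done."""
    have_secret = {f[4] for f in records(sec_listing, "sec")}
    todo = {}
    for f in records(pub_listing, "pub"):
        if f[1] != "e":          # skip valid keys and already revoked ("r") keys
            continue
        # --gen-revoke needs the secret key; without it only a revocation
        # certificate that was stored earlier can still revoke the key.
        todo[f[4]] = "gen-revoke" if f[4] in have_secret else "stored-cert-only"
    return todo


if __name__ == "__main__":
    for keyid, action in classify(SAMPLE_PUB, SAMPLE_SEC).items():
        print(keyid, action)
```

Keys reported as `stored-cert-only` are the case the post warns about: the secret key is gone, so the public key can only be revoked with a certificate that was generated beforehand.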

Useful for someone? ;-)

Mac – Eve of destruction

So few bytes and so deadly:
524946464407030057415645666D7420
1000000001000100007D000000000000
000000006461746120070300

I’m starting to get angry now, as I filed this bug 1 year ago,
and there’s still no fix for such a trivial bug.
I also filed it as a security issue, since you can crash every
Mac remotely with these few numbers, but Apple downgraded it to
cosmetic only, as it is not possible to alter or execute
code.
I guess they’re no longer interested in fixing Tiger, as the
Leopard is waiting for its victims…

Hint: Check for zero values before dividing…..
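
The 44 bytes above decode as a canonical RIFF/WAVE header in which the byte rate, block alignment and bits-per-sample fields are all zero. The following added example (not the author's or Apple's code) parses exactly those bytes and applies the hint before dividing. The post does not say which field the crashing code divides by, so rejecting every zero-valued field is an assumption of this example.

```python
import struct

# The 44 bytes exactly as printed in the post.
POST_BYTES = bytes.fromhex(
    "524946464407030057415645666D7420"
    "1000000001000100007D000000000000"
    "000000006461746120070300"
)

FMT_FIELDS = ("audio_format", "channels", "sample_rate",
              "byte_rate", "block_align", "bits_per_sample")
# Fields a player may use as a divisor (assumption of this example).
DIVISORS = ("channels", "sample_rate", "byte_rate",
            "block_align", "bits_per_sample")


def parse_wav_header(buf):
    """Decode a canonical 44-byte RIFF/WAVE header into a dict."""
    if len(buf) < 44:
        raise ValueError("header shorter than 44 bytes")
    if buf[0:4] != b"RIFF" or buf[8:12] != b"WAVE" or buf[12:16] != b"fmt ":
        raise ValueError("not a RIFF/WAVE header")
    fmt_size = struct.unpack_from("<I", buf, 16)[0]
    if fmt_size != 16 or buf[36:40] != b"data":
        raise ValueError("expected a 16-byte fmt chunk followed by data")
    hdr = dict(zip(FMT_FIELDS, struct.unpack_from("<HHIIHH", buf, 20)))
    hdr["data_size"] = struct.unpack_from("<I", buf, 40)[0]
    return hdr


def duration_seconds(hdr):
    """Playing time of the data chunk; refuses headers with zero divisors."""
    zero = [name for name in DIVISORS if hdr[name] == 0]
    if zero:
        raise ValueError("zero in header field(s): " + ", ".join(zero))
    return hdr["data_size"] / hdr["byte_rate"]


if __name__ == "__main__":
    header = parse_wav_header(POST_BYTES)
    print(header)
    try:
        duration_seconds(header)
    except ValueError as err:
        print("rejected:", err)
```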

Good news, it works. Bad news, it works.

Bad awakening for Mac users: Apple fixed a bug.
It took almost 2 years for Apple to release a security fix so that
it is no longer possible to hijack the built-in or even an
external USB camera from within a webpage.
At least everyone believed that this issue had been fixed in
Security Update 2006-008, and people were already sad about
losing the feature to preview realtime effects on local video like
on this page: (only works for Mac people.)

But there’s also good news. It still works.

Oh wait, or is it bad news ?

Anyway the good news is, that the bad news of a killed feature is
not true, and that the security fix works, as your realtime video
cannot be sent via ajax/javascript or a java applet to someone you
don’t even know by just accessing someone’s evil website.

How do we check that ?
Apple doesn’t say anything about it.

So the real good news is, enjoy the feature as long as you’re not
sitting naked in front of your Mac. ;-)

Oh, uhh, aehh, did I mention the bad news is, we don’t know if it’s
really fixed, or Apple became so interested in your home videos
that they patched something in your system to get much sharper
pictures of you than anyone else does. ;-)

Support privacy !

This time I want to encourage all of you who own a router capable
of running the OpenWrt system.

What you need:
OpenWrt can be installed on many different kinds of router hardware.
See here for a list of supported devices.

What you get:
Compared to other router system software, OpenWrt is by default a
very slim system. You can think of “minimalistic” = “more
secure”.

Almost everything you’ll ever need can simply be installed as
packages or compiled by yourself (e.g. a webserver, a VoIP proxy
and so on).

For GUI enthusiasts, the White Russian release also offers the
possibility to update and configure your router via a web interface,
although most of you will be happy to have SSH access and
therefore full control over your Linux router device.

Getting even more:
Most of the listed hardware devices can use external or internal
memory sticks, SD cards or at least NFS or Samba shares to install
more software or hold more data accessible from your router.

How you can help:
Back to my initial thought for this blog entry.
As your router is usually up 24/7, and most people have flat rates,
there’s a great opportunity to support the TOR network by
installing a Tor server on your router and using it (or not) from
within your LAN by accessing privoxy on your router, for example to
browse the web anonymously.

What is TOR:
TOR (The Onion Router network) is a concept for tunnelling
network traffic through multiple other nodes before connecting to
the final destination node. That way it is harder for
eavesdroppers to trace your originating IP address, and safer for
hosters to offer content without the danger of being shut down when a
server IP gets blocked by someone.

Furthermore, you can provide access to the whole internet, dedicated
services or even dedicated addresses through your own TOR
server.
If you don’t want others to use your router to access the internet,
you can just contribute as a tunnel peer for other
TOR servers.

Where to get:
All required packages for OpenWrt-capable routers can be found here
and a precompiled privoxy-package here.

I’m addicted:
Of course you can do even more crazy stuff with OpenWrt; see
here.

Peace !
