Posts Tagged "security"

GPG Key Transition

GnuPG Logo

My current PGP/GnuPG key is expiring, so I've rolled a new one. The ID of the new key is 0x3C7775DD37811E62 (full fingerprint: 1ED5 E5A3 01C3 D109 9040 2289 3C77 75DD 3781 1E62) and it should be in your favorite keyservers, cross-signed by my old key. You can also find it at https://files.roguelazer.com/roguelazer.gpg. It has also been attached to my keybase.io account and my Github profile. My previous key (0xAEE8F2454A41B87D) has not been revoked and has not been compromised, but you should still stop using it if possible. The new key is a 4096-bit RSA key with SHA-2 digest signatures — I'm not quite bold enough to switch to ECC for a long-lived key yet.

My signed transition document is below, and can also be found at 2019-04-27-key-transition-statement.txt.asc if you prefer to download it directly.

Additionally, I have generated a separately-signed key with ID 0x233E5EAF0EC3ABA9 (full fingerprint: 14E8 9660 188D BC9B 2C17 67AA 233E 5EAF 0EC3 ABA9). This key should not be used for communication, but will only be used to sign VCS commits/tags/&c (in Git and perhaps in Pijul1). It's going to be on my [managed] work computer2, so treat it with a grain of salt.

read more

Gsuite Phishing?

I received an e-mail today at my work address with the subject [Feature Ideas [Customers Only]] - [Survey] The G Suite Admin Experience team wants to learn your needs around data/resource access boundaries which looked like the following:

sketchy email

Quick — is this real or is this spam? What would you look for?

read more

Thoughts on the Moves Privacy Policy

For a while, I've been using the Moves app for iOS. It's a little application that uses the accelerometer and GPS data from your phone to tell you where you've been and how many steps you've taken and so on and so forth. I've been using it in no small part because of their strong third-party privacy policy, which said:

We do not disclose an individual user’s data to third parties unless (1) you have given explicit consent to each such disclosure, (2) we are required to comply with a legal obligation or (3) if our business or assets …

read more

Interesting SSL Issue

Shortly after I upgraded to OS X 10.9.2, I was connecting to battle.net, and I got an SSL error. At the time, I didn't think anything of it (after all, sites have bad SSL certificates all the time). However, I noticed it again today when looking at the page for Reaper of Souls, and decided to look into it again. When I did, I found something very unusual: my system has a second copy of the DigiCert root CA certificate in the "login" keychain. For those of you who aren't familiar, OS X uses a hierarchy of …

read more

GPG (2013 Update)

In light of all of the hullabaloo about PRISM and other spying technology, I thought it'd be good to remind all of your dear readers that we've had the technology to ensure private communications on the Internet for 22 years in the form of Pretty Good Privacy (and the much-more-commonly-used implementation, GnuPG). Ars Technica had an okay article about e-mail encryption with PGP which I recommend reading, although you should keep in mind that most security professionals would consider infrastructural PKI like SSL and S/MIME to be compromised by nation-state-level adversaries (and all associated MIC contractors).

Anyhow, my GPG …

read more

*nix Tip of the Day: Dynamic DNS

Bonjour logo

It's nice to have DNS records for all of your computers. It's a giant pain in the ass to remember IP addresses, especially if you're on something like a cable connection, where the IP address is dynamic (but only changes every month or two). Now, you could go ahead and use DynDNS or No-IP or something. But those are lame. You have to use a subdomain of one of their domains, and you have to use their software to update. You might be wondering if there's a better way. Well, there is. Standard DNS supports updating, it turns out. In BIND, this is managed through the allow-update parameter. I had some free time this week after I finished finals, so I went ahead and set it up, along with the other trimmings required for Wide-Area Bonjour. It's cool, so I thought I'd post a bit.

The most important resource for all of this stuff is dns-sd.org. Aside from a couple of minor errors that I corrected and an update for OS X 10.5+, this Tip will be based off of the guides from that site. So credit to them.

read more