Jonkman Microblog

Notices by Mike Gerwitz (mikegerwitz@social.mikegerwitz.com), page 4

  1. Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Monday, 25-Mar-2019 14:37:53 EDT Mike Gerwitz Mike Gerwitz
    in reply to
    • Mike Gerwitz
    • CraniumSlows
    @mnw Oh and when accessing my password database remotely over SSH, e.g. at a hotel, I use Tor for additional privacy (`torify ssh`); I posted about that a couple of days ago.
    In conversation Monday, 25-Mar-2019 14:37:53 EDT from social.mikegerwitz.com permalink
  2. Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Monday, 25-Mar-2019 14:36:26 EDT Mike Gerwitz Mike Gerwitz
    in reply to
    • CraniumSlows
    @mnw Thanks for the feedback.

    I keep a master copy on a server hosted at my house. This also makes it easy to share a password database with my wife (encrypted with both my key and a key I generated for her). But I just have her open it with Emacs over SSH, which decrypts it automatically. Obviously there are more risks associated with that, but it's easy for her to manage, meaning she'll actually use it (it's an Org mode document).

    Regarding trust: you don't need to trust the host if we change the pipeline a little bit. If you just run `ssh your-host cat db.gpg | gpg --decrypt | ...`, the plaintext is never visible to the server because it's decrypted client-side. This uses more bandwidth, but it means that you can host it anywhere. Also note that if your device is compromised, it'll have access to the entire plaintext of the database.

    Just be mindful that you'll have to make sure you choose a strong passphrase or use a randomly generated symmetric key that you store on your local device. If you're using asymmetric encryption, then your database may become compromised in the future, which may or may not matter depending on the secrets. For example, I don't think GnuPG supports any post-quantum secure asymmetric algorithms yet (and they're still an area of research), but maybe other command line utilities do.
    In conversation Monday, 25-Mar-2019 14:36:26 EDT from social.mikegerwitz.com permalink
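The client-side decryption pipeline from the notice above, as an added example that is not part of the original post. `fetch_db` is a local stand-in for `ssh your-host cat db.gpg`; the directory layout and function names are made up for illustration, and GnuPG 2.1 or later is assumed.

```shell
#!/bin/sh
# Added example: the host stores only ciphertext; the client decrypts.
# Constructed setup: $HOST_DIR plays the untrusted host, $LOCAL_DIR the
# client device. All names here are hypothetical.
set -e

WORK=$(mktemp -d /tmp/dbdemo.XXXXXX)
HOST_DIR="$WORK/host"      # everything the remote host can read
LOCAL_DIR="$WORK/local"    # held only on the client device
GNUPGHOME="$WORK/gnupg"; export GNUPGHOME
mkdir -p "$HOST_DIR" "$LOCAL_DIR" "$GNUPGHOME"
chmod 700 "$LOCAL_DIR" "$GNUPGHOME"

# gpg without prompts; the passphrase is read from file descriptor 3.
gpg_sym() {
    gpg --batch --quiet --no-tty --pinentry-mode loopback \
        --passphrase-fd 3 "$@"
}

# Randomly generated symmetric key that stays on the local device.
make_key() {
    (umask 077; head -c 32 /dev/urandom | base64 > "$LOCAL_DIR/db.key")
}

# Encrypt on the client (plaintext on stdin); only ciphertext is
# written to the host.
push_db() {
    gpg_sym --symmetric --cipher-algo AES256 \
        3< "$LOCAL_DIR/db.key" > "$HOST_DIR/db.gpg"
}

# Stand-in for: ssh your-host cat db.gpg
fetch_db() { cat "$HOST_DIR/db.gpg"; }

# The pipeline from the post: the host only runs cat, and decryption
# happens on the client.
read_db() { fetch_db | gpg_sym --decrypt 3< "$LOCAL_DIR/db.key"; }

# Succeeds if the given string appears in any file the host holds.
host_sees() { grep -r -q -F -e "$1" "$HOST_DIR"; }

# Usage: make_key; printf 'site secret\n' | push_db; read_db
```

Running `host_sees` with any string from the database after `push_db` should fail, since the host directory only ever receives the output of `gpg --symmetric`.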
  3. Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Monday, 25-Mar-2019 12:44:48 EDT Mike Gerwitz Mike Gerwitz
    As an erratum of sorts to my #LibrePlanet2019 talk---I think I said "GNU/Linux running on the proprietary Windows kernel", when Linux isn't involved---it's GNU/kWindows. Microsoft wrote a compatibility layer that translates Linux syscalls, so programs compiled _for_ GNU/Linux run atop the Windows kernel. See https://mikegerwitz.com/2016/04/gnu-kwindows for more information.

    I also forgot to mention for the 2FA password manager example that storing long-term secrets using asymmetric ciphers isn't a good idea; you should use symmetric keys for that. Fortunately, pass{words,phrases} (as I demonstrated in the talk) aren't long-term secrets---they're easily changed. But you can easily do _both_ asymmetric for 2FA with a smartcard and symmetric by adding another GPG invocation to the pipeline.

    More to come (including repository of the source code for the slides, as well as notes) within the next day or so. Slides are at https://mikegerwitz.com/talks/cs4m.pdf. Thanks to all those who attended and watched online. Feedback/criticism welcome. I simplified my talk a lot in case the audience wasn't technical but I also didn't want to simplify it too much in case the audience was full of hackers. The intent was to just provide some exposure to the concepts for further research by attendees.
    In conversation Monday, 25-Mar-2019 12:44:48 EDT from social.mikegerwitz.com permalink
  4. Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Monday, 25-Mar-2019 00:05:50 EDT Mike Gerwitz Mike Gerwitz
    It was a pleasure meeting everyone again at #LibrePlanet2019. I hope to see you all again next year!
    In conversation Monday, 25-Mar-2019 00:05:50 EDT from social.mikegerwitz.com permalink
  5. Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Saturday, 23-Mar-2019 19:21:16 EDT Mike Gerwitz Mike Gerwitz
    Congratulations to Deb Nicholson and OpenStreetMap as recipients of the free software awards!
    In conversation Saturday, 23-Mar-2019 19:21:16 EDT from social.mikegerwitz.com permalink
  6. Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Saturday, 23-Mar-2019 07:50:55 EDT Mike Gerwitz Mike Gerwitz
    Since I'm on hotel Wifi, a reminder to travelers: consider using a VPN or Tor. I use the latter, both for my web browsing and for SSH to my home server, for privacy reasons.

    It's not just about data collection on guests by the hotel or network operator---some networks, like my hotel, aren't even encrypted, so any non-encrypted traffic can be sniffed. There's a lot of metadata that can be sniffed even from encrypted connections, including domains that you're accessing, and traffic analysis can get a pretty good idea of what it is you're looking at depending on the sites you're visiting. So any guest or anyone else within range (or any users of long-range antennas, even) could sniff data from guest connections.

    Be safe!

    #LibrePlanet2019 #privacy
    In conversation Saturday, 23-Mar-2019 07:50:55 EDT from social.mikegerwitz.com permalink
  7. Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Tuesday, 19-Mar-2019 21:45:17 EDT Mike Gerwitz Mike Gerwitz
    #LibrePlanet is quickly approaching!

    My flight unfortunately arrives later than I'd like on Friday, so I'll do my best to make it to the office party at the FSF...maybe I'll get there in time to greet people as they're walking out...
    In conversation Tuesday, 19-Mar-2019 21:45:17 EDT from social.mikegerwitz.com permalink
  8. Free Software Foundation (fsf@status.fsf.org)'s status on Friday, 15-Mar-2019 11:30:50 EDT Free Software Foundation Free Software Foundation
    The exhibit hall at #LibrePlanet 2019 is going to be loaded with interesting free software projects and businesses: CivicActions, GNOME, Purism, Technoethical, Tor, and more. Register for LibrePlanet today: https://u.fsf.org/lp19regmb
    In conversation Friday, 15-Mar-2019 11:30:50 EDT from status.fsf.org at 42°21'30"N 71°3'35"W permalink Repeated by mikegerwitz
  9. Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Monday, 11-Mar-2019 21:48:26 EDT Mike Gerwitz Mike Gerwitz
    "Lockdown Mode on the Librem 5: Beyond Hardware Kill Switches":

    https://puri.sm/posts/lockdown-mode-on-the-librem-5-beyond-hardware-kill-switches/
    In conversation Monday, 11-Mar-2019 21:48:26 EDT from social.mikegerwitz.com permalink

    Attachments

    1. Lockdown Mode on the Librem 5: Beyond Hardware Kill Switches – Purism
      from Purism
      Purism — Private, Secure, Trustworthy Laptops and Phones.
  10. Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Sunday, 10-Mar-2019 03:12:24 EDT Mike Gerwitz Mike Gerwitz
    The past three years I've observed the daylight savings shift while working on LibrePlanet talks. And I feel cheated each time.

    I also noticed that Org mode properly does the date arithmetic in the time log, which is incredibly confusing to look at:

    CLOCK: [2019-03-09 Sat 23:41]--[2019-03-10 Sun 03:07] => 2:26
    In conversation Sunday, 10-Mar-2019 03:12:24 EDT from social.mikegerwitz.com permalink
  11. Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Saturday, 09-Mar-2019 23:38:50 EST Mike Gerwitz Mike Gerwitz
    • Christine Lemmer-Webber
    • dave stranding
    @dthompson Hm I finally received a message from you (from toot.cat) for the first time in quite a while. I was going to try unsubscribing and re-subscribing when I noticed that @cwebber was replying to messages from you that I couldn't see on my instance.

    It could be my instance, it could be because I'm using GNU Social (OStatus), or it could be toot.cat, but I just wanted to let you know just in case others may not be seeing your messages.
    In conversation Saturday, 09-Mar-2019 23:38:50 EST from social.mikegerwitz.com permalink
  12. Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Friday, 08-Mar-2019 21:01:33 EST Mike Gerwitz Mike Gerwitz
    This is interesting, and I'll be curious to see it presented:

    "From hard drive to over-heard drive: Boffins convert spinning rust into eavesdropping mic"

    https://social.mikegerwitz.com/url/72535

    I used to stare at the little hole in the tops of the HDD enclosures when I was younger and wonder how slight of pressure variances could be detected by the hardware, wondering how loud I'd have to scream at it (or if I'd have to put my lips on it and hum) to have a detectable level of vibration. I guess that answers my question.

    The bottom of the article links to a video of prior research on the topic, but I don't have the time to look at it right now.
    In conversation Friday, 08-Mar-2019 21:01:33 EST from social.mikegerwitz.com permalink

    Attachments

    1. From hard drive to over-heard drive: Boffins convert spinning rust into eavesdropping mic
      GOOD ENOUGH TO RECOGNIZE MUSIC VIA SHAZAM IF YOU TURN IT UP TO 11
  13. Free Software Foundation (fsf@status.fsf.org)'s status on Thursday, 07-Mar-2019 16:09:22 EST Free Software Foundation Free Software Foundation
    The schedule for #LibrePlanet 2019 is live! What talks will you attend? https://u.fsf.org/2rw If you're not already registered, register for LibrePlanet today: https://u.fsf.org/lp19regmb
    In conversation Thursday, 07-Mar-2019 16:09:22 EST from status.fsf.org at 42°21'30"N 71°3'35"W permalink Repeated by mikegerwitz
  14. Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Monday, 04-Mar-2019 23:11:20 EST Mike Gerwitz Mike Gerwitz
    Every year, I wait until I'm actually working on my #LibrePlanet talk to learn just a little bit more about Beamer. And every year, I have very limited time to do so, since I need to be working on the actual talk and slides, not screwing around with Beamer settings.

    One of these years I'll choose to limit my suffering by actually studying a few months in advance...
    In conversation Monday, 04-Mar-2019 23:11:20 EST from social.mikegerwitz.com permalink
  15. Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Monday, 04-Mar-2019 22:26:47 EST Mike Gerwitz Mike Gerwitz
    • Christine Lemmer-Webber
    My sons and I also enjoy using Minetest for 3d home modelling, though it's a bit less precise. ;)

    But I agree with Sweet Home 3D! I used it with my wife for some remodelling ideas when we first bought our home (...and sadly one that we almost bought but lost the bid on).
    In conversation Monday, 04-Mar-2019 22:26:47 EST from social.mikegerwitz.com permalink
  16. Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Monday, 04-Mar-2019 21:48:51 EST Mike Gerwitz Mike Gerwitz
    ACLU: "Student Surveillance Versus Gun Control: The School Safety Discussion We Aren’t Having"

    https://social.mikegerwitz.com/url/72405
    In conversation Monday, 04-Mar-2019 21:48:51 EST from social.mikegerwitz.com permalink

    Attachments

    1. Student Surveillance Versus Gun Control: The School Safety Discussion We Aren’t Having
      from American Civil Liberties Union
  17. Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Sunday, 03-Mar-2019 10:37:43 EST Mike Gerwitz Mike Gerwitz
    In my 404 logs for my website, I noticed an automated attack attempting to compromise various URLs. My site is static, so no harm done, but one thing I noticed was an injection attempt with a script at z e d . x s s . h t (added spaces to prevent generating links to it).

    The header of the script at that URL states: "This is a payload to test for Cross-site Scripting (XSS). It is meant to be used by security professionals and bug bounty hunters. If you believe that this payload has been used to attempt to compromise your service without permission, please contact us using https://xsshunter.com/contact."

    Okay, so I attempt to load the URL, via Tor, as all my web traffic is. It redirects me to the Internet Archive for that page, and it's not even archived. I archive it. It then masks the contact email address on the page. I click on it. It directs me to a CloudFlare page saying that I have to enable JavaScript in order to unmask the email address.

    So in order to report abuse of this XSS testing service I have to allow non-free CloudFlare malware to run on my computer. Nope.
    In conversation Sunday, 03-Mar-2019 10:37:43 EST from social.mikegerwitz.com permalink
  18. Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Wednesday, 27-Feb-2019 22:53:58 EST Mike Gerwitz Mike Gerwitz
    "It’s Time to Make Sure Our Kids Are No Longer Bound, Shackled, or Locked Away When They’re at School"

    https://social.mikegerwitz.com/url/72240

    Issues like these take on a whole new light when you're a parent. In all the things in my life that are important to me, including all of my activism, the only thing that triggers instant, deep, almost irrational emotion is the thought of someone harming one of my children. And that's something I would have never been capable of understanding before becoming a parent.

    I haven't had a chance to review the proposed bill or even the cases that it references.
    In conversation Wednesday, 27-Feb-2019 22:53:58 EST from social.mikegerwitz.com permalink

    Attachments

    1. It’s Time to Make Sure Our Kids Are No Longer Bound, Shackled, or Locked Away When They’re at School
      from American Civil Liberties Union
  19. Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Tuesday, 26-Feb-2019 22:17:55 EST Mike Gerwitz Mike Gerwitz
    M-x donuts!

    https://news.ycombinator.com/item?id=19254852
    In conversation Tuesday, 26-Feb-2019 22:17:55 EST from social.mikegerwitz.com permalink

Jonkman Microblog is a social network, courtesy of SOBAC Microcomputer Services. It runs on GNU social, version 1.2.0-beta5, available under the GNU Affero General Public License.

All Jonkman Microblog content and data are available under the Creative Commons Attribution 3.0 license.
