GnuPG

16 results back to index


Linux Security Cookbook by Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes

Debian, GnuPG, MITM: man-in-the-middle, web of trust

DROP, refusing packets with disabling TCP service invocation by remote request inserting firewall rules in particular position listing firewall rules logging and dropping certain packets permitting incoming SSH access only preventing pings protecting dedicated server restricting telnet service access by source address simulating packet traversal through to verify firewall operation testing firewall configuration ipchains-restore loading firewall configuration ipchains-save checking IP addresses saving firewall configuration viewing rules with IPSec iptables --syn flag to process TCP packets blocking access for particular remote host for a particular service blocking access for some remote hosts but not others blocking all access by particular remote host blocking all incoming HTTP traffic blocking incoming HTTP traffic while permitting local HTTP traffic blocking incoming network traffic blocking outgoing access to all web servers on a network blocking outgoing Telnet connections blocking outgoing traffic blocking outgoing traffic to particular remote host blocking remote access, while permitting local blocking spoofed addresses building chain structures controlling access by MAC address default policies deleting firewall rules disabling reverse DNS lookups (-n option) disabling TCP service invocation by remote request DROP and REJECT, refusing packets with error packets, tailoring inserting firewall rules in particular position listing firewall rules permitting incoming SSH access only preventing pings protecting dedicated server restricting telnet service access by source address rule chain for logging and dropping certain packets testing firewall configuration website iptables-restore loading firewall configuration iptables-save checking IP addresses saving firewall configuration viewing rules with IPv4-in-IPv6 addresses, problems with ISP mail servers, acceptance of relay mail issuer (certificates) self-signed [ Team LiB ] [ Team LiB ] [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [J] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X] John the Ripper (password-cracking software) dictionaries for download site wordlist directive [ Team LiB ] [ Team LiB ] [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [J] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X] kadmin utility adding Kerberos principals to IMAP mail server adding users to existing realm modifying KDC database for host running on new host setting server to start at boot kadmind command (Kerberos) kaserver (Andrew Filesystem) kdb5_util command (Kerberos) KDC [See Key Distribution Center] KDE applications, certificate storage Kerberos authentication in /etc/pam.d startup file hosts, adding to existing realm IMAP, using with Key Distribution Centers (KDCs) ksu ksu command PAM, using with without passwords POP, using with setting up MIT Kerberos-5 KDC sharing root privileges via SSH, using with debugging SSH-1 protocol Telnet, using with users, adding to existing realm web site (MIT) KerberosTgtPassing (in sshd_config) kernel /proc files and collection of messages from by system logger enabling source address verification IP forwarding flag ipchains (Versions 2.2 and up) iptables (Versions 2.4 and up) process information recorded on exit runtime integrity checkers source address verification, enabling Key Distribution Center (KDC), setting up for MIT Kerberos-5 keyring files (GnuPG) adding keys to viewing keys on information listed for keys keys, cryptographic [See also cryptographic authentication] adding to GnuPG keyring backing up GnuPG private key dummy keypairs for imapd and pop3d encrypting files for others with GnuPG generating key pair for GnuPG GnuPG, viewing on your keyring key pairs in public-key encryption keyring files for GnuPG keys obtaining from keyserver and verifying OpenSSH programs for creating/using PGP keys, using in GnuPG revoking a public key sharing public keys securely Tripwire viewing on GnuPG keyring keyserver adding key to informing that a public keys is no longer valid obtaining keys from uploading new signatures to killing processes authorizing users to kill via sudo command pidof command, using terminating SSH agent on logout kinit command (Kerberos) 2nd 3rd -f option (forwardable credentials) klist command (Kerberos) 2nd known hosts database (OpenSSH server) kpasswd command (Kerberos) krb5.conf file, copying to new Kerberos host krb5.keytab file krb5kdc kstat (integrity checker) ksu (Kerberized su) authentication via Kerberos sharing root privileges via [ Team LiB ] [ Team LiB ] [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [J] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X] last command 2nd lastb command lastcomm utility bugs in latest version lastdb command lastlog command databases from several systems, merging multiple systems, monitoring problems with ldd command libnet (toolkit for network packet manipulation) libnids (for TCP stream reassembly) libpcap (packet capture library) 2nd binary files Snort logging directory, creating in logging Snort data to libpcap-format files network trace files, ngrep Snort, use by libwrap, using with xinetd Linux /proc filesystem differing locations for binaries and configuration files in distributions encryption software included with operating system vulnerabilities Red Hat [See Red Hat Linux] supported distributions for security recipes SuSE [See SuSE Linux] ListenAddress statements, adding to sshd_config listfile module (PAM) ACL file entries local acces, permitting while blocking remote access local facilities (system messages) local filesystems, searching local key (Tripwire) creating with twinstall.sh script fingerprints, creating in secure integrity checks read-only integrity checking local mail (acceptance by SMTP server) local password authentication, using Kerberos with PAM localhost problems with Kerberos on SSH SSH port forwarding, use in unsecured mail sessions from logfile group configuration file (logwatch) logger program writing system log entries via shell scripts and syslog API logging access to services combining log files firewalls, configuring for nmap -o options, formats of PAM modules, error messages rotating log files service access via xinetd shutdowns, reboots, and runlevel changes in /var/log/wtmp Snort 2nd to binary files partitioning into separate files permissions for directory stunnel messages sudo command remotely system [See system logger] testing with nmap stealth operations loghost changing remote logging of system messages login shells, root logins adding another Kerberos principal to your ~/.k5login file Kerberos, using with PAM monitoring suspicious activity printing information about for each user recent logins to system accounts, checking testing passwords for strength CrackLib, using John the Ripper, using logouts, history of all on system logrotate program 2nd 3rd logwatch filter, defining integrating services into listing all sudo invocation attempts scanning log files for messages of interest scanning Snort logs and sending out alerts scanning system log files for problem reports lsh (SSH implementation) lsof command +M option, (for processes using RPC services) -c option (command name for processes) -i option (for network connections) -p option (selecting processes by ID) -u option (username for processes) /proc files, reading IP addresses, conversion to hostnames network connections for processes, listing [ Team LiB ] [ Team LiB ] [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [J] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X] m4 macro processor MAC addresses controlling access by spoofed mail [See email IMAP POP] Mail application (Mozilla) mail clients connecting to mail server over SSL support for secure POP and IMAP using SSL mail facility (system messages) mail servers receiving Internet email without visible server support for SSL testing SSL connection locally Mailcrypt mc-deactivate-passwd to force passphrase erasure official web site using with GnuPG mailpgp (script for encrypting/sending email) mailsnarf command -v option, capturing only unencrypted messages malicious program, /tmp/ls man-in-the-middle (MITM) attacks dsniff, proof of concept with self-signed certificates, risk of services deployed with dummy keys manual integrity checks mask format, CIDR Massachusetts Institute of Technology (MIT) Kerberos matching anything (ALL keyword) 2nd max_load keyword (xinetd) 2nd mc-encrypt function MD5 checksum verifying for RPM-installed files merging system log files MH (mail handler) mirroring a set of files securely between machines MIT Kerberos MITM [See man-in-the-middle attacks] modules PAM CrackLib listfile 2nd pam_stack Perl Sys::Lastlog and Sys::Utmp Sys::Syslog XML::Simple monitoring systems for suspicious activity account use checking on multiple systems device special files directing system messages to log files displaying executed commands executed command, monitoring filesystems searching effectively finding accounts with no password finding superuser accounts finding writable files insecure network protocols, detecting local network activities log files, combining logging login passwords logins and passwords logwatch filter for services not supported lsof command, investigating processes with network-intrusion detection with Snort 2nd decoding alert messages logging output partitioning logs into files ruleset, upgrading and tuning networking observing network traffic with Ethereal GUI open network ports, testing for packet sniffing with Snort recovering from a hack rootkits rotating log files scanning log files for problem reports search path, testing searching for strings in network traffic security incident report, filing sending messages to system logger setuid and setgid programs, insecure syslog configuration, testing syslog messages, logging remotely tracing processes writing system log entries shell scripts with C with Perl scripts monitoring tools for networks NIH page web page information on morepgp (script for decrypting/reading email) mount command -o nodev (prohibiting device special files) grpid option noexec option nosuid option setuid and setgid programs, protecting against misuse mounts file (/proc) Mozilla certificate storage encrypted mail with Mail & Newsgroups Muffet, Alec (Crack utility) multi-homed hosts firewall for SSH client, problems with canonical hostname multi-homed server machines, socket mail server is listening on multicast packets multithreaded services (in inetd.conf) mutt mailer home web page securing POP/IMAP with SSL [ Team LiB ] [ Team LiB ] [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [J] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X] NAMEINARGS flag for xinetd NAT gateway, canonical client hostname and National Infrastructure Protection Center (NIPC) (U.S.)

To retain this information in your backups, copy the attributes from the original files to the encrypted files, before the links to the original files are deleted: # find newdir -type f -exec gpg -e '{}' \; \ -exec chown --reference='{}' '{}.gpg' \; -exec chmod --reference='{}' '{}.gpg' \; -exec touch --reference='{}' '{}.gpg' \; -exec rm '{}' \; Method 2 and the CD-ROM variant of method 1 use disk space (at least temporarily) for the encrypted files. 7.25.4 See Also gpg(1), tar(1), find(1), cdrecord(1). Recipe 7.26 Using PGP Keys with GnuPG 7.26.1 Problem You want to use PGP keys in GnuPG operations. 7.26.2 Solution Using PGP, export your key to a file called pgpkey.asc. For example, using freeware PGP 6.5.8, you export a public key with: $ pgp -kxa my_key pgpkey.asc or a private key with: $ pgp -kxa my_key pgpkey.asc my_secret_keyring.skr Then import the key into your GnuPG keyring. For public keys: $ gpg --import pgpkey.asc For private keys: $ gpg --import --allow-secret-key-import pgpkey.asc Now you can use the key in normal GnuPG operations. 7.26.3 Discussion Keys are really abstract mathematical objects; this recipe simply converts a key from one representation to another so that GnuPG can use it. It's similar to converting an SSH key between the SSH2 and OpenSSH formats.

You'll be prompted for the recipient, whose public key must be on your GnuPG keyring: Recipients: jones@example.com and then asked whether you want to sign the message, which is an optional step and requires your GnuPG passphrase. Sign the message? (y or n) Then voilà, your message becomes GnuPG-encrypted for that recipient: -----BEGIN PGP MESSAGE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: Processed by Mailcrypt 3.5.8 and Gnu Privacy Guard hQEOAxpFbNGB4CNMEAP/SeAEOPP6XW+uMrkHZ5b2kuYPE5BL06brHNL2Dae6uIjK sMBhvKGcS3THpCcXzjCRRAJLsquUaazakXdLveyTRPMa9J7GhRUAJvd8n7ZZ8iRn ... -----END PGP MESSAGE----- Finally, send the message normally. If you receive an encrypted message, and you already have the sender's key (indexed by her email address) on your GnuPG public keyring, simply invoke: M-x mc-decrypt for the buffer containing the message.


pages: 274 words: 58,675

Puppet 3 Cookbook by John Arundel

Amazon Web Services, cloud computing, continuous integration, Debian, defense in depth, DevOps, don't repeat yourself, GnuPG, Larry Wall, place-making, Ruby on Rails, web application

ff Installs the Percona APT key with which the packages are signed ff Configures the Percona repo URL as a file in /etc/apt/sources.list.d ff Runs apt-get update to retrieve the repo metadata ff Adds an APT pin configuration in /etc/apt/preferences.d First of all, we install the APT key: exec { 'add-percona-apt-key': unless => '/usr/bin/apt-key list |grep percona', command => '/usr/bin/gpg --keyserver hkp://keys.gnupg.net --recvkeys 1C4CBDCDCD2EFD2A && /usr/bin/gpg -a --export CD2EFD2A | apt-key add -', notify => Exec['percona-apt-update'], } The unless parameter checks the output of apt-key list to make sure that the Percona key is not already installed, in which case we needn't do anything. Assuming it isn't, the command runs: /usr/bin/gpg --keyserver hkp://keys.gnupg.net --recv-keys 1C4CBDCDCD2EFD2A && /usr/bin/gpg -a --export CD2EFD2A | apt-key add - This command retrieves the key from the GnuPG keyserver, exports it in the ASCII format, and pipes this into the apt-key add command, which adds it to the system keyring. You can use a similar pattern for most third-party repos which require an APT signing key.

See also ff Using ERB templates, in this chapter 97 Working with Files and Packages Using GnuPG to encrypt secrets We often need Puppet to have access to secret information, such as passwords or crypto keys, for it to configure systems properly. But how do you avoid putting such secrets directly into your Puppet code, where they're visible to anyone who has read access to your repository? It's a common requirement for third-party developers and contractors to be able to make changes via Puppet, but they definitely shouldn't see any confidential information. Similarly, if you're using a distributed Puppet setup like that described in Chapter 1, Puppet Infrastructure, every machine has a copy of the whole repo, including secrets for other machines that it doesn't need and shouldn't have. How can we prevent this? One answer is to encrypt the secrets using the GnuPG tool, so that any secret information in the Puppet repo is undecipherable (for all practical purposes) without the appropriate key.

One answer is to encrypt the secrets using the GnuPG tool, so that any secret information in the Puppet repo is undecipherable (for all practical purposes) without the appropriate key. Then we distribute the key securely to the people or machines who need it. Getting ready First you'll need an encryption key, so follow these steps to generate one. If you already have a GnuPG key that you'd like to use, go on to the next section: 1. Run the following command. Answer the prompts as shown, except to substitute your name and e-mail address for mine. When prompted for a passphrase, just hit Enter: ubuntu@cookbook:~/puppet$ gpg --gen-key gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection?


Multitool Linux: Practical Uses for Open Source Software by Michael Schwarz, Jeremy Anderson, Peter Curtis

business process, Debian, defense in depth, GnuPG, index card, indoor plumbing, Larry Wall, MITM: man-in-the-middle, optical character recognition, publish or perish, RFC: Request For Comment, Richard Stallman, SETI@home, slashdot, web application

Generating Keys Before you can use GPG, you must generate a key. The first time you ever run GPG, it will probably say this: [bubba@mars bubba]$ gpg —gen-key gpg (GnuPG) 1.0.1; Copyright (C) 1999 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. gpg: /home/bubba/.gnupg: directory created gpg: /home/bubba/.gnupg/options: new options file created gpg: you have to start GnuPG again, so it can read the new options file Unless your system administrator has a .gnupg directory set up for new accounts automatically, GPG must create a .gnupg directory and set it up with default configurations and empty private and public keyrings. A keyring is simply a file that stores keys.

If you don't want your command results being returned to you in plain text, you will have to encrypt the results. For these two tasks, encryption and authentication/authorization, we'll use another very handy Linux tool, GnuPG. Securing Everything We are now entering the part of this chapter where it starts to get really funky. Encryption and digital signatures are not new, but when it comes to your use of this technology, you might be new to it and not quite sure of how to go about using it. Don't panic! Chapter 10, Secure Your E-Mail with GPG, discusses everything you need to know about GnuPG. Using GnuPG to Handle Authorizations One small problem with this version of the e-mail console is that anyone is able to send an e-mail to your system and execute commands from your user account. To prevent this, we'll modify the Perl script to include support for digital signature detection and verification.

The default is to have two: pubring.gpg and secring.gpg. Your private keys are kept in secring.gpg, and your public key and the public keys of any of your correspondents are in pubring.gpg. The other file in the .gnupg directory is options. This file may be modified to change the default settings for GPG. In its default state, it is configured to interoperate with the commercial PGP 5 software. I recommend leaving these defaults alone until the whole world wakes up and starts using GPG instead! Once the .gnupg directory is set up, you generate a key as follows: [bubba@mars bubba]$ gpg —gen-key gpg (GnuPG) 1.0.1; Copyright (C) 1999 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details.


pages: 678 words: 159,840

The Debian Administrator's Handbook, Debian Wheezy From Discovery to Mastery by Raphaal Hertzog, Roland Mas

bash_history, Debian, distributed generation, do-ocracy, en.wikipedia.org, failed state, Firefox, GnuPG, Google Chrome, Jono Bacon, MITM: man-in-the-middle, NP-complete, QWERTY keyboard, RFC: Request For Comment, Richard Stallman, Skype, SpamAssassin, Valgrind, web application, zero day, Zimmermann PGP

=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-============-==============-==============-================================ un backupninja <none> (no description available) un base <none> (no description available) un base-config <none> (no description available) ii base-files 7.1 amd64 Debian base system miscellaneous ii base-passwd 3.5.26 amd64 Debian base system master passwo [...] $ dpkg -c /var/cache/apt/archives/gnupg_1.4.12-7_amd64.deb drwxr-xr-x root/root 0 2013-01-02 19:28 ./ drwxr-xr-x root/root 0 2013-01-02 19:28 ./usr/ drwxr-xr-x root/root 0 2013-01-02 19:28 ./usr/share/ drwxr-xr-x root/root 0 2013-01-02 19:28 ./usr/share/doc/ drwxr-xr-x root/root 0 2013-01-02 19:28 ./usr/share/doc/gnupg/ -rw-r--r-- root/root 3258 2012-01-20 10:51 ./usr/share/doc/gnupg/TODO -rw-r--r-- root/root 308 2011-12-02 18:34 ./usr/share/doc/gnupg/FAQ -rw-r--r-- root/root 3543 2012-02-20 18:41 ./usr/share/doc/gnupg/Upgrading_From_PGP.txt -rw-r--r-- root/root 690 2012-02-20 18:41 ./usr/share/doc/gnupg/README.Debian -rw-r--r-- root/root 1418 2012-02-20 18:41 ./usr/share/doc/gnupg/TODO.Debian [...] $ dpkg -I /var/cache/apt/archives/gnupg_1.4.12-7_amd64.deb new debian package, version 2.0. size 1952176 bytes: control archive=3312 bytes. 1449 bytes, 30 lines control 4521 bytes, 65 lines md5sums 479 bytes, 13 lines * postinst #!

.] $ dpkg -I /var/cache/apt/archives/gnupg_1.4.12-7_amd64.deb new debian package, version 2.0. size 1952176 bytes: control archive=3312 bytes. 1449 bytes, 30 lines control 4521 bytes, 65 lines md5sums 479 bytes, 13 lines * postinst #!/bin/sh 473 bytes, 13 lines * preinst #!/bin/sh Package: gnupg Version: 1.4.12-7 Architecture: amd64 Maintainer: Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org> Installed-Size: 4627 Depends: libbz2-1.0, libc6 (>= 2.4), libreadline6 (>= 6.0), libusb-0.1-4 (>= 2:0.1.12), zlib1g (>= 1:1.1.4), dpkg (>= 1.15.4) | install-info, gpgv Recommends: libldap-2.4-2 (>= 2.4.7), gnupg-curl Suggests: gnupg-doc, xloadimage | imagemagick | eog, libpcsclite1 Section: utils Priority: important Multi-Arch: foreign Homepage: http://www.gnupg.org Description: GNU privacy guard - a free PGP replacement GnuPG is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC 4880. [...]

→ http://www.debian.org/devel/people → http://www.debian.org/intro/organization → http://wiki.debian.org/Teams TOOL Developer's database Debian has a database including all developers registered with the project, and their relevant information (address, telephone, geographical coordinates such as longitude and latitude, etc.). Some of the information (first and last name, country, username within the project, IRC username, GnuPG key, etc.) is public and available on the Web. → http://db.debian.org/ The geographical coordinates allow the creation of a map locating all of the developers around the globe. Debian is truly an international project: its developers can be found on all continents, although the majority are in “Western countries”. Figure 1.1. World-wide distribution of Debian developers Package maintenance is a relatively regimented activity, very documented or even regulated.


pages: 562 words: 153,825

Dark Mirror: Edward Snowden and the Surveillance State by Barton Gellman

4chan, A Declaration of the Independence of Cyberspace, active measures, Anton Chekhov, bitcoin, Cass Sunstein, cloud computing, corporate governance, crowdsourcing, data acquisition, Debian, desegregation, Donald Trump, Edward Snowden, financial independence, Firefox, GnuPG, Google Hangouts, informal economy, Jacob Appelbaum, job automation, Julian Assange, MITM: man-in-the-middle, national security letter, planetary scale, private military company, ransomware, Robert Gordon, Robert Hanssen: Double agent, rolodex, Ronald Reagan, Saturday Night Live, Silicon Valley, Skype, social graph, standardized shipping container, Steven Levy, telepresence, undersea cable, web of trust, WikiLeaks, zero day, Zimmermann PGP

For my part, I did not want an editor or publisher to be capable of making the decision for me. even experts foundered: Disheartening proof is easy to find in the GnuPG-users listserv, an email forum populated exclusively by geeks, where hundreds of thousands of words have been spilled on the software’s mysteries. See the GnuPG-users Archives, http://lists.gnupg.org/pipermail/gnupg-users/. manual could swallow: The horror classic runs to about twenty-five thousand words. GPG boasts a sixteen-thousand-word manual and eleven thousand words of “frequently asked questions.” See Robert Louis Stevenson, The Strange Tale of Dr. Jekyll and Mr. Hyde, www.gutenberg.org/files/42/42.txt; “The GNU Privacy Handbook,” www.gnupg.org/gph/en/manual.html; and “GNUPG FREQUENTLY ASKED QUESTIONS,” www.gnupg.org/faq/gnupg-faq.txt. After drafting this comparison, I found a fine blog post with a similar comparison to the forty-thousand-word novel Fahrenheit 451.

Today’s Tor Project (originally an acronym for “The Onion Router”) offers a free, easy-to-use anonymous browser at www.torproject.org. GPG, the gold standard of email and file encryption: GPG, also known as Gnu Privacy Guard and GnuPG, is a free, open-source implementation of the encryption standard pioneered by Phil Zimmermann in the commercial software package called Pretty Good Privacy, or PGP. (Already we have four names for the same basic product, five if we add OpenPGP.) The original author of GPG remains sole custodian of the code. He marked its first decade in a post to an email listserv, archived here: Werner Koch, “GnuPG’s 10th birthday,” December 20, 2007, https://lists.gnupg.org/pipermail/gnupg-announce/2007q4/000268.html. See also Julia Angwin, “The World’s Email Encryption Software Relies on One Guy, Who Is Going Broke,” ProPublica, February 5, 2015, http://propub.li/223gPN8.

., 311–12 Goodlatte, Bob, 163 Google, 76, 111, 336 foreign facilities of, 282, 286 hacking of BG’s accounts on, 232 illegal spying by, 198 PRISM and, 283, 285, 300 Google cloud, 317, 352 boundary between public internet and, 281–82 GCHQ in penetration of, 299, 301 NSA’s penetration of, 279–88, 297–302, 408 Google Front End, 284–85 governing norms, 248–49, 347–48 government: secrecy and, see secrecy, government in standoff with ES, 352–53 trust and, 180–84 GPG (GnuPG), 8, 365, 366 Graham, Don, 103 Graham, Katharine, 92, 379 Graham, Lindsey, 158 Graham, Mary, 263 Granick, Jennifer, 339, 342, 343 Graph-in-Memory, 174, 177, 179, 180, 181 Greenberg, Karen, 4 Greenwald, Glenn, 213, 241, 255, 325 Alexander’s proposed raid on, 245–46, 247–48, 249 BG on contributions to NSA story by, 141 BG’s view of, 12 in claims about ES’s unreleased files, 257–58 in decision not to publish some material from Pandora, 269 ES’s decision to leak documents to, 16 ES’s first approaches ignored by, 12, 366–67 ES’s first contact with, 66 ES’s interviews with, 138, 346 ES’s relationship with, xiii and ES’s wiretapping claims, 327 exaggerated claims of, 139 false accusations against BG by, 138, 140–41, 387–90 first Snowden leaks story of, 142, 144 Poitras on, 138 as possessing NSA documents not seen by BG, 330 Post denigrated by, 139, 390 Guardian, 387 Ellsberg’s piece on ES in, 290 ES’s leaks published in, 77, 142, 144 Guare, John, 159 Gulf War (1990–1991), 15, 223 Gunn, Ben, 175 hacking: of BG’s computers and devices, 229–35 by China, 34–35, 83 NSA and, see National Security Agency (NSA), hacker culture of Hanssen, Robert, 247, 404 Hardy, David M., 278 Harrison, Sarah, 293, 307 Hawaii Technical Directorate, Office of Information Sharing at, 35 Hayden, Caitlin, 270 Hayden, Michael V., 165, 234 BG’s relationship with, 141–42 government secrecy defended by, 325 on journalists’ disclosure of classified information, 222 on power of active SIGINT, 309 on secrets revealed by metadata, 163 STELLARWIND overseen by, 26, 70–71, 169–70 Heartbeat, 36, 72–79 conceived as one-stop portal to worldwide data systems, 74–76 ES’s creation and supervision of, 72–73 PKI digital identity certificate of, 77 PKI of ES’s supervisor used by, 77–79 Holder, Eric, 96–97, 234, 249 Homeland (TV series), ES’s virtual chat with cast and crew of, 303–9, 320 Hong Kong: ES in flight to, 27, 84, 88 Poitras and Greenwald’s interview with ES in, 138, 251 Hoover, J.


pages: 422 words: 104,457

Dragnet Nation: A Quest for Privacy, Security, and Freedom in a World of Relentless Surveillance by Julia Angwin

AltaVista, Ayatollah Khomeini, barriers to entry, bitcoin, Chelsea Manning, Chuck Templeton: OpenTable:, clean water, crowdsourcing, cuban missile crisis, data is the new oil, David Graeber, Debian, Edward Snowden, Filter Bubble, Firefox, GnuPG, Google Chrome, Google Glasses, informal economy, Jacob Appelbaum, John Markoff, Julian Assange, Marc Andreessen, market bubble, market design, medical residency, meta analysis, meta-analysis, mutually assured destruction, Panopticon Jeremy Bentham, prediction markets, price discrimination, randomized controlled trial, RFID, Robert Shiller, Ronald Reagan, security theater, Silicon Valley, Silicon Valley startup, Skype, smart meter, Steven Levy, Upton Sinclair, WikiLeaks, Y2K, zero-sum game, Zimmermann PGP

And they had a dashboard of statistics: Brian Kennish, in discussion with author, August 16, 2012. “I think that might be why I’m into data”: Ibid. 13. LONELY CODES First, I downloaded free encryption software: “The GNU Privacy Guard,” Free Software Foundation, Inc., http://gnupg.org/. a program called Enigmail: “A Simple Interface to OpenPGP Email Security,” The Enigmail Project, https://www.enigmail.net/home/index.php. designed to run with: GnuPG, “GnuPG Frequently Asked Questions,” http://www.gnupg.org/faq/GnuPG-FAQ.html. The Postbox support page said: Postbox, Inc., “Extending Postbox,” http://www.postbox-inc.com/extensions. The Enigmail support forums said: SourceForge, Inc., “PostBox 3.0.7 and Enigmail 1.2.3 Freezing Problem” (forum), http://sourceforge.net/p/enigmail/forum/support/thread/bfd56f75/?

Off-the-Record is a volunteer project: Off-the-Record Messaging, “The OTR Development Team,” http://www.cypherpunks.ca/otr/people.php. It turned out he was: Evan Schoenberg, in discussion with author, November 25, 2012. When the antinuclear activist Phil Zimmermann: Phil Zimmermann, “Creator of PGP and Zfone: Background,” Philzimmermann.com (personal blog), http://www.philzimmermann.com/EN/background/index.html. The software I was using: “The GNU Privacy Guard,” GnuPG, http://gnupg.org/. On March 9, 1993, Eric Hughes published: Eric Hughes, “A Cypherpunk’s Manifesto,” March 9, 1993, http://www.activism.net/cypherpunk/manifesto.html. The U.S. Customs Service began investigating whether: Phil Zimmermann, “Testimony of Philip R. Zimmermann to the Subcommittee on Science, Technology, and Space of the US Senate Committee on Commerce, Science, and Transportation,” philzimmermann.com (personal blog), June 26, 1996, http://www.philzimmermann.com/EN/testimony/.

Later, at a conference after-party, I lamented my GPG incompetence to David Robinson, a law and technology consultant who helped found Princeton University’s Center for Information Technology Policy. Robinson showed me a website that made me feel better. It was the personal website of Karl Fogel, a leading software developer. It displayed his public key and this disclaimer: “I don’t trust my ability to use GnuPG.… Guarding against [possible attacks on GPG] would require constant vigilance, and I’m not up to the task. Therefore, if it’s important that your message to me be truly secret, please contact me before you send it, and we’ll work something out.” * * * The fatal flaw of public key encryption is that it relies on individuals to protect their keys. Back in the days of physical codebooks, specially trained messengers ferried codebooks between spies and military operatives.


PostgreSQL Cookbook by Chitij Chauhan

database schema, Debian, fault tolerance, GnuPG, Google Glasses, index card

The following are a series of steps that are used to demonstrate the usage of public and private key pairs to encrypt and decrypt data using the previously described functions: First, create the table in which you are going to store data:CREATE TABLE testuserscards( card_id SERIAL PRIMARY KEY, username varchar(100), cc bytea ); Next, insert records in the table and encrypt the data:INSERT INTO testuserscards(username, cc) SELECT robotccs.username, pgp_pub_encrypt(robotccs.cc, keys.pubkey) As cc FROM (VALUES ('robby', '41111111111111111'), ('artoo', '41111111111111112') ) As robotccs(username, cc) CROSS JOIN (SELECT dearmor(' -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.1 (GNU/Linux) mQGiBELIIgoRBAC1onBpxKYgDvrgCaUWPY34947X3ogxGOfCN0p6Eqrx+2PUhm4n vFvmczpMT4iDc0mUO+iwnwsEkXQI1eC99g8c0jnZAvzJZ5miAHL8hukMAMfDkYke 5aVvcPPc8uPDlItpszGmH0rM0V9TIt/i9QEXetpyNWhk4jj5qnohYhLeZwCgkOdO RFAdNi4vfFPivvtAp2ffjU8D/R3x/UJCvkzi7i9rQHGo313xxmQu5BuqIjANBUij 8IE7LRPI/Qhg2hYy3sTJwImDi7VkS+fuvNVk0d6MTWplAXYU96bn12JaD21R9sKl Fzcc+0iZI1wYA1PczisUkoTISE+dQFUsoGHfpDLhoBuesXQrhBavI8t8VPd+nkdt J+oKA/9iRQ87FzxdYTkh2drrv69FZHc3Frsjw9nPcBq/voAvXH0MRilqyCg7HpW/ T9naeOERksa+Rj4R57IF1l4e5oiiGJo9QmaKZcsCsXrREJCycrlEtMqXfSPy+bi5 0yDZE/Qm1dwu13+OXOsRvkoNYjO8Mzo9K8wU12hMqN0a2bu6a7QjRWxnYW1hbCAy MDQ4IDx0ZXN0MjA0OEBleGFtcGxlLm9yZz6IXgQTEQIAHgUCQsgiCgIbAwYLCQgH AwIDFQIDAxYCAQIeAQIXgAAKCRBI6c1W/qZo29PDAKCG724enIxRog1j+aeCp/uq or6mbwCePuKy2/1kD1FvnhkZ/R5fpm+pdm25Ag0EQsgiIhAIAJI3Gb2Ehtz1taQ9 AhPY4Avad2BsqD3S5X/R11Cm0KBE/04D29dxn3f8QfxDsexYvNIZjoJPBqqZ7iMX MhoWyw8ZF5Zs1mLIjFGVorePrm94N3MNPWM7x9M36bHUjx0vCZKFIhcGY1g+htE/ QweaJzNVeA5z4qZmik41FbQyQSyHa3bOkTZu++/U6ghP+iDp5UDBjMTkVyqITUVN gC+MR+da/I60irBVhue7younh4ovF+CrVDQJC06HZl6CAJJyA81SmRfi+dmKbbjZ LF6rhz0norPjISJvkIqvdtM4VPBKI5wpgwCzpEqjuiKrAVujRT68zvBvJ4aVqb11 k5QdJscAAwUH/jVJh0HbWAoiFTe+NvohfrA8vPcD0rtU3Y+siiqrabotnxJd2NuC bxghJYGfNtnx0KDjFbCRKJVeTFok4UnuVYhXdH/c6i0/rCTNdeW2D6pmR4GfBozR Pw/ARf+jONawGLyUj7uq13iquwMSE7VyNuF3ycL2OxXjgOWMjkH8c+zfHHpjaZ0R QsetMq/iNBWraayKZnWUd+eQqNzE+NUo7w1jAu7oDpy+8a1eipxzK+O0HfU5LTiF Z1Oe4Um0P2l3Xtx8nEgj4vSeoEkl2qunfGW00ZMMTCWabg0ZgxPzMfMeIcm6525A Yn2qL+X/qBJTInAl7/hgPz2D1Yd7d5/RdWaISQQYEQIACQUCQsgiIgIbDAAKCRBI 6c1W/qZo25ZSAJ98WTrtl2HiX8ZqZq95v1+9cHtZPQCfZDoWQPybkNescLmXC7q5 1kNTmEU= =8QM5 -----END PGP PUBLIC KEY BLOCK----- ') As pubkey) As keys; You might then see the records in the table:SELECT username, cc FROM testuserscards; Now, you can use pgp_keyid to verify which public key you used to encrypt your data:SELECT pgp_key_id(dearmor(' -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.1 (GNU/Linux) mQGiBELIIgoRBAC1onBpxKYgDvrgCaUWPY34947X3ogxGOfCN0p6Eqrx+2PUhm4n vFvmczpMT4iDc0mUO+iwnwsEkXQI1eC99g8c0jnZAvzJZ5miAHL8hukMAMfDkYke 5aVvcPPc8uPDlItpszGmH0rM0V9TIt/i9QEXetpyNWhk4jj5qnohYhLeZwCgkOdO RFAdNi4vfFPivvtAp2ffjU8D/R3x/UJCvkzi7i9rQHGo313xxmQu5BuqIjANBUij 8IE7LRPI/Qhg2hYy3sTJwImDi7VkS+fuvNVk0d6MTWplAXYU96bn12JaD21R9sKl Fzcc+0iZI1wYA1PczisUkoTISE+dQFUsoGHfpDLhoBuesXQrhBavI8t8VPd+nkdt J+oKA/9iRQ87FzxdYTkh2drrv69FZHc3Frsjw9nPcBq/voAvXH0MRilqyCg7HpW/ T9naeOERksa+Rj4R57IF1l4e5oiiGJo9QmaKZcsCsXrREJCycrlEtMqXfSPy+bi5 0yDZE/Qm1dwu13+OXOsRvkoNYjO8Mzo9K8wU12hMqN0a2bu6a7QjRWxnYW1hbCAy MDQ4IDx0ZXN0MjA0OEBleGFtcGxlLm9yZz6IXgQTEQIAHgUCQsgiCgIbAwYLCQgH AwIDFQIDAxYCAQIeAQIXgAAKCRBI6c1W/qZo29PDAKCG724enIxRog1j+aeCp/uq or6mbwCePuKy2/1kD1FvnhkZ/R5fpm+pdm25Ag0EQsgiIhAIAJI3Gb2Ehtz1taQ9 AhPY4Avad2BsqD3S5X/R11Cm0KBE/04D29dxn3f8QfxDsexYvNIZjoJPBqqZ7iMX MhoWyw8ZF5Zs1mLIjFGVorePrm94N3MNPWM7x9M36bHUjx0vCZKFIhcGY1g+htE/ QweaJzNVeA5z4qZmik41FbQyQSyHa3bOkTZu++/U6ghP+iDp5UDBjMTkVyqITUVN gC+MR+da/I60irBVhue7younh4ovF+CrVDQJC06HZl6CAJJyA81SmRfi+dmKbbjZ LF6rhz0norPjISJvkIqvdtM4VPBKI5wpgwCzpEqjuiKrAVujRT68zvBvJ4aVqb11 k5QdJscAAwUH/jVJh0HbWAoiFTe+NvohfrA8vPcD0rtU3Y+siiqrabotnxJd2NuC bxghJYGfNtnx0KDjFbCRKJVeTFok4UnuVYhXdH/c6i0/rCTNdeW2D6pmR4GfBozR Pw/ARf+jONawGLyUj7uq13iquwMSE7VyNuF3ycL2OxXjgOWMjkH8c+zfHHpjaZ0R QsetMq/iNBWraayKZnWUd+eQqNzE+NUo7w1jAu7oDpy+8a1eipxzK+O0HfU5LTiF Z1Oe4Um0P2l3Xtx8nEgj4vSeoEkl2qunfGW00ZMMTCWabg0ZgxPzMfMeIcm6525A Yn2qL+X/qBJTInAl7/hgPz2D1Yd7d5/RdWaISQQYEQIACQUCQsgiIgIbDAAKCRBI 6c1W/qZo25ZSAJ98WTrtl2HiX8ZqZq95v1+9cHtZPQCfZDoWQPybkNescLmXC7q5 1kNTmEU= =8QM5 -----END PGP PUBLIC KEY BLOCK-----')); The output of this query shows that the following public key was encrypting data: pgp_key_id ------------------ 2C226E1FFE5CC7D4 (1 row) The next step is to verify whether the public key that you got was used to encrypt the data in the table:hrdb=# SELECT username, pgp_key_id(cc) As keyweused FROM testuserscards; username | keyweused ----------+------------------ robby | 2C226E1FFE5CC7D4 artoo | 2C226E1FFE5CC7D4 Finally, decrypt the data using the private key that matches the public key you used to encrypt the data with:SELECT username, pgp_pub_decrypt(cc, keys.privkey) As ccdecrypt FROM testuserscards CROSS JOIN (SELECT dearmor('-----BEGIN PGP PRIVATE KEY BLOCK----- Version: GnuPG v1.4.1 (GNU/Linux) lQG7BELIIgoRBAC1onBpxKYgDvrgCaUWPY34947X3ogxGOfCN0p6Eqrx+2PUhm4n vFvmczpMT4iDc0mUO+iwnwsEkXQI1eC99g8c0jnZAvzJZ5miAHL8hukMAMfDkYke 5aVvcPPc8uPDlItpszGmH0rM0V9TIt/i9QEXetpyNWhk4jj5qnohYhLeZwCgkOdO RFAdNi4vfFPivvtAp2ffjU8D/R3x/UJCvkzi7i9rQHGo313xxmQu5BuqIjANBUij 8IE7LRPI/Qhg2hYy3sTJwImDi7VkS+fuvNVk0d6MTWplAXYU96bn12JaD21R9sKl Fzcc+0iZI1wYA1PczisUkoTISE+dQFUsoGHfpDLhoBuesXQrhBavI8t8VPd+nkdt J+oKA/9iRQ87FzxdYTkh2drrv69FZHc3Frsjw9nPcBq/voAvXH0MRilqyCg7HpW/ T9naeOERksa+Rj4R57IF1l4e5oiiGJo9QmaKZcsCsXrREJCycrlEtMqXfSPy+bi5 0yDZE/Qm1dwu13+OXOsRvkoNYjO8Mzo9K8wU12hMqN0a2bu6awAAn2F+iNBElfJS 8azqO/kEiIfpqu6/DQG0I0VsZ2FtYWwgMjA0OCA8dGVzdDIwNDhAZXhhbXBsZS5v cmc+iF0EExECAB4FAkLIIgoCGwMGCwkIBwMCAxUCAwMWAgECHgECF4AACgkQSOnN Vv6maNvTwwCYkpcJmpl3aHCQdGomz7dFohDgjgCgiThZt2xTEi6GhBB1vuhk+f55 n3+dAj0EQsgiIhAIAJI3Gb2Ehtz1taQ9AhPY4Avad2BsqD3S5X/R11Cm0KBE/04D 29dxn3f8QfxDsexYvNIZjoJPBqqZ7iMXMhoWyw8ZF5Zs1mLIjFGVorePrm94N3MN PWM7x9M36bHUjx0vCZKFIhcGY1g+htE/QweaJzNVeA5z4qZmik41FbQyQSyHa3bO kTZu++/U6ghP+iDp5UDBjMTkVyqITUVNgC+MR+da/I60irBVhue7younh4ovF+Cr VDQJC06HZl6CAJJyA81SmRfi+dmKbbjZLF6rhz0norPjISJvkIqvdtM4VPBKI5wp gwCzpEqjuiKrAVujRT68zvBvJ4aVqb11k5QdJscAAwUH/jVJh0HbWAoiFTe+Nvoh frA8vPcD0rtU3Y+siiqrabotnxJd2NuCbxghJYGfNtnx0KDjFbCRKJVeTFok4Unu VYhXdH/c6i0/rCTNdeW2D6pmR4GfBozRPw/ARf+jONawGLyUj7uq13iquwMSE7Vy NuF3ycL2OxXjgOWMjkH8c+zfHHpjaZ0RQsetMq/iNBWraayKZnWUd+eQqNzE+NUo 7w1jAu7oDpy+8a1eipxzK+O0HfU5LTiFZ1Oe4Um0P2l3Xtx8nEgj4vSeoEkl2qun fGW00ZMMTCWabg0ZgxPzMfMeIcm6525AYn2qL+X/qBJTInAl7/hgPz2D1Yd7d5/R dWYAAVQKFPXbRaxbdArwRVXMzSD3qj/+VwwhwEDt8zmBGnlBfwVdkjQQrDUMmV1S EwyISQQYEQIACQUCQsgiIgIbDAAKCRBI6c1W/qZo25ZSAJ4sgUfHTVsG/x3p3fcM 3b5R86qKEACggYKSwPWCs0YVRHOWqZY0pnHtLH8= =3Dgk -----END PGP PRIVATE KEY BLOCK-----') As privkey) As keys; username | ccdecrypt ----------+------------------- robby | 41111111111111111 artoo | 41111111111111112 (2 rows) There's more...

The following are a series of steps that are used to demonstrate the usage of public and private key pairs to encrypt and decrypt data using the previously described functions: First, create the table in which you are going to store data:CREATE TABLE testuserscards( card_id SERIAL PRIMARY KEY, username varchar(100), cc bytea ); Next, insert records in the table and encrypt the data:INSERT INTO testuserscards(username, cc) SELECT robotccs.username, pgp_pub_encrypt(robotccs.cc, keys.pubkey) As cc FROM (VALUES ('robby', '41111111111111111'), ('artoo', '41111111111111112') ) As robotccs(username, cc) CROSS JOIN (SELECT dearmor(' -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.1 (GNU/Linux) mQGiBELIIgoRBAC1onBpxKYgDvrgCaUWPY34947X3ogxGOfCN0p6Eqrx+2PUhm4n vFvmczpMT4iDc0mUO+iwnwsEkXQI1eC99g8c0jnZAvzJZ5miAHL8hukMAMfDkYke 5aVvcPPc8uPDlItpszGmH0rM0V9TIt/i9QEXetpyNWhk4jj5qnohYhLeZwCgkOdO RFAdNi4vfFPivvtAp2ffjU8D/R3x/UJCvkzi7i9rQHGo313xxmQu5BuqIjANBUij 8IE7LRPI/Qhg2hYy3sTJwImDi7VkS+fuvNVk0d6MTWplAXYU96bn12JaD21R9sKl Fzcc+0iZI1wYA1PczisUkoTISE+dQFUsoGHfpDLhoBuesXQrhBavI8t8VPd+nkdt J+oKA/9iRQ87FzxdYTkh2drrv69FZHc3Frsjw9nPcBq/voAvXH0MRilqyCg7HpW/ T9naeOERksa+Rj4R57IF1l4e5oiiGJo9QmaKZcsCsXrREJCycrlEtMqXfSPy+bi5 0yDZE/Qm1dwu13+OXOsRvkoNYjO8Mzo9K8wU12hMqN0a2bu6a7QjRWxnYW1hbCAy MDQ4IDx0ZXN0MjA0OEBleGFtcGxlLm9yZz6IXgQTEQIAHgUCQsgiCgIbAwYLCQgH AwIDFQIDAxYCAQIeAQIXgAAKCRBI6c1W/qZo29PDAKCG724enIxRog1j+aeCp/uq or6mbwCePuKy2/1kD1FvnhkZ/R5fpm+pdm25Ag0EQsgiIhAIAJI3Gb2Ehtz1taQ9 AhPY4Avad2BsqD3S5X/R11Cm0KBE/04D29dxn3f8QfxDsexYvNIZjoJPBqqZ7iMX MhoWyw8ZF5Zs1mLIjFGVorePrm94N3MNPWM7x9M36bHUjx0vCZKFIhcGY1g+htE/ QweaJzNVeA5z4qZmik41FbQyQSyHa3bOkTZu++/U6ghP+iDp5UDBjMTkVyqITUVN gC+MR+da/I60irBVhue7younh4ovF+CrVDQJC06HZl6CAJJyA81SmRfi+dmKbbjZ LF6rhz0norPjISJvkIqvdtM4VPBKI5wpgwCzpEqjuiKrAVujRT68zvBvJ4aVqb11 k5QdJscAAwUH/jVJh0HbWAoiFTe+NvohfrA8vPcD0rtU3Y+siiqrabotnxJd2NuC bxghJYGfNtnx0KDjFbCRKJVeTFok4UnuVYhXdH/c6i0/rCTNdeW2D6pmR4GfBozR Pw/ARf+jONawGLyUj7uq13iquwMSE7VyNuF3ycL2OxXjgOWMjkH8c+zfHHpjaZ0R QsetMq/iNBWraayKZnWUd+eQqNzE+NUo7w1jAu7oDpy+8a1eipxzK+O0HfU5LTiF Z1Oe4Um0P2l3Xtx8nEgj4vSeoEkl2qunfGW00ZMMTCWabg0ZgxPzMfMeIcm6525A Yn2qL+X/qBJTInAl7/hgPz2D1Yd7d5/RdWaISQQYEQIACQUCQsgiIgIbDAAKCRBI 6c1W/qZo25ZSAJ98WTrtl2HiX8ZqZq95v1+9cHtZPQCfZDoWQPybkNescLmXC7q5 1kNTmEU= =8QM5 -----END PGP PUBLIC KEY BLOCK----- ') As pubkey) As keys; You might then see the records in the table:SELECT username, cc FROM testuserscards; Now, you can use pgp_keyid to verify which public key you used to encrypt your data:SELECT pgp_key_id(dearmor(' -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.1 (GNU/Linux) mQGiBELIIgoRBAC1onBpxKYgDvrgCaUWPY34947X3ogxGOfCN0p6Eqrx+2PUhm4n vFvmczpMT4iDc0mUO+iwnwsEkXQI1eC99g8c0jnZAvzJZ5miAHL8hukMAMfDkYke 5aVvcPPc8uPDlItpszGmH0rM0V9TIt/i9QEXetpyNWhk4jj5qnohYhLeZwCgkOdO RFAdNi4vfFPivvtAp2ffjU8D/R3x/UJCvkzi7i9rQHGo313xxmQu5BuqIjANBUij 8IE7LRPI/Qhg2hYy3sTJwImDi7VkS+fuvNVk0d6MTWplAXYU96bn12JaD21R9sKl Fzcc+0iZI1wYA1PczisUkoTISE+dQFUsoGHfpDLhoBuesXQrhBavI8t8VPd+nkdt J+oKA/9iRQ87FzxdYTkh2drrv69FZHc3Frsjw9nPcBq/voAvXH0MRilqyCg7HpW/ T9naeOERksa+Rj4R57IF1l4e5oiiGJo9QmaKZcsCsXrREJCycrlEtMqXfSPy+bi5 0yDZE/Qm1dwu13+OXOsRvkoNYjO8Mzo9K8wU12hMqN0a2bu6a7QjRWxnYW1hbCAy MDQ4IDx0ZXN0MjA0OEBleGFtcGxlLm9yZz6IXgQTEQIAHgUCQsgiCgIbAwYLCQgH AwIDFQIDAxYCAQIeAQIXgAAKCRBI6c1W/qZo29PDAKCG724enIxRog1j+aeCp/uq or6mbwCePuKy2/1kD1FvnhkZ/R5fpm+pdm25Ag0EQsgiIhAIAJI3Gb2Ehtz1taQ9 AhPY4Avad2BsqD3S5X/R11Cm0KBE/04D29dxn3f8QfxDsexYvNIZjoJPBqqZ7iMX MhoWyw8ZF5Zs1mLIjFGVorePrm94N3MNPWM7x9M36bHUjx0vCZKFIhcGY1g+htE/ QweaJzNVeA5z4qZmik41FbQyQSyHa3bOkTZu++/U6ghP+iDp5UDBjMTkVyqITUVN gC+MR+da/I60irBVhue7younh4ovF+CrVDQJC06HZl6CAJJyA81SmRfi+dmKbbjZ LF6rhz0norPjISJvkIqvdtM4VPBKI5wpgwCzpEqjuiKrAVujRT68zvBvJ4aVqb11 k5QdJscAAwUH/jVJh0HbWAoiFTe+NvohfrA8vPcD0rtU3Y+siiqrabotnxJd2NuC bxghJYGfNtnx0KDjFbCRKJVeTFok4UnuVYhXdH/c6i0/rCTNdeW2D6pmR4GfBozR Pw/ARf+jONawGLyUj7uq13iquwMSE7VyNuF3ycL2OxXjgOWMjkH8c+zfHHpjaZ0R QsetMq/iNBWraayKZnWUd+eQqNzE+NUo7w1jAu7oDpy+8a1eipxzK+O0HfU5LTiF Z1Oe4Um0P2l3Xtx8nEgj4vSeoEkl2qunfGW00ZMMTCWabg0ZgxPzMfMeIcm6525A Yn2qL+X/qBJTInAl7/hgPz2D1Yd7d5/RdWaISQQYEQIACQUCQsgiIgIbDAAKCRBI 6c1W/qZo25ZSAJ98WTrtl2HiX8ZqZq95v1+9cHtZPQCfZDoWQPybkNescLmXC7q5 1kNTmEU= =8QM5 -----END PGP PUBLIC KEY BLOCK-----')); The output of this query shows that the following public key was encrypting data: pgp_key_id ------------------ 2C226E1FFE5CC7D4 (1 row) The next step is to verify whether the public key that you got was used to encrypt the data in the table:hrdb=# SELECT username, pgp_key_id(cc) As keyweused FROM testuserscards; username | keyweused ----------+------------------ robby | 2C226E1FFE5CC7D4 artoo | 2C226E1FFE5CC7D4 Finally, decrypt the data using the private key that matches the public key you used to encrypt the data with:SELECT username, pgp_pub_decrypt(cc, keys.privkey) As ccdecrypt FROM testuserscards CROSS JOIN (SELECT dearmor('-----BEGIN PGP PRIVATE KEY BLOCK----- Version: GnuPG v1.4.1 (GNU/Linux) lQG7BELIIgoRBAC1onBpxKYgDvrgCaUWPY34947X3ogxGOfCN0p6Eqrx+2PUhm4n vFvmczpMT4iDc0mUO+iwnwsEkXQI1eC99g8c0jnZAvzJZ5miAHL8hukMAMfDkYke 5aVvcPPc8uPDlItpszGmH0rM0V9TIt/i9QEXetpyNWhk4jj5qnohYhLeZwCgkOdO RFAdNi4vfFPivvtAp2ffjU8D/R3x/UJCvkzi7i9rQHGo313xxmQu5BuqIjANBUij 8IE7LRPI/Qhg2hYy3sTJwImDi7VkS+fuvNVk0d6MTWplAXYU96bn12JaD21R9sKl Fzcc+0iZI1wYA1PczisUkoTISE+dQFUsoGHfpDLhoBuesXQrhBavI8t8VPd+nkdt J+oKA/9iRQ87FzxdYTkh2drrv69FZHc3Frsjw9nPcBq/voAvXH0MRilqyCg7HpW/ T9naeOERksa+Rj4R57IF1l4e5oiiGJo9QmaKZcsCsXrREJCycrlEtMqXfSPy+bi5 0yDZE/Qm1dwu13+OXOsRvkoNYjO8Mzo9K8wU12hMqN0a2bu6awAAn2F+iNBElfJS 8azqO/kEiIfpqu6/DQG0I0VsZ2FtYWwgMjA0OCA8dGVzdDIwNDhAZXhhbXBsZS5v cmc+iF0EExECAB4FAkLIIgoCGwMGCwkIBwMCAxUCAwMWAgECHgECF4AACgkQSOnN Vv6maNvTwwCYkpcJmpl3aHCQdGomz7dFohDgjgCgiThZt2xTEi6GhBB1vuhk+f55 n3+dAj0EQsgiIhAIAJI3Gb2Ehtz1taQ9AhPY4Avad2BsqD3S5X/R11Cm0KBE/04D 29dxn3f8QfxDsexYvNIZjoJPBqqZ7iMXMhoWyw8ZF5Zs1mLIjFGVorePrm94N3MN PWM7x9M36bHUjx0vCZKFIhcGY1g+htE/QweaJzNVeA5z4qZmik41FbQyQSyHa3bO kTZu++/U6ghP+iDp5UDBjMTkVyqITUVNgC+MR+da/I60irBVhue7younh4ovF+Cr VDQJC06HZl6CAJJyA81SmRfi+dmKbbjZLF6rhz0norPjISJvkIqvdtM4VPBKI5wp gwCzpEqjuiKrAVujRT68zvBvJ4aVqb11k5QdJscAAwUH/jVJh0HbWAoiFTe+Nvoh frA8vPcD0rtU3Y+siiqrabotnxJd2NuCbxghJYGfNtnx0KDjFbCRKJVeTFok4Unu VYhXdH/c6i0/rCTNdeW2D6pmR4GfBozRPw/ARf+jONawGLyUj7uq13iquwMSE7Vy NuF3ycL2OxXjgOWMjkH8c+zfHHpjaZ0RQsetMq/iNBWraayKZnWUd+eQqNzE+NUo 7w1jAu7oDpy+8a1eipxzK+O0HfU5LTiFZ1Oe4Um0P2l3Xtx8nEgj4vSeoEkl2qun fGW00ZMMTCWabg0ZgxPzMfMeIcm6525AYn2qL+X/qBJTInAl7/hgPz2D1Yd7d5/R dWYAAVQKFPXbRaxbdArwRVXMzSD3qj/+VwwhwEDt8zmBGnlBfwVdkjQQrDUMmV1S EwyISQQYEQIACQUCQsgiIgIbDAAKCRBI6c1W/qZo25ZSAJ4sgUfHTVsG/x3p3fcM 3b5R86qKEACggYKSwPWCs0YVRHOWqZY0pnHtLH8= =3Dgk -----END PGP PRIVATE KEY BLOCK-----') As privkey) As keys; username | ccdecrypt ----------+------------------- robby | 41111111111111111 artoo | 41111111111111112 (2 rows) There's more...

The following are a series of steps that are used to demonstrate the usage of public and private key pairs to encrypt and decrypt data using the previously described functions: First, create the table in which you are going to store data:CREATE TABLE testuserscards( card_id SERIAL PRIMARY KEY, username varchar(100), cc bytea ); Next, insert records in the table and encrypt the data:INSERT INTO testuserscards(username, cc) SELECT robotccs.username, pgp_pub_encrypt(robotccs.cc, keys.pubkey) As cc FROM (VALUES ('robby', '41111111111111111'), ('artoo', '41111111111111112') ) As robotccs(username, cc) CROSS JOIN (SELECT dearmor(' -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.1 (GNU/Linux) mQGiBELIIgoRBAC1onBpxKYgDvrgCaUWPY34947X3ogxGOfCN0p6Eqrx+2PUhm4n vFvmczpMT4iDc0mUO+iwnwsEkXQI1eC99g8c0jnZAvzJZ5miAHL8hukMAMfDkYke 5aVvcPPc8uPDlItpszGmH0rM0V9TIt/i9QEXetpyNWhk4jj5qnohYhLeZwCgkOdO RFAdNi4vfFPivvtAp2ffjU8D/R3x/UJCvkzi7i9rQHGo313xxmQu5BuqIjANBUij 8IE7LRPI/Qhg2hYy3sTJwImDi7VkS+fuvNVk0d6MTWplAXYU96bn12JaD21R9sKl Fzcc+0iZI1wYA1PczisUkoTISE+dQFUsoGHfpDLhoBuesXQrhBavI8t8VPd+nkdt J+oKA/9iRQ87FzxdYTkh2drrv69FZHc3Frsjw9nPcBq/voAvXH0MRilqyCg7HpW/ T9naeOERksa+Rj4R57IF1l4e5oiiGJo9QmaKZcsCsXrREJCycrlEtMqXfSPy+bi5 0yDZE/Qm1dwu13+OXOsRvkoNYjO8Mzo9K8wU12hMqN0a2bu6a7QjRWxnYW1hbCAy MDQ4IDx0ZXN0MjA0OEBleGFtcGxlLm9yZz6IXgQTEQIAHgUCQsgiCgIbAwYLCQgH AwIDFQIDAxYCAQIeAQIXgAAKCRBI6c1W/qZo29PDAKCG724enIxRog1j+aeCp/uq or6mbwCePuKy2/1kD1FvnhkZ/R5fpm+pdm25Ag0EQsgiIhAIAJI3Gb2Ehtz1taQ9 AhPY4Avad2BsqD3S5X/R11Cm0KBE/04D29dxn3f8QfxDsexYvNIZjoJPBqqZ7iMX MhoWyw8ZF5Zs1mLIjFGVorePrm94N3MNPWM7x9M36bHUjx0vCZKFIhcGY1g+htE/ QweaJzNVeA5z4qZmik41FbQyQSyHa3bOkTZu++/U6ghP+iDp5UDBjMTkVyqITUVN gC+MR+da/I60irBVhue7younh4ovF+CrVDQJC06HZl6CAJJyA81SmRfi+dmKbbjZ LF6rhz0norPjISJvkIqvdtM4VPBKI5wpgwCzpEqjuiKrAVujRT68zvBvJ4aVqb11 k5QdJscAAwUH/jVJh0HbWAoiFTe+NvohfrA8vPcD0rtU3Y+siiqrabotnxJd2NuC bxghJYGfNtnx0KDjFbCRKJVeTFok4UnuVYhXdH/c6i0/rCTNdeW2D6pmR4GfBozR Pw/ARf+jONawGLyUj7uq13iquwMSE7VyNuF3ycL2OxXjgOWMjkH8c+zfHHpjaZ0R QsetMq/iNBWraayKZnWUd+eQqNzE+NUo7w1jAu7oDpy+8a1eipxzK+O0HfU5LTiF Z1Oe4Um0P2l3Xtx8nEgj4vSeoEkl2qunfGW00ZMMTCWabg0ZgxPzMfMeIcm6525A Yn2qL+X/qBJTInAl7/hgPz2D1Yd7d5/RdWaISQQYEQIACQUCQsgiIgIbDAAKCRBI 6c1W/qZo25ZSAJ98WTrtl2HiX8ZqZq95v1+9cHtZPQCfZDoWQPybkNescLmXC7q5 1kNTmEU= =8QM5 -----END PGP PUBLIC KEY BLOCK----- ') As pubkey) As keys; You might then see the records in the table:SELECT username, cc FROM testuserscards; Now, you can use pgp_keyid to verify which public key you used to encrypt your data:SELECT pgp_key_id(dearmor(' -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.1 (GNU/Linux) mQGiBELIIgoRBAC1onBpxKYgDvrgCaUWPY34947X3ogxGOfCN0p6Eqrx+2PUhm4n vFvmczpMT4iDc0mUO+iwnwsEkXQI1eC99g8c0jnZAvzJZ5miAHL8hukMAMfDkYke 5aVvcPPc8uPDlItpszGmH0rM0V9TIt/i9QEXetpyNWhk4jj5qnohYhLeZwCgkOdO RFAdNi4vfFPivvtAp2ffjU8D/R3x/UJCvkzi7i9rQHGo313xxmQu5BuqIjANBUij 8IE7LRPI/Qhg2hYy3sTJwImDi7VkS+fuvNVk0d6MTWplAXYU96bn12JaD21R9sKl Fzcc+0iZI1wYA1PczisUkoTISE+dQFUsoGHfpDLhoBuesXQrhBavI8t8VPd+nkdt J+oKA/9iRQ87FzxdYTkh2drrv69FZHc3Frsjw9nPcBq/voAvXH0MRilqyCg7HpW/ T9naeOERksa+Rj4R57IF1l4e5oiiGJo9QmaKZcsCsXrREJCycrlEtMqXfSPy+bi5 0yDZE/Qm1dwu13+OXOsRvkoNYjO8Mzo9K8wU12hMqN0a2bu6a7QjRWxnYW1hbCAy MDQ4IDx0ZXN0MjA0OEBleGFtcGxlLm9yZz6IXgQTEQIAHgUCQsgiCgIbAwYLCQgH AwIDFQIDAxYCAQIeAQIXgAAKCRBI6c1W/qZo29PDAKCG724enIxRog1j+aeCp/uq or6mbwCePuKy2/1kD1FvnhkZ/R5fpm+pdm25Ag0EQsgiIhAIAJI3Gb2Ehtz1taQ9 AhPY4Avad2BsqD3S5X/R11Cm0KBE/04D29dxn3f8QfxDsexYvNIZjoJPBqqZ7iMX MhoWyw8ZF5Zs1mLIjFGVorePrm94N3MNPWM7x9M36bHUjx0vCZKFIhcGY1g+htE/ QweaJzNVeA5z4qZmik41FbQyQSyHa3bOkTZu++/U6ghP+iDp5UDBjMTkVyqITUVN gC+MR+da/I60irBVhue7younh4ovF+CrVDQJC06HZl6CAJJyA81SmRfi+dmKbbjZ LF6rhz0norPjISJvkIqvdtM4VPBKI5wpgwCzpEqjuiKrAVujRT68zvBvJ4aVqb11 k5QdJscAAwUH/jVJh0HbWAoiFTe+NvohfrA8vPcD0rtU3Y+siiqrabotnxJd2NuC bxghJYGfNtnx0KDjFbCRKJVeTFok4UnuVYhXdH/c6i0/rCTNdeW2D6pmR4GfBozR Pw/ARf+jONawGLyUj7uq13iquwMSE7VyNuF3ycL2OxXjgOWMjkH8c+zfHHpjaZ0R QsetMq/iNBWraayKZnWUd+eQqNzE+NUo7w1jAu7oDpy+8a1eipxzK+O0HfU5LTiF Z1Oe4Um0P2l3Xtx8nEgj4vSeoEkl2qunfGW00ZMMTCWabg0ZgxPzMfMeIcm6525A Yn2qL+X/qBJTInAl7/hgPz2D1Yd7d5/RdWaISQQYEQIACQUCQsgiIgIbDAAKCRBI 6c1W/qZo25ZSAJ98WTrtl2HiX8ZqZq95v1+9cHtZPQCfZDoWQPybkNescLmXC7q5 1kNTmEU= =8QM5 -----END PGP PUBLIC KEY BLOCK-----')); The output of this query shows that the following public key was encrypting data: pgp_key_id ------------------ 2C226E1FFE5CC7D4 (1 row) The next step is to verify whether the public key that you got was used to encrypt the data in the table:hrdb=# SELECT username, pgp_key_id(cc) As keyweused FROM testuserscards; username | keyweused ----------+------------------ robby | 2C226E1FFE5CC7D4 artoo | 2C226E1FFE5CC7D4 Finally, decrypt the data using the private key that matches the public key you used to encrypt the data with:SELECT username, pgp_pub_decrypt(cc, keys.privkey) As ccdecrypt FROM testuserscards CROSS JOIN (SELECT dearmor('-----BEGIN PGP PRIVATE KEY BLOCK----- Version: GnuPG v1.4.1 (GNU/Linux) lQG7BELIIgoRBAC1onBpxKYgDvrgCaUWPY34947X3ogxGOfCN0p6Eqrx+2PUhm4n vFvmczpMT4iDc0mUO+iwnwsEkXQI1eC99g8c0jnZAvzJZ5miAHL8hukMAMfDkYke 5aVvcPPc8uPDlItpszGmH0rM0V9TIt/i9QEXetpyNWhk4jj5qnohYhLeZwCgkOdO RFAdNi4vfFPivvtAp2ffjU8D/R3x/UJCvkzi7i9rQHGo313xxmQu5BuqIjANBUij 8IE7LRPI/Qhg2hYy3sTJwImDi7VkS+fuvNVk0d6MTWplAXYU96bn12JaD21R9sKl Fzcc+0iZI1wYA1PczisUkoTISE+dQFUsoGHfpDLhoBuesXQrhBavI8t8VPd+nkdt J+oKA/9iRQ87FzxdYTkh2drrv69FZHc3Frsjw9nPcBq/voAvXH0MRilqyCg7HpW/ T9naeOERksa+Rj4R57IF1l4e5oiiGJo9QmaKZcsCsXrREJCycrlEtMqXfSPy+bi5 0yDZE/Qm1dwu13+OXOsRvkoNYjO8Mzo9K8wU12hMqN0a2bu6awAAn2F+iNBElfJS 8azqO/kEiIfpqu6/DQG0I0VsZ2FtYWwgMjA0OCA8dGVzdDIwNDhAZXhhbXBsZS5v cmc+iF0EExECAB4FAkLIIgoCGwMGCwkIBwMCAxUCAwMWAgECHgECF4AACgkQSOnN Vv6maNvTwwCYkpcJmpl3aHCQdGomz7dFohDgjgCgiThZt2xTEi6GhBB1vuhk+f55 n3+dAj0EQsgiIhAIAJI3Gb2Ehtz1taQ9AhPY4Avad2BsqD3S5X/R11Cm0KBE/04D 29dxn3f8QfxDsexYvNIZjoJPBqqZ7iMXMhoWyw8ZF5Zs1mLIjFGVorePrm94N3MN PWM7x9M36bHUjx0vCZKFIhcGY1g+htE/QweaJzNVeA5z4qZmik41FbQyQSyHa3bO kTZu++/U6ghP+iDp5UDBjMTkVyqITUVNgC+MR+da/I60irBVhue7younh4ovF+Cr VDQJC06HZl6CAJJyA81SmRfi+dmKbbjZLF6rhz0norPjISJvkIqvdtM4VPBKI5wp gwCzpEqjuiKrAVujRT68zvBvJ4aVqb11k5QdJscAAwUH/jVJh0HbWAoiFTe+Nvoh frA8vPcD0rtU3Y+siiqrabotnxJd2NuCbxghJYGfNtnx0KDjFbCRKJVeTFok4Unu VYhXdH/c6i0/rCTNdeW2D6pmR4GfBozRPw/ARf+jONawGLyUj7uq13iquwMSE7Vy NuF3ycL2OxXjgOWMjkH8c+zfHHpjaZ0RQsetMq/iNBWraayKZnWUd+eQqNzE+NUo 7w1jAu7oDpy+8a1eipxzK+O0HfU5LTiFZ1Oe4Um0P2l3Xtx8nEgj4vSeoEkl2qun fGW00ZMMTCWabg0ZgxPzMfMeIcm6525AYn2qL+X/qBJTInAl7/hgPz2D1Yd7d5/R dWYAAVQKFPXbRaxbdArwRVXMzSD3qj/+VwwhwEDt8zmBGnlBfwVdkjQQrDUMmV1S EwyISQQYEQIACQUCQsgiIgIbDAAKCRBI6c1W/qZo25ZSAJ4sgUfHTVsG/x3p3fcM 3b5R86qKEACggYKSwPWCs0YVRHOWqZY0pnHtLH8= =3Dgk -----END PGP PRIVATE KEY BLOCK-----') As privkey) As keys; username | ccdecrypt ----------+------------------- robby | 41111111111111111 artoo | 41111111111111112 (2 rows) There's more...


pages: 549 words: 134,988

Pro Git by Scott Chacon, Ben Straub

Chris Wanstrath, continuous integration, creative destruction, Debian, distributed revision control, GnuPG, pull request, remote working, revision control, web application

If you decide to sign the tag as the maintainer, the tagging may look something like this: $ git tag -s v1.5 -m 'my signed 1.5 tag' You need a passphrase to unlock the secret key for user: "Scott Chacon <schacon@gmail.com>" 1024-bit DSA key, ID F721C45A, created 2009-02-09 If you do sign your tags, you may have the problem of distributing the public PGP key used to sign your tags. The maintainer of the Git project has solved this issue by including their public key as a blob in the repository and then adding a tag that points directly to that content. To do this, you can figure out which key you want by running gpg --list-keys: $ gpg --list-keys /Users/schacon/.gnupg/pubring.gpg --------------------------------- pub 1024D/F721C45A 2009-02-09 [expires: 2010-02-09] uid Scott Chacon <schacon@gmail.com> sub 2048g/45D02282 2009-02-09 [expires: 2010-02-09] Then, you can directly import the key into the Git database by exporting it and piping that through git hash-object, which writes a new blob with those contents into Git and gives you back the SHA-1 of the blob: $ gpg -a --export F721C45A | git hash-object -w --stdin 659ef797d181633c87ec71ac3f9ba29fe5775b92 Now that you have the contents of your key in Git, you can create a tag that points directly to it by specifying the new SHA-1 value that the hash-object command gave you: $ git tag -a maintainer-pgp-pub 659ef797d181633c87ec71ac3f9ba29fe5775b92 If you run git push --tags, the maintainer-pgp-pub tag will be shared with everyone.

Signing Your Work Git is cryptographically secure, but it’s not foolproof. If you’re taking work from others on the internet and want to verify that commits are actually from a trusted source, Git has a few ways to sign and verify work using GPG. GPG Introduction First of all, if you want to sign anything you need to get GPG configured and your personal key installed. $ gpg --list-keys /Users/schacon/.gnupg/pubring.gpg --------------------------------- pub 2048R/0A46826A 2014-06-04 uid Scott Chacon (Git signing key) <schacon@gmail.com> sub 2048R/874529A9 2014-06-04 If you don’t have a key installed, you can generate one with gpg --gen-key. gpg --gen-key Once you have a private key to sign with, you can configure Git to use it for signing things by setting the user.signingkey config setting. git config --global user.signingkey 0A46826A Now Git will use your key by default to sign tags and commits if you want.

All you have to do is use -s instead of -a: $ git tag -s v1.5 -m 'my signed 1.5 tag' You need a passphrase to unlock the secret key for user: "Ben Straub <ben@straub.cc>" 2048-bit RSA key, ID 800430EB, created 2014-05-04 If you run git show on that tag, you can see your GPG signature attached to it: $ git show v1.5 tag v1.5 Tagger: Ben Straub <ben@straub.cc> Date: Sat May 3 20:29:41 2014 -0700 my signed 1.5 tag -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAABAgAGBQJTZbQlAAoJEF0+sviABDDrZbQH/09PfE51KPVPlanr6q1v4/Ut LQxfojUWiLQdg2ESJItkcuweYg+kc3HCyFejeDIBw9dpXt00rY26p05qrpnG+85b hM1/PswpPLuBSr+oCIDj5GMC2r2iEKsfv2fJbNW8iWAXVLoWZRF8B0MfqX/YTMbm ecorc4iXzQu7tupRihslbNkfvfciMnSDeSvzCpWAHl7h8Wj6hhqePmLm9lAYqnKp 8S5B/1SSQuEAjRZgI4IexpZoeKGVDptPHxLLS38fozsyi0QyDyzEgJxcJQVMXxVi RUysgqjcpT8+iQM1PblGfHR4XAhuOqN5Fx06PSaFZhqvWFezJ28/CLyX5q+oIVk= =EFTF -----END PGP SIGNATURE----- commit ca82a6dff817ec66f44342007202690a93763949 Author: Scott Chacon <schacon@gee-mail.com> Date: Mon Mar 17 21:52:11 2008 -0700 changed the version number Verifying Tags To verify a signed tag, you use git tag -v [tag-name].


Producing Open Source Software: How to Run a Successful Free Software Project by Karl Fogel

active measures, AGPL, barriers to entry, Benjamin Mako Hill, collaborative editing, continuous integration, corporate governance, Debian, Donald Knuth, en.wikipedia.org, experimental subject, Firefox, GnuPG, Hacker Ethic, Internet Archive, iterative process, Kickstarter, natural language processing, patent troll, peer-to-peer, pull request, revision control, Richard Stallman, selection bias, slashdot, software as a service, software patent, SpamAssassin, web application, zero-sum game

Approval is not simply a matter of inspecting the release for obvious flaws; ideally, the developers download the package, build and install it onto a clean system, run the regression test suite (see the section called “Automated testing” in Chapter 8, Managing Participants), and do some manual testing. Assuming it passes these checks, as well as any other release checklist criteria the project may have, the developers then digitally sign each container (the .tar.gz file, .zip file, etc) using GnuPG (gnupg.org), PGP (pgpi.org), or some other program capable of producing PGP-compatible signatures. In most projects, the developers just use their personal digital signatures, instead of a shared project key, and as many developers as want to may sign (i.e., there is a minimum number, but not a maximum). The more developers sign, the more testing the release undergoes, and also the greater the likelihood that a security-conscious user can find a digital trust path from herself to the release.

You should send pre-notification only to people you trust to be discreet with the information, and with whom you can communicate securely. That is, the qualification for receiving pre-notification is threefold: the recipient must run a large, important service where a compromise would be a serious matter; the recipient must be known to be someone who won't blab about the security problem before the go-public date; and you must have a way (such as via GnuPG-encrypted email) to communicate securely with the recipient, so that any eavesdroppers between you and your recipient can't read the message.[67] Pre-notification should be done via secure means. If email, then encrypt it, for the same reasons explained in the section called “Receive the report”, but if you have a phone number or other out-of-band secure way to contact the administrator, use that.


pages: 282 words: 79,176

Pro Git by Scott Chacon

Chris Wanstrath, continuous integration, creative destruction, Debian, distributed revision control, GnuPG, pull request, revision control

All you have to do is use -s instead of -a: $ git tag -s v1.5 -m 'my signed 1.5 tag' You need a passphrase to unlock the secret key for user: "Scott Chacon <schacon@gee-mail.com>" 1024-bit DSA key, ID F721C45A, created 2009-02-09 If you run git show on that tag, you can see your GPG signature attached to it: $ git show v1.5 tag v1.5 Tagger: Scott Chacon <schacon@gee-mail.com> Date: Mon Feb 9 15:22:20 2009 -0800 my signed 1.5 tag -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEABECAAYFAkmQurIACgkQON3DxfchxFr5cACeIMN+ZxLKggJQf0QYiQBwgySN Ki0An2JeAVUCAiJ7Ox6ZEtK+NvZAj82/ =WryJ -----END PGP SIGNATURE----- commit 15027957951b64cf874c3557a0f3547bd83b3ff6 Merge: 4a447f7... a6b4c97... Author: Scott Chacon <schacon@gee-mail.com> Date: Sun Feb 8 19:02:46 2009 -0800 Merge branch 'experiment' A bit later, you’ll learn how to verify signed tags. Lightweight Tags Another way to tag commits is with a lightweight tag.

If you decide to sign the tag as the maintainer, the tagging may look something like this: $ git tag -s v1.5 -m 'my signed 1.5 tag' You need a passphrase to unlock the secret key for user: "Scott Chacon <schacon@gmail.com>" 1024-bit DSA key, ID F721C45A, created 2009-02-09 If you do sign your tags, you may have the problem of distributing the public PGP key used to sign your tags. The maintainer of the Git project has solved this issue by including their public key as a blob in the repository and then adding a tag that points directly to that content. To do this, you can figure out which key you want by running gpg --list-keys: $ gpg --list-keys /Users/schacon/.gnupg/pubring.gpg --------------------------------- pub 1024D/F721C45A 2009-02-09 [expires: 2010-02-09] uid Scott Chacon <schacon@gmail.com> sub 2048g/45D02282 2009-02-09 [expires: 2010-02-09] Then, you can directly import the key into the Git database by exporting it and piping that through git hash-object, which writes a new blob with those contents into Git and gives you back the SHA–1 of the blob: $ gpg -a --export F721C45A | git hash-object -w --stdin 659ef797d181633c87ec71ac3f9ba29fe5775b92 Now that you have the contents of your key in Git, you can create a tag that points directly to it by specifying the new SHA–1 value that the hash-object command gave you: $ git tag -a maintainer-pgp-pub 659ef797d181633c87ec71ac3f9ba29fe5775b92 If you run git push --tags, the maintainer-pgp-pub tag will be shared with everyone.


pages: 349 words: 114,038

Culture & Empire: Digital Revolution by Pieter Hintjens

4chan, airport security, AltaVista, anti-communist, anti-pattern, barriers to entry, Bill Duvall, bitcoin, blockchain, business climate, business intelligence, business process, Chelsea Manning, clean water, commoditize, congestion charging, Corn Laws, correlation does not imply causation, cryptocurrency, Debian, Edward Snowden, failed state, financial independence, Firefox, full text search, German hyperinflation, global village, GnuPG, Google Chrome, greed is good, Hernando de Soto, hiring and firing, informal economy, intangible asset, invisible hand, James Watt: steam engine, Jeff Rulifson, Julian Assange, Kickstarter, M-Pesa, mass immigration, mass incarceration, mega-rich, MITM: man-in-the-middle, mutually assured destruction, Naomi Klein, national security letter, Nelson Mandela, new economy, New Urbanism, Occupy movement, offshore financial centre, packet switching, patent troll, peak oil, pre–internet, private military company, race to the bottom, rent-seeking, reserve currency, RFC: Request For Comment, Richard Feynman, Richard Stallman, Ross Ulbricht, Satoshi Nakamoto, security theater, selection bias, Skype, slashdot, software patent, spectrum auction, Steve Crocker, Steve Jobs, Steven Pinker, Stuxnet, The Wealth of Nations by Adam Smith, The Wisdom of Crowds, trade route, transaction costs, twin studies, union organizing, wealth creators, web application, WikiLeaks, Y2K, zero day, Zipf's Law

You subscribe to some topics, and then receive posts on those topic, asynchronously, as your local server chats with other servers. Usenet is where FAQs and spam originated. Anonymous broadcasting -- using the Usenet protocols or something very much like them -- also solves the problem of how to avoid flooding the Cellnet. Social Networks There are ways to communicate that are considered secure. People do still trust Tor, "Off-the-record" (OTR) chatting, and cryptographic layers like GnuPG. However, as I've explained, these are still vulnerable in various ways. Even if you do wrap your messages in unbreakable end-to-end security, so no server in the middle can ever see the unencrypted data, you are still providing that metadata, which can be sufficient to build a case against you. Simply talking to a person of interest, no matter what you say, can make you a person of interest in turn.

Agreed, the very notion of the spy state watching and perhaps hunting us, the idea that we live in mortal fear of our own elected governments is highly uncomfortable, close to paranoia. However, why even take the risk? We can build social networks over the Cellnet. They will be asynchronous and distributed and impossible to trace, except by physical seizure or brute-force hacking of individual devices, the most costly and impractical of surveillance options. We would want end-to-end security, as GnuPG or ZeroMQ provides, and some form of anonymous routing across nodes, as I've already described. We could exchange security keys by touching our phones together, using the near-field communications, or NFC, feature that many smartphones have. Then we could share data privately, and securely, over multiple hops, whether we're still in the same city, or half-way around the world. As a user experience, it's simple.


pages: 296 words: 86,610

The Bitcoin Guidebook: How to Obtain, Invest, and Spend the World's First Decentralized Cryptocurrency by Ian Demartino

3D printing, AltaVista, altcoin, bitcoin, blockchain, buy low sell high, capital controls, cloud computing, corporate governance, crowdsourcing, cryptocurrency, distributed ledger, Edward Snowden, Elon Musk, Ethereum, ethereum blockchain, fiat currency, Firefox, forensic accounting, global village, GnuPG, Google Earth, Haight Ashbury, Jacob Appelbaum, Kevin Kelly, Kickstarter, litecoin, M-Pesa, Marc Andreessen, Marshall McLuhan, Oculus Rift, peer-to-peer, peer-to-peer lending, Ponzi scheme, prediction markets, QR code, ransomware, Ross Ulbricht, Satoshi Nakamoto, self-driving car, Skype, smart contracts, Steven Levy, the medium is the message, underbanked, WikiLeaks, Zimmermann PGP

At the time of this writing, Valhalla and AlphaBay are two of the most popular and reputable, but their status could change at any time. Deepdotweb.com and Reddit’s subforums r/Darkmarkets and r/DarkmarketNoobs are great resources for individuals looking to order something from the Deep Web. Ordering from these sites requires PGP and Bitcoin. Guides on how to use Bitcoin can be found in this book and countless places online. GnuPG (or GPG for short, often still referred to as PGP) is the open-source version of PGP, which was the world’s most popular and arguably powerful personal encryption software until GPG was released. It was invented by Phil Zimmerman and owned by the PGP Corporation until 2010, when it was purchased by Symantec.15 Since Windows is extremely unsecure and Tor has been shown to be compromised, it has been suggested that users with particularly strong concerns about privacy and anonymity should take the extra steps of using TailsOS, which I mentioned earlier.


pages: 360 words: 96,275

PostgreSQL 9 Admin Cookbook: Over 80 Recipes to Help You Run an Efficient PostgreSQL 9. 0 Database by Simon Riggs, Hannu Krosing

business intelligence, business process, database schema, Debian, en.wikipedia.org, full text search, GnuPG, MITM: man-in-the-middle, Skype

If for some reason, you don't have openssl or just don't want to use it, it is possible to compile a version of pg_crypto without it, with a smaller number of supported encryption algorithms, and slightly reduced performance. 150 Chapter 6 See also PgCrypto page in postgreSQL online documentation at the following website: http://www.postgresql.org/docs/9.0/static/pgcrypto.html The OpenSSL web page at the following website: http://www.openssl.org/ The GNU Privacy Handbook at the following website: http://www.gnupg.org/gph/en/manual.html 151 7 Database Administration In this chapter, we will cover the following: ff Writing a script that either all succeeds or all fails ff Writing a psql script that exits on first error ff Performing actions on many tables ff Adding/removing columns on tables ff Changing data type of a column ff Adding/removing schemas ff Moving objects between schemas ff Adding/removing tablespaces ff Moving objects between tablespaces ff Accessing objects in other PostgreSQL databases ff Making views updateable Introduction The Tables & Data chapter spent time looking at the contents of tables and various complexities.


pages: 398 words: 107,788

Coding Freedom: The Ethics and Aesthetics of Hacking by E. Gabriella Coleman

activist lawyer, Benjamin Mako Hill, commoditize, crowdsourcing, Debian, Donald Knuth, dumpster diving, en.wikipedia.org, financial independence, ghettoisation, GnuPG, Hacker Ethic, informal economy, Jacob Appelbaum, Jaron Lanier, Jason Scott: textfiles.com, Jean Tirole, knowledge economy, laissez-faire capitalism, Larry Wall, Louis Pasteur, means of production, Paul Graham, peer-to-peer, pirate software, popular electronics, RFC: Request For Comment, Richard Stallman, rolodex, Ronald Reagan, Silicon Valley, Silicon Valley startup, slashdot, software patent, software studies, Steve Ballmer, Steven Levy, Ted Nelson, The Hackers Conference, the scientific method, The Structural Transformation of the Public Sphere, web application, web of trust

Given the deep, bodily pleasures of laughter, the jovial atmosphere overcame most social barriers and sources of social discomfort, and allowed me to feel welcome among the hackers. It soon became clear to me, however, that this was not done for my benefit; humor saturates the social world of hacking. Hackers, I noticed, had an exhaustive ability to “misuse” most anything and turn it into grist for the humor mill. Once I began to master the esoteric and technical language of pointers, compilers, RFCs, i386, X86, AMD64, core dumps, shells, bash, man pages, PGP, GPG, gnupg, OpenPGP, pipes, world writeable, PCMCIA, chmod, syntactically significant white space, and so on (and really on and on), a rich terrain of jokes became sensible to me. My enjoyment of hacker humor thus provided a recursive sense of comfort to a novice ethnographer. Along with personally enjoying their joshing around, my comprehension of their jokes indicated a change in my outsider status, which also meant I was learning how to read joking in terms of pleasure, creativity, and modes of being.


Version Control With Git: Powerful Tools and Techniques for Collaborative Software Development by Jon Loeliger, Matthew McCullough

continuous integration, Debian, distributed revision control, GnuPG, Larry Wall, peer-to-peer, peer-to-peer model, pull request, revision control, web application, web of trust

Although Git implements only one kind of tag object, there are two basic tag types, usually called lightweight and annotated. Lightweight tags are simply references to a commit object and are usually considered private to a repository. These tags do not create a permanent object in the object store. An annotated tag is more substantial and creates an object. It contains a message, supplied by you, and can be digitally signed using a GnuPG key according to RFC4880. Git treats both lightweight and annotated tag names equivalently for the purposes of naming a commit. However, by default, many Git commands work only on annotated tags, because they are considered “permanent” objects. You create an annotated, unsigned tag with a message on a commit using the git tag command: $ git tag -m "Tag version 1.0" V1.0 3ede462 You can see the tag object via the git cat-file -p command, but what is the SHA1 of the tag object?


Engineering Security by Peter Gutmann

active measures, algorithmic trading, Amazon Web Services, Asperger Syndrome, bank run, barriers to entry, bitcoin, Brian Krebs, business process, call centre, card file, cloud computing, cognitive bias, cognitive dissonance, combinatorial explosion, Credit Default Swap, crowdsourcing, cryptocurrency, Daniel Kahneman / Amos Tversky, Debian, domain-specific language, Donald Davies, Donald Knuth, double helix, en.wikipedia.org, endowment effect, fault tolerance, Firefox, fundamental attribution error, George Akerlof, glass ceiling, GnuPG, Google Chrome, iterative process, Jacob Appelbaum, Jane Jacobs, Jeff Bezos, John Conway, John Markoff, John von Neumann, Kickstarter, lake wobegon effect, Laplace demon, linear programming, litecoin, load shedding, MITM: man-in-the-middle, Network effects, Parkinson's law, pattern recognition, peer-to-peer, Pierre-Simon Laplace, place-making, post-materialism, QR code, race to the bottom, random walk, recommendation engine, RFID, risk tolerance, Robert Metcalfe, Ruby on Rails, Sapir-Whorf hypothesis, Satoshi Nakamoto, security theater, semantic web, Skype, slashdot, smart meter, social intelligence, speech recognition, statistical model, Steve Jobs, Steven Pinker, Stuxnet, telemarketer, text mining, the built environment, The Death and Life of Great American Cities, The Market for Lemons, the payments system, Therac-25, too big to fail, Turing complete, Turing machine, Turing test, web application, web of trust, x509 certificate, Y2K, zero day, Zimmermann PGP

, Marc Conrad, Tim French, Wei Huang and Carsten Maple, Proceedings of the 1st International Conference on Availability, Reliability and Security (ARES’06), April 2006, p.482. [191] “Graphical Representations of Authorization Policies for Weighted Credentials”, Isaac Agudo, Javier Lopez and Jose Montenegro, Proceedings of the 11th Australasian Conference on Information Security and Privacy (ACISP’06), Springer-Verlag LNCS No.4058, July 2006, p.87. [192] ”Vulnerability analysis of certificate graphs”, Eunjin Jung and Mohamed Gouda, International Journal of Security and Networks, Vol.1, No.1/2 (2006), p.13. [193] “Towards a Precise Semantics for Authenticity and Trust”, Reto Kohlas, Jacek Jonczy and Rolf Haenni, Proceedings of the 2006 International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services, October 2006, Article No.18. [194] “A Hybrid Trust Model for Enhancing Security in Distributed Systems”, Ching Lin and Vijay Varadharajan, Proceedings of the 2nd International Conference on Availability, Reliability and Security (ARES’07), April 2007, p.35. [195] “A Probabilistic Trust Model for GnuPG”, Jacek Jonczy, Markus Wűthrich and Rolf Haenni, presentation at the 23rd Chaos Communication Congress (23C3), December 2006, https://events.ccc.de/congress/2006/Fahrplan/attachments/1101-JWH06.pdf. [196] “Trust-Based Recommendation Systems: an Axiomatic Approach”, Reid Andersen, Christian Borgs, Jennifer Chayes, Uriel Feige, Abraham Flaxman, Adam Kalai, Vahab Mirrokni and Moshe Tennenholtz, Proceedings of the 17th World Wide Web Conference (WWW’08), April 2008, p.199. [197] “An Adaptive Probabilistic Trust Model and Its Evaluation” Chung-Wei Hang, Yonghong Wang and Munindar Singh, Proceedings of the 7th Conference on Autonomous Agents and Multiagent Systems (AAMAS’08), May 2008, p.1485. [198] “Trust*: Using Local Guarantees to Extend the Reach of Trust”, Stephen Clarke, Bruce Christianson and Hannan Xiao, Proceedings of the 17th Security Protocols Workshop (Protocols’09), Springer-Verlag LNCS No.7028, April 2009, p.189. [199] “Trust Is in the Eye of the Beholder”, Dimitri DeFigueiredo, Earl Barr and S.Felix Wu, Proceedings of the Conference on Computational Science and Engineering (CSE’09), August 2009, Vol.3, p.100.