Update: Might not actually be targeted. See Evil 32. Thanks to Ximin Luo for giving me more peace of mind!
Update: I’m not the only one hit by this. Here’s a conversation on GNU social with more people hit, though no one else has yet reported having two keys faked and cross-signed.
Update: At the very least you should do this:
echo keyid-format long >> ~/.gnupg/gpg.conf
On the 29th of August a colleague asked me “which key should I use to encrypt to you?” I was confused, because I only have one key for that email address. So he showed me the keys he saw:
    $ gpg2 --list-keys --fingerprint arne.babenhauserheide
    -------------------------------
    pub   2048R/A70DA09E 2011-10-07 [expires: 2016-10-05]
    uid   Arne Babenhauserheide <email@example.com>
    sub   2048R/39829E5F 2011-10-07 [expires: 2016-10-05]

    pub   2048R/A70DA09E 2014-06-16 [revoked: 2016-08-16]
    uid   Arne Babenhauserheide <firstname.lastname@example.org>
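Both keys in the listing display the same 8-digit key ID. As an added example (not part of the original post), the following parses a constructed `gpg --with-colons` listing and reports primary keys whose IDs collide at a given length; the fingerprints, names, addresses and function names are made up for illustration.

```python
from collections import defaultdict

# Constructed listing in the `gpg --with-colons --fingerprint --list-keys` format.
# All fingerprints and addresses are made up; two of them end in the same 8 digits.
SAMPLE = """\
pub:-:2048:1:89ABCDEFDEADBEEF:1317945600:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFDEADBEEF:
uid:-::::1317945600::::Alice Example <alice@example.org>:
sub:-:2048:1:1122334455667788:1317945600::::::e:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1122334455667788:
pub:r:2048:1:76543210DEADBEEF:1402876800:::-:::sc:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210DEADBEEF:
uid:r::::1402876800::::Alice Example <alice@example.org>:
pub:-:4096:1:CCDDEEFF0BADF00D:1420070400:::-:::scESC:
fpr:::::::::00112233445566778899AABBCCDDEEFF0BADF00D:
uid:-::::1420070400::::Bob Example <bob@example.org>:
"""


def parse_primary_keys(listing):
    """Return [(fingerprint, first_uid)] for each primary key in a colon listing."""
    keys, in_primary = [], False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            in_primary = f[0] == "pub"  # fpr records after a sub belong to the subkey
            if in_primary:
                keys.append({"fpr": None, "uid": None})
        elif f[0] == "fpr" and in_primary and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9].upper()  # field 10 holds the fingerprint
        elif f[0] == "uid" and keys and keys[-1]["uid"] is None:
            keys[-1]["uid"] = f[9]  # field 10 holds the user ID
    return [(k["fpr"], k["uid"]) for k in keys if k["fpr"]]


def colliding_ids(listing, hex_digits=8):
    """Map each key ID of the given length to its fingerprints, where more than one."""
    by_id = defaultdict(set)
    for fpr, _uid in parse_primary_keys(listing):
        by_id[fpr[-hex_digits:]].add(fpr)  # a key ID is the tail of the fingerprint
    return {kid: sorted(fprs) for kid, fprs in by_id.items() if len(fprs) > 1}


if __name__ == "__main__":
    for digits in (8, 16):
        print(digits, "hex digits:", colliding_ids(SAMPLE, digits))
```

With 16 digits the constructed keys no longer share an ID, which is what `keyid-format long` makes visible; the full fingerprint is what actually identifies a key.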
Do you want to have secure passwords which are memorable and easy to type? Did you use diceware just to find out that the rate of typos when writing 6 words with 30 letters in total without seeing what you type can be aggravating — especially when you have to enter your password several times a day?
The algorithm here generates secure passwords which are easy to type and to remember.
A major part of this article is concerned with a security estimate of the generated passwords, but first off, here’s an example of a password which should survive an attack leveraging all smartphones on the planet until at least 2021 at the current development speed of technology:
Let’s ramp up password security while making them easier to remember.
Update: Also see Keylength - ECRYPT II report on key sizes. The report provides a clean overview of several different recommendations. In short: Use 128 bits. With the method shown here this is equivalent to using 5 blocks of 4 letters (length 20).
npm install securepasswords
After 4 weeks of downtime my sites are online again.
→ In “don't run 'strings' on untrusted files”, Michal Zalewski complained that running the strings utility for computer forensics or other fields of information security could make you vulnerable yourself, so you should not use it. Given that strings is Free Software, I draw a different conclusion from the vulnerability of tools used by professional forensics people.
I’d say if you’re actually using these tools to earn money, it is high time to go in and fix them.
in reply to You do know you can't rely on Gmail, right?
You're citing some of the reasons why I dislike SaaS, but there's one more:
Whenever I use a SaaS application, I trust someone whom I really can't reach, and I trust him without being able to exert any kind of control.