security

I w̶a̶s̶ t̶a̶r̶g̶e̶t̶e̶d̶ got hit by an attack on GnuPG/PGP

Update: Might not actually be targeted. See Evil 32. Thanks to Ximin Luo for giving me more peace of mind!

Update: I’m not the only one hit by this. Here’s a conversation on GNU social with more people hit - though no one else reported yet having two keys faked and cross-signed.

Update: At the very least you should do this: echo keyid-format long >> ~/.gnupg/gpg.conf

On the 29th of August a colleague asked me “which key should I use to encrypt to you?” I was confused, because I only have one key for that email address. So he showed me the keys he saw:

$ gpg2 --list-keys --fingerprint arne.babenhauserheide
-------------------------------
pub   2048R/A70DA09E 2011-10-07 [expires: 2016-10-05]
uid                  Arne Babenhauserheide <arne.babenhauserheide@kit.edu>
sub   2048R/39829E5F 2011-10-07 [expires: 2016-10-05]

pub   2048R/A70DA09E 2014-06-16 [revoked: 2016-08-16]
uid                  Arne Babenhauserheide <arne.babenhauserheide@kit.edu>

letterblock passwords: secure, memorable, easy to type

Update 2021: An improved version that is viable for analog password creation can be found at Letterblock Diceware Passwords.

Do you want to have secure passwords which are memorable and easy to type? Did you use diceware just to find out that the rate of typos when writing 6 words with 30 letters in total without seeing what you type can be aggravating — especially when you have to enter your password several times a day?

The algorithm here generates secure Letterblock passwords which are easy to type and to remember. Try it:

Get this code via npm install securepasswords
There is also a version in Python and one in wisp Scheme.

A major part of this article is concerned with a security estimate of the generated passwords, but first off, here’s an example of a password which should survive an attack leveraging all smartphones on the planet until at least 2021 at the current development speed of technology:

hXFV!4Vgf-LrgS

And here’s one which should outlast a type II civilization:

HArw-CUCG+AxRg-WAVN-5KRC*1bRq.v9Tc+SAgG,QfUc

Let’s ramp up security of passwords while making them easier to remember.

Update: Also see Keylength - ECRYPT II report on key sizes. The report provides a clean overview of several different recommendations. In short: Use 128 bits. With the method shown here this is equivalent to using 5 blocks of 4 letters (length 20).

My server was breached - sorry for the downtime

After 4 weeks of downtime my sites are online again.

don’t change your habits - fix your tools!

→ In don't run 'strings' on untrusted files Michal Zalewski complained that running the strings utility for computer forensics or other information-security work could make you vulnerable yourself, so you should not use it. Given that strings is Free Software, I draw a different conclusion from the vulnerability of tools used by professional forensics people.

I’d say if you’re actually using these tools to earn money, it is high time to go in and fix them.

Don't completely rely on something you don't control (SaaS)

in reply to You do know you can't rely on Gmail, right?

You're citing some of the reasons why I dislike SaaS, but there's one more:

Whenever I use a SaaS application, I trust someone whom I really can't reach, and I trust him without being able to exert any kind of control.
