Author Archives: niq
PGP is not broken. It has long been the best framework most of us have for digital identity, and a secure means of communication.
Sadly the same cannot be said for certain popular PGP tools, nor for vast numbers of tutorials out there. The usage we enjoyed and became accustomed to for a quarter century will now lead at best to confusion, and at worst to mistakes that could defeat the entire purpose of PGP and leave users wide open to spoofing. That applies both to longstanding users who understand it well, and to the newbie who has read and understood a tutorial.
The underlying problem is that 32-bit (8 hex character) key IDs are comprehensively broken. The story of that is told at evil32.com, by (I think) the people who originally demonstrated the issue. It’s developed further since I last paid attention to it (and drew my colleagues’ attention to the need to stop using those 32-bit key IDs), in that an entire ‘shadow strong set’ has now been uploaded to the keyservers. Those imposters were revoked by the evil32 folks, but with the idea being out there, anyone could now repeat that exercise and generate their own fake identities and fake Web of Trust. And when a real malefactor does that, they’ll have the private keys, so there’ll be no-one to revoke them.
Let’s take a look at a recent sequence of events, when I rolled a release candidate for an Apache software package, and PGP-signed it. Bear in mind, this is all happening in a techie community: people who have been happily using PGP for years.
[me] Signs a software bundle, uploads it with the signature to web space.
[colleague] Checks the software, comes back with a number of comments. Among them:
- Key B87F79A9 is listed as "revoked: 2016-08-16" in key server
Where does that come from? I take great care of my PGP keys, and I certainly don’t recollect revoking that one. To have revoked it, someone needs to have had access to both my private key and my passphrase, which is kind-of equivalent to having both the chip and the PIN to use my bank card (and that’s ignoring risks like someone tampering with my post on its way from the bank). This is … impossible … alarming!
Yet this is exactly what happens if you RTFM:
% gpg --verify bundle.asc
gpg: Signature made Sun 16 Apr 2017 00:00:14 BST using RSA key ID B87F79A9
gpg: Can't check signature: public key not found
We don’t have the release manager’s public key (B87F79A9) in our local system. You now need to retrieve the public key from a key server.
% gpg --recv-key B87F79A9
gpg: requesting key B87F79A9 from HKP keyserver pgpkeys.mit.edu
gpg: key B87F79A9: public key "Nick Kew <me>" imported
gpg: Total number processed: 1
gpg: imported: 1
That’s a paraphrased extract from a real tutorial (which I intend to update, if no one else gets there first). It was fine when it was written, but now imports not one but two keys. Here they are:
$ gpg --list-keys B87F79A9
pub   4096R/B87F79A9 2011-01-30
uid                  Nick Kew <niq@apache...>
uid                  Nick Kew (4096-bit key) <nick@webthing...>
sub   4096R/862BA082 2011-01-30
pub   4096R/B87F79A9 2014-06-16 [revoked: 2016-08-16]
uid                  Nick Kew <niq@apache...>
Both appear to be me; one is really me, the other an imposter from the evil32 set. It’s easy to see when we know what we’re looking for, but could be confusing if unexpected!
The problem goes away if we use 64-bit Key IDs, or (nowadays strongly recommended) the full 160-bit (40 character) fingerprint. It is computationally infeasible for anyone to impersonate that, and indeed, they haven’t.
$ gpg --fingerprint B87F79A9
pub   4096R/B87F79A9 2011-01-30
      Key fingerprint = 3CE3 BAC2 EB7B BC62 4D1D 22D8 F3B9 D88C B87F 79A9
uid                  Nick Kew <niq@apache...>
uid                  Nick Kew (4096-bit key) <nick@webthing...>
sub   4096R/862BA082 2011-01-30
pub   4096R/B87F79A9 2014-06-16 [revoked: 2016-08-16]
      Key fingerprint = C74C 8AA5 91CB 3766 9D6F 73C0 2DF2 C6E4 B87F 79A9
uid                  Nick Kew <niq@apache...>
The imposter’s fingerprint is completely different from mine. It’s not PGP that’s broken, it’s the use of 32-bit/8-character key IDs in our tools, our tutorials, and our minds, that’s at fault.
However, the problem is a whole lot worse than that. It’s not just my key (and everyone else in the Strong Set at the time of the evil32 demo) that has an imposter, it’s the entire WoT. Let’s see if WordPress will let me present these side-by-side if I truncate the lines a bit. The commandline used here is
$ gpg --list-sigs [fingerprint] |egrep ^sig|cut -c14-50|sort|uniq|head -5
which lists me:
010D6F3A 2012-04-11 dirk astrath (mo
02D1BC65 2011-02-07 Peter Van Eynde
0AA3BF0E 2011-02-06 Christophe De Wo
16879738 2011-02-07 Markus Reichelt
1DFBA164 2011-02-07 Bernhard Wiedema
010D6F3A 2014-08-05 dirk astrath (mo
02D1BC65 2014-08-05 Peter Van Eynde
0AA3BF0E 2014-08-05 Christophe De Wo
16879738 2014-08-05 Markus Reichelt
1DFBA164 2014-08-05 Bernhard Wiedema
The first field there is the culprit: the 8-hex-char Key IDs for my signatories and their evil32 doppelgangers. The only clue is in those dates, which would be easy to overlook. Otherwise we have a complete imposter WoT. Those IDs offer no more security than a checksum (such as MD5 or SHA) if used without due care, and without a chain of trust right back to the user’s own signature (which is something you probably don’t have if you’re not a geek).
There are a lot of tools and tutorials out there that need updating to prevent this becoming yet another phisher’s playground. Tools should not merely stop displaying 8-character key IDs, they shouldn’t even accept them. I don’t think mere disambiguation is enough when an innocent user might thoughtlessly just select, say, the first of competing options.
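Two points above deserve a concrete illustration: that a key ID is nothing more than the tail of the fingerprint (so an 8-character ID leaves an attacker only 2^32 candidates to search, while the 160-bit fingerprint leaves about 2^160), and that a tool should refuse an 8-character ID outright rather than offer a choice. The following is an added example, not code from the original post or from GnuPG. The first part derives a v4 fingerprint and both key-ID forms from a constructed public-key packet body the way RFC 4880 section 12.2 defines them; the second part parses a sample listing built from the two fingerprints shown above and resolves a selector strictly, rejecting short IDs and ambiguous matches. The sample listing, the toy key numbers and the function names are all my own constructions.

```python
"""Added example: why an 8-character key ID is not an identity, and how a
tool can refuse to act on one. Not code from the original post or from GnuPG.
"""
import hashlib
import re
import struct


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def v4_public_key_body(created: int, algorithm: int, *numbers: int) -> bytes:
    """Body of a version-4 public-key packet: version, creation time, algorithm, MPIs."""
    return bytes([4]) + struct.pack(">I", created) + bytes([algorithm]) + b"".join(mpi(x) for x in numbers)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, a two-byte body length and the body; 40 hex chars."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    """64-bit key ID: the last 16 hex characters of the fingerprint."""
    return fingerprint[-16:]


def short_key_id(fingerprint: str) -> str:
    """32-bit key ID: the last 8 hex characters, the form the post warns against."""
    return fingerprint[-8:]


# Constructed sample, laid out like the `gpg --fingerprint B87F79A9` output in the
# post: two different keys whose fingerprints end in the same 8 characters.
SAMPLE_GPG_OUTPUT = """\
pub   4096R/B87F79A9 2011-01-30
      Key fingerprint = 3CE3 BAC2 EB7B BC62 4D1D 22D8 F3B9 D88C B87F 79A9
uid                  Nick Kew <niq@apache...>
sub   4096R/862BA082 2011-01-30
pub   4096R/B87F79A9 2014-06-16 [revoked: 2016-08-16]
      Key fingerprint = C74C 8AA5 91CB 3766 9D6F 73C0 2DF2 C6E4 B87F 79A9
uid                  Nick Kew <niq@apache...>
"""


def parse_fingerprints(text: str) -> list:
    """Collect fingerprint, creation date and revocation flag for each primary key."""
    keys = []
    for line in text.splitlines():
        if line.startswith("pub "):
            fields = line.split()
            keys.append({"created": fields[2], "revoked": "[revoked" in line, "fpr": None})
        elif keys and "Key fingerprint =" in line:
            keys[-1]["fpr"] = line.split("=", 1)[1].replace(" ", "").upper()
    return [k for k in keys if k["fpr"]]


def resolve_key(selector: str, keys: list) -> dict:
    """Return the single key matching a 64-bit key ID or a full fingerprint.

    A 32-bit (8-hex) selector raises ValueError: it is refused outright, not
    disambiguated. Zero or several matches raise LookupError.
    """
    sel = re.sub(r"\s+", "", selector).upper()
    if sel.startswith("0X"):
        sel = sel[2:]
    if not re.fullmatch(r"[0-9A-F]{16}|[0-9A-F]{40}", sel):
        raise ValueError("key selector must be a 16-hex key ID or a 40-hex fingerprint")
    matches = [k for k in keys if k["fpr"].endswith(sel)]
    if len(matches) != 1:
        raise LookupError("%d keys match %s" % (len(matches), sel))
    return matches[0]


def is_accepted(selector: str, keys: list) -> bool:
    """True only if the selector resolves to exactly one key."""
    try:
        resolve_key(selector, keys)
        return True
    except (ValueError, LookupError):
        return False


if __name__ == "__main__":
    # Toy key material (constructed, not a real key) just to exercise the derivation.
    fpr = v4_fingerprint(v4_public_key_body(1296345600, 1, 0xC0FFEE1234567, 65537))
    print("fingerprint", fpr, "key ID", long_key_id(fpr), "short ID", short_key_id(fpr))
    keys = parse_fingerprints(SAMPLE_GPG_OUTPUT)
    for sel in ("B87F79A9", "F3B9D88CB87F79A9", "2DF2 C6E4 B87F 79A9"):
        print(sel, "->", "accepted" if is_accepted(sel, keys) else "refused")
```

Run stand-alone it prints the derived IDs for the toy key and then shows the short ID refused while either 16-character ID picks out exactly one of the two keys. The design choice is the one the post argues for: no disambiguation prompt, because a user faced with two "Nick Kew" entries will too easily pick the first.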
I’ve already been diving in to some of those tutorials where I have write access to update them, but the task is complicated by having to work in the context of a document that deals with more than just the one thing, and without adding too much complexity for readers. So I decided to work through the story here first!
I’ve just taken delivery of my first physical bitcoin. I hadn’t realised it was topologically single-sided: you think of more complex shapes like the Möbius Strip or Klein Bottle as being interesting, but seeing it in this simply-connected coin came as a surprise to me.
Tom Stoppard was ahead of his time. Rosencrantz and Guildenstern didn’t need an Infinite Improbability Drive to toss 92 consecutive Heads (or whatever it was): it was a single-sided bitcoin, and every toss is heads. Impressive to have written about that 50 years ago.
And so much for all the hype around the new British pound coin!
Enough of that. The genre of April 1st jokes has gone distinctly stale in our times, as the mass of weak and contrived stories fail to fool anyone. Especially online, where most readers of anything I write will be seeing it outside today’s time window. Even those who get it by live feed or aggregator.
Every comment bears the grinning troll icon!
This is clearly just for today or this morning, depending on how they interpret the tradition (maybe it’s really elaborate, and sniffs your timezone for a best guess of when to display them)? But the ingenious thing is that this applies not just to the feeble joke article, but every article, through the history of El Reg. Suddenly the Reg every day is April 1st tradition really comes into its own, as tall stories like yesterday’s one about World Backup Day display all grinning trolls.
And suddenly the seeds of doubt are sown over all the serious stories. This is surreal, and turns it into a brilliant new twist on an old tradition!
Today’s terrorist attack in London seems to have been in the worst tradition of slaughtering the innocent, but pretty feeble in its token attempt on the more noble target of Parliament. This won’t become a Grand Tradition like Catesby’s papists’ attack.
But if we accept that the goal was slaughter of the innocent, then today’s perpetrator made a better job of it than most have done, at least since the days of the IRA, with their deep-pocketed US backers and organised paramilitary structure. His weapon of choice was the obvious one for the purpose, having far more destructive power than many that are subject to heavy security theatre and sometimes utterly ridiculous restrictions. Even some of those labelled “weapons of mass destruction”.
The car. The weapon that is available freely to everyone, no questions asked. The weapon no government dare restrict. The weapon that kills more than all others, yet where it’s so rare as to be newsworthy for any perpetrator to be meaningfully punished. Would the 5/11 plotters have gone to such lengths with explosives if they’d had such effective weapons to hand?
With this weapon, the only limit on terrorist attacks is the number of terrorists. No need for preparation and planning – the kind of thing that might attract the attention of police or spooks – just go ahead.
And next time we get a display of security theatre – like banning laptops on flights – we can point to the massive double-standards.
Just noticed: Sunrise 06:25 Sunset 18:26. Starting today, we are into the season of daylight!
We’ve had some spring weather too, though nothing dramatic. What is looking impressive is the wide range of spring flowers and blossom all around. Not just the Usual Suspects like daffodils and primroses, but even later flowers like the tulips in the front garden are peeping through. And we have the appearance of other spring wildlife, like the bumblebees servicing the flowers in the garden.
Also mildly bemused by the white heather at the bottom of the garden. I’ve seen heather ranging from red/pink through to blueish, but pure white is new to me.
OK, no big deal: just a few minutes of my time. Dumb bots attack websites all the time. Whatever vulnerabilities my server has (and I’m sure there are some), that kind of bot probing my contact form is no threat – except insofar as it could become a DoS.
This morning, another 740 messages. From an even briefer probe: all at 03:59 and 04:00. Checked the IP they all came from, and firewalled it off. With a DROP rule, of course. If it recurs from elsewhere, I’ll have to take a view on whether this approach can be extended or is useless.
If I can be arsed, maybe I’ll stay up and tail the log tonight, starting 03:50 or so. Wonder if the perpetrator can be pwned while in action? On second thoughts, maybe not at that hour, doubly not after the couple of pints I regularly enjoy on a Thursday evening.
Some months ago, Apache PR (aka Sally) launched a monthly series under the generic title “Success at Apache”, and solicited volunteers to write articles on topics of relevance to the Apache Way and how things work. I was one of many to reply, and she put me down for this month’s piece. A few days ago it went live, here.
The original proposal was to discuss the Just Do It and Scratch Your Own Itch aspects of Apache projects and how, with the checks and balances provided by the meritocratic and democratic elements of project governance, that Just Works. Some (linguistically) very ugly words for this have been floating around, so I’ve made an attempt to improve on them with a new coinage to avoid muddling English and Greek. Pratocracy: the Rule of the Makers.
Sometime before I started writing, a question came up on the Apache Members list about any guidelines for companies looking to get involved with an Apache project. It appears most of what’s been written is on the negative side: things not to do! This seems to be a question that dovetails well with my original plan, so I decided to try and tackle it in my article. This became the longest section of the article, and may hopefully prove useful to someone out there!
Sadly I was recovering from a nasty lurgy at the time I was writing it, and I can’t help feeling that the prose falls short of my most inspired efforts. I’ve avoided repeating Apache Way orthodoxy that’s been spoken and written before by many of my colleagues, but in doing so I may have left too much unsaid for a more general readership. At times I may have done the opposite and blathered on about the perfectly obvious. Ho, hum.
I didn’t make it to FOSDEM last weekend.
This time I could perfectly well have done so: there was nowhere else I had to be, no deadline I was pressed to meet, no travel difficulties. No such excuse. I just didn’t go.
My loss. Certainly in terms of who I didn’t meet (old friends and new), what I didn’t learn, how my mind didn’t get stimulated, what projects and ideas haven’t excited me. Damn.
So what kept me away? Obviously it’s that bit harder work than higher-budget conferences. The venue is a bit hit-and-miss, with some of the rooms being quite an ordeal. On the other hand, the big lecture theatre with the keynotes and the smaller ones where most talks happen are perfectly good, the room with the “lightning talks” (always a good default place if there’s a time when you have nothing scheduled) likewise, and the better project rooms are good for a session – at least when there’s something in that limited space of interesting but not too overcrowded and stuffy.
No, what really put me off was the prospect of once again running the gamut of the smokers. The stench of it in the lobby and corridors, exhibition space and coffee area, coupled with the crowds that prevent getting from A to B on a single breath. The good reasons to go to FOSDEM are at an intellectual level, but the feeling of a descent into filth when I think about going is overwhelming at a basic, Proustian level.
On that analysis, I may never go again. That’s sad.
Now transcriptions of Trump’s inaugural speech are available, I can confirm the historic echo I thought I heard.
We are one nation – and their pain is our pain. Their dreams are our dreams; and their success will be our success. We share one heart, one home, and one glorious destiny.
Wow! That is surely too close to be pure coincidence. His own words, or a speechwriter?
But will he do as well as his role model in rebuilding his country’s infrastructure and industries? History tells us where that eventually leads.
Back from Brighton a couple of days ago.
That’s kind-of more newsworthy than a simple journey should be. Travel to Brighton has been disrupted, first by a lot of general disruption on Southern Railways, and more recently by strikes adding to travel problems. Brighton’s commuters have a lot of horror stories about their troubles.
By planning my journey at specific times of day, I can travel from here to Brighton on just two trains, both operated by First Group, and changing at Westbury. So I can easily avoid the disrupted trains. However, that puts me on a short train of just three coaches for the Westbury-Brighton journey. And from Southampton, it’s a stretch served also by much longer Southern trains, many of them eight coaches. So the worry was that my train might be overwhelmed with refugees from disrupted Southern services.
So I took a few precautions. I booked in advance, and avoided not just any Southern services, but also their strike days. Booking in advance still seems to be a nightmare, but I eventually managed. Phew!
Come the actual travel, everything is far better than I’d dared hope. Not only are the trains running smoothly and on-time, but I find I have ample space to spread out. Indeed, a double-seat to myself throughout both outward and return journeys. Even in January low season, that’s unusual!
I can only infer that the news of disruption has driven potential passengers away. People with a choice about it are avoiding travel, not merely in the regions affected by disruption, but also on the mainline service from London to southwest England, well clear of the disruption. All the better for those of us who do travel!
Someone from the Red Cross describes our NHS as a humanitarian crisis. Oh dear. OK, bit of commentary in the media, politicians spin it. No big deal.
But then someone from the NHS denies it, thus invoking the Power of Denial to make it a much more serious story, less likely to be relegated to a footnote in Current Affairs by next week. And it’s not even an unqualified denial. Whoops!
My first reaction: how silly to rise to the bait. But was it deliberate? One shouldn’t attribute to Conspiracy what can be explained by Cockup, but in this case I’m not at all sure.