
Other articles


  1. Rogue Waves

    The TSA agent had just finished running their fingers through my hair, and begun to pat down my shoulders and outstretched arms.

    “So… do you live in Washington D.C.?” they asked.

    I shook my head, no. They asked what I was doing in the capital. I responded, in my politest, most innocent, most mousy-little-girl voice:

    “I’m just going to talk to some of our nation’s senators about my work.”

    The TSA agent jumped back a bit.

    “Oh? What do you do?”

    “I’m a programmer and computer security researcher.”

    “Oh! Are you like really smart? I saw things about this on TV. Do you like break code and stuff?”

    “Perhaps, sometimes. But, you know… I can’t really talk about it.”

    I forced my face into what I hoped was a kind and knowing half-smile.

    They seemed utterly shocked.

    “Well then, good luck with your talks, miss, and you’re free to go.”

    they said, forgetting to pat down the remainder of me, swab the baby blue latex gloves, and put the swab into the machine that purportedly checks for chemical compounds used in explosives.

    I coolly walked away, holding my nose up in the air, as if I believed I had every right in the world to not be humiliatingly groped, holding all my snickering giddiness inside until I got around the corner of a head-high dividing wall. Then I shook my head, shocked at myself and feeling somewhat bad for the multiple lies² that had just fallen out of my mouth before I could even think about them, and I laughed out loud, wondering how long it would take for that person to realise they still hadn’t checked their gloves.

    · · ·

    That evening, arriving at the hotel in Washington D.C. for the Open Tech Fund summit meeting, I spotted Moxie in the lobby through the glass doors; I ran inside, dropping my backpack, and flung myself upwards at him to wrap my arms around his shoulders. Moxie had been talking with two others: Trevor from the Freedom of the Press Foundation, and Zooko of Tahoe-LAFS. I awkwardly waved a friendly hello at Trevor, and since I’d only “met” Zooko over videochat before, I awkwardly hugged them for the first time. Inwardly, I mentally kicked myself again for my shyness around people I should be able to call comrades and cohorts, yet haven’t interacted with as much AFK.

    We sat down in the hotel lobby, exhausted and idly chatting. Moxie and I, as usual, got to one of our lifelong favourite topics.

    “So I was down in Malibu, and I ran into Laird Hamilton… you know that guy?” Moxie asked.

    “Yep. Dude surfs crazy huge waves. I’d run into him before.” Moxie continued:

    “I just finished this book about rogue waves — they’re these monster waves, hundreds of feet tall, pretty much unpredictable. There’s whole conferences that people go to — people like us — but instead of talking about crypto …

    read more
  2. Poor Man’s Signature Count

    I recently agreed to be the maintainer for Tor’s BridgeDB — both the codebase and the server running the website. The poor thing needs a lot of ♥♥♥.

    One of the things we want to do is start signing emails from the BridgeDB email responder. As StrangeCharm and others have been complaining that I know too much about GnuPG — I blame writing this python module — and that I keep that knowledge all in my head, I figured at least that I should explain a silly trick I devised this morning.

    So, you have a server somewhere in “The Cloud”. You don’t have physical access to the hardware, so you can’t install a smartcard. You want this server to sign things, and you want to be able to carry trust over to a new signing key in the event that the server is compromised. Additionally, you’d like to be able to discover, as best and as soon as possible, if that server and its signing key have been compromised.

    So, you create an offline, certification-only keypair. To do this, I booted into TAILS on a modified Thinkpad running Coreboot. The modifications removed the microphone and wifi card, and removed/replaced hardware pertaining to VGA, PCI, Firewire, SD card reader, and boot flash EEPROM SPI, many thanks to my friends at Coreboot, who will hopefully be publishing their research soon. Sorry to keep secrets, but I would like to respect their request to allow them time to publish. UPDATE [2013-12-30]: Peter Stuge presented this research at 30c3 in his talk, “Hardening Hardware & Choosing a #goodBIOS”. Coreboot, by the way, whether you’re running on modified hardware or not, is fucking awesome. Then I attached an RJ45 cable and did:

    amnesia@amnesia: ~$ sudo apt-get update && sudo apt-get install pcscd gpgsm dpkg-repack
    […]
    amnesia@amnesia: ~$ cd /lib/live/mount/persistent/…/Persistent
    amnesia@amnesia: ~$ for p in gpgsm pcscd ; do sudo dpkg-repack $p ; done

    in order to download, install, and then repackage the .debs for the GnuPG X.509 certificate manager and smartcard reader driver allocation control daemon. Though it turns out this did me no good. I wanted to use all Open Source Hardware for my smartcards, and so (due to @ioerror‘s research from a year or so ago and recommendation) I went with using a Gemalto USB smartcard reader with an OpenPGP ID-000 smartcard (for purchase here and here). However, the documentation for the OpenPGP smartcard would lead one to believe that it supports three keyslots of 3072-bit length. As it turns out, this is extremely misleading, to the extent that — not only would I have to generate keys below my comfort level bitlength — the card is unusable for any serious key sanitation schema: you can’t store 3072-bit certification-only keys on these cards, not as far as I can tell. Normally, you want your primary key to be certification-only and kept offline, and then keep separated signing, encryption, and authentication subkeys online and rotate them every so often, using …

    read more
