PGP and me

If you’ve received an e-mail from me in the past week or so, you may have noticed something extra in the message’s headers: an indication that it was digitally signed with my Pretty Good Privacy key.

As yet, no recipient has asked about that, much less complimented my digital hygiene or sent a reply encrypted with my PGP public key. Which is pretty much what I expected: The last time I had a PGP setup in operation, I had to ask Post readers to send me an encrypted message before I got any.

A few weeks later, my inbox once again featured only un-encrypted e-mail.

Then some fumbled corporate transitions and the switch to OS X left the open-source MacGPG as the most appealing option on my Mac–and a slow and slowing pace of updates left it an increasingly awkward fit. Without ever consciously deciding to give up on e-mail encryption, I gave up.

(I should have felt guiltier than I did when I offered a Post colleague a tutorial on crypto that I didn’t bother to operate on my own machine. On that note, if you have a key for robp@washpost.com or rob@twp.com in your own PGP keychain, please delete it.)

I finally returned to the fold two weeks ago, when I ducked into a “crypto party” tutorial at the Computers, Freedom & Privacy conference. Jon Camfield of Internews explained that things had gotten a lot better and pointed me to a newer, far more elegant open-source implementation called GPGTools. I downloaded it, installed it, and within minutes had a new set of public and private keys plugged into my copy of Mail (no need to copy and paste a message into a separate decryption app as I did in MacGPG), with my public key uploaded to a keyserver for anybody else to use to encrypt mail to me.

My key ID is 03EE085A, my key fingerprint is FD67 6114 46E8 6105 27C3 DD92 673F F960 03EE 085A, and the key itself is after the jump. Do I expect to get a flood of encrypted messages after this post? Not really. But if somebody does want to speak to me with that level of privacy, they now have an option I should have provided all along, and that’s what counts.

Mail merge? Work, home and other e-mail addresses

I keep telling myself that one of the ways I maintain what’s left of my work/life balance is to have separate home and work e-mail addresses. And yet I have to ask who I’m kidding when these two Google Apps accounts, each at its own domain name, constitute separate lines or windows in a mail client, and when I’m sometimes corresponding with the same person from each address on alternate days. Meanwhile, many people I know seem to function perfectly fine with one all-purpose e-mail address.

In a prior millennium, it was an easier call. After having lost a bunch of messages from friends during a transition from one e-mail system to another at the Post–and then discerning the dreadfulness of the new Lotus Notes system–I had little interest in trusting personal correspondence to my employer’s IT department.

I also figured that I would have less trouble staying on top of friends-and-family e-mail if it weren’t competing for space and attention in the first screen of my inbox with random PR pitches, interoffice memos and chit-chat with other journalists. And the address that wasn’t listed on a major newspaper’s Web site should, in theory, get vastly less spam.

(Because I am this persnickety about my communications tools, I also have a regular Gmail account that I use for almost all of my online commerce, financial transactions and other things that are neither personal- nor work-related. I don’t mind the ads there, while my Google Apps inboxes have no such distractions, courtesy of Google ending ad scanning for Apps users–even those on the free version it no longer offers to new users.)

It’s been years since I’ve had to worry about IT-inflicted mail misery. What about the other virtues of this split setup?

  • Being able to flag messages for follow-up means I’m now less likely to forget to answer an important message, whatever address it was sent to.
  • But I don’t need 11 different folders to sort my home e-mail after I’ve dealt with it. Less cognitive load is a good thing.
  • Having to ask myself nit-pick questions like “since I’m asking a friend about something that may lead to him being quoted in a story, should I send this message from my work address?” increases my cognitive load.
  • Searching for messages and then looking over the results is faster when I’m excluding an entire account’s worth of e-mail. But when I ask Mail for OS X to query all of the gigabytes of messages that have accumulated at both addresses… ugh.
  • My anti-spam strategy has been a total bust. When I checked earlier this morning, Google had quarantined almost 1,500 spam messages in my home account, about 100 of which were messages on my neighborhood mailing list that shouldn’t have been screened as junk.

On that last note, here’s a question for you all to ponder: That mailing list will soon be moving to a commercial hosting service subsidized by ads, and of course I haven’t yet read its privacy policy. Should I switch my subscription to my Gmail address, where I can read those messages alongside those from my neighborhood’s smaller Nextdoor group, or should I keep using my home address there?

 

Heartbleed and bleeding-heart open-source advocacy

For at least the last decade, I’ve been telling readers that open-source development matters and helps make better software. If everybody can read the code of an application or an operating system, there can’t be any hidden backdoors; if anybody can rewrite that code to fix vulnerabilities and add features, the software’s progress can’t be thwarted by any one company’s distraction, fraud or bankruptcy.

My glowing endorsement of Mozilla Firefox 1.0 in November 2004 set the tone:

…the beauty of an open-source product like this is that you can participate in its evolution. Firefox’s code is open for anybody to inspect and improve...

Since then, I’ve recommended open-source operating systems, office suites, anti-virus utilities, secure-deletion tools, file-encryption software, two-factor authentication apps, PDF exporters, DVD rippers and video-playback toolkits. And I’ve had one phrase in mind each time: Given enough eyeballs, all bugs are shallow.

My experience using open-source software tells me this is true–even if that doesn’t guarantee a constant rate of improvement or an elegant interface.

And if any genre of software should benefit from this method of development, it ought to be code that Web sites use to secure their interactions with users from eavesdropping: Everybody sending or storing private information needs this feature, billions of dollars of transactions are at stake, and you don’t even have to worry about wrapping a home-user-friendly UI around it.

True, right? Except Heartbleed happened. Two years ago, an update to the widely-used OpenSSL encryption library added a “heartbeat” function that made it easier for sites to keep an encrypted session going. But it also harbored a disastrous vulnerability to buffer-overflow attacks that would cause a site to return 64 kilobytes of whatever happened to be adjacent in the server’s memory to an attacker: usernames, passwords, e-mail content, financial transactions, even the private key the site uses to encrypt the session. And the attacked site can’t check afterwards to see if it got hit. I defy the NSA to script a better hack.

And despite buffer overflows being a well-known risk with documented defenses, nobody caught this for two years. Two years! It took a Google researcher and engineers at the Finnish security firm Codenomicon to find the bug separately and report it to the OpenSSL team.
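To make the missing defense concrete, here is an added example (not OpenSSL's code and not part of the original post): a simplified model of a heartbeat echo handler without and with the length check. All function names and the sample data are hypothetical, and the response padding is omitted.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3   /* 1-byte type + 2-byte claimed payload length */
#define HB_PADDING  16  /* minimum padding RFC 6520 requires after the payload */

typedef size_t (*hb_handler)(const uint8_t *, size_t, uint8_t *, size_t);

/* Flawed model: echoes as many bytes as the message claims to carry. */
static size_t hb_reply_unchecked(const uint8_t *rec, size_t rec_len,
                                 uint8_t *out, size_t out_cap)
{
    (void)rec_len;                          /* real record size never consulted */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);  /* can run past the record */
    return HB_HEADER + claimed;
}

/* Hardened model: discard any message whose claimed payload cannot fit in
   the bytes actually received (the check RFC 6520 calls for). */
static size_t hb_reply_checked(const uint8_t *rec, size_t rec_len,
                               uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed + HB_PADDING > rec_len) return 0;  /* silently drop */
    if (HB_HEADER + claimed > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    return HB_HEADER + claimed;
}

/* Constructed demo: a 22-byte request that claims a 40-byte payload, stored
   next to unrelated data. Returns 1 if the reply contains that data. */
static int demo_leaks(hb_handler handler)
{
    static const char secret[] = "constructed-secret";
    const size_t slen = sizeof secret - 1;
    const size_t rec_len = HB_HEADER + 3 + HB_PADDING;
    uint8_t arena[128] = {0}, out[128];
    arena[0] = HB_REQUEST; arena[1] = 0; arena[2] = 40;
    memcpy(arena + HB_HEADER, "abc", 3);
    memcpy(arena + rec_len, secret, slen);   /* sits right after the record */
    size_t n = handler(arena, rec_len, out, sizeof out);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, secret, slen) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("unchecked leaks: %d, checked leaks: %d\n", demo_leaks(hb_reply_unchecked), demo_leaks(hb_reply_checked));
    return 0;
}
```

The only difference between the two handlers is the comparison of the claimed length against the number of bytes actually received.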

How bad is this? Ask security researcher Bruce Schneier:

“Catastrophic” is the right word. On the scale of 1 to 10, this is an 11.

It seems that everything that could go right in open source development went wrong in this case. As an excellent story from Craig Timberg in the Post outlines, the free nature of OpenSSL made it an obvious choice for hundreds of thousands of sites and something of a natural monopoly; that same enormous deployment of OpenSSL encouraged people to assume that they themselves didn’t need to inspect the code that carefully; and OpenSSL developers got so little financial support from the corporations relying on their work that they couldn’t even subject their code to a proper security audit.

The stupid thing is, we knew this could happen. See John Viega’s 2000 essay, “The myth of open source security,” in which he outlines how thousands of users failed to catch “a handful of glaring security problems” in code he’d contributed to the Mailman mailing-list manager:

Everyone using Mailman, apparently, assumed that someone else had done the proper security auditing, when, in fact, no one had.

That doesn’t mean that closed-source development suddenly looks better. (When all this is done, Microsoft’s proprietary and hideous Internet Explorer 6 may still have greased the skids for more successful attacks than OpenSSL.) But it does mean that selfishness/laziness/distraction and open source can become a toxic mix, one we should have seen coming.

Updated, 10:25 a.m., to add a link to Viega’s prescient article.

I don’t like sketchy ads either

Almost two years ago, I got invited to join WordPress.com’s WordAds program, and for the most part it’s worked well–aside from these advertisements failing to earn me truckloads of money, as opposed to enough for a nice dinner every now and then.

But a week or so ago, a few of the ads sent here by this program started looking distinctly sketchier. One made diet claims unlikely to survive scrutiny by the Food and Drug Administration, while another made the economically implausible offer of a free $1,000 Walmart voucher. And sometimes the appearance of these ads was followed by one of those spammy pop-up ads for the MacKeeper app–also served by the same Tribal Fusion ad network.

That’s not the “high quality” content WordPress promised when it launched this partnership with Federated Media. So I posted a cranky tweet about it and then followed up with a complaint sent through the appropriate form, saying that “If you don’t kick these garbage advertisers out of WordAds, I’ll drop out of the program.” (That was an easy threat to make, since I don’t have that much money at stake.)

I got a quick acknowledgment saying that my gripe was legitimate, followed the next day by a report that the advertiser had removed the offending items and pledged to clean up its act.

I haven’t seen any objectionable ads since; it appears the system worked. But if you see ads making a pitch that looks dodgy, let me know about it. Bad ads are a Web-wide problem, and the least I can do is not have my little corner of the Web contribute to it.

Potential exposure is not forced exposure

One of the foremost foes of intellectual-property extortion is shutting down. Groklaw founder and editor Pamela Jones announced this morning in a post, titled “Forced Exposure,” that the possibility of NSA surveillance of her e-mail means she can’t trust e-mail as a means of collaborative input, and therefore the blog must end.

They tell us that if you send or receive an email from outside the US, it will be read. If it’s encrypted, they keep it for five years, presumably in the hopes of tech advancing to be able to decrypt it against your will and without your knowledge. Groklaw has readers all over the world.

This news bothers me deeply–because Groklaw has provided an immense public service in collecting and presenting evidence of grotesque IP abuse such as the SCO Group’s prolonged and mendacious attempt to claim copyright over code in the Linux operating system, and because I don’t like finding fault with somebody whose work I and so many other people admire.

But look: Potential exposure is not forced exposure. Or if it is, it’s always been there. Yes, the NSA might be reading my e-mail and PJ’s. But keyloggers planted by the Russian mob might be reading it too. The NSA might have the ability to crack PGP encryption in five years–or they could have had it all along and haven’t told us, or they could decide to ignore that five-year timeline. Your own computer might be airtight, but what about the machines of all your correspondents? For that matter, how can you be sure you’ve maintained your privacy offline without going into Kaczynski-esque seclusion?

If your reaction to those possibilities is to declare that all is lost and that you should “get off the Internet to the degree that it’s possible,” as PJ wrote in this morning’s post, then how are you not tumbling into the same existential fear that the defenders of the surveillance state sometimes seem to think is the right and proper state of a compliant citizenry?

I don’t know PJ (friends whose judgment I trust do and profess a deep respect for her) and only have a vague notion of what her life has been like running Groklaw (it’s entailed being the target of an unhealthy dose of character assassination). But with my limited knowledge I can’t endorse her stance. I wish she’d at least found somebody else to run the site: While we’re having this hypothetical discussion, very real copyright and patent extortion is going on, and Groklaw was doing a damn good job of exposing it.

How a hidden OS X process made my old employer think my Mac had been hacked

A slow Monday that I’d hoped would ease my way back into a semi-normal workweek was interrupted by a note from an old Post colleague–specifically, somebody in the IT department–with the never-good subject line of “virus?”

The security guys are reporting that someone is attempting to logon to VPN with your old credentials.

I replied saying that it was probably something spurious unless it was coming from the IP address my home currently had assigned from Verizon. He wrote back to say “turns out that IP is what is pinging the VPN server.”

Well, crap.

I updated my Mac’s ClamXav malware-scanner for the first time in months and got it started on a tedious inspection of my Mac, then downloaded the trial version of a network monitor called Little Snitch.

The virus scan found nothing, and Little Snitch didn’t report any oddball apps trying to send out data either. I also checked the settings of apps that I’d once configured to log into the newsroom remotely, but found nothing there.

Then I thought to try searching for the Post VPN address in Little Snitch’s network monitor. That revealed that Safari–to be exact, its WebProcess component–had pinged it only a few hours ago. A search for that address in Safari’s bookmarks and history located an old bookmark for the site that I’d misplaced in an unrelated, rarely-opened folder. Since deleting that, Little Snitch hasn’t recorded any more access attempts, and I haven’t gotten any other reports of those from the Post’s IT people.

WebProcess itself seems remarkably undocumented on Apple’s customer and developer sites, aside from references to it by users in the company’s tech-support forums. A further inquiry confirmed my initial hunch that this process updates Safari’s “Top Sites” view of pages you’ve visited recently–how else will the browser know to provide current previews of them?

What I still don’t get is why WebProcess would have kept on checking a site I hadn’t visited in close to two years–and which I don’t remember seeing in Top Sites anytime since. But I’ve witnessed enough weird behavior lately from individual Apple apps that I can’t put this past Safari… which is to say, I hope that’s all this is and that I haven’t missed something else.

Belated updates to this year’s stories

You don’t have to run a correction when a story changes after you’ve written about it–but it is polite to follow up. Here’s a not-so-short list of updates to stories I’ve done this year.

When I wrote that Google’s new, unified privacy policy would almost certainly be recast to let users opt out of having the company assemble a detailed portrait of them based on their use of separate Google services, I was wrong; that has yet to happen.

Sonic.net’s groundbreaking fiber-to-the-home service–a steal at $69.95 a month for 1 billion bits per second–seems to be off to a fine start in Sonoma County, but the planned expansion to San Francisco’s Sunset District is still on the way. It hasn’t shown up as an advertised offering on this Santa Rosa, Calif., Internet provider’s home-services page either.

Remember when adjacent-friend-discovery apps were going to blow up after their moment in the sun at SXSW in March? Didn’t happen. Facebook bought Glancee (and has yet to do much publicly with its technology), while Highlight seems to have fallen off the map (maybe I’m not hanging out with the right crowd?).

The ethics of outsourced manufacturing, fortunately, have stayed in the headlines since I wrote about them in March for CEA. And we may even be seeing legitimate progress, to judge from the New York Times’ story earlier this week recounting upgrades in pay and working conditions at contract manufacturers Foxconn and Quanta’s Chinese factories.

I’m still waiting to see comparable progress in liberating e-books from “digital rights management.” The sci-fi publisher Tor/Forge–a subsidiary of Macmillan–went DRM-free in July, but other branches of the major publishing houses have clung to this self-defeating measure. 

After saying so many good things about the car2go car-sharing service–and seeing that story get picked up in a few other places–I have to confess that I, ahem, haven’t used the service since. Capital Bikeshare is even more convenient and cheaper for trips under two miles, plus I need to make my way into the District to jump into one of car2go’s Smart fortwo vehicles.

I tempered my praise for Sprint’s Evo 4G LTE by wondering how long its users would wait to get Google’s software updates. Answer: almost six months, the time it took HTC and Sprint to deliver the Android 4.1 release Google shipped in June.

I was pretty sure I’d buy a Nexus 7 tablet after liking it as much as I did in July. But now that I own an iPad mini, that purchase seems like it would be redundant. Am I making a mistake there?

After teeing off on Apple Maps in the first chapter of my iPhone 5 review for CNNMoney.com, I have to give Apple credit for fixing the two worst flaws I called out. It now lists the correct address for the Kennedy Center as its first search result and provides a route to Dulles Airport that doesn’t cross any runways. But it still doesn’t know about Yards Park or the new 11th Street Bridges across the Anacostia–and the latter omission means its directions will now send you on a closed stretch of freeway.

My upbeat review of Samsung’s $249 Google Chromebook noted some build-quality concerns, in the form of a loose corner of the screen bezel. I found out the hard way that it’s more delicate than that; its LCD is now broken, and I don’t even know how. (We do have a two-year-old at home, but it’s also possible that I dropped something on it.)

My advice about enabling multiple-calendar Google Calendar sync on an iOS device by setting up your Google account as a Microsoft Exchange account will soon be obsolete. Effective January 30, Google will no longer support Exchange syncing on new setups (although existing ones will still work). Fortunately, it’s also posted instructions to enable multiple-calendar sync without the Exchange workaround.

3/23/2013: Updated the link for the car2go review after the post vanished in a site redesign and, for CMS-driven reasons that escape me, could not be re-posted at the same address.