Weekly output: Google phones (x2), SXSL, e-mail encryption

I just watched the second presidential debate, and I was disappointed but not surprised by the lack of tech-policy banter. You?

10/3/2016: Why it matters that Google might be producing its own phones, Yahoo Finance

My suggestion at the end that Google might offer an installment-payment option for the new Pixel and Pixel XL phones–something analyst Jan Dawson suggested to me in an e-mail–panned out when Google introduced just that.

10/4/2016: Google’s new phones, WTOP

I spoke briefly about the Pixel and Pixel XL to the news station. One thing I wish I’d mentioned: These two new phones aren’t waterproof, unlike the iPhone 7 and the Galaxy S7.

10/4/2016: Obama gathers top tech to tackle US problems, Yahoo Finance

I spent most of Monday at the White House, which is not a bad way to while away an afternoon. This South by South Lawn event did not feature free beer (at least during the day) and so fell short of being a D.C. salute to Austin’s South by Southwest festival, but on the other hand SXSW has yet to allow me to see Rep. John Lewis (D.-Ga.) speak.

10/9/2016: How to protect your email from snooping, USA Today

Freelancing for multiple clients can sometimes lead to situations where one client asks you to write about an issue involving another.

Mail encryption has gotten less cryptic, but some usability glitches linger

I seriously underestimated you all late last year. In a Dec. 7 post about encryption, I wrote that I hadn’t gotten an encrypted e-mail from a reader in years and said I expected that streak to continue.

It did not. Within a week, a dozen or so readers had sent me messages encrypted with my PGP public key (under subject lines like “Have Faith!” and “Challenge Accepted”), and several others have done the same since. That’s taught me that the crypto user experience has, indeed, gotten pretty good in GPG Suite, the Pretty Good Privacy client of choice in OS X.

But at the same time, some awkward moments remain that remind me of the woeful state of things in the late 1990s.

Most of them involved getting a correspondent’s public key, without which I could not encrypt my reply. When it was attached as a file, dragging and dropping that onto the GPG Keychain app had the expected result, but when it came as a block of text in the decrypted message, I (like other users before me) wasted a few mental processor cycles looking for an import-from-clipboard command when I only had to paste that text into GPG Keychain’s window.

I should have also been able to search keyserver sites for a correspondent’s e-mail address, but those queries kept stalling out at the time. One reader did not appear to have a key listed in those databases at all, while I had to remove a subdomain from another’s e-mail address to get his key to turn up in a search.

One more reader had posted his public key on his own site, but line breaks in that block of text prevented GPG Keychain from recognizing it.

The GPGMail plug-in for OS X Mail is in general a pleasure to use. But its default practice of encrypting all drafts meant that I could no longer start a message on my computer and finish it on my phone–and one e-mail that I’d queued up in the outbox while offline went out encrypted, yielding a confused reply from that editor. I’ve since shut off that default.

It’s quite possible that the upcoming stable release of GPG Suite for OS X El Capitan will smooth over those issues. But that version was supposedly almost ready in late September, and there hasn’t been an update on that open-source project’s news page since. I suppose having to wonder about the status of a crucial software component counts as another crypto-usability glitch.


Weekly output: encryption explained, OS X autocorrect, DoubleClick dialog

Yes, I did get your CES PR pitch.

12/7/2015: FAQ: How Encryption Works And Why People Are So Freaked Out About It, Yahoo Tech

The 1.0 version of this column was a detailed look at how encryption works in Pretty Good Privacy and in iOS 8; not for the first time, an editor said I’d gotten too far into the weeds and asked for a rewrite. After this 2.0 version ran, I was pleasantly surprised to have several readers send me PGP-encrypted messages.

If you’d like to know more about this issue, including some of the history behind this debate, see Andrea Peterson’s longer FAQ in the Washington Post.

12/11/2015: Tip: Best Way to Fix OS X’s Autocorrect? Turn It Off, Yahoo Tech

With my USA Today column no longer including a weekly tip at the end, Yahoo was happy to run this tip… which was really more of a rant.

12/13/2015: DoubleClick message should have prompted double take, USA Today

A brief snafu at Google’s advertising subsidiary may not have been sufficient material for a column, but I’d like to think that using it to remind people to be wary of strange requests from even familiar Web sites was a worthwhile exercise.

Weekly output: phone encryption, old browsers

I wrapped up this year’s business travel with a run out to the Bay Area for the Demo conference in San Jose, Calif. This year’s edition of that event was a little confusing: Although the quantity and quality of the startups presenting seemed as high as ever, the attendance had dropped significantly, and the catering (warning: first-world journalism problems) had fallen off a cliff. Is that a long-term problem? Don’t ask me, because events like that shouldn’t be all about me.

11/18/2014: Why the Cops Hate the New Apple and Google Phones, Yahoo Tech

This was a column I could have written weeks ago, but instead I kept gathering string at various events in D.C. and elsewhere. I think that worked out okay.

Note that the headline got a rewrite after the first day. Did “Well-Encrypted Phones on Vulnerable Cellular Networks: Anxiety All Around” resonate more or less than the current hed?

11/23/2014: Thanksgiving tech support: Replace aging browsers, USA Today

After I filed this piece–for once, early–Mozilla announced that it would make Yahoo the default search engine in its Firefox browser. Updating the column to note that affiliation seemed like it would call too much attention to my client, as in the problem I try to avoid when I must mention Yahoo services at other sites. If you think I got that wrong, you’re welcome to explain why in a comment.

PGP and me

If you’ve received an e-mail from me in the past week or so, you may have noticed something extra in the message’s headers: an indication that it was digitally signed with my Pretty Good Privacy key.

As yet, no recipient has asked about that, much less complimented my digital hygiene or sent a reply encrypted with my PGP public key. Which is pretty much what I expected: The last time I had a PGP setup in operation, I had to ask Post readers to send me an encrypted message before I got any.

A few weeks later, my inbox once again featured only un-encrypted e-mail.

Then some fumbled corporate transitions and the switch to OS X left the open-source MacGPG as the most appealing option on my Mac–and a slow and slowing pace of updates left it an increasingly awkward fit. Without ever consciously deciding to give up on e-mail encryption, I gave up.

(I should have felt guiltier than I did when I offered a Post colleague a tutorial on crypto that I didn’t bother to operate on my own machine. On that note, if you have a key for robp@washpost.com or rob@twp.com in your own PGP keychain, please delete it.)

I finally returned to the fold two weeks ago, when I ducked into a “crypto party” tutorial at the Computers, Freedom & Privacy conference. Jon Camfield of Internews explained that things had gotten a lot better and pointed me to a newer, far more elegant open-source implementation called GPGTools. I downloaded it, installed it, and within minutes had a new set of public and private keys plugged into my copy of Mail (no need to copy and paste a message into a separate decryption app as I did in MacGPG), with my public key uploaded to a keyserver for anybody else to use to encrypt mail to me.

My key ID is 03EE085A, my key fingerprint is FD67 6114 46E8 6105 27C3 DD92 673F F960 03EE 085A, and the key itself is after the jump. Do I expect to get a flood of encrypted messages after this post? Not really. But if somebody does want to speak to me with that level of privacy, they now have an option I should have provided all along, and that’s what counts.

Weekly output: e-mail security (x2), MacBook webcam

This week’s work involved the Virginia countryside, a space capsule, robots playing soccer, and some quality time with drones. And yet none of those things showed up in this week’s articles. But there’s always next week…

6/10/2014: Explained: How ‘TLS’ Keeps Your Email Secure, Yahoo Tech

I enjoyed crafting the photo for this, and not just because it gave me an excuse to flip through old postcards. I did not enjoy reading the comments as much: the repeated assertion there that nothing online can be made secure is both incorrect on a technical level and fundamentally defeatist.

6/10/2014: 4 Ways Your Email Provider Can Encrypt Your Messages, Yahoo Tech

I wrote a short sidebar–something we’ve taken to doing more often at Yahoo Tech–outlining how e-mail encryption has advanced over the last decade or so… at least at some providers.

6/15/2014: Revisiting a fix for your MacBook webcam, USA Today

Yes, you read about this topic earlier this year in my USAT column. But this time around the remedy may work a little more reliably. There’s also a tip about watching Netflix on a computer without Microsoft’s Silverlight plug-in–if you’re running Windows 8.1.

Potential exposure is not forced exposure

One of the foremost foes of intellectual-property extortion is shutting down. Groklaw founder and editor Pamela Jones announced this morning in a post, titled “Forced Exposure,” that the possibility of NSA surveillance of her e-mail means she can’t trust e-mail as a means of collaborative input, and therefore the blog must end.

They tell us that if you send or receive an email from outside the US, it will be read. If it’s encrypted, they keep it for five years, presumably in the hopes of tech advancing to be able to decrypt it against your will and without your knowledge. Groklaw has readers all over the world.

This news bothers me deeply–because Groklaw has provided an immense public service in collecting and presenting evidence of grotesque IP abuse such as the SCO Group’s prolonged and mendacious attempt to claim copyright over code in the Linux operating system, and because I don’t like finding fault with somebody whose work I and so many other people admire.

But look: Potential exposure is not forced exposure. Or if it is, it’s always been there. Yes, the NSA might be reading my e-mail and PJ’s. But keyloggers planted by the Russian mob might be reading it too. The NSA might have the ability to crack PGP encryption in five years–or they could have had it all along and haven’t told us, or they could decide to ignore that five-year timeline. Your own computer might be airtight, but what about the machines of all your correspondents? For that matter, how can you be sure you’ve maintained your privacy offline without going into Kaczynski-esque seclusion?

If your reaction to those possibilities is to declare that all is lost and that you should “get off the Internet to the degree that it’s possible,” as PJ wrote in this morning’s post, then how are you not tumbling into the same existential fear that the defenders of the surveillance state sometimes seem to think is the right and proper state of a compliant citizenry?

I don’t know PJ (friends whose judgment I trust do and profess a deep respect for her) and only have a vague notion of what her life has been like running Groklaw (it’s entailed being the target of an unhealthy dose of character assassination). But with my limited knowledge I can’t endorse her stance. I wish she’d at least found somebody else to run the site: While we’re having this hypothetical discussion, very real copyright and patent extortion is going on, and Groklaw was doing a damn good job of exposing it.