Building the Web of Trust – the First Baby Step

A few weeks ago I wrote about the way secure connections on the Web are set up and why the system as it stands is vulnerable to abuse — or total collapse. I’d like to spend a little time now devoted to specific things we can all do to make the Web safer for everyone. This attempt to turn the ocean liner before it hits the iceberg may well be futile, which will inevitably lead to governments being the guardians of (and privy to) almost all our private conversations and transactions.

So, I have to try.

Security and privacy are related and a key tool for both is encryption. A piece of data is scrambled up and you need a special key (which is a huge number) to unscramble it. Modern systems use two keys, and when the data is scrambled with one, it can be unscrambled with the other.

When I get a message from Joe, I can use the public half of his pair of keys to unscramble it. If that works, then only someone who has Joe’s secret key could have sent the message. Joe has effectively “signed” the message and I can tell he wrote it and that it hasn’t been tampered with since.

The catch is, if someone gave me a bogus key and said it came from Joe, then all those messages that supposedly came from Joe actually came from someone else. These days most of the certificates (the files that contain the keys) out there are created and confirmed by a handful of companies and governments, and the software we use trusts these certificates implicitly. You are not even asked if you think Comodo is trustworthy, diligent, and none of its subsidiaries has been hacked (which happened); the decision has been made for you.

It is conceivable that we can replace this centralized authority system, but so far it’s not simple. Practically speaking, nothing big is going to change until things are much more obvious. Still, one of the first stepping-stones is in place, so we may as well get that part into common use, which would accelerate the rest of the process.

Here’s my thesis: With technology today, all emails should be signed, and any email to someone you know should also be encrypted. I look forward to the day I can reject all unsigned email, because it will be spam. As a side effect, jerssoftwarehut.com won’t get blacklisted in spam filters because some other company used that address in the “from” field of an email they sent. Email is fundamentally flawed, the big companies are too busy arguing about how to fix it, and it’s time to do it ourselves.

How do we get to this happy place? It’s actually pretty simple. It takes two steps: create a pair of keys for yourself and turn on S/MIME in your email program. If everyone did those things, the Internet world would be a much happier place. Plus, once we all have our keys, the next phase in revamping Web security, building the Web of Trust, will be much simpler (once the software manufacturers realize people actually want this — another reason we should all get our keys made).

If it’s so easy, why isn’t everyone doing it already?

All the major email programs support S/MIME, but they don’t seem to think that ordinary folks like you and me want it. All the documentation and tools are aimed at corporate IT guys and other techno-wizards.

I’m going to go through the process in general terms, then show specific steps for the operating system I know best. I borrowed from several articles which are listed at the bottom, but my process is a little different.

Step 1: Get your keys. Some of the big Certificate Authorities offer free keys, and while that route is probably easier and absolutely addresses our short-term goals, it does nothing to address the “what if the CA system breaks?” problem. So, for long-term benefits, and getting used to our new “I decide whom I trust” mentality, I recommend that we all generate our own certificates and leave the central authority out of it.

The catches in Step 1:

  1. It’s not obvious how one generates a key in the first place, gets it installed correctly, and copies the key to all their various devices.
    1. For Windows, it may depend on what software you use to read your email. Here’s an article for Mozilla (Firefox and Thunderbird): Installing an SMIME Certificate.
    2. For Mac, I’ll be publishing instructions soon.
  2. I’ve read (but not confirmed) that Thunderbird (the Mozilla email app) requires that certificates be signed by a CA.
    1. You can create your own CA – basically you just make your certificate so it says “Yeah, I’m a Certificate Authority”.
    2. If I know you personally, you can use my CA, which I created just yesterday for my own batch of certificates. If you’re interested let me know and I’ll tell you how. It’s pretty simple.
  3. When you generate your own keys, they won’t be automatically trusted by the world at large. That’s the point. The people you interact with will have to decide whether to trust your certificate. In the near term, this could be a hassle. It’s something people just haven’t had to deal with before. You can:
    1. Educate them, get them on board, and not worry too much if people get an “untrusted signature” message and don’t know what to do about it. That way they’ll at least notice there’s a signature at all.

For all those catches, there’s an alternative: go back to using a trusted Certificate Authority like Comodo to generate your certificate, and at least get used to signing and encrypting everything. Maybe later you can switch to a self-signed certificate.

Ironically, in the case of these free certificates from the big companies, they’re probably less trustworthy than one you generate yourself. All the CA confirms is that they sent the cert to the associated email address after they made it. But, our software trusts them for better or worse, and if that makes adoption of secure communication happen faster, then I’m good with that.

The catches in Step 2:
Really, there aren’t any. Somewhere in the preferences of your email reader you can turn on S/MIME (on Mac, installing your certificate seems to do that). You can probably set it to sign everything — and you should. The next step is to learn how to interact with the signed messages you receive. Do you trust the signature? (Don’t take this lightly – if possible confirm the email you got through another means. You only have to do this once.) If so, you can tell your computer and it will save your friend’s public key. Now you can send an encrypted message back to that person, and they’ll be able to trust your key, too. Between you two, you’ll never have to think about it again. Your communications will simply be secure, with no added effort at all.
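The two steps on the command line, as an added example that is not part of the original post: it uses the OpenSSL tool to create a personal CA and an S/MIME certificate, signs a message, and shows that verification succeeds only once the recipient has chosen to trust that CA and the message is unaltered. The names, the address joe@example.com, the file names and the sample message are constructed placeholders.

```shell
#!/bin/sh
# Added example. Names, addresses and file names are constructed placeholders.

# make_identity DIR: create a personal CA and an S/MIME certificate it issues.
make_identity() {
    d=$1
    mkdir -p "$d" || return 1
    # Own minimal config, so nothing depends on the system-wide openssl.cnf.
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Joe Example Personal CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Extensions that limit the end-user certificate to e-mail use.
    cat > "$d/smime.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:joe@example.com
EOF
    # 1. Self-signed CA certificate.
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    # 2. Key pair and signing request for the mail address. -nodes leaves the
    #    key unencrypted for this demo; protect a real key with a passphrase.
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Joe Example/emailAddress=joe@example.com" \
        -keyout "$d/joe.key" -out "$d/joe.csr" 2>/dev/null || return 1
    # 3. The personal CA signs the request.
    openssl x509 -req -in "$d/joe.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -extfile "$d/smime.ext" \
        -out "$d/joe.crt" 2>/dev/null
}

# sign_message DIR IN OUT: clear-sign IN with the private key in DIR.
sign_message() {
    openssl smime -sign -in "$2" -signer "$1/joe.crt" -inkey "$1/joe.key" \
        -out "$3" 2>/dev/null
}

# verify_message SIGNED [CAFILE]: succeeds only if the content is unmodified
# and the signer chains to a trusted CA. Without CAFILE only the system's
# default trust list is used, as for a recipient who has not decided yet.
verify_message() {
    if [ -n "${2:-}" ]; then
        openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null
    else
        openssl smime -verify -in "$1" -out /dev/null 2>/dev/null
    fi
}

# Demo on a constructed message.
t=$(mktemp -d) && make_identity "$t" || exit 1
printf 'Lunch at noon?\n' > "$t/msg.txt"
sign_message "$t" "$t/msg.txt" "$t/signed.eml" || exit 1
sed 's/noon/midnight/' "$t/signed.eml" > "$t/tampered.eml"
verify_message "$t/signed.eml" || echo "rejected: CA not trusted yet"
verify_message "$t/signed.eml" "$t/ca.crt" && echo "accepted: CA trusted"
verify_message "$t/tampered.eml" "$t/ca.crt" || echo "rejected: message altered"
rm -rf "$t"
```

Mail programs usually import the key and certificate as one PKCS#12 bundle, which `openssl pkcs12 -export` can produce from `joe.key` and `joe.crt`.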

Note:
I intended to put the step-by-step instructions for Mac here, but it’s a beautiful Sunday afternoon and even though I’m sitting outside, I have the urge to go do something besides type technical stuff into a computer, prepare a list of references, and all that stuff. So, that will have to wait a day or two. It’s time to let this episode run free!


Pretty Sure the Cyberspace Open is Dead

It’s too bad; the contest had a lot going for it. One of those things that worked great in theory but not in practice. It’s easy to calculate the cash the organizers reaped (rather a lot), but even though the contest was about meeting deadlines, they could not hit their own.

I once ran a contest at writing.com, and as with Cyberspace Open, I promised a thoughtful review to each entrant. Let me tell you, that’s not trivial. Though my reviews were much more detailed, I still only had to do a few of them, and it took forever.

I bitched about the contest even as I participated, but I’m sorry to see it gone. It really was a fun challenge that helped me develop as a writer.

Cyberspace Open had a good run for a few years, before getting crushed by its own popularity. The organizers then added a new marketing element—they got mediocre actors to read the top three entries and let the public vote. Perhaps the contest was already doomed, but that killed it sure. That, and a failure to enforce adherence to their own rules.

I miss the contest. It was right for me. Should it come back, I’d jump in in a heartbeat.


Howdy, Neighbor!

As the Information Age plunges on, we find the definition of “neighbor” changing. We have our geographic neighbors, but more and more our closest neighbors are people who might be thousands of miles away. It’s kind of cool.

One of the great things about neighbors is that they watch out for you. When bad things happen, your neighbors are there to help. The people who live near my house seem like a good bunch; ol’ George sits at the top of the list (based on charisma) but Lois is not far behind. If they need a hand I’ll give it, no questions asked.

I’d like to extend that to my online neighbors. I have a big-ass hard drive (well, medium-ass) and I can back you up. CrashPlan makes it easy and it’s free. Your data will be strongly encrypted so I can never figure out what it is I’m backing up for you. But if a meteor (or a power surge) strikes your home, at least your data will be safe.

Don’t think too hard about this. Just say, “Yeah, Jer, I wouldn’t mind having my most important stuff backed up outside these walls.” There’s really no reason not to.


I’m Not Making This Up

So I sent my fourth tweet ever today. While I had my tweeting-software fired up I noticed that the Calgary Flames were selling used equipment. I perused the list, and there are a few interesting things there. But nothing that matches THIS:

Ferland Goalie Jock @$39.99
Size: SR
Uniform/Color: N/A
Used/New: Used
Final Cost:$20
Quantity: 1

Remember, those are Canadian dollars, so it’s an even better bargain!


Gone is the Village, and the Hero Thereof

As I write this, I’m watching a girl in hot-pink ice skates take instruction from a portly woman who moves like she never takes her skates off. The girl is doing well, arms held so, feet working the drills, and my instant assessment is that this kid can be pretty good.

But, honestly, not great. I hope she’s in the whole figure-skating game for the right reasons: because she loves the challenge, the discipline, and feels great when she gets the toe-thingie just right.

Once upon a time (was it Vonnegut who first pointed this out to me? Maybe. Probably not.) a pretty-good singer could be the pride of a village. “She has the voice of a nightingale,” her neighbors would say. They would ask her to sing at all the village events, and she would, without any compensation beyond the appreciation of her friends.

It was electricity that broke this relationship. Curse that devil’s magic! The villagers could hear the broadcast from New York, then buy records, and before long our village chanteuse is being compared to the best in the whole damn world.

But it didn’t end there, especially in sport. First there’s a tournament in town. The winner of that goes on to face the winners in the nearby towns. That winner goes on to face a group from farther away. Somewhere on this sleigh-ride our hero loses. All the heroes lose but one, out of thousands. Tens of thousands. “He lost at regionals.” “She lost at state.”

OK, that’s an exaggeration, there’s plenty of celebration when a local athlete gets to state. But as the world gets smaller we just can’t let someone be a local champion.

And so, back to the girl on the pink skates. She’s working hard, doing things slowly that seem like they’d be easier fast. I hope she’s having fun. (I think back to trumpet lessons when I was a kid. I wanted to be good, but honestly the lessons weren’t fun. That’s about me, not the teacher. I wasn’t hungry.) I hope there’s a village where Miss Pink-Skates can be the best, but even if there isn’t, that’s not a disaster. The worst part about being the best in the village is the sudden arrival of the world outside.


Idly Pondering Redesign

I was staring blankly at my blog earlier and I thought maybe it’s time to redo the banner. I decided to mention my musings here on the off chance that someone out there cares at all, and has ideas I could mooch. Weighing the good and the bad of the current banner:

  • things move and fade in
  • there's a new haiku every fifteen seconds
  • there's a theme song for the clicking
  • it breaks out of its box
  • never got that wow factor
  • stylistically all over the place
  • Flash - doesn't work everywhere

The last one is the biggie. Flash does not now and never will work on some mobile devices. The number of devices where Flash works is declining now that Microsoft has decided to give up on Flash as well. So… time to move on. Eventually.

One impediment: I don’t know what I want the new header to look like. Something geeky. Gears turning? That would be cool, and could fall back to static gears on older browsers. Maybe some kind of machine that spits out the haiku? Or does a duck poop them out? What should the typesetting look like? How should it reveal?

Maybe a way to pop up a form and submit new guest poems?

Should there be an elevator? An ocelot? A rutabaga?

Frankly, I’m completely stumped.

These sorts of solicitations haven’t met with much response in the past, but if anyone out there has thoughts on the whole design thing, I’d love to hear them.

The Suburban Dream

Three Home Depot visits into home ownership finds me on the back patio, a dog at my side, a fine beer next to my laptop on the glass-topped patio “dining table”. The umbrella is deployed for the first time and is doing its job admirably; my laptop screen is plenty bright enough and WiFi signal is strong. Across from me is my fancy new grill, just waiting for propane. To my left I see the new little push-mower and other garden tools.

My sweetie is around front right now; she spent yesterday pulling out some of the old landscaping to replace it with stuff more our style. Today’s Home Depot visit was to pick out the first wave of colorful flora for the front bed.

The Round Mound of Hound has forsaken my side to find a sunny patch of grass to lounge in. She seems pretty content.

This is pretty good.


Round Mound of Hound… Rebound

Sad news for fans of the Official Muddled Dog: We’ve been busted. You see, the ol’ gal is substantially larger than the nominal limit for our neighborhood. Even at her ideal weight she would be quite a bit too big.

The rule is very inconsistently enforced, however; so as long as no one complains, management is willing to not see the big dog. Well, we’re getting new neighbors and before they moved in they complained. Management has notified us that our quiet, gentle, well-behaved dog must go.

Looking for a home, once again.

To my new neighbors I say, “The next time your &*$#^*@ fence is on fire, there won’t be a dog around to alert people to the trouble.” (True fact: OMD raised the alarm a few days ago when a fence was burning. Just like in Reader’s Digest.) But, I remind myself, we were the ones breaking a rule, we knew we were breaking it, and the neighbors have every right to be jerks and rat on our dog before talking to us. They don’t know us, they don’t know how we would react. The era of neighborliness is sadly over. How long ago was it that when something bothered a neighbor they just went and knocked on the door before calling in higher authority?

Now there’s someone whose bed is maybe thirty feet from mine, whom I’ve never met, that has pissed me off. Part of me wants to get a new dog that fits the regulations and barks nonstop.

But that’s not constructive. What is constructive is helping to find this fine animal her permanent home. Apparently our role in her life is an interim stop between old and new homes, so we can make sure she lands in a good place.

Please, especially if you’re in the Bay Area, put the word out that there’s eighty pounds of unconditional love just looking for someone who needs her.

It’s going to be really tough to say goodbye.

Pop Quiz

You have a pile of chips and a bowl of guacamole. You’re hungry. Life is pretty good.

Except… there are about three times as many chips as the bowl of guac can support at ideal dip levels. Don’t forget, you’re hungry. Do you:

  • Enjoy chips with ideal guacamole levels while it lasts, then eat the rest of the chips dry
  • OR
  • Stretch the guacamole to make every bite a little better than a dry chip

No going Kobayashi Maru here and ordering more guacamole.

A Quick Tip for Would-Be Hockey Goalies

If you follow hockey at all, you’ve heard of the five-hole. It’s the space between a hockey goalkeeper’s legs, and it’s a popular place to shoot at.

All NHL goalies that I know of use the ‘butterfly’, a ligament-stretching move in which the knees are pushed together and the lower legs are parallel to the ice, forming a solid barrier to any pucks skidding along the surface. Why shoot for the five-hole, then, when it is so easily turned into an impenetrable wall? It’s all about time.

When a player slaps the puck toward the net, the time it takes a goaltender to close the hole is limited by the acceleration of gravity. Even after he recognizes the threat his body must fall into position, and no amount of strength or conditioning can make it happen faster.

I just watched in slow motion as the Rangers goaltender let a puck through his five-hole, and I had to cringe. You see, a lot of five-hole goals are preventable, and pretty easily, too. As the goalie collapsed into position, his stick was off to the side, pointing directly at the shooter, and completely useless. Had he simply kept his stick in front of him as he went into the butterfly, the goal would have bounced harmlessly away. His sloppiness might mean his team will not compete for the Stanley Cup this year.

This failing is frightfully common. I often see keepers lift their sticks as they move down, and while that will get their legs into position a couple of milliseconds earlier, they lose their most important interim defense. It is a completely natural reaction to throw your arms up to get your body down faster. Don’t do that!

So, kids who want to be the next great net minder, when you’re practicing dropping into the butterfly long into the night (you are practicing long into the night, right?), always, always have your stick and always keep it in position. Watch video of yourself or have someone watch your stick as you work, and watch your GAA go down. I don’t think there’s any more easily correctable habit in all of hockey that can make such a difference.

More is Better

In the Official Muddled Dog’s mind, there are three things more awesome than anything else. Food, belly rubs, and tennis balls. I don’t know who invented the modern tennis ball, but if dogs had a museum his statue would be out front. As any tennis player will tell you, however, it’s only a matter of time before a tennis ball is nothing more than a tattered pile of rubber fragments and colored fuzz. It pays, therefore, to buy in bulk.

My sweetie came home from Tennis Balls R Us yesterday with a 12-pack of the fuzzy toys and OMD did not need any prompting to claim the entire bag for herself. Hilarity (and pictures) ensued.

My sister asked if Official Muddled Dog had any positions besides “prone”. I’m happy to answer yes, as long as there’s a tennis ball around. The third shot of the set demonstrates that maybe shooting at f/1.2 isn’t always the right choice — could have used a bit more depth of focus there.


Penfinal?

I just received a document named “XXX_final_v2”.


Alert for the Sports Media

I’m hanging out at a local drinkery, waiting for friends, and on the TV is Tiger Woods, who is doing pretty well in the latest tournament, but not great. As usual. THIS IS NOT NEWS!

I don’t follow golf, but even so I get all sorts of breathless “Tiger was in the middle of the pack!” articles before I can click through to actual sports. Tiger is in the middle of the pack. It’s not news anymore. Move on.

How Stupid do you Think I Am?

So I was looking around for a Web service that could take a string of text and return an MD5 Hash of that string, and I found something disturbing.

An MD5 Hash is a big number that is generated by doing crazy math on the original information. It has two good qualities – when you start with the same text you always get the same result, and it’s pretty much impossible to tell what the text was from the number.

A lot of places store the hash of your password, rather than the password itself. When you type in your password, it’s hashed, and the resulting number is sent over the wire. If the number matches the one in their database then you’re in.

But there is one way to crack the hash I hadn’t considered: keep a database of known strings and the resulting hash. It had never occurred to me to try to keep a table so huge, but with access to this information you could pretty easily crack passwords that lots of people use.

In my search for a hashing service, I came across one such Web site. Also on that site: a service to generate a hash for you. The message: “Hey! We keep a database of hashes to render them useless! You want us to calculate a hash for you?”

Um… No thanks?

At this point, I have to advise, stay away from Web-based hash generators. I know you were about to go and use one.
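An added example, not part of the original post: computing the hash locally with OpenSSL instead of a Web service, and checking a stored hash against a small precomputed table of the kind described above. It goes one step beyond the post by showing the same password stored as a salted, iterated hash, which the table cannot match. The word list and salts are constructed.

```shell
#!/bin/sh
# Added example. The word list and salts are constructed for illustration.

# md5_hex STRING: MD5 computed locally; the input never leaves the machine.
md5_hex() { printf '%s' "$1" | openssl dgst -md5 -r | cut -d' ' -f1; }

# build_table: "hash password" lines for a few very common passwords, a tiny
# stand-in for the large databases the post describes.
build_table() {
    for pw in password 123456 letmein qwerty; do
        printf '%s %s\n' "$(md5_hex "$pw")" "$pw"
    done
}

# lookup TABLE HASH: print the matching password; non-zero status if absent.
lookup() {
    printf '%s\n' "$1" | awk -v h="$2" '$1 == h { print $2; hit = 1 } END { exit !hit }'
}

# salted_hash SALT PASSWORD: SHA-512 crypt, salted and iterated. The salt is
# stored with the hash, so a login check can recompute it.
salted_hash() { printf '%s\n' "$2" | openssl passwd -6 -salt "$1" -stdin; }

# Demo: the same weak password stored both ways.
table=$(build_table)
plain=$(md5_hex letmein)
echo "unsalted: $plain -> $(lookup "$table" "$plain" || echo 'not in table')"
salted=$(salted_hash "$(openssl rand -hex 8)" letmein)
echo "salted:   $salted -> $(lookup "$table" "$salted" || echo 'not in table')"
```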

The Round Mound of Hound

It’s a little difficult to get a blog episode out when there’s a largish dog begging for your attention. The dog in question is Chiquita, our newest resident. Chiquita’s owner died suddenly and the ol’ gal was looking for a new home.

She may be the sweetest-tempered dog I’ve ever met, happy to see anyone. She didn’t bark at repair men and delivery guys today, even though she’s starting to get the feel of her new territory.

The first thing we did when we got home was give her a bath; she’s been living outside for the last few weeks. She put up with the water and shampoo stoically, but we missed a few spots.

People over in Facebookland have been asking for pictures, so here for your delight are a few snaps. (You can click to see them larger.)

We had bought a package of rawhide bones for her; after she showed no interest in a tennis ball we gave her one of those. She walked around with it for a while, relaxed in the shade with it firmly between her teeth, but never chewed it. After a while, she found a corner of the yard and buried it. In the second photo she’s pushing more dirt on top of the burial site. Of course I’ve heard about dogs burying bones, but I’ve never seen it before.

As you can see our new doormat could stand to shed a few pounds. Her hip stiffens up and stairs are particularly difficult for her. We’ll be putting her on a diet.
