Written on 12 Jul 2014, 5 min read.
2014 and it’s still annoyingly hard to find a reasonable GPG key management system for personal use… All I want is to keep the key material isolated from any Internet connected host, without requiring me to jump through major inconvenience every time I want to use the key.
An HSM/Smartcard of some sort is an obvious choice, but they all suck in their own ways:
- FSFE smartcard – it’s a smartcard, requires a reader, which are generally not particularly portable compared to a USB stick.
- Yubikey Neo – restricted to 2048 bits, doesn’t allow imports of primary keys (only subkeys), so you either generate on device and have no backup, or maintain some off-device primary key with only subkeys on the Neo, negating the main benefits of it in the first place.
- Smartcard HSM – similar problems to the Neo, plus not really supported by GPG well (needs 2.0 with specific supporting module version requirements).
- Cryptostick – made by some Germans, sounds potentially great, but perpetually out of stock.
Which leaves basically only the “roll your own” dm-crypt+LUKS usb stick approach. It obviously works well, and is what I currently use, but it’s a bunch of effort to maintain, particularly if you decide, as I have, that the master key material can never touch a machine with a network connection. The implication is that you now need to keep an airgapped machine around, and maintain a set of subkeys that are OK for use on network connected machines to avoid going mad playing sneakernet for every package upload.
Continue reading...
Written on 12 Jun 2011, 3 min read.
I stumbled across StartCom a few months ago, an Israeli company that runs a Certificate Authority (CA) called StartSSL with a root certificate in all the modern browsers and operating systems. Best of all they don’t participate in the cartel run by the rest of the SSL certificate industry and offer domain validated certificates at the price it costs them to issue them – nothing.
I had the first opportunity to use their services today when I needed an SSL cert to secure the IMAP server I run for my parents and I was very pleased with the experience. The web interface is a bit weird and you have to jump through some strange hoops, but to save paying more money to the SSL certificate cartel it seemed more than worthwhile.
Continue reading...
Written on 11 May 2011, 3 min read.
IPv6 adoption is increasing, and along with it come a new set of behaviours and defaults that system administrators and users must learn and become familiar with. I was recently caught out by Linux’s handling of IPv6 router advertisements (RAs) when forwarding is also enabled on the interface. It took me a while to figure out and searching for obvious terms (such as those in the first half of the title of this post) didn’t immediately yield useful answers, so here is my attempt to help shed some light on the subject.
Continue reading...
Written on 07 Dec 2010, 8 min read.
For my birthday back in October, my wonderful wife gave me a Kindle 3 from Amazon. I’d been considering other e-book readers for quite some time, but I had mostly ignored the Kindle due to the lack of EPUB support and a general dislike of Amazon’s DRM enforcement. In the end, the superior hardware and ecosystem of the Kindle overpowered those concerns and overall I’m very pleased with the purchase. The screen is amazing, literally just like reading off a piece of paper and the selection of books is OK. I’ve been buying almost all my books from Amazon to date since it’s so easy (the Whispernet is amazingly quick!) but it’s not terribly difficult to get EPUBs from elsewhere onto the device after a quick run through Calibre to turn them into a MOBI file, so I keep telling myself I’ve still got some flexibility.
Continue reading...
Written on 18 Feb 2009, 4 min read.
If you’re reading this post via the website rather than a feed/planet then you will notice that the site has gone completely black in support of the Creative Freedom Foundation’s campaign against S92A of the NZ Copyright Amendment Act which is due to come into effect on 28th February 2009. I’ve also joined the wave of people blacking out their “avatar” on Facebook/Jabber/MSN, etc.
S92A introduces “Guilt Upon Accusation” whereby if you are accused of copyright infringement (downloading music and movies, etc) “repeatedly” (likely 3 or more times) you are at risk of being disconnected from the Internet by your ISP. The law does not require any proof or substantiation of the accusations and the entire process would occur outside of the courts and the established legal system. Not only does it place every user at risk, the wording is very unclear on exactly what type of organisation is considered an ISP and there is significant concern that schools, businesses, libraries and hospitals will be placed in the difficult position of determining whether their users have broken the law and require disconnection.
Continue reading...
Written on 08 Sep 2008, 6 min read.
It’s been a while since I last acquired new gadgets but I think I’ve made up for lost time with my last week’s purchases.
You may remember that I’ve had my eye on the Openmoko phones since early 2007, but in between shifting across the world and starting a new job I never got around to purchasing one of the first versions. The second version, the “Freerunner”, was released in June this year and I placed an order with Pulster, a local distributor, shortly after. The phones have been in hot demand, so I only received my phone last week, a wait of almost 2 months, and it turned up missing one of the cables that was meant to come with it. Still some distribution kinks to be worked out.
Continue reading...
Written on 13 Jul 2008, 2 min read.
On hardy after the latest round of updates:
matt@krypton:~$ dpkg -s flashplugin-nonfree | grep Version
Version: 10.0.1.218+10.0.0.525ubuntu1~hardy1+really9.0.124.0ubuntu2
Granted this package is in hardy-backports not hardy proper, but still, what on earth?!?!
Well, it’s documented in the changelog on https://edge.launchpad.net/ubuntu/+source/flashplugin-nonfree. Ubuntu more or less refrains from using epochs unilaterally[0]. This upload was done to undo a bad backport to hardy, i.e. an old version (9.0.124.0ubuntu2) was uploaded to supersede one with a higher version number (10.0.1.218+10.0.0.525ubuntu1~hardy1).
Continue reading...
Written on 12 Apr 2008, 2 min read.
I highly recommend making some time to read The Australian Open Source Industry & Community Report. Based on a census of the Australian Open Source community conducted at the end of last year, it presents a range of statistics about the state of the Open Source community and industry in Australia.
The report seems to be aimed at demonstrating to Government and Businesses that Open Source has become a very viable business strategy in Australia and in particular how increased adoption of Open Source would reduce the Australian trade deficit. You don’t need to worry about being put to sleep. The report is relatively casual in tone and easy to read with lots of bright graphs to present the key statistics and findings. Including:
Continue reading...
Written on 08 Jul 2007, 3 min read.
I (as root) have a directory hierarchy that I want a particular group to always have write access to. The files and folders inside the hierarchy are owned and manipulated by a wide variety of different users.
Essentially I want to delegate ‘root’ access for a portion of the filesystem to a particular group.
My first attempt at implementing this was to use the standard POSIX ACLs that are available for almost every filesystem Linux supports.
Continue reading...