Notices by Mike Gerwitz (mikegerwitz)
EFF's Deeplinks (effio)'s status on Thursday, 20-Oct-2016 17:30:55 UTC EFF's Deeplinks Loopholes and Flaws in the Student Privacy Pledge - https://www.eff.org/deeplinks/2016/10/loopholes-and-flaws-student-privacy-pledge
Free Software Foundation (fsf)'s status on Tuesday, 18-Oct-2016 18:09:55 UTC Free Software Foundation Judge Mayer provides a strong case against software patents in Intellectual Ventures v. Symantec https://u.fsf.org/1yb
Mike Gerwitz (mikegerwitz)'s status on Tuesday, 18-Oct-2016 00:50:42 UTC Mike Gerwitz @bobjonkman A standalone password manager is indeed a better idea in any case.
I find, though, that nearly every password in my password manger (non-FF) is for an account on a website. I don't store passwords to anything very sensitive---that includes SSH keys (or smartcard pins), disk encryption, GPG passphrases (or smartcard pins), and others. Of course, I'm often afraid of forgetting them---I make sure that I enter them occasionally to keep them fresh in my mind. Hopefully I never enter a coma.
Mike Gerwitz (mikegerwitz)'s status on Sunday, 16-Oct-2016 06:34:55 UTC Mike Gerwitz @strypey For browser integration, you should trust FF's pw manager far more than others; anything that integrates with the browser directly is prone to terrible security disasters:
Using an in-browser pw manager does have a couple important benefits: the pw is never displayed on the screen (so, not vulnerable to Van Eck Phreaking), and is not copied to the clipboard. FF's pw manager is pretty good. I use it for many (less important) things. Its Sync feature, which I was highly skeptical of initially, is also pretty good:
On disk, FF's pw database is encrypted using 3DES with a key derived from the master pw. You must set a master pw, otherwise the key is static. But it's unlocked after you enter that pw; I use the Master Password+ addon for a timeout.
With that said, there's a larger attack surface---FF is a large and complex program, and it does interact with web pages (see CVE-2006-6077). Its parent process is networked. Ideally, you want a small, easily audited, _simple_, offline, standalone program. To avoid Van Eck Phreaking while also mitigating clipboard issues, you can e.g. pipe to `xclip -l1 -quiet`, which will quit after the first paste, allowing you to see if an attacker/process used it.
But for the average person, FF makes reasonably secure password management easy. And that's important.
Mike Gerwitz (mikegerwitz)'s status on Saturday, 15-Oct-2016 02:05:31 UTC Mike Gerwitz The Nitrokey is equipped with a TRNG, which it uses if you generate the keys on the device itself. I didn't do that, but it's possible to retrieve randomness from the TRNG in ISO 7816-4 smartcards:
What I like about scdrand is that it _contributes to_ the kernel entropy pool; this means that it's mixed into all other system randomness and subject to the same mitigations as all other sources of randomness---even if the HRNG was malicious, the random bits used for my key generation are likely safe. Assuming that the kernel in Tails itself hasn't been compromised, and that scdrand is not compromised and actively monitoring other sources of entropy.
Anyway: I did mix in randomness from the HRNG because of limited entropy sources given that it was a live system (Tails) without a seed stored from previous randomness, with no network activity or disk access.
Mike Gerwitz (mikegerwitz)'s status on Saturday, 15-Oct-2016 01:32:09 UTC Mike Gerwitz @bob But because of the build issues with VirtualBox, there's no way to reproduce it with free software, and no way to guarantee that the non-free compiler isn't doing anything malicious.
Mike Gerwitz (mikegerwitz)'s status on Saturday, 15-Oct-2016 01:30:21 UTC Mike Gerwitz @bob virt-manager does a fine job of replacing VirtualBox.
Mike Gerwitz (mikegerwitz)'s status on Friday, 14-Oct-2016 04:17:22 UTC Mike Gerwitz @lnxw48 At the very least, I'll put up some notes soon, even if it's not a detailed article. I'm finishing up my key transition (changing key references in various places, updating public keys, finalizing certain processes and scripts); maybe this weekend I can have something.
EFF's Deeplinks (effio)'s status on Thursday, 13-Oct-2016 06:31:04 UTC EFF's Deeplinks EFF Goes to Washington to Fight Against the Changes to Rule 41 - https://www.eff.org/deeplinks/2016/10/eff-goes-washington-fight-against-changes-rule-41
Mike Gerwitz (mikegerwitz)'s status on Friday, 14-Oct-2016 03:39:50 UTC Mike Gerwitz This is just silly.
I had other words, but I deleted them. I'll just leave it at "silly".
Mike Gerwitz (mikegerwitz)'s status on Friday, 14-Oct-2016 03:28:20 UTC Mike Gerwitz Michelle Obama's speech today is second only to her own speech at this year's DNC. She has put recent events into a perspective like nobody else, and has told it better than anyone could or possibly can.
This has nothing to do with partisanship (I have no party affiliation)---this woman knows how to speak.
Mike Gerwitz (mikegerwitz)'s status on Friday, 14-Oct-2016 03:17:10 UTC Mike Gerwitz I have changed my GPG key:
D6E9 B930 028A 6C38 F43B 2388 FEF6 3574 5E6F 6D05
vinzv (vinzv)'s status on Tuesday, 11-Oct-2016 20:10:29 UTC vinzv How to sell a smartphone:
• 4GB RAM
• QHD display
• 3.5mm headphone jack
• Doesn't explode
Mike Gerwitz (mikegerwitz)'s status on Wednesday, 12-Oct-2016 03:16:33 UTC Mike Gerwitz I have #GPG agent forwarding working with my Nitrokey such that I can sign/encrypt on my home server using the key plugged into my laptop. This is essential, since everything I do except for using my graphical web browser is done over SSH.
I had one hell of a time getting there, though. I'll have to document it for others.