Sunday, July 21, 2013

IT pros must join the fight between regular users and the government

We've learned a lot over the last month about the massive surveillance program run by the United States government through the NSA. We've learned, in effect, that no one is safe. Whether you're an American or not, every single piece of information you send to the Internet is captured and stored and there is absolutely nothing you can do to stop it.

As IT pros, we're often called upon to help friends, neighbors, and colleagues with their technology problems. This is one of those times. We're being called upon, and I think this offers us an unprecedented opportunity to be of service and value to others.

We need to help people protect themselves from surveillance and we need to make it easy for them to do so.

As IT professionals, we are users' first line of defense against things like PRISM and other data collection tools. We know how to fight it: we know about encryption and security, and we understand how the Internet works. Normal users don't. It's our job to teach them.

If you've got the requisite knowledge, I challenge you to get out into your community and do something. Don't just sit by when you hear people complain about the snooping; actively engage them and teach them how to fight it. Set up community training on encryption, proxy use, Tor, and other tools that help protect users. Teach them good security practices and let them know there is an answer to the question of how to protect their privacy.

You are being called out, my fellow IT pros. It's time you step up and join the fight. It's time you stop sitting on the sidelines with a smug smile, talking about how if people wanted to protect themselves they would. It's time you do your part.

Get involved! Create a movement. DO SOMETHING!

Tuesday, July 16, 2013

How to generate a revocation certificate in GPG

It surprises me how many people use PGP and GPG without ever creating a revocation certificate. These are the same people who wreak havoc on mailing lists when they either lose their private key or forget their passphrase and can no longer use the key. I know it wreaks havoc because I've been one of those people and, trust me, it's not a fun position to be in. People get irritated, and it always raises questions when you try to submit a new key.

Generating a revocation certificate in GPG (and I assume it's a similar process for PGP proper) is fairly easy. Here is the process:

$ gpg --output revocation-certificate.asc --gen-revoke 86C30530

sec  1024D/86C30530 2006-10-23 Your Name

Create a revocation certificate for this key? (y/N) y

Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)

Your decision? 0

Enter an optional description; end it with an empty line:

Reason for revocation: No reason specified
(No description given)

Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "Your Name "
1024-bit DSA key, ID 86C30530, created 2006-10-23

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!

It's really important that you take the warning GPG prints at the end seriously. Protect your revocation certificate with the same care you give your private key and passphrase: anyone who has the certificate can revoke your key and make it unusable.

What happens if you lose your private key or it's compromised?

If you ever need to revoke your key, for example because you've lost your passphrase or your key has been compromised, simply import the revocation certificate into your keyring and then send the updated key to your contacts and to the keyservers. When your contacts import that key into their keyrings, it will be marked revoked and become unusable. Just remember: ANYONE with this certificate can revoke your key, so keep it safe!