[gardenbreak] 1: Put a face on
March 7, 2016
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Sitting here with my carefully written triplicate hardcopies, I feel more than a bit better. I back-of-envelope calculated the bits of entropy in my old shallows-of-imagination passphrase, and it came out to somewhere between 23 and 44 bits. Ouch.
Then I try to actually make the relevant move… And find I can’t bring myself to click the ‘change passphrase’ button. All of human psychology rebels. This is my most intimate connection to my computer, the secret only it and I know. The thing I’ve told to it and to no human ever. And I mean to wipe that away with an utterly impersonal text string? A machine generated nonsense? Blasphemy! I won’t even remember it fully until I’ve used it for a week. I’ll be tied to a piece of paper, constantly afraid of losing that and all my access with it.
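The entropy arithmetic behind the "23 to 44 bits" estimate above, and the machine-generated alternative, as an added example (not code from the original post): a passphrase of n words drawn uniformly from a list of N words carries n * log2(N) bits, and a CSPRNG (Python's `secrets`) should pick the words. The 16-word list is constructed for the demo; the 7776 figure is the size of a standard diceware-style list.

```python
import math
import secrets

# Constructed toy wordlist for a runnable demo: 16 entries, i.e. exactly
# 4 bits per word. A real diceware-style list has 7776 (6**5) entries.
TOY_WORDLIST = [
    "anvil", "basil", "cobra", "delta", "ember", "fjord", "gamma", "hazel",
    "igloo", "jolly", "kayak", "lemon", "mango", "noble", "oasis", "pixel",
]


def bits_per_word(wordlist_size):
    """Entropy of one word chosen uniformly at random: log2 of the list size."""
    return math.log2(wordlist_size)


def passphrase_entropy_bits(word_count, wordlist_size):
    """Entropy of word_count words drawn independently and uniformly from a
    list of wordlist_size words. Only valid for machine-chosen words; a
    human-chosen phrase is drawn from a much smaller, unknown space."""
    return word_count * bits_per_word(wordlist_size)


def words_needed(target_bits, wordlist_size):
    """Smallest number of words whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_word(wordlist_size))


def generate_passphrase(word_count, wordlist=TOY_WORDLIST):
    """Machine-generated passphrase. secrets.choice is a CSPRNG; never use
    random.choice for this. Returns (passphrase, entropy_bits)."""
    words = [secrets.choice(wordlist) for _ in range(word_count)]
    return " ".join(words), passphrase_entropy_bits(word_count, len(wordlist))


if __name__ == "__main__":
    # How many diceware-style words beat the post's 44-bit upper estimate?
    print(words_needed(44, 7776), "words")
    print(generate_passphrase(6))
```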
Plot 1: You are you. Not whoever you say you are, but… A crypto key. Just that. Not an email address, not a face, not a URL, or a username. Welcome to the wide wonderful world of PGP. (Not that it’s the only horse in this race, but out of the gate it’s the simplest way to get things working.) What you signed, you wrote. Everything else is questionable. Normally this alone is a rabbit hole of almost unbearable proportion for the average user. But normally people attempt software ‘integration’ at a level that is frankly infeasible right now. I’m taking a different tack, at least temporarily.
This seems like overkill, doesn’t it? We’re used to taking a combination of acts-like-them and centralized authority to mean identity online. But that means doing a big old “I here am me there” dance for every occasion of platform drift and risking impersonation at most turns. AND that the only verification on what you post is the site authentication. Faked emails, faked FB posts, apps we didn’t remember authorizing, … it’s not a small problem. Also I’m philosophically opposed to ‘acts like them’ as an identity measure, since it inhibits change.
Step 1: Rabbit, meet hole. Build a GPG key attached to a good passphrase. If you already have a GPG key, any decent client should let you change the passphrase. If you don’t… I’m sorry, this will be an annoying part.
Go here: https://www.gnupg.org/
Linux: apt-get or yum install or whatever you do ‘gpg’.
Windows: install gpg4win
And I’m sorry, but it’s probably going to be really annoying. I don’t have a nice answer to that. Take a deep breath and follow tutorials; thankfully you only need to get as far as generating a key.
Once you have a key, upload it to keybase.io. (And at least one old-fashioned keyserver, but still, keybase is a good place to start for this.) But do everyone a MUCH bigger favor and DO NOT put a private key on keybase.io. Ever. Which also means not using keybase to generate the key. Yes it’s a neat tool, and so very convenient, … and takes your private key out of your hands. Your private key is your most personal data-possession. Don’t let it out. It should only touch computers that are trusted to act as you, to speak as you.
So far so normal… This is the point at which most people talk about installing enigmail, which leads down a thunderbird rabbit hole, and suddenly your entire infrastructure is one giant headache of new problems, because you touched /mail/ and that always goes wrong. Besides, we want to deal easily with crypto on /everything/, not just mail, and preferably without hitting the command-line all the time. Or trusting keybase.io with privkeys. I use enigmail, I like it fine, but:
I was looking for a seahorse-to-gedit plugin. And apparently there used to be one, but… bitrot. So. Looks like for a text editor that handles gpg operations relatively cleanly, the choice atm is http://www.geany.org/ with geany-plugin-pg. I like it better than fighting with a command-line or trying to find plugins that work in Firefox for more than ten minutes between website updates before someone gets tired of trying to ‘support’ gmail. The plain old text input box never changes. I can cut-paste just fine. So an editor that can handle encrypt/decrypt/sign/verify is enough. Install, enable plugin, click Tools->GeanyPG->Sign. Yay! (Turning on Document->Linewrapping helps too.)
As much as I would love everything scripted and integrated and pretty… This works. The requirement that every (large) thing I write be signed as written by me can thus be covered. (Although it temporarily won’t be, realistically, because iPad and Android need covering.) Making the results of that non-ugly and taking care of signatures for smaller items (like tweets) is another problem for another day.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

[base64 signature block omitted]
-----END PGP SIGNATURE-----