Re: security measures?

2005-10-15 Thread Mica Mijatovic
-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160

Was Sat, 15 Oct 2005, at 09:40:27 +0800,
when nidhog wrote:

> Do you have any suggestions as to what security measures can be
> implemented in the following conditions:

I'll give a few ideas, if nothing else than to improve my "karma" for the
next week. (-: There are plenty, actually.

> 1. key management
>   - how, where to keep keyrings

Encrypted "removable/mobile media" (diskette, CD-RW...) are quite fine.
Perhaps encrypted "containers" on them. (I have one small container of
1.44 MB for key rings.)

>   - how to backup (encrypt backup?)

You can keep a backup in another container? Encrypted (.zip or other)
file and similar. It's important for it to be "locked up" somehow.

>   - would it be safer to make separate keys to be used for different
> purposes (one for email and one for local file encryption, signing,
> etc)

That's quite a good idea.

Even for local (not circulating on the Internet) files it is good to use
some other algorithm, not the "popular" one. (But about this one opinions
vary/diverge.)

> 2. frequency of changing passphrases
>   - in a user who accesses emails via net cafes (think keyloggers)

Also a good idea. Let's say after each use via net cafes, as soon as
possible. Well, that would be "ideally".

> A link of good/reliable secure computing practices would be much
> appreciated.

Uh, it's a wide area... It might go from specific/particular piece of
software to anthropology. I don't know if there is something like that
at one place...

We have to know...

+ the machine (hardware)
+ the OS
+ particular software

...and then...

+ how the Internet/a Network works (TCP/IP, specific software /
"utilities" used...)

...so I'll give just a few titles that come to mind now, for instance
"Securing & Optimizing Linux 2.0" (quite an interesting book; the file name
for the download/Google is "Securing-Optimizing v2.0.pdf"; there is a
chapter dedicated to GnuPG too), then "Teach Yourself TCP/IP in 14 Days" at
, or "Learn TCP IP
from professionals" at
, then the Funny
Manuals related to particular OS (those for Linux are good, very good,
and those for...hm, Windows...I don't know, people often visit
, although I remember that the site
 was abounding with "WinDOwS Tricks ·
Secrets · Bugs · Fixes".

Well, basically all depends on your personal "model" of "security /
safety" you estimate you need/want. Then according to this you choose
what you will learn and how much.

I personally like to tend to be within some "reasonable" limits, that is
I choose the "middle path" between a "paranoia" and a "boobynoia". It is
because there will always be someone around knowing more
("technicalities") than you do, in general or at a particular moment, and
all your _technical_ defence will...well, suck in no time, if you have no
other ways, for instance to avoid an attack or a pestilent situation
_before_ it becomes actual. It relates, then, to this "anthropologic"
dimension, where our own _personal behavior_ (independently of any
software and technical knowledge) defines the situations we'll be
involved in. Once we are clear as to this behavior, it will define what
software and knowledge we'll (choose to) use.

- --
Mica
PGP keys nestled at: http://blueness.port5.com/pgpkeys/
~~~ For personal mail please use my address as it is *exactly* given
 in my "From|Reply To" field(s). ~~~
Consultants are mystical people who ask a company for a number and then
give it back to them.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: security measures?

2005-10-15 Thread John W. Moore III
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mica Mijatovic wrote:

>>>2. frequency of changing passphrases
>>> - in a user who accesses emails via net cafes (think keyloggers)
> 
> 
> Also good idea. Let's say after each use via net cafes, as soon as
> possible. Well, would be "ideally".

However, keep in mind this:  If a keylogger/spyware ensnares one's Key &
operable passphrase, then merely changing the passphrase once you get
home will not eliminate the "intruder" from now having a matching
combination for later use.

The "best/paranoid" practice would be to have a Key used only on one's
portable/Public PC device coupled with a "codeword" for each
correspondent to be inserted within each missive to confirm authenticity.

JOHN :)
Timestamp: Saturday 15 Oct 2005, 11:34 AM --400 (Eastern Daylight Time)


Explain it again, Sam

2005-10-15 Thread Wayne Chandler
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I would appreciate a few recommendations for online PGP primers.  PGP
for dummies, I guess.  I have OpenPGP on Thunderbird, and I would like
to understand purpose, usage, and best practices.  Again, I'm going
for learning and understanding, not just having another application on
my machine that isn't used.



Re: Explain it again, Sam

2005-10-15 Thread John Clizbe
Wayne Chandler wrote:
> I would appreciate a few recommendations for online PGP primers.  PGP
> for dummies, I guess.  I have OpenPGP on Thunderbird, and I would like
> to understand purpose, usage, and best practices.  Again, I'm going
> for learning and understanding, not just having another application on
> my machine that isn't used.

Since you're using Thunderbird, I guess it's a safe assumption you're also
using Enigmail. There is a list of Useful Resources at the bottom of each of
the Monthly Newsletters. (most recent:
http://enigmail.mozdev.org/newsletters/2005-09.html)

Here are some of the ones that may be most useful.

OPENPGP CONCEPTS AND TUTORIALS

The GNU Privacy Handbook:
   http://www.gnupg.org/gph/en/manual.html

Michael Daigle's Web of Trust page:
   http://home.cogeco.ca/~mdaigle/trust/wot.html

USEFUL SITES

Tom McCune's PGP Page:
   http://www.mccune.cc/PGP.htm

Jim Willingham's PGP Site:
   http://www.cooke.net/~jwillingham/pgppg.htm

David S. Jackson's PGP Resources Page:
   http://www.dsj.net/pgp/resources.html

Rubin.ch PGP Page:
   http://www.rubin.ch/pgp/pgp.en.html

Gnu Privacy Guard (GnuPG) Mini Howto:
   http://webber.dewinter.com/gnupg_howto/english/GPGMiniHowto.html

German/Deutsche Pages:
Anleitungen und Einführungen:
   http://kai.iks-jena.de/misc/anleitung.html

Eric Howes Privacy & Security Page:
   https://netfiles.uiuc.edu/ehowes/www/main.htm

OTHER MAILING LISTS

Enigmail mailing list:
   Enigmail@mozdev.org
   http://mozdev.org/mailman/listinfo/enigmail

PGP-Basics mailing list:
   [EMAIL PROTECTED]
   http://groups.yahoo.com/group/PGP-Basics/

-- 
John P. Clizbe  Inet:   John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
"what's the key to success?"/ "two words: good decisions."
"what's the key to good decisions?" /  "one word: experience."
"how do i get experience?"  / "two words: bad decisions."

"Just how do the residents of Haiku, Hawai'i hold conversations?"



Re: Bogus Key on Keyservers

2005-10-15 Thread Ivan Boldyrev
On 9262 day of my life Tad Marko wrote:
>> You can't. That's like asking how you can stop other people from
>> printing out badges that say "I am Tad Marko" and pinning them to their
>> shirts.
>
> I'm not asking for that. I want them to not say that a given key goes
> to [EMAIL PROTECTED]

It is not keyserver-related, but you can sign your key with various
bots like  or
.

-- 
Ivan Boldyrev

   XML -- new language of ML family.




Re: Explain it again, Sam

2005-10-15 Thread Michael Daigle
-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160

In reply to John Clizbe's message sent 2005-10-15 15:33:

> Wayne Chandler wrote:
> 
>>I would appreciate a few recommendations for online PGP primers.  PGP
>>for dummies, I guess.  I have OpenPGP on Thunderbird, and I would like
>>to understand purpose, usage, and best practices.  Again, I'm going
>>for learning and understanding, not just having another application on
>>my machine that isn't used.

> Here is some of the one's that may be most useful.

> Michael Daigle's Web of Trust page:
>http://home.cogeco.ca/~mdaigle/trust/wot.html

I have had a recent change (Oct-01-2005) of service providers. That
location no longer exists. I have published that realm on my hosting
account. It needs some updating, but it is accessible.

http://www.mikedaigle.ca/trust/index.html


- --
Mike Daigle   http://www.mikedaigle.ca
My PGP Key mailto:[EMAIL PROTECTED]
Gossamer Spider Web of Trust  http://www.gswot.org



Re: security measures?

2005-10-15 Thread Alphax
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

John W. Moore III wrote:
> Mica Mijatovic wrote:
> 
> 
>>>2. frequency of changing passphrases
>>> - in a user who accesses emails via net cafes (think keyloggers)
>>
>>
>>Also good idea. Let's say after each use via net cafes, as soon as
>>possible. Well, would be "ideally".
> 
> 
> However, keep in mind this:  If a keylogger/spyware ensnares one's Key &
> operable passphrase, then merely changing the passphrase once you get
> home will not eliminate the "intruder" from now having a matching
> combination for later use.
> 
> The "best/paranoid" practice would be to have a Key used only on one's
> portable/Public PC device coupled with a "codeword" for each
> correspondent to be inserted within each missive to confirm authenticity.
> 

Create separate signing and encryption subkeys and export them,
disabling the secret part of the primary key when you do so. A good
tutorial on this is available at http://fortytwo.ch/gpg/subkeys

- --
Alphax  |   /"\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email & vCards
http://tinyurl.com/cc9up|   / \
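One way to carry out what Alphax describes, as an added example that is not from the thread or the linked tutorial: it builds a separate "travel" GnuPG home containing only the subkeys (`gpg --export-secret-subkeys`), then checks that the primary secret key survived only as a stub. It assumes `gpg` on PATH, an existing key id passed as `$KEYID`, and the `--with-colons` layout where field 15 of the `sec` record is `#` for a stub; the function names and the sample listing are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). A keylogger on a public PC that
# captures this keyring plus its passphrase gets subkeys only; the
# certify-capable primary key stays at home and can revoke/replace them.
set -eu

# Export public key and secret subkeys; the primary secret key becomes a
# stub. Import both into a fresh home directory that is the one to travel.
make_travel_keyring() {
  keyid=$1; dir=$2
  mkdir -p "$dir/home" && chmod 700 "$dir" "$dir/home"
  gpg --armor --export "$keyid"                > "$dir/public.asc"
  gpg --armor --export-secret-subkeys "$keyid" > "$dir/subkeys.asc"
  gpg --homedir "$dir/home" --batch --import "$dir/public.asc" "$dir/subkeys.asc"
  # Refuse to hand over the directory unless the primary key is a stub.
  gpg --homedir "$dir/home" -K --with-colons | primary_secret_is_stub
}

# Reads 'gpg -K --with-colons' on stdin. Field 15 of the 'sec' record is
# '#' when only a stub of the primary secret key exists. Exit 0 if so.
primary_secret_is_stub() {
  awk -F: '$1 == "sec" { found = 1; stub = ($15 == "#") }
           END { if (found && stub) exit 0; exit 1 }'
}

# Constructed listings (key ids, dates and names are made up) so the check
# can be exercised without gpg: first a stubbed primary, then a full one.
sample_listing_stub() {
cat <<'EOF'
sec:u:2048:1:0123456789ABCDEF:1129334400:::u:::scESC:::#:::23::0:
uid:u::::1129334400::0000::Alice Example (constructed) <alice@example.org>::::::::::0:
ssb:u:2048:1:FEDCBA9876543210:1129334400::::::s::::::23:
ssb:u:2048:1:1122334455667788:1129334400::::::e::::::23:
EOF
}
sample_listing_full() {
  # Same listing with the stub marker removed from the sec record.
  sample_listing_stub | sed 's/:#:/::/'
}

if [ "${1-}" = "--run" ]; then
  # Usage: sh travel-keyring.sh --run KEYID /media/travel
  make_travel_keyring "$2" "$3" && echo "travel keyring OK: primary is a stub"
fi
```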