Security Tutorials

[JohnBobSmith]

Here are my general security tips. These can also apply to other OS'es.

Tip # 1: Use a good firewall.
I can't stress this enough. A firewall is your best line of defence against attackers. While a firewall alone is not enough, it can significantly reduce the risk of being hacked. For Linux, a good firewall is propbably IPtables. For Windows, not too sure. The Windows firewall in itself is probably fine, as it is integrated into the OS. Never used a Mac for home use.

Tip # 2: Lock down your web browser.
This is very important, as it is the most likely point of intrusion, especially in a Linux system (since the rest of the OS is mostly secure). We all hear about Javascript exploits, or worse happening through a web browser. People can spy on you through the web browser too, through tracking cookies and other crapware. No OS is immune to browser exploits. The best things to do are the following:
-Install AdBlockPlus, or your preferred ad blocker. Make sure you configure it to not block ads on legitimate websites (like these forums) so as to support the website. What the ad blocker does is prevent advertisers (to some degree) from learning about your browsing habbits. It also removes the anoyances of ad's everywhere. A good ad blocker should also be able to prevent ad's from inserting malicious cookies into one's system. I will have to see if adBlockPlus has this feature.
-Install NoScript, or disable javascript all together. What noScript can do is prevent websites from running malicious scripts (javascript exploits mostly) hence hardening the web browser. For the best protection, one can simply disable javascript. To do this in firefox, type about:config in the URL bar. READ THE WARNING CAREFULLY. You could seriously mess up your web browser if you aren't careful. Now search for javascript.enabled of type boolean, and set it to false. This is a browser-wide configuration. Some websites may no longer work properly. All in all, noScript should be enough. But theres how to disable javscript completely, for the paranoid user.
-Set your firefox privacy settings acording to how private you want your web browsing to be. Always use private browsing, disabling cookies on a per-site basis, and many other settings can be found here. Play with them to suite your needs.
-Keep your web browser up to date. This is also very important. Since security fixes are released constantly, you too should be upgrading the browser constantly.
-Disable things like Flash and QuickTime. These are known to be vulnerable, and if you dont use them, disable them. I personaly am not that paranoid, so I dont worry about this too much.

All in all, avoid suspicious websites. Do not look at piracy, hacking, or other related illegal sites. Avoiding the dangers is much easier than cleaning up the mess after someone has hacked your system.

Tip #3: Keep your entire system up to date.
-This means upgrading your OS after it become unsupported. Or use an LTS release. Also, you should install most of what the update manager says to install. Levels 1-3 packages should always be installed. Levels 4-5 packages are to be installed at your own risk, as they are known to cause system instability. Keeping the whole system up to date prevents a known exploit in older software from, well, being exploited on your system.

Tip #4: Prevention is the best medecine.
-As mentioned in tip 2, preventing the attack is better than cleaning up after an attack has happened. One of the easiest ways to prevent yourself from being attacked is to keep a low pofile online, so to speak. This means do not have 10 email accounts, do not register for every single website you visit, etc. Remove old, unused accounts so that they cant be linked to you. One should also avoid illegal websites, like hacking and piracy. Use common sense when web browsing. Then again, common sense is not all that common...

Tip #5: Educate yourself
-You don't need to have a degree in network administration to know the basics of how a network works and what you can do to prevent yourself from becoming a victim. Educating yourself is easy. There are literally thousands of resources online. I'm curious to know how many people know what the Tor project is, what phishing is, or what a DDoS attack really does. Google all 3 if you dont know what they are. They are quite common and important! If you can outsmart an attacker, then they won't be able to pick on you. Its that simple. If you know how to harden your system, you are doing everything within your power to keep your important data safe.

Thats about it. Let me know what you guys think of my top 5 tips!

[patrice4419]

Don't disagree with the sentiments but perhaps a bit more of an explanation? Disabling javascript will also mean you won't be able to see most websites using it and that's a lot! If you are paranoid (like myself) you will agree a firewall is a must. Just so happens Linux Mint comes with UFW. It is already loaded but in its most basic format. Iptables are a hell of lot more difficult to set up properly. UFW and its GUI GUFW are somewhat easier by far and just as effective. There already are lots on this forum about setting it up. I use RKhunter (rootkit hunter) which shows if someone or someones are tampering with your set-up. Downloadable from the Software Manager or from the website for the latest stable issue. Relatively easy to set-up but you will be required to use the Terminal to operate it (not difficult). There is good advice as to how and what. A nice program for the ultra-paranoid - Tripwire, another IDS (intrusion detection system). Also available for Mint via the Software manager.
I have to say also that most I know use Firefox with the various security add-ons. You did not mention Ghostery - an add-on that allows one to block trackers, beacons and other stupid items placed on web-pages by companies (Yes, Facebook included) who want to know what you are doing and looking at. Frankly, there is no such thing as a safe browser, they all have their problems.
As time goes by, Linux too will become more liable to attacks. Those that pontificate about its super safety are simply deluded. As soon as anyone joins the web, basically you are putting up a flag stating - Yoohoo, here I am. Now, you are most probably quite safe, why? Because most of us are just not interesting enough and if using the aforementioned safety measures just a bit too difficult to bother with (for now!)
Stay vigilant and as said - don't surf willy-nilly trying to look for the end of the rainbow, there's no pot of gold.

Cheers

[RenatoZX5]

Best Linux Security is Using Peer Guardian & Use Firefox With Add-ons:
NoScript
https://addons.mozilla.org/en-US/firefo ... b-dl-users
Web of Trust, WOT
https://addons.mozilla.org/en-US/firefo ... b-dl-users
HTTPS Everywhere
https://addons.mozilla.org/en-US/firefo ... re/?src=ss
-----------------------------------------------------------------------
This Is how To Install Peer Guardian:
(copy & Paste Each Command At the terminal And press Enter)
sudo add-apt-repository ppa:jre-phoenix/ppa
gpg --keyserver keyserver.ubuntu.com --recv-keys C0145138
gpg --export --armor C0145138 | sudo apt-key add -
sudo apt-get update
sudo apt-get install pgld pglcmd pglgui

I Can Make a Video Tutorial How to Use It.
------------------------------------------------------------------------
I Made a Video Tutorial Using Linux Mint 17.3 Cinnamon & You Can SEE All In Action !
https://www.youtube.com/watch?v=W8T8X2zQ98s
------------------------------------------------------------------------------------
I Can Make a How To Video If requested !

[mike acker]

I'll 2d the motion for a Security Section

as we are all well aware electronic fraud is a huge problem

most of it originates from two basic shortcommings:

• too many good people using insecure operating software
• a general reliance on PII as a means of authenticating transactions

a secure o/s is one which will not allow itself to be compromised by the activity of an application program and which protects one application from snooping on another,-- think containers here -- like FIREJAIL;

"PII" -- personally identifyable information -- includes our common identification data: name, address, date of birth, soc.sec.nr, mother's maiden name, driver lic nr, -- &c . alll of these data are compromised and easilly available to attackers . none of these data are capable of authenticating a document as they do not become invalid when affixed to a forgery

general use of public key encryption seems to be the best option today although there is a serious obstacle to get around : getting everyone a key that can be lawfully recognized -- and not tampered with -- and usable for just about any transmittal .

the solution -- I think -- is to develop a "KEK" -- key encryption key device. this would hold the customers GnuPG system -- including keyrings. it would need to be authenticated -- at local facilities that are already involved in verifying IDs -- Credit Unions, DMV, County Clerks, Notaries, ...

the KEK would need to be a separate dedicated device so that updates cold be strictly controlled . perhaps a "security enclave" chip could be used in a SmartPhone -- . i notice AAPL has been thinking along this same line , ....

[mike acker]

Ever since Phil Zimmerman got in trouble with the Feds I've admired his PGP program,-- mainly for his beautiful handling of the keys which make it work.

"PGP" -- is a commercial implementation of Public Key Encryption;
GnuPG -- is the Gnu Privacy Guard -- an open-source implementation of Public Key Encryption;
( these should be inter-operable)

The important thing to recognize about Public Key Encryption is that it provides not only encryption but also authentication and integrity.

• Authentication provides the user the ability to be confident that a document really is from the person who says they sent it;
• Integrity provides the user the ability to be confident that a document has not been altered in transit -- either by error or by intent;
• Encryption provides the user the ability to be confident that the content of a document has not been disclosed in-transit to un-authorized parties -- either by error or by intent;

If you reflect on electronic fraud you realize that much fraud is managed by scamsters who pretend to be someone they are not. Examples of this include phishing e/mails -- that often transmit virus programs; tax fraud -- tax returns submitted by scamsters stealing billions; credit card fraud; Domain Name (DNS) Servers;

Today's computer crooks are like yesterday's train robbers: they study the flow of information looking for a weak spot -- where they can attack. One of their favorite points for attack was the Domain Name (DNS) Server. When you enter a URL ( such as https://forums.linuxmint.com/ ) into your web browser your DNS will look up the address of the server (computer) you want to connect to. if the computer crook can alter the look-up table in the DNS he can send you wherever he wants when you try to come here. this was possible -- and a lot of hacks made advantage of this -- because the DNS servers did not validate updates: they did not make sure updates were from authorized sources. And so the computer crooks -- "hackers" were able to send people down the wrong track -- onto a web page loaded with virus programs. And many good people didn't recognize they were being hijacked -- because the forgery website would have been made to look exactly like the proper one. HTTPS -- based on SSL or TLS and x.509 certificates has been developed in an effort to help people recognize good and bad web sites -- and this helps -- but has been less effective than we would want as x.509 certificates are simply broadcast by the Web Browser OEM's (Mozilla, Google, MSFT, AAPL...) . Most of us have no way of knowing which of our x.509 certificates are valid -- because we have never been asked to validate them. Too many computer users don't even know what an x.509 certificate is -- or where they come from -- let alone which ones they need to validate.

What happens if you are trying to log onto your credit union account and the computer crook sends you to a site under his control ? You'll have a MESS on your hands.

"phishing" has also been a favorite attack vector for computer crooks. In a "phishing" attack the crook typically sends you an e/mail that may look like it is from your boss, business partner, bank, -- even the IRS -- asking you to logon someplace and take certain actions. And the link provided leads straight to disaster. And most of this is made easy for the crooks because our computer systems don't help us validate who we are communicating with -- rather the opposite: they tend to facilitate impersonation and forgery -- the favorite tactics of the crooks.

Suggested Reading:
Why OpenPGP’s PKI is better than an X.509 PKI (Philip Zimmermann 27 Feb 2001)

Linux distributions may include a version of Public Key Encryption known as the Gnu Privacy Guard (GnuPG). To check for this open a terminal and issue the version command:

Code: Select all

gpg2 --version

you should get a response like this

Code: Select all

$ gpg2 --version
gpg (GnuPG) 2.0.26
libgcrypt 1.6.3
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA, RSA, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Note: Your distribution may not have GnuPG Version 2 installed. If so the system may prompt you to install it:
Like this:

Code: Select all

sudo apt-get install gnupg2

this will work if gnupg2 is in your repository; otherwise you'll need to get a .deb or .rpm download;

Note: "apt-get" will install gpg2 in addition to gpg ( which is version 1; you need both versions )

after you have gpg2 installed there are several very good programs that you can work with while learning "the ropes"

• THUNDERBIRD -- With the ENIGMAIL plug-in addition this e/mail client provides user-friendly dialogs for working with PGP keys and for sending and receiving PGP secured e/mail;
• kpgp -- graphic "front end" which will allow you to work with your PGP keys
• CLAWS -- e/mail client works with GnuPG;
• Evolution -- e/mail client that works with GnuPG;
• Terminal (Command Line) GnuPG User Manual

So,-- this is a start,-- I'll continue work on this. It should give me something to do during the last of the nasty Mushigan Weather. This will be a "getting started" type guide: most of the serious documentation for this stuff is already done,-- people just need to know it exists -- and what to use it for.

[mike acker]

Using PGP -- e/mail -- Sample message

Example: What does PGP mail look like?

In the example Alice has sent an e/mail to Mike, signed and encrypted, using PGP:

this example is from the Thunderbird e/mail client. The message provided indicates:

Code: Select all

Decrypted message
Good signature from alice_lyn (computer tech) <alice_lyn@charter.net>
Key ID: 0xFD1D654C / Signed on: 02/27/2016 08:01 AM

this is a start, -- but -- what do we know about Alice -- and how do we know it ?

understanding the trust model used in PGP -- is the key to understanding how this software is used to authenticate transmittals.

[mike acker]

The topic that I wish to work on here is the PGP Trust Model:

How do we verify and validate the authenticity of PGP Keys?

E/mail -- has traditionally looked a lot like the following:

the problem with this is: Exactly who is Alice -- and why should I think she sent this message ?

in the previous post I showed what a PGP validated message will look like -- once you have completed the various details needed to make the system work. The "deliverables" here are -- authentication, integrity, and security.

• Authentication: we will be confident that we know who Alice is and that she sent us our message;
• Integrity: we will be confident that Alice's message has not been altered in-transit -- either by error or by intent;
• Security: we will be confident that the content of Alice message has not been disclosed -- intransit -- wither by error or by intent;

In order to move from the unsecured e/mail system to the PGP secure mail system we will need to have PGP or GnuPG installed on our client computers, and we will need to use e/mail clients that interface with PGP/GnuPG

I'm not going into the nitty-gritty of the software installs here; we can cover that elsewhere -- if there seems to be interest in this Security stuff;

What we do want to cover here is how the PGP Trust Model is established. That being said, -- we instruct Alice to install GnuPG Version 2 -- and an e/mail client,-- Thunderbird recommended, CLAWS, or Evolution -- alternates .

[mike acker]

Alice has complied with our request, and responds as follows:

In Thunderbird, when a key is attached -- you can just right-click it -- and T-Bird will offer to import it for you,--

There are other ways to do this: it can be done at the command line, or using the graphic interface to GnuPG -- KGpg

So far-- so good.

But: at this point, we have NOT established who Alice is. For that reason, her key is NOT VALID

In Thunderbird, from the Enigmail/Key Management dialog, select Alice' key, and display the PROPERTIES:

Her key is NOT VALID. This means we have not checked to be sure this key belongs to the person we expect it should;
Her key is NOT TRUSTED. This means we do not trust Alice to VALIDATE other keys

We better get Alice on the phone or meet her for Lunch;

[mike acker]

we call Alice but the call goes into Voice Mail and we know she doesn't do well with that
so, -- we send her a lunch date invite via an e/mail

Remember: at this point in our process we have not validated Alice' key --
we have e/mail with her -- that we think is properly connected --
but -- as we are all too well aware -- e/mail can be "spoofed" -- i.e. e/mail messages can be forged --
and made to look like they are from a legitimate source. this helps to enable targeted "phishing attacks"

in a targeted attack the scamster prepares an e/mail -- that looks legitimate -- and keys in the FROM address, in order to deceive the recipient.
and then he includes a Trojan Horse Virus

many good people have been "pwned" in this manner,--
F-Secure story on RSA Hack

while we're reflecting on this, Alice accepts our lunch invite

This brings us to the Critical Note: Alice' key is shown as NOT VALID (untrusted) on our computer:
this is because no one has signed her key attesting her identity to be correct

the terms trust and valid are used in a confusing manner not only by the pgp related programs but also in various documentation. The key properties -- shown in the prior post -- show both the Valid and Trust data properly labeled.

we can verify the ID on her key at lunch -- over the phone -- or via a Trusted Introducer and once we have done that -- we can sign her key -- which will make it valid -- and set a Trust Level for her

we'll discuss Trusted Introducers later. Before we get into that we need to understand what it means to VALIDATE Alice' key:
we have to be sure that the key we have for her -- really is -- her key

for that, PGP provides key fingerprints and key IDs. these can be displayed using the Key Management dialog on Thunderbird -- or by using gpg2 at the command line -- or by using the kgpg graphic key manager program .

Thunderbird makes all of this easy however as Alice has already signed her message. This allows Thunderbird to display the Key ID of the key she used:
it is 0xFD1D654C .

we make a note of this, and go to lunch!

[mike acker]

at lunch Alice has her key id written on the back of an envelop

on returning to the office we pull up Alice' message and check the Key ID:
( We could also display her key using the key manager dialog)

the Key ID she gave us matches her message so we will go ahead and sign her key:

Click on the DETAILS and the dialog opens

and we can sign Alice' Key:

if we re-display the properties of Alice' key at this point it will appears as follows:

[mike acker]

Notice that the key validity is shown as trusted -- this because we signed her key --

the Owner Trust -- remains UNDEFINED : we have not supplied a value

remember: VALID is YES|NO -- we either are or are not -- satisfied that we know who the owner of the key is -- in this case -- the owner of the key is Alice

now: do we trust Alice?

as author of this sequence -- I do, and will mark her accordingly -- using the Key Management Dialog

her key is now reported as follows:

the "Owner Trust" tells GnuPG whether I am willing to let Alice validate other keys for me --
there are various settings from Untrusted, to Marginal, then Fully Trusted. You assign Ultimate trust only to yourself.

It should be obvious that I cannot set Owner Trust -- until after I have established that I actually have Alice' key --

Sequence 1 Final Remarks

at this point we have established the GnuPG key so that we can have secure communication with Alice

Remember,-- we enjoy 3 security benefits from PGP / GnuPG e/mail:

• Authentication -- we can be sure we are talking to Alice;
• Integrity -- we can be sure Alice' messages have not been altered in-transit, either by error or by intent;
• Security -- we can be sure the content of Alice' message have not been disclosed in-transit, either by error, or by intent;

this is end-to-end security: the messages cannot be decrypted in-transit -- at one of the servers in the e/mail infrastructure.

it is critical to maintain physical security for end-point computers: ours, and hers.

In the next sequence we will explore additional uses for the GnuPG software, particularly how it may be used to protect documents.

the e/mail system is an excellent starting place; what you learn about keys and trust models will help in dealing with security for files, as well.

the IRS has recently admitting to losing tax information on some 700,000 tax payers. if we were using PGP to submit our tax reports -- it wouldn't matter that the crooks have our PII: they couldn't submit a forged 1040.

Think: Secure Computing in a Compromised Environment

the environment is already hopelessly compromised. the question which we need to answer is: what will we do about it ? just pay the bums? that will get expensive.

[mike acker]

More information

here are some links to GnuPG and original PGP Documentation

First: these are links to Phil Zimmerman's Original Documentation:

The Original documentation is some of the best ever written

Original Phil Zimmerman User Guide Vol.1 Essential Topics

Original Phil Zimmerman User Guide Vol.2 Speciall Topics

Next: links to Gnu Privacy Guard (GnuPG)

GnuPG Manuals

GnuPG Privacy Handbook

Be sure you have at least GnuPG version 2 installed -- Version 2.1 will include Eliptic Curve keys

be sure to vist the following: it is very insightful on Public Key Cryptography

A (relatively easy to understand) primer on elliptic curve cryptography

[Georgia boy]

Mike.
You keep mentioning to make sure when download that you get version gpg2. What if you already have TB fixed up in another distro with gpg/engimail?
For instance I already do. Did in with Debian awhile back in testing. It's 1.4.20. All setup already. Now I'm going to be doing this setup in Mint. Will there be any conflicts when I setup the keys etc? I'll be doing an import of keys.In fact already exported to the documents here on Debian. Will be sending to Mint and then using for import when I setup there. Any issues? Any big differences between the two?
Is there a newer version or is 2 the latest?

Never mind. I just redid the code and do show latest as 2.1.11. Was doing something else and came up with the other. Think might had been just gpg --version instead. Yep. That was it. So, as to what I really have installed.

[Georgia boy]

Too bad we can't use Linux to file the tax forms.
But can see the point of the security bit. Got to get Mint's side fixed up also. What about Gmail? I've heard various stories on this and Gmail. Some say you can and others says you can't.

[mike acker]

Too bad we can't use Linux to file the tax forms.
But can see the point of the security bit. Got to get Mint's side fixed up also. What about Gmail? I've heard various stories on this and Gmail. Some say you can and others says you can't.

you might read the threads on eMail clients --
viewtopic.php?f=58&t=217557

I'm going to discuss file handling here,-- hopefully during the next week -- and then 3d party introducers

the issue with putting GnuPG inservice for IRS Forms is not easy,-- participants will need access to the GnuPG software -- or the openPGP equivalent -- or the commercial Symantec PGP/Desktop --

for taxes this could be incorporated in the install process for Turbotax, HR Block, TaxAct ---

the hard part is getting folks' keys registered and authenticated -- and -- getting the IRS on board

we'll go through this with the files examples shortly

stopping computer fraud has to start when you press the power switch: you must have a secure operating system. a secure operating system will not allow itself to be compromised by the activity of an application program -- nor will it allow one application to steal data from another

for today: Turbotax installed successfully in my Virtualbox guest Windows 8.1 system; and my brother reports he was able to run the HR Block package using WINE.

[Georgia boy]

Too bad we can't use Linux to file the tax forms.
But can see the point of the security bit. Got to get Mint's side fixed up also. What about Gmail? I've heard various stories on this and Gmail. Some say you can and others says you can't.

you might read the threads on eMail clients --
viewtopic.php?f=58&t=217557

I'm going to discuss file handling here,-- hopefully during the next week -- and then 3d party introducers

the issue with putting GnuPG inservice for IRS Forms is not easy,-- participants will need access to the GnuPG software -- or the openPGP equivalent -- or the commercial Symantec PGP/Desktop --

for taxes this could be incorporated in the install process for Turbotax, HR Block, TaxAct ---

the hard part is getting folks' keys registered and authenticated -- and -- getting the IRS on board

we'll go through this with the files examples shortly

stopping computer fraud has to start when you press the power switch: you must have a secure operating system. a secure operating system will not allow itself to be compromised by the activity of an application program -- nor will it allow one application to steal data from another

for today: Turbotax installed successfully in my Virtualbox guest Windows 8.1 system; and my brother reports he was able to run the HR Block package using WINE.

Neat. I'd have to get a Windows .ISO for putting in VB. But was wondering about the programs for taxes and approval before. Ones I've seen a few years ago were for European countries at the time. Don't even remember where I had seen them at now. Has been way too long.

At moment setting up what I have on the Eginmail bit for both systems. Both are installed. Doing the trusts etc now.

[mike acker]

{ snip }

Neat. I'd have to get a Windows .ISO for putting in VB. But was wondering about the programs for taxes and approval before. Ones I've seen a few years ago were for European countries at the time. Don't even remember where I had seen them at now. Has been way too long.

At moment setting up what I have on the Eginmail bit for both systems. Both are installed. Doing the trusts etc now.

remember:

a key is VALID -- when you decide you are sure you know who owns it;

a key is TRUSTED -- if you trust that other person to validate keys ...

understanding these two definitions is the key to understanding the trust model

in the first example -- presented earlier -- we VALIDATED Alice' key -- by meeting her for lunch. that's fine for people you can meet for lunch -- but in many cases -- in today's network environment -- you need a better system

this is where we'll talk about introducers -- and finish by discussing problems in the x.509 / PKI systems .

[mike acker]

Important reading this morning :

KeRanger (Ransomware) attacks Apple Mac OS

EXCERPT

Hackers infected Macs through a tainted copy of a popular program known as Transmission, which is used to transfer data through the BitTorrent peer-to-peer file sharing network, Palo Alto said on a blog posted on Sunday afternoon.

When users downloaded version 2.90 of Transmission, which was released on Friday, their Macs were infected with the ransomware, the blog said.

from the article it appears adequate respons is being made by AAPL and Transmission

nonetheless this is an important read. the discussion centers around introducing un-authorized programming ( aka "malware" or "computer virus" ) -- via the software supply chain

Transmission responded by removing the malicious version of its software from its website (http://www.transmissionbt.com). On Sunday it released a version that its website said automatically removes the ransomware from infected Macs.

The website advised Transmission users to immediately install the new update, version 2.92, if they suspected they might be infected.

N.B. it is entirely possible the un-authorized program, "KeRanger", was introduce via a software library and then linked into the production build of the application

remember: Zero Defects is something we DO not something we get: compilers and libraries -- need PGP signatures too!

remember: and x.509 certificate is just a bunch of fluff used to carry a PGP public key ...

[mike acker]

Using Public Key Cryptography to Protect Files

in many cases we will have files that require authentication. an obvious example is your IRS Forms 1040 Tax Returns. Scammers file forgeries of tax forms every year and rip us all off for billions -- as well as causing a lot of grief for honest taxpayers .

here's how to use GPG to AUTHENTICATE a file ( remember the file could be a .zip or .tar )

First, we need an example file. anything will do, how about this ( my favorite test.txt )

Code: Select all

this has been a test
had it been an actual alert you would not have received this message
luck for you it was only a test
next time
next time it could be the Big Bad Wolf
will you be ready
lets hope so

I may wish to AUTHENTICATE the file -- prove that it's mine -- while I may have no desire to encrypt it. in this case I can use a detached signature -- i.e. a PGP signature provided as additional information for the file

to do this I use GPG as follows:

Code: Select all

 $ gpg2 --local-user "Mike Acker" --armor --detach-sign test.txt

You need a passphrase to unlock the secret key for
user: "Mike Acker <mike_acker@charter.net>"
4096-bit RSA key, ID 4DEA0DAD, created 2015-09-02

remember: the complete guide to GPG is online: GPG Guide

the signature file looks like this:

Code: Select all

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAABCAAGBQJW3XsmAAoJEPbpQbFN6g2t0ZcP/iyw96XftuwpkIerbWqolhOJ
l2a1WVoSMt3Oik5F/LAltFco1h3hdhB8rvAKECSGDrvCEFY5WUMsGY4rZnAHpmzD
nOMYkW1nMJM4/E1cUIoXqhirvLRxlltFTAe6uCrMyw4Ty/XOGSduSjrRNw1/MXWe
uKK+oWTjHRRIF2q8bTXO3MrLG+d0f+HvIqOMYcC10iMpvT3JMKOaFHt3MRS13UOP
37G9zYE8f3HFZsKRISPeAY82JvVgYmUeJGAY6B9D+12JoneL8+ylbZPqxx2J/YgN
PkB7m/Ba92ISM9pm7qqItMc23MijmfMQtp6Tsj+MIRVdCa/LqWcgTnZVM6UaovYN
syCZ9o4g72fW5YpWmTIW/4OM7SPbWcls9BWUxKnMkCfttSFDAN6jeZybpDoaY3x9
SV8thbLDl3E/5tUXdJM4Dekv5BzFTpcoiljPB6TdWtDZswhB97bKgTExM2YO3i8B
yIp69StEEOAOuzEMHIk7oAFWxhMpYo5a5uY2xadGVyiNFC6fZIhGyFIzh1e1Egk0
N+3COCpvbOkRD4WbhcIoFFB4oMMCt7q/af42aAtacdTi2SJEr2g3I/CMqbKB9k9h
PW+rDgmNQ7o+90bQrvAHksSqvWoZMaYd7huO4MTepGi51MKlYwNF4WfgODWJ+eQU
X6ZpaCv24huWqOx2fQEz
=BN/r
-----END PGP SIGNATURE-----

when I produced the signature I used the --armor option . this causes the signature to be produced as 7-bit ASCII using only printable characters. this make the file easier to handle in programs that might not handle 8-bit characters that are used for control purposes. generally you should use the --armor option for pgp encrypted files and/or signatures .

here's the code to verify the signature:

Code: Select all

$ gpg2 --verify test.txt.asc test.txt
gpg: Signature made Mon 07 Mar 2016 07:59:18 AM EST using RSA key ID 4DEA0DAD
gpg: Good signature from "Mike Acker <mike_acker@charter.net>" [ultimate]

we are dealing with the AUTHENTICATION issue here: As long as we have VALIDATED Mike Acker's key we are now satisfied that:

• this file is from Mike Acker
• this file is as Mike sent it: it has not been altered in transit

If I were to change one tiny little bit in the file: the signature will not verify
Example: here: I'll alter the file, slightly:

Code: Select all

this has been a test
had it been an actual alert you would not have received this message
luck for you it was only a test
next time
next time it could be the Big Bad Wolf
will you be ready
let's hope so

can you spot the change ?

and now:

Code: Select all

$ gpg2 --verify test.txt.asc test.txt
gpg: Signature made Mon 07 Mar 2016 07:59:18 AM EST using RSA key ID 4DEA0DAD
gpg: BAD signature from "Mike Acker <mike_acker@charter.net>" [ultimate]

in this example I've been using a detached signature. the reason for this is that in many cases you may need to pack a whole bunch of stuff together -- a tax return, for example -- may include lots of documents. and so these would all be packed together and then .zipped or .tarred -- and then you can just sign the tar-ball and send the stuff along. Actual PGP distributions come this way: all the PGP material is zipped up and then that zip is signed; after that the .zip and the signature are zipped into a single file for transmission.

dealing with AUTHENTICATION may seme like Extra Trouble but it's TRIVIAL compared to cleaning up the mess that will result from skipping around this issue .

[mike acker]

3d Party Introducers

how can we validate keys without person-to-person contact? how can the IRS validate a tax-payer's key ?

for background on this we turn again to Whitfield Diffies comments as reported on Ars Technica recently

The problem was vast, Diffie explained—nothing less than how to keep things private in a networked world. He recalled a conversation with his wife in 1973, sitting on a New Jersey park bench. "I told her that we were headed into a world where people would have important, intimate, long-term relationships with people they had never met face to face," he said. "I was worried about privacy in that world, and that's why I was working on cryptography."

At that time, the only encryption happened within "closed systems." IBM could encrypt information within its own company's networks, and Texas Instruments could encrypt on theirs. But some kind of courier would have to carry encryption "keys" to both companies before they could do so.

That was the "key distribution" problem Diffie strove to solve. "It's arranging to provide keys to two people who have never met before, who suddenly find themselves with a need to communicate," he explained. "This is much the way we visit websites these days."

The examples we have worked thus far may help to shine some light on the issue Mr. Diffie was commenting on. He was right on target -- and -- as the industry has not made proper advantage of his thinking we see computer fraud and abuse today that makes advantage of impersonation -- the scamsters ability to impersonate someone he is not -- and to manipulate good people into making serious errors.

they will continue to do this until they are blocked.

in our next series we will examine how 3d party introductions work.

for this series "Alice" will be the Administrative Assistant in the Branch Office and Tom Beasley will be the new employee.

as you recall, we met Alice for lunch and VALIDATED her key by signing it.

remember the key status: VALID|NOT-VALID -- is calculated by PGP using their database. Since I signed Alice' key with my key -- which has ULTIMATE trust -- Alice key then becomes VALID. This means: I have satisfied myself that I have a correct copy of Alice' key.

Trust is another matter. I have to SET the trust level on her key -- to indicate whether or not I trust her to validate other keys.

in this example I have set Alice' key to FULL trust, -- after all, she's the Administrative Assistant at the branch office and has not mis-spelled a word or made a typo for over 2 years...

Code: Select all

$ gpg2 --list-key alice
pub   2048R/FD1D654C 2016-02-27 [expires: 2019-02-26]
uid       [  full  ] alice_lyn (computer tech) <alice_lyn@charter.net>
sub   2048R/7FEF91F6 2016-02-27 [expires: 2019-02-26]