My blog aches, and a dull heavy wail
My sense, as though in idiots I now drown,
Or some nether sewage from beyond the vale,
One minute passes and another sinks down

Tis not through envy of thy happy blog
But being too removed from my page
That thou, foul-mouthed asshats,
   in some frenzied, incomprehensible plot
Of viagra cheap and refinance now,
Buries the truth ‘neath idle chats

O for a draught of clarity! that hath been
Cool’d a long age in deep-delved site,
Tasting of brilliance and insights-rare,
Wit and humor and secrets revealed,
Come to me, Akismet! saviour reputed,
Lash the hideous and lance the obese,
fat with useless words

One click! A promise delivered,
One click, a spectre dismissed,
Here, where men sit and happiness unknown,
Akismet delivers and finds its home.

I’ve long sung the praises of PGP for secure email and data storage.

The question is: how do I send secure email from a computer where I can’t install any programs?

The answer: PGP on a USB drive!*

The method below will allow you to use all of the GnuPG functions without installing anything on the host computer. In fact, apart from the file accesses themselves, it leaves no trace that GnuPG was in use.


Ingredients:

- empty, formatted USB drive >128MB – the faster, the better!

- GnuPG 1.4.9 Windows binary – http://www.gnupg.org/download/

- GPGShell 3.73 – http://www.jumaros.de/rsoft/index.html

- Copy2USB 1.05 – http://www.jumaros.de/rsoft/download/Copy2Usb.exe.gpg

- FireFox Portable – http://portableapps.com/apps/internet/firefox_portable

- FireGPG – http://getfiregpg.org/s/home (after FireFox Portable installed)

- SHA1sum – ftp://ftp.gnupg.org/GnuPG/binary/


Directions:

0) Use SHA1sum to check the integrity of the files you downloaded.

1) Install GPGShell on your computer. Install GnuPG in the GPGShell directory. This does not give the cleanest installation but makes everything much easier.

2) Use GnuPG (or some other PGP program) to extract Copy2USB. (Hint: use the decrypt function.)

3) Run Copy2USB. It should be fairly self explanatory. The target directory is a folder on the USB drive.

4) Test the install! Try opening GPGtray and accessing the key manager. If successful, go to a command line and check the version with “gpg --version”. If the home directory points at C:\Documents and Settings\… then you will need to reset the home folder. This can be done from the gpgconfig program.

Note: Use a fast USB drive. Otherwise, it will seem as if the very paws of Slowcat himself are haplessly fumbling with your instructions.

5) Install FirefoxPortable on the USB drive. Set it up however you like.

6) Install FireGPG as an extension. It may complain about an old library, I haven’t found a way to solve that. However, everything seems to work out fine in the end.

6a) Disable the Gmail integration. At the very least, test it before you rely on it. It doesn’t seem to work properly.

6b) Set the paths. Specify the path to the GPG executable. Add a command line option to set the home directory to the proper place on the USB drive. %CD%\..\.. will help here to start the path in your current directory and then go up a couple of levels. Not particularly elegant, but it works!

7) Test integration with FirefoxPortable. Start GPGTray and create a new keypair. Make the passphrase STRONG! A sentence that is easy for you to remember and difficult for someone to guess is ideal. Throw in some l33t or dirty words. Close the key manager and open the key manager from within FireGPG. If you can see the key, you’ve done things correctly!


Use: Gmail Example

0) Create a new keypair called “Test”. Set the passphrase to something very simple.

1) Open FirefoxPortable. Login to your Gmail account and type a message into the body of the email.

2) Select the entire plaintext message and right click. Choose FireGPG->Encrypt and Sign. In this example, you will encrypt the message with Test’s public key and sign with your private key. You will be asked to enter your passphrase for the private key.

3) Paste the entire PGP message block including headers into the body of the email. You will want to either paste over or delete the plaintext. Send the email to yourself.

4) To decrypt the ciphertext you just sent to yourself, select the ciphertext and right click. Choose FireGPG->Decrypt. You will then be asked to enter the passphrase for the Test private key. If successful, a new window should open up revealing the original message you typed.


Key Points:

1) To Send: Encrypt with the recipient’s public key. Sign with your private key using your passphrase.

2) To Read: Decrypt with your private key using your passphrase.

Of course, you cannot encrypt a message if you don’t know a person’s public key. To find someone’s public key, you can either have them give it to you (via email, paper, telepathy, etc.) or you can search for it on a keyserver like cryptonomicon.mit.edu.
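The same send/read cycle as a script, added here as an example and not taken from the original post or from GPGShell/FireGPG: it points GnuPG at a directory you control (the role the USB folder plays above), generates the sender and the weak “Test” keypair, encrypts-and-signs, then decrypts. It assumes GnuPG 2.1 or later on the PATH; the user ids, passphrases and message are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): portable GnuPG workflow that
# mirrors the USB-drive setup. Assumes GnuPG 2.1+ on PATH. User ids,
# passphrases and the message are constructed for this demo.

# Non-interactive GnuPG: passphrase comes from the command line instead of a
# pinentry dialog (fine for a throwaway demo key, not for your real keys).
gpg_batch() { gpg --batch --yes --quiet --pinentry-mode loopback "$@"; }

# Step 4 of the setup: make GnuPG use a directory we choose (stands in for
# the folder on the USB drive) so keyrings, trust db and agent socket live
# there rather than under C:\Documents and Settings\... or ~/.gnupg.
use_portable_home() {  # $1 = directory
  GNUPGHOME="$1"; export GNUPGHOME
  mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
}

make_key() {  # $1 = user id, $2 = passphrase
  gpg_batch --passphrase "$2" --quick-generate-key "$1" default default never
}

# Key Point 1 (send): encrypt to the recipient's public key, sign with the
# sender's private key. Output is an armored block you can paste into mail.
# --trust-model always skips the trust check; in real use verify fingerprints.
send_message() {  # $1 = sender uid, $2 = sender passphrase, $3 = recipient uid; stdin = plaintext
  gpg_batch --passphrase "$2" --trust-model always --armor \
            --local-user "$1" --recipient "$3" --sign --encrypt
}

# Key Point 2 (read): decrypt with the recipient's private key. Signature
# verdicts (GOODSIG/BADSIG lines) go to stderr via --status-fd; plaintext to stdout.
read_message() {  # $1 = recipient passphrase; stdin = armored message
  gpg_batch --passphrase "$1" --status-fd 2 --decrypt
}

# End-to-end run of the Gmail example in a fresh portable home; prints the
# recovered plaintext and leaves no agent running afterwards.
pgp_roundtrip() {
  use_portable_home "$(mktemp -d)"
  me='You <you@example.invalid>'; test_uid='Test <test@example.invalid>'
  make_key "$me" 'a long sentence only I would think of'
  make_key "$test_uid" 'simple'                  # the deliberately weak "Test" key
  armored=$(printf 'Meet at the usual place, 9pm.' \
            | send_message "$me" 'a long sentence only I would think of' "$test_uid")
  printf '%s\n' "$armored" | read_message 'simple'
  gpgconf --kill gpg-agent 2>/dev/null || true
}

if [ "${1:-}" = demo ]; then pgp_roundtrip; fi
```

Run it as `sh portable_gpg.sh demo`; the GOODSIG line on stderr is the equivalent of FireGPG confirming the signature.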



I’ve been holding off any “oh no, the swine flu is going to get us all. run for your lives.” type posts. Not that any kind of influenza is a joke. If I recall correctly, influenza as a whole regularly kills some 150,000 people in a normal year.

However, just because I’m not very concerned doesn’t mean that others aren’t. Given the popular media’s fear-mongering to which many have succumbed, I would not be surprised to see serious disruptions in otherwise robust systems.

From an IT perspective, I urge people to consider how they will keep their systems running in the event of widespread absenteeism. If you already have a business continuity plan, good for you. If not, now is the time to quickly get one together. Copy from your neighbor if that’s what it takes.

Map out your critical goals for the time period you anticipate experiencing abnormal behavior. Everything on this list takes top priority. For example:
1) Maintain service on all mission-critical systems
2) Continue to monitor and respond to security events
3) Continue regular patch testing and implementation cycle
4) Contain any spread of potential infection internally
5) Identify and maintain contact with chain of command for executive decisions and alternates in chain

Then, identify what activities/resources will be necessary in order to accomplish those goals. For example:
1) Require at least two admins on call with remote access capability at all times. Require at least one security admin on call.
2) Enable remote monitoring on mission-critical systems
3) Confirm hot standbys functional. Consider upgrading warm or cold standbys
4) Bring up out-of-band communications channels (IRC, Jabber, etc.)
5) Produce and circulate copies of critical daily reports on out-of-band channels
6) Enforce policies restricting employees with high fever from the office
7) Agree upon and establish secondary command chains in case primary is unreachable

Finally, educate everyone on the plan and test it! It’s generally accepted that reduced service levels will result from activation of any contingency plan. The idea is that you will be able to set that service level ahead of time.

Ask your vendors about their business continuity plans and share yours with them.

There may or may not be a pandemic but that doesn’t mean there won’t be overreactions. Control variability now while it’s still easy to do so.



Huzzah! We have successfully returned from four harrowing and fantastic days in the Chisos Mountains. Adventures sprung forth from behind every rock and bush.

A full story will be posted soon but for now, a quick backpacking quiz:

Q: How much water do you need?

A: More than you have! Especially if your hydration system separates in two on the first day!

Q: How close can you get to a 2000′ drop without realizing it?

A: About 3 inches!

Q: Which animal is the most dangerous: Packs of Vicious and Bloodthirsty Mule Deer, Desert Fox(en), El Stupidos, Hungry Hungry Javelinas, or Big Black Bears?

A: Actually, it’s a trick question. It’s javelinas wearing deer suits!

The advice you hear is good:

1) Use strong passwords/passphrases for every account. (Strong = mix of letters, numbers, cases and special characters.)

2) Use different passwords for every account.

3) Never write down your password. Ever.

4) Never tell anyone your password. Ever.

The results are bad. All of this quickly adds up to dozens of accounts you have no idea how to get back into two weeks later. So how is any mortal man or woman supposed to follow these security best practices without looking like a doofus and constantly popping “Login attempts exceeded” screens?

There is a certain art to creating memorable passwords. I recommend two methods:

Look at the Titlebar Method: Create a password that uses some parts of the website name or function. For example, an eBay password could be {B1dd1ng0n-Junk-} or {L0s1ng@uct10nzzz}. A combination of l33t, poor spelling and your own personal touch can help greatly while staring at the eBay login page. Incidentally, you may want to read up on game theory, and especially The Winner’s Curse. If you absolutely must have that priceless doodad, you can just look up at the titlebar and remember why you’re there.

Almost the Same Method: Say you are an auction fiend with accounts on eBay, uBid and auction.com. Your passwords could be {J0n3s1n’3B@y}, {J0n3s1n’uB1d} and {J0n3s1n’@uct10n.c0m}. Now this does present one problem. If the username and password to one account are compromised, it would not take a great stretch of imagination to figure out the other ones.

When composing a password, remember your friends: complexity and length. This may seem imposing at first. It is certainly more challenging than {password123}, but the learning curve is not too bad. For example, my facebook password is more than 10 characters long and I can bang it out in about a second and a half consistently. I am also notorious for not checking my fb, so it can’t take that much practice. Good luck! (and with strong passwords, you won’t need nearly as much of it!)

—> Please take this survey! <—

(Thanks to everybody who has already completed the survey! Great results so far!)

This 2-3 minute survey on internet usage will greatly help a technology startup company in the Austin area.

First, you will have a big thanks from me. More importantly, your responses will help guide the efforts of this company as they work to get to market!

p.s. My next post (already written) will lead the responses too much so I’m holding it until I collect the data. Sorry for the wait!

And I will post fresh content…soon.

In the meantime, I’m taking suggestions for what you would like to see. Drop me an email and let me know!

A hint: I am working on a pretty exciting project that could very well turn into a viable business. Hopes are high. Funds are low. :)

If anyone knows some good developers for enterprise level business software looking to work with a startup, send them my way!
