Category Archives: Security

One step forward, two steps back

According to the powers that be, end-to-end encryption as we know it might be one of those things, like the prosperity of the 1990s, that we can only reminisce about in the near future. Now, as always, the most secure way to transmit messages over a secure channel (i.e. any sort of online service, even one which implements end-to-end encryption) is to handle encryption yourself. For those of you that use Mac OS X, there’s not a better, simpler way to do it than NouveauPG.

NouveauPG is a mature product that has been out for many years and is compatible with virtually all other PGP software on the market. The one caveat (and I cannot stress this enough): you cannot import private keys from another PGP program. There are really good reasons for doing so; not to get technical, but PGP has been around since 1993. I’m not even young and I was in grade school back then. AES, the gold standard for symmetric encryption, was not even invented back then! The patent for RSA didn’t expire until 1991. Most existing implementations are still coded under the assumption that memory is far, far more expensive than it is now.

I’m planning a promotion in honor of the current attention given to crypto (I remember this came up in the Bill Clinton administration!). Stay tuned!

GPG Suite security even worse than imagined

Apparently there are security issues with GPGSuite beyond keeping track of users’ IP addresses with an auto-updater.

The leading OpenPGP client for Mac OS X has recently pushed a security update due to a bug that allows a local user to execute shell commands with root privileges. As if that weren’t enough, by default GPG Suite regularly contacts gpgtools.org to check for updates. So not only does gpgtools.org keep tabs on the IP addresses you use without explicitly getting permission, a carrier or state-level entity could easily compile a list of GPG Suite users by monitoring requests to the gpgtools.org upgrade server (here and here). It doesn’t matter that they are using SSL/TLS, because the private information is your IP address. Think about it: after a few months, your upstream carrier (or whoever has access to their logs) could compile a list of every IP address that users of GPG Suite use. My opinion of GPG Suite users notwithstanding, I am sure they have more interesting data stored on their computers than the average person.

NouveauPG is sandboxed, so it is entitled only to access files selected by the user using the system open and save dialog box. Absolutely no network access allowed. (The only autoupdate mechanism is through the App Store version, which is the same one used for OS X autoupdate. There is no way for a third party other than Apple to know exactly what is being updated, and tracking IPs to the Apple update servers will only give you a list of Macintosh users.)

Activity monitor showing all the unsandboxed processes from a GPG Suite installation.

Activity monitor showing the single sandboxed process for NouveauPG.
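An added example, not code from the original post or from either project: a Python check that an app's code-signing entitlements match the profile described above (App Sandbox on, no network entitlements, file access only through user-selected open/save panels). The entitlement keys are Apple's documented App Sandbox keys; the function name and the sample entitlement sets are constructed for illustration.

```python
import plistlib

# Apple's documented App Sandbox entitlement keys.
SANDBOX = "com.apple.security.app-sandbox"
NETWORK = ("com.apple.security.network.client",
           "com.apple.security.network.server")
USER_SELECTED = ("com.apple.security.files.user-selected.read-only",
                 "com.apple.security.files.user-selected.read-write")
# Key prefixes that grant file access outside the open/save panels.
WIDER_PREFIXES = ("com.apple.security.files.",
                  "com.apple.security.temporary-exception.")


def audit_entitlements(plist_bytes):
    """Return findings; an empty list means 'sandboxed, user-selected
    files only, no network'. Hypothetical helper for this example."""
    if not plist_bytes.strip():
        ent = {}  # unsigned or unsandboxed binaries carry no entitlements
    else:
        try:
            ent = plistlib.loads(plist_bytes)
        except Exception:
            return ["entitlements are not a valid plist"]
        if not isinstance(ent, dict):
            return ["entitlements are not a valid plist"]
    findings = []
    if ent.get(SANDBOX) is not True:
        findings.append("app sandbox not enabled")
    for key in NETWORK:
        if ent.get(key) is True:
            findings.append(f"network entitlement granted: {key}")
    for key in sorted(ent):
        if (key.startswith(WIDER_PREFIXES) and key not in USER_SELECTED
                and ent[key]):
            findings.append(f"file entitlement other than user-selected: {key}")
    return findings


# Constructed sample entitlement sets (not taken from any real app).
SAMPLE_SANDBOXED = plistlib.dumps({SANDBOX: True, USER_SELECTED[1]: True})
SAMPLE_NETWORKED = plistlib.dumps({
    SANDBOX: True, NETWORK[0]: True,
    "com.apple.security.files.downloads.read-write": True})
SAMPLE_UNSANDBOXED = b""

if __name__ == "__main__":
    for name, blob in [("sandboxed", SAMPLE_SANDBOXED),
                       ("networked", SAMPLE_NETWORKED),
                       ("unsandboxed", SAMPLE_UNSANDBOXED)]:
        print(name, audit_entitlements(blob) or "OK")
```

On a real system the input would be the entitlements plist that `codesign -d --entitlements` prints for the app bundle.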