11
Condor
5y

I've finally found a goldmine of accurate job listings that don't include Windows shit-administration... So I'm thinking of sending out applications to all of them. Problem is, as you might recall from my previous rants, I had a flash drive with my GPG keypair on it stolen from me. I still haven't fully replaced the key (I made another one and published it but I'm not using it yet), and because I'm fairly confident that this flash drive's data has never been used (so likely just plugged into Windows and formatted), it's unlikely that I'm gonna bother rotating all of the contents that were on that flash drive.

That said however, my emails now all have signatures underneath them as follows:
Met vriendelijke groet / Best regards,
[my name]

- My outbound email is usually signed with my private key. If not, please don't hesitate to ask me about it through a different communication platform.

IMPORTANT: My keys have possibly been compromised. An encrypted flash drive on which this GPG keypair was stored has been stolen from me. I'm in the process of phasing out and replacing this key. Please do not use it to encrypt any emails to me anymore.

Not entirely sure whether I should remove or keep that last bit. As a potential employer, would you see this as a red flag (he's got encrypted data stolen from him, wtf that's incompetent), or as a nice thing to know that it was properly disclosed (so no secrecy around potential data breaches)? Both seem equally likely so I'm a bit confused about what I should do.

Comments
  • 4
    It's not exactly a hack per se so I doubt any employer would care if that happened. I doubt the job includes being held at gunpoint and forced to give out the gpg keys.
  • 6
    That's a tough question. Personally, I'd rather hear a harsh truth than a nice lie, but both views have pros and cons.
  • 3
    I think full transparency is a good thing in general. Shit happens and you're responding accordingly.
  • 6
    IMO it's TMI. And not that useful.
    If I got my hands on someone's PGP keys and had to imitate that person, I surely would not add a sig "this email is signed with a stolen PGP key". I'll send an email with your usual sig or no sig at all.

    The recipient, unless you email him as well w/ your verbose sig, will never know I was sending on your behalf.

    I don't see a point in that additional part of the sig.

    As for managers' PoV - I don't think I'd care about it. Things get stolen, it happens. It tells me nothing about your personality/skills.
  • 5
    If you care about "face" change your message to 'Since [date] I have updated my GPG keypairs. Please do not use older public keys to encrypt emails sent to me.'.
    Why is this smart? Because it shows that:
    1. You update your keys (often considered best practice).
    2. You can keep that message. It reports your last update.
    3. It does not show any sign of "weakness". Yes, the reason you updated your keys is because they're compromised but you are not required to say that.
  • 0
    Also something like this https://n-o-d-e.shop/collections/... or a micro sd card mounted on the back of a watch might be worth looking into
  • 2
    @fuck2code The flash drive was one that I carried around on my keychain. The incident during which this happened was a drunk fight in which I had that flash drive taken from my keychain along with some other stuff. So for that kind of thing that wouldn't help. A micro SD card that's hidden away might be useful though.. I'll look into it.

    Currently I'm also considering making my next LUKS encrypted flash drive with a key instead of a password, so that I can leave the keyfile at home. This way stronger authentication could be achieved, and it'd allow me to have the flash drive stolen while remaining confident that it's unlikely that it'll ever be cracked.
  • 5
    @Condor drunk fight? Then you definitely do not want an employer to ask questions about the incident.
  • 0
    @Pickman 🤔 now that you mention it.. good point.
  • 1
    @Pickman I was about to say something similar to yours 🍻

    Most likely that last part of the mail won’t come up in the interviews, but it might still affect their last decision. Even worse is that if it comes up you’ll have to disclose the whole story behind it, and talking about a drunk bar fight in an interview does not make a good first impression. In any case I wouldn’t mention it.

    Also, good luck!