Search - "gpg"
-
Crap.. got myself into a fight with someone in a bar.
Hospitalized, turns out that my knee is bruised and my nose is broken. For some reason the knee hurts much more than the nose though.. very weird.
Just noticed that some fucker there stole my keychain USB stick too. Couldn't care less about the USB stick itself, got tons of those at home and hard drive storage even more so (10TB) but the data on it was invaluable. It held, on a LUKS-encrypted partition, my GPG keys, revocation certificates, server backups and everything. My entire digital identity pretty much.
I'm afraid that the thief might try to crack it. On the flip side, if it's just a common Windows user, plugging it in will prompt him to format it.. hopefully he'll do that.
What do you think.. take a leap with fate and see how strong LUKS really is or revoke all my keys and assume my servers' filesystems to be in the hands of some random person that I don't know?
Seriously though.. stealing a fucking flash drive, of what size.. 32GB? What the fuck is wrong with people?
-
Them: "Could you send the password in an encrypted mail?"
Me: "Yea sure, what's your GPG public key?"
Them: "What's that? Can't you just encrypt it?"
Me: "Nvm, do you have Signal?"
-
Will do a much-security.nl post with answering sent-in questions this weekend.
Please send them to concerns@much-security.nl 😊
Public GPG key can be found at either:
https://much-security.nl/concerns.a... or https://much-security.nl/concerns.h...
Oh and threats (including death threats) aren't much appreciated. They don't really keep me awake at night but if you're one of the people sending them, it's not much fun 😬)
-
I have a confession to make....
I just started to use git two days ago.
But at least I GPG sign my commits
-
.. for the first time I permanently lost access to one of my GPG keys that were actually in use. No revocation certificates, nothing in the keychains on any of my hosts... Keychain flash drive that got stolen had a copy of both, my fileserver used to have a copy of that flash drive until I deleted it to make room for a filesystem migration, and my laptop used to have one.. until I decommissioned it and shredded its hard drive to be deployed somewhere else...
fuck
I can't sign my git commits anymore, and I can't revoke the key either.
(╯°□°)╯︵ ┻━┻
-
Debian 9.3's gpg issue is driving me crazy! I can't install anything outside of the default apt repos no matter what I try.
No matter what, apt always does the exact same thing. It adds the repo; then finds, imports, and processes the key; and finally fails with "gpg: no valid OpenPGP data found."
I've spent hours looking this up and trying to fix it.
Just. ARGH!
☹
-
Alright, i'm fucking done.
Fedora: Packages are self-referential, using the system is like sprinting through a fucking minefield.
Linux Mint: "lol just don't update packages on the repo because shit can't break if it never updates! Don't add custom repos either or we'll just fucking break your PC."
Debian Raw: "We have all of 5 packages on our repos and GPG is fucking broken so you can't add more repos."
Arch: "Have fun modifying the boot disk for 30 hours so it'll boot, and let's tack on another 30 to make it install properly."
Gentoo: "LOL what is swap. Let's just pipe garbage into this partition as fast as the disk will let us for literally no reason. I'm sure you can still use the system for all of 30 minutes, at which point your SSD will give out. No big deal..."
when did Linux go to shit?
Windows isn't any better without billions of tweaks and then a build upgrade (in that specific order) to make it run properly.
Nor is OSX, as it runs on the model of "lol gotta hack your own PC to run custom unapproved binaries!"
Fuck it.
I'm installing DOS.
-
Internal mail from CIO's office:
"Thank you for being part of the internal trial for NPMe, we have decided to remove this tool in favour of Artifactory because of its support for multiple platforms and tools. We are sorry for the inconvenience, here is a link to migration scripts ..."
Migration "script" readme, please clone this repo, create file A, and B, and install these 2 dependencies.
Dependency 1:
- "install via homebrew ..."
- .... homebrew needs to update, checking for updates
- 10 mins later = Update failed, please upgrade to Ruby version 2.3
- Installs ruby version manager
- GPG signature verification failed
- Install GPG v2 + accept keys
- Install ruby version manager
- "please execute this command before running rvm"
- execute command
- "rvm install ruby-2.3"
- Install failed, please see log file
- Opens log file
- "Xcode on its own is not sufficient, please install xcode cli tools"
- Install xcode tools
- 5 minutes later -> "rvm install ruby-2.3"
- 10 minutes later "brew install jq"
Ok back to read me, "login to Artifactory, go here and copy paste XXX."
- Login to Artifactory
- Eventually find repo
- Login again to actually see credentials for some reason
- Screen doesn't match instructions in readme
- Click around
- Back to readme
- Back to artifactory
- Login again
- Execute command auth / setup command
- Copy contents to npmrc file .... now all my scoped packages are going to point to 1 specific repo
Fuck the migration, Fuck these shitty instructions, I'll set them all up again manually. See tags below for further opinions on this matter.
Tags: fuck ruby, fuck homebrew, fuck this, fuck shitty cli, fuck artifactory, fuck cli, fuck jq, fuck rvm
-
I seriously thought I was losing my mind this morning.
Loaded up my IDE and got to work.
Needed to find something in the project, so I hit the keyboard shortcut to find all usages in the project path.
The dialog pops up, but my selection is replaced with a long hex string. I thought it was weird, but I just installed the latest update of my IDE so I thought I'd found a regression. I grabbed the hex string and went over to Google to see if anything useful popped up.
The first result is the reddit post for my keybase key.
Wait. The "random" hex string was the fingerprint for my keybase public key? I double-checked to make sure that keybase wasn't running and I didn't have anything weird hanging out on my clipboard. Nothing amiss, but I still got my key whenever I searched for something.
This is the point where my brain got a little melty. I started running weird conspiracy theories in my head. My ever-helpful coworkers could only suggest to "stop using a Mac".
I saw that the app menu got highlighted when I opened the dialog, so I opened the menu and looked at the Services. Lo and behold, the GPG Suite update I installed recently very "helpfully" added a global shortcut to "Insert My Fingerprint" with the same keyboard shortcut as the IDE action.
-
Well since vim & git have already been said: gpg. You can use it for ssh keys and sign your commits to make sure nothing nasty is added to a git repo under your name
-
Ten ways to fail at public key cryptography, Today:
When encrypting a file for your coworker, encrypt for your own key instead of his/hers
-
techie 1 : hey, can you give me access to X?
techie 2 : the credentials should be in the password manager repository
t1 : oh, but I don't have access to the password manager
t2 : I see your key A1B2C3D4 listed in the recipients of the file
t1 : but I lost that key :(
t2 : okay, give me your new key then.
t1 : I have my personal key uploaded to my server
t1 : can you try fetching it?
t1 : it should work with web key directory ( WKD )
t2 : okay
t2 : no record according to https://keyserver.ubuntu.com
t1 : the keyserver is personal-domain.com
t1 : try this `gpg --no-default-keyring --keyring /tmp/gpg-$$ --auto-key-locate clear,wkd --locate-keys username@personal-domain.com`
t2 : that didn't work. apparently some problem with my dirmgr `Looking for drmgr ...` and it quit
t1 : do you have `dirmngr` installed?
t2 : I have it installed `dirmngr is already the newest version (2.2.27-2)`
t2 : `gpg: waiting for the dirmngr to come up ... (5)` . this is the problem. I guess
t1 : maybe your gpg agent is stuck between states.
t1 : I don't recall the command to restart the GPG agent, but restarting the agent should probably fix it.
t1 : `gpg-connect-agent reloadagent /bye`
source : https://superuser.com/a/1183544
t1 : *uploads ASCII-armored key file*
t1 : but please don't use this permanently; this is a temporary key
t2 : ok
t2 : *uploads signed password file*
t1 : thanks
t2 : cool
*5 minutes later*
t1 : hey, I have forgotten the password to the key I sent you :(
t2 : okay
...
t2 : fall back to SSH public key encryption?
t1 : is that even possible?
t2 : Stack Overflow says it's possible
t1 : * does a web search too *
t1 : source?
t2 : https://superuser.com/questions/...
t2 : let's try it out
t1 : okay
t2 : is this your key? *sends link to gitlab.com/username.keys*
t1 : yes, please use the ED25519 key.
t1 : the second one is my old 4096-bit RSA key...
t1 : which I lost
...
t1 : wait, you can't use the ED25519 key
t2 : why not?
t1 : apparently, ED25519 key is not supported
t1 : I was trying out the steps from the answer and I hit this error :
`do_convert_to_pkcs8: unsupported key type ED25519`
t2 : :facepalm: now what
t1 : :shrug:
...
t1 : *uploads ASCII-armored key file*
t1 : I'm sure of the password for this key
t1 : I use it everyday
t2 : *uploads signed password file*
*1 minute later*
t1 : finally... I have decrypted the file and gotten the password.
t1 : now attempting to login
t1 : I'm in!
...
t2 : I think this should be in an XKCD joke
t2 : Two tech guys sharing password.
t1 : I know a better place for it - devRant.com
t1 : if you haven't been there before; don't go there now.
t1 : go on a Friday evening; by the time you get out of it, it'll be Monday.
t1 : and you'll thank me for a _weekend well spent_
t2 : hehe.. okay.
-
I've finally found a goldmine of accurate job listings that don't include Windows shit-administration... So I'm thinking of sending out applications to all of them. Problem is, as you might recall from my previous rants, I had a flash drive with my GPG keypair on it stolen from me. I still haven't fully replaced the key (I made another one and published it but I'm not using it yet), and because I'm fairly confident that this flash drive's data has never been used (so likely just plugged into Windows and formatted), it's unlikely that I'm gonna bother rotating all of the contents that were on that flash drive.
That said however, my emails now all have signatures underneath them as follows:
Met vriendelijke groet / Best regards,
[my name]
- My outbound email is usually signed with my private key. If not, please don't hesitate to ask me about it through a different communication platform.
IMPORTANT: My keys have possibly been compromised. An encrypted flash drive on which this GPG keypair was stored has been stolen from me. I'm in the process of phasing out and replacing this key. Please do not use it to encrypt any emails to me anymore.
Not entirely sure whether I should remove or keep that last bit. As a potential employer, would you see this as a red flag (he's got encrypted data stolen from him, wtf that's incompetent), or as a nice thing to know that it was properly disclosed (so no secrecy around potential data breaches)? Both seem equally likely so I'm a bit confused about what I should do.
-
What's a good password manager for Linux?
A few (optional) conditions (in order of preference):
1. It's free
2. It supports ssh, gpg, etc.
3. It has a GUI (a nice one with gtk/qt support)
4. It's (properly) secure
5. It has FIDO U2FA support (i.e. supports physical security keys like Yubikey or Solo)
6. It has a browser extension
7. It's compatible/non-conflicting with gnome-keyring
-
Dear debian package maintainers...
If you want me to add your PPA to my list please MAKE SURE IT FUCKING WORKS!
so after 1000 emails from Google baiting me to try Google cloud tools I did. 24 hours later apt-get is dead and I'm trying to remove the shit storm of gpg keys etc it added to my machine. -
I dug up my old ledger web app that I wrote when I was in my late twenties, as I realized with a tight budget toward the end of this year, I need to get a good view of future balances. The data was encrypted in gpg text files, but the site itself was unencrypted, with simple httpasswd auth. I dove into the code this week, and fixed a lot of crap that was all terrible practice, but all I knew when I wrote it in the mid-2000s. I grabbed a letsencrypt cert, and implemented cookies and session handling. I moved from the code opening and parsing a large gpg file to storing and retrieving all the data in a Redis backend, for a massive performance gain. Finally, I switched the UI from white to dark. It looks and works great, and most importantly, I have that future view that I needed.
-
So I got that Samsung DeX thing a while ago. So far, it was just a nice gadget to have at hand, but I didn't get to use it properly since my laptop was always the better option sort of.
Now.
My power adapter for the laptop died last friday. I have a second one at home, but of course, I pack the wrong one for work.
Ended up working the entire day on the DeX. Thankfully, I just needed to do some web and office based stuff, and all the necessary documents are online anyway.
So that thing just saved my butt today, which is nice. Took a while to get used to, but it does its job quite nicely.
To be honest: I am surprised it works the way it does. Oh what a time to be alive...
Now the question is...
Can I get Ubuntu on here somehow? I did find a Tmux? shell and was able to download some ubuntu onto it, but it had gpg issues.
Anyone got more references? Ubuntu on Android 8.1
-
DO NOT EXPORT GPG KEYS _TEMPORARILY_ AND ASSUME THAT THEY'LL BE IN THE ORIGINAL LOCATION AFTER EXPORT!
I learnt this lesson the hard way.
I had to use a GPG key from my personal keyring on a different machine ( that I control ). This was a temporary one-time operation so I thought I might be a smart-ass and do the decryption on the fly.
So, the idiotic me directly piped the output : `gpg --export-secret-key | scp ...`. Very cool ( at the time ). Everything worked as expected. I was happy. I went to bed.
In the morning, I had to use the same key on the original machine for the normal purpose I'd use it for and guess what greeted me? - *No secret key*
*me exclaims* : What the actual f**k?!
More than half a day of researching on the internet and various trials-and-errors ( I didn't even do any work for my employer ), I finally gave up trying to retrieve / recover the lost secret key that was never written to a file.
Well, to be fair, it was imported into a temporary keyring on the second machine, but that was deleted immediately after use. Because I *thought* that the original secret key was still in my original keyring.
More idiotic was the fact that I'd been completely ignorant of the option called `--list-secret-keys` even after using GPG for many years now. My test to confirm whether the key was still in place was `--list-keys` which even now lists the user ID. Alas, now without a secret key to do anything meaningful really.
Here I am, with my face in my hands, shaking my head and almost crying.
-
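The lesson in the post above is that `--list-keys` only proves a public key and its user ID are in the keyring; `--list-secret-keys` is the check that matters before you delete any other copy. As an added example (not code from the post), here is a parser for the machine-readable `--with-colons` form of those listings, written in Python. Both listings embedded in it are constructed sample data with made-up key IDs and fingerprints, and the function names are my own.

```python
"""Is the secret key really in the keyring?

Added example, not code from the devRant post above. It parses the
machine-readable listing that `gpg --list-secret-keys --with-colons`
prints (GnuPG's documented --with-colons field layout) and reports, per
primary-key fingerprint, whether a usable secret key is present, is only
a stub (offline or on a smart card), or is absent. The two listings
below are constructed sample data, not real keys.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed: what `gpg --list-keys --with-colons` shows. Only 'pub'
# records appear, which says nothing about secret material.
PUBLIC_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESC::::::23::0:
fpr:::::::::0000111122223333444455556666777788889999:
uid:u::::1500000000::0000000000000000000000000000000000000000::Example Dev <dev@example.invalid>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1500000000::::::e::::::23:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
"""

# Constructed: `gpg --list-secret-keys --with-colons` for a keyring that
# holds one real secret key and one stub ('#' in field 15 of 'sec').
SECRET_LISTING = """\
sec:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESC:::+:::23::0:
fpr:::::::::0000111122223333444455556666777788889999:
uid:u::::1500000000::0000000000000000000000000000000000000000::Example Dev <dev@example.invalid>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1500000000::::::e:::+:::23:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
sec:u:255:22:1111222233334444:1600000000:::u:::scESC:::#:::ed25519::0:
fpr:::::::::9999888877776666555544443333222211110000:
uid:u::::1600000000::1111111111111111111111111111111111111111::Card Only <card@example.invalid>::::::::::0:
"""


@dataclass
class KeyStatus:
    fingerprint: str
    uids: List[str] = field(default_factory=list)
    secret: str = "missing"  # "present", "stub" or "missing"


def parse_listing(listing: str) -> Dict[str, KeyStatus]:
    """Index a --with-colons listing by primary-key fingerprint.

    Field 1 is the record type. An 'fpr' record follows each primary
    ('pub'/'sec') or subkey ('sub'/'ssb') record and carries the
    fingerprint in field 10. For 'sec' records field 15 is '#' when only
    a stub is held and '+' (or a card serial) when the key is usable.
    """
    keys: Dict[str, KeyStatus] = {}
    awaiting_fpr = None  # status whose primary fingerprint comes next
    current = None       # key that following 'uid' records belong to
    for line in listing.splitlines():
        f = line.split(":")
        kind = f[0]
        if kind in ("pub", "sec"):
            status = KeyStatus(fingerprint="")
            if kind == "sec":
                status.secret = "stub" if len(f) > 14 and f[14] == "#" else "present"
            awaiting_fpr = current = status
        elif kind == "fpr" and awaiting_fpr is not None:
            awaiting_fpr.fingerprint = f[9]
            keys[f[9]] = awaiting_fpr
            awaiting_fpr = None
        elif kind == "uid" and current is not None:
            current.uids.append(f[9])
        elif kind in ("sub", "ssb"):
            awaiting_fpr = None  # subkey fingerprints are not indexed here
    return keys


def secret_key_state(secret_listing: str, fingerprint: str) -> str:
    """'present', 'stub' or 'missing' for the given primary fingerprint."""
    status = parse_listing(secret_listing).get(fingerprint.upper())
    return status.secret if status else "missing"


def safe_to_remove_other_copies(secret_listing: str, fingerprint: str) -> bool:
    """Only delete a backup once the keyring itself holds the secret key."""
    return secret_key_state(secret_listing, fingerprint) == "present"


if __name__ == "__main__":
    fpr = "0000111122223333444455556666777788889999"
    print("uid listed by --list-keys:", fpr in parse_listing(PUBLIC_LISTING))
    print("secret key state:", secret_key_state(SECRET_LISTING, fpr))
    print("card-only key:", secret_key_state(SECRET_LISTING, "9999888877776666555544443333222211110000"))
    print("unknown key:", secret_key_state(SECRET_LISTING, "F" * 40))
```

Feed it real output with `gpg --list-secret-keys --with-colons` (and `--list-keys --with-colons` for comparison) and gate any `rm` of a backup or temporary keyring on `safe_to_remove_other_copies` returning True; a stub answer means the secret material lives on a card or elsewhere, not in this keyring.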
9000 internet cookie points to whoever figures out this shit:
I'm trying to import a secret gpg key into my keyring.
If I run "gpg2 --import secring.gpg" and manually type each possible password that I can think of, the import fails. So far, nothing unusual.
HOWEVER
If I type the same passwords into a file and run:
echo pwfile.txt | gpg2 --batch --import secring.gpg
IT ACTUALLY FUCKING WORKS
What the fuck??? How can it be that whenever I type the pw manually it fails, but when I import it from a file it works??
And no, it's not typos: I could type those passwords blindfolded from muscle memory alone, and still get them right 99% of the time. And I'm definitely not blindfolded right now.
BUT WAIT, THERE'S MORE!!
Suppose my pwfile.txt looks something like this:
password1
password2
password3
password4
password5
password6
Now, I'm trying to narrow it down and figure out which one is the right password, so I'm gonna split the file in two parts and see which one succeeds. Easy, right?
$ cat pw1.txt
password1
password2
password3
$ cat pw2.txt
password4
password5
password6
$ echo pw1.txt | gpg2 --batch --import secring.gpg
gpg: key 149C7ED3: secret key imported
$ gpg2 --delete-secret-key "149C7ED3"
[confirm deletion]
$ echo pw2.txt | gpg2 --batch --import secring.gpg
gpg: key 149C7ED3: secret key imported
In other words, both files successfully managed to import the secret key, but there are no passwords in common between the two!!
Am I going retarded, or is there something really wrong here? WTF!
-
Cause there's no really safe solution for that right now, finally release my favorite and verifiable secure linux password management tool for the web and as apps for iOS, Android and Windows Phone - including online synchronization, so you can access your passwords anywhere. (Web and Android first, the other platforms later).
At the moment it is still a pure gpg based Linux terminal application.
-
* ml wallpaper site with api (pandora for wallpapers)
* mmorpg like .hack/sao
* vr ai office (vr gear turn head to see screens and understands voice commands)
* gpg version of krypto.io
-
I had to build a few packages today from a git source.
Everything just plain text or shell scripts - so no fancy shit, no buildsystem... Nothing.
I was painfully reminded why I had forgotten a lot about dpkg package builds.
Fun facts:
- seems like impossibro to define an output directory for debuild (../ from source which must be pwd/cwd)
- i used /opt/<vendor_name>... Purging the deb from system deletes opt too, as it is empty
- reprepro (or whateva it is called) fails with an "uncommon GPG error" instead of saying "I don't know which key to use"
- creating rolling release numbers (as the packages won't have a real versioning system...) is fun - when you remember that date isn't sufficient, as the time part is necessary to build multiple packages (versions) per day
Compared to a Gentoo ebuild, this was really rocket science....
Guess as soon as someone does not follow the debian way, he must be shunned and exiled. At least it felt like this ....
But it works now. Woohoo. *cries internally* -
What the fucking shit, Arch. In what universe/reality is a user expected to easily/quickly address GPG/PGP bullshit when they install Arch. It's already hilarious enough as it is for the user to input every single command in order to install the thing. -- That's actually what's great about Arch; you get return and assurance from each command. -- I understood the fact that you need the latest ISO release in order to even install Arch, but now, if you decide to pacstrap linux-hardened, or god forbid, a package that is who knows what, less maintained?... fuck knows what will happen.
The fantastic part, is that you can't do shit when you're in an arch ISO install. All of the simple and possible solutions that involve GPG DBs/keyrings/etc require you to have the all of the shit installed already; which is fucking impossible if the package manager is bitching about keys not being imported. The most fantastic part, is that there is probably some complete bullshit, ultra-exclusive command or simple solution that will fix this crap. - And if you even dare ask the Arch forums, you'll be branded as a "newbie" and sentenced to read the fucking wiki. - ??? -- That's not a fucking good thing. -- The majority of people who are installing Arch right now, are people who are installing it for the first time, and chances are, most of those people have no fucking clue what is happening; they're learning what is happening. Furthermore, they're probably the kind of people who aren't inclined (or they don't know how) to scour Google or the Arch forums for answers to vague, lazy-ass error messages. The whole point of this thing is show and confront the user about what they're installing and what they want on their computer. Holy shit. This is all the more reason to ensure that total, stupid, ambiguous bullshit errors do not occur. -- "error: key "dogshit master <dogshitmaster@dogshit.org>?" could not could not be imported". -- That's it. That's the error in it's entirety. For a fucking OS install. What the fuck.
-
I just stumbled across this post about signed-only mails: https://k9mail.github.io/2016/11/... (TL;DR: Signed-only mails are not worth it).
So far, I've been signing all my mails (as not that many people I know use OpenPGP, so I'm far from encrypting everything). I've got a few replies like “I can't open that attachment” and “What is that .asc file?” but I have seen it as doing my part in motivating more people to use encrypted mail with little effort.
I DDW for a bit but couldn't find any other comments on the usefulness of signed-only mail per se. Consequently, I'd like to ask you: How do you use OpenPGP?
-
Yesterday and today combined I spent about 8 hours trying to get my PGP / GPG passphrase to work. Absolutely magically, somehow a newline character had gotten into the passphrase. Yes. That's possible. On macOS, that is.
On my Windows machine I have the same fucking private key protected with the same password. Now try and get a non-windows newline character into any Windows password field, be it a command line or some GUI input. WTF! You'll lose a year of your life with every passphrase error while you have the actual passphrase.
So after all these hours trying to hack my own GPG keystore without success, I remembered how the private key got on my Windows machine in the first place: see tags.
-
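The failure mode in the post above, a newline that rode along inside the passphrase, is one of a family of invisible differences (trailing CR/LF, control characters, non-breaking spaces, and macOS-style decomposed accents versus the precomposed form other systems produce) that make a passphrase that looks right fail key derivation. As an added example, not code from the post, this Python diagnoses the raw bytes a passphrase was read with and lists the byte forms worth retrying. The function names are mine and the sample inputs are constructed.

```python
"""Explain why a passphrase that 'looks right' is rejected.

Added example, not from the devRant post above. It inspects the raw bytes
a passphrase was read with and reports invisible differences: a trailing
newline/CR, other control characters, non-breaking spaces, stray leading
or trailing spaces, and Unicode normalisation (NFD vs NFC) differences,
which change the bytes and therefore the derived key. Inputs are
constructed; no real passphrase appears here.
"""
import unicodedata
from typing import List


def diagnose_passphrase(raw: bytes) -> List[str]:
    """Return human-readable findings about hidden problems in `raw`."""
    findings: List[str] = []
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return ["not valid UTF-8: read with a different encoding than it was set with"]
    if text.endswith("\r\n"):
        findings.append("trailing CRLF")
    elif text.endswith("\n"):
        findings.append("trailing LF")
    elif text.endswith("\r"):
        findings.append("trailing CR")
    body = text.rstrip("\r\n")
    # Cc = control, Cf = format (e.g. zero-width characters)
    ctrl = sorted({f"U+{ord(c):04X}" for c in body
                   if unicodedata.category(c) in ("Cc", "Cf")})
    if ctrl:
        findings.append("control characters: " + ", ".join(ctrl))
    if "\u00a0" in body:
        findings.append("non-breaking space (U+00A0) instead of a normal space")
    if body != body.strip(" "):
        findings.append("leading or trailing space")
    if unicodedata.normalize("NFC", body) != body:
        findings.append("not NFC-normalised (decomposed accents, e.g. from macOS input)")
    return findings


def normalised_candidates(raw: bytes) -> List[bytes]:
    """Distinct byte forms to retry, in order: as given, newline-stripped,
    NFC, NFD. The caller feeds each to its own GnuPG with e.g.
    --passphrase-fd until one unlocks the key."""
    text = raw.decode("utf-8")
    stripped = text.rstrip("\r\n")
    forms = [text, stripped,
             unicodedata.normalize("NFC", stripped),
             unicodedata.normalize("NFD", stripped)]
    out: List[bytes] = []
    for form in forms:
        b = form.encode("utf-8")
        if b not in out:
            out.append(b)
    return out


if __name__ == "__main__":
    # Constructed samples: a passphrase with a stray newline, and one
    # typed with a decomposed accent.
    for sample in (b"correct horse battery\n", "caf\u00e9".encode(), "cafe\u0301".encode()):
        print(sample, "->", diagnose_passphrase(sample) or ["no hidden problems"])
        print("  candidates:", normalised_candidates(sample))
```

Read the passphrase with something that gives you the raw bytes (a file opened in binary mode, or `sys.stdin.buffer`) rather than a `str` that has already been stripped or re-encoded; the whole point is to see what GnuPG saw. When a candidate works, store that exact form and change the passphrase to one without the hidden character so the problem does not come back on the next machine.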
I use cloud storage as one of my 3 backups for my gpg master key only protected by the password cause I don't want to have to restore from paper if hell freezes over.
-
That moment when you install a new GPG public key at a client's request...
Then they complain that they can't decrypt files generated three days ago with the key they provided us today. -
Question about GPG:
So I understood the concept and successfully applied it to my Gitlab, but how helpful is it?
From what I understood it helps detecting which commits are from verified authors and which are from just someone who has access?
I'd appreciate if someone explains more on how helpful it is :)
-
Thought I would help the webdev find a memory leak so step one build a developer version of chromium. Problem one ncurses and libtinfo 😅 got to love the split! Problem two gpg keys on old ncurses compat libs 😅. Linux is not for the faint-hearted 😎
-
Anybody that uses GPG for email encryption might want to read this:
https://lists.gnupg.org/pipermail/...
This sheds a bit more light on what's actually going on.
TLDR:
It's not really GPG that's affected but the E-mail client plugins.
-
I fucking hate installing shit on Ubuntu via APT when it's not provided by Ubuntu itself. ONE HUNDRED PERCENT OF TIME this will create problems with outdated keys or whatever. Then, to solve the problems of software that was supposed to be transparent, I have to go learn about layers upon layers of its inner workings and waste my fucking time. I suppose this is the Linux experience in general. But I don't want to know about GPG whatever whatever because there's no need for me to learn it outside of solving this stupid-ass fucking problem. I don't want to learn that sources.list.d is a fucking directory. I never EVER want to touch any kind of keys or whatever shit, I just want to follow some instructions and fucking install software in a simple way. curl whatever | sh it is, I don't fucking care.
All I want is to develop software, not dive into problems with my operating system because it decided to shit the bed.
-
Is there a way to recover a deleted GPG key on GitHub? My old key expired, I generated a new one and delete the old one. Now, all my old commits are unverified.
-
"We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4"
https://twitter.com/seecurity/...
Let's see how this unfolds. While there is chaos I drink some tea and laugh, because I never send critical information over e-mail. 🧐🍵
-
so, I've been using funtoo for quite a while as my personal os. Work still insists on using mint. so I wanted to try out the ecc gpg keys, which requires gpg version 2.1. Have it installed on funtoo with a few commands :)
I thought I was up for the challenge... compiling gnupg from source...
let's just say that after hours of struggling with the dependencies and totally breaking basically everything, I am now happily using version 2.1 on mint 18 -
!rant
Someone posted a link to a 30-day-security-challenge here on devRant some time ago and I just thought well, why not try to migrate away from the big companies - I've been using OneDrive as my only cloud storage since the time when it was called SkyDrive and I've been hosting my emails at outlook (via Live Custom Domains, a service that does not even exist anymore) for about 8 years now. Since I've always been lazy and since exchange activesync is a great feature if you have multiple calendars and want to sync them and your contacts to several devices I never tried to switch but now I am half done with migrating my data to my own nextcloud installation and my emails to my own mail server - since I don't want to lose the exchange functionality I am also setting up Z-Push and oh boy, this thing is bitching around but my webmail is already nicely integrated into nextcloud, IMAP / SMTP is up, configured and secured (still have to mess around with spamassassin as this email address is floating around the web for about 10 years now). The only things to do is to get Z-Push work with STARTTLS and the card/caldav backend running and then the basic setup should be done.
I am just wondering if someone could hand me over a guide on how to sign / encrypt emails (GPG?) -
OpenPGP or GPG?
++ first comment for OpenPGP, second for GPG (shameless ++ farming as well)
Post relevant fingerprints in comments if desired <3
-
I'm planning to do an app with some personal data for a small community (Verein). I want to save the data somehow encrypted so not all people can just access them. There will be just 4 persons who need to access this data. I'm thinking about PGP/GPG, with encrypting the data for these 4 people with their different keys, but I am not sure about that. So every person would have its own keypair. This is just the first idea. So if you have any hints/links on some ideas/blog posts how to do this or do it another way, I'd be glad about a comment. Thanks ;)
Tech stack: I'm planning to create a Webapp, using Python and Flask...
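The idea in the question above, one keypair per member and the data encrypted to all four, is exactly what GnuPG's multi-recipient encryption does: the file's session key is wrapped once per recipient public key, and any one of them can decrypt. As an added example, not code from the post or from any project, here is the non-Flask part in Python: it builds and runs the `gpg` command, insisting on full 40-digit fingerprints rather than names, e-mail addresses or short key IDs. It assumes `gpg` is installed and the members' public keys are imported; the fingerprints are constructed placeholders and the function names are mine.

```python
"""Encrypt a record to a fixed group of members with GnuPG.

Added example, not from the devRant post above. It shells out to the
`gpg` binary with one --recipient per member. The Flask layer is
omitted; call encrypt_for_members() from the view that stores a record.
The four fingerprints are constructed placeholders, not real keys.
"""
import re
import subprocess
from typing import List, Sequence

# Constructed placeholder fingerprints for the four members.
MEMBER_FINGERPRINTS = [
    "0000111122223333444455556666777788889999",
    "1111222233334444555566667777888899990000",
    "2222333344445555666677778888999900001111",
    "3333444455556666777788889999000011112222",
]

# A full OpenPGP v4 fingerprint: 40 hex digits.
_FULL_FPR = re.compile(r"^[0-9A-Fa-f]{40}$")


def gpg_encrypt_argv(recipients: Sequence[str], input_path: str,
                     output_path: str) -> List[str]:
    """Build the gpg command line for a multi-recipient encryption.

    Recipients must be full fingerprints: short key IDs can be collided,
    and a name or e-mail may match more than one key in the keyring, so
    neither is a safe way to say who may read the data. Duplicates are
    dropped so a member is never listed twice.
    """
    seen: List[str] = []
    for fpr in recipients:
        if not _FULL_FPR.match(fpr):
            raise ValueError(f"not a full fingerprint: {fpr!r}")
        if fpr.upper() not in seen:
            seen.append(fpr.upper())
    if not seen:
        raise ValueError("at least one recipient is required")
    # --batch/--yes keep gpg non-interactive; --armor gives text output
    # that is easy to store in a database column or a text file.
    argv = ["gpg", "--batch", "--yes", "--armor", "--output", output_path]
    for fpr in seen:
        argv += ["--recipient", fpr]
    argv += ["--encrypt", input_path]
    return argv


def encrypt_for_members(input_path: str, output_path: str,
                        recipients: Sequence[str] = MEMBER_FINGERPRINTS) -> None:
    """Run gpg. Raises CalledProcessError if a key is missing or untrusted,
    rather than silently encrypting to fewer people than intended."""
    subprocess.run(gpg_encrypt_argv(recipients, input_path, output_path),
                   check=True)


if __name__ == "__main__":
    print(" ".join(gpg_encrypt_argv(MEMBER_FINGERPRINTS,
                                    "member.json", "member.json.asc")))
```

In batch mode gpg refuses recipients whose keys are not trusted; verify each member's fingerprint out of band and mark the key with `gpg --lsign-key <fingerprint>` instead of passing `--trust-model always`, which would silently accept any key with that user ID. Also plan for membership changes: removing a member means re-encrypting every existing file, because the old copies still carry a session key wrapped for that person.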