System Overlord

A blog about security engineering, research, and general hacking.

ALF 2008: SSH & GPG (Part 1: OpenSSH)

Yesterday I gave a talk at Atlanta Linux Fest 2008 on SSH and GPG.  I quickly received requests to post notes from my talk, so I'm going to try to write it up here.  If I miss anything, I'll try to keep it updated.

Slides are available here: SSH & GPG. They don't show everything, as a lot of it was demo and Q&A, documented below.

This is Part 1 of a two-part series.  I got far more questions about the OpenSSH content, so I'll be focusing on that here.  I'll add GnuPG content shortly, time permitting.


Mozilla Firefox EULA

There's been a lot of talk lately about Mozilla asking that Ubuntu display the Firefox EULA to protect their trademarks.

Mark Shuttleworth, the founder of Ubuntu, wrote:

Mozilla Corp asked that this be added in order for us to continue to call the browser Firefox. Since Firefox is their trademark, which we intend to respect, we have the choice of working with Mozilla to meet their requirements, or switching to an unbranded browser. [...]

I think it's perfectly reasonable for Mozilla to have requirements and guidelines for the use of their trademark [...] That said, I would not consider an EULA as a best practice. It's unfortunate that Mozilla feels this is absolutely necessary, but they do, and none of us are in a position to be experts about the legal constraints which Mozilla feels apply to them.[...]

Please feel free to make constructive suggestions as to how we can meet Mozilla's requirements while improving the user experience. It's not constructive to say "WTF?", nor is it constructive to rant and rave in allcaps. Your software freedoms are built on legal grounds, as are Mozilla's rights in the Firefox trademark. To act as though your rights are being infringed misses the point of free software by a mile.

I have to completely agree with this.  The reaction of the community is, in some cases, completely irrational.  People 'threaten' to fork Ubuntu if this EULA is displayed; people state they have to use another distribution because Ubuntu is not listening, etc., etc.  What people somehow don't get is that it's NOT Ubuntu's choice: they can either ship FF with the EULA popup or remove all branding and ship it under another name (à la Iceweasel), which would probably be a slight burden to Ubuntu adoption.  (People migrating from Windows would have no idea what Iceweasel is.) I do think it's somewhat shortsighted of Mozilla to feel that an EULA is necessary to call the browser 'Firefox', but that's the route they've chosen.  If you don't like the EULA, you can choose to install the 'abrowser' package or another browser.

Unfortunately for me, I don't see a lot of choice but to use Firefox or abrowser: I regularly use a half-dozen extensions (Ubiquity, NoScript, Adblock Plus, Web Developer Toolbar, UnMHT, etc.), and I don't know of any other browser with that sort of flexibility.  Midori, the alternative browser in GNOME in Intrepid, seems to have a seriously hard time rendering some pages, and I haven't even thought about trying Flash in it.

It also makes me begin to think about alternative e-mail clients.  Can anyone recommend a client that supports GPG signing/encryption, multiple address books, and can import from Thunderbird?  It would also need to support something similar to Thunderbird's identities, as I use multiple e-mail addresses associated with a single account (as well as multiple accounts).

I'm a complete fan of open source, but I also realize that Mozilla has to protect its brand.  Mozilla is a business that has funded a great deal of Open Source Development, and that wouldn't have been possible without the partnership with Google and other aspects of the Firefox brand.  Software companies have to generate a stream of revenue somehow, and I think the people who are using the Launchpad bug as a forum are missing that.


SSH and GPG

This weekend I'm going to be presenting a demo on SSH/GPG (i.e., cryptography and secure communications on Linux) at the Atlanta Linux Festival.  Some of the things I intend to cover include:

  • Basic SSH usage
  • Public key authentication
  • SSH tunneling
  • SSH SOCKS emulation
  • GPG key generation
  • GPG signing and encryption (command-line)
  • Thunderbird integration (Enigmail)

If anyone has any input on additional points to be covered or anything of that nature, please drop me a comment here or send me an email at david -at- webgroup -dot- org.


Cross-Platform Photo Tagger

I'm apparently looking for the impossible.  I want a cross-platform photo manager/tagger that can support concurrent access to a network share.

Here's the backstory:
My girlfriend and I occasionally travel and we take a LOT of pictures.  (Hey, digital cameras make it so easy, right?)  In the 4 years we've been together, I would say we have ca. 10,000 images.  And they're all sitting on a shared drive off my desktop.  They're in directories on a per-trip basis, but not really organized beyond that, so finding a photo involves scrolling through thumbnails: sometimes as many as 1000.  What I'd like to be able to do is access this share and tag the photos and be able to search through the tags.  Seems relatively straightforward, but since my girlfriend uses Windows, it needs to be cross-platform.  And I'd like it if it was (semi) stable if both of us access it at the same time.  I don't need photo editing, though I'd like to be able to directly open a local photo editor for cropping/other work.

Anyone know of something that meets these requirements?  If nothing can be found, I may end up implementing something in, say, Python, but I don't like to reinvent the wheel.


What Civil Liberties do we have left?

I know my blog is long overdue for an update, so this issue really got me started again.

After the Senate's complete ignorance of anything remotely resembling the American Constitution, they voted 69-28 to grant telecom companies immunity for their role in illegal and unethical wiretaps.  Looks like it's now okay to monitor communications without a proper warrant.  (The lack of warrant, admittedly, has more to do with the USA PATRIOT Act than the FISA amendment.)

Sen. Obama, the presumed Democratic nominee for President, voted for the amendment.  Looks like his campaign speeches about civil liberties in this country don't extend quite so far as the Senate floor.  Perhaps he thought that he would be labeled as un-patriotic for supporting the Constitution.  In any case, I had been prepared to support Sen. Obama; however, his vote on this issue and changes in his speeches since Sen. Clinton dropped out of the race have made me significantly question that.  Maybe he'd like to use the Constitution for White House toilet paper, if he makes it there.

Also notable is that Sen. McCain couldn't even be bothered to vote.  I guess he had better things to do, like the never-ending presidential campaign.  Or, perhaps, it just escaped his elderly mind, as things like the Bill of Rights and your job as a United States Senator tend to do once you reach his age.

In any case, it's a shame that there's no Presidential candidate who wants to support the people.  Instead, we will continue to have a country driven by a fear of 3rd-world people hiding in caves and remote villages in the Middle East.