Hi all,
Recently Andrew generously donated an older Android phone he had to me to use for work. I decided not to root it (at least until I have a better phone), since rooting phones, or upgrading them, has usually led to bricks (for me personally). However, I did decide to make its use as much liberty software (open source) as possible.

F-Droid

To begin, you don't need to sign up for a Google account. Instead you can download F-Droid (freedom-droid): https://f-droid.org/

One of the issues with living in this modern world of super exploiters like Mr. Robot (indeed a large amount of hacking nowadays is done by robots systematically exploiting vulnerabilities) is that we need to have a lot of long passwords. Unfortunately many people do not follow the best practice guidelines; as Elliot (the protagonist in Mr. Robot) aptly noted, "he's too old to have a complicated password".

Passwords

Ha ha ha, well, or so I thought. "A look at the password habits of Americans showed that about 30% have used a pet's name, almost 25% have used a family member's name, 21% a birthday, and 10% each have used an anniversary, a sports team, an address, or a phone number." <http://www.huffingtonpost.com/entry/58360acee4b050dfe6187992?timestamp=1479937849453> If those are all different people then 85%+ of people have weak passwords :-O (horror stricken face)!

Personally I knew I should have a random password from the very beginning (when I was a Windows user), though I didn't know about pwgen, so I just mashed the keyboard a few times and picked some sequences. At that point I had two passwords, one 6 characters and one 8 characters, which I considered my "strong" password. For years I got by with those two. Though at some point I did give a shadow hash to a friendly exploiter; he told me that his 90's hardware cracked it in less than a week. I didn't think much of it and kept going. But a couple of years back, I got an unsettling message in my email account.
"Someone attempted to log in to your account from Brazil, and they were using your password". Uh oh! To me that was a wake up call. Recently a bunch of other people got other password wake up calls: "Google may have detected government-backed attackers trying to steal your password."
http://www.ibtimes.co.uk/google-sends-state-sponsored-hack-warnings-numerous-journalists-professors-1593172
https://twitter.com/juliaioffe/status/801435745760186368

Of course, what requires government-backed attackers now is going to need a lot less backing in the near future as computing speed goes up, and the number of devices does as well. IoT herd for password cracking, anyone? (The internet of things (IoT) recently DDoSed a significant portion of the internet: https://www.technologyreview.com/s/602713/how-the-internet-of-things-took-down-the-internet/ ) For instance, one could in theory get a million IoT devices to try a different password for logging in to your account -- in parallel. Munch munch munch; if the servers can handle it and don't stop authenticating... they'll get through.

Anyways, so I hope that has whetted your appetite for password security. After my password scare, I discovered pwgen, and researched various password testing sites such as https://howsecureismypassword.net/ After which point I made a password that would take 1 trillion years to crack with modern hardware. Another one for my bank, though due to character and length limitations it is only 3 thousand years to crack; the credit card one is 38 billion years -- though the bank only gives three attempts before you have to call them to reset it. Why have one that would take more than a lifetime to crack? Because every year computers get faster, supercomputers are already much faster, and exploiters have many computers at their disposal. The official recommendation for passwords is to have long, hard to crack passwords for each service.
Google, with two step authentication, gives people app passwords (to use on a per app basis) which are made of 16 all lowercase alphabetic characters, so 35 thousand years to crack. So I guess that is good enough for today. I've thus made a script which makes 4 syllable passwords (16 alphabetic), making them easy to remember, at the same time easy to enter on a phone, and secure enough for Google. It is partially based on pwgen, which also uses syllables, but pwgen is vowel heavy, whereas I studied linguistics so can use consonant clusters that conform to the sonority hierarchy. (It's liberty software; I'll put it up on GitLab if someone makes a request for it.)

As I've begun a company providing IT Services, I am also tasked with dealing with a large number of passwords of various users, obviously much more than I could or should commit to memory. The best password manager I've found so far is pass, which works on all POSIX systems from the command line, is integrated with git, is GPG encrypted, and can have different GPG keys for different folders. So for instance if/when I have employees that need to do a job on a site, I can give them a GPG sub decrypt key valid for the duration of their job, that gives them access to the passwords relevant for that site. Pass is also available as "Password Store" on F-Droid, and works in combination with OpenKeychain.

For a single user though, you can simply use your own GPG key. I found a good site on GPG best practices: https://riseup.net/en/security/message-security/openpgp/best-practices#refresh-your-keys-slowly-and-one-at-a-time I've also read that a good practice is to print out the master secret key as a QR code and/or ASCII, make some sub-keys for your current devices and then remove the master from all computers -- only scanning it back in to refresh your keys. Otherwise storing the master key printout in a safe of some kind.

Encryption

With recent events of Hillary Clinton's emails being fully exploited and broadcast all over the internet.
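The syllable scheme described above under Passwords, as an added example (my code, not the author's script, which the author offers on request): it builds 16-letter passwords from four 4-letter syllables whose consonant clusters rise in sonority before the vowel and fall after it, and reports the generator's keyspace next to that of 16 uniformly random lowercase letters, so the cost of pronounceable structure is visible. The letter inventories, the two syllable templates and the guess rate are assumptions of this example.

```python
import math
import secrets

# Sonority hierarchy, low to high: stops < fricatives < nasals < liquids < vowels.
# An onset cluster rises in sonority toward the vowel ("pr-", "fl-") and a coda
# cluster falls away from it ("-nt", "-rk"), which is what keeps them pronounceable.
# The letter inventories are constructed for this example (assumption: they are
# not the inventories of the author's own script).
STOPS, FRICATIVES, NASALS, LIQUIDS, VOWELS = "ptkbdg", "fsvz", "mn", "lr", "aeiou"
SINGLE = STOPS + FRICATIVES + NASALS + LIQUIDS
ONSET2 = [o + l for o in STOPS + FRICATIVES for l in LIQUIDS]  # rising sonority
CODA2 = [s + o for s in NASALS + LIQUIDS for o in STOPS]       # falling sonority

# Two templates (CCVC and CVCC), each exactly four letters, so that four
# syllables give the 16 lowercase letters of a Google app password.
SYLLABLES = ([a + v + c for a in ONSET2 for v in VOWELS for c in SINGLE] +
             [a + v + c for a in SINGLE for v in VOWELS for c in CODA2])
SYLLABLE_SET = frozenset(SYLLABLES)


def generate(n_syllables: int = 4) -> str:
    """Return a password of n_syllables pronounceable 4-letter syllables."""
    # secrets draws from the OS CSPRNG; the random module would be predictable.
    return "".join(secrets.choice(SYLLABLES) for _ in range(n_syllables))

def is_valid(password: str) -> bool:
    """True if the password consists only of syllables from the grammar."""
    if not password or len(password) % 4:
        return False
    return all(password[i:i + 4] in SYLLABLE_SET for i in range(0, len(password), 4))

def keyspace_bits(n_syllables: int = 4) -> float:
    """Entropy of this generator: log2 of the number of distinct outputs."""
    return n_syllables * math.log2(len(SYLLABLES))

def uniform_bits(length: int = 16, alphabet: int = 26) -> float:
    """Entropy of a uniformly random string of the same length and alphabet."""
    return length * math.log2(alphabet)

def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years to search half the keyspace at an assumed guess rate."""
    # 1e10/s is an assumed rate; real rates depend on the service's hash and rig.
    return (2.0 ** bits / 2) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print(generate(), f"{keyspace_bits():.1f} bits vs {uniform_bits():.1f} uniform")
```

With these inventories the four-syllable generator has about 46 bits of entropy against about 75 bits for 16 uniformly random lowercase letters, which is the trade-off any pronounceable scheme makes.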
It goes to show that even people in positions of power are vulnerable because of having plain text emails. The problem isn't just during transit, as some people think; it is the fact that they are kept in the archives in an unencrypted fashion. So if at any time in the future an exploiter gains access to your account, they can download your archives and broadcast them over the internet. When sending an encrypted email, on the other hand, even if the exploiter downloads it, they won't be able to make sense of it unless they have the private keys of the recipients.

In my IT Services company (LiberIT), I fully intend on making sure that all internal communications are encrypted. Fortunately F-Droid makes that easy, as even on a smartphone you can encrypt email by combining the K-9 email client and OpenKeychain. K-9 does require that you set up Google 2-factor authentication and get an app password for it, but it is an interesting step in raising security anyways. Also F-Droid now has repositories for the Guardian Project, so there are lots of Tor and encryption things available, such as OTR XMPP chat (ChatSecure) and KonTalk (an encrypted alternative to SMS).

Anyways, just wanted to share the gratitude for all these things powered by liberty software!

Thanks,
-- 
Logan Streondj, A dream of Gaia's future.
website: http://joyfullifestyle.ca
twitter: https://twitter.com/streondj
You can use encrypted email with me, how to: https://emailselfdefense.fsf.org/en/
key fingerprint: BD7E 6E2A E625 6D47 F7ED 30EC 86D8 FC7C FAD7 2729
