Re: [PLUG] Vetting security apps?

2019-01-08 Thread Louis Kowolowski
Bleeding edge vs Established
New technology, new implementation, new user base(s), new bugs. Even if the 
math is solid, implementation may not be. 
I'm not trying to suggest you shouldn't use new things. I'm pointing out the 
potential compromise in doing it.

If you want to play on the bleeding edge here, I'd suggest you start following 
(well known) security people (CSO, researchers, InfoSec). Listen to podcasts 
where these people talk about things. Don't jump in right away. Mostly listen 
and watch. After a while, you'll start seeing patterns, some things will be 
recommended, some will start that way and then stop. The bleeding edge is 
bumpy. The bleeding edge is also not where most people are, so your 
communication radius will be small if you're using bleeding edge tools.

This is a decent list to check out
https://digitalguardian.com/blog/best-information-security-podcasts

I like the security rabbit hole, and risky business.


> On Jan 9, 2019, at 12:40 AM, Mike C.  wrote:
> 
> I'm curious to know what others do in vetting security apps they use
> or may recommend to others.
> 
> I use a variety of fairly well known secure email & chat apps but just
> learned about an app called Keybase. https://keybase.io/docs
> 
> It's like encrypted Slack but also some really interesting things like
> an encrypted cloud based file system and secure digital identity
> management.
> 
> Also, this seems like they're using blockchain:
> "Every account on Keybase has a public history. "Sigchains" let
> Keybase clients reconstruct the present without trusting Keybase's
> servers. And when you "follow" someone on Keybase, you sign a snapshot
> of your view of the claims in their sigchain."
> 
> In the past I trusted apps that I use because of recommendations by
> the EFF, Edward Snowden, the general digital security community.
> 
> Currently, there doesn't seem to be too much written up about Keybase
> other than an article on HackerNews from 2016.
> 
> The ask. Does anyone play a bit more on the bleeding edge with privacy
> & encryption apps and if so how do you go about vetting a new app
> that's relatively unknown?
> 
> Thank you,
> 
> Mike
> ___
> PLUG mailing list
> PLUG@pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug

--
Louis Kowolowski    lou...@cryptomonkeys.org

Cryptomonkeys:   http://www.cryptomonkeys.com/ 


Making life more interesting for people since 1977



Re: [PLUG] Vetting security apps?

2019-01-08 Thread Russell Senior
FWIW, I'm: https://keybase.io/rssenior

On Tue, Jan 8, 2019 at 10:57 PM Russell Senior 
wrote:

> I like the key validation part of keybase, which somewhat takes the place
> of crypto party in-person web-of-trust key exchange event thingies. For
> those unfamiliar, keybase uses various social media accounts or domain or
> website rights to demonstrate that a person that is able to post
> information to those places also has access to their private key. So, for
> example, if you know someone and follow their work on a social media
> account or can check their DNS information or a magical URL on a site they
> control, and you are reasonably confident they haven't been kidnapped and
> they haven't mentioned losing control of their private key, then you have
> some confidence you have a valid public key.
>
> I don't completely trust the keybase application (in fact I have it turned
> off) because "it's just some random binary a company gave me".  It does
> some cool things though, including the userfs where you can copy files and
> they are magically transported to a corresponding directory on another
> keybase user's machine, and vice versa. I think the application is open
> source though, so you could presumably inspect the source code and build it
> yourself. I haven't tried that.
>
> To your specific question at the end, I don't have much to contribute,
> sadly.
>
> On Tue, Jan 8, 2019 at 10:42 PM Mike C.  wrote:
>
>> I'm curious to know what others do in vetting security apps they use
>> or may recommend to others.
>>
>> I use a variety of fairly well known secure email & chat apps but just
>> learned about an app called Keybase. https://keybase.io/docs
>>
>> It's like encrypted Slack but also some really interesting things like
>> an encrypted cloud based file system and secure digital identity
>> management.
>>
>> Also, this seems like they're using blockchain:
>> "Every account on Keybase has a public history. "Sigchains" let
>> Keybase clients reconstruct the present without trusting Keybase's
>> servers. And when you "follow" someone on Keybase, you sign a snapshot
>> of your view of the claims in their sigchain."
>>
>> In the past I trusted apps that I use because of recommendations by
>> the EFF, Edward Snowden, the general digital security community.
>>
>> Currently, there doesn't seem to be too much written up about Keybase
>> other than an article on HackerNews from 2016.
>>
>> The ask. Does anyone play a bit more on the bleeding edge with privacy
>> & encryption apps and if so how do you go about vetting a new app
>> that's relatively unknown?
>>
>> Thank you,
>>
>> Mike


Re: [PLUG] Vetting security apps?

2019-01-08 Thread Nat Taylor
Rocket Chat is another solution.  You can set up your own server fairly
easily with docker if you want.
I haven't seen a recent security audit for it.

On Tue, Jan 8, 2019 at 10:59 PM Russell Senior 
wrote:

> I like the key validation part of keybase, which somewhat takes the place
> of crypto party in-person web-of-trust key exchange event thingies. For
> those unfamiliar, keybase uses various social media accounts or domain or
> website rights to demonstrate that a person that is able to post
> information to those places also has access to their private key. So, for
> example, if you know someone and follow their work on a social media
> account or can check their DNS information or a magical URL on a site they
> control, and you are reasonably confident they haven't been kidnapped and
> they haven't mentioned losing control of their private key, then you have
> some confidence you have a valid public key.
>
> I don't completely trust the keybase application (in fact I have it turned
> off) because "it's just some random binary a company gave me".  It does
> some cool things though, including the userfs where you can copy files and
> they are magically transported to a corresponding directory on another
> keybase user's machine, and vice versa. I think the application is open
> source though, so you could presumably inspect the source code and build it
> yourself. I haven't tried that.
>
> To your specific question at the end, I don't have much to contribute,
> sadly.
>
> On Tue, Jan 8, 2019 at 10:42 PM Mike C.  wrote:
>
> > I'm curious to know what others do in vetting security apps they use
> > or may recommend to others.
> >
> > I use a variety of fairly well known secure email & chat apps but just
> > learned about an app called Keybase. https://keybase.io/docs
> >
> > It's like encrypted Slack but also some really interesting things like
> > an encrypted cloud based file system and secure digital identity
> > management.
> >
> > Also, this seems like they're using blockchain:
> > "Every account on Keybase has a public history. "Sigchains" let
> > Keybase clients reconstruct the present without trusting Keybase's
> > servers. And when you "follow" someone on Keybase, you sign a snapshot
> > of your view of the claims in their sigchain."
> >
> > In the past I trusted apps that I use because of recommendations by
> > the EFF, Edward Snowden, the general digital security community.
> >
> > Currently, there doesn't seem to be too much written up about Keybase
> > other than an article on HackerNews from 2016.
> >
> > The ask. Does anyone play a bit more on the bleeding edge with privacy
> > & encryption apps and if so how do you go about vetting a new app
> > that's relatively unknown?
> >
> > Thank you,
> >
> > Mike


Re: [PLUG] Vetting security apps?

2019-01-08 Thread Russell Senior
I like the key validation part of keybase, which somewhat takes the place
of crypto party in-person web-of-trust key exchange event thingies. For
those unfamiliar, keybase uses various social media accounts or domain or
website rights to demonstrate that a person that is able to post
information to those places also has access to their private key. So, for
example, if you know someone and follow their work on a social media
account or can check their DNS information or a magical URL on a site they
control, and you are reasonably confident they haven't been kidnapped and
they haven't mentioned losing control of their private key, then you have
some confidence you have a valid public key.

I don't completely trust the keybase application (in fact I have it turned
off) because "it's just some random binary a company gave me".  It does
some cool things though, including the userfs where you can copy files and
they are magically transported to a corresponding directory on another
keybase user's machine, and vice versa. I think the application is open
source though, so you could presumably inspect the source code and build it
yourself. I haven't tried that.

To your specific question at the end, I don't have much to contribute,
sadly.

On Tue, Jan 8, 2019 at 10:42 PM Mike C.  wrote:

> I'm curious to know what others do in vetting security apps they use
> or may recommend to others.
>
> I use a variety of fairly well known secure email & chat apps but just
> learned about an app called Keybase. https://keybase.io/docs
>
> It's like encrypted Slack but also some really interesting things like
> an encrypted cloud based file system and secure digital identity
> management.
>
> Also, this seems like they're using blockchain:
> "Every account on Keybase has a public history. "Sigchains" let
> Keybase clients reconstruct the present without trusting Keybase's
> servers. And when you "follow" someone on Keybase, you sign a snapshot
> of your view of the claims in their sigchain."
>
> In the past I trusted apps that I use because of recommendations by
> the EFF, Edward Snowden, the general digital security community.
>
> Currently, there doesn't seem to be too much written up about Keybase
> other than an article on HackerNews from 2016.
>
> The ask. Does anyone play a bit more on the bleeding edge with privacy
> & encryption apps and if so how do you go about vetting a new app
> that's relatively unknown?
>
> Thank you,
>
> Mike


[PLUG] Vetting security apps?

2019-01-08 Thread Mike C.
I'm curious to know what others do in vetting security apps they use
or may recommend to others.

I use a variety of fairly well known secure email & chat apps but just
learned about an app called Keybase. https://keybase.io/docs

It's like encrypted Slack but also some really interesting things like
an encrypted cloud based file system and secure digital identity
management.

Also, this seems like they're using blockchain:
"Every account on Keybase has a public history. "Sigchains" let
Keybase clients reconstruct the present without trusting Keybase's
servers. And when you "follow" someone on Keybase, you sign a snapshot
of your view of the claims in their sigchain."

In the past I trusted apps that I use because of recommendations by
the EFF, Edward Snowden, the general digital security community.

Currently, there doesn't seem to be too much written up about Keybase
other than an article on HackerNews from 2016.

The ask. Does anyone play a bit more on the bleeding edge with privacy
& encryption apps and if so how do you go about vetting a new app
that's relatively unknown?

Thank you,

Mike
___
PLUG mailing list
PLUG@pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug
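
Added example, not part of the original thread and not Keybase's code: a simplified model of the sigchain idea quoted above, where a client replays hash-linked, Ed25519-signed claims and compares them with the snapshot it recorded when it followed the account, so it does not have to trust the server. The Link layout, the error names and the sample claims are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Link is one entry in a simplified, hypothetical sigchain (not Keybase's wire format).
type Link struct {
	Seqno   uint64
	Prev    [32]byte // hash of the previous link; all zero for the first link
	Payload string   // a public claim, e.g. "I control example.org"
	Sig     []byte   // owner's Ed25519 signature over Seqno, Prev and Payload
}

var (
	ErrBadLink  = errors.New("link out of order or not chained to its predecessor")
	ErrBadSig   = errors.New("link not signed by the account key")
	ErrRollback = errors.New("chain contradicts or is shorter than the followed snapshot")
)

// signedBytes is the exact byte string the owner signs for this link.
func (l Link) signedBytes() []byte {
	b := make([]byte, 8, 8+32+len(l.Payload))
	binary.BigEndian.PutUint64(b, l.Seqno)
	b = append(b, l.Prev[:]...)
	return append(b, l.Payload...)
}

// Hash covers the signed bytes and the signature; the next link commits to it.
func (l Link) Hash() [32]byte {
	return sha256.Sum256(append(l.signedBytes(), l.Sig...))
}

// Append signs a new claim and links it to the current head of the chain.
func Append(chain []Link, priv ed25519.PrivateKey, payload string) []Link {
	l := Link{Seqno: uint64(len(chain) + 1), Payload: payload}
	if len(chain) > 0 {
		l.Prev = chain[len(chain)-1].Hash()
	}
	l.Sig = ed25519.Sign(priv, l.signedBytes())
	return append(chain, l)
}

// Verify replays a chain received from an untrusted server. snapSeq and snapHash
// are the head the follower recorded earlier (the "snapshot" in this model).
func Verify(chain []Link, pub ed25519.PublicKey, snapSeq uint64, snapHash [32]byte) error {
	if uint64(len(chain)) < snapSeq {
		return ErrRollback // server is hiding links the follower already saw
	}
	var prev [32]byte
	for i, l := range chain {
		if l.Seqno != uint64(i+1) || l.Prev != prev {
			return ErrBadLink
		}
		if !ed25519.Verify(pub, l.signedBytes(), l.Sig) {
			return ErrBadSig
		}
		prev = l.Hash()
		if l.Seqno == snapSeq && prev != snapHash {
			return ErrRollback // history was rewritten after the snapshot
		}
	}
	return nil
}

// Demo builds a constructed three-link chain from a fixed all-zero seed (demo only).
func Demo() ([]Link, ed25519.PublicKey, [32]byte) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	var chain []Link
	for _, claim := range []string{"key added", "I control example.org", "I post as @alice"} {
		chain = Append(chain, priv, claim)
	}
	return chain, priv.Public().(ed25519.PublicKey), chain[2].Hash()
}

func main() {
	chain, pub, head := Demo()
	fmt.Println("honest replay:", Verify(chain, pub, 3, head))
	fmt.Println("truncated by server:", Verify(chain[:2], pub, 3, head))
}
```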


Re: [PLUG] nVidia config issue

2019-01-08 Thread Dick Steffens

On 1/8/19 9:17 PM, Ben Koenig wrote:

> Ah ok, so you got the driver going. Technically it is working the way it's
> supposed to ;)
>
> The config file lives in /etc/X11/xorg.conf. Only root has access to this
> folder so when you try to "save" the config, it actually just saves a
> temporary copy. I think it puts it in your home directory somewhere. You
> are supposed to copy it as root to /etc/X11/xorg.conf


I've been running nvidia-settings as root and saving directly to 
/etc/X11. Just now I tried it as you suggested and saved xorg.conf to my 
home directory. I then started a terminal, logged in as root, cd'd to 
/etc/X11, renamed xorg.conf to back it up, and then copied 
/home/rsteff/xorg.conf to /etc/X11. Then I logged out of root, logged 
out of the current X session, and logged back in. Same result. Next I 
tried a restart. Same result.


BTW, when I start a terminal I expect to see a prompt that looks like:

rsteff@ENU-2:~$

But what I see is:

bash-4.3$

Is that normal?

When I log in via ssh I do get:

rsteff@ENU-2:~$





> That said, I have no idea if it will work. Creating a manual xorg.conf is
> not really the official way to do this anymore. Modern X servers use
> template configs to generate a complete xorg.conf on the fly. The
> SlackBuild you installed actually includes a mini version of this config to
> get X to "see" the driver.
>
> You can create an entirely new xorg.conf and do it the old school way if
> you still want, but if you don't get all the different sections in there it
> can be pretty wonky.
>
> Try to copy the file to /etc/X11/ as root and restart X. If you have an old
> xorg.conf file that you know works from Ubuntu it might do exactly what you
> want. Unfortunately Ed is the expert on doing this since he has the big
> Nvidia multi-monitor setup, I never touch xorg.conf manually these days.


I tried that just now, changing the GeForce 210 to GeForce GT 610. Same 
result as all the other times.


I must be missing something.

--
Regards,

Dick Steffens



Re: [PLUG] nVidia config issue

2019-01-08 Thread Ben Koenig
Ah ok, so you got the driver going. Technically it is working the way it's
supposed to ;)

The config file lives in /etc/X11/xorg.conf. Only root has access to this
folder so when you try to "save" the config, it actually just saves a
temporary copy. I think it puts it in your home directory somewhere. You
are supposed to copy it as root to /etc/X11/xorg.conf

That said, I have no idea if it will work. Creating a manual xorg.conf is
not really the official way to do this anymore. Modern X servers use
template configs to generate a complete xorg.conf on the fly. The
SlackBuild you installed actually includes a mini version of this config to
get X to "see" the driver.

You can create an entirely new xorg.conf and do it the old school way if
you still want, but if you don't get all the different sections in there it
can be pretty wonky.

Try to copy the file to /etc/X11/ as root and restart X. If you have an old
xorg.conf file that you know works from Ubuntu it might do exactly what you
want. Unfortunately Ed is the expert on doing this since he has the big
Nvidia multi-monitor setup, I never touch xorg.conf manually these days.



On Tue, Jan 8, 2019 at 9:02 PM Dick Steffens  wrote:

> On 1/8/19 8:22 PM, Ben Koenig wrote:
> > <...>
> >
> > I'm trying to figure out what's broken here and I just can't see it.
> >
> > The subject of this thread was something about problems logging in.
> >
> > Turned out to be an issue with having the wrong nvidia driver installed.
> >
> > And now you say that X launches the nvidia-settings program runs as
> > expected.
> >
> > Looks to me like everything is working the way it's supposed
>
> Except that the X configuration does not survive log out or restart.
>
> I can change the X configuration to put the screens where I want them,
> but when I restart the changes are gone. I've used the button on the
> nVidia window to save the settings to /etc/X11/xorg.conf. But they don't
> stick. As I read xorg.conf, I couldn't see where those changes are. Is
> there someplace else that holds the information about which screen is
> which, and how they're displayed?
>
> --
> Regards,
>
> Dick Steffens
>


[PLUG] nVidia config issue

2019-01-08 Thread Dick Steffens

On 1/8/19 8:22 PM, Ben Koenig wrote:

> <...>
>
> I'm trying to figure out what's broken here and I just can't see it.
>
> The subject of this thread was something about problems logging in.
>
> Turned out to be an issue with having the wrong nvidia driver installed.
>
> And now you say that X launches the nvidia-settings program runs as
> expected.
>
> Looks to me like everything is working the way it's supposed


Except that the X configuration does not survive log out or restart.

I can change the X configuration to put the screens where I want them, 
but when I restart the changes are gone. I've used the button on the 
nVidia window to save the settings to /etc/X11/xorg.conf. But they don't 
stick. As I read xorg.conf, I couldn't see where those changes are. Is 
there someplace else that holds the information about which screen is 
which, and how they're displayed?


--
Regards,

Dick Steffens



Re: [PLUG] Slackware login pain

2019-01-08 Thread Dick Steffens

On 1/8/19 8:22 PM, Ben Koenig wrote:

> I'm trying to figure out what's broken here and I just can't see it.
>
> The subject of this thread was something about problems logging in.
>
> Turned out to be an issue with having the wrong nvidia driver installed.


I should have started a new thread. I'll do that now.

--
Regards,

Dick Steffens



Re: [PLUG] Slackware login pain

2019-01-08 Thread Ben Koenig
I'm trying to figure out what's broken here and I just can't see it.

The subject of this thread was something about problems logging in.

Turned out to be an issue with having the wrong nvidia driver installed.

And now you say that X launches the nvidia-settings program runs as
expected.

Looks to me like everything is working the way it's supposed

On Tue, Jan 8, 2019 at 9:54 AM Dick Steffens  wrote:

> On 1/7/19 3:37 PM, Ben Koenig wrote:
> > Wait a second  why is nvidia-settings trying to create an xorg.conf
> > file? I thought the program was nvidia-xconfig ..
>
> It occurred to me that if I have a correct nVidia setup on my Ubuntu
> machine, which has a very similar monitor setup, I could compare the
> xorg.config files with each other and maybe edit the one on the
> Slackware machine to match as appropriate. With the exception of the
> nVidia model, the two files are identical. On the Ubuntu machine I have
> a GeForce 210.
>
> I hadn't heard of nvidia-xconfig, so I ran it.
>
> root@ENU-2:/etc/X11# nvidia-xconfig
>
> Using X configuration file: "/etc/X11/xorg.conf".
> Backed up file '/etc/X11/xorg.conf' as
> '/etc/X11/xorg.conf.nvidia-xconfig-original'
> Backed up file '/etc/X11/xorg.conf' as '/etc/X11/xorg.conf.backup'
> New X configuration file written to '/etc/X11/xorg.conf'
>
> root@ENU-2:/etc/X11#
>
> When I log out I'm back at run level 3. I run startx again and it comes
> up with mirrored screens. I run nvidia-settings from the menu and I can
> uncover the smaller screen, put it to the left, set it as the primary
> display, click apply, and I get what I want. The smaller monitor on the
> left with the menu bar at the top and the launcher bar at the bottom,
> and the larger monitor to the right with nothing but wallpaper. I can't
> save the configuration from this invocation, so I quit. open a terminal,
> log in as root, and it still shows the settings I set up as rsteff. I
> can save to xorg.conf. I log out, log back in, and the settings are back
> to mirrored, with the menu and launch bars back on the right hand monitor.
>
> I thought xorg.conf is where those settings were being stored. Is there
> somewhere else I need to be looking?
>
> --
> Regards,
>
> Dick Steffens
>


Re: [PLUG] Slackware login pain

2019-01-08 Thread Dick Steffens

On 1/7/19 3:37 PM, Ben Koenig wrote:

> Wait a second  why is nvidia-settings trying to create an xorg.conf
> file? I thought the program was nvidia-xconfig ..


It occurred to me that if I have a correct nVidia setup on my Ubuntu 
machine, which has a very similar monitor setup, I could compare the 
xorg.config files with each other and maybe edit the one on the 
Slackware machine to match as appropriate. With the exception of the 
nVidia model, the two files are identical. On the Ubuntu machine I have 
a GeForce 210.


I hadn't heard of nvidia-xconfig, so I ran it.

root@ENU-2:/etc/X11# nvidia-xconfig

Using X configuration file: "/etc/X11/xorg.conf".
Backed up file '/etc/X11/xorg.conf' as 
'/etc/X11/xorg.conf.nvidia-xconfig-original'

Backed up file '/etc/X11/xorg.conf' as '/etc/X11/xorg.conf.backup'
New X configuration file written to '/etc/X11/xorg.conf'

root@ENU-2:/etc/X11#

When I log out I'm back at run level 3. I run startx again and it comes 
up with mirrored screens. I run nvidia-settings from the menu and I can 
uncover the smaller screen, put it to the left, set it as the primary 
display, click apply, and I get what I want. The smaller monitor on the 
left with the menu bar at the top and the launcher bar at the bottom, 
and the larger monitor to the right with nothing but wallpaper. I can't 
save the configuration from this invocation, so I quit. open a terminal, 
log in as root, and it still shows the settings I set up as rsteff. I 
can save to xorg.conf. I log out, log back in, and the settings are back 
to mirrored, with the menu and launch bars back on the right hand monitor.


I thought xorg.conf is where those settings were being stored. Is there 
somewhere else I need to be looking?


--
Regards,

Dick Steffens
