
[lp-ca-on] Thanksgiving for F-Droid, Passwords and Encryption


From: Logan Streondj
Subject: [lp-ca-on] Thanksgiving for F-Droid, Passwords and Encryption
Date: Thu, 24 Nov 2016 22:43:07 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0

Hi all,

Recently Andrew generously donated an older Android phone he had to me
to use for work.

I decided not to root it (at least until I have a better phone), since
rooting phones, or upgrading them has usually led to bricks (for me
personally).

However I did decide to make its use as much liberty software (open
source) as possible.

F-Droid

To begin, you don't need to sign up for a Google account. Instead you can
download F-Droid (freedom-droid) https://f-droid.org/

One of the issues with living in this modern world of super exploiters
like Mr. Robot (indeed a large amount of hacking nowadays is done by
robots systematically exploiting vulnerabilities) is that we need to have
a lot of long passwords. Unfortunately many people do not follow the best
practice guidelines, as Elliot (the protagonist in Mr. Robot) aptly
noted, "he's too old to have a complicated password".

Passwords

Ha ha ha, well or so I thought.
"A look at the password habits of Americans showed that about 30% have
used a pet's name, almost 25% have used a family member's name, 21% a
birthday, and 10% each have used an anniversary, a sports team, an
address, or a phone number."
<http://www.huffingtonpost.com/entry/58360acee4b050dfe6187992?timestamp=1479937849453>

If those are all different people then 85%+ of people have weak
passwords :-O (horror stricken face)!

Personally I knew I should have a random password, from the very
beginning (when I was a windows user), though I didn't know about
pwgen, so I just mashed the keyboard a few times, and picked some
sequences.  At that point I had two passwords, one 6 character, and
one 8 character, which I considered my "strong" password.

For years I got by with those two.  Though at some point I did give a
shadow hash to a friendly exploiter, who told me that his 90's
hardware cracked it in less than a week. I didn't think much of it and
kept going.

But a couple years back, I got an unsettling message in my email
account.  "Someone attempted to log in to your account from Brazil,
and they were using your password". Uh oh! To me that was a wake up
call.  Recently a bunch of other people got other password wake up calls:

"Google may have detected government-backed attackers trying to steal
your password."
http://www.ibtimes.co.uk/google-sends-state-sponsored-hack-warnings-numerous-journalists-professors-1593172
https://twitter.com/juliaioffe/status/801435745760186368

Of course, what requires government-backed attackers now is going to
need a lot less backing in the near future as computing speed goes up,
and the number of devices does as well.  IoT herd for password
cracking anyone? (The internet of things (IoT) recently DDOSed a
significant portion of the internet
https://www.technologyreview.com/s/602713/how-the-internet-of-things-took-down-the-internet/
)

For instance, one could in theory get a million IoT devices to try a
different password for logging in to your account -- in parallel.
Munch munch munch, if the servers can handle it and don't stop
authenticating... they'll get through.

Anyways, so I hope that has whetted your appetite for password security.

After my password scare, I discovered pwgen, and researched various
password testing sites such as https://howsecureismypassword.net/
After which point I made a password that would take 1 trillion years
to crack with modern hardware. Another one for my bank, though due to
character and length limitations it is only 3 thousand years to crack,
the credit card one is 38 billion years -- though the bank only gives
three attempts before you have to call them to reset it.

Why have one that would take more than a lifetime to crack? Because
every year computers get faster, super computers are already much
faster, and exploiters have many computers at their disposal.

The official recommendation for passwords is to have long, hard to
crack passwords for each service. Google, with two-step authentication,
gives people app passwords (to use on a per-app basis) which are
made of 16 all-lowercase alphabetic characters, so 35 thousand years to crack.

So I guess that is good enough for today. I've thus made a script
which makes 4-syllable passwords (16 alphabetic characters), making them
easy to remember, at the same time easy to enter on a phone, and secure
enough for Google. It is partially based on pwgen, which also uses
syllables, but pwgen is vowel heavy, whereas I studied linguistics so I
can use consonant clusters that conform to the sonority hierarchy. (It's
liberty software; I'll put it up on GitLab if someone makes a request
for it.)

As I've begun a company providing IT Services, I am also tasked with
dealing with a large number of passwords of various users. Obviously
much more than I could or should commit to memory.

The best password manager I've found so far is pass, which works on
all POSIX systems from command line, is integrated with git, is GPG
encrypted, and can have different GPG keys for different folders.

So for instance if/when I have employees that need to do a job on a
site, I can give them a GPG sub decrypt key valid for the duration of
their job, which gives them access to the passwords relevant for that
site.

Pass is also available as "password store" on F-Droid, and works in
combination with OpenKeychain.

For a single user though, you can simply use your own GPG key. I found a
good site on GPG best practices:
https://riseup.net/en/security/message-security/openpgp/best-practices#refresh-your-keys-slowly-and-one-at-a-time

I've also read that a good practice is to print out the master secret
key, as a QR code and/or ASCII, make some sub-keys for your current
devices and then remove the master from all computers -- only scanning
it back in to refresh your keys. Otherwise store the master key
printout in a safe of some kind.

Encryption

With the recent events of Hillary Clinton's emails being fully exploited
and broadcast all over the internet, it goes to show that even people
in positions of power are vulnerable because of having plain text
emails.

The problem isn't just during transit as some people think, it is the
fact that they are kept in the archives in an unencrypted fashion. So
if any time in the future an exploiter gains access to your account,
they can download your archives, and broadcast them over the internet.

When sending an encrypted email on the other hand, even if the
exploiter downloads it, they won't be able to make sense of it unless
they have the private keys of the recipients.

In my IT Services company (LiberIT), I fully intend on making sure
that all internal communications are encrypted. Fortunately F-Droid
makes that easy, as even on a smartphone you can encrypt email by
combining the K-9 email client and OpenKeychain. K-9 does require that
you set up Google 2-factor authentication and get an app password
for it, but it is an interesting step in raising security anyway.

Also F-Droid now has repositories for the Guardian Project, so there
are lots of Tor and encryption things available, such as OTR XMPP chat
(ChatSecure) and KonTalk (an encrypted alternative to SMS).

Anyways, just wanted to share the gratitude, for all these things
powered by liberty software!

Thanks,
-- 
Logan Streondj,
A dream of Gaia's future.
website: http://joyfullifestyle.ca
twitter: https://twitter.com/streondj

You can use encrypted email with me,
how to: https://emailselfdefense.fsf.org/en/
key fingerprint:
BD7E 6E2A E625 6D47 F7ED 30EC 86D8 FC7C FAD7 2729
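The post mentions a 4-syllable, 16-letter password script built on consonant clusters that follow the sonority hierarchy. The following is an added example, not Logan's script and not pwgen: it generates such passwords and, more usefully, measures how much search space the pronounceability constraint gives up compared with 16 uniformly random lowercase letters. The consonant inventory, the two syllable shapes (CCVC and CVCC) and the 4e10 guesses/second rate are assumptions made for the example.

```python
"""Syllable-based password generation with an entropy check.

Added example, not the author's script: builds 4-syllable, 16-letter
passwords from consonant clusters that obey the sonority hierarchy
(onsets rise in sonority toward the vowel, codas fall away from it),
then compares the size of that search space with 16 uniformly random
lowercase letters. The consonant inventory, the two syllable shapes
(CCVC, CVCC) and the guessing rate are assumptions made for the example.
"""
import math
import secrets

# Sonority ranks, low to high: stops < fricatives < nasals < liquids < glides.
SONORITY = {}
for rank, group in enumerate(["ptkbdg", "fsvzh", "mn", "lr", "wy"], start=1):
    for letter in group:
        SONORITY[letter] = rank
CONSONANTS = sorted(SONORITY)  # 17 consonants
VOWELS = "aeiou"
SHAPES = ("CCVC", "CVCC")

# Legal two-consonant onsets ("pl", "sn", ...) rise in sonority toward the
# vowel; legal two-consonant codas ("lp", "ns", ...) fall away from it.
ONSETS2 = [a + b for a in CONSONANTS for b in CONSONANTS if SONORITY[a] < SONORITY[b]]
CODAS2 = [a + b for a in CONSONANTS for b in CONSONANTS if SONORITY[a] > SONORITY[b]]


def random_syllable(rng=secrets):
    """Return one 4-letter syllable.

    Both shapes contain the same number of syllables (len(ONSETS2) equals
    len(CODAS2)), so choosing the shape and then each part uniformly is
    uniform over the whole syllable set.
    """
    if rng.choice(SHAPES) == "CCVC":
        return rng.choice(ONSETS2) + rng.choice(VOWELS) + rng.choice(CONSONANTS)
    return rng.choice(CONSONANTS) + rng.choice(VOWELS) + rng.choice(CODAS2)


def generate(syllables=4, rng=secrets):
    """Return a pronounceable password of `syllables` * 4 lowercase letters."""
    return "".join(random_syllable(rng) for _ in range(syllables))


def syllable_count():
    """Number of distinct syllables the generator can produce."""
    return (len(ONSETS2) * len(VOWELS) * len(CONSONANTS)
            + len(CONSONANTS) * len(VOWELS) * len(CODAS2))


def entropy_bits(syllables=4):
    """Entropy of a uniformly chosen password of `syllables` syllables."""
    return syllables * math.log2(syllable_count())


def random_letters_bits(length=16):
    """Entropy of `length` independent uniform lowercase letters, for comparison."""
    return length * math.log2(26)


def is_well_formed(word):
    """True if `word` is a sequence of CCVC/CVCC syllables with legal clusters."""
    if not word or len(word) % 4:
        return False
    for i in range(0, len(word), 4):
        s = word[i:i + 4]
        ccvc = s[:2] in ONSETS2 and s[2] in VOWELS and s[3] in CONSONANTS
        cvcc = s[0] in CONSONANTS and s[1] in VOWELS and s[2:] in CODAS2
        if not (ccvc or cvcc):
            return False
    return True


def years_to_exhaust(bits, guesses_per_second=4e10):
    """Years to try every password at an assumed offline guessing rate."""
    return 2 ** bits / guesses_per_second / 31_557_600


if __name__ == "__main__":
    pw = generate()
    print(pw, "well-formed:", is_well_formed(pw))
    for label, bits in (("4-syllable", entropy_bits()),
                        ("16 random letters", random_letters_bits())):
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits):,.2f} years to exhaust")
```

With the assumed rate, 16 uniformly random lowercase letters (about 75 bits) take roughly 35 thousand years to exhaust, which matches the figure quoted for Google's app passwords, while the syllable-restricted space is only about 57 bits and is exhausted in about a month at the same rate. That is the trade-off any pronounceable-password scheme makes: the letters are not independent, so the length alone overstates the strength. Adding a fifth syllable, or treating the password as one factor alongside 2-step authentication as the post does, is how you buy the difference back.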
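The post also raises the scenario of a million devices each trying one guess against a single account in parallel, and notes that the bank stops after three attempts. The server-side counterpart is a lockout counted per account rather than per source address, so that spreading the guesses across many devices does not help. The following is an added example, not anything from the post or from the products it names; the log lines and their format are constructed for the example.

```python
"""Per-account failed-login lockout.

Added example, not from the original post: counts authentication failures
per target account across all source addresses, so a distributed guessing
attempt (many devices, one account, one guess each) trips the lockout even
though no single source exceeds a per-address limit. The log lines and
their format are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: four different sources each try "alice" once.
SAMPLE_LOG = """\
2016-11-24T22:43:01 auth fail user=alice src=203.0.113.10
2016-11-24T22:43:02 auth fail user=alice src=198.51.100.7
2016-11-24T22:43:02 auth fail user=bob src=203.0.113.10
2016-11-24T22:43:03 auth fail user=alice src=192.0.2.99
2016-11-24T22:43:04 auth ok user=bob src=203.0.113.10
2016-11-24T22:43:04 auth fail user=alice src=198.51.100.8
""".splitlines()


def parse(line):
    """Split one constructed log line into (timestamp, outcome, user, source)."""
    ts, _, outcome, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return datetime.fromisoformat(ts), outcome, kv["user"], kv["src"]


class AccountLockout:
    """Lock an account after `limit` failures within `window_seconds`.

    Failures are keyed by account, not by source address, which is what
    defeats "one guess per device" distribution. The default limit mirrors
    the three-attempt policy mentioned in the post.
    """

    def __init__(self, limit=3, window_seconds=60):
        self.limit = limit
        self.window = window_seconds
        self.failures = defaultdict(deque)  # user -> recent failure timestamps
        self.sources = defaultdict(set)     # user -> distinct sources that failed
        self.locked = {}                    # user -> time the lock was applied

    def record(self, ts, outcome, user, src):
        """Register one auth event; return False if the account is (now) locked."""
        if user in self.locked:
            return False  # refuse without evaluating the credential at all
        if outcome != "fail":
            return True
        recent = self.failures[user]
        recent.append(ts)
        self.sources[user].add(src)
        while recent and (ts - recent[0]).total_seconds() > self.window:
            recent.popleft()  # forget failures older than the window
        if len(recent) >= self.limit:
            self.locked[user] = ts
            return False
        return True


def replay(lines, limit=3, window_seconds=60):
    """Run log lines through the lockout; return (lockout state, denied count)."""
    lockout = AccountLockout(limit, window_seconds)
    denied = 0
    for line in lines:
        if not lockout.record(*parse(line)):
            denied += 1
    return lockout, denied


if __name__ == "__main__":
    state, denied = replay(SAMPLE_LOG)
    for user, when in state.locked.items():
        print(f"{user} locked at {when.isoformat()} after failures from "
              f"{len(state.sources[user])} sources")
    print(f"{denied} attempts denied")
```

On the sample log, alice is locked at the third failure even though the three guesses came from three different addresses, and the fourth attempt is refused before the password is checked at all. The `sources` set is kept so that a lock triggered by many distinct addresses can be alerted on separately from an ordinary user mistyping a password.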
