
Quick Guide to Configuring GnuPG on your Mac (OS X)

This is a quick-and-dirty guide to installing and configuring GnuPG (PGP) on your Mac. If you want a more detailed guide that explains every step, visit http://fiatlux.zeitform.info/en/instructions/pgp_macosx.html

For a detailed explanation of how PGP works, visit the Getting Started page of the GNU Privacy Handbook at http://www.gnupg.org/gph/en/manual/c14.html

For a nice tutorial on selecting a strong passphrase, read http://fiatlux.zeitform.info/en/instructions/passwords.html

Step 1: Download all the necessary software

You’ll need to download the following software (or packages) which will allow you to create encrypted messages on your Mac, import and export encryption keys, and configure everything through a GUI (Graphical User Interface).

Mac GnuPG

GPG Keychain Access

GPG Preferences

Step 2: Install and configure

Double-click on the Mac GnuPG file you downloaded to launch the installer. Launch the “GnuPG for Mac OS X 1.4.7” package (this was the version at the time of writing this article) and follow the instructions to install GnuPG on your computer.

Launch the Terminal application and open a command-line window. Type:

gpg --gen-key

and follow the instructions to generate your keypair. Choose “1” for the kind of key (DSA and Elgamal), “4096” for the key size, and “0” to make your keypair valid indefinitely (if you think your key should expire after a certain length of time, use one of the following codes instead: 2 for 2 days, 3w for 3 weeks, 6m for 6 months, or 12y for 12 years).

For your User-ID, enter your name, your e-mail address (this is the address you’ll use to send and receive encrypted emails) and an optional comment. You may use the optional comment field to state an opinion (“Live Free or Die”), to further identify yourself (“Company Name”) or however else you see fit – just remember that the comment field will be tied to your User ID and will show up in your public key. Enter “O” (the letter O, for Okay) to confirm all the information.
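The choices you make at the interactive prompts map directly onto GnuPG’s unattended key-generation parameter file, which is how you would script this same step. The following Python is an added example and is not code from this guide or from the GnuPG project. Its function names, the sample identity, and the 1024-bit DSA primary-key length (an assumption about gpg 1.4.x, where the DSA key is fixed at 1024 bits and the size you type applies to the Elgamal subkey) are all assumptions; the parameter names and the expiry-code grammar are GnuPG’s own.

```python
import re
import shutil
import subprocess
import tempfile

# Expiry codes gpg --gen-key accepts at its prompt: "0" for never, a bare
# number of days, or a number followed by w (weeks), m (months) or y (years).
EXPIRE_RE = re.compile(r"^(0|[1-9]\d*[wmy]?)$")


def validate_expire(code):
    """True if `code` is an expiry value gpg's key generation accepts."""
    return EXPIRE_RE.fullmatch(code) is not None


def build_genkey_params(name, email, comment="", elg_length=4096, expire="0"):
    """Render an unattended key-generation parameter file mirroring the
    interactive choices in the guide: a DSA primary key with an Elgamal
    encryption subkey (gpg's "DSA and Elgamal" option) and the chosen expiry.
    Key-Length 1024 is an assumption about gpg 1.4.x, where the DSA key is
    fixed at 1024 bits and the size you type applies to the Elgamal subkey.
    No Passphrase: line is written, so GnuPG 2.1+ asks for one through the
    agent (pinentry) instead of reading it from a plain file."""
    if not validate_expire(expire):
        raise ValueError(f"bad expiry code: {expire!r}")
    if not 1024 <= elg_length <= 4096:
        raise ValueError("Elgamal key length must be between 1024 and 4096 bits")
    lines = [
        "Key-Type: DSA",
        "Key-Length: 1024",
        "Subkey-Type: ELG-E",
        f"Subkey-Length: {elg_length}",
        f"Name-Real: {name}",
    ]
    if comment:  # the optional comment becomes part of the User-ID
        lines.append(f"Name-Comment: {comment}")
    lines += [f"Name-Email: {email}", f"Expire-Date: {expire}", "%commit"]
    return "\n".join(lines) + "\n"


def generate_key(params_text, homedir=None):
    """Run gpg --batch --gen-key on the parameter file inside a private
    keyring directory and return the fingerprints gpg lists afterwards.
    Returns None when gpg is not installed so the module still imports."""
    gpg = shutil.which("gpg")
    if gpg is None:
        return None
    homedir = homedir or tempfile.mkdtemp(prefix="gnupg-demo-")  # created 0700
    with tempfile.NamedTemporaryFile("w", suffix=".params", delete=False) as fh:
        fh.write(params_text)
        params_path = fh.name
    subprocess.run([gpg, "--homedir", homedir, "--batch", "--gen-key", params_path],
                   check=True)
    listing = subprocess.run(
        [gpg, "--homedir", homedir, "--with-colons", "--fingerprint", "--list-keys"],
        check=True, capture_output=True, text=True).stdout
    # In --with-colons output the fingerprint is field 10 of each "fpr" record.
    return [line.split(":")[9] for line in listing.splitlines()
            if line.startswith("fpr:")]


if __name__ == "__main__":
    # Constructed sample identity; replace it with your own before a real run.
    params = build_genkey_params("Jane Doe", "jane.doe@example.com",
                                 comment="Live Free or Die", expire="0")
    print(params)
    fingerprints = generate_key(params)
    print("gpg not found" if fingerprints is None else fingerprints)
```

The generated keyring lives in a fresh directory rather than your real ~/.gnupg, so you can inspect the result and throw it away; point `homedir` at your real keyring only once you are happy with the parameters.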

You must now enter your passphrase. Your passphrase is the one thing standing between your private key and anyone keen on misusing it or learning your secrets, so choose it wisely.

  • Do not use ordinary words that appear in any dictionary.
  • Do not use the names of your loved ones, hated ones, pets or family members.
  • Do not use personal dates such as birthdays or anniversaries.
  • Do not use short passphrases.
  • Use upper- and lower-case letters.
  • Use numbers.
  • Use punctuation marks.
  • Use something you can remember.
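The rules above can be turned into a checker that reports which of them a candidate passphrase breaks, which is useful for seeing why a passphrase that “looks complex” still fails. This Python is an added example, not code from this guide; the 15-character minimum (the guide only says “not short”), the tiny constructed word list standing in for a real dictionary, and the date patterns are assumptions.

```python
import re
import string

# Constructed stand-in for a real dictionary; a deployed check would load a
# full word list (e.g. /usr/share/dict/words) instead of these few entries.
COMMON_WORDS = {"password", "secret", "dragon", "monkey", "letmein", "welcome",
                "qwerty", "sunshine", "football", "princess"}

MIN_LENGTH = 15  # assumed threshold: the guide only says "not short"

# Things that look like birthdays or anniversaries: a four-digit year,
# a numeric day/month/year with separators, or an eight-digit YYYYMMDD.
DATE_PATTERNS = [
    re.compile(r"(?<!\d)(19|20)\d{2}(?!\d)"),
    re.compile(r"(?<!\d)\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}(?!\d)"),
    re.compile(r"(?<!\d)(19|20)\d{6}(?!\d)"),
]


def check_passphrase(passphrase, personal_terms=()):
    """Return the list of guide rules the passphrase violates; an empty list
    means it passes every check. `personal_terms` holds names, pet names and
    similar strings the caller knows are tied to the user."""
    problems = []
    lowered = passphrase.lower()
    words = re.findall(r"[a-z]+", lowered)
    if any(w in COMMON_WORDS for w in words):
        problems.append("contains a dictionary word")
    if any(t and t.lower() in lowered for t in personal_terms):
        problems.append("contains a personal name")
    if any(p.search(passphrase) for p in DATE_PATTERNS):
        problems.append("contains a date")
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isupper() for c in passphrase)
            and any(c.islower() for c in passphrase)):
        problems.append("needs both upper- and lower-case letters")
    if not any(c.isdigit() for c in passphrase):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in passphrase):
        problems.append("needs a punctuation mark")
    return problems


if __name__ == "__main__":
    # Constructed candidates, none of them anyone's real passphrase.
    samples = [
        ("password", ()),
        ("Fluffy1985!", ("Fluffy",)),
        ("Tr0ub4dor&3 walks home at 9pm", ()),
    ]
    for candidate, terms in samples:
        verdict = check_passphrase(candidate, terms) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The personal-name rule can only be enforced with knowledge the program does not have, so the caller passes those terms in; a real dictionary check would also catch the “word plus a digit and an exclamation mark” pattern, which this short list only illustrates.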

For a nice tutorial on passphrases, read http://fiatlux.zeitform.info/en/instructions/passwords.html

You must now enter your passphrase twice (it’ll be hidden from view) and generate your keypair (it’ll take a long time).

Congratulations… you’re now ready to communicate securely (well, almost ready).

Now install GPG Keychain Access and GPG Preferences.

GPG Keychain Access will let you manage your private and public keys through a graphical interface. It also allows you to manage your contacts’ public keys, import and export keys, and publish your public key to a key server.

GPG Preferences installs into the System Preferences panel and lets you select the key server to use to search for public keys. If someone sends you an encrypted message, you’ll need to know their public key to decrypt it. They can send you this key or you can search for it on a key server (if they published it).

Step 3: Configuring GnuPG to work with your applications

OK, now that you have GnuPG installed and a keypair, you need a way to use GnuPG from within your applications.

The following applications will let you seamlessly use GnuPG:

ABKey

ABKey will integrate GnuPG with your Address Book, adding fields for public keys to every address card.

GPGMail

GPGMail will let you encrypt, decrypt and sign messages from within Apple Mail. It’ll automatically recognize if a contact has a corresponding public key.

GPG DropThing

GPG DropThing allows you to encrypt and decrypt chunks of text and files through a drag-and-drop interface.

Enigmail

Enigmail will let you encrypt, decrypt and sign messages from within Thunderbird, Mozilla or Netscape email.

EntourageGPG

EntourageGPG will let you encrypt, decrypt and sign messages from within Microsoft Entourage.

EudoraGPG

EudoraGPG will let you encrypt, decrypt and sign messages from within the Eudora email program.

FireGPG

FireGPG will let you access GnuPG functions from within the Firefox browser. It’s great if you use Gmail for email as it’ll let you encrypt and decrypt messages from within Gmail and even adds buttons to Gmail’s interface to access common encryption functions. It’s still a little buggy, but works well enough.

Sometimes, FireGPG’s options dialog takes forever to appear or won’t appear at all. That dialog is where you indicate the path to the gpg executable. If it does not appear, simply type “about:config” in a new tab, filter on “firegpg” and change the following keys:

  • Set “extensions.firegpg.specify_gpg_path” to “true”.
  • Set “extensions.firegpg.gpg_path” to “/usr/local/bin/gpg”.

and restart your browser.

That’s it… you’re now ready to send and receive private messages.

If you want to send me a private message, look for my public key on the key servers. My email address is “granier” at Google’s Gmail service.

Feel free to add comments, suggestions or corrections via the comments form below.


Hacking at Apple Stores

Data security is one of my favorite subjects… and I’m always amazed at how careless some people (and major corporations) are with their digital identities.

I recently did a simple, non-scientific study at the local Apple Store. No elite hacking skills are needed (that’s L337 for you H4X0R5). Walk to any computer and pretend to be familiarizing yourself with the user interface. Load the Safari browser and check the History menu. You’ll immediately find a list of recently accessed websites. Usually this list is full of webmail visits: every computer at an Apple Store is internet enabled and people love to take advantage of Apple’s friendly, air-conditioned stores to check their email, blogs, bank accounts and even iWeb profiles.

Most of them forget to logout or clear the browser’s cache. Simply select any address from the history list and Safari will take you there. Most of the time you’ll still have access to a user’s account. On my last visit to the Apple Store I was able to access a webmail account on one iMac, a Hotmail account on another and a complete iWeb profile on a third one (this one even included an easy-to-click desktop icon to access the user’s account).

But the most shocking find was the one that prompted this article in the first place: a security company’s confidential PDF document. Right there on the Mac’s desktop, below the hard drive icon, stood a lonely Adobe PDF file. Out of curiosity I clicked on it and found a one-page document addressed to a high-level executive at a very high profile international security firm from a market leading auditing firm. I’d hate to have this firm in charge of my personal security.

It’s been said that the definition of privacy is a situation in which we’re able to spy on our peers but refrain from doing so. I agree, but I certainly don’t live my life as if that Utopian statement is true. It’s most certainly a great starting point to begin discussing privacy issues and policy, but don’t go around believing it’s the way the world works.

Unfortunately, common sense is not at all common. If you feel the need to check your webmail, work mail, bank account or whatever on a public computer (which I highly discourage), at least make sure you logout, clear the browser’s history cache and delete any temporary files after you’re done. It’s really the least you can do.

What do you think? Have any careless-user stories to share? Leave a comment, let me know.