Tuesday, August 8, 2023

Steam on Linux Mint Cinnamon

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

There was an update to the Steam client program that broke Steam on my particular Linux installations. The UI would load but any context menus would effectively become transparent to the mouse. Basically, if you opened a drop down menu or a right-click menu, anything you clicked on in the menu would pass right through into the window below. I suppose I could give in and switch to the more mainstream Ubuntu Linux, or switch to Mac or Windows, but I am quite pleased with my Linux Mint with the Cinnamon desktop interface.

The solution is to go to Steam settings, navigate to Interface, and then flip the switch that says "Enable context menu focus compatibility mode". This seems to work on my Linux Mint 21.1 Cinnamon systems which allows me to not have to switch to Gnome3 or Unity.

That's it. See below for background and rambling if you choose.

Steam support said that Steam is only supported on Gnome3 and Unity interfaces. But both those interface programs have issues that prevent me from using them. The support staff were kind and polite, but had no real solution other than to switch to a supported Linux platform (Ubuntu Linux with Unity or Gnome3 interface)... but at least Steam supports some Linux installations.

While the Unity desktop looks beautiful and astonishes anyone I show it too, it's not the most stable nor is it as configurable as I would prefer... though the available settings are still plenty enough for most users.

Gnome3 is a usable interface, and it has some interesting design decisions like moving away from the traditional desktop metaphor. My issue is that it's very mouse driven, and it's not designed for users like me who grew up with traditional desktop metaphor interfaces. Although, users who grew up with tablets and phones instead of computers may not see this as a problem since they did not depend on the desktop metaphor. I just cannot get used to Gnome3 and it seems to have issues with color management which manifests as tinting my desktop a warm yellow color, pleasant to look at, easy on the eyes, but not so great for color accuracy.

For those who don't know, Linux based systems have so many desktop interfaces available because the desktop interface can be installed, removed, and swapped like any other program on Linux. Basically, if you don't like a desktop interface program, you can install a different one with only a few keystrokes... something that seems foreign to many Mac and Windows users since their desktop interface program is nearly impossible to change.

Since I could not find the solution to this issue anywhere online, I posted in here in the hope that someone else with this issue will find it. I'm not sure what causes this to happen, it seemed to start when Steam made their UI look like the image below.
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQTdEHZzdRj88+sPHs2DGTsp04R9UwUCZNL/TAAKCRCDGTsp04R9
U3OwAP9U2QcEEOqvJHPhvMIZ2bh7WE+httlEYrLmnppFJErvMAEAlc+erUWAZiF/
egl55eALTfHW/VGiW6GsTLUhyvDppwg=
=xop6
-----END PGP SIGNATURE-----

Steam settings screenshot
The problems started when they made the UI look like this, to fix it, check the switch on the bottom of this page.

Saturday, March 18, 2023

Upgrading Linux and DisplayCAL

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I recently re-installed one of my Linux machines. I did this because some software I need would only run on newer versions of Linux, some problems happened with my old Linux install (probably from badly timed power failures), and I wanted to upgrade to a release with a longer support period.

The issue is that some software I used would not work on newer versions of Ubuntu based Linux, and this is what initially delayed my upgrade. Eventually I found new programs that are still in active development, using old software just to avoid changing to a program that was abandoned is not a wise decision. I know people that have machines dating from the 1990's that they keep running so they can run one specific program that they refuse to replace with a modern equivalent. Ideally, our software would move to new hardware with us, but in times when it does not, there are two possible decisions that I support. First is to replace with a new program, and the second is to use emulation or virtual machines to run that one program on a modern system. Running another PC that cannot be upgraded just to remain compatible with one program is not a wise idea, and it also opens the door to security issues down the line.

DisplayCAL is a program used to calibrate monitors. Most people don't realize just how out to lunch most monitors are with regards to color. Most monitors are unable to display colors as they were intended to be, this is why people who want their screens to be accurate will use a special device that checks their monitors for color accuracy. Photographers and web designers can benefit from accurate color on their monitors. Even an expensive monitor wont be accurate, even two monitors of the same model will look different when placed next to each other. The way to fix this issue is to use a color calibration program and a colorimeter device to tell the computer how to compensate for the differences in each screen. DisplayCAL is one of the better programs for this task that is also easy to use.

The problem with DisplayCAL is that it's written to use an older version of Python that has since been deprecated. Thankfully, DisplayCAL is open source, and someone else rewrote it to use a newer version of Python that is still supported.

To anyone having the same issue as I did with DisplayCAL, head to this repository https://github.com/eoyilmaz/displaycal-py3 which holds a more up to date version of DisplayCAL. Following the directions to build and install this program worked on my system.

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQTdEHZzdRj88+sPHs2DGTsp04R9UwUCZBaTnQAKCRCDGTsp04R9
UzffAQCqaNf2+kDUe3ZOT199xt51ocG8qwJ/RYoAKQmMrNMo4AD/YabV6OXWUvVd
rIn7Qkwq0Mjt6Y4XeIrQCsofmaOgogo=
=WlDE
-----END PGP SIGNATURE-----

Friday, March 17, 2023

Helping a project

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

While programming micro-controller chips that will eventually control a semi-custom radio for a friend of mine, I was browsing for a library for the radio chip we are using. We eventually found a library and decided that it might not work for us due to memory usage and the limited memory available on the micro controllers we are using.

Still, the library is well made, and easy for a beginner to use. The choice to use object oriented programming makes it far easier for someone coming from other areas to utilize since object orientated programming is quite popular these days.

Our main issue was that the library's documentation could use a little cleaning up from a native English speaker. Rather than complain about it, I forked the repository on Github and I started working on said documentation. Sometimes the best solution is to just offer to lend a hand rather than expect someone else to volunteer their time to make your life easier.

The beauty of open source software is that if you see a problem and you either know how to fix it or you know someone who knows how to fix it, you can fix the issue even if it otherwise would not get fixed. With closed source software, you would be at the mercy of whatever company is writing the software, most people cannot program and therefore don't care, but they should still care since they could ask someone else they know to fix their issue without waiting for the company. The same applies to security software, open source code may not help the non-programmers in ways they can see directly, but they still benefit from people who can program being able to verify the integrity of the code on their behalf.

To the writer of the Arduino library for SI47XX radio chips, your library is great and has given me the resources I need to write my own library that matches the particular edge-case that I have to contend with. Though, if I needed to use all the features of the SI4731 based module I have been tasked with programming, I would definitely be using your library.

Check out his repository: https://github.com/pu2clr/SI4735

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQTdEHZzdRj88+sPHs2DGTsp04R9UwUCZBUOyQAKCRCDGTsp04R9
U563AP9vxSuidCxTrrefuV605Ewj/+V3YVbKXOBC1jAUU3J+8QEA0cx/hKTSK2nT
sw+FrC7O2wgaaiHqqKCLd4/wW4huEgA=
=x5Wp
-----END PGP SIGNATURE-----

Saturday, July 9, 2022

There is a better way to handle online logins.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

    Recently, there has been a trend towards attempting to increase the security of online login processes on many websites. I say "attempted" because most of the time, the security they are trying to achieve is never reached. I support the effort, but I urge these companies to re-think their methods because there is a better way forward. For customers and users, our responsibility is to show these companies what we want and also to know what we want rather than taking them at their word.

    The "go-to" technique to secure online logins is to use something called "two factor authentication" or "2FA" for short. There are three main "factors" that a machine can use to determine if you are who you say you are: something you know (PIN/Password), something you physically have (phone/card/key-chain), and something you are (face/fingerprint/voice). Of the main factors, something you know and something you have are the easiest for services to implement and are also the most secure factors. The main issue is that not all systems are equally secure or convenient.

    I will outline the "bad way" and then the "good way" and explain why the "good way" is cheaper (for you and the service), faster (less time to sign in), more secure (self explanatory), and more convenient... at the same time.

    First, the "bad way": In this scenario, the user will typically enter their password, then the service will then send a one-time-code via text message, and then the user must enter the one-time-code within a given time window while the code is still considered valid. The security of this model assumes that the user is the only one who has their cellphone and that the user is the only person with their password. This model assumes that when a text message is sent, the user's phone both will get the message to the user in a timely manner, and that the message will go to the correct user... both of which are false, I will explain why this is the case later.

   Now for the "good way": This model starts the same, the user is asked for their password, and then the service will check if the user has something unique to them as it would in the previous example. The difference is in how and what it checks for. So the user can be asked for a physical USB key or for their phone. By far, the USB key is the fastest, safest, most secure, and most convenient option, but since almost everyone has a phone, the phone is the default option. In this example, the service has shared a code with the user, this code is usually a QR code the user scans into an app like Google Authenticator, FreeOTP, or andOTP, and the app will generate a one-time-code for the user to present whenever the user desires a code. This model does not require the user to have a phone number or internet connection, all they need is a code generated on-demand by a simple app on their phone. Alternatively, the user may have a USB key that will simply blink when the service requests the user to sign-in, the user merely touches the sensor on the key and the process happens in a split-second. This model is much harder to attack since the one-time-codes are generated directly on the user's phone while the "bad way" has to send a code to the user and hope that it gets to them.

    Many people assume their text messages are safe and can therefore be used for authentication, but that is absolutely false. There are several high-profile cases where someone famous has had account breaches because they were using the "bad way" to do two factor authentication. One such person is Jack Dorsey, the (at the time) CEO of Twitter. His account was breached because a scammer was able to divert his text messages to their phone, and thus not only take his account but also prevent him from noticing because he never got the authentication message. Typically, this attack is done via the "SIM Swap" method, the easiest and most effective way to to ask the underpaid worker at a cellphone kiosk to change your SIM card because you lost or damaged your old phone and SIM card. Some employees of these establishments are going to do their due-diligence and check your ID, but some are overworked, underpaid, and just want to get things done so they can go on break... hence they may take shortcuts or cut corners which... well... ask Mr. Dorsey how that went for him. This is also ignoring all the technical attacks that could be used to steal a text message mid-flight using technological means, while these attacks are possible, it's easier to understand how someone can just waltz into a cellphone store and get your phone number assigned to their phone than it would be to explain how an attacker would nab said message mid-flight using more technical means.

    The "good way" relies only on your hardware, you devices that you bought, you control, and you trust. The best method is the USB key because it has been designed to use robust mathematics to protect you from both an attempt to clone your key and also from phishing links since the website's address is used as part of the process.

    If you are a company that is using text message based authentication to reduce your liability, please use the "good way", ask your team to build in support for two standards: TOTP (that is the phone apps like Google Authenticator), and U2F (that is the USB key). There is a strong likelihood that your team understands what those terms are and how to put them into your service so that the user experience will be seamless. I understand that some stubborn users will insist on using their phone number, but every user that takes the option of using an authenticator app or a USB key is going to save you sending costly text messages and is going to have fewer issues which means less time that your support staff has to spend aiding them in setting up their account.

    If you are a user, the same thing as a company applies. Urge you chosen service to use or at least allow the use of the authenticator phone apps (technically called TOTP apps) and/or the use of a USB key (these leverage a standard called U2F or Universal Second Factor). The only reason that a company would insist on using a phone number is either because they do not understand just how low the security is, or they do know that there are better options but they prefer to use the phone number to invade your privacy... more users requesting or insisting on the use of anything other than a text message means more pressure to change which means a more secure internet for all of us.

If the PGP signature lines are something you have not seen before, then check out my post on the subject.

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQTdEHZzdRj88+sPHs2DGTsp04R9UwUCYskuCQAKCRCDGTsp04R9
U7fFAP93NsVKpqr7ujVhM4Ab4gu6pmaHZbKh6lRzBMXm1DmbUAEAhj2v90vAucfc
E0bpw14riSHbKWQiUEDxFMNd1VsvxAE=
=bT/g
-----END PGP SIGNATURE-----


How do you start? Start by downloading the free authenticator app. All of them use the same standards as Google Authenticator and Microsoft authenticator, so they all work on the same websites, here are some links:

Apple iOS users: FreeOTP from the Apple App Store.

Android users: Both andOTP and FreeOTP are good options, pick whichever you like better as they both work the same.

The reason I recommend using FreeOTP and andOTP is that they are easier to backup and are more transparent so you do not need to trust the developers to know that they are safe.


If you really want the best security, fastest logins, and worry-free usage, then I suggest a good USB key.

Yubico has a few models that are fairly good, Yubikey 5 NFC and a cheaper model are good options. They also have a quick quiz that will suggest a good model for your needs.

Solokey is another player to watch as their new key is very promising and user-friendly, once they begin selling to retail customers that is.

Sunday, July 3, 2022

Modern photography



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Here are some photos I took of the recent fireworks display for Canada Day (July 1, the official birthday of Canada). I have made images available for purchase from DepositPhotos, but I also negotiate individually if you want to buy them directly. I enjoyed the fireworks, and because I had my camera set up before the show, I was able to watch the show with my own eyes and trigger the camera when I thought something cool was about to go off. My camera sees slightly different things than I do, and this is how it can be used to reveal things that the eye cannot see. These long exposures show multiple explosions all as one single image.
 
If the PGP signature lines are something you have not seen before, please refer to my post about using PGP. 
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQTdEHZzdRj88+sPHs2DGTsp04R9UwUCYse/ugAKCRCDGTsp04R9
UxjrAP9QL4ztKqFInhfx3dgnD9X/JqaGc1PimR5fAjr+pF98DgEAsE5x/WQfjIX2
EDcAlfcKuqXGLsNrbjF2IolDesC8PwM=
=Ul07
-----END PGP SIGNATURE-----

Thursday, June 2, 2022

Noting to hide means you have nothing to fear?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

"I have nothing to hide so I have nothing to fear." is something often said by those ignorant of how the world works when topics like encryption or mass surveillance come up. This statement bothers me on a deep level because of how incorrect it is, how dangerous it is to everyone including themselves, and how often people believe it when they hear it. It's dead wrong, allow me to explain why. For this I will over simplify slightly.

I've been using a system called OpenPGP for email and file encryption and signing to ensure confidentiality and integrity of my communications. The system works about as well as can be expected considering all the functions that it handles and all the difficulties of making it work across any medium. The main issue with my system is that if I am the only one in the group who uses OpenPGP, then it's as if I am not using it at all. I understand that not everyone cares about their security enough to do anything about it... but I feel it is time we collectively move on from the lazy state we are in and start to take responsibility for our own security.

First issue with this idea is that you do actually have things that you want to keep private... even if you do not realize it. Would you want everyone, or even just any one person to personally rifle through your entire history? Every page you have visited, every click/tap you made, every single word you wrote to anyone (including the embarrassing rant you wrote and deleted that you do not agree with anymore), and the entire contents of every device you own? Most people would cringe at the idea since we all have data we would rather not become public record... and yet, this is almost what happens to your data every day.

You may agree with your government today, you may think that anyone who wants to keep data secret is "hiding something"... as if privacy itself were a crime. I do not agree however. In order to have freedom, you must first have privacy, you must be free to be yourself in private without being on display for anyone. Or would you prefer to live in a house made entirely of glass (including bathrooms and bedrooms)? You also have to remember that governments (especially democratically elected ones) tend to change politics quite frequently... next election you may not be so eager to hand over all your personal data to them.

 Your data is valuable, using just the data on a single device a person owns, I could piece together the vast majority of any person's life... with scary precision. I am one, single, individual man, I have only good intentions, and I do not have the funding of a large company or government... If I can track down someone based on a few files, imagine how much more effective someone that has government resources can do...

If someone is able to observe all your internet traffic, emails, messages, social media private messages, etc. then they can build a really accurate picture of who you are and anything else they want to know about you... including who you *ahem* had relations with last night.

You do have something to hide. You may not think you care if a faceless government is passively harvesting your data... but that is only because you do not know precisely how personal that data really is. You should not feel bad about having things you want kept private... we all have things we prefer to keep confidential, this is part of why we have things like doctor-patient confidentiality, or doors on bathrooms and bedrooms. Even if by "nothing to hide" you mean that you are not in violation of the law, well, you are in violation of at least one law today... there are so many laws that you don't know about that you have violated several without realizing it... several times per day. And even if you somehow managed to memorize the entirety of your nation's law and managed to never violate any of them... you still have things to fear. Data about you is often used by criminals to steal your identity, or blackmail you. And what a government might do, whether by mistake or by choice is even more damaging than anything a cyber crook can dream up.

I do not wish to stir your fears. I merely grow tired of the statement "I have nothing to hide so I have nothing to fear" because it's false on both the "I have nothing to hide..." part and the "...so I have nothing to fear" because you do have things to fear even if you had "nothing to hide" and you do have things to hide just like every other human on this planet. When you hear this statement, it is usually someone who is either very ignorant of what really happens in the real world and in cyberspace, or this person is super lazy and prefers to bury their head in the proverbial sand rather than take the tiny amount of time and effort to become more private. I hear this statement all the time from people when the topic of why I am using OpenPGP comes up. A scary number of people do not realize how much of their life is available to anyone to snoop through... even if they are not Google or Amazon... and then they assume that anyone using encryption must be "hiding something". I would like to remind them that literally every good website these days uses encryption that is remarkably similar to OpenPGP in order to secure the channel between them and the website.
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQTdEHZzdRj88+sPHs2DGTsp04R9UwUCY9YEFQAKCRCDGTsp04R9
U+9sAP9hrrq+CNH2pHW+c+gqeAgpMJ6KDe4G0AU/dEGWaFRJIwD9Ff9TMv1ZhQnw
CvR/nHM/i2XNxS7TtRgUd+EsGi8qQQw=
=5WFZ
-----END PGP SIGNATURE-----


Saturday, February 5, 2022

OpenPGP Keysigning

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

 I'm sure some people still use OpenPGP since it is one of the few good ways to encrypt emails and also handles file encryption and signing.

If anyone in the Edmonton, Alberta area in Canada wishes to exchange keys, I am willing to meet up with you.

One thing the recent events should have taught us is that since the health agencies in my area have started mass surveillance via tools like tracking cell phones, privacy should be protected by math and not by laws of man. Hence anyone that happens to be near this area and wants to have their key signed by me should reach out and we if there is interest we may all have to meet up to exchange said keys. Another thing we should do is discuss how to make this process easier and more foolproof for the layman. OpenPGP is one of many things that gains more usefulness as the number of people using it increases.


OpenPGP should be replaced with something better but as of writing this I am unaware of anything that can fully replace OpenPGP, even S/MIME which is supposed to be easier and more robust due to it's resemblance to HTTPS which everyone knows how to use is - in my opinion - much more difficult to use than OpenPGP and also costs around $20 USD per year while OpenPGP is totally free to use thanks to projects like Gnu Privacy Guard (GnuPG or GPG for short). For the foreseeable future, OpenPGP is here to stay and I wish to get more people using it. Frankly, if I can teach my grandmother - who is not a very technically minded person - to use OpenPGP then it should be possible to teach to almost anyone close to my age bracket.

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQTdEHZzdRj88+sPHs2DGTsp04R9UwUCYsku5AAKCRCDGTsp04R9
Ux58AQDDtN4dYi/7DNnnci585WDFabdU6g0Dgi5TgtIUcx41/gEAvPw4tdcSX7Xz
jvt1BzsMHB347/INmOCRhYTke06bUgI=
=6iBL
-----END PGP SIGNATURE-----

Wednesday, January 19, 2022

A partial solution to email scams.

Email is not secure... I have written on this before. Many will falsely believe that Email is secure enough to use it to sign up to services with and that emails come from who they claim to have come from. This is a false sense of security that leads to a vast array of issues which less-than-honest actors will take advantage of.

First and simplest solution to this issue is to assume that Email is insecure and easily "spoofed". What I mean by this is that spoofing is a technique that - among other thing - is used to trivially alter the appearance of the message. In this way, a scammer can pretend to come from a different address by "spoofing" the email header to appear like the message is coming from someone else. Email was never designed to be secure, it simply was not intended to be used for security when it was invented. As such one must always assume that Emails can be trivially altered and faked with minimal effort. Once this assumption is made then one will be harder to scam since the usual scams will become obvious once the false assumption of security is no longer in effect.

Second and more secure option is to use a very old and very strong technology to protect email the same way we protect websites. HTTPS (the lock in the corner of the browser's window) uses something called strong cryptography to mathematically scramble the webpage and all traffic so that only you and the website can understand it. The technology works very effectively, and in the case of websites is totally transparent to the user so that the user does not need to understand anything about cryptography to make this work. Something similar exists for email. There are two competing standards for securing email communications, they are called S/MIME and OpenPGP. While S/MIME has one advantage over OpenPGP, it has many disadvantages that make OpenPGP far more suited to fill this roll.

What OpenPGP does is it outlines a common "language" of sorts that several different programs can understand and utilize. OpenPGP relies on the concept of keys. To protect data and/or identities there must be something that you know or that you have that no other person has access to. This is called the "key". When an OpenPGP compatible program generates a key it takes some random numbers and runs them through some fancy math equations that create a set of two large numbers. One of these numbers is the "public key" and the other is the "private key". How this works is people publish and share the public key which is mathematically linked to the private key which they keep secret. Sending a message works by encrypting some data with someone's public key, because the keys are linked only the private key can decrypt the data and no one can reverse to process to figure out the private key... at least not in any kind of meaningful timescale (less than ten thousand years).

This sounds complex but the programs do all the heavy lifting for you. All you do is create a key, this key is stored as a file and is called the "master key". The master key can then be linked to "subkeys" that can be changed at a later data if desired. The primary uses of the master key and any subkeys are:

  1. Encryption - the ability to scramble and unscramble data for privacy
  2. Signing - to say that a chunk of data like a file or message was sent by you and is unaltered since you sent it
  3. Authentication - yes they can replace passwords with a digital key, this is rarely used but is still kind of cool

Typically, a good way to generate a key is to generate a master key, and then generate two subkeys, one subkey can sign data while the other one encrypts data.

The master key has a fingerprint which is basically a mathematical function that takes the data of the key and converts it into a short and human-readable series of digits that allow a person to tell if a key is really from the person that has their name on the key. Here are the fingerprints for my two keys:

  1. 167E 19AC B8E5 38F3 2FD2  2766 81C9 678A 0987 8230
  2. 1F32 5206 DE34 CFCF 0022  D045 48A7 3B8C 8920 7930

Typically, the fingerprints are written with spaces so that humans can look at them in chunks and verify them that way. The fingerprints are very secure, and it's practically impossible to fake a fingerprint. The use of the fingerprint is if you get a key with my name on it, you would check that its fingerprint is the same as one of the two above.

Due to the laws of mathematics, I do not need to defend my identity if people ask for signatures from my keys. The reason is there is no known way to fake a signature from OpenPGP and the keys are considered to be so strong as to be resistant even against attackers with the resources of nation-states... and if a nation-state is after you, cryptography cannot help you since they can just seize your phone and computer.

I sign all my email messages with my key, and unless someone steals my key and coerces the password that protects the key file... yeah they're not going to be able to fake my signature.

An OpenPGP signature is millions of times harder to forge than a physical - pen on paper - signature, and it's far easier to verify an OpenPGP signature than a physical one because the programs do not require a hand-writing expert in order to operate... just a computer manufactured sometime in the last 30 years. This is becasue a regular signature is based on the assumption that no other human has the muscle memory that you have to produce the pen-on-paper movements that make up the signature. This is only valid if the signature is done before a trusted witness who has seen your signature and if no one else is able to practice and reproduce a convincing set of pen movements... a tall ask these days.

An OpenPGP signature works by turning the data to be signed into a mathematical hash. So for a document like a file, the file's content is processed into that hash, any alterations to even a single character will completely change the hash and to generate a hash that matches the original is something that simply cannot be done with any known or even theoretical technology. This hash is the document, or at least a fingerprint of the document. The hash is then encrypted with your private key so that it can be decrypted with your public key. This means that when someone checks the signature, their computer will decrypt the hash with the public key and thus it will know that the only way that hash could have been made is with your private key... which only you have. It then will hash the file, raw text, email message, or anything else that was signed and if the hashes match then the signature proves that you signed that file/data/message/etc. and that the contents were not in any way altered since you signed them.

Again this does sound complex, but all modern cryptography which you rely on does something like this. Your credit and debit cards do the same math to secure your money, your web browser does the same thing to check of the web page is actually from the proper person and to keep it hidden in transit for your privacy. The difference is that OpenPGP keys are not issued by some central authority which can be hacked or legally compelled to disclose their keys... including yours... without your knowledge. People like authorities to tell them who and what to trust, but that system is open to abuse and failures take down all of their customers. OpenPGP keys are generated on hardware you own (your personal devices), they are much harder to mass compromise since each key is stored by an individual user and no one else. A traditional "certificate" like for S/MIME is stored both on your machines and on the machines of the certificate issuing authority... that is two points of failure while OpenPGP only has one point of failure.

OpenPGP is based on a web of trust" which closely mimics how we humans interact. You know people which you use to validate an unknown person. The way we do this is by asking our circles of friends if they know about this new person, they will tell you if they know of them and what they think of them. OpenPGP works is a similar manner, only it uses mathematics and nothing else. The way it works is your OpenPGP program will check a new key for signatures, these signatures are made by people that have signed the key as a statement of "I <person> have met and confirmed that this person is who they claim to be". Your program checks its database for keys that you have marked as "trusted" such as the keys that your friends and family have given you. It then checks if any of your "trusted" keys have signed the new key and will tell you which of them match. So if you know me somehow and you trusted me enough to mark my key as "trusted", and you met someone like one of my friends. Your computer would alert you that their key was signed by me and therefore is likely to be trustworthy. This is handy because you may not be able to ask me if this person truly is someone I know becasue maybe there are time constraints or perhaps it's a person I do not remember anymore.

OpenPGP is not as hard as it appears to be. But most tutorials show a very hard way to use it and manage the keys. I am trying different ways to manage my keys and will soon release a tutorial that shows a reasonably easy way to use them. The reason I claim that my way is relatively easy is I have gotten my grandma using OpenPGP despite her relative lack of computer related experience. I figure that if I can teach this to a senior citizen, then I can teach this to anyone who cares about their privacy. This would be a video tutorial with a text blog post to back it up though.


Here are some examples of a signed PGP message that anyone can verify came from me. The first one is signed with an RSA key, the second one is signed by my Ed25519 key. The difference is which branch of math they use to operate. Ed25519 is something called elliptical curve cryptography, boasting faster performance and smaller keys for the same security as compared to the older RSA algorithm... RSA's advantage is that more programs understand it. Given the size difference is minimal for something like an email, I use RSA because more programs can verify it, but for certain devices such as networking equipment there is a significant interest in the Ed25519 method.

This one is signed using my RSA key, notice how the signature is larger than the one below it which is signed with my Ed25519 key.

Key fingerprint:  167E 19AC B8E5 38F3 2FD2  2766 81C9 678A 0987 8230

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This is an example of text that is signed using OpenPGP.
The way this works is that PGP supports a "clear text signature"
which is composed of the raw text I typed along with a digital signature.
I have typed this and pressed the enter key to keep the lines from being
inconveniently long for the purpose of blog readability but that is not
really necessary most of the time.

Below this is the signature which looks like random characters.
Digital signatures are just long numbers, so those numbers are written
by using letters and other characters instead of the raw binary data.
Something similar happens to email attachments due to the way email works
which is why your email attachments get 30% larger in an email than they are
when stored on you machine.

Also note that this typo: "tpyo" cannot be corrected without making the signature
no longer match. This is handy because if even a single letter is altered, even invisibly,
the signature will detect it and the message will be shown to be no longer the exact
thing that I typed.

Whatever text you sign cannot be altered by anyone without the signature detecting a
mismatch. And since only you have the private part of the key, only you can update the
signature after a typo correction by creating a new signature for the new text.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEv2bZCEdTpZFfQZcqP0TIvZ+kF+kFAmHohNEACgkQP0TIvZ+k
F+nFzhAAvAZ2s2nMJse36et4uCw/kDjmRpBu92D+DEnsWNT9FmP/S0jgFfeidtK1
4LRX4u+cH+mueqPQk/+QkE9SW6FXvMBphtN3VH4uW1uR8GyNXUEGHOBdFMBzwD23
QlBnmj2XsMpoCAfBZAkML16vI/wgtArGgfLh58cLb1VLB2P4cpt340Q+3jWnty0j
AB6yZgvS/zli+9Aiac68ODDhRBG7f64otsh9FK2yiVWGQJIrKS+5VukeU0dVyc/R
y4eDl42vjALS70YnzVgxYtC0MEO3FsgxGdb1EiEYnSJt9eiWnmN0B8Z71HV1JeB5
vZpoGQPgJldUKSveuBgZJk5jDUuH17EOqMvimAnIJIH4We1QPBVdW4jRfSXpRW+7
1iJx2yGn8n0s2Tb23luH5DpUHWaVOt/XU4WYHnCm5jw+iXk8hc0bUkVjTvJpoJQ9
jMbPd9lCGv2VrkadRyCjreRVRHMQCxDu5/Sf6mVHcwyJKl4xjg+84yG/JWgIMzIs
UVBXliDIQ13QwwPSZIOkXOgg9WGJtgWzhbX3OOT393XVMlia0PONIoImvz50zvFx
an7KtXPK20BoJm/Zrh3TEFXnzaMRlf1dTBRe5Vr7lhB8cBsqYZT5vnh9fj60Fyhp
4JNXIF6UZw1BLA+vJp558VuwsjAwDH9RH8so62162oRzDDwQt2o=
=Vq6E
-----END PGP SIGNATURE-----

This one is signed with my Ed25519 key. The signature is smaller, yet the level of security is actually fairly close to the one made with the RSA key. This is why some cryptography enthusiasts love elliptical curve cryptography. The speed and size benefits cannot be overlooked. For OpenPGP the difference isn't that large compared to an entire email message but for say a web-server's certificate that serves thousands of clients per second... the difference is more noticeable.

Key Fingerprint: 1F32 5206 DE34 CFCF 0022  D045 48A7 3B8C 8920 7930

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This is an example of text that is signed using OpenPGP.
The way this works is that PGP supports a "clear text signature"
which is composed of the raw text I typed along with a digital signature.
I have typed this and pressed the enter key to keep the lines from being
inconveniently long for the purpose of blog readability but that is not
really necessary most of the time.

Below this is the signature which looks like random characters.
Digital signatures are just long numbers, so those numbers are written
by using letters and other characters instead of the raw binary data.
Something similar happens to email attachments due to the way email works
which is why your email attachments get 30% larger in an email than they are
when stored on you machine.

Also note that this typo: "tpyo" cannot be corrected without making the signature
no longer match. This is handy because if even a single letter is altered, even invisibly,
the signature will detect it and the message will be shown to be no longer the exact
thing that I typed.

Whatever text you sign cannot be altered by anyone without the signature detecting a
mismatch. And since only you have the private part of the key, only you can update the
signature after a typo correction by creating a new signature for the new text.
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQTdEHZzdRj88+sPHs2DGTsp04R9UwUCYeiFFgAKCRCDGTsp04R9
U8WvAQDRnuS/wzYG6brzyJivLEBrMg8z+9eiVu+FPD/QI92MHgEA0R/fLblqvB9b
p1khptQJM15dYWh9/OsidXPuIJx1cg0=
=VuVl
-----END PGP SIGNATURE-----

A while ago people would use these signature texts to sign their words on some old forums on the early internet... it still has use today for me. I recently used it to sign an informal survey for one of the classes I am taking. The survey comment might go into a large collection with one comment from every student, and I wanted to be sure that if my words were altered that I could prove that there was an alteration... hence I used OpenPGP to protect my words from alteration.

Thursday, December 30, 2021

LibreOffice PGP key

I had a somewhat difficult time tracking down the LibreOffice OpenPGP signing key. The signing public key is handy for verifying the integrity and authenticity of a download such as an installation or update to the office suite. I am still unsure of which key is the right one since there does not seem to be a note of their key fingerprint on their website that I can see.


So if anyone is looking for their key to check if your download is authentic, then here is what I found.


I searched until I found this forum page: https://ask.libreoffice.org/t/where-is-the-signing-public-gpg-pgp-key-the-libreoffice-webpage/11606

That lead me to this mailing list archive: https://listarchives.libreoffice.org/global/users/2013/msg00712.html

Then the referenced key-server page would not connect securely due to some SSL error so I searched here: https://pgp.mit.edu/

I searched for the referenced keyID... not the full fingerprint because that was not something I could find. Here is the key ID and search result:

The file you can download has the fingerprint:  C2839ECAD9408FBE9531C3E9F434A1EFAFEEAEA3

Which with spaces is: C283 9ECA D940 8FBE 9531  C3E9 F434 A1EF AFEE AEA3

 


If anyone has any confirmation of this fingerprint belonging to the LibreOffice people then please let me know so I can revise this post and show that it can be trusted.

If anyone has a trusted fingerprint and thinks this one is bogus or forged... then DEFINETLY let me know so I can revise this page and show which one is real


However, it did verify a GPG signature of my last download from the LibreOffice website so it's probably a legitimate key.

Saturday, October 16, 2021

Email was never, is never, and can never be secure... OpenPGP can help with some of that.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

 Most people do not think about security or privacy when using email. Email was never designed for security or privacy. From the beginning, email was not secure and was not designed for privacy. OpenPGP will make email more secure, but it cannot encrypt the subject or the metadata (essentially data about data, like who sent the message, and to whom it was sent).

 What OpenPGP does is it can encrypt the message body so that only the intended recipients will be able to read the message. OpenPGP uses public key encryption. This is different from symmetric key based systems in that symmetric encryption relies on the recipients (all of them) having a shared secret that the all know... obviously this means on would have to physically meet all of the recipients to securely share the secret... kind of difficult to do that for people you cannot physically meet with. OpenPGP uses a system more like what is used by your web browser to securely download this post (HTTPS). Asymmetric or public key encryption relies on very complex math that is really, really, really hard to reverse compared to how much effort is needed to calculate the function normally. Essentially you keep a set of numbers, these numbers are kept in a special file so you don't have to remember them. The special numbers are mathematically related so that if I encrypt with the public set of numbers as the key, only your private numbers can be used to decrypt the message and vice versa. In a nutshell, OpenPGP leverages some clever math and programming to scramble data that you wish to protect in a manner than can only be reversed by people who know the secret key used to encrypt the message. This means that if someone wants to read anything protected by OpenPGP without the secret part of the key files, they would need an insane amount of effort to understand the message. This is not effort needed to crack a vault... actually a vault would be about a trillion times less difficult to crack than an OpenPGP key. The amount of work a computer would need to do to reverse engineer your keys would use enough energy to bring the oceans to a boil... Hence the name Open Pretty Good Privacy.

 Using OpenPGP is actually fairly easy. The most difficult part is finding out how to use it... PGP users are not always good at explaining how and why to do things... though there are a few really good tutorials out there. Linux users usually already have an OpenPGP compatible program on their systems, their systems actually use OpenPGP to verify the integrity and source of their updates and installations of programs. OpenPGP can still be used on Mac and Windows based computers as well as most smartphones but it usually is not pre-installed on them like it is on many Linux systems. OpenPGP is not a program that you can install, this can be confusing to some but OpenPGP is the name of the standard that many good programs use. The program I would recommend is the Gnu Privacy Guard or GPG for short. The GPG website has a list of programs for most platforms that are fairly good as well as detailed instruction on how to safely and securely install their program.

 GPG like any other security program is best installed directly from trusted sources such as the repository on Linux systems (like an "App Store" but everything is free) or in the case of GnuPG (GPG) the developer's website is sufficiently trustworthy since the developers are trustworthy. The other thing that makes GPG trustworthy is that the source code is open to be viewed by the public, and there are people who are far smarter than anyone that most people will ever meet who do look at this code and verify that nothing suspicious is happening. OpenPGP also does not have any central key signing authority so there is no company one must pay to become verified, instead it relies on a model known as the web-of-trust which is a little like asking a trusted friend if someone online really is who they claim to be. Basically you may need to know if someone claiming to be someone really is that person and you have not been able to meet in-person to verify their identity... if someone you trust has met this person then they can vouch for this person's identity.

 This is slightly oversimplified and so sounds more complex than it is in practice. Many people may not think they need the security that OpenPGP can provide but another reason to use it is that there are users that genuinely need the security this system can provide and they can use OpenPGP with more success if more people can use OpenPGP. OpenPGP is like a telephone... it works best if you have someone else to converse with. One major example of a legitimate use for OpenPGP would be people communicating with journalists, not all countries are tolerant of journalism and a free press so they may use heavy handed tactics such as dispatching their police forces on perfectly peaceful civilians if they learn of their identities. If everyone or at least a large number of people are using OpenPGP then the one person needing the security it provides for life and death matters can more easily stay safe since they cannot be singled out of the crowd.

 Please consider using OpenPGP, programs exist that can integrate with most email providers and it can also be used for a vast array of privacy and security related tasks. Considering all the functionality OpenPGP provides it really is not that difficult to use. OpenPGP is far more than just email encryption, it also has the ability to function like a digital identity that is decentralized by design and still really secure. OpenPGP can be used to protect sensitive documents and also to and and remove something called ASCII Armour... which is a way to transform any file into a format that uses nothing but letters and numbers for transmission over mediums that cannot handle normal files (email usually does this internally because some email services will corrupt files that are not transformed this way).

 Given how long OpenPGP has been available, I am somewhat disappointed that most people have never heard of it. Even if you have not heard of OpenPGP until today, you can be sure that it was one of the technical inventions that make the modern world possible since it was one of the foundations that allowed us civilians to use strong encryption that we take for granted such as the HTTPS standard that most websites support, and is a necessity for things like online banking. Encryption is not just for the so called "bad guys" but instead is the best tool (and often only tool) to protect the general public from said "bad guys". With strong cryptography, even the full power of an enemy nation-state cannot break even the keys of the average civilian in any reasonable time frame (reasonable being in less than 100 000 years running the attack on a large super computer).
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQTdEHZzdRj88+sPHs2DGTsp04R9UwUCY9YGbwAKCRCDGTsp04R9
Uy2CAP9pysEVL/MxQmeXK13chEATu7UVQ+vtNbJb6SR2SPJSqwD/YEOkT+J1TA55
7dQ3rx/RoFc4I3+JuGjk3usiyGoNsA4=
=/OW1
-----END PGP SIGNATURE-----

Monday, August 30, 2021

Dell XPS 7590 review after one year of usage.

Last summer I bought a new laptop because my ASUS K501UX was literally falling apart. This new laptop was the Dell XPS 7590. Good but has some room for improvement. I flashed the SSD to an external image file on an external drive so that I would be able to flash the machine back to factory defaults if I ever needed to. This is my personal standard practice when getting a new laptop. I am happy with the machine and while it is not the very best of machines it was the best decision I could have made at the time given the constraints I had to work with. I hope someone at Dell sees this and will consider some of my suggestions.


I installed Linux Mint 20 on the machine immediately after confirming it all worked and that I would not be sending it back for any defective parts related reasons. It actually ran Linux mostly fine but the graphics chip just would not shut down and was burning through a battery in less than two hours that normally lasts for eleven hours. Oddly enough I solved this power draw issue when I installed the Nvidia drivers and set the GPU to maximum performance... not sure why. The best battery life I get is when the laptop has the graphics driver set to "ondemand" mode and for some reason the GPU starts drawing its full power whenever constantly whenever the "powersave" mode is selected that should in theory power off the Nvidia GPU and only use the Intel one.


Compatibility is good. It runs Linux almost the way I want and this unit has been a far better experience than my ASUS K501UX has ever been... though it did cost a lot more to buy so that might have something to do with that. However, the number of USB ports could be improved because I only have three ports total if I include the USB type C port. I would have liked to see a second USB A port or USB C port on the right hand side of the machine where the battery meter is located (love that meter though, quite handy).


I have a few issues I want to see on future models moving forward if they're not already in current XPS models.

  1. The display while not bad for color once calibrated should - ideally -  not have a strong green tint to it. Displaycal was not happy with me about that... but it does look alright once calibrated.
  2. The display in the base model is really slow for a modern laptop. Fine for office work or photography but anything with significant motion is going to show slight streaks on the display even at the relatively slow but standard 60hz refresh rate. Please make the display pixels a little faster because even at 60hz the mouse makes trails rather than discrete images of the pointer.
  3. Cleaner audio circuitry would have been nice to have, the included headphone jack is not bad and not exactly to be taken for granted these days but I would like to not be able to hear a hissing in the background when a quiet but not silent sound is playing (the amp cuts out during silence to mask its hissing, clever but I can hear it cut in and out a little too much)
  4. Ports. We need ports. USB A is not yet dead which is why I got the last model with both USB C and USB A (both the rounded and square USB ports for the less tech savy). Please add another USB port either type A or type C for a total of four ports because that makes things so much easier when trying to keep a mouse dongle plugged in.
  5. CPU. The Intel CPU was king in laptops for a while but now they have fallen behind AMD for power usage and performance. If at all possible please make a model with either an AMD or ARM CPU even if that means scrapping the Nvidia graphics for those models.
  6. Graphics. The GPU from Nvidia is not slow and performs well in my limited use case but there is a huge amount of lag on the screen. This is not present when something is running on the Intel graphics. Please either wire the GPU to either the HDMI or to the USB C DisplayPort Alt mode or use a MUX chip (allows both GPUs to talk to all displays and switches them for you) so the GPU can draw directly to the screen and there will be no noticeable lag.
  7. Linux. The 13 inch version has a "developer edition" model that ships with Linux preloaded. Even if price is the same I would love to see officially supported Linux preloaded on the 15 inch version preferably with some basic optimizations for the graphics and battery life.
  8. Keyboard. It's not bad but I would prefer more key travel and some slight tweaks even at the cost of one more millimetre extra thickness.
  9. Basic ability to tune the fan curves would be nice since I would prefer to have the fans more aggressively ramp up for more performance when plugged in but keep their current and quiet profile when on battery.
  10. If possible I would like some Ethernet port even if its a folding port or something. I rarely use Ethernet when not gaming because the Wifi 6 card is really fast but there are rare times where Ethernet makes my life so much easier but if I forget my dongle then I cannot use Ethernet... Even a low quality connector for Ethernet would suffice for me for the once a month I need Ethernet.

Overall this machine is not bad even though it does not have a Linux preloaded option. I have not tested on Windows nor do I intend to run Windows on it ever again. My next machine will likely be a gaming machine though for their superior cooling systems that allow the CPU to run faster for longer and also for their usually slightly better keyboards with more travel due in part to the thicker case they have to make room for airflow. I may buy another Dell in the future because I like to support them releasing a service manual and selling parts like the battery. The ability to repair a device even in theory makes the device feel like it's yours rather than a leased unit the belongs to someone else. I like that it can charge on USB C PD power adapters so I can leave the full power charger at home and save on weight and space in my bag. Even though it only does 60 watt USB Power Delivery from a non-Dell adapter, just having the option to use a universal power adapter than can replace my phone charger is really handy. Mind you it still uses the old style barrel jack for most of the charging which I really don't mind so long as it has 30 or 60 watt USB Power Delivery compatibility for those times I am unable to lug around the included charger.


I did not mention the webcam because like most laptops it is unusably bad. I have been on video calls with others using their laptop webcams from all different manufacturers and they are generally low quality thanks in part to their pitiful size optics and sensor along with the generally poor lighting that most people have near their PC... I never use the included webcam in my devices and generally disable them in the BIOS settings so the system and programs are not even aware there is a webcam. I plan to remove the wires powering the webcam if I ever find out where they are in the machine at some point.I recommend using your phone camera instead of a webcam since everyone has a phone these days and their cameras have smarter computer algorithms and better optics behind them than a laptop webcam. Personally I use a Nikon Z5 mirrorless camera with its massive full frame sized sensor (FX format in Nikon land means full frame). Because the sensor is the size of a 35mm film exposure and the lenses were made to specs that professional photographers can use, my camera will decimate any and all webcams in any and all lighting. However I do not recommend people drop a few grand on photography gear just to do a video call... even if everyone notices how much clearer and cleaner my video feed is compared to their phone's "selfie" camera or their laptop webcam. The rear camera on a modern phone is good enough for most video conferences and doesn't cost you anything extra to use since you already bought the cell phone for other reasons. I use the large camera so I can get away with dimmer lights that I find more comfortable and also because I already bought the camera because I got interested in photography so for me the cost to use the camera was essentially zero.


I would have preferred Dell add a second NVMe slot for a second SSD so I could maybe keep a copy of Windows on a small SSD and keep Linux on the main SSD or keep a Windows virtual machine on the second SSD and Linux of the main SSD or even just use the second SSD as a media and bulk storage slot with a cheap SSD to keep my main (and expensive) SSD free from my media library thus allowing more write cycles on the main SSD before failure. SSD drives last a long time but each cell wears out a little each time it get written to, most SSDs have a ton of cells due to being hundreds of gigabytes to a few terabytes in size and also have smart wear leveling programming that extends their lifespan by spreading out all the wear so no one area fails before the entire drive is pooched. Empty SSDs can spread wear out easier and thus will be able to write data faster than a full drive and will also survive more data being written before they wear out... it also allows me to keep my media and games on one drive and just move that from laptop to laptop without having to actually copy anything over... even with my network where files are stored on a local NAS and not on "the cloud" this is a significant time savings because most of my network is standard gigabit speeds... or Wi-Fi which is even slower than normal Ethernet, but most people store their files on "the cloud" which is really just a fancy way to say their data is stored on some server farm somewhere in the world and would have to be downloaded at the painfully slow speeds most people call residential internet. A local NAS is faster than the traditional cloud but even it is far slower than the time it takes me to transfer the data that could be stored on a large secondary SSD by physically moving the SSD into the new machine.


Dell was not my first choice but they were an okay choice. Lets hope they improve their line up in the future. The XPS is good but not as great as I would have wanted for the price I paid... though its not like there were any better options for me at the time... at least in the under $4000 CAD price bracket. I prefer not to spend four grand on a laptop if I can avoid doing so. I would rather save that money for something more meaningful like a camping trip with friends or something.

Latest Post

Steam on Linux Mint Cinnamon

Most viewed