Saturday, July 9, 2022

There is a better way to handle online logins.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

    Recently, there has been a trend towards attempting to increase the security of online login processes on many websites. I say "attempted" because most of the time, the security they are trying to achieve is never reached. I support the effort, but I urge these companies to re-think their methods because there is a better way forward. For customers and users, our responsibility is to show these companies what we want and also to know what we want rather than taking them at their word.

    The "go-to" technique to secure online logins is to use something called "two factor authentication" or "2FA" for short. There are three main "factors" that a machine can use to determine if you are who you say you are: something you know (PIN/Password), something you physically have (phone/card/key-chain), and something you are (face/fingerprint/voice). Of the main factors, something you know and something you have are the easiest for services to implement and are also the most secure factors. The main issue is that not all systems are equally secure or convenient.

    I will outline the "bad way" and then the "good way" and explain why the "good way" is cheaper (for you and the service), faster (less time to sign in), more secure (self explanatory), and more convenient... at the same time.

    First, the "bad way": In this scenario, the user will typically enter their password, then the service will then send a one-time-code via text message, and then the user must enter the one-time-code within a given time window while the code is still considered valid. The security of this model assumes that the user is the only one who has their cellphone and that the user is the only person with their password. This model assumes that when a text message is sent, the user's phone both will get the message to the user in a timely manner, and that the message will go to the correct user... both of which are false, I will explain why this is the case later.

   Now for the "good way": This model starts the same, the user is asked for their password, and then the service will check if the user has something unique to them as it would in the previous example. The difference is in how and what it checks for. So the user can be asked for a physical USB key or for their phone. By far, the USB key is the fastest, safest, most secure, and most convenient option, but since almost everyone has a phone, the phone is the default option. In this example, the service has shared a code with the user, this code is usually a QR code the user scans into an app like Google Authenticator, FreeOTP, or andOTP, and the app will generate a one-time-code for the user to present whenever the user desires a code. This model does not require the user to have a phone number or internet connection, all they need is a code generated on-demand by a simple app on their phone. Alternatively, the user may have a USB key that will simply blink when the service requests the user to sign-in, the user merely touches the sensor on the key and the process happens in a split-second. This model is much harder to attack since the one-time-codes are generated directly on the user's phone while the "bad way" has to send a code to the user and hope that it gets to them.

    Many people assume their text messages are safe and can therefore be used for authentication, but that is absolutely false. There are several high-profile cases where someone famous has had account breaches because they were using the "bad way" to do two factor authentication. One such person is Jack Dorsey, the (at the time) CEO of Twitter. His account was breached because a scammer was able to divert his text messages to their phone, and thus not only take his account but also prevent him from noticing because he never got the authentication message. Typically, this attack is done via the "SIM Swap" method, the easiest and most effective way to to ask the underpaid worker at a cellphone kiosk to change your SIM card because you lost or damaged your old phone and SIM card. Some employees of these establishments are going to do their due-diligence and check your ID, but some are overworked, underpaid, and just want to get things done so they can go on break... hence they may take shortcuts or cut corners which... well... ask Mr. Dorsey how that went for him. This is also ignoring all the technical attacks that could be used to steal a text message mid-flight using technological means, while these attacks are possible, it's easier to understand how someone can just waltz into a cellphone store and get your phone number assigned to their phone than it would be to explain how an attacker would nab said message mid-flight using more technical means.

    The "good way" relies only on your hardware, you devices that you bought, you control, and you trust. The best method is the USB key because it has been designed to use robust mathematics to protect you from both an attempt to clone your key and also from phishing links since the website's address is used as part of the process.

    If you are a company that is using text message based authentication to reduce your liability, please use the "good way", ask your team to build in support for two standards: TOTP (that is the phone apps like Google Authenticator), and U2F (that is the USB key). There is a strong likelihood that your team understands what those terms are and how to put them into your service so that the user experience will be seamless. I understand that some stubborn users will insist on using their phone number, but every user that takes the option of using an authenticator app or a USB key is going to save you sending costly text messages and is going to have fewer issues which means less time that your support staff has to spend aiding them in setting up their account.

    If you are a user, the same thing as a company applies. Urge you chosen service to use or at least allow the use of the authenticator phone apps (technically called TOTP apps) and/or the use of a USB key (these leverage a standard called U2F or Universal Second Factor). The only reason that a company would insist on using a phone number is either because they do not understand just how low the security is, or they do know that there are better options but they prefer to use the phone number to invade your privacy... more users requesting or insisting on the use of anything other than a text message means more pressure to change which means a more secure internet for all of us.

If the PGP signature lines are something you have not seen before, then check out my post on the subject.

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQTdEHZzdRj88+sPHs2DGTsp04R9UwUCYskuCQAKCRCDGTsp04R9
U7fFAP93NsVKpqr7ujVhM4Ab4gu6pmaHZbKh6lRzBMXm1DmbUAEAhj2v90vAucfc
E0bpw14riSHbKWQiUEDxFMNd1VsvxAE=
=bT/g
-----END PGP SIGNATURE-----


How do you start? Start by downloading the free authenticator app. All of them use the same standards as Google Authenticator and Microsoft authenticator, so they all work on the same websites, here are some links:

Apple iOS users: FreeOTP from the Apple App Store.

Android users: Both andOTP and FreeOTP are good options, pick whichever you like better as they both work the same.

The reason I recommend using FreeOTP and andOTP is that they are easier to backup and are more transparent so you do not need to trust the developers to know that they are safe.


If you really want the best security, fastest logins, and worry-free usage, then I suggest a good USB key.

Yubico has a few models that are fairly good, Yubikey 5 NFC and a cheaper model are good options. They also have a quick quiz that will suggest a good model for your needs.

Solokey is another player to watch as their new key is very promising and user-friendly, once they begin selling to retail customers that is.

Sunday, July 3, 2022

Modern photography



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Here are some photos I took of the recent fireworks display for Canada Day (July 1, the official birthday of Canada). I have made images available for purchase from DepositPhotos, but I also negotiate individually if you want to buy them directly. I enjoyed the fireworks, and because I had my camera set up before the show, I was able to watch the show with my own eyes and trigger the camera when I thought something cool was about to go off. My camera sees slightly different things than I do, and this is how it can be used to reveal things that the eye cannot see. These long exposures show multiple explosions all as one single image.
 
If the PGP signature lines are something you have not seen before, please refer to my post about using PGP. 
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQTdEHZzdRj88+sPHs2DGTsp04R9UwUCYse/ugAKCRCDGTsp04R9
UxjrAP9QL4ztKqFInhfx3dgnD9X/JqaGc1PimR5fAjr+pF98DgEAsE5x/WQfjIX2
EDcAlfcKuqXGLsNrbjF2IolDesC8PwM=
=Ul07
-----END PGP SIGNATURE-----

Thursday, June 2, 2022

Noting to hide means you have nothing to fear?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

"I have nothing to hide so I have nothing to fear." is something often said by those ignorant of how the world works when topics like encryption or mass surveillance come up. This statement bothers me on a deep level because of how incorrect it is, how dangerous it is to everyone including themselves, and how often people believe it when they hear it. It's dead wrong, allow me to explain why. For this I will over simplify slightly.

I've been using a system called OpenPGP for email and file encryption and signing to ensure confidentiality and integrity of my communications. The system works about as well as can be expected considering all the functions that it handles and all the difficulties of making it work across any medium. The main issue with my system is that if I am the only one in the group who uses OpenPGP, then it's as if I am not using it at all. I understand that not everyone cares about their security enough to do anything about it... but I feel it is time we collectively move on from the lazy state we are in and start to take responsibility for our own security.

First issue with this idea is that you do actually have things that you want to keep private... even if you do not realize it. Would you want everyone, or even just any one person to personally rifle through your entire history? Every page you have visited, every click/tap you made, every single word you wrote to anyone (including the embarrassing rant you wrote and deleted that you do not agree with anymore), and the entire contents of every device you own? Most people would cringe at the idea since we all have data we would rather not become public record... and yet, this is almost what happens to your data every day.

You may agree with your government today, you may think that anyone who wants to keep data secret is "hiding something"... as if privacy itself were a crime. I do not agree however. In order to have freedom, you must first have privacy, you must be free to be yourself in private without being on display for anyone. Or would you prefer to live in a house made entirely of glass (including bathrooms and bedrooms)? You also have to remember that governments (especially democratically elected ones) tend to change politics quite frequently... next election you may not be so eager to hand over all your personal data to them.

 Your data is valuable, using just the data on a single device a person owns, I could piece together the vast majority of any person's life... with scary precision. I am one, single, individual man, I have only good intentions, and I do not have the funding of a large company or government... If I can track down someone based on a few files, imagine how much more effective someone that has government resources can do...

If someone is able to observe all your internet traffic, emails, messages, social media private messages, etc. then they can build a really accurate picture of who you are and anything else they want to know about you... including who you *ahem* had relations with last night.

You do have something to hide. You may not think you care if a faceless government is passively harvesting your data... but that is only because you do not know precisely how personal that data really is. You should not feel bad about having things you want kept private... we all have things we prefer to keep confidential, this is part of why we have things like doctor-patient confidentiality, or doors on bathrooms and bedrooms. Even if by "nothing to hide" you mean that you are not in violation of the law, well, you are in violation of at least one law today... there are so many laws that you don't know about that you have violated several without realizing it... several times per day. And even if you somehow managed to memorize the entirety of your nation's law and managed to never violate any of them... you still have things to fear. Data about you is often used by criminals to steal your identity, or blackmail you. And what a government might do, whether by mistake or by choice is even more damaging than anything a cyber crook can dream up.

I do not wish to stir your fears. I merely grow tired of the statement "I have nothing to hide so I have nothing to fear" because it's false on both the "I have nothing to hide..." part and the "...so I have nothing to fear" because you do have things to fear even if you had "nothing to hide" and you do have things to hide just like every other human on this planet. When you hear this statement, it is usually someone who is either very ignorant of what really happens in the real world and in cyberspace, or this person is super lazy and prefers to bury their head in the proverbial sand rather than take the tiny amount of time and effort to become more private. I hear this statement all the time from people when the topic of why I am using OpenPGP comes up. A scary number of people do not realize how much of their life is available to anyone to snoop through... even if they are not Google or Amazon... and then they assume that anyone using encryption must be "hiding something". I would like to remind them that literally every good website these days uses encryption that is remarkably similar to OpenPGP in order to secure the channel between them and the website.
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQTdEHZzdRj88+sPHs2DGTsp04R9UwUCY9YEFQAKCRCDGTsp04R9
U+9sAP9hrrq+CNH2pHW+c+gqeAgpMJ6KDe4G0AU/dEGWaFRJIwD9Ff9TMv1ZhQnw
CvR/nHM/i2XNxS7TtRgUd+EsGi8qQQw=
=5WFZ
-----END PGP SIGNATURE-----


Saturday, February 5, 2022

OpenPGP Keysigning

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

 I'm sure some people still use OpenPGP since it is one of the few good ways to encrypt emails and also handles file encryption and signing.

If anyone in the Edmonton, Alberta area in Canada wishes to exchange keys, I am willing to meet up with you.

One thing the recent events should have taught us is that since the health agencies in my area have started mass surveillance via tools like tracking cell phones, privacy should be protected by math and not by laws of man. Hence anyone that happens to be near this area and wants to have their key signed by me should reach out and we if there is interest we may all have to meet up to exchange said keys. Another thing we should do is discuss how to make this process easier and more foolproof for the layman. OpenPGP is one of many things that gains more usefulness as the number of people using it increases.


OpenPGP should be replaced with something better but as of writing this I am unaware of anything that can fully replace OpenPGP, even S/MIME which is supposed to be easier and more robust due to it's resemblance to HTTPS which everyone knows how to use is - in my opinion - much more difficult to use than OpenPGP and also costs around $20 USD per year while OpenPGP is totally free to use thanks to projects like Gnu Privacy Guard (GnuPG or GPG for short). For the foreseeable future, OpenPGP is here to stay and I wish to get more people using it. Frankly, if I can teach my grandmother - who is not a very technically minded person - to use OpenPGP then it should be possible to teach to almost anyone close to my age bracket.

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQTdEHZzdRj88+sPHs2DGTsp04R9UwUCYsku5AAKCRCDGTsp04R9
Ux58AQDDtN4dYi/7DNnnci585WDFabdU6g0Dgi5TgtIUcx41/gEAvPw4tdcSX7Xz
jvt1BzsMHB347/INmOCRhYTke06bUgI=
=6iBL
-----END PGP SIGNATURE-----

Wednesday, January 19, 2022

A partial solution to email scams.

Email is not secure... I have written on this before. Many will falsely believe that Email is secure enough to use it to sign up to services with and that emails come from who they claim to have come from. This is a false sense of security that leads to a vast array of issues which less-than-honest actors will take advantage of.

First and simplest solution to this issue is to assume that Email is insecure and easily "spoofed". What I mean by this is that spoofing is a technique that - among other thing - is used to trivially alter the appearance of the message. In this way, a scammer can pretend to come from a different address by "spoofing" the email header to appear like the message is coming from someone else. Email was never designed to be secure, it simply was not intended to be used for security when it was invented. As such one must always assume that Emails can be trivially altered and faked with minimal effort. Once this assumption is made then one will be harder to scam since the usual scams will become obvious once the false assumption of security is no longer in effect.

Second and more secure option is to use a very old and very strong technology to protect email the same way we protect websites. HTTPS (the lock in the corner of the browser's window) uses something called strong cryptography to mathematically scramble the webpage and all traffic so that only you and the website can understand it. The technology works very effectively, and in the case of websites is totally transparent to the user so that the user does not need to understand anything about cryptography to make this work. Something similar exists for email. There are two competing standards for securing email communications, they are called S/MIME and OpenPGP. While S/MIME has one advantage over OpenPGP, it has many disadvantages that make OpenPGP far more suited to fill this roll.

What OpenPGP does is it outlines a common "language" of sorts that several different programs can understand and utilize. OpenPGP relies on the concept of keys. To protect data and/or identities there must be something that you know or that you have that no other person has access to. This is called the "key". When an OpenPGP compatible program generates a key it takes some random numbers and runs them through some fancy math equations that create a set of two large numbers. One of these numbers is the "public key" and the other is the "private key". How this works is people publish and share the public key which is mathematically linked to the private key which they keep secret. Sending a message works by encrypting some data with someone's public key, because the keys are linked only the private key can decrypt the data and no one can reverse to process to figure out the private key... at least not in any kind of meaningful timescale (less than ten thousand years).

This sounds complex but the programs do all the heavy lifting for you. All you do is create a key, this key is stored as a file and is called the "master key". The master key can then be linked to "subkeys" that can be changed at a later data if desired. The primary uses of the master key and any subkeys are:

  1. Encryption - the ability to scramble and unscramble data for privacy
  2. Signing - to say that a chunk of data like a file or message was sent by you and is unaltered since you sent it
  3. Authentication - yes they can replace passwords with a digital key, this is rarely used but is still kind of cool

Typically, a good way to generate a key is to generate a master key, and then generate two subkeys, one subkey can sign data while the other one encrypts data.

The master key has a fingerprint which is basically a mathematical function that takes the data of the key and converts it into a short and human-readable series of digits that allow a person to tell if a key is really from the person that has their name on the key. Here are the fingerprints for my two keys:

  1. 167E 19AC B8E5 38F3 2FD2  2766 81C9 678A 0987 8230
  2. 1F32 5206 DE34 CFCF 0022  D045 48A7 3B8C 8920 7930

Typically, the fingerprints are written with spaces so that humans can look at them in chunks and verify them that way. The fingerprints are very secure, and it's practically impossible to fake a fingerprint. The use of the fingerprint is if you get a key with my name on it, you would check that its fingerprint is the same as one of the two above.

Due to the laws of mathematics, I do not need to defend my identity if people ask for signatures from my keys. The reason is there is no known way to fake a signature from OpenPGP and the keys are considered to be so strong as to be resistant even against attackers with the resources of nation-states... and if a nation-state is after you, cryptography cannot help you since they can just seize your phone and computer.

I sign all my email messages with my key, and unless someone steals my key and coerces the password that protects the key file... yeah they're not going to be able to fake my signature.

An OpenPGP signature is millions of times harder to forge than a physical - pen on paper - signature, and it's far easier to verify an OpenPGP signature than a physical one because the programs do not require a hand-writing expert in order to operate... just a computer manufactured sometime in the last 30 years. This is becasue a regular signature is based on the assumption that no other human has the muscle memory that you have to produce the pen-on-paper movements that make up the signature. This is only valid if the signature is done before a trusted witness who has seen your signature and if no one else is able to practice and reproduce a convincing set of pen movements... a tall ask these days.

An OpenPGP signature works by turning the data to be signed into a mathematical hash. So for a document like a file, the file's content is processed into that hash, any alterations to even a single character will completely change the hash and to generate a hash that matches the original is something that simply cannot be done with any known or even theoretical technology. This hash is the document, or at least a fingerprint of the document. The hash is then encrypted with your private key so that it can be decrypted with your public key. This means that when someone checks the signature, their computer will decrypt the hash with the public key and thus it will know that the only way that hash could have been made is with your private key... which only you have. It then will hash the file, raw text, email message, or anything else that was signed and if the hashes match then the signature proves that you signed that file/data/message/etc. and that the contents were not in any way altered since you signed them.

Again this does sound complex, but all modern cryptography which you rely on does something like this. Your credit and debit cards do the same math to secure your money, your web browser does the same thing to check of the web page is actually from the proper person and to keep it hidden in transit for your privacy. The difference is that OpenPGP keys are not issued by some central authority which can be hacked or legally compelled to disclose their keys... including yours... without your knowledge. People like authorities to tell them who and what to trust, but that system is open to abuse and failures take down all of their customers. OpenPGP keys are generated on hardware you own (your personal devices), they are much harder to mass compromise since each key is stored by an individual user and no one else. A traditional "certificate" like for S/MIME is stored both on your machines and on the machines of the certificate issuing authority... that is two points of failure while OpenPGP only has one point of failure.

OpenPGP is based on a web of trust" which closely mimics how we humans interact. You know people which you use to validate an unknown person. The way we do this is by asking our circles of friends if they know about this new person, they will tell you if they know of them and what they think of them. OpenPGP works is a similar manner, only it uses mathematics and nothing else. The way it works is your OpenPGP program will check a new key for signatures, these signatures are made by people that have signed the key as a statement of "I <person> have met and confirmed that this person is who they claim to be". Your program checks its database for keys that you have marked as "trusted" such as the keys that your friends and family have given you. It then checks if any of your "trusted" keys have signed the new key and will tell you which of them match. So if you know me somehow and you trusted me enough to mark my key as "trusted", and you met someone like one of my friends. Your computer would alert you that their key was signed by me and therefore is likely to be trustworthy. This is handy because you may not be able to ask me if this person truly is someone I know becasue maybe there are time constraints or perhaps it's a person I do not remember anymore.

OpenPGP is not as hard as it appears to be. But most tutorials show a very hard way to use it and manage the keys. I am trying different ways to manage my keys and will soon release a tutorial that shows a reasonably easy way to use them. The reason I claim that my way is relatively easy is I have gotten my grandma using OpenPGP despite her relative lack of computer related experience. I figure that if I can teach this to a senior citizen, then I can teach this to anyone who cares about their privacy. This would be a video tutorial with a text blog post to back it up though.


Here are some examples of a signed PGP message that anyone can verify came from me. The first one is signed with an RSA key, the second one is signed by my Ed25519 key. The difference is which branch of math they use to operate. Ed25519 is something called elliptical curve cryptography, boasting faster performance and smaller keys for the same security as compared to the older RSA algorithm... RSA's advantage is that more programs understand it. Given the size difference is minimal for something like an email, I use RSA because more programs can verify it, but for certain devices such as networking equipment there is a significant interest in the Ed25519 method.

This one is signed using my RSA key, notice how the signature is larger than the one below it which is signed with my Ed25519 key.

Key fingerprint:  167E 19AC B8E5 38F3 2FD2  2766 81C9 678A 0987 8230

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This is an example of text that is signed using OpenPGP.
The way this works is that PGP supports a "clear text signature"
which is composed of the raw text I typed along with a digital signature.
I have typed this and pressed the enter key to keep the lines from being
inconveniently long for the purpose of blog readability but that is not
really necessary most of the time.

Below this is the signature which looks like random characters.
Digital signatures are just long numbers, so those numbers are written
by using letters and other characters instead of the raw binary data.
Something similar happens to email attachments due to the way email works
which is why your email attachments get 30% larger in an email than they are
when stored on you machine.

Also note that this typo: "tpyo" cannot be corrected without making the signature
no longer match. This is handy because if even a single letter is altered, even invisibly,
the signature will detect it and the message will be shown to be no longer the exact
thing that I typed.

Whatever text you sign cannot be altered by anyone without the signature detecting a
mismatch. And since only you have the private part of the key, only you can update the
signature after a typo correction by creating a new signature for the new text.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEv2bZCEdTpZFfQZcqP0TIvZ+kF+kFAmHohNEACgkQP0TIvZ+k
F+nFzhAAvAZ2s2nMJse36et4uCw/kDjmRpBu92D+DEnsWNT9FmP/S0jgFfeidtK1
4LRX4u+cH+mueqPQk/+QkE9SW6FXvMBphtN3VH4uW1uR8GyNXUEGHOBdFMBzwD23
QlBnmj2XsMpoCAfBZAkML16vI/wgtArGgfLh58cLb1VLB2P4cpt340Q+3jWnty0j
AB6yZgvS/zli+9Aiac68ODDhRBG7f64otsh9FK2yiVWGQJIrKS+5VukeU0dVyc/R
y4eDl42vjALS70YnzVgxYtC0MEO3FsgxGdb1EiEYnSJt9eiWnmN0B8Z71HV1JeB5
vZpoGQPgJldUKSveuBgZJk5jDUuH17EOqMvimAnIJIH4We1QPBVdW4jRfSXpRW+7
1iJx2yGn8n0s2Tb23luH5DpUHWaVOt/XU4WYHnCm5jw+iXk8hc0bUkVjTvJpoJQ9
jMbPd9lCGv2VrkadRyCjreRVRHMQCxDu5/Sf6mVHcwyJKl4xjg+84yG/JWgIMzIs
UVBXliDIQ13QwwPSZIOkXOgg9WGJtgWzhbX3OOT393XVMlia0PONIoImvz50zvFx
an7KtXPK20BoJm/Zrh3TEFXnzaMRlf1dTBRe5Vr7lhB8cBsqYZT5vnh9fj60Fyhp
4JNXIF6UZw1BLA+vJp558VuwsjAwDH9RH8so62162oRzDDwQt2o=
=Vq6E
-----END PGP SIGNATURE-----

This one is signed with my Ed25519 key. The signature is smaller, yet the level of security is actually fairly close to the one made with the RSA key. This is why some cryptography enthusiasts love elliptical curve cryptography. The speed and size benefits cannot be overlooked. For OpenPGP the difference isn't that large compared to an entire email message but for say a web-server's certificate that serves thousands of clients per second... the difference is more noticeable.

Key Fingerprint: 1F32 5206 DE34 CFCF 0022  D045 48A7 3B8C 8920 7930

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This is an example of text that is signed using OpenPGP.
The way this works is that PGP supports a "clear text signature"
which is composed of the raw text I typed along with a digital signature.
I have typed this and pressed the enter key to keep the lines from being
inconveniently long for the purpose of blog readability but that is not
really necessary most of the time.

Below this is the signature which looks like random characters.
Digital signatures are just long numbers, so those numbers are written
by using letters and other characters instead of the raw binary data.
Something similar happens to email attachments due to the way email works
which is why your email attachments get 30% larger in an email than they are
when stored on you machine.

Also note that this typo: "tpyo" cannot be corrected without making the signature
no longer match. This is handy because if even a single letter is altered, even invisibly,
the signature will detect it and the message will be shown to be no longer the exact
thing that I typed.

Whatever text you sign cannot be altered by anyone without the signature detecting a
mismatch. And since only you have the private part of the key, only you can update the
signature after a typo correction by creating a new signature for the new text.
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQTdEHZzdRj88+sPHs2DGTsp04R9UwUCYeiFFgAKCRCDGTsp04R9
U8WvAQDRnuS/wzYG6brzyJivLEBrMg8z+9eiVu+FPD/QI92MHgEA0R/fLblqvB9b
p1khptQJM15dYWh9/OsidXPuIJx1cg0=
=VuVl
-----END PGP SIGNATURE-----

A while ago people would use these signature texts to sign their words on some old forums on the early internet... it still has use today for me. I recently used it to sign an informal survey for one of the classes I am taking. The survey comment might go into a large collection with one comment from every student, and I wanted to be sure that if my words were altered that I could prove that there was an alteration... hence I used OpenPGP to protect my words from alteration.

Latest Post

Steam on Linux Mint Cinnamon

Most viewed