FreeBSD 12.1 + Alpine with GPG

Intro:
I decided to install GPG on FreeBSD with alpine. What does this do? It’s the old days, using pgp to encrypt your email before sending. This is a howto so everyone can start encrypting their emails. Why do it? Back in the 90s when I was sitting in computer science class it was common courtesy and etiquette to always provide people with your PGP key when sending emails. So by not providing people with your PGP key, it’s considered disrespectful among the computer professionals. This is a tribute to my old classmates Isaac Eaglestone and Jason Barlow, I wish I could find them again. Especially Isaac who would bitch me out every other day for not using it 🙂 To be fair it was a headache to get anything working back then with an email client, considering all we had to work with was Slackware Linux back then, so I decided let’s go through FreeBSD, pull our hair out fixing any errors that pop up and let’s get a reliable Alpine + GPG setup going!

Can this stop quantum computers?

By now we all know Shor’s algorithm is set to break all asymmetric encryption. So what we will do is use best encryption we can with GPG using symmetric encryption, GPG supports AES256, so we will use that along with using RSA for compatibility. For all said purposes we will use the strongest that makes sense and stay compatible with other people’s keys as well.

Why use alpine?

If you ssh into systems on a regular basis, it makes no sense to download your email to an insecure device at home. If your using openvpn to download over VPN to a client such as Kmail to your Google Pixel Phone, it should be ok. What makes a phone insecure is trusting to many app developers. FaceBook for instance has been known to go behind people’s backs and upload your contacts to their servers. FaceBook also owns whatsapp. If you want to keep your phone secure, don’t put these on your phone.

FreeBSD Prerequisites: PART 1

Firstly I prefer using alpine with Postfix and Maildir support, since the Maildir patch is not available with standard pkg system. Off to the ports we go:

Let’s install alpine from ports, lock it from package manager updating it, install alpine gpg addon from pkg system, and see what directories it used for installing it.

cd /usr/ports/mail/alpine
make config #(Select Maildir patch)
make
make install
pkg lock alpine
pkg install ez-pine-gpg 
pkg list ez-pine-gpg

(Assuming your using bash for your shell and nano for your editor)
Next we want to get rid of any “pinentry” errors that may come up, the first problem I ran into, the following will solve it next login:

alias pico='nano -w'
pico ~/.bash_profile #(add the following next line,save and exit)
export GPG_TTY=$(tty)

At this point at least run alpine once to get your .pinerc created if its not already, then let’s open .pinerc and REPLACE display-filters and sending-filters with the following:

# This variable takes a list of programs that message text is piped into
# after MIME decoding, prior to display.
display-filters=_BEGINNING("-----BEGIN PGP")_ /usr/local/bin/ez-pine-gpg-incoming

# This defines a program that message text is piped into before MIME
# encoding, prior to sending
sending-filters=/usr/local/bin/ez-pine-gpg-sign-and-encrypt _INCLUDEALLHDRS_ _RECIPIENTS_,
        /usr/local/bin/ez-pine-gpg-encrypt _RECIPIENTS_,
        /usr/local/bin/ez-pine-gpg-symmetric _RECIPIENTS_,
        /usr/local/bin/ez-pine-gpg-sign _INCLUDEALLHDRS_

Alright we are getting closer, now we want to actually create our gpg key if you don’t have one already, now we run into the ssh X11 forwarding headache if you have it enabled when you su to another user, so to make sure we have no issues ssh to localhost as that user without X manually so we don’t get any end of file errors creating our brand new key. This generally happens because when you su to another user, the tty is still owned by user who logged in on tty device and permissions are generally 600 on it. You can get around it by chowning the tty device or using tmux, but honestly why go through the trouble, just ssh as user you want to create the key with:

ssh -x localhost #(disable X forwarding for this user)
gpg --full-generate-key

Enable encrypted swap space if you have newer hardware and your CPU supports AES-NI, here is a quick test:

swapoff -a
kldload -n aesni
swapon -a
dmesg #this should show if CPU supports it or not

If above is supported, put aesni_load=”YES” in /boot/loader.conf and append the “.eli” suffix to all swap devices. Enjoy your encrypted swap space.

Ok now let’s create our gpg.conf file, so we can remove unsecure memory errors if you don’t have secure memory space and set some defaults for encryption. You remembered to run gpg at least once so ~/.gnupg directory got created right? Just type in random crap and hit CTRL-D.

pico ~/.gnupg/gpg.conf #add following to the file, save and exit:
no-secmem-warning
cipher-algo AES256
personal-cipher-preferences AES256 AES192 AES CAST5
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
cert-digest-algo SHA512
s2k-digest-algo SHA512
s2k-cipher-algo AES256
keyid-format 0xlong
with-fingerprint
use-agent
charset utf-8

Now let’s edit our keyserver daemon’s config file, this always goes through tor, so unless you want to be waiting 30 seconds for it to timeout all the time, just install tor! Yes, you could just set option for it not to use tor, but only thing that is going to do is make it start faster, after process forks it will try tor anyways, so trust me save yourself the hours of headache and just install tor so your not always waiting on dirmngr to timeout using tor, unless of course you enjoy sitting there waiting 30+ seconds for a simple command like gpg –search-key <KEYID>. This dirmngr.conf file and daemon is only used when dealing with public internet keyservers.

There is nothing wrong with using Tor, just as long as you aren’t an exit node, if you can run one awesome! Is Tor secure? Absolutely not, NSA pulled 2 people out of DefCon conference when 2 researchers from university found a way to exploit TLS in there, then they have been in talks with source code developers of Tor as well. If that is not enough they are known to run honeypots all over the system. If you want secure, your best to run a VPN, then run that through Tor. Personally I think of having Tor on my system just like enabling IPV6 on it, just another network I can talk to. For our purposes we are going to use it just so dirmngr doesn’t piss us off 🙂 Besides we can just do “service tor stop” anytime we not talking to a keyserver if we like.

pico ~/.gnupg/dirmngr.conf #add following to the file, save and exit:
keyserver hkps://keys.openpgp.org

#now setup Tor if you haven't already
pkg install tor
pico /etc/rc.conf  #add the following, save and exit
tor_enable="YES"

#I am not going through configuring tor in this article, at least go into
#/usr/local/etc/tor and configure torrc and torsocks.conf so port 9050 is #working, just make sure your not running an exit node!

service start tor  #start tor

Now you may be asking why I am using keys.openpgp.org instead of sks key servers. The reason is simple, there is a DOS attack that has been known for decades that still works on all internet key servers. The DOS is quite simple, sign someone’s key 150k+ times and upload it to keyserver effectively destroying their gpg installation once they refresh their keys. The key server I have picked for us today, is only one on internet as of this date that at least attempts to mitigate this attack. So do yourself a favor and use it! As of recent versions of gpg all keyserver lines go in this file now,  not gpg.conf anymore.  As of this date I am using version 2.2.21.

Great now let’s get on with the real stuff, playing with gpg itself. First we want to generate our key. I suggest leaving things at defaults, but you can set RSA key to 4096, there really not much security between 2048, maybe 40 bits, according to gpg website, trade off in performance not really worth it.

I am saying use defaults just to be compatible with other people, in future what we really want to do is just replace RSA with elliptical curve bitcoin uses by selecting secp256k1 in expert mode down the road. (ie: selecting 10 and 9 with next command) Let’s not do that now. We still using AES256, even with quantum computers with 4096 qubits would only knock that down to AES128, by time they have that 1 million qubit computer hopefully the quantum algorithm is out. Pick a good password! With today’s technology they can brute force 2.8 billion tries a day, that is enough to try every lower case character a-z of a 10 character password in one day! Mix it up with upper case, numbers, special characters and use 4 words if you can!

Back in 90s, I used sentences with pgp, then I always forgot what it was cause I wasn’t using it that frequently like a password you would use to login with email or ssh, so keep it to something you can remember!

gpg --full-generate-key --expert #generate our key!

You will notice it put a revocation certificate in: ~/.gnupg/openpgp-revocs.d/
You will need this to revoke your key down the road if you loose it.

Ok at this point go test it, go into alpine, send an email to yourself, hit CTRL-x like usual to send, but before typing “Y” to send, hit CTRL-p instead to scroll through sending filters, select something like sign and encrypt, then hit “Y” to send.

If all goes well, you should get prompted for your password, gpg-agent will then store this password in shared memory for a set amount of time, which you can actually specify for how long in config file, or until server is rebooted or gpg-agent is killed and restarted. You’ll notice in “ps aux” every time you deal with gpg in anyway, that gpg-agent is running.

This is how gpg works. Try thinking gpg as a key-ring management tool. Everytime we use gpg we are mostly just a client talking to that gpg-agent server process running. We can list keys in there, tell it to remember our password in shared memory for X amount of time, sign things, encrypt and de-crypt files and much more. So now just sending email to our self is not very useful.

At this point I want you to add another user to your system, I want you to repeat all these steps and do it for this second user. Send email to itself, and when you got that working and ready to send to each other, let’s continue… Remember when using su – $USER you cannot create a key if he does not have his own tty, make sure to ssh -x $USER@localhost so he get his own tty so you have no issues!

PART 2 – Actually working with GPG (our key manager)

OK if you made it this far, congratulations! The hard part is done! You completed the setup! Give yourself a pat on the back. Only things we are going to do now is play with gpg command itself, that’s about it and learn what cool things we can do with it.

Let’s start off by continuing where we left off, I told you to create another user on system and setup his .gnupg directory. So at this point let’s send our practice emails to that user back and forth.

First Step: Let’s export our public keys for each of these accounts:

cd /tmp
gpg --armor --output user1@example.com.public-key.gpg --export user1@example.com
#now for other user:
cd /tmp
gpg --armor --output user2@example.com.public-key.gpg --export user2@example.com
#I like to keep copies of these in my .gnupg directory so let's do that
#for each user do following:
cd ~/.gnupg
cp /tmp/user1@example.com.public-key.gpg .
cp /tmp/user2@example.com.public-key.gpg .
#now for user1:
gpg --import user2@example.com.public-key.gpg
gpg --sign-key user2@example.com
#now for user2:
gpg --import user1@example.com.public-key.gpg
gpg --sign-key user1@example.com

Ok great, what we did was import the key, then signed the keys for each user because we trust them. Great now jump in alpine on each user and send emails back and forth with the CTRL-p filters. Play with it for a bit, you will notice gpg-agent daemon starts asking you for your password. Pinentry program runs here to ask for it, which is

sunsaturn:~/.gnupg # ls -al /usr/local/bin/pinentry
lrwxr-xr-x 1 root wheel 12 Oct 11  2019 /usr/local/bin/pinentry -> pinentry-tty
sunsaturn:~/.gnupg # 

gpg-agent keeps your password in shared memory approx 2 hours, unless you change that in config file or you restart gpg-agent. You can kill gpg-agent and dirmngr daemons anytime you want with “gpgconf –kill all”. Or the old school reliable way of “ps aux” “kill -9 <pid1> <pid2>”

Wonderful you have done it! But wait we probably want to submit our key for at least ourselves to the internet keyservers! We don’t have to but it would be nice if we could link our email address to a PGP key on internet so people could find us easily.

Ok what we will do is submit our key to SKS keyservers as well as our default openpgp key server. Then we will add our key to our .signature file in alpine so whole world now knows we have a PGP key. We will even put a copy of our public PGP in our .signature file so people can grab it anytime through a website, sound cool? Great let’s do it…

 

gpg --list-keys #let's start by listing the keys and find our 

pub   rsa2048/0xFF6F49977311C386 2020-07-17 [SC]
      Key fingerprint = A1A7 6E84 FB0B 8994 C3B5  A1BA FF6F 4997 7311 C386
uid                   [ultimate] Dan The Man (Dan @ SunSaturn)

For example above here is my key, my <KEYID> is the numbers/letters after the pub rsa2048/0x string. So here my <KEYID> is FF6F49977311C386. The reason we have 0x in front of it is because in our gpg.conf file we have “keyid-format 0xlong”. It’s just to prevent problems really, had I done just “keyid-format long” then it would not have the “0x” in front of it. Also you can see the fingerprint of my public key. So since we are using 0xlong I can use 0xFF6F49977311C386 as my <KEYID> here.

Alright let’s submit our key to keys.openpgp.org, since that is in our dirmngr.conf file as the keyserver that is what we will default to.

gpg --send-key 0xFF6F49977311C386     #use your KEYID!
gpg --search-key 0xFF6F49977311C386   #use your KEYID!

Great if all went well we submitted our key to keys.opengpg.org and then searched it and got it back. Now wouldn’t it be cool to search by our email address instead? Go in your browser now to : https://keys.openpgp.org follow instructions in your email and this site to verify your email address so people can search for your key by your email address. Once you are done that awesome let’s see if it worked:

gpg --search-key user@domain.com #use your email now!
gpg: data source: https://keys.openpgp.org:443
(1) Dan The Man (Dan @ SunSaturn) 
2048 bit RSA key 0xFF6F49977311C386, created: 2020-07-17

Good job, now let’s submit our key to SKS servers as well:

gpg --send-key --keyserver pool.sks-keyservers.net 0xFF6F49977311C386
gpg --search-key 0xFF6F49977311C386 #use your KEYID for both!
gpg --search-key user@domain.com    #use email to if you like

Now you have to realize pool.sks-keyservers.net is a pool of addresses, it may take time for them all to sync, if you ran command “host -t A pool.sks-keyservers.net”, you can see IP address is going to rotate each time, but if you ran those 2 commands above quickly you may have gotten same IP address twice and it successfully searched the key. Don’t worry about this, check back in in 24 hours. One good thing is we don’t have to do any email verification checks to list our key on SKS servers, so we are done. For a list of pools visit : https://sks-keyservers.net/overview-of-pools.php

Almost there, last thing we want to do is tell the world in our .signature file on alpine we are able to use PGP/GPG if people wish to add our public key to their keyring to encrypt emails/files to us. For that we want our public key on our website somewhere, and we want our fingerprint for the file so we can include that for people so they know it was not tampered with.

gpg --armor --output /path/to/website/root/pgp.txt --export user@example.com
gpg --list-keys

In first command above we exported our public key to directory of our website, or just copy pgp.txt to your website on another server if needed. In the second command we looking for “Key fingerprint” line so in my case:

gpg --list-keys
pub rsa2048/0xFF6F49977311C386 2020-07-17 [SC]
Key fingerprint = A1A7 6E84 FB0B 8994 C3B5 A1BA FF6F 4997 7311 C386

My fingerprint is “A1A7 6E84 FB0B 8994 C3B5 A1BA FF6F 4997 7311 C386”. By putting a link to pgp.txt file and giving them this fingerprint in .signature file this gives people 3 ways now they can find us. Through openpgp keyserver, through SKS keyservers, and also our emails. So let’s edit our .signature:

pico ~/.signature #add something as follows:
PGP Key: https://SunSaturn.com/pgp.txt
A1A7 6E84 FB0B 8994 C3B5 A1BA FF6F 4997 7311 C386

For reference here is my .signature with my email address/phone number removed for this blog, obviously put your pgp.txt and fingerprint ID in it’s place 🙂


Dan The Man
CEO & Founder
Websites, Domains and Everything else
PGP Key: https://SunSaturn.com/pgp.txt
A1A7 6E84 FB0B 8994 C3B5 A1BA FF6F 4997 7311 C386

That’s it we are done! Congratulations for doing the entire setup! For now on all you will ever have to do is remember to hit CTRL-p to send with PGP/GPG and your password. I hope to god you can remember your password. Place a file somewhere giving you hints what it is if needed.

Closing Thoughts:

Keep your private key secure. We all know by now intelligence agencies store encrypted data to save at a later date when technology gets better to decrypt. That being said your emails should be fine until they have quantum computers with millions of qubits. If your really paranoid, create an advanced key with elliptic curves from this setup, it just won’t be compatible with most people at this point for anyone running older versions of gpg. For any important files you need to encrypt, always use the best you can. When quantum algorithms come out, unencrypt your files, then encrypt them again with newest standard. If your key ever becomes compromised revoke the keys on both keyservers we submitted to and go through creating new key again. You can also do a shared password between the both of you using one of the sending filters, cool right?

If you have really sensitive information to send someone, both of you agree to access the file over a vpn/ssh connection to download the PGP file. Gives you a double later of protection. Even better yet, ssh over a VPN connection for a third layer 🙂 Someone storing encrypted data would have to break your VPN key, your SSH key and then your PGP key, you’ll most likely be dead by then, should be good 🙂 For advanced users: create a cronjob that switches your vpn key and ssh secret/public keys at regular intervals, ultimate protection. Store your encrypted files in an encrypted filesystem preferably on an SSD with many layers of 4 or more like QLC with trim support, more layers there are, harder it is for forensics teams to grab deleted data, they will give up. Personally I don’t have any sensitive data, but if I did those are avenues I would use. For me I use VPN’s for what they were made for, accessing internal machines on remote servers like I was there.

Encrypt files: (create files with .gpg ending)

#have a friends public key imported? 
#this method you cannot decrypt .gpg file after
#only his secret key can
gpg --encrypt --recipient myfriend@gmail.com myfile.txt
ls -al myfile.txt* #decide what to do with myfile.txt
#even better way, encrypt with yours and your friends secret keys
#this way you can both decrypt myfile.txt.gpg
gpg --encrypt --recipient myemail@domain.com --recipient myfriend@gmail.com myfile.txt
rm -f myfile.txt #send him myfile.txt.gpg
#or share same password between you both
gpg --symmetric myfile.txt
rm -f myfile.txt #send him myfile.txt.gpg

Decrypt file:

gpg -d myfile.txt.gpg > myfile.txt

Enjoy your new setup!

Dan.

Updates 2020- PART 1

Introduction

I think I’m about due for an update as it is SunSaturn’s 15 year anniversary since it was first created. HAPPY BIRTHDAY SUNSATURN! I personally took a lot of time last 5 years soul searching, but in end I’ve decided SunSaturn is way to go. I think SunSaturn will be now taking a new approach in 2020 offering hosting, VPN service as well as a few new services by the end of 2022. I have a lot of catching up to do! World has changed a lot now, 2020 marks the era of 5G networks, artificial intelligence, smart homes, robots, drones, flying cars(300k for one! Time to get pilots license to fly to my brothers place!), virtual reality, star link internet from Elon Musk, and every country in world will soon be implementing their own digital currencies like Bitcoin! Ok that is a very long list, so lets break down each one shall we and see where people should be focusing on for 2021 and 2022!

Quantum computers and new encryption

In previous article I talked a lot about Shor’s Algorithm being able to break all current encryption. So what has been done about it? Only thing they could of course, increased the bits in encryption keys. Will it help? Not if someone builds a 1 million qubit computer like a company is currently promising by 2022 for US Government. They are coming up with a quantum resistant algorithm now, so in mean time best bet is still to use symmetric encryption. Algorithms like AES512 should be fine, backed up with elliptical curve instead of RSA/DSA routines.

What about email? World has now moved to open source project GNUPG, so if you haven’t already, setup gpg for your email client and submit your public key to internet servers. This will be first step in order to do anything for 2021/2022, so I will write a separate article on this alone how I implement it as it is way to in-depth to setup something like that for first time. But rest assured once it is setup, people will finally take you seriously on the internet if you can sign your own emails.It’s important! Plus as an added bonus, GPG finally supports elliptic curves, so you may actually learn a thing or two about how Bitcoin works in the process!

5G networks and virtual reality

Here we go, what everyone truly wants to know about. All the 5G propaganda during the COVID-19 where people thought it caused it and started burning town 5G towers over it even, completely hilarious. 5G does NOT hurt you in any way or cause COVID lol. The old saying is people fear what they do not understand, rest assured, it was complete nonsense.

Think of 5G like when we went from 3G then to 4G then to LTE. What they are doing is just paying for another spectrum to use so they can offer faster internet in BIG CITIES. Yes, generally it will only be offered in BIG CITIES, because this new spectrum has limited range. Think of how your router at home was once A,B or N then went to AC. We sure get good range on 2.4ghz routers at home, but when we close to the 5ghz connection it is way faster(ie transferring a 8 gig movie to your phone from computer on your home network).

What about people not in big cities? This is where Elon Musk comes in with Star Link. If you have looked up in sky at all in last year you might have seen them. Satellites 500km above the earth that promise to offer high speed internet to rural people. Star Link cannot provide to big cities, because it would flood the bandwidth available. So if your in an urban setting, look for fiber or 5G networks.

The PROS of 5G: virtual reality will become a thing! Google has acquired a new google glass company, perhaps glasses won’t be $1500, how they flopped last time, other companies have them for $1000, but that price tag will eventually come down. Google needs to take a hit on glasses for developers worldwide, because if developers all over the world don’t own a pair, there is no point in offering them to public with nothing built for them, google can’t do this alone, needs worldwide developer support. So google, offer them to developers world wide for $300, then sell to general public for 1k down the road!

Self-driving cars will become a thing, as well as drones flying around cities. These are 2 things that would absolutely need 5G to be effective. Another PRO is cell phone companies may compete for your home internet business, giving you more options for internet in the city. Yes, this means all our phones should be placed in antique shop currently. Yes, even my Google Pixel 4XL belongs there within 2 years as they only making phones with 5G chips now. If you live in rural area, no big rush.

The CONS of 5G: Government control of course. Before the pandemic happened protesters in the UK were already upset with facial recognition and painting their faces. I will say this again and again, stop putting your pictures on FACEBOOK and STOP USING IT! Everyone knows by now NSA has backdoor access to all your pictures on there, they will use them to facial ID you. Has Edward Snowden still not gotten through to everyone? He had to become a fugitive of the USA because he cared enough about you to let you know what was happening and your still not listening to him?

Artificial intelligence is here, if you need to post your picture/data publicly all the time, use SnapChat or Signal. For love of god just put them anywhere where company won’t share your data to be thrown in an AI database! They should be paying you to share your data, your just giving them free data to feed their artificial intelligence programs and not giving you a cent! If you absolutely need to use Facebook, run your pictures through an image manipulation program first to throw off their AI. If they give you money, then maybe consider submitting your unedited pictures. Click like on things you hate, dislike on things you love, screw them right up. Post messages encrypted if you can, and give your friends the keys to unlock your messages, this is how internet was meant to be! If google started sharing your data, we wouldn’t buy android anymore. We shouldn’t even be using our real names on the internet, internet was made for freedom of speech and that is why anonymity was needed in first place, people will fight with their last dying breath to protect that. In the future governments will be crying otherwise, as artificial intelligence programs begin talking with each other, and they have no way to stop it after. Programmers control the internet, not governments, always remember that.

Social Media Internet Draft Proposal

I propose an internet draft for social media, where everyone has 2 copies of their own blockchain they created, one for public keys and storage of media, and the other for private keys to decrypt each message on public chain. I propose every post be encrypted with a new key.I propose a new algorithm where on unix servers we have permissions such as :

-rwxrwxrwx   1 dan  dan    380 Jul 16 04:05 file.conf

That at any time a given owner can allow Owner Group or Others to have access to a given post. Service providers such as FaceBook, Google if forced to remove a post can set the “Other” “rwx”(read,write,execute) flags off and only be able to see the message if owner does in fact set the “Other” bit flags. The “Group” flag can be set to everyone in their circle of friends to be viewed by encrypting post with each of their friends public keys. If “Group” flag was removed from said post, then owner with their secret key could remove friends public keys from post, but also a mechanism to add keys back if “Group” flag was set again.

The idea here, is social media providers may not view posts if only group and owner flags set, as we have seen how destructive internet becomes when that happens and the many privacy breeches of normal users. Governments back-doors into these systems as well as companies profiting putting users data in their artificial intelligence programs. The providers may continue profiting on ads beside each post, but may no longer retain data on/of normal users. I also propose mechanism in place where any photos posted online, users have option of tossing them through a program to mangle the bits in the image enough to take AI facial recognition capabilities away.

The Social Media companies MUST use a decentralized blockchain to pull in data, normal users would be able to feed data into providers decentralized blockchain with users public blockchain with appropriate bits set. This is important otherwise providers could read and steal the said data. Terms of Service must be in place where they do not store the data when the “Other” bit is set. Social media companies could compete to mine blocks with other miners or join a mining pool. I propose mining should be done on IP addresses connected for longest amount of time, mine a block, then they get thrown to bottom of list, so everyone in the world can have a part of the mining process. This ensures if said provider abandons the chain, another one could start up in its place with all data in tact. We would say encrypt next block in chain with next X amount of IP addresses that have been there the longest hosting the chain. I propose the block chain itself be split into A-Z, a-z, 0-9(8 char usernames) for anonymous usernames. This allows miners to only host a part of the data for rewards, as storage may become expensive to hold to big of a blockchain.

As world currently stands, block-chains are worthless unless they contain data that people feel is valuable, allowing investors to invest in them. The exception being Bitcoin itself, the grandfather of digital currency set to be the new Gold if any government digital currencies fail. IF a social media company did a nice interface to a social media block-chain, investors have a digital currency to invest in that is worthwhile. It is then not just a bunch of useless numbers, but actual data that they could download to mine blocks or day trade. It then has a purpose, not just a bunch of numbers and a promise for a company to do well. Prices on crypto currency then would reflect size of blockchain, current price of storage medium, and cost of hardware to pull queries from that storage. This is a long-term solution to this problem in the world.

What will make people switch to government digital currencies in the long-term will be exactly that, more people they have in their country, bigger blockchain(s) will be, making them more valuable to investors. So think USD and China. If someone was actually able to crack an address on the said blockchain, everything from social security numbers to passports could be exposed, thus why it would have so much value in the future. This of course could be protected by governments by forcing end users to do a password change every month by giving them a new one and re-encrypting that block on chain keeping chain brute force proof from its own employees.

What is discerning about governments having centralized block-chains, is let’s say you have a million dollars, they could essentially just break the chain like it never existed. That is why regulations must be in place through central banks. IF they are able to simply reverse transactions on blockchain, the blockchain will have less value to investors on the exchanges, as was the case with Ethereum. Currently central banks are using digital currency, as well as Russia and a few other countries, so it’s just a matter of time before mastercard and visa are on the chain making this a reality. They are already hiring block-chain developers as we speak.

Profit: Social media companies after establishing a block-chain could in fact profit more with this model. Users are not afraid to use their systems, providers are no longer afraid of governments. Providers have more user retention instead of running to every competitor every time their is a security breach. Providers could apply for ICO with cryptocurrency exchanges, have shares in the digital currency, and offer users that cryptocurrency in exchange for another digital currency through current exchange rates at crypto currency providers such as Binance.

This is enough for Part 1, until next time….

Dan.

Quantum technology, artificial intelligence and privacy

Today I would like to talk to you about what is going to happen in next few years and direction world is going to go. To start off with quantum computers will arrive. With INTEL submitting their first 16 qubit chip to research lab in Europe a few weeks ago from time of this writing, technology is near. Quantum chips won’t replace traditional chips think of them more like an add-on like a graphics card. Example: people use graphics card for artificial intelligence as they are faster than normal CPU’s so instead people use GPU’s and when quantum computers arrive they will use quantum instead. There are still difficulties in technology with it requiring a set temperature to operate efficiently when they can overcome that, then perhaps we can have a 50 qubit chip, at 50 qubits it could finally challenge traditional chips. Although places like D-Wave etc have 2000 qubit implementations, they are WAY to big for a normal user!

 

Quantum computers when they arrive will pose a lot of new challenges with technology today. First of lets talk about the pros: encryption will be better, medical research will be way better, artificial intelligence will be able to take on tasks they could not before, number crunching and data prediction in general will be faster and more feasible, your toilet will speak to you letting you know how to change your diet before you get a disease! The cons: where there is power it is always abused: while we submit our DNA to health agencies, governments will steal that for their own purposes, stock markets will collapse till code on exchanges are rewritten to delay buying and selling of stocks to create fair market advantage again, big companies like Facebook and Google will control AI for the most part and that will starve off competition. To create fair competition for AI, all researchers need all the data google and Facebook have to train programs.

 

Protecting yourself in a quantum world. When browsing the internet whenever possible use the Tor Browser. This will protect you against Google etc being able to record everything you search for. Artificial intelligence exists for image recognition, speech recognition, tone recognition, and a lot of difference technologies. In the future to protect yourself against them using AI against you, never put a picture of yourself on any of these sites. After all we have no problems in them detecting images of cats and what not, but having a camera on street one day be able to recognize you because you uploaded your picture to Facebook or Google is not a good idea. Currently image recognition is only good at detecting for about 10 years because of the aging process, this is why drivers license wants a new photo before that, typically every 5 years. Technology with GPS has advanced to pinpoint you very accurately with smart phones. Companies like Google etc can trace you by everywhere you bring your smartphone, in fact they have made it so you cannot pull battery out anymore on all recent phones, just shutting the phone off is not enough. One solution is to install Fake GPS app so you can always appear from Christmas Island and only disable it when you need it. Another issue is credit card companies showing all your purchases, embrace crypto-currencies for their anonymity. After all the purpose in crypto-currencies is to put these credit card companies out of business in first place as they having been ripping off businesses for years with transaction fees and passing on the cost to you, its time you fought back against them as well to keep more money in your pocket. While its not possible to remain completely anonymous, ie: your drivers license and passport pictures, doing your best to protect your privacy beyond that is left as an exercise to the reader.

 

Enhancing AI the safe way is easier said than done. One solution would be for example to create a free dating website for people where they can remain anonymous with their real names, however researchers could pull all characteristic data into their AI programs for training. Social media site the same thing, allow people to remain anonymous. Facebook unfortunately if not knowing your real name will go behind your back and ask friends on your list for real identifiable information, so your not safe period associating your pictures with this company, also history has shown them in bed with the NSA. Essentially what Facebook is is a FBI database for the public and your just adding to it for them. So keep posts away from things like what you go to everyday, or to much of your likes or dislikes, remain neutral on everything by not clicking like on anything. Another solution could be opening an account where noone knows you originally under your real identity and keep family and friends to other apps that don’t invade your privacy and use encryption with a respected trustable company. Facebook info on you is viewable on you by anyone in position of authority with or without your consent, they have backdoors to the system to view anyone, keep this in mind especially when crossing borders.

 

AI research after all is about things like taking someones foot size and matching it with another characteristic to say determine if person is male or female. Never should it reach a point of knowing real names and addresses of people, this is a safety concern and a privacy concern everyone should be fighting against. When people say they don’t fear surveillance because they have nothing to hide, Edward Snowden says he tells them: “Arguing that you don’t care about privacy because you have nothing to hide is like arguing that you don’t care about free speech because you have nothing to say.” Words of wisdom.

 

Also the legal system is flawed in general, all it takes is hearsay to put anybody away without any scientific evidence. All it takes is a few people to collaborate their stories on a lie about someone at a trial to put innocent people away. You can see why you should fight for your privacy, less info people have on you, less believable people will be.

 

Until next time,

SunSaturn

SSL certificates + yoga quote of the day

SSL certificates where installed Friday, all is working perfectly now.
Like to leave everyone with a wonderful quote:

What if our religion was each other
If our practice was our life
If prayer, our words
What if the temple was the Earth
If forests were our church
If holy water—the rivers, lakes, and ocean
What if meditation was our relationships
If the teacher was life
If wisdom was self-knowledge
If love was the center of our being.” ~ Ganga White

Dan.

SSL certificate

Looks like another 2 years has passed and time to renew SSL certificate for SunSaturn. I expect to have expired SSL certificate replaced within 2 weeks, for now just use something like Firefox where it is easy to add exception to site to access billing and CPANEL easily.

Dan.

Quantum Computers and Encryption

I should make a note on quantum mechanics and encryption to people having come from a computer science background. You really believe encrypting your data is safe? Read on…All numbers stored in a computer are 0’s and 1’s. This has traditionally meant on and off in electronics. In assembly language or binary, here is what a byte really looks like 0000 1111. It is 8 bits, so there are in essence 2 to the power of 8= 256 possible combinations in a byte, each of those bits can be 1 or 0. Encryption for today is based on an old math concept you may remember from school. A prime number has exactly two factors, 1 and itself. Any number can be written as a product of prime numbers. If you multiply two large prime numbers, you get a huge non-prime number with only two (large) prime factors. So concept of today’s encryption is it will be REALLY hard for a computer to figure out the 2 prime numbers when a large number is involved. Here is problem with this encryption: with quantum computing, there are 2 concepts called superposition and entanglement. Entanglement you can think of as 2 objects in space and time can be in same place at same time and do 2 completely different things. Einstein use to call this “spooky”. A mathematician named Peter Shor came up with a quantum algorithm that if a quantum computer exists, then all today’s encryption could be broken easily. The university of waterloo in canada already has a quantum computer prototype. All they really need to do to complete it is come up with enough “qubits”(these are particles we have that currently can do entanglement), so 2 objects can be in 2 places at same time, and all encryption is broken. Current record is 12 qubits. When quantum computers exist we will need a new algorithm that superimposes bits to make encryption sound again, but nothing you have right now cannot be broken, and when quantum hits, all your SSL, and non-symmetric encryption keys will be rendered useless, unless your already on board with an algorithm such as lattice for example. So this a quick note on where science is, fact we can make particles be in 2 places at one time now, and making sure you don’t believe your encyption is safe. As soon as scientists figure out how to make more qubits by studying decoherence, quantum computers are officially here.

Here is a reference for formula that will break all encryption when quantum computers have enough qubits: Shor’s Algorithm

And here is waterloo’s status where they are at with there current quantum computers: Waterloo University …. go CANADA!

Till Next Time,

Dan.

Adding webdisk to CPANEL

At times people are asking me is it better to use filezilla, ssh etc for building their websites with CPANEL. Wouldn’t it be nicer if your working on windows to just be able to open up “My Computer” or “This PC” icon and just access your files like a drive letter like C:\. You can do this, and it will be so much easier. It won’t be a drive letter, but it will be under “Network Locations” just like a regular drive.

First of all under windows 8.1 if you do not have “My Computer(This PC)” icon on your desktop, this is how to add it. On your desktop screen right click on empty spot and select “Personalize” -> “Change desktop icons” -> now check “Computer” and anything else you want then click “Apply”.

Now let’s map the network drive.
In Windows 8.1 just right click “This PC” on your desktop and click “Map Network Drive”. In previous windows versions,
To connect a drive from My Computer, click Start, right-click My Computer, and then click Explore.
To connect a drive from Windows Explorer, right-click Start, and then click Explore.
On the Tools menu, click Map Network Drive.

In the Drive box, click a drive letter.
In the Folder box type the following:
\\cpanel.sunsaturn.com@SSL@2078
Next click on “Connect using different credentials”, click “Finish”

Enter your username and password for CPANEL, click box to remember your credentials, and now you can access all your files from just a drive letter.
(ps. Make sure your reconnect at startup box is checked, should be default on windows 8.1)

Till Next time,

Dan.

RJ45 to DB9 Cisco console cable

If you need to make your own cisco console port cable, RJ45 to DB9, here are the pinouts for your reference.

If you have 568A ethernet cable:

CAT 5                                              DB9
Pin 1: Green Stripe                          Pin 8
Pin 2: Green                                    Pin 6
Pin 3: Orange Stripe                        Pin 2
Pin 4: Blue                                       Pin 5
Pin 5: Blue Stripe                            Pin 5
Pin 6: Orange                                  Pin 3
Pin 7: Brown Stripe                         Pin 4
Pin 8: Brown                                    Pin 7

If you have 568B ethernet cable:

CAT 5                                             DB9
Pin 1: Orange Stripe                       Pin 8
Pin 2: Orange                                 Pin 6
Pin 3: Green Stripe                         Pin 2
Pin 4: Blue                                      Pin 5
Pin 5: Blue Stripe                            Pin 5
Pin 6: Green                                   Pin 3
Pin 7: Brown Stripe                         Pin 4
Pin 8: Brown                                   Pin 7

Notes:
a)DB9 Pins 1 and 9 not connected.
b)The “Blue Stripe” and “Blue” must connect to pin 5 on DB9
c)If using Startech DB9 to RJ45 Adapter(GC98FF)for example, what matters is standard they wired RJ45 with, as Ethernet cable then would not matter as long as both sides were the same standard.

References:

http://www.ciscoconsole.com/wan/cisco-general/cisco-console-rj45-to-db9-cable-pinout-details.html/

http://www.instructables.com/id/Simple-RJ45-DB9-Cisco-console-cable/

Till Next Time,

Dan.

Linux DHCP IPV6 Host Server

I will do a very basic walkthrough of how to setup a Linux server to act as DHCP6 server for your network. Before we begin, we need to understand a few things that are different from IPV4. First thing is we cannot send a gateway with DHCP6.
Second we can only send IP address and DNS servers with DHCP6. So to accomplish both, we use radvd along with DHCP, the former sends the gateway, the latter sends the IP address and DNS servers to client. I will assume here you know how to install radvd and dhcp in linux so I won’t get into linux server administration. In order to be DHCPV6 stateful so we can assign addresses, both M and O Flags need to be set to 1 in radvd advertisement so clients know to go get the IP address from DHCP6 server. So for radvd our objective is simply to set advertisements on, and set the M and O flags bits.

My /etc/radvd.conf contains following:

interface br0
{
    AdvSendAdvert on;
    AdvManagedFlag on;
    AdvOtherConfigFlag on;
};

This is all you need. We are advertising, and setting the M and O bits here. Now radvd will send our clients our link-local gateway and tell them to go get their IPV6 information from DHCP. This is probably the most confusing part about this setup, there is NO way to send our real IPV6 gateway, clients only get the LINK-LOCAL gateway and from that must be able to get out to the internet. AGAIN I WILL REPEAT, they get your “Link-Local” gateway ie: “fe80::226:5aff:fe6b:ca8d”, not your real “2001:aaaa:bbbb::1” gateway. This is a limitation of the protocal, but it is not a big deal, we can still forward clients out a link-local gateway.

Ok now clients have our routers link-local gateway, now we can setup our dhcpd6.conf, and perhaps assign some static IPV6 addresses to some dhcp clients to since we like to know who is who. Only issue with IPV6 and static addresses is we can no longer use MAC Address, we need to use DUID of the client. This is also problematic since DUID is the same for all ethernet cards on each host. To solve that problem you can look into using DHCPv6 IAID, but since we only have 1 ethernet per client, we will only focus on DUID. Let us assume
we have a 2001:aaaa:bbbb::/48 to assign to clients.

Let us look at the bottom of my /etc/dhcp/dhcpd6.conf:

authoritative;

subnet6 2001:aaaa:bbbb::/48 {
  #lets range last octet from decimal 1000-65535 which in hex is : 3e8-ffff
  range6 2001:aaaa:bbbb::3e8 2001:aaaa:bbbb::ffff;
  option dhcp6.name-servers 2001:aaaa:bbbb::3,2001:aaaa:bbbb::4;
  option dhcp6.domain-search "sunsaturn.com";
} 

#you get this by typing "ipconfig /all" on windows machine and look for "DHCPv6 Client DUID"
#just separate with : instead of -        
host dandesktop { #unfortunately, same client-id for each ethernet card in same host, so only 1 will get an IPV6 address here
  host-identifier option dhcp6.client-id 00:01:00:01:1B:67:B6:C3:58:5B:39:45:07:90;
  fixed-address6 2001:aaaa:bbbb::5;
} 
host laptop { #unfortunately, same client-id for each ethernet card in same host, so only 1 will get an IPV6 address here
  host-identifier option dhcp6.client-id 00:01:00:01:1A:F5:AF:22:48:5B:39:3A:06:38;
  fixed-address6 2001:aaaa:bbbb::17; 
} 

So what I started doing was a standard catchall block, setting DNS servers and IPV6 addresses for clients I did not assign statically giving them an IPV6 address in range 2001:aaaa:bbbb::3e8 – 2001:aaaa:bbbb::ffff.

Then I assign 2 static IPV6 addresses to my desktop and my laptop. I ran “ipconfig /all” on the two Windows 8.1 machines and collected their DUID’s. Then used a search and replace program on the DUID to change all “-” characters with “:” characters to match format in the dhcpd6.conf file.

Now after we start dhcpd, make sure it is running:

router:/etc/dhcp# ps aux|grep dhcpd6
dhcpd    19531  0.0  0.0  47252  2640 ?        Ss   May04   0:00 /usr/sbin/dhcpd -6 -user dhcpd -group dhcpd -cf /etc/dhcp/dhcpd6.conf
root     22152  0.0  0.0 105304   880 pts/1    S+   00:05   0:00 grep dhcpd6
router:/etc/dhcp# 

Now if all goes well from radvd, clients will get the link-local “fe80::226:5aff:fe6b:ca8d” gateway, run off and check UDP port 546 on IPV6 to get our settings from dhcpd6.conf file for an IP address and the DNS servers, and voila we are done! If you have issues with clients, please checkout my other how to on setting up a windows dhcp client.

Until Next Time,

Dan.