19 Dec

Content Api

Since I started using Hexo for my site a lot of things have been easier, like creating an API to access the site contents. It was a nightmare for me in Drupal 7 and in the end I gave up long ago, but thanks to the work of John Wu and his plugin hexo-generator-api, generating a RESTful JSON API with read-only access to all the site's contents has been one of the simplest things I've worked on so far.

There are some things I would like to do that aren’t available, but the code is released under the MIT license and I’ve got a fork on github I can work on.

In the meantime I've written up some documentation about what is available and how to start making use of it.

Even if you never plan on using my access points to access my own content (to be fair, I can't see why you would; I just enjoy having it), I hope the documentation can help anyone else who is using the hexo-generator-api plugin on their own site.

agedu: Clean up wasted space in Linux
17 Dec

In some situations a quick trip to get a new drive is required, but in many cases space can easily be reclaimed by removing the gunk that's accumulated. But how do you determine what's junk? Linux has the du command, which will recursively search a directory and list all files and their sizes, but it still comes down to you to determine what should be kept and what should be removed.

In comes agedu (age dee you). Like du, this tool searches for files in all directories and lists their sizes, but it can also differentiate between files that are still in use and ones that haven't been accessed for a long time.

From the man pages:

agedu scans a directory tree and produces reports about how much disk space is used in each directory and sub-directory, and also how that usage of disk space corresponds to files with last-access times a long time ago.

In other words, agedu is a tool you might use to help you free up disk space. It lets you see which directories are taking up the most space, as du does; but unlike du, it also distinguishes between large collections of data which are still in use and ones which have not been accessed in months or years – for instance, large archives downloaded, unpacked, used once, and never cleaned up. Where du helps you find what’s using your disk space, agedu helps you find what’s wasting your disk space.

agedu has several operating modes. In one mode, it scans your disk and builds an index file containing a data structure which allows it to efficiently retrieve any information it might need. Typically, you would use it in this mode first, and then run it in one of a number of ‘query’ modes to display a report of the disk space usage of a particular directory and its sub-directories. Those reports can be produced as plain text (much like du) or as HTML. agedu can even run as a miniature web server, presenting each directory’s HTML report with hyperlinks to let you navigate around the file system to similar reports for other directories.

So, the install

Fedora 18, 19, 20 & 21

Ubuntu/Debian

Basic Usage

The first step is to let agedu scan a directory; below I've just scanned my Downloads folder:

To access the report you need to run agedu's built-in web server:

Now just fire up your browser and go to the URL stated:

agedu Web Interface

Conclusion

There are other options available, such as the --exclude and --include arguments, which let you control what files are indexed. For example, if you wanted to see which ISOs were taking up the most space you'd use:
agedu -s ./ --exclude '*' --include '*.iso'

This post was designed to give you a quick overview of agedu, since I have only touched on the options available. Check out the man pages or read through the developer's website for more details.
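As an added example (not from the original post and not part of agedu itself), here is a portable approximation of the age-based accounting agedu does, written with GNU find and awk so the idea of "bytes nobody has read for N days, per directory" can be tried on a constructed sample tree. The equivalent agedu invocations are kept in comments; the --address and --auth options exist in agedu, and keeping the report server on 127.0.0.1 with a password is the setting worth using, since the report lists every file name on the machine.

```shell
#!/bin/sh
# Added example: a find/awk approximation of agedu's "wasted space" view.
# The real tool does the same job far more efficiently:
#   agedu -s ~/Downloads                        # build the index (agedu.dat)
#   agedu -t ~/Downloads -a 6m                  # text report: bytes untouched for 6 months
#   agedu -w --address 127.0.0.1 --auth basic   # web report, local only, password protected
# Both rely on atime: on a volume mounted with noatime, access times never
# advance and everything looks stale.

set -eu

# stale_bytes DIR DAYS: total size in bytes of regular files under DIR whose
# last access time is more than DAYS days ago.
stale_bytes() {
    find "$1" -type f -atime +"$2" -printf '%s\n' | awk '{ s += $1 } END { printf "%d\n", s }'
}

# total_bytes DIR: size of all regular files under DIR (the plain du-like view).
total_bytes() {
    find "$1" -type f -printf '%s\n' | awk '{ s += $1 } END { printf "%d\n", s }'
}

# stale_by_dir DIR DAYS: one line "bytes name" per immediate subdirectory of DIR,
# largest first, counting only files untouched for more than DAYS days.
stale_by_dir() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        printf '%s %s\n' "$(stale_bytes "$d" "$2")" "$(basename "$d")"
    done | sort -rn
}

# make_sample_tree: constructs a throwaway tree with one fresh and one stale file
# so the functions above can be tried offline. Prints the tree's path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/isos" "$root/docs"
    head -c 4096 /dev/zero > "$root/isos/old.iso"     # 4096 bytes, "last read" 400 days ago
    head -c 1024 /dev/zero > "$root/docs/notes.txt"   # 1024 bytes, read today
    touch -a -d '400 days ago' "$root/isos/old.iso"
    printf '%s\n' "$root"
}
```

On a real directory, `stale_by_dir ~/Downloads 365` gives the same ranking agedu's report would show for a one-year age cutoff, just much more slowly.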

Overclocking RaspberryPi
17 Dec

By default the processor in the Raspberry Pi runs at 700MHz, but it can be overclocked without voiding your warranty. Basically a processor is designed to do one job at a time, be it retrieving something from RAM or adding two numbers together; it's limited to one task. But when we're using them the idea of one thing at a time is hard to get our heads around, since it appears to be doing so much more. That's because a processor can do that one task really, really, really fast. The clock speed, 700MHz, gives us an idea of how many tasks it can do per second; the higher the speed the better performance you get.

Overclocking simply means increasing the clock speed past its default. The problem is that if you overclock too much the processor becomes unstable, which can lead to crashes or even burn it out.

My Raspberry Pi is running Raspbian, so to overclock it simply type sudo raspi-config
raspi-config

Go down to item 7 Overclock and press ENTER, press ENTER a second time to confirm the warning message.
raspi-config select frequency

raspi-config has five levels of overclocking: 700MHz (no overclocking), 800MHz (modest), 900MHz (medium), 950MHz (high) and 1000MHz (turbo). All of these are supported by the Raspberry Pi Foundation and will not void your warranty; overclocking to anything other than what's on this list, or overvolting the Raspberry Pi, will void the warranty.

Select the level of overclocking you want from the list, as below, and click on <Ok> to confirm your selection.
raspi-config select frequency

After that your Raspberry Pi will need to reboot for the new settings to take effect. After a reboot you can test your settings by looking in /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

If for any reason your Raspberry Pi fails to boot after you've overclocked it, hold down the Shift key at boot time to temporarily disable overclocking, then just go back into sudo raspi-config and select a lower speed.
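As an added example (not from the original post), the following checks a Pi's overclock setting against the five raspi-config levels listed above and reads back the live limit. raspi-config stores the chosen level as arm_freq in /boot/config.txt, and scaling_max_freq reports the current ceiling in kHz (so 900000 means 900MHz). Both file paths are parameters, so the functions can be tried on constructed files off the Pi.

```shell
#!/bin/sh
# Added example: verify an overclock is one of the raspi-config presets and
# report the running maximum frequency. Paths are passed in, so the same
# functions work on a copy of config.txt or on the real files on a Pi.

set -eu

# arm_freq_from_config FILE: the last uncommented arm_freq value in FILE, or
# 700 (the Pi's stock clock) when the setting is absent.
arm_freq_from_config() {
    v=$(sed -n 's/^[[:space:]]*arm_freq[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${v:-700}"
}

# is_supported_freq MHZ: true only for the five levels raspi-config offers, the
# ones the post says keep the warranty intact.
is_supported_freq() {
    case "$1" in
        700|800|900|950|1000) return 0 ;;
        *) return 1 ;;
    esac
}

# check_config FILE: prints "ok <MHz>" or "unsupported <MHz>"; the exit status
# matches, so it can gate a script that edits config.txt.
check_config() {
    f=$(arm_freq_from_config "$1")
    if is_supported_freq "$f"; then
        printf 'ok %s\n' "$f"
    else
        printf 'unsupported %s\n' "$f"
        return 1
    fi
}

# max_freq_mhz SYSFS_FILE: convert the kHz value in scaling_max_freq to MHz.
max_freq_mhz() {
    khz=$(tr -dc '0-9' < "$1")
    echo $(( khz / 1000 ))
}

# On a real Pi:
#   check_config /boot/config.txt
#   max_freq_mhz /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
```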

A Linux Security Checklist
16 Dec

I recently came across this article about securing yourself on a Linux machine – Security Checklist for Linux System.

It's equally true for Windows users as well:

  1. Keep the system updated with latest security patches
  2. Keep yourself updated with latest vulnerabilities through mailing lists, forums etc.
  3. Stop and disable unwanted services
  4. Use SUDO to limit ROOT Access
  5. SSH security settings
  6. Tunnel all of your XWindow sessions through SSH
  7. Create only a required number of users
  8. Maintain a good firewall policy
  9. Scan for viruses and other malware!
  10. Configure SSL/TLS if you are using FTP
  11. Secure your communication with GPG
  12. Check file permissions across filesystems
  13. Bootloader and BIOS security
  14. Enable remote Logging
  15. Keep a good password policy

From CMS To HTML
08 Dec

As you can see for yourself I've rebuilt the site, again. I've code-named this new iteration Alpe d'Huez, but it's really version 8.

So NxFIFTEEN Alpe d'Huez, what's the point? I've washed my hands of CMS installations. I started blogging almost from day one and used WordPress 1.0, then at some point switched to Drupal 5. The thing is, this site is so sparse on content that the overhead of dynamically building pages for every visit isn't required.

Over the years the requirements from my hosting provider have been steadily creeping up to get better and better performance from the site. At its worst, just this past weekend, my Drupal home page took almost 80 seconds to load. That's after implementing Varnish and Boost. For a site I update infrequently at best, static HTML is perfect, so that's what I set out to produce.

Long story short, I've decided to use hexo.io, which is a NodeJS static site generator. It works by combining Markdown-flavoured text files and an ejs-tagged template file into static HTML that can then be distributed any way that makes sense to you. The biggest advantage here for me is that since everything is now static it can all be kept and managed with Git. Plus, since I separated the source code and Markdown files into two repositories, I can also keep a copy of the content on my phone without the rest of the JavaScript.

Possibly the biggest reason for looking at a Node.js solution was that it is not written in PHP. I'm not against PHP like some; it's a language I've been using since 1998 and it's always served me well, but it's time I learnt something new and node.js is really hot just now.

So that's my introduction to NxFIFTEEN. As you can imagine the transition took time and there were a lot of obstacles to be surmounted, but I'll save them for other posts.

Scheduled Server Downtime – June Fri 18th…
30 Nov

Preamble

Regular users of NxFifteen will be aware I tend to give little or no warning about service downtime. In most cases this is because the setup I use is working the way it should and needs no messing with, but things go wrong and I scrabble to get everything back up and running. This time is different.

On Friday the 18th of July I am predicting an extended service outage. At the moment I can't predict how long this will last; all I can do is assure you I will be working over the weekend to restore service and reduce the unavailability as much as I can.

Why is this happening

My upstream host, Bytemark, will be physically moving my server from Leeds to York. This is to allow them to continue providing the best service available.

That said, it was still my choice to allow them to do this and I set the date of my move.

What will be affected

Everything. The physical machine is being moved so it will be turned off and any service running on it will be unavailable.

This includes: emails, websites, jabber chat, nx15.at shortened links and the OpenPGP Key server.

How long will this last

I don't know. Expect everything to be back online by the end of the weekend, but at this time I can offer no guarantee.

My priorities are email then websites and after that everything else.

I can't keep you updated from here, but I will post to Twitter, Google+ and Facebook as service returns or delays continue.

TrueCrypt
29 Nov

TrueCrypt is dead, long live TrueCrypt. In a move that shocked everyone on the internet TrueCrypt was taken down on May 28th 2014 and the official TrueCrypt website, truecrypt.org, began redirecting users to a page warning the software contained unfixed security issues.

This announcement caused a great amount of panic and speculation about one of the most popular cross platform encryption tools available. As the dust settled it’s become clear there are no known security problems with TrueCrypt but all development by the original authors has ceased and it is their opinion that to use unmaintained software would pose a security risk.

Don’t Panic

In part they might be right. If down the line a flaw in TrueCrypt is found they will not be fixing it, but as yet there is no such flaw and a full security audit is underway. The audit is being carried out by iSEC Partners and crowdfunded by TrueCrypt users. While still in its infancy it has already completed work on the TrueCrypt boot loader and found nothing of concern. For those who don't want to read the full report, Steve Gibson of GRC.com did a fantastic breakdown for Security Now Episode 458.

Verifying the TrueCrypt v7.1a Files

Across this site I have used my OpenPGP key to digitally sign my downloads as a way of authenticating them. In this case I didn't want to sign the work of someone else, and it would only have verified that the download was the one I intended for you to get.

Since paranoia is nothing to be ashamed of I’ve taken a leaf out of GRC’s book and provided SHA256, SHA1 and MD5 hashes for all my downloads which I have then digitally signed to prevent tampering.

Now, since I do not have another site I can host an independent copy of these hashes on, I can only point you to the same place as GRC does. Taylor Hornby (aka FireXware) of Defuse Security is hosting a copy of the same files offered by GRC at https://defuse.ca/truecrypt-7.1a-hashes.htm. The best validation I can offer is that the hashes of my files match exactly what is offered by GRC and several other independent archives.

TrueCrypt 7.1a Archive Repository

File Name                                  Operating System
truecrypt-7.1a-linux-x64.tar.gz            Linux/Unix
truecrypt-7.1a-linux-x86.tar.gz            Linux/Unix
TrueCrypt 7.1a Mac OS X.dmg                Mac OS X
TrueCrypt Setup 7.1a.exe                   Microsoft Windows
TrueCrypt User Guide.pdf                   N/A
truecrypt-7.1a-linux-console-x64.tar.gz    Linux/Unix
truecrypt-7.1a-linux-console-x86.tar.gz    Linux/Unix
TrueCrypt 7.1a Source.tar.gz               N/A
TrueCrypt 7.1a Source.zip                  N/A

OpenPGP Signed Download Hashes

DynPi The Assembly
05 Sep

Well, all the parts are now here and it's time to assemble it. Primarily I want it to be neat, tidy and easy; it has to be as simple as possible and ready to pick up and go. The last thing I want is to spend twenty minutes hunting for all the parts.

After trying a few layouts and designs I’ve come up with what I think works best for me, this is what I have so far:

I decided to glue the PiHub straight onto the Raspberry Pi case. It makes everything much cleaner, and if in future I re-purpose the Pi I can't really see a reason why an integrated USB and power hub wouldn't be useful, and if it wasn't then I could just buy a new case or even another Pi.

However, to attach the Pi to the hard drive enclosure I've used 3M Command mounting strips, since they are easy to remove if required and will not cause damage to the Pi case or enclosure.

The next thing to do is set up Raspbmc along with the WiFi hotspot!

DynPi My Portable XBMC Device
03 Sep

Almost all commercial media boxes, such as the AppleTV 2, have no internal storage. I want to build a fully portable, internet non-dependant media centre. As with all things the first step is a plan!

This is a new project I'm working on, so I wanted to share it with you as it's going along rather than waiting till completion.

I'm a huge fan of TV and movies, like most of us are, and I've transferred a large majority of my DVD collection to the PC – partly to protect the discs, but mostly because I hate having to keep changing discs when I'm in the mood for a Doctor Who marathon. Now the problem is when you go on holiday you can't realistically take your DVD collection with you. Since readers have Kindles and can take several hundred books, I decided this was a problem I needed to solve.

Almost all commercial media boxes, such as the AppleTV 2, have no internal storage – Apple having decided it could make more money streaming content instead. I've already set up my home NAS and have several Raspberry Pis with OpenElec XBMC installations throughout the house, but again these don't have hard drives either; they are simply streaming content from my NAS. My first thought was to set up a system like Plex so I could stream my content from my home NAS to wherever I am, the downside of this being I would become reliant on both my home internet and having free access wherever I go. Since most hotels charge you and set data limits this is a less than perfect solution.

So, breaking it down, what am I trying to achieve?

  • Portability
  • Not relying on an internet connection
  • Plenty of content

My first idea was to simply put stuff on my Nexus 7 and watch it from there. After a few experiments it is useful, but watching stuff on a 7 inch screen is far from ideal. I know I could get an adaptor, but after wandering the shops around here no one stocks a SlimPort adaptor, only MHL, and since SlimPort is really only being used on the Nexus range it's not future proofing – nor is there a lot of storage.

So I quickly decided on using a Raspberry Pi and XBMC, inspired in part by the Slice, which could soon offer exactly what I'm looking for, except the Slice won't be on the market till at least November, so I want to build my own. Once it's all done I want to be able to connect to the Pi over either Cat5 or WiFi, since I'm not assuming there will be a router I can plug a Cat5 into everywhere I go. That means the project, which I'm going to call DynPi as in Dynamic Pi, will need its own WiFi dongle I can connect to. I also want to set up an automatic solution for getting media on to the machine. I'm thinking about newest movies/TV or perhaps most watched and definitely a short-list of must have things – something like that.

Once I'm set up I'm going to use Raspbmc this time instead of OpenElec. OpenElec is a fantastically simple XBMC setup and perfect for most set-top boxes, but because the OS has been stripped back so much a lot of things aren't available, which includes the software required to set up the DynPi as a WiFi hotspot.

The shopping list:

  • 1 Raspberry Pi – I already had a spare Pi
  • 1 PiHub – This was harder to find. I wanted a hub that would power the Pi as well and this is the best one I could find, plus I think it looks cool
  • 1 Edimax EW-7811UN Wireless Nano USB Adapter
  • 1 Laptop Hard Drive – This one is 500GB, but I had a 230GB drive in the house so I'm using that for now
  • 1 Hard Drive Enclosure – You can obviously get an external hard drive and use that instead. The reason I've got both items separately is, again, future proofing. I wanted a quick and easy way to upgrade the drive.

Okay, so that's the shopping list. Next I need to put it all together. I'll post that stage once it's all done, so stay tuned (updates are posted to my Twitter account, so you don't have to keep checking the site waiting on an update).

Run Your Own Certificate Authority
July 29, 2014

I've wanted to write an article on how I became my own certificate authority for some time, but while doing some research on it I came across an article by CyberPunk that fills the gap I wanted to fill. So instead I will just leave this link here.

http://n0where.net/certificate-authority

Install Oracle Java JDK or JRE 8u11
18 Jul

I do not format my desktop PC very often; I reinstall my laptop three or four times a month, but not my primary machine. With almost every clean installation I have to look up how to install Oracle's Java instead of using the pre-installed version, OpenJDK.

Since I search for it so often I thought it was well past time I wrote a guide of my own.

What’s New in JDK 8

Java 8 is a major feature release over version 7. The updates are too many to go into in great detail here, but Oracle have a full feature change log on their own site.

Scope

This guide will tell you how to install Sun/Oracle Java JDK and/or JRE 8u11 on Fedora 20, 19, 18, 17, 16, 15, 14, 13 and 12 – I haven't tested on all these versions of Fedora, only 20 & 19, but Fedora haven't changed the process so much that this wouldn't work on older versions. If you do find any problems, please let me know in the comments section and I will get the guide updated.

Install Sun/Oracle Java JDK/JRE 8u11

Download 32-bit or 64-bit RPM packages

Download the RPM files from Oracle's download page. Depending on your system, 32- or 64-bit, download:
* 32-bit JDK download jdk-8u11-linux-i586.rpm
* 64-bit JDK download jdk-8u11-linux-x64.rpm
* 32-bit JRE download jre-8u11-linux-i586.rpm
* 64-bit JRE download jre-8u11-linux-x64.rpm

Install the RPM packages

Next, just install the RPM package you've just downloaded using one of these commands:

Set the newly installed Java as the system default

Now that Java 8u11 is installed you need to tell Fedora to use it by default. The alternatives command simply creates links from the system default paths to the new Java installation directory.

Install Browser plugin for Firefox

Most people do not need to do this; I never do. If you don't know whether you need Java inside your browser, skip this step – you can always come back to it later if you find you need to run Java from within Firefox.

Set up Java Development Kit

You only need this if you installed the JDK. These two commands, javac and jar, are just used to compile Java code and package the resulting files for distribution.

If you need to run multiple versions set 8u11 to the default

In the steps above you have replaced the already installed version of Java with 8u11, but you haven't removed it. If in future you install 8u12 but still want 8u11 to be your default, you can specify the version of Java to pass to alternatives instead of using latest.

JRE Users

JDK Users

Make sure it's all worked

Just a quick check to see it's all working as you expect:

Post Install

You now have Java installed; the last thing you need to do is make sure you have the JAVA_HOME environment variable set on your system.

You can do this per user by adding the above to $HOME/.bash_profile, or make it a system-wide setting by adding it to /etc/profile.

Switching JRE

Now you have installed Oracle Java, and used alternatives to set it as the system default, you may come across occasions when you need to switch the system back to OpenJDK. You can use the alternatives command with the --config argument to set things up the way you want.

java

javaws

libjavaplugin.so (32-bit)

libjavaplugin.so.x86_64 (64-bit)

javac
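As an added example (not from the original post), the install, alternatives, JAVA_HOME and verification steps from the guide above are collected into shell functions. The paths are assumptions based on the layout Oracle's RPM creates (an install under /usr/java with /usr/java/latest pointing at the newest one); the priority 200000 is an arbitrary value, chosen only to outrank the OpenJDK entries; and the alternatives names match the list the post gives (java, javaws, libjavaplugin.so, libjavaplugin.so.x86_64, javac). Everything except the profile helpers has to run as root on Fedora.

```shell
#!/bin/sh
# Added example: Oracle Java 8u11 install steps on Fedora as functions.
# Assumed layout: /usr/java/jdk1.8.0_11 (or jre1.8.0_11), /usr/java/latest.

set -eu

PRIORITY=200000   # arbitrary; just higher than the distribution's OpenJDK entries

# install_rpm FILE: check the package before installing it. `rpm --checksig`
# verifies the file's digests and, once Oracle's signing key has been imported,
# its signature; at minimum compare the checksum with the value published on the
# download page before running this.
install_rpm() {
    rpm --checksig "$1"
    rpm -Uvh "$1"
}

# register_java JAVA_HOME: create the alternatives entries the post lists. A JRE
# has no javac/jar, and the JDK keeps its browser plugin under jre/, so every
# path is registered only if it actually exists.
register_java() {
    for tool in java javaws javac jar; do
        [ -x "$1/bin/$tool" ] || continue
        alternatives --install "/usr/bin/$tool" "$tool" "$1/bin/$tool" "$PRIORITY"
    done
    if [ "$(uname -m)" = x86_64 ]; then
        link=/usr/lib64/mozilla/plugins/libjavaplugin.so.x86_64; name=libjavaplugin.so.x86_64; arch=amd64
    else
        link=/usr/lib/mozilla/plugins/libjavaplugin.so; name=libjavaplugin.so; arch=i386
    fi
    for plugin in "$1/jre/lib/$arch/libnpjp2.so" "$1/lib/$arch/libnpjp2.so"; do
        [ -f "$plugin" ] || continue
        alternatives --install "$link" "$name" "$plugin" "$PRIORITY"
        break
    done
}

# select_java JAVA_HOME: make one install the default without the interactive
# `alternatives --config java` menu, e.g. to keep 8u11 after installing 8u12.
select_java() {
    for tool in java javaws javac jar; do
        [ -x "$1/bin/$tool" ] || continue
        alternatives --set "$tool" "$1/bin/$tool"
    done
}

# write_java_profile FILE JAVA_HOME: the JAVA_HOME snippet for $HOME/.bash_profile
# (per user) or /etc/profile (system wide).
write_java_profile() {
    printf 'export JAVA_HOME=%s\nexport PATH=$JAVA_HOME/bin:$PATH\n' "$2" > "$1"
}

# java_home_in_profile FILE: read back the JAVA_HOME a profile snippet exports.
java_home_in_profile() {
    sed -n 's/^export JAVA_HOME=//p' "$1"
}

# verify_java: the "make sure it's all worked" step; javac is absent on a JRE.
verify_java() {
    java -version
    command -v javac >/dev/null && javac -version
    alternatives --display java | head -n 1
}
```

A typical run is `install_rpm jdk-8u11-linux-x64.rpm`, then `register_java /usr/java/latest`, `write_java_profile /etc/profile.d/java.sh /usr/java/latest` (an assumed file name; /etc/profile sources that directory) and finally `verify_java`.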

14 Jul

Revert to a previous Git commit

Preamble

I make heavy use of git for all my software development; when asked what the point is for a one-man development team to use something as powerful as git I always reply "universal undo".

With a recent update to the site I finally got the chance to use it the way I'd always expected to, and it worked exactly as expected, but the correct process was harder to find than expected. So here is how I was able to revert my master git branch after committing some bad code:

Reverting Working Copy to Most Recent Commit

To revert all uncommitted changes back to the previous commit: git reset --hard HEAD, where HEAD is the last commit in your current branch.

Reverting Working Copy to an Older Commit

This is a somewhat controversial step, but it was what I needed and the only thing I could find that would work. The better option is to avoid a hard reset if other people have copies of the old commits, because using a hard reset like this will force them to resynchronize their work with the newly reset branch. This isn't a problem for me, but it is worth mentioning in case it would be for you.

To revert back to an already committed change:
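As an added example (not from the original post), the script below builds a throwaway repository with a deliberately bad last commit and shows both ways of getting rid of it: the hard reset the post describes, which rewrites the branch, and git revert, which adds a new commit undoing the bad one and is the option to prefer when other people already have the history. The commit identity and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: hard reset versus revert on a constructed repository.

set -eu

# gcommit DIR MSG: stage everything and commit with a constructed identity, so the
# demo does not depend on the machine's git config.
gcommit() {
    git -C "$1" add -A
    git -C "$1" -c user.name=demo -c user.email=demo@example.invalid commit -q -m "$2"
}

# make_repo: a repository with three commits, the last one "bad". Prints its path.
make_repo() {
    d=$(mktemp -d)
    git -C "$d" init -q
    echo one > "$d/file"; gcommit "$d" "first"
    echo two > "$d/file"; gcommit "$d" "second"
    echo bad > "$d/file"; gcommit "$d" "bad commit"
    printf '%s\n' "$d"
}

# discard_uncommitted DIR: the post's first recipe; throws away working-copy edits.
discard_uncommitted() {
    git -C "$1" reset -q --hard HEAD
}

# hard_reset_to DIR COMMIT: the post's second recipe. The commits after COMMIT
# disappear from the branch; anyone who already fetched them has to resynchronize.
hard_reset_to() {
    git -C "$1" reset -q --hard "$2"
}

# revert_commit DIR COMMIT: the history-preserving alternative. The bad commit stays
# in the log and a new commit reverses its changes, so nothing needs rewriting.
revert_commit() {
    git -C "$1" -c user.name=demo -c user.email=demo@example.invalid revert --no-edit "$2" >/dev/null
}

file_content() { cat "$1/file"; }
commit_count() { git -C "$1" rev-list --count HEAD; }
```

After a hard reset of a branch that has already been pushed, the remote only accepts the rewritten branch with a force push; `git push --force-with-lease` refuses to overwrite commits you have not seen, which is the safer form.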

18 Jun

Day 24 – Wake Up Call

No matter how hard I try today I can't seem to stop snacking. Every day this week I've been wasting 500 calories on snacks. I just wish I had any idea how to stop it, since will power alone is getting me nowhere.

I also have to think about how I’m going to increase my activity levels. I’m in day two of my twelve week Fitbit programme and I’m hitting the targets but only just, so if I don’t change something soon I’m never going to reach my goals next week.

I know this is a long term goal and there are no quick fixes, but sometimes it's just hard to see how I'm ever going to get there. I was doing really well last year and after only a few weeks of giving up I'm now in a worse starting point than I was last year.

16 Jun

Day 22 – What a week

Well I've not been doing too well of late. The last two weeks have seen me spend more time in front of one computer or another than is healthy. From turning Excel into a poor man's relational database, to doing some long overdue homework and finally rebuilding my primary server after a failed Ubuntu 14.04 upgrade. The downside to all this has been snacking, and very little exercise. Now it's time for change.

I spent the weekend updating my Drupal [Fitbit](http://nx15.at/myfitbit) plugin and adding more graphs and more importantly bringing the information I want most to the front page. So now for the hard part, filling up the progress bars.

I've started another Fitbit twelve week improvement plan; hopefully I will see myself increasing my admittedly terrible activity levels from abysmal to moderate – I am, if nothing else, realistic.

28 May

Day 3 – Another Shocker

Another shocker today: I'm over my budget, but only by 301 calories. The surprise is I slipped badly at work and snacked my way through another late night. If you take the 885 calories of snacks out of my day I could have ended with 584 calories.

People may be wondering why I'm focusing on the numbers so much. This week is about logging and nothing else. I'm trying to make the healthy choice, but I'm also trying to be honest about what I'm actually eating. It's in this honesty that I'm able to look back and, with hindsight, see the healthy choice I could have made. For example, today I should have stayed away from the Boost bar and rice crackers!

27 May

Day 2 – The Saga Continues

Another full day under my belt and, for reasons I may never understand, I am under my calorie budget. Breakfast I can say was good, but after that things went a little off the rails.

Lunch was delicious, but it was still a sausage roll and beans. Dinner fared no better. In fact I had two of them. What started as peanut butter sandwiches turned into lamb stew and bread, as well!

My weight and Body Fat trends are still on the rise but they are levelling out a bit. This is only day two and these things take time, the fact that breakfast was healthy is a big step for me. With one day down another day will start soon, just need to wait and see how that one goes.

26 May

Day 1 – My Silent Return

According to MyFitnessPal I was only a couple of weeks away from my first year; the problem was, since I stopped logging I was only signing in to check other people's status updates, and reaching a year like that seemed too much like cheating, so instead I decided to reset my counter. My new count starts from today.

My friends and family will know or have noticed I burnt out after my skiing trip this year. It's hard to explain why, but the best I can put it is that coming home after a week of daily and intense exercise to find I weighed the same as when I started all this last May was possibly too much for what was a tired and possibly jet-lagged mind. So I stopped trying. Of course after that it quickly became a self-perpetuating cycle. Couple that with completing work on my Fitbit plug-in and my drive and enthusiasm slipped away.

The first thing to do is stop looking at my weight. For me it's like clock watching between half five: the more you look the worse it becomes. I know I want to track my weight and I know I want to see progress, but I don't want to be in the situation where a small hiccup spoils weeks of work. So how do I do it? Since my Fitbit scale syncs with their site I don't need to see it each day; if I really want to know I can check on the site. If I use my own site or TrendWeight I'll always see the bigger picture.

The blog has to start again. I used to post daily and at some point decided it was a 'good idea' to step down the frequency of posts, but it was a bad idea. I became complacent on days I didn't post, and on the days I was supposed to post I skipped the bad days.

At this point I'm not sure of all the details and can't even admit to having a proper plan, just the intention of a plan.

OpenPGP: How I Sign Keys
11 May

Signing is a very personal thing. You are telling the world you believe a key belongs to the person who is claiming it. The value of a web of trust comes from the fact you are willing to put your reputation behind this assertion.

Everyone will treat signing differently. Some may feel bumping into someone at a conference is sufficient; others may want a full DNA breakdown with supporting evidence from three expert witnesses. I like to think I'm somewhere in the middle and have documented my signing policy. This page is about how I sign a key and what you need to do next.

Prerequisite

In order to sign a key you need the master key, and as detailed in my key creation guide I keep my master key separate from my normal key store, so I cannot do any signing during events. Instead I sign all keys at home, then get the signed public key back to you.

The Act

Like all repetitive tasks, I have created a script for that, which you can download from its project page. The script does five things:

  1. First, download the key to be signed into my keystore
  2. Sign all key identities associated with that key
  3. Export the signed public key
  4. Encrypt it
  5. Finally, delete the signed public key from the keystore and re-download the unsigned version from the public key server

Next

Now I have an encrypted file containing the key I have just signed, but I do not have a signed copy in my key store. My preferred way of getting a signed key to you is by email. Since I have encrypted the signed file you have to have access to the private key and email address in order to use it, and I feel this adds a level of additional verification that you really do have control of the key I just signed; after all, there are many reasons you might not – I mean, I could have just signed the wrong key.

You may have noticed my bash script now leaves me without a signed copy of your key; this was a deliberate step. I said above that by emailing you I am able to assure myself I have not only signed the right key but that you have access to the correct email box. Once you import the key and push it back out to your key server I will retrieve a copy from there.

What do you do now?

If you receive a signed key from me you simply need to run the following command:

PGP will ask for your password, import the newly signed key and verify the attachment was signed with my primary key, fingerprint: BB2C EB25 BE05 16A7 A9C6 F2FB EEB4 96E6 1FA1 E814. It is now up to you to send your newly signed key back to a server for the rest of the world to see.
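As an added example (not the author's script, which is on their project page), the five steps above are written out as gpg commands, followed by the import command the recipient runs. The keyserver scheme, file names and the signer parameter are assumptions. One check worth having in such a script, and included here, is that it only accepts the full 40-hex-digit fingerprint: the 8-digit short ID is just the last 32 bits of the fingerprint, and more than one key can share it, so signing by short ID is exactly the "signed the wrong key" case the post mentions.

```shell
#!/bin/sh
# Added example: the five signing steps from the post, as gpg commands.
# The keyserver is the host the post names; the hkp:// scheme is assumed.

set -eu

KEYSERVER=${KEYSERVER:-hkp://sks.research.nxfifteen.me.uk}

# normalize_fpr STR: strip the spaces gpg prints ("BB2C EB25 ...") and upper-case.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# valid_fpr STR: true only for exactly 40 hexadecimal digits (a v4 fingerprint).
valid_fpr() {
    case "$1" in
        *[!0-9A-F]*|'') return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# sign_key FPR SIGNER: the five steps. SIGNER is the fingerprint of the master
# (certifying) key, which in the post's setup exists only on the offline laptop.
# Prints the name of the encrypted file to email to the key's owner.
sign_key() {
    fpr=$(normalize_fpr "$1")
    valid_fpr "$fpr" || { printf 'refusing to sign: %s is not a full fingerprint\n' "$1" >&2; return 1; }
    signer=$(normalize_fpr "$2")
    out="$fpr-signed.asc"

    gpg --keyserver "$KEYSERVER" --recv-keys "$fpr"             # 1. fetch the key to be signed
    gpg --batch --yes -u "$signer" --sign-key "$fpr"            # 2. certify every user ID on it
    gpg --armor --export "$fpr" > "$out"                        # 3. export the now-signed public key
    gpg --armor -u "$signer" --sign --encrypt \
        --recipient "$fpr" --output "$out.gpg" "$out"           # 4. encrypt to the owner, signed by us
    rm -f "$out"
    gpg --batch --yes --delete-keys "$fpr"                      # 5. drop the signed copy ...
    gpg --keyserver "$KEYSERVER" --recv-keys "$fpr"             #    ... and refetch the unsigned one
    printf '%s\n' "$out.gpg"
}

# import_signed_key FILE: what the recipient runs. Decrypting needs their private
# key, gpg reports whose signature is on the message, and the certification is
# imported into their keyring ready to be pushed back to a keyserver.
import_signed_key() {
    gpg --decrypt "$1" | gpg --import
}
```

`gpg --sign-key` certifies all user IDs on the key at once; `--batch --yes` answers its confirmation prompt so the script needs no interaction beyond the master key's passphrase.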

05 May

Install SSH Key In A Remote Linux Server

I've been setting up a new server and, as always, the first things to do are forbid root login using a password and install my SSH keys. Once again I had to Google how to do this, so I thought I would write about it instead.

After creating a new SSH key, if you don't already have one, you can install it on the target computer using the ssh-copy-id command, which installs your key directly onto the machine.

There are many ways to use the ssh-copy-id command:

  1. Create the SSH keys:

  2. Install the public key:

  3. If you do not have ssh-copy-id installed on your PC, this will also work:
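As an added example (not from the original post), the three steps above are written out, together with the sshd change the post opens with: forbidding root password logins. This also covers items 4 and 5 of the security checklist earlier on the page. The key path, user@host and file names are assumptions. The audit and hardening functions take the sshd_config path as a parameter, so they can be tried on a constructed copy before /etc/ssh/sshd_config is touched.

```shell
#!/bin/sh
# Added example: install an SSH key (with and without ssh-copy-id), then audit and
# harden sshd_config so that only keys are accepted and root cannot use a password.

set -eu

KEY=${KEY:-${HOME:-.}/.ssh/id_ed25519}     # assumed key path; ed25519 is the modern default
TARGET=${TARGET:-user@server.example}      # assumed user@host

# make_key: step 1. Answer the passphrase prompt; it protects the private key if
# the laptop carrying it is lost.
make_key() {
    [ -f "$KEY" ] || ssh-keygen -t ed25519 -f "$KEY" -C "$(whoami)@$(hostname)"
}

# copy_key: step 2, with ssh-copy-id.
copy_key() {
    ssh-copy-id -i "$KEY.pub" "$TARGET"
}

# copy_key_manual: step 3, the same thing without ssh-copy-id. umask 077 makes the
# new ~/.ssh 700 and a new authorized_keys 600, which sshd insists on.
copy_key_manual() {
    ssh "$TARGET" 'umask 077; mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys' < "$KEY.pub"
}

# sshd_setting FILE KEYWORD: the effective value of KEYWORD. sshd uses the FIRST
# occurrence of a keyword, unlike most config formats; empty if it is not set.
sshd_setting() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# audit_sshd FILE: one "WARN ..." line per setting that still allows what the post
# wants forbidden; prints "ok" and succeeds when there is nothing to report.
# Unset keywords are judged by sshd's defaults: PermitRootLogin prohibit-password
# (OpenSSH 7.0 and later) and PasswordAuthentication yes.
audit_sshd() {
    findings=0
    prl=$(sshd_setting "$1" PermitRootLogin); prl=${prl:-prohibit-password}
    pa=$(sshd_setting "$1" PasswordAuthentication); pa=${pa:-yes}
    case "$prl" in
        yes) printf 'WARN PermitRootLogin %s: root can log in with a password\n' "$prl"; findings=$((findings+1)) ;;
    esac
    case "$pa" in
        yes) printf 'WARN PasswordAuthentication %s: keys are not required\n' "$pa"; findings=$((findings+1)) ;;
    esac
    [ "$findings" -eq 0 ] && printf 'ok\n'
    return "$findings"
}

# harden_sshd FILE: set the two keywords in place, keeping a .bak copy. Run it only
# after a key login has been verified from a second terminal, or you lock yourself out.
harden_sshd() {
    cp "$1" "$1.bak"
    sed -i -e 's/^[#[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin prohibit-password/' \
           -e 's/^[#[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' "$1"
    grep -q '^PermitRootLogin[[:space:]]' "$1" || printf 'PermitRootLogin prohibit-password\n' >> "$1"
    grep -q '^PasswordAuthentication[[:space:]]' "$1" || printf 'PasswordAuthentication no\n' >> "$1"
}
```

After `harden_sshd /etc/ssh/sshd_config`, run `sshd -t` to syntax-check the file and then reload the service; keep the existing session open until a fresh key-based login succeeds.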

OpenPGP: My Keys
03 May

It's May again and the sun has finally made an appearance. With summer comes the regular spring cleaning, and it seems as good a time as any to update my public encryption keys. My previous keys were cryptographically less secure, 2048-bit compared to 4096-bit. I have also learnt a lot more about best practices when managing keys and feel it's about time to put everything I've learnt into effect.

My Secondary key 0xB784045B remains the same. This key was and has always been stored offline in a TrueCrypt volume using a 4096-bit key, so I always have been, and still remain, confident about its security. I am replacing my Primary key using the full key creation and cross signing guide. This new key is also covered by my signing policy.

My OpenPGP Keys

Below are listed my current PGP keys, including my Primary key and Secondary key. The key ID is a short identifying mark for all keys. It is made up of two components separated by a slash. The first identifies the strength and algorithm of the key, so 4096R means it's a 4096-bit RSA key. The second is the last 8 digits of the key fingerprint. These are the short form of identification. The key's full identification is its fingerprint, 40 hexadecimal digits.

The key also carries its creation and expiry dates. All my keys expire, in case of loss or compromise, but it is my intention to keep extending the expiry date for as long as I remain confident of their security.
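To make the fingerprint/key-ID relationship concrete, and to show the check you should do with any key you fetch, here is an added example (not part of the original post): it derives the short and long key IDs from a fingerprint and compares a downloaded key file against the fingerprint you were given out of band, before anything is imported. The fingerprints in the usage lines are the ones published on this page; GnuPG 2.1.14 or later is assumed for the show-only import option.

```shell
#!/bin/sh
# Added example, not from the original post: derive the short and long key ids
# from a fingerprint, and check a key file against the fingerprint you expect
# BEFORE importing it into your keyring. The fingerprints in the usage lines are
# the ones listed on this page; gpg 2.1.14 or later is assumed for the
# "show-only" import option.
set -eu

# A v4 fingerprint is 40 hex digits; the long key id is its last 16, the
# short id its last 8.  Usage: key_id "<fingerprint, spaces allowed>" short|long
key_id() {
  fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  case $2 in
    short) printf '%s\n' "$fpr" | tail -c 9 ;;    # 8 digits plus the newline
    long)  printf '%s\n' "$fpr" | tail -c 17 ;;   # 16 digits plus the newline
    *)     echo "key_id: want short or long" >&2; return 2 ;;
  esac
}

# Primary-key fingerprint(s) in an exported key file, without importing it.
# With --with-colons the first "fpr" record after each "pub" is the primary.
fingerprints_in_file() {
  gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null |
    awk -F: '$1 == "pub" { want = 1; next } $1 == "fpr" && want { print $10; want = 0 }'
}

# Exit 0 only if the file holds a key whose full fingerprint equals the one you
# were given out of band (business card, DNS record, key-signing party).
# Comparing the short id alone is not enough: a key with any chosen 32-bit
# short id is cheap to generate.
# Usage: verify_fingerprint key.asc "<expected fingerprint>"
verify_fingerprint() {
  expected=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
  fingerprints_in_file "$1" | grep -qx "$expected"
}

# The ids on this page, as derived from the published fingerprints:
echo "primary   short=$(key_id 'BB2C EB25 BE05 16A7 A9C6 F2FB EEB4 96E6 1FA1 E814' short)" \
     "long=$(key_id 'BB2C EB25 BE05 16A7 A9C6 F2FB EEB4 96E6 1FA1 E814' long)"
echo "secondary short=$(key_id '2642 7F79 DA14 44C4 CBE9 23BB 22C7 2B37 B784 045B' short)"
```

Usage: save the key you downloaded as key.asc and run verify_fingerprint key.asc "BB2C EB25 BE05 16A7 A9C6 F2FB EEB4 96E6 1FA1 E814"; only on exit status 0 should you gpg --import it.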

Primary OpenPGP Key

0x1FA1E814

The key listed below (and on /about/me) is my main key, for everyday use. It can be considered acceptably safe, as I take great care to keep it that way. However, since it is my main key it has to be stored on other devices such as laptops, mobile phones and tablets, which exposes it to theft.

Following the advice in the Debian Subkeys wiki I have created a separate subkey for signing. This means the key stored on my devices does not contain the master key, which is kept separately in a TrueCrypt volume on an offline laptop that doesn’t leave the house. Signing other people’s keys is still done with the master key, so I cannot do it during key-signing events; I have to do it once I get home again. See my full key-signing policy for how I manage this.

The most recent version of this key is available from the key server at sks.research.nxfifteen.me.uk or as a download here (PGP Key: 0x1FA1E814). It is also published in my DNS as a PKA record: if you issue the command dig +short stuart._pka.nxfifteen.me.uk. TXT the returned record carries the key’s fingerprint, which should match the one given here.

If there ever comes a time when I can no longer assure myself of this key’s security or integrity, I have revocation certificates stored in a number of safe locations.

pub 4096R/1FA1E814 Created: 2014-05-04
Key fingerprint = BB2C EB25 BE05 16A7 A9C6 F2FB EEB4 96E6 1FA1 E814

SmartCard OpenPGP Key

0xB7266A16

The most recent version of this key is available from the key server at sks.research.nxfifteen.me.uk or as a download here (PGP Key: 0xB7266A16).

If there ever comes a time when I can no longer assure myself of this key’s security or integrity, I have revocation certificates stored in a number of safe locations.

pub 2048R/B7266A16 Created: 2014-05-04
Key fingerprint = 0E06 2B0D 4E2D BE43 29B9 1C01 9FCD F90A B726 6A16

Secondary/Alternate OpenPGP Key

0xB784045B

A second key is also available, which can be considered extremely safe: it has never been stored on any networked computer (the keys are kept on a TrueCrypt-protected USB drive in a safe location) or transmitted over any internet connection, so please be patient if you require a reply.

This key is available from the key server at sks.research.nxfifteen.me.uk or as a download here (PGP Key: 0xB784045B).

For verification purposes my other keys are always cross-signed with my secondary key.

Feel free to use the following public key if you are concerned or paranoid about what you wish to send to me; if in doubt, you should probably use my primary key instead.

pub 4096R/B784045B Created: 2011-09-19
Key fingerprint = 2642 7F79 DA14 44C4 CBE9 23BB 22C7 2B37 B784 045B

Chairman of The Software Society OpenPGP key

0x69AA4946

Since April 2012 I have held the position of Chairman of The Software Society Ltd. On the 23rd of March this year, 2013, it was decided that the board of directors and office bearers (Chairman, Company Secretary and Chief Financial Officer) should all create and use OpenPGP keys for all official business.

It was also decided that each office bearer’s key should last as long as they are in office, the new incumbent creating a new key upon their election.

To this end, during my time in the post my key will be 0x69AA4946 and will be subject to the same signing policy as has been in use for my personal key.

pub 2048R/69AA4946 Created: 2013-03-24
Key fingerprint = CFAE 70BC 1735 BF50 C993 DACB 6415 6795 69AA 4946

Retired Keys

I have been using PGP on and off since about 2008. In that time many keys have come and gone; I did not set expiry dates on most of them and never thought to generate or use revocation certificates. The nature of OpenPGP and the Web of Trust means there is no way to remove these keys retrospectively: without the private key or a revocation certificate they stay on the key servers, unexpired, indefinitely. The best I can do now is list them here. Do not use any of the keys listed below. This is not a complete list, only the ones I can no longer revoke.

0x5DCC0296, 0x541784DD, 0x132DED8D, 0xC5751341, 0xCB52DED2, 0xC941927D, 0xDFA274F2, 0x9F9A8CE0, 0x2DF1892D, 0x843D80BA, 0xA7EEB609

OpenPGP: How does PGP work?
03 May


How does it work

The magic, and I call it magic because I freely admit I do not have the mathematical background to explain it better, of this system is that if you encrypt something with the public key only the private key can decrypt it, and vice versa. So someone holding only the public key cannot decrypt something encrypted with that public key; only the private key will decrypt it. The same is true in reverse: something encrypted with the private key can only be undone with the public key, and in practice that is no problem, because whoever holds the private key holds the public key as well. (Strictly, this “encrypt with the private key” picture describes RSA; signature algorithms such as DSA and EdDSA do not work that way, but the hash-then-sign structure described below is the same for all of them.)

Now, when I write an email and want to sign it, PGP takes the message or file (for simplicity I’ll stick to email as my example) and runs it through a cryptographic hash such as SHA-256. A hash is a one-way process: hash a block of text with SHA-256 and you get a fixed-length string that looks like gibberish to a human. The important part is that it is always the same. No matter how many times you run the same block of text through SHA-256 you get the same gibberish, while changing a single character changes the result completely, and you cannot work backwards from the hash to the text. PGP then uses my private key to sign that hash and includes the result either as an attachment to the email or at the bottom of the body.

To verify the integrity of an email, the receiving PGP-aware application uses the public key to check the attached signature and reads the hash it covers. If the signature had been altered in any way, the public key would no longer validate it, so a successful check already proves the signature was made with the matching private key. The receiving copy of PGP then runs the email through the same hash, SHA-256, and compares the hash from the signature with the one it has just computed. If the two match the email is verified and you can be sure it has not been altered in transit.

How about encrypted messages

The process for full message encryption is slightly different. The problem with public-key cryptography is that it is expensive in CPU time, and for large messages it is impractical to encrypt the whole message with the recipient’s public key, so instead we use symmetric-key encryption. Unlike public-key encryption, symmetric-key encryption uses the same key to encrypt and decrypt a message.

So now when I send an encrypted message PGP signs the message as described above, generates a large random symmetric key (the session key) and uses it to encrypt the message. Now we have an encrypted block of text and a key to decrypt it again, and we have to get both to the recipient without the key becoming public, so we call on public-key cryptography again. Using the recipient’s public key we encrypt the session key and place it at the start of the encrypted message (inside the PGP data itself, not in the email headers). At the other end the recipient uses their private key to decrypt that first part, recovering the session key, and then uses it to decrypt the rest. This also lets you send the same email to multiple recipients: the message is encrypted once, and all we have to do is use the public key of each person to encrypt a copy of the session key.
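You can watch exactly this structure with GnuPG. The following is an added example, not something from the original post: it generates two throw-away keys (the names alice and bob, the addresses and the message are made up) in a temporary GNUPGHOME, signs and encrypts one message to both of them, and then counts the per-recipient “pubkey enc” packets at the front of the ciphertext and the good signature on decryption. GnuPG 2.1 or later on the PATH is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: use GnuPG itself to show the
# sign-then-hybrid-encrypt scheme described above. Two throw-away keys, alice
# and bob, are generated in a temporary GNUPGHOME; names, addresses and the
# message are made up. Assumes gpg 2.1 or later on the PATH.
set -eu

# Fresh, private keyring so nothing touches your real keys. Both secret keys
# live here for the demo; in real life bob's keyring holds only his own secret
# key plus alice's PUBLIC key.
setup_home() {
  GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
  for who in alice bob; do
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$who <$who@example.invalid>" default default never 2>/dev/null
  done
}

# alice signs (hash of the plaintext, signed with her private key) and encrypts
# to BOTH recipients: the body is encrypted once with a random session key and
# that session key is wrapped once per recipient encryption subkey.
sign_and_encrypt() {
  printf 'meet at noon\n' > "$GNUPGHOME/msg.txt"
  gpg --batch --pinentry-mode loopback --passphrase '' --trust-model always \
      --local-user alice@example.invalid \
      -r alice@example.invalid -r bob@example.invalid \
      --sign --encrypt -o "$GNUPGHOME/msg.gpg" "$GNUPGHOME/msg.txt" 2>/dev/null
}

# Number of "pubkey enc" packets at the front of the message: one per recipient.
# This is the encrypted session key the post talks about; the email headers
# are not involved at all.
session_key_packets() {
  gpg --batch --list-packets "$GNUPGHOME/msg.gpg" 2>/dev/null | grep -c '^:pubkey enc packet:'
}

# Decrypt: gpg unwraps the session key with a matching private key, decrypts
# the body, then re-hashes the plaintext and checks alice's signature.
# Returns the number of GOODSIG status lines (1 when the signature checks out).
good_signatures() {
  gpg --batch --pinentry-mode loopback --passphrase '' --status-fd 1 \
      --decrypt "$GNUPGHOME/msg.gpg" 2>/dev/null | grep -c '^\[GNUPG:\] GOODSIG'
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
  setup_home; sign_and_encrypt
  echo "session-key packets: $(session_key_packets)"   # one per recipient
  echo "good signatures:     $(good_signatures)"
  gpg --batch --list-packets "$GNUPGHOME/msg.gpg" 2>/dev/null   # the full packet dump
fi
```

Run with RUN_DEMO=1. The packet dump is the useful part: two pubkey enc packets (one per recipient, each naming the encryption subkey it was wrapped for) followed by a single encrypted data packet, which is why adding a recipient costs one small packet rather than a second copy of the message.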

Why Isn’t It Used More

PGP key management is hard work. Generating keys, managing them and adding support to email applications that do not already have it is not for the faint-hearted, and the process is quite geeky. So while support is there it is not easy to use; in simple terms it doesn’t yet pass the granny test.

I hope this will change in future, and by signing the majority of my messages and writing these posts I would like to think that I can make it a little easier to get involved. Cryptography, and PGP in particular, is a subject I am interested in. I have given several talks to The Software Society (my local LUG) on the topic and plan to give another over the summer in the hope of raising awareness in my little corner of the universe.

If you have any questions or struggle to implement PGP in your own corner, please drop me a line and I will do the best I can to help. Even if, like me, you see little reason to encrypt your emails, being able to sign them is a huge deal in a world of spam and viruses distributed by email, often appearing to come from an address you know.

OpenPGP: How do I create a OpenPGP Key?
03 May


Creating a Secured Key

When you build a PGP key you are going to start using that key to verify your identity, so like all other forms of identification you have to protect it. Unfortunately, to make PGP usable you can’t keep your private key permanently locked in a safe; you need a copy of it on your computer, phone, tablet, laptop, basically anywhere you want to send signed emails or decrypt messages you receive.

So what do you do if your phone or laptop is stolen? Even if you have secured your private key with a strong passphrase, it is still at risk from someone with direct access to it, who can run an offline guessing attack at their leisure.

Protection Using Subkeys

There isn’t a lot of information on the web about how to secure your key in this situation. I was able to find a few reference sites, most notably the Debian wiki page on subkeys.

When you create an OpenPGP key with GnuPG you are actually creating two: a primary (master) key used for certification and signing, and an encryption subkey. It’s the master key that is your identity and the one you need to protect, so after creating a new OpenPGP key you create a further subkey just for signing.

This way the only things stored on your mobile device are your encryption subkey and your signing subkey. If you lose control of your laptop but still retain control of your master key, you can revoke the signing and encryption subkeys and create replacements.

If an attacker were able to break your passphrase they would get access to anything ever encrypted to the stolen encryption subkey, including mail sent after the revocation by people who have not refreshed your key. They could also sign emails and files with the stolen signing subkey, but once the revocation has reached the key servers and the recipient has refreshed your key, any PGP application will see that the signing subkey was revoked and refuse to validate the signature. Note the two conditions: the revocation has to be published, and the verifier has to fetch it, so publish promptly and encourage your correspondents to refresh.

So how do we do it?

Step-By-Step

Creating the Keypair

Use the gpg --gen-key command to create the new key pair (on GnuPG 2.1 or later use gpg --full-gen-key if you want to choose the algorithm and key size yourself).

You will be prompted for a passphrase; make it a secure one, hard to guess and one you won’t forget, and keep it safe. If you lose your passphrase you lose control over your key and will have to start again.

Preferred Hash

PGP uses hashes throughout the signing and encryption process; I’ve explained this better on the “How it works” page. To strengthen your key you can set its preferred hashes. This matters because, as time moves on and computers become more powerful, weaknesses are found in hashes previously thought secure, such as SHA-1, and the preference list tells your correspondents’ software which algorithms to use when writing to you.

Use the gpg --edit-key command and, at the prompt, enter the command setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed, then save. Order matters: algorithms are listed most-preferred first, which is why the old 64-bit block cipher CAST5 appears only as a last resort for software that cannot do AES.

Subkey for Signing

OpenPGP subkeys work like normal (master) keys, except that they are bound to the master key by a signature from it, and they can be used for signing or encryption. What makes them useful here is that they can be revoked and stored independently of the master key.

Again use the gpg --edit-key command and type addkey. Select a sign-only key, either 3 or 4 depending on whether you want DSA or RSA. After the new key is ready type save.

Revocation Certificate

Since we are creating subkeys we do not have to worry about theft of a laptop or phone: in that case you would still use your master key to revoke only the affected subkeys. What I describe below is for when you lose your master key and must revoke everything.

If you ever lose your private key you will have no way of generating the revocation certificate needed to revoke your key. So best practice is to generate that certificate now and store it in a safe place in case you need it later. (GnuPG 2.1 and later also write one automatically into openpgp-revocs.d in your GnuPG home directory when a key is created; treat that file with the same care.)

You can do this from the command line with the command:

I have also written a bash script that automates creating these certificates. More information is available from the project page.

Export The Final Product

Now export your key pair. You can export both the private key and the public key using these commands:

You should protect these two files. Do not keep them on your laptop or mobile. The private file we exported contains your master key; losing it could compromise your entire key pair.

Creating your Laptop Key

Now that your master key is ready you can create your laptop key. GPG does not make this easy, but with a little trickery you can make it work. These instructions assume you created your master key on your laptop; if you created it on your desktop machine you can skip step two and not delete your secret key.

  1. Start by exporting your subkeys: gpg --export-secret-subkeys 1FA1E814 > 1FA1E814.sub.gpg
  2. Next delete the master key from your keyring: gpg --delete-secret-key 1FA1E814
  3. Now reimport the subkeys into your keyring (or, if you are not working from your laptop, import them there): gpg --import 1FA1E814.sub.gpg. Check the result with gpg --list-secret-keys: the master key should now show as sec# rather than sec, the # meaning its secret part is absent and only the subkeys (ssb) are usable.

Using your new key

You can now use your laptop key pair to sign, decrypt or encrypt emails and files. If you want to sign someone else’s key, or revoke a subkey attached to your master key, you need the original master key.

Now that your key is ready for public consumption you can start sharing it. You can distribute your key any way you like, but the simplest solution is to send it to a key server:

There are hundreds of key servers online, but you don’t need to send your key to all of them. In most cases any key server you use will distribute your public key to the others. This process is automatic, but it can take a few days for your key to appear on them all.
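The whole procedure above, from key generation to a laptop keyring that holds only the subkeys, can be run non-interactively so you can rehearse it before doing it on a real key. The script below is an added example, not the original post’s commands: it works in a throw-away GNUPGHOME, and the user ID, the preference list (the post’s list with CAST5 and BZIP2 left out) and the one-year subkey expiry are assumptions. GnuPG 2.1 or later is required for the --quick-* commands and for the revocation certificate it writes automatically.

```shell
#!/bin/sh
# Added example, not the original post's commands: the procedure above run
# end to end, non-interactively, in a throw-away GNUPGHOME, finishing with a
# "laptop" keyring that holds only the subkeys. The user id, the preference
# list (CAST5 and BZIP2 dropped from the post's list) and the one-year subkey
# expiry are assumptions; gpg 2.1 or later is required for the --quick-*
# commands and the automatically written revocation certificate.
set -eu

USER_ID="Example User <user@example.invalid>"

# 1. Master key, with the preferred hash/cipher list baked in at creation
#    (same effect as "setpref ..." followed by "save" inside --edit-key).
gen_master() {
  GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
  gpg --batch --pinentry-mode loopback --passphrase '' \
      --default-preference-list 'SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES ZLIB ZIP Uncompressed' \
      --quick-gen-key "$USER_ID" default default never 2>/dev/null
  FPR=$(gpg --batch --with-colons -K "$USER_ID" 2>/dev/null | awk -F: '$1 == "fpr" { print $10; exit }')
}

# 2. Signing-only subkey (interactive route: --edit-key, "addkey", option 4
#    "RSA (sign only)", then "save").
add_signing_subkey() {
  gpg --batch --pinentry-mode loopback --passphrase '' \
      --quick-add-key "$FPR" default sign 1y 2>/dev/null
}

# 3. Revocation certificate. gpg 2.1+ writes one when the key is created; keep
#    it, like the master export below, off the laptop. Interactive equivalent:
#    gpg --output revoke.asc --gen-revoke "$FPR"
revocation_cert_exists() {
  [ -s "$GNUPGHOME/openpgp-revocs.d/$FPR.rev" ]
}

# 4. Exports: full secret key and public key for the offline store, then the
#    subkeys only, which is what the laptop gets.
export_keys() {
  gpg --batch --pinentry-mode loopback --passphrase '' --armor \
      --export-secret-keys "$FPR" > "$GNUPGHOME/master.sec.asc"
  gpg --batch --armor --export "$FPR" > "$GNUPGHOME/master.pub.asc"
  gpg --batch --pinentry-mode loopback --passphrase '' \
      --export-secret-subkeys "$FPR" > "$GNUPGHOME/subkeys.gpg"
}

# 5. Turn this keyring into the laptop keyring: delete the secret master key
#    and re-import the subkeys. In batch mode the key must be given by full
#    fingerprint, and --yes stops gpg-agent asking for confirmation.
make_laptop_keyring() {
  gpg --batch --yes --delete-secret-keys "$FPR" 2>/dev/null
  gpg --batch --pinentry-mode loopback --passphrase '' \
      --import "$GNUPGHOME/subkeys.gpg" 2>/dev/null
}

# The check: "sec#" means the master key's secret part is absent (only a stub
# is left); the "ssb" lines are the subkeys you can still use. Returns 0 when
# the master is offline and both subkeys (encryption and signing) remain.
master_is_offline() {
  listing=$(gpg --batch --list-secret-keys "$FPR" 2>/dev/null)
  printf '%s\n' "$listing" | grep -q '^sec#' &&
    [ "$(printf '%s\n' "$listing" | grep -c '^ssb')" -ge 2 ]
}

run_all() {
  gen_master; add_signing_subkey; revocation_cert_exists
  export_keys; make_laptop_keyring; master_is_offline
}

# Publishing the public key is the only network step (not run here):
#   gpg --keyserver hkps://keys.openpgp.org --send-keys "$FPR"
if [ "${RUN_DEMO:-0}" = 1 ]; then
  run_all && echo "master key offline; laptop keyring holds only subkeys" \
          && gpg --batch --list-secret-keys "$FPR"
fi
```

Run with RUN_DEMO=1 and read the final listing: sec# on the first line is the proof that the master key is no longer on this machine, and it is the line to look for on any laptop keyring before you trust that the procedure worked.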

OpenPGP: Encryption should be easier than this
02 May


Why I Digitally Sign My E-Mail

Most e-mails I send are digitally signed using “Pretty Good Privacy”, commonly referred to as PGP; the open standard is OpenPGP and the free implementation I use is GnuPG. PGP has been around since 1991 yet is still not commonly supported by the majority of email clients, at least in the Microsoft ecosystem, or by webmail applications like Gmail or Yahoo Mail. When a digitally signed email is displayed in an application that does not support PGP you may see one of two things: either there will be an attached PGP signature file, or the message will end with a block starting “BEGIN PGP SIGNATURE” followed by what looks like gibberish. These components are used by PGP-aware applications to cryptographically verify the identity of the sender. If you also use PGP I could send you encrypted email so that only you can read it. Over the next few pages I will give some background on PGP and why I use it.

Email Attachments

Since implementing PGP in all my email clients I no longer open attachments or click links in unsigned emails. Like all security-minded people I know this rule will cause problems for some and makes the internet a less user-friendly place, but with the amount of spam and malware delivered by email, often coming from addresses you know, there is no better protection available; likewise I will never send an attachment unsigned.

Background

In 1991 PGP was created by Phil Zimmermann as a way to digitally sign or encrypt messages and files. This is achieved using public-key cryptography. When you create a PGP key you are creating two very large numbers that are mathematically related, but it is computationally infeasible to derive one from the other. So you now have two keys, one private and one public, and as the names suggest you must keep the private key secret, but you can share the public key with the world.

I was planning to include a section on this page detailing how PGP works, but as I started writing it quickly grew beyond the scope I had intended for this introductory page. If you are interested in the propeller-hat explanation of how PGP can encrypt and digitally verify messages you can find it on the “How does it work” page.

My Keys

My public keys are published all over the net: on key servers, in my DNS records, on this site on my “OpenPGP Keys” page and on some mailing lists. That is how you want your public keys after all.

Friday – Week 17 Day 5
21 Feb


Tomorrow I start my skiing holiday in France, and by this time I’d hoped I would be better prepared, but I’m not. My last-week dash to get ready was not enough time to make a difference.

Well, I was able to make some difference. In the last week I was able to improve my diet but didn’t increase my activity level the way I wanted. Never mind. For the next week I will probably not be online the way I have been before, but we’ll see what happens over the next few days.

I will be around as much as I can, but it may be on and off.

15 Feb

The Return – Week 16 Day 6

I’ve been away for some time now, not recording my meals, not really paying the attention I should and taking almost no exercise. In the last few days I’ve started coming around. I can see what is happening and what has happened.

I’ve no idea why this has happened. I know better than most what my mood swings can be like; if I could plot them out they’d look like a strange sine graph. This week I hit the lower end and am now starting to climb up the other side. I think I’m somewhere here…

Today marks seven days before I go to France for a week’s skiing. I had hoped I would be a lot fitter by now but I’m not, and there is little point in dwelling on that. I still have seven days and that is enough to make a difference. If I really put in the effort I want to, I can improve myself before I go, so while I’d wanted to have done more by now, at least I’m coming out of the dip while there is still a week ahead.

When I stepped on the scales this morning I was 78.9 kg and had 22.5 % body fat. I would like to get both of these down, but not having done a full week routine I can’t say how much by. I will obviously be on the scales again before I leave so we will see what progress is made.

Shall we just say this, week 17, will be a better week than the weeks that precede it.

05 Feb

Wednesday – Week 15 Day 3

Sadly I have very little to report tonight. I still haven’t managed to recover from my day off last week, which has just gone to show my desire to be fit and healthy still hasn’t sunk to the level of routine, but I still have faith. I was out on Monday so forgot to blog, and that bothered me more than I’d have expected, and in all honesty tonight’s blog is nothing to write home about either.

The only upside is I have gone back to my diet and am eating sensibly again, so my main focus now must be exercise; it’s always been my weakest point and so must be where I put the most attention.

I have a couple of days off work this week, so I am hoping to make up for some lost time then if I don’t beforehand. I will keep my eye on this more closely than before.

Wednesday – Week 14 Day 3
29 Jan


This is a logging day but I am really struggling to put one together. Since getting back from work I’ve been working on a side project to put some heart rate data onto Fitbit from my Polar H7 Bluetooth heart rate sensor, which has rather distracted me from blogging the way I wanted to.

However, I’ve had a good couple of days. Both this morning and yesterday I hit the treadmill and did some weights as well as other body-weight exercises; all in, I’ve been spending at least an hour working out both mornings. My diet, however, isn’t working as well. I’ve been slipping at work, but I’ve traced this down to my workload. My day job is in a call centre, and when no one is calling I start to nibble; eventually this just builds up, so I’m not ending my days as much under budget as I would like. I am, however, pleased with what I’ve been eating, on the whole anyway.

Unfortunately my new-found exercise hasn’t found its way to the scales yet. My weight is steadily climbing, which is easy to put down to muscle gain, but I’m sceptical this would happen so quickly when I still have weight to lose. For now my focus is completely on my body fat %, which is decreasing, but looking at the graph this morning saw a huge plummet and I really don’t believe that is here to stay. I’m really wary of any of these miraculous overnight changes; I am expecting everything to be a more gradual progression and that is what I’m looking for, but I won’t object too much if the miracle sticks around.

Tomorrow is my day off, so no food logging, only water. I’ll decide when I wake up whether this excludes a workout, but part of me hopes it won’t. I still haven’t come up with a reward system to use though, and really feel I need one! What do you use?

Monday – Week 14 Day 1
27 Jan


It is well past time I started paying more attention to my weight-loss journey.

As you can see from the pictures I’ve uploaded, I’ve really not been doing well since Christmas. I started a Fitbit twelve-week plan and for the last five weeks I’ve not been hitting my goals, and the only excuse I have is simple distraction and lack of focus. So how am I going to change things and get out of the rut I’m in? By shaking things up a bit.

First step is accountability and tracking. Until yesterday I had no idea how much I’d fallen, so once again the blog will come back into play. In a previous post I said that perhaps a nightly blog was no longer required, and it’s not, but structure is required. So I will post a blog three times a week, on Monday, Wednesday and Saturday. Since Thursday is now my day off each week, this schedule will give me two days to blog about instead of trying to find content in just the one. While I might still blog through the other days, these are the days I am setting aside to always blog.

Second is harder to label. I am project-driven, and the problem with weight loss and fitness is they are long-term at best. An even better description would be lifestyle changes. So I need to make it a project as well. I already have the blog and I publish my Fitbit reports each week; the next step is recipes, which I am going to start adding as well. I have no illusion this site will become the go-to for anyone else, but it will become the first reference for me. A recipe will look like this Greek Style Salad demo and contain everything needed to replicate the meal.

Final step is reward. I’ve been looking for one that is free and does not include food; having a Mars bar to reward you for exercising isn’t of much use. Problem is I am still stuck on this one. I really have no idea what reward system to use, although I know I need one.

Wednesday – Week 13 Day 3
22 Jan


Since I started using my new scales yesterday I thought I would go the whole hog and weigh anything that fits on them. This morning I started with breakfast.

Now I’ll be honest, I’ve always just scanned the barcode on food packages and left it at that. This morning proved that might be my problem. I’ve attached two cereal photos today: the first shows a suggested serving of 30 grams (how you’re expected to add 125 ml of milk to that is a mystery to me), the second what I would normally eat. What surprised me most is I’m eating twice the suggested serving. Spread that over a 7-day week and it’s scary. The one upside is I don’t actually use 125 ml of milk, I actually use barely 25 ml.

The rest of my meals haven’t been bad; for the first time in ages I avoided a pie and beans for lunch, but couldn’t skip the snacks. I’ll keep working on it, although I think the only practical solution will be buying lots of grapes and carrots to eat at my desk, but I keep forgetting to get supplies in. Dinner was home-made macaroni cheese, extremely good, and all ingredients were properly weighed and measured so I’m happy.

Now Pact. This was suggested to me yesterday so I thought I would give it a try. The basic premise is you set yourself a goal; mine is to log 4 meals a week in MFP. If I do that I’ll get $0.80, great, but for each of the four I don’t log it’ll cost me $5! At present I’m playing with the starter amount, so I won’t actually be allowed to withdraw anything unless I sign up to actually pledge my own money. I’ll probably give it a try; 2014 is my year of trying new things after all.

Today’s weigh-in reported a 0.8 kg loss on yesterday. I’m not sure how excited I want to get about this yet till I see if it’s going back on tomorrow, so I’ll hold back judgement.