peelman.us

I love this comment from the OpenCongress link: Read more…

So I had an interesting challenge come my way today. I received an attachment I was supposed to look at, with the extension .pgp. Since I don’t use PGP regularly (with the exception of this time, I have never had to use it for any ‘production’ purpose) I went through the motions of re-learning how to decrypt PGP attachments, what I needed to download, etc. Fetching what I needed and digging around some, I recalled having to have a key of some kind. Right. Look me up on most keyservers and you’ll now find two entries ($20 says I’m the only Peelman in there, offer expires at the end of the week). One from 2005, one from 2008. What makes this funny/sad/aggrivating is the story behind the 2005 key, and the basis for why I hate PGP/GPG with most of my being.

So I’m roughly a junior in college, and finally in Purdue’s Computer Technology program, after a protracted experience trying to switch majors while the department continually moved the goal posts. I had recently gotten a Powerbook in the summer and my new geeky CPT friends and I were sitting around drinking beers, geeking out and talking about encryption (I supposed, how else we would have gotten here I’m not sure). The result of this is: at that point or sometime shortly thereafter I created a PGP key with some ridiculous passphrase. A passphrase that was forgotten soon thereafter. I’m pretty sure it was stored in the Keychain on my Powerbook for safe keeping (keep reading…) Later, while trying to retype it I confused myself so much that the mixture of letters, numbers, and symbols got lost in my mind, never to be found again. Regardless, its gone. No revocation key was created ahead of time (now I know that as a failsafe, you’re supposed to generate one and store it on a CD or something so that the key can be revoked in cases just like this. Pretty sure that wasn’t in any disclaimer i read at the time).

So the key was long forgotten, unused anyway, and 7 months after creation the hard drive on my Powerbook died (teaching me another painful lesson–now I back things up like some kind of freak). I can’t quite say that it was long forgotten, because last week, a peer sent the email in question and dug my public key out of some key repository. I always knew it would come back to bite me in the ass.

Let me pause a moment, for the uninitiated, and explain what PGP is. PGP is a form of Public Key Encryption. Through some mathematical wizardry that I can only hope I never have to deal with, you can generate a “pair” of keys, a public and a private. You post your public key out on various key servers, which then talk to each other and exchange the public keys they know about. You store your private key somewhere safe, this part is important since without the private key staying private and secure, your public key is useless (hence my dilemma). Through the magic of encryption algorithms, it is possible to take your public key, and encrypt the data in such a way that it can only be decrypted by your private key. Its a lot more complicated than that, but the basic idea is to be able to encrypt the data in such a way that only the intended recipient can decode it with his/her private key.

And here, my fellow geeks (and everybody else who has managed to make it through the tech jargon thus far), is where my reasoning for hating PGP lies. Unless you explicitly set them to, PGP keys never expire. They are eternal and forever and will live out on the netropolis of key servers until PGP ceases to exist and the last key server is shut down (not a likely event given its following). There is no way to revoke them without knowing the original pass phrase and having the original key. So 10 years from I might get another “secure” email that’s useless gibberish and undecipherable.

There are those who claim that this is the beauty of the system. That it prevents just some random Joe from revoking your key accidently or on purpose. Sorry, but I’m not buying. So for now I have a new key, that I have backed up in like 9 different places, with a memorable (but secure) pass phrase.

Short version

X509 PKI and S/MIME Digital Certificates FTW. Not only do you get a managed system, you get mandatory expiration dates, a web of trust that actually makes sense, encryption, and the best part: Integration with almost every major browser / mail client there is, with _no_ plugins, hacks, or third party plugins. Simply import the certificate file into the OS’s certificate manager (or if its Thunderbird, into your profile). www.thawte.com for more information. If you need/want a notary to get your name in your certificate, I’m good for 30 of the 50 points you have to get from the web of trust.

And I’ll say it again:

Read more…

Finally! 2008 is about over…what a hellacious year it has been. There have definitely been several high points, including getting engaged, getting a kitten, getting a Mac Pro, and getting a job!

Read more…

Article

Sadly, when the Supreme Court makes such a decision it becomes gospel for lower courts and few will stand to challenge it, even if the bench looks notably different from when the decision was made. That’s the bad thing about legal precedents, and they just set a big one.

My take is that if one was to rape a child, they know that they are raping a child, particularly a child under 12. If one is to undertake such an act, there is a small chance they don’t know the consequences, but regardless, it is effing WRONG on so many levels as to make distinctions not matter. The death penalty is a serious punishment, and should only be reserved for serious crimes, and I think that in this country we both overuse it and don’t use it enough. Rape can be proven via many means, and since this girl reportedly needed to have surgery afterwards to repair damage, not to mention the ridiculous amount of mental instability she might experience later in life, I can see it being justified here, given sufficient evidence, which the local and supreme courts of Louisiana apparently found.

This is the type of “legislating from the bench” that the courts should not be doing. What they just did may not have created a law for such cases, but it did create a precedent, which sadly in our time, is almost the same thing. They just overturned the laws governing this practice in 5 states. So because he just scarred her for life, and didn’t kill her, he gets to live. That’s fair?

Bravo to both presidential candidates for coming out against the ruling. It doesn’t make much difference at this point, but perhaps something can be done about it once Barack is in office

footnote: I’m not saying all legal precedents are bad, there area few that I am particularly fond of (Roe v Wade, Epperson v Arkansas, Miranda v Arizona, just to name a few), but as in all imperfect systems, mistakes are made (Dred Scott, and the case in question here, for instance).