trust me, i use pgp

2009/01/19

Lately I’ve had security on my mind. Somewhere in the midst of peeking at how adware works so hard to masquerade in the background radiation of Windows, peeking at some mundane C code packaged with Metasploit while wondering how it is allegedly easy to exploit, I got to thinking about how much the element of trust is involved in everything we do. For example, I trust Wikipedia for the information on Dr. Martin Luther King, Jr. I read today about how the FBI tapped his phone in an attempt to incriminate him and force him to cease his un-American activities. I don’t know if that trust is misplaced: I trust wiki enough to think it’s not all hearsay, but I wouldn’t stake my life on the details. Now think of the things I think about!

Anyways, I looked up PGP because it’s popped up enough to bother me for not knowing it. Here is a two-part tutorial:

You get started by typing

gpg --gen-key

And choose some options, then it generates some random bytes, which reminds me of the bit in Cryptonomicon where the program asks for random keystrokes to feed the entropy pool. No clue about that.

You sign stuff with:

gpg --clearsign < message

And you can encrypt stuff for a certain someone(s):

gpg [-r id] --armour --sign --encrypt < message

The trick is getting the other guy’s key into your keyring so you have their id to put in that last line of code. They make a big deal about trust.
