
Geek stuff from a french geek and photographer
Posts tagged "security"

Over the years I’ve organized or tried to organize PGP key signing parties every time I go somewhere. In the last year I’ve organized 3 that were successful (i.e. with more than 10 attendees).

1. Have a venue

I’ve tried a bunch of times to have people show up in the morning at the hotel I was staying at - that doesn’t work. Having catering at the venue is even better; it will encourage people to come from far away (or with a long commute). Try to mark the path inside the venue with signs (sheets of paper with “PGP key signing party” and arrows help).

2. Date and time

Meeting in the evening after work works better (after 18:00 or 18:30).

Let people know how long it will take (count 1 hour per 30 participants).

3. Make people sign up

That makes people think twice before saying they will attend. It’s also an easy way for you to know how much beer, cola, etc. you’ll need to provide if you cater food.

I’ve been using eventbrite to manage attendance at my last three meetings; it lets me:

  • know who is coming
  • Mass mail participants
  • have them have a calendar reminder

4. Reach out

For such a party you need people to attend so you need to reach out.

I always start with a search on biglumber.com to find the people using gpg who are registered on that site for the area I’m visiting (see below for what I send).

Then I look for local Linux user groups / *BSD groups and send them an announcement with:

  • date
  • venue
  • link to eventbrite and why I use it
  • ask them to forward (they know the area better than you)
  • I also use lanyrd and twitter but I’m not convinced that it works.

For my last announcement it looked like this:

Subject: GnuPG / PGP key signing party September 26 2014
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature";
 boundary="t01Mpe56TgLc7mgHKVMajjwkqQdw8XvI4"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--t01Mpe56TgLc7mgHKVMajjwkqQdw8XvI4
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hello my name is ludovic,

I'm a sysadmins at mozilla working remote from europe. I've been
involved with Thunderbird a lot (and still am). I'm organizing a pgp Key
signing party in the Mozilla san francisco office on September the 26th
2014 from 6PM to 8PM.

For security and assurances reasons I need to count how many people will
attend. I'v setup a eventbrite for that at
https://www.eventbrite.com/e/gnupg-pgp-key-signing-party-making-the-web-o=
f-trust-stronger-tickets-12867542165
(please take one ticket if you think about attending - If you change you
mind cancel so more people can come).

I will use the eventbrite tool to send reminders and I will try to make
a list with keys and fingerprint before the event to make things more
manageable (but I don't promise).

for those using lanyrd you will be able to use http://lanyrd.com/ccckzw.

Ludovic
ps sent to buug.org,nblug.org end penlug.org - please feel free to post
where appropriate ( the more the meerier, the stronger the web of trust).=

ps2 I have contacted people listed on biglumber to have more gpg related
people show up.

--=20
[:Usul] MOC Team at Mozilla
QA Lead fof Thunderbird
http://sietch-tabr.tumblr.com/ - http://weusepgp.info/

5. Make it easy to attend

As noted above, making a list of participants to hand out helps a lot (I’ve used http://www.phildev.net/pius/ and my own stuff to make a list). It makes things easier for you and for attendees. Tell people what they need to bring (IDs, pen, printed fingerprints if you don’t provide a list).

6. Send reminders

Send people reminders and let them know how many people intend to show up. It boosts attendance.

On the coming April 1st (that is, April 1st 2014) I’m organizing a PGP key signing and CACert assurance session in the Mozilla office in Paris.

To be able to manage this event properly, I’m asking potential participants to sign up via eventbrite so that we don’t exceed the capacity of the room.

Come in numbers, it will be fun.

Always wanted to understand what cryptography is and how to secure your communications? This guide, http://techblog.rosedu.org/from-0-to-cryptography.html, explains everything very nicely.

A nice project, worth giving a few bucks at http://www.indiegogo.com/calyx

Today I’ve received the following email in my inbox:

Return-Path: helpdesk@webmail.com
Received: from zimbra.xxxxx.mozilla.com (LHLO
 zimbra.xxxxx.mozilla.com) (x.x.x.x) by
 zimbra.xxxx..mozilla.com with LMTP; Thu, 8 Mar 2012 17:14:03 -0800
 (PST)
Received: from yyyy.mozilla.org (yyyyy.mozilla.org [x.x.x.x])
	by zimbra.xxxx.mozilla.com (Postfix) with ESMTP id AF01B251C05A;
	Thu,  8 Mar 2012 17:14:02 -0800 (PST)
Received: from psmtp.com (exprod5mx225.postini.com [64.18.0.84])
	by cccc.mozilla.org (Postfix) with ESMTP id A03E34AEDD1;
	Thu,  8 Mar 2012 17:13:53 -0800 (PST)
Received: from mail.kpoly.edu.gh ([41.204.38.3]) by exprod5mx225.postini.com ([64.18.4.10]) with SMTP;
	Thu, 08 Mar 2012 19:14:02 CST
Received: from localhost (localhost.localdomain [127.0.0.1])
	by mail.kpoly.edu.gh (Postfix) with ESMTP id D1E655C8D294;
	Fri,  9 Mar 2012 00:40:39 +0000 (GMT)
X-Virus-Scanned: amavisd-new at kpoly.edu.gh
Received: from mail.kpoly.edu.gh ([127.0.0.1])
	by localhost (mail.kpoly.edu.gh [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id w-b-ioEMbIK1; Fri,  9 Mar 2012 00:40:39 +0000 (GMT)
Received: from [10.179.161.187] (unknown [41.203.64.131])
	by mail.kpoly.edu.gh (Postfix) with ESMTPSA id 559D55C8D5A2;
	Fri,  9 Mar 2012 00:40:19 +0000 (GMT)
Content-Type: text/plain; charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Description: Mail message body
Subject: Dear E-Mail User
To: Recipients <helpdesk@webmail.com>
From: "Webmail HelpDesk" <helpdesk@webmail.com>
Date: Fri, 09 Mar 2012 01:39:54 +0100
Reply-To: revalidation@webmail.md
X-Antivirus: avast! (VPS 120308-1, 03/08/2012), Outbound message
X-Antivirus-Status: Clean
Message-Id: <20120309004020.559D55C8D5A2@mail.kpoly.edu.gh>
X-pstn-neptune: 11/1/0.09/61
X-pstn-levels:     (S: 2.44222/99.90000 CV:99.9000 FC:95.5390 LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-pstn-dkim: 0 skipped:not-enabled

Dear E-Mail User.

Your Mail quota has reached limit, You might not be able to send or receive=
 new mail until you re-validate your mailbox .To re-validate your mailbox r=
eply to this mail and fill { Your E-Mail Address } { Username } { Password =
}:

Technical Support
192.168.0.1


I almost replied - as I know I have a big usage on the mail server. What made me not reply was the password - I would probably not have sent the mail seeing where it would go. What prompted me to think this was legit was the fact that it was caught between two other legitimate emails about desktop support. And the IP address below the signature was also helpful for me not to reply at all.
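
The warning signs in that message can be checked mechanically. The sketch below is an added example, not part of the original post: it covers the three signs named above (password request, where a reply would go, the IP address in the signature) and, going slightly further, two more that the headers show. The function names and the sample, abridged from the message above with its body decoded, are assumptions of the example.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Abridged from the message quoted above; body shown after quoted-printable decoding.
SAMPLE = """\
To: Recipients <helpdesk@webmail.com>
From: "Webmail HelpDesk" <helpdesk@webmail.com>
Reply-To: revalidation@webmail.md
Message-Id: <20120309004020.559D55C8D5A2@mail.kpoly.edu.gh>

To re-validate your mailbox reply to this mail and fill { Your E-Mail Address } { Username } { Password }:

Technical Support
192.168.0.1
"""

def addr(value):
    """Bare lower-cased address from a header value ('' if the header is absent)."""
    return parseaddr(value or "")[1].lower()

def is_private(text):
    try:
        return ipaddress.ip_address(text).is_private
    except ValueError:  # dotted string that is not a valid address
        return False

def phishing_signals(raw):
    msg = message_from_string(raw)
    body = msg.get_payload()
    from_dom = addr(msg["From"]).rpartition("@")[2]
    signals = []
    # A reply would go to a different domain than the apparent sender.
    if msg["Reply-To"] and addr(msg["Reply-To"]).rpartition("@")[2] != from_dom:
        signals.append("reply-to-domain-differs")
    # To repeats From, so the real recipient is not named in the headers.
    if addr(msg["To"]) and addr(msg["To"]) == addr(msg["From"]):
        signals.append("addressed-to-sender")
    # The Message-Id was minted by a host outside the From domain.
    mid_host = (msg["Message-Id"] or "").strip("<> ").rpartition("@")[2].lower()
    if mid_host and mid_host != from_dom and not mid_host.endswith("." + from_dom):
        signals.append("message-id-foreign-host")
    if re.search(r"\bpassword\b", body, re.I):
        signals.append("asks-for-password")
    # A private (RFC 1918) address as a "signature" identifies nobody.
    if any(is_private(ip) for ip in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", body)):
        signals.append("private-ip-in-body")
    return signals
```

Calling `phishing_signals(SAMPLE)` reports all five signals; none of them is conclusive alone, but together they are a strong reason to hold the message for review.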

This picture shows websites that are tracking my browsing habits. I browsed four or five websites and got tracked by 20. Scary!

Want to try it for yourself? Run Firefox and install the Collusion extension.

khuey:

This evening I landed Bug 728429 on mozilla-central. Firefox will now refuse to load XPCOM component DLLs that do not implement ASLR. ASLR is an important defense-in-depth mechanism that makes it more difficult to successfully exploit a security vulnerability. Firefox has used ASLR on its…

This will probably hit any AV vendor or anybody adding toolbars (as many of them come with binary components). In Thunderbird land it probably means that some anti-spam extensions will have issues. This will affect only Windows of course, but that’s what 95%+ of computer users use.