Two-factor authentication and a general improvement of my security infrastructure were long on my todo list. Some months ago I finally purchased a YubiKey NEO from Yubico and try to consistently use it as a second factor, as well as a GPG signing/encrypting device.
I am trying to get the best out of my YubiKey NEO by using as much of its functionality as possible, in particular: smartcard for my GnuPG keys, OTP similar to Google Authenticator and the like, challenge-response for additional login security, and all of that over NFC so as not to keep keys/passwords on my mobile phone.
While there are loads of guides (see the previous article on GnuPG for some of them), many of them are out of date for current distributions and GnuPG etc. So I tried to collect all I could find, not least to have a place to look it up in case I forget it again.
Switching from one GnuPG master key to the usage of subkeys was long on my list of things I wanted to do, but I never got around to it. With the advent of a YubiKey NEO in my pocket I finally took the plunge: reading through lots of web pages (and adding one here for confusion), trying to understand the procedures, and above all, understanding my own requirements!
To sum up a long story, it was worth the plunge, and overall the security level of my working environment has improved considerably.
Today I committed a set of changes to the TeX Live Subversion repository that should pave the way for better security handling in the future. Work is underway to use strong cryptographic signatures to verify that packages downloaded and installed into a TeX Live installation have not been tinkered with.
While there is still a long way to go and much to figure out, the current changes already improve the situation considerably.
Status up to now
Although we did ship size and checksum information within the TeX Live database, this information was only considered by the installer when restarting an installation, to make sure that the already downloaded packages are the ones we should use.
Neither the installer nor tlmgr used the checksum to verify that a downloaded package is correct, relying mostly on the fact that the packages are xz-compressed and would produce rubbish when there is a transfer error.
Although none of us believes that there is a serious interest in tinkering with the TeX Live distribution – maybe to steal just another boring scientific paper? – the door was still open.
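To make the gap concrete, here is an added example (my own illustration, not TeX Live's installer or tlmgr code) of the difference between "the xz stream decompresses" and "the package matches the checksum recorded in the database". Package contents, the database fields and the SHA-512 choice are assumptions for the sake of the example; the page only says that size and checksum information is shipped.

```python
import hashlib
import hmac
import io
import lzma
import tarfile


def make_package(files):
    """Build an xz-compressed tar archive in memory from a {name: bytes} dict.
    Constructed sample data standing in for a TeX Live .tar.xz container."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return lzma.compress(buf.getvalue())


def sha512_hex(blob):
    return hashlib.sha512(blob).hexdigest()


def xz_integrity_ok(blob):
    """The check the old behaviour effectively relied on: does the xz stream
    decompress without error?  This only catches bit flips and truncation
    (xz carries its own CRC), never a deliberately re-compressed package."""
    try:
        lzma.decompress(blob)
        return True
    except lzma.LZMAError:
        return False


def checksum_ok(blob, expected_size, expected_sha512):
    """Verify the downloaded container against the size and checksum
    recorded in the package database (hypothetical field names)."""
    if len(blob) != expected_size:
        return False
    return hmac.compare_digest(sha512_hex(blob), expected_sha512)


def install_package(blob, expected_size, expected_sha512):
    """Refuse to unpack anything that does not match the recorded checksum,
    then return the member names that would be installed."""
    if not checksum_ok(blob, expected_size, expected_sha512):
        raise ValueError("checksum mismatch: refusing to install")
    with tarfile.open(fileobj=io.BytesIO(lzma.decompress(blob)), mode="r:") as tar:
        return sorted(tar.getnames())


# Genuine package as the server would ship it (constructed).
GENUINE = make_package({"tex/latex/foo/foo.sty": b"\\ProvidesPackage{foo}\n"})
# What the database would record for it.
GENUINE_SIZE, GENUINE_SHA512 = len(GENUINE), sha512_hex(GENUINE)

# Tampered package: modified and re-compressed, so it is a perfectly valid xz stream.
TAMPERED = make_package({"tex/latex/foo/foo.sty": b"\\ProvidesPackage{foo}\n% tampered\n"})

# Corrupted download: the last bytes flipped in transit, which xz itself detects.
CORRUPTED = GENUINE[:-8] + bytes(b ^ 0xFF for b in GENUINE[-8:])


if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE), ("tampered", TAMPERED), ("corrupted", CORRUPTED)):
        print(label, "xz ok:", xz_integrity_ok(blob),
              "checksum ok:", checksum_ok(blob, GENUINE_SIZE, GENUINE_SHA512))
```

The tampered container passes the xz check but fails the checksum, which is exactly the case the old code path let through. The checksum only helps as far as the database that carries it can be trusted: an attacker who can replace both the container and its database entry defeats it, which is why the signature work mentioned above is the other half of the fix.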
I recently moved and consolidated my web presence (photos, blog, etc.), see this blog entry, to www.hostpapa.eu. Up till a few days ago they provided SFTP, that is, secure FTP upload. This has now been cancelled, which means that at the moment there is no way to upload anything to their servers without using a browser. All that is provided is plain, unencrypted FTP.
This is technology and a security attitude from the last century. I seriously doubt that the company has any security awareness or concern at all. Thus, here is a big WARNING: Do not use HostPapa if you want even a basic level of security.
As a consequence, although it will hurt and take time, I will have to move again. I am currently considering greengeeks.com, as they also provide compensation for energy usage. The negative point is that they are located in the US.
A short comparison (should have done that earlier, I know):
(The comparison table did not survive extraction; only two cells remain: "Yes with private IP" and "Yes (private IP needed?)".)
Well, I will keep you posted on how it goes.