DSA keys deprecating/ELIMINATING DSA keys in openssl 7.0

https://security.stackexchange.com/questions/112802/why-openssh-deprecated-dsa-keys

You don’t have to take my word for it, but when I began developing NouveauPG years ago I found that, 1.) DSA is just hours of testing, debugging, etc. with little return on investment. Don’t get this twisted, this was never designed to make me a millionaire but I thought it was something that should exist. We’re only here for a short time and we really have to think beyond the fleeting riches on which so many in the current tech industry base their self worth. Just sort of proud that I saw that coming years ago. 🙂

PGP infrastructure under attack

https://www.vice.com/en_us/article/8xzj45/someone-is-spamming-and-breaking-a-core-component-of-pgps-ecosystem

Due to the limited role of NouveauPG’s ‘eco-system’, it is safe for the secure transmission of text messages of any length across an insecure medium: social media, etc. NouveauPG was written from the ground up and shares no code with the c. 1994 code-base. Apart from myself accessing this site via Tor, which could be AWS nonsense, all is secure.

domain

For the time being, nouveaupg.info is the internet address. There are some very strange things happening with nouveaupg.com. I’m hoping to have everything back up ASAP, but for the meantime nouveaupg.info is the temporary address.

UPDATE: well this is weird, I can access nouveaupg.com via Tor, but not my home connection. I’m sure it’s nothing. I have more pressing matters, just thought this was interesting.

Well this is weird, I can access http://nouveaupg.com through Tor.

E-Fail attack against GPGTools

Another day, another attack against GnuPG tools. I have long believed that the complicated integration mechanism that GPGTools uses to integrate with the Mail client is vulnerable to attack. Not too long ago, Internet Explorer browser extensions were the attack vector into Windows PCs.

https://it.slashdot.org/story/18/05/25/189253/in-apple-mail-theres-no-protecting-pgp-encrypted-messages

Remember with NouveauPG, the entire app is sandboxed. The only way to get data in or out is by selecting a file using the system file dialog box, or using the clipboard. No internet access, third party plug-ins or anything. The only reason encryption is not ubiquitous by now is the trade-off between usability. More ‘convenient’ schemes always seem to backfire. NouveauPG is as simple as I know how to make it.

 

Compiling and Installing GnuPG Classic v1.4.20 on Mac OS X

Compiling from source code is a straightforward way to ensure that you have a genuine copy of GnuPG on your machine. Since GnuPG may be used to verify other software packages, it is important that your copy is not tampered with.

This post will outline the steps for compiling GnuPG classic v1.4.20 from source for Mac OS X rather than the latest version of GnuPG (v2.0.x) because it is much simpler to compile. Compiling GnuPG from source is certainly not any more difficult than using GnuPG, which is a command line program.

1.) Install command line developer tools for Mac OS X. This is dead simple on recent versions of Mac OS X (10.9 and up): simply open the Terminal and type "xcode-select --install". A dialog will appear and allow you to install the command line tools.

For older versions of Mac OS X, the procedure outlined here may work.

2.) Download the source code archive for GnuPG v1.4.20 here and the signature here. The signature is a text file that we will use to verify the source code archive.

3.) Decompress and extract the source code archive.

bzip2 -d gnupg-1.4.20.tar.bz2
tar -xvf gnupg-1.4.20.tar

4.) From the source code directory, run the configure script to make sure your command line tools are installed.

cd gnupg-1.4.20
./configure

5.) Assuming there are no errors, from the same directory run make to compile gnupg.

At this point, if everything went correctly, you should find the gpg executable in the g10 subfolder.

6.) If you wish to install GnuPG 1.4.20 as your default gpg:

sudo make install

You must uninstall other versions of gpg (including those installed by other software packages) before installing.
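Step 2 downloads a signature, but the steps above never use it, and `bzip2 -d` in step 3 replaces the signed `.tar.bz2` with a `.tar` that the signature no longer covers. The script below is an added example, not part of the original post: it checks the detached signature against a pinned signer fingerprint and only then extracts. The `GPG` variable, the function names and the fingerprint argument are assumptions; it needs a gpg binary you already trust with the signer's public key imported.

```shell
#!/bin/sh
# Added example: verify the detached signature, then extract.
# GPG may name any gpg you already trust (for later releases, the ./g10/gpg you built).
GPG=${GPG:-gpg}

# signer_matches STATUS_TEXT FINGERPRINT
# Succeeds only if gpg's --status-fd output contains a VALIDSIG line whose
# signing-key fingerprint (field 3) or primary-key fingerprint (last field)
# equals the pinned fingerprint. GOODSIG alone is not accepted, because it
# does not say which full fingerprint made the signature.
signer_matches() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
        (toupper($3) == toupper(want) || toupper($NF) == toupper(want)) { ok = 1 }
        END { exit !ok }'
}

# verify_then_extract ARCHIVE SIGNATURE FINGERPRINT
# Returns 2 if no fingerprint is pinned, 1 if verification fails,
# otherwise the exit status of tar.
verify_then_extract() {
    archive=$1; sig=$2; fpr=$3
    [ -n "$fpr" ] || { echo "no signer fingerprint pinned" >&2; return 2; }
    # Status lines go to stdout; gpg's human-readable chatter is discarded.
    status=$("$GPG" --status-fd 1 --verify "$sig" "$archive" 2>/dev/null) || true
    if ! signer_matches "$status" "$fpr"; then
        echo "signature check failed for $archive; not extracting" >&2
        return 1
    fi
    # tar -xjf reads the .tar.bz2 directly, so the signed file stays on disk.
    tar -xjf "$archive"
}

# Usage: sh verify.sh gnupg-1.4.20.tar.bz2 <signature-file> <pinned-fingerprint>
if [ "$#" -eq 3 ]; then
    verify_then_extract "$1" "$2" "$3"
fi
```

Take the pinned fingerprint from a source independent of the download itself, otherwise the check only proves that the archive and signature came from the same place.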

Anonymous activation finally arrives

I finally have the Bitcoin activation system up and running. Now if you want to purchase NouveauPG, you don’t need to go through the Mac App Store. The first time NouveauPG is run on a Mac, it generates a random UUID. When you provide a valid UUID to the activation page, you will be assigned a Bitcoin deposit address. When you deposit enough Bitcoin, a signature will be generated that can be copied and pasted into NouveauPG to unlock it. No network access is necessary.

NouveauPG for iOS removed from App Store

A few years ago, I swore to myself that I would not publish apps that I didn’t use myself. NouveauPG for iOS has some issues I don’t have the time to fix in the near future. I hope to have it back and better than ever in 2016, but I will not publish it until it is in good enough shape that I have it on my phone.

I use NouveauPG for OS X on a regular basis, so I want to concentrate on that for the time being.

GPG Suite security even worse than imagined

Apparently there are security issues with GPGSuite beyond keeping track of users' IP addresses with an auto-updater.

The leading OpenPGP client for Mac OS X has recently pushed a security update due to a bug that allows a local user to execute shell commands with root privileges.

As if it weren’t enough, by default, GPG Suite regularly contacts gpgtools.org to check for updates. So not only does gpgtools.org keep tabs on the IP addresses you use without explicitly getting permission, a carrier or state level entity could easily compile a list of GPG Suite users by monitoring requests to the gpgtools.org upgrade server (here and here). It doesn’t matter they are using SSL/TLS because the private information is your IP address.

Think about it: after a few months, your upstream carrier (or whoever has access to their logs) could compile a list of every IP that users of GPG Suite use. My opinion of GPG Suite users notwithstanding, I am sure they have more interesting data stored on their computers than the average person.

NouveauPG is sandboxed, so it is entitled only to access files selected by the user using the system open and save dialog box. Absolutely no network access allowed. (The only autoupdate mechanism is through the App Store version, which is the same one used for OS X autoupdate. There is no way for a third party other than Apple to know exactly what is being updated, and tracking IPs to the Apple update servers will only give you a list of Macintosh users.)

Activity monitor showing all the unsandboxed processes from a GPG Suite installation.

Activity monitor showing the single sandboxed process for NouveauPG