[vox-tech] mutt, email, usb mini storage, dvorak...

Bill Broadley vox-tech@lists.lugod.org
Fri, 19 Dec 2003 01:50:11 -0800 

On Wed, Dec 03, 2003 at 07:24:54PM -0800, Jonathan McPherson wrote:
> 2. I am considering buying one of those USB keyring mini storage devices
>    (they're getting cheap; 128MB devices run $30 or so) and storing my
>    GPG private key on it.  This would let me both sign emails from any
>    computer and keep the key off my potentially vulnerable networked PC.

Er, why do you think your private key is any safer on a usb keychain when
connected to a vulnerable pc then it is on the disk.

The key to a secure private key is a good passphrase, this of course assumes
that the machine you use it on doesn't sniff your keystrokes.

So I'd keep your private key on a secure server somewhere and connect
via ssh (if you trust the machine not to keysniff) or via skey if you
don't.  Skey allows for one time passwords so they protect against
keystroke sniffing.  There are clients for java ibuttons, palm
pilots, and even dead tree methods.  So then you use skey to login
and send email from the secure environment on a machine you trust.
Ideally such a machine would be physically secure, and run a minimal
number of services (like just ssh).

>    Do you think that this is a good idea?  The main drawbacks I can see
>    is that if I lose the device, I would have to get a new key pair, and

Er, backup it up somewhere secure, say by printing it out and storing
it in a fairly secure place, like maybe in a random book at home, or
maybe your wallet.  1200 dpi printers and small fonts can get pretty decent
density.

>    the fact that my key will be in the RAM of the machine I am using.

There are java ibuttons that are actually capable of running encryption
on board, they are VERY physically secure (the highest classification
of physical security, even above say your average ATM machine), they
can be had for $50.00 ish.  Alas a driver needs to be installed to
send a text message to it, and get back a signed version.

>    How good is Linux support for these devices?  Is there a brand you
>    would recommend?

I've use number compact flash and SD devices with linux using usb-storage,
I'd expect the keys to be the same way.

> 3. It would also make sense to get a small, self-contained, GPG-capable
>    Windows e-mail program loaded on the device, and a similar one for
>    Linux.  Then I could securely e-mail from most systems.  Do you have

Securely?  I don't see any additional security, might as well just ssh
to a home machine and hope the os, or hardware isn't keysniffing.

>    any recommendations on e-mail programs for this purpose?  Good IMAP
>    and GPG support are the only feature requirements.
> 
>    Obviously another, cheaper, way to do this would be leave the machine
>    with my GPG key on it open to SSH connections.  The problem with this

Hrm, I trust ssh, I've no problems with leaving it open, seems much
less of a worry then other things your considering.

>    is that I don't necessarily want that port open; some firewalls block
>    it while allowing SMTP and IMAP traffic; slow, old dialup connections

ssh can run on any port.  Additionally there are java based ssh clients
that could sit on your machines port 80 based webserver, the client runs
local, it doesn't of course prevent sniffing.

>    make SSH painful to use; and most Windows machines don't have a SSH

See web-based java client above.


-- 
Bill Broadley
Mathematics
UC Davis