A Quick Guide to PGP/GPG

One of the interesting barriers we’ve encountered during the rewrite of Hacker High School has been the trickiness of using email security. It’s pretty bad for us as professionals not to be versed in using PGP and S/MIME, even though both are painful. Here’s my response to one of the contributors asking how to choose and use a PGP/GPG product:

For all practical purposes, take your OS, add your mail client, search thoroughly and you’ll likely find your range of choices limited. On Mac/Thunderbird, it seems to be OpenPGP or Die. Notice the conflation of “Open” and “PGP”? Underneath it’s Enigmail regardless.

Then follow instructions everywhere for generating your key(s).

Then you’ll need the keys of whoever you want to send encrypted email to. Stir up thoroughly until recipient confusion eventually gets their key to you (coach them to pull down their GPG menu and check “sign this message” and “include my cert with the message”).

When you’ve got the key you need to email to a trusted recipient, you’ll need to follow the instructions found *nowhere* and *sign* that person’s key in order to be able to use it! I check the boxes “I have done casual checking” and “keep this signature locally only.” Fumble around until you achieve encryption, and voila! Elegant as scrambled eggs.

A Sweet Example of Using the OSSTMM

It’s a bit of a tangled web, but let me try to comb it out:

ISECOM is the parent organization for a whole cluster of projects, including the Monster that Ate My Summer, Hacker High School. One of their premiere products is the Open Source Security Testing Methodology Manual (OSSTMM), a handbook for testing network and organizational security that brings an entirely different mindset to the practice of information security.

I’ve been reading and re-reading the OSSTMM and gradually coming to understand how to use it, so it’s been particularly useful to see an example. Pablo Endres, a HHS contributor, recently released a short, concise and very clear paper on the subject of a common security practice: putting a “reverse proxy” server in between your web server farm and the Internet. This practice is so commonly accepted that I’ve never even seen a testing scenario that validates it. But Pablo put it to the test of the OSSTMM, and found that the answer to the question, “Is it effective?”, is “It depends.” Check out his blog here, where you can also download the PDF of Pablo’s paper.

The application of the OSSTMM is really simple and elegant. And it’s required reading for my security students now.

Amazing Mind-Reading Tricks Revealed

Working with the Hacker High School team has been a tremendous learning experience, because I’m honored to be Project Manager to a brilliant group of hackers, security consultants and the next generation of wildly talented young people.

Among them is Peter Houppermans, a long-time Swiss banking security expert and consultant to multiple royal families. He’s got an operation called the Privacy and Confidentiality Group (http://pncg.ch) that provides extremely high-end privacy services (and those of you in the security field know confidentiality is different from privacy). He’s been a gold mine of information like this:
“It was funded by the national organization of Belgian banks, and it is ab-so-lu-te-ly awesome,” as Peter puts it.

An ISECOM Linux Distro

Many of you know I’ve been devoting huge hours to the ISECOM Hacker High School rewrite for 2012 (hackerhighschool.org). Lots of people are working on a terrific corollary project: a Linux distro branded for ISECOM to be used for, among other things, Hacker High School!

From the horse’s mouth:
Here’s a sneak peek at the ever-improving OSSTMM Security Live Linux Distro that Joerg Simon is building for us.
Ten Thousand Cameras per Server

Many of us who are or have been sci-fi buffs have a deep inward cringe at things like the robot Cheetah that can outrun Usain Bolt:

Now the ever-watchful Herbbie makes me uncomfortable with news of Cisco’s grand new surveillance plan: a virtualized system in which each server can manage up to 10,000 cameras. Which makes me wonder, how many cameras are they getting ready to deploy? How can they be used or misused by their owner, and even more, how could they be used or misused by anyone smart enough to hack into the system? Because there will be those, for dead certain.

Unfortunately, when I ponder this the word that comes to mind is Skynet.