Hey, been a while
I won’t waste my time explaining where I have been - the truth is very few people read this blog and those that do know that I have been fairly busy for the past month. I am attempting to get back into the swing of things, but to make an incredibly long story short I am currently coming over a pretty hard burnout.
PGP encryption, or encryption in general, has always been something the people that know me would probably feel comfortable assuming I know something about it. This is not an unfair assessment, I have for a very long time touted that anything that is not verifiably encrypted will become public knowledge. I am a strong advocate for the tools, and I use the tools indirectly, but I have never actually taken the straight-up dip into the self-sovereignty of owning my keys.
I did before this post have a Keybase account - Keybase is an amazing app, and for the normies out there who do not care about ownership of their data the way I do, I would say it would meet your encryption wants and needs in a way that raw-dogging the CLI wouldn’t. The truth is the CLI, and CLI tools are scary if you haven’t used them before - That is me saying that and I feel pretty comfortable using a terminal. If I can point my less tech-savvy friends towards a PGP manager that requires no terminal usage, then I am going to do it. All this being said, I do feel it’s worth mentioning that the people who mess around with PGP are usually a bit further down the nerd iceberg than others, and likely are tech savy. Due to this, I suppose Keybase serves as a very potent gateway drug into this landscape more than anything.
What is PGP
So the elephant in the room - Stands for pretty good privacy and is the standard for private/public key-based encryption nowadays. Anyone who has gone down the git rabbit hole knows about signing your commits, and this is usually the first taste people get of this landscape. In simple terms PGP is an encryption standard that allows you to encrypt and verify documents, in less simple terms your PGP is essentially your identity.
To oversimplify an incredibly complex topic PGP is a form of asymmetric encryption. Before the 1970’s almost all encryption was symmetric, meaning that you used the same “password” to both encrypt and decrypt. What this means is that both parties need to know the same “password” to encrypt/decrypt messages. This system works but the issue is that to encrypt/decrypt not only do you both need to know the password, but you also both need to protect the password to prevent others from prying in. Asymmetric encryption approaches this differently, rather than one “password” you have two keys
- A private key
- A public key The public key encrypts, and the private key decrypts. Typically you share your public key around and keep your private key private.
Now let’s suppose there are two people: Eddie and Frank. Both of these people have PGP keys. Eddie wants to send a message to Frank but make sure that no one else knows what he has said other than Frank. What he does is take Frank’s public key and encrypt the message with it, he then sends the message to her, and she decrypts it with her private key. At no point does Eddie or Frank have to worry about keeping a “password” a secret. Pretty cool right?
It gets cooler when you factor in the private key it also can encrypt (not really, but I’m trying to keep this simple). What this means is that you can essentially attach the cyphertext generated by the private key to confirm it is you who is sending that. What this ends up meaning is that you can verify that a message came from a particular public key by using that public key to decrypt the attached cyphertext.
Mental Outlaw amazingly explained this in his video about an exit scam - On the dark net you want to find a way to verify who you are without personal information, and this is where PGP keys are used. A PGP is used to sign messages and verify that you are the one who wrote them, this means in an abstract way the reputation points you gain aren’t being assigned to you, they are being assigned to that public key. You may be the person who has stewardship over the associated private key, but the distinction needed to be made. This is why exit scams are so common, because in the event you decide to leave the dark net that public key essentially will never be used again, and it makes sense to burn the reputation that it carried.
Why now
Following the recent takedown of Breach-Forums the guy who took over was using PGP sig’s to confirm that he was the one writing the messages. I was never an active member of that site but I understood its significance inside the cyber-security ecosystem, and I understand why people inside that ecosystem would want to keep their identities private. I have been a long-term advocate for privacy and security, and I am a firm believer in practising what I preach, however, this is not the full story. Asides from being a computer nerd, I am also a massive Maths nerd. I have autism, I do not attempt to hide it and I am not ashamed of it. I love maths because there is no grey area in it, no matter what happens 1 + 1 will always equal 2. Cryptography despite its complexity is maths, and when you can verify something cryptographically there is no grey area. You do not have to trust the person, you have to trust the underlying mathematics.
I firmly believe that the systems we depend on every day are held together with little more than duct tape and gum. I cannot fix the world, but I can attempt to fix my corner of it. I want people to trust that it is me who is talking to them, and for their information to be kept private in the event they want to send me encrypted information. For these reasons, I am going to start treating my PGP keys with the respect they deserve. When this next lot of posts come out they will be signed, and my site will have a new page explicitly stating my public key.
I wrote on the bottom of my laptop at some point “Encrypt like everyone is watching” and it’s time for me to start taking my advice.
note: Due to logistical issues with the way this blog is made, currently not this post not signed. There is a project to ensure this happens in the future