Feed aggregator

How to Shoot Hyperlapse Videos Without Making People Sick

Wired - Wed, 27/08/2014 - 00:07
Hyperlapse has a ton of potential for creativity, but let's all master the basics before breaking the mold. Because in this case, the mold is a actually metaphor for not wanting to throw up, OK?






Appeals court knocks out computer bingo patents

Ars Technica - Wed, 27/08/2014 - 00:05
Leo Reynolds

Today, there's another signal that the days of "do it on a computer" patents may finally be numbered—at least if a defendant is willing to last through an appeal.

In an opinion (PDF) published this morning. the US Court of Appeals for the Federal Circuit upheld a lower court's decision to invalidate two patents, numbered 6,398,646 and 6,656,045, claiming to cover computerized bingo.

Yes, you read that right: bingo.

Read 10 remaining paragraphs | Comments

Chrome 64-bit browser finally available as a stable version

Ars Technica - Tue, 26/08/2014 - 23:45

Google today released a 64-bit stable version of its Chrome browser for Windows systems. The 64-bit support has been in testing since June, and as of Chrome version 37 it has made it to the mainstream version.

The 64-bit version offers three main advantages and one possible drawback. The browser's advantages are speed, security, and stability. Google claims that certain media and graphics workloads in particular are faster with 64-bit. It offers the example of VP9 video decoding—used for some YouTube high-definition streams—being 15 percent quicker compared to 32-bit.

Security is enhanced both through enabling new protection systems and making existing protection systems stronger. Windows has a built-in security feature called ASLR (address space layout randomization) that makes bug exploits harder to write by randomizing the location of things such as DLLs in memory. The 64-bit applications have much more memory available, thereby creating a much larger haystack in which to hide the needles that exploits look for. Google has its own protection systems that similarly try to separate different kinds of data in memory, and 64-bit likewise gives them more space to play with.

Read 5 remaining paragraphs | Comments

A newbie’s guide to why so many people are watching Twitch

Ars Technica - Tue, 26/08/2014 - 23:35

When I talk to people who don't follow gaming closely about the phenomenon that is Twitch, the response I get is usually along the lines of "Why do people spend so much time watching other people play a game they could just as easily play themselves?"

"Why do so many people watch the NFL when they could just as easily play a game of football in their yard?" I reply.

The analogy isn't perfect—you need good weather, a group of friends, a field, and decent physical fitness to play football, after all—but the basic relationship is the same. Twitch has become a phenomenon because watching the best players in the world is often more entertaining than participating as a relative novice.

Read 17 remaining paragraphs | Comments

The world's best mobile OS?

OS news - Tue, 26/08/2014 - 23:32
How do you determine what makes a good OS? What makes iOS vs. Android or Windows Phone vs. BB10, or any other such comparison not just about the fanboyism? Is it even possible to arrive at a scientific conclusion to this question? If we look at entire ecosystems, Android and iOS are obvious choices for buyers because of the sheer amount of apps they have available. However, what's that got to do with an answer to the question, "What's the best designed OS out of the box?" Not going to spoil it for you.

Too Many Secrets: A Court Ruling Spells Bad News for Anonymous Speech in Brazil

EFF Breaking News - Tue, 26/08/2014 - 23:28

Last week was a bad day for freedom of expression in Brazil. Judge Paulo César de Carvalho, in the state court of Espírito Santo, issued a preliminary injunction ordering the removal of Secret—an anonymous sharing application that lets people share messages with friends, friends of friends, or publicly—from the Apple App store and Google Play store, as well as Cryptic (Secret’s application for the Windows Phone) from Microsoft's store. The injunction also ordered the three companies to remove the applications from phones belonging to their Brazilian users.

What’s the problem? The prosecutor alleges:

“…people are falling victim to embarrassment and violations of their honor without being able to defend themselves, given the anonymity of the postings, since the application SECRET ‘allows the user to tell their own or friends' secrets to Facebook contacts anonymously through the application,’ and since its developers themselves claim that ‘it's impossible to determine who told the secret, since there's no data or photo of the user and they guarantee that ‘there's no risk of the secret leaking out on Facebook,’ since ‘the most information that's revealed is that the message was published by a friend or by the friend of a friend on the app.’”

Furthermore, the prosecutor argues that because any removal request must be sent in English to an American judge via the Brazilian foreign ministry, there is no effective way for Brazilians to defend themselves against defamation.

And why is anonymous speech a problem in Brazil? The judge cites two sections of the Brazilian Constitution:

Chapter I, article 5, section IV: The expression of thought is free, anonymity being forbidden; and

Chapter I, article 5, section X: Intimacy, private life, and the honor and image of persons are inviolable, ensuring the right to compensation for material or moral damages resulting from their violation.

The judge quoted, at length, Brazilian legal scholar Daniel Sarmento, explaining that the right to freedom of expression is not absolute and that “those who act in an abusive manner in their exercise of this right, and thereby cause damage to third parties, may be held responsible for their actions.”

Opposing counsel argued that Secret does not violate the constitution because it is technically possible for the company to trace who is posting anonymous messages through email and phone records. Representatives from Secret informed a Brazilian paper that they would comply with a valid court order to hand over user data if it received one.

Will Brazilians really be losing their Secret apps in just a few days? In some cases, yes. Apple has already complied. But Apple, Google, and Microsoft will have an opportunity to appeal.

While Brazil has led the way in government support of open source culture and explicitly condemning mass surveillance, its Constitutional ban on anonymous speech poses a tremendous danger to free expression in Brazil. Anonymity may make it more difficult to hold bullies accountable for their speech, but it also has a chilling effect on victims of all forms of violence and abuse, people with unpopular opinions, minorities, and vulnerable populations. Banning anonymous speech also chills dissent against the government. In 2011, Special Rapporteur on Freedom of Expression and Opinion, Frank LaRue, called upon states to ensure that individuals have the right to express themselves anonymously online. In 2013, in a landmark report, he explicitly made the link between anonymous speech and privacy:

“The right to privacy is often understood as an essential requirement for the realization of the right to freedom of expression. Undue interference with individuals’ privacy can both directly and indirectly limit the free development and exchange of ideas. … An infringement upon one right can be both the cause and consequence of an infringement upon the other.”

EFF will be keeping a close eye on this case as it develops


Share this:   ||  Join EFF

MenuetOS 0.99.71 released

OS news - Tue, 26/08/2014 - 23:25
A new version of MenuetOS has been released. Updates and improvements (httpc, ehci, picview, memcheck, menu, wallpaper, ohci, uhci, maps/streetview, icons, dhcp, freeform window, smp threads, smp init, onscreen keyboard, utf8 support, tcp/ip, keyboard layouts: western, cyrillic, hebrew, greek) MenuetOS is open source (MIT) and written entirely in 32/64 bit assembly. It's important to note that development is focused entirely on the 64bit version.

ISIS co-opts Twitter hashtags to spread threats, propaganda

Ars Technica - Tue, 26/08/2014 - 23:05
ISIS members and supporters find a new audience for their message by pushing their messages across unrelated hashtags on Twitter.

The militant group ISIS began a new campaign Sunday morning that hijacked popular and innocuous hashtags to spread its threats to execute American journalist Steven Sotloff. Campaigners organized on a forum and began posting to Twitter combining the hashtag #StevensHeadInObamasHand with other trending tags to gain visibility.

The campaign follows the execution of another American journalist, James Foley, which was documented in a video that circulated on social media. Twitter controversially scrubbed the video and screenshots of it from the service for its graphic imagery. ISIS is now threatening Sotloff's life in an effort to get a response from the US government.

One of the hashtags co-opted for the campaign was #AskRicky, which was intended to collect questions for YouTube star Ricky Dillon, reported Vocativ. The campaign's tweets included language like "11th September to happen, Don't come to Iraq unless you want another," "American Air Force kills innocent people in Iraq," and "As you kill us, we are killing you."

Read 1 remaining paragraphs | Comments

Supreme Court Tackles Online Threats

EFF Breaking News - Tue, 26/08/2014 - 22:58

When Sarah Palin placed crosshairs over political districts her political action committee was targeting in the 2010 midterm election, there was an outcry but she wasn’t arrested. Although some claimed the imagery was violent, no one believed Palin was actually intending to shoot anyone. But when Anthony Elonis posted some ugly speech on his Facebook account, fantasizing about killing his ex-wife and law enforcement agents, he was arrested, indicted for making Internet threats and sentenced to more than three and a half years in prison. Elonis claimed he was venting and that he didn’t mean what he said. The prosecutor explained to the jury that it didn’t matter what Elonis thought, and the Third Circuit Court of Appeals agreed, ruling the government only had to show a reasonable person felt threatened by the posts. 

With Elonis’ case now before the Supreme Court, we’ve joined an amicus brief filed by the Student Press Law Center and the PEN American Center to explain why the unique nature of the Internet and the First Amendment require the government prove a person actually meant to make a threat before he can be prosecuted.

This is especially important for youth who communicate through social media. One of the great things about the Internet is its ability to spread speech far and wide. But that also means speech may be misunderstood when it is received by an unintended audience or without the original context in which it was published, creating the risk that fiery rhetoric is transformed into criminal liability. We've already seen how one 18 year old who posted some ugly trash talk on Facebook is now facing ten years in prison. Obviously, there is no room in our society for true threats of violence, whether spoken online or offline. So requiring a subjective intent to threaten is the best way to balance First Amendment values with public safety. Speech that appears threatening but is clearly parody or a joke is protected, while true, violent threats meant to be threatening are punished.

The rapid growth of social media has clearly benefited society, enhancing the ability to connect with other people far and wide and with those both within and outside of our communities. Hopefully, the Court will help preserve this public resource by not unnecessarily extending criminal liability in overbroad ways.

Sean D. Jordan, Kent C. Sullivan, Peter Ligh and Travis Mock of Sutherland LLP, wrote the brief for EFF, SPLC and PEN American Center.

Related Issues: Free SpeechBloggers' RightsRelated Cases: Elonis v. US
Share this:   ||  Join EFF

How Cops and Hackers Could Abuse California’s New Phone Kill-Switch Law

Wired - Tue, 26/08/2014 - 22:50
Beginning next year, if you buy a cell phone in California that gets lost or stolen, you’ll have a built-in ability to remotely deactivate the phone under a new “kill switch” feature being mandated by California law—but the feature will make it easier for police and others to disable the phone as well, raising concerns […]






US courts trash a decade’s worth of online documents, shrug it off

Ars Technica - Tue, 26/08/2014 - 22:45
US Court of Appeals for the 11th Circuit in Atlanta. Kevin / flickr

The Administrative Office of the US Courts (AO) has removed access to nearly a decade's worth of electronic documents from four US appeals courts and one bankruptcy court.

The removal is part of an upgrade to a new computer system for the database known as Public Access to Court Electronic Records, or PACER.

Court dockets and documents at the US Courts of Appeals for the 2nd, 7th, 11th, and Federal Circuits, as well as the Bankruptcy Court for the Central District of California, were maintained with "locally developed legacy case management systems," said AO spokesperson Karen Redmond in an e-mailed statement. Those five courts aren't compatible with the new PACER system.

Read 12 remaining paragraphs | Comments

Rumors that just won’t die, gigantic iPad edition

Ars Technica - Tue, 26/08/2014 - 22:30
Maybe two screen sizes aren't enough anymore? Andrew Cunningham

Some rumors spring eternal, and today it's the one about the larger iPad. Sometimes dubbed the "iPad Pro" by Apple rumor sites, Bloomberg claims that a new 12.9-inch iPad could join the current 9.7- and 7.9-inch models at some point early next year.

This rumor has been floating around for a while now, though information has generally been gleaned from disreputable sources like DigiTimes. The most credible report dates back to July of 2013, when the Wall Street Journal reported that Apple was "testing" larger displays for the iPad and the iPhone. We've since seen plenty of proof that at least one larger iPhone is coming, though aside from a rumored split-screen display mode, we don't have much that points to a bigger iPad.

Some of Apple's competitors are already making tablets around 12 inches in size, including Samsung's Galaxy Note Pro and Tab Pro and Microsoft's Surface Pro 3. There's little indication that either is generating much consumer interest, however—Samsung's tablet sales are generally slowing down, and the entire Surface lineup generated $0.41 billion in revenue last quarter, compared to about $5.9 billion for the entire iPad lineup.

Read 2 remaining paragraphs | Comments

Disney wants a patent for drone-powered aerial antics

Ars Technica - Tue, 26/08/2014 - 21:40
Oh dear god.

Imagine the horrific sight of a giant, skeletal figure dancing in the sky, illuminated by garish laser light. That could soon be part of a child's dream vacation, based on patent applications filed by Disney. “Aerial display system with marionette articulated and supported by airborne devices” is just one of three patent applications filed by Disney Enterprises that look to use drones to add a little something extra to Disney’s theme park experience.

“The system includes a plurality of unmanned aerial vehicles (UAVs) and a ground control system… with a different flight plan for each of the UAVs,” reads the filing, published last week by the U.S. Patent and Trademark Office. “The system further includes a marionette with a body and articulable appendages attached to the body.” The example included with the application: a giant representation of Tim Burton’s Pumpkin King, Jack Skellington from The Nightmare Before Christmas.

The patent applications were filed under the names of three members of Disney’s “Imagineering” team—Robert Scott Trowbridge, Clifford Wong, and James Alexander Stark. The other applications filed by Disney cover “Aerial Display System with Floating Pixels” (a swarm of UAVs that project two or more light streams each) and “Aerial Display System with Floating Projection screens” (a quartet of drones suspending a mesh screen that can be used as a flying movie screen).

Read 1 remaining paragraphs | Comments

Comcast allegedly trying to block CenturyLink from entering its territory

Ars Technica - Tue, 26/08/2014 - 21:25
Reid Beels

CenturyLink has accused Comcast of trying to prevent competition in cities and towns by making it difficult for the company to obtain reasonable franchise agreements from local authorities.

CenturyLink made the claim yesterday in a filing that asks the Federal Communications Commission to block Comcast’s proposed acquisition of Time Warner Cable (TWC) or impose conditions that prevent Comcast from using its market power to harm competitors.

Comcast has a different view on the matter, saying that CenturyLink shouldn’t be able to enter Comcast cities unless CenturyLink promises to build out its network to all residents. Without such conditions, poor people might not be offered service, Comcast argues.

Read 19 remaining paragraphs | Comments

Wednesday Dealmaster has a 21.5” Dell monitor made for Web conferencing

Ars Technica - Tue, 26/08/2014 - 20:30

Greetings, Arsians! Our partners at LogicBuy are back with a ton of deal for the week. The top offer is a Dell 21.5" 1080p IPS monitor with an integrated webcam and speakers that are supposedly "optimized for Microsoft Lync." If you're big into Web conferencing, this is your perfect monitor. If not, well, there are more deals to dig through below.

Featured deal
Price Drop on Just-Released Model! Dell UltraSharp UZ2215H 21.5" 1080p Anti-glare IPS Monitor w/ 2MP Webcam, USB 3.0 Hub for $209.99 with free shipping (list price $279.99)

Laptops

Read 6 remaining paragraphs | Comments

Los Angeles school district halts $1B plan to give every student an iPad

Ars Technica - Tue, 26/08/2014 - 20:15
Jacqui Cheng

The Los Angeles Unified School District (LAUSD), the second-largest school district in the United States, has halted its proposed $1 billion plan to provide iPads for every student.

The abrupt change was announced late Monday evening after the Los Angeles Times reported that there were notable improprieties in the bidding process. This issue came amidst more fundamental questions about the efficacy and usefulness of the plan itself.

As the Times reported:

Read 3 remaining paragraphs | Comments

What’s Up With That: Your Fingernails Grow Way Faster Than Your Toenails

Wired - Tue, 26/08/2014 - 19:46
I like to clip my nails, because I’m addicted to the rewarding little tink of the clippers. Instead of being content with a finely manicured set of man hands, I crave more tinks. Without fail, I’ll kick off my sneakers in hopes of clipping away my toe talons, but instead of tinks, all I make is a loud sigh, because my toenails […]






Registered Lobbyists Elbow Their Way Back Into TPP Committees

EFF Breaking News - Tue, 26/08/2014 - 19:43

Hollywood and big publishers already have an alarming stranglehold over the US Trade Representative's objectives in trade agreements, leading to extreme copyright enforcement and privacy-invading policies in trade deals like the Trans-Pacific Partnership (TPP) agreement. But now, the White House is doing away with the remaining limits it has on lobbyists influencing federal policies.

Special interests won a federal court ruling earlier this year, where the judge in the case suggested that President Obama's ban on registered lobbyists serving on federal advisory committees violated those lobbyists' rights. In light of this ruling, the White House has sent a memo specifying new rules, permitting lobbyists to once again officially serve on federal agencies if they are representing a specific client (such as say, the Motion Picture Association of America).

These new relaxed rules on lobbyists mean that Hollywood will now be able to exercise their influence on US trade policy more than ever.

Since President Obama enacted the ban in 2010, only non-registered lobbyists were able to serve on these Trade Advisory Committees. These committees currently include hundreds of legal advisors for corporations, who can log in from their own computers to view and comment on the official drafts of trade agreements. Meanwhile, Congress members are only permitted to view the text in a specific room without the ability to take notes or be accompanied by legislative aides. Public representatives are afforded even less access to negotiations than corporate representatives.

It's no wonder that the TPP carries so many anti-user policies. Based upon what we've seen from the leaked Intellectual Property chapter, we know that this current arrangement already gives corporations undue influence over its terms. That's why the TPP includes provisions that criminalize the circumvention of DRM, expand the international standard of copyright terms to life of the author plus 70 years, and cement dangerous liabilities for websites and other Internet intermediaries that will force them to take down and censor users' content.

If you're a US voter, you can help us fix this broken, corporate-captured process. Senator Ron Wyden, who has been a vocal opponent to the TPP's secretive negotiations, has the unique opportunity to make things right. As Chair of the Finance Committee, he's under massive pressure from Hollywood to introduce a bill that will legitimize this whole undemocratic process.

We need your help to call on Sen. Wyden to bring Internet users' interests to the table. Let's ask him to bring real transparency and accountability to the trade negotiation process so our international laws protect, not impair, digital rights.

Related Issues: Fair Use and Intellectual Property: Defending the BalanceInternationalTrans-Pacific Partnership Agreement
Share this:   ||  Join EFF

China parties like it’s 2004, investigates Microsoft for browser bundling

Ars Technica - Tue, 26/08/2014 - 19:13

Microsoft is under investigation by Chinese regulatory authorities amid concerns about how it is distributing its Internet Explorer browser and Windows Media Player app, reports the Wall Street Journal.

This investigation explains in part the surprise visits made to Microsoft's China offices last month.

In a briefing, Zhang Mao, chief of China's State Administration for Industry and Commerce, announced that these products (as well as the sale of Office and Windows) were being examined. "Microsoft is suspected of incomplete disclosure of information related to Windows and Office software, as well as problems in distribution and sales of its media player and browser."

Read 4 remaining paragraphs | Comments

Simon Josefsson: The Case for Short OpenPGP Key Validity Periods

Planet Debian - Tue, 26/08/2014 - 19:11

After I moved to a new OpenPGP key (see key transition statement) I have received comments about the short life length of my new key. When I created the key (see my GnuPG setup) I set it to expire after 100 days. Some people assumed that I would have to create a new key then, and therefore wondered what value there is to sign a key that will expire in two months. It doesn’t work like that, and below I will explain how OpenPGP key expiration works; how to extend the expiration time of your key; and argue why having a relatively short validity period can be a good thing.

The OpenPGP message format has a sub-packet called the Key Expiration Time, quoting the RFC:

5.2.3.6. Key Expiration Time (4-octet time field) The validity period of the key. This is the number of seconds after the key creation time that the key expires. If this is not present or has a value of zero, the key never expires. This is found only on a self-signature.

You can print the sub-packets in your OpenPGP key with gpg --list-packets. See below an output for my key, and notice the “created 1403464490″ (which is Unix time for 2014-06-22 21:14:50) and the “subpkt 9 len 4 (key expires after 100d0h0m)” which adds up to an expiration on 2014-09-26. Don’t confuse the creation time of the key (“created 1403464321″) with when the signature was created (“created 1403464490″).

jas@latte:~$ gpg --export 54265e8c | gpg --list-packets |head -20 :public key packet: version 4, algo 1, created 1403464321, expires 0 pkey[0]: [3744 bits] pkey[1]: [17 bits] :user ID packet: "Simon Josefsson " :signature packet: algo 1, keyid 0664A76954265E8C version 4, created 1403464490, md5len 0, sigclass 0x13 digest algo 10, begin of digest be 8e hashed subpkt 27 len 1 (key flags: 03) hashed subpkt 9 len 4 (key expires after 100d0h0m) hashed subpkt 11 len 7 (pref-sym-algos: 9 8 7 13 12 11 10) hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11) hashed subpkt 30 len 1 (features: 01) hashed subpkt 23 len 1 (key server preferences: 80) hashed subpkt 2 len 4 (sig created 2014-06-22) hashed subpkt 25 len 1 (primary user ID) subpkt 16 len 8 (issuer key ID 0664A76954265E8C) data: [3743 bits] :signature packet: algo 1, keyid EDA21E94B565716F version 4, created 1403466403, md5len 0, sigclass 0x10 jas@latte:~$

So the key will simply stop being valid after that time? No. It is possible to update the key expiration time value, re-sign the key, and distribute the key to people you communicate with directly or indirectly to OpenPGP keyservers. Since that date is a couple of weeks away, now felt like the perfect opportunity to go through the exercise of taking out my offline master key and boot from a Debian LiveCD and extend its expiry time. See my earlier writeup for LiveCD and USB stick conventions.

user@debian:~$ export GNUPGHOME=/media/FA21-AE97/gnupghome user@debian:~$ gpg --edit-key 54265e8c gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Secret key is available. pub 3744R/54265E8C created: 2014-06-22 expires: 2014-09-30 usage: SC trust: ultimate validity: ultimate sub 2048R/32F8119D created: 2014-06-22 expires: 2014-09-30 usage: S sub 2048R/78ECD86B created: 2014-06-22 expires: 2014-09-30 usage: E sub 2048R/36BA8F9B created: 2014-06-22 expires: 2014-09-30 usage: A [ultimate] (1). Simon Josefsson [ultimate] (2) Simon Josefsson gpg> expire Changing expiration time for the primary key. Please specify how long the key should be valid. 0 = key does not expire = key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n years Key is valid for? (0) 150 Key expires at Fri 23 Jan 2015 02:47:48 PM UTC Is this correct? (y/N) y You need a passphrase to unlock the secret key for user: "Simon Josefsson " 3744-bit RSA key, ID 54265E8C, created 2014-06-22 pub 3744R/54265E8C created: 2014-06-22 expires: 2015-01-23 usage: SC trust: ultimate validity: ultimate sub 2048R/32F8119D created: 2014-06-22 expires: 2014-09-30 usage: S sub 2048R/78ECD86B created: 2014-06-22 expires: 2014-09-30 usage: E sub 2048R/36BA8F9B created: 2014-06-22 expires: 2014-09-30 usage: A [ultimate] (1). Simon Josefsson [ultimate] (2) Simon Josefsson gpg> key 1 pub 3744R/54265E8C created: 2014-06-22 expires: 2015-01-23 usage: SC trust: ultimate validity: ultimate sub* 2048R/32F8119D created: 2014-06-22 expires: 2014-09-30 usage: S sub 2048R/78ECD86B created: 2014-06-22 expires: 2014-09-30 usage: E sub 2048R/36BA8F9B created: 2014-06-22 expires: 2014-09-30 usage: A [ultimate] (1). Simon Josefsson [ultimate] (2) Simon Josefsson gpg> expire Changing expiration time for a subkey. Please specify how long the key should be valid. 0 = key does not expire = key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n years Key is valid for? (0) 150 Key expires at Fri 23 Jan 2015 02:48:05 PM UTC Is this correct? (y/N) y You need a passphrase to unlock the secret key for user: "Simon Josefsson " 3744-bit RSA key, ID 54265E8C, created 2014-06-22 pub 3744R/54265E8C created: 2014-06-22 expires: 2015-01-23 usage: SC trust: ultimate validity: ultimate sub* 2048R/32F8119D created: 2014-06-22 expires: 2015-01-23 usage: S sub 2048R/78ECD86B created: 2014-06-22 expires: 2014-09-30 usage: E sub 2048R/36BA8F9B created: 2014-06-22 expires: 2014-09-30 usage: A [ultimate] (1). Simon Josefsson [ultimate] (2) Simon Josefsson gpg> key 2 pub 3744R/54265E8C created: 2014-06-22 expires: 2015-01-23 usage: SC trust: ultimate validity: ultimate sub* 2048R/32F8119D created: 2014-06-22 expires: 2015-01-23 usage: S sub* 2048R/78ECD86B created: 2014-06-22 expires: 2014-09-30 usage: E sub 2048R/36BA8F9B created: 2014-06-22 expires: 2014-09-30 usage: A [ultimate] (1). Simon Josefsson [ultimate] (2) Simon Josefsson gpg> key 1 pub 3744R/54265E8C created: 2014-06-22 expires: 2015-01-23 usage: SC trust: ultimate validity: ultimate sub 2048R/32F8119D created: 2014-06-22 expires: 2015-01-23 usage: S sub* 2048R/78ECD86B created: 2014-06-22 expires: 2014-09-30 usage: E sub 2048R/36BA8F9B created: 2014-06-22 expires: 2014-09-30 usage: A [ultimate] (1). Simon Josefsson [ultimate] (2) Simon Josefsson gpg> expire Changing expiration time for a subkey. Please specify how long the key should be valid. 0 = key does not expire = key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n years Key is valid for? (0) 150 Key expires at Fri 23 Jan 2015 02:48:14 PM UTC Is this correct? (y/N) y You need a passphrase to unlock the secret key for user: "Simon Josefsson " 3744-bit RSA key, ID 54265E8C, created 2014-06-22 pub 3744R/54265E8C created: 2014-06-22 expires: 2015-01-23 usage: SC trust: ultimate validity: ultimate sub 2048R/32F8119D created: 2014-06-22 expires: 2015-01-23 usage: S sub* 2048R/78ECD86B created: 2014-06-22 expires: 2015-01-23 usage: E sub 2048R/36BA8F9B created: 2014-06-22 expires: 2014-09-30 usage: A [ultimate] (1). Simon Josefsson [ultimate] (2) Simon Josefsson gpg> key 3 pub 3744R/54265E8C created: 2014-06-22 expires: 2015-01-23 usage: SC trust: ultimate validity: ultimate sub 2048R/32F8119D created: 2014-06-22 expires: 2015-01-23 usage: S sub* 2048R/78ECD86B created: 2014-06-22 expires: 2015-01-23 usage: E sub* 2048R/36BA8F9B created: 2014-06-22 expires: 2014-09-30 usage: A [ultimate] (1). Simon Josefsson [ultimate] (2) Simon Josefsson gpg> key 2 pub 3744R/54265E8C created: 2014-06-22 expires: 2015-01-23 usage: SC trust: ultimate validity: ultimate sub 2048R/32F8119D created: 2014-06-22 expires: 2015-01-23 usage: S sub 2048R/78ECD86B created: 2014-06-22 expires: 2015-01-23 usage: E sub* 2048R/36BA8F9B created: 2014-06-22 expires: 2014-09-30 usage: A [ultimate] (1). Simon Josefsson [ultimate] (2) Simon Josefsson gpg> expire Changing expiration time for a subkey. Please specify how long the key should be valid. 0 = key does not expire = key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n years Key is valid for? (0) 150 Key expires at Fri 23 Jan 2015 02:48:23 PM UTC Is this correct? (y/N) y You need a passphrase to unlock the secret key for user: "Simon Josefsson " 3744-bit RSA key, ID 54265E8C, created 2014-06-22 pub 3744R/54265E8C created: 2014-06-22 expires: 2015-01-23 usage: SC trust: ultimate validity: ultimate sub 2048R/32F8119D created: 2014-06-22 expires: 2015-01-23 usage: S sub 2048R/78ECD86B created: 2014-06-22 expires: 2015-01-23 usage: E sub* 2048R/36BA8F9B created: 2014-06-22 expires: 2015-01-23 usage: A [ultimate] (1). Simon Josefsson [ultimate] (2) Simon Josefsson gpg> save user@debian:~$ gpg -a --export 54265e8c > /media/KINGSTON/updated-key.txt user@debian:~$

I remove the “transport” USB stick from the “offline” computer, and back on my laptop I can inspect the new updated key. Let’s use the same command as before. The key creation time is the same (“created 1403464321″), of course, but the signature packet has a new time (“created 1409064478″) since it was signed now. Notice “created 1409064478″ and “subpkt 9 len 4 (key expires after 214d19h35m)”. The expiration time is computed based on when the key was generated, not when the signature packet was generated. You may want to double-check the pref-sym-algos, pref-hash-algos and other sub-packets so that you don’t accidentally change anything else. (Btw, re-signing your key is also how you would modify those preferences over time.)

jas@latte:~$ cat /media/KINGSTON/updated-key.txt |gpg --list-packets | head -20 :public key packet: version 4, algo 1, created 1403464321, expires 0 pkey[0]: [3744 bits] pkey[1]: [17 bits] :user ID packet: "Simon Josefsson " :signature packet: algo 1, keyid 0664A76954265E8C version 4, created 1409064478, md5len 0, sigclass 0x13 digest algo 10, begin of digest 5c b2 hashed subpkt 27 len 1 (key flags: 03) hashed subpkt 11 len 7 (pref-sym-algos: 9 8 7 13 12 11 10) hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11) hashed subpkt 30 len 1 (features: 01) hashed subpkt 23 len 1 (key server preferences: 80) hashed subpkt 25 len 1 (primary user ID) hashed subpkt 2 len 4 (sig created 2014-08-26) hashed subpkt 9 len 4 (key expires after 214d19h35m) subpkt 16 len 8 (issuer key ID 0664A76954265E8C) data: [3744 bits] :user ID packet: "Simon Josefsson " :signature packet: algo 1, keyid 0664A76954265E8C jas@latte:~$

Being happy with the new key, I import it and send it to key servers out there.

jas@latte:~$ gpg --import /media/KINGSTON/updated-key.txt gpg: key 54265E8C: "Simon Josefsson " 5 new signatures gpg: Total number processed: 1 gpg: new signatures: 5 jas@latte:~$ gpg --send-keys 54265e8c gpg: sending key 54265E8C to hkp server keys.gnupg.net jas@latte:~$ gpg --keyserver keyring.debian.org --send-keys 54265e8c gpg: sending key 54265E8C to hkp server keyring.debian.org jas@latte:~$

Finally: why go through this hassle, rather than set the key to expire in 50 years? Some reasons for this are:

  1. I don’t trust myselt to keep track of a private key (or revocation cert) for 50 years.
  2. I want people to notice my revocation certificate as quickly as possible.
  3. I want people to notice other changes to my key (e.g., cipher preferences) as quickly as possible.

Let’s look into the first reason a bit more. What would happen if I lose both the master key and the revocation cert, for a key that’s valid 50 years? I would start from scratch and create a new key that I upload to keyservers. Then there would be two keys out there that are valid and identify me, and both will have a set of signatures on it. None of them will be revoked. If I happen to lose the new key again, there will be three valid keys out there with signatures on it. You may argue that this shouldn’t be a problem, and that nobody should use any other key than the latest one I want to be used, but that’s a technical argument — and at this point we have moved into usability, and that’s a trickier area. Having users select which out of a couple of apparently all valid keys that exist for me is simply not going to work well.

The second is more subtle, but considerably more important. If people retrieve my key from keyservers today, and it expires in 50 years, there will be no need to refresh it from key servers. If for some reason I have to publish my revocation certificate, there will be people that won’t see it. If instead I set a short validity period, people will have to refresh my key once in a while, and will then either get an updated expiration time, or will get the revocation certificate. This amounts to a CRL/OCSP-like model.

The third is similar to the second, but deserves to be mentioned on its own. Because the cipher preferences are expressed (and signed) in my key, and that ciphers come and go, I would expect that I will modify those during the life-time of my long-term key. If I have a long validity period of my key, people would not refresh it from key servers, and would encrypt messages to me with ciphers I may no longer want to be used.

The downside of having a short validity period is that I have to do slightly more work to get out the offline master key once in a while (which I have to once in a while anyway because I’m signing other peoples keys) and that others need to refresh my key from the key servers. Can anyone identify other disadvantages? Also, having to explain why I’m using a short validity period used to be a downside, but with this writeup posted that won’t be the case any more.

Syndicate content