S/MIME in Mac Outlook

Internet

An ongoing work task has been to research options for email encryption. We want to be able to share sensitive information without it being transmitted in the clear or later retrieved by a MITM.

The initial option was to use PGP. It’s simple, and I have years of experience using it. Unfortunately, while Apple Mail, Thunderbird and Evolution support it either natively or with free extensions, Outlook for Mac 2011 does not. Exhaustive searches online and in newsgroups returned nothing, as previously explained.

So the solution was to research S/MIME. Outlook for Mac supports it, and from my previous experiments I was able to create a self-signed internal certificate authority, generate a private key and issue myself a cert.

I generated a key for my supervisor, and imported the CA and key into Keychain Access on his Mac. He was able to send me an encrypted message without problems.

Problem was, I couldn’t decrypt it on either Evolution or Mac Outlook. Despite importing his cert into my Mac keychain, Outlook appeared to not make the connection between the imported key and his email.

On a hunch, I figured if he sent me a signed but unencrypted message, Outlook would see his cert. Sure enough, I was able to verify his signed email and click “Add Encryption Certificate to Contacts”. Once that was done, we could exchange encrypted messages.

This setup works. Next step is to research issuing genuine-CA signed messages to everyone in the company, among other options.
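For anyone wanting to reproduce the internal-CA part of the setup above and check it before touching a mail client, here is an added example written for this page; it is not the post's own commands. It builds a throwaway CA with openssl, issues two user certs carrying the emailProtection extended key usage and an email subjectAltName (the field a client matches against the sender address when it decides a cert "belongs" to a contact), bundles each as PKCS#12 for Keychain Access import, and then round-trips a signed and an encrypted message, including a check that a tampered signed message fails verification. The CA name and the alice/bob addresses at example.com are placeholders.

```shell
#!/bin/sh
# Added example, not from the post: a disposable internal S/MIME CA with openssl.
# Assumes a working openssl binary (1.1.1 or 3.x). Names are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

make_ca() {
  # self-signed root; req -x509 marks it CA:TRUE via the default config
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

issue_user_cert() {
  # $1 = short name, $2 = email address (both placeholders chosen by the caller)
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=$1/emailAddress=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  # S/MIME-specific extensions: without emailProtection and a matching email SAN,
  # clients will not offer the cert for signing or tie it to the contact
  printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=emailProtection\nsubjectAltName=email:%s\n' "$2" \
    > "$WORK/$1.ext"
  openssl x509 -req -days 365 -in "$WORK/$1.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
  # key + cert + issuing CA in one bundle, the form Keychain Access imports
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
    -certfile "$WORK/ca.crt" -passout pass:changeit -out "$WORK/$1.p12"
}

sign_message() {
  # $1 = signer name, $2 = plaintext file, $3 = output (multipart/signed)
  openssl smime -sign -in "$2" -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" -out "$3"
}

verify_message() {
  # succeeds only if the signature is intact and the signer chains to our CA
  openssl smime -verify -in "$1" -CAfile "$WORK/ca.crt" -out /dev/null 2>/dev/null
}

encrypt_message() {
  # $1 = recipient name, $2 = plaintext, $3 = output; only the recipient's
  # private key can open it, which is the property the post relies on
  openssl smime -encrypt -aes256 -in "$2" -out "$3" "$WORK/$1.crt"
}

decrypt_message() {
  # $1 = recipient name, $2 = encrypted message, $3 = output
  openssl smime -decrypt -in "$2" -recip "$WORK/$1.crt" -inkey "$WORK/$1.key" -out "$3"
}

demo() {
  make_ca
  issue_user_cert alice alice@example.com
  issue_user_cert bob bob@example.com
  # constructed sample content
  printf 'sensitive payroll figures (constructed sample)\n' > "$WORK/plain.txt"

  sign_message alice "$WORK/plain.txt" "$WORK/signed.msg"
  verify_message "$WORK/signed.msg"
  # a clear-signed body edited in transit must fail verification
  sed 's/payroll/bonus/' "$WORK/signed.msg" > "$WORK/tampered.msg"
  if verify_message "$WORK/tampered.msg"; then
    echo "tampered message verified: broken setup" >&2
    return 1
  fi

  encrypt_message bob "$WORK/plain.txt" "$WORK/enc.msg"
  decrypt_message bob "$WORK/enc.msg" "$WORK/out.txt"
  grep -q 'payroll figures' "$WORK/out.txt"
}

demo && echo "S/MIME round trip OK in $WORK"
```

Importing alice.p12 (and ca.crt as a trusted root) into Keychain Access is the manual step the post describes; `openssl smime -sign -nodetach` produces the opaque-signed form instead of multipart/signed, which matters for the Windows 8 Mail behaviour discussed further down the page.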


Windows 8 Mail and S/MIME

Internet

One of the primary reasons for choosing S/MIME was its ubiquity. Most people don’t use it, but almost all mail applications at least support it, especially clients developed in the last decade. It’s curious that PGP hasn’t managed a similar feat; the fact it’s competing with an RFC standard hasn’t stopped similar quasi-standards from winning in the past.

Meanwhile, this is helpful:

Opaque-Signed and Encrypted S/MIME messages: When S/MIME messages are received in Windows 8 Mail, it displays an email item with a message body that begins with “This encrypted message can’t be displayed.”

I don’t think anyone here (or anyone in their right mind) uses Windows 8 Mail, but keeping a link to OpaqueMail for future reference:

Windows 8’s Mail App does not natively support S/MIME. However, the OpaqueMail Proxy can add S/MIME protection to Windows 8 Mail.

Windows 8’s Mail App can be configured to use the OpaqueMail Proxy. It includes an option to allow “loopback” network traffic. In addition to signing and encrypting outgoing messages, the OpaqueMail Proxy can automatically import certificates from inbound messages.


VyOS, a Vyatta fork

Software

Vyatta is a Debian-based software router and firewall that has a familiar, hardware-router-like syntax. It’s rather nice.

This morning, VyOS was being discussed in the AusNOG mailing lists. From Wikipedia:

After Brocade Communications stopped development of the Vyatta Core Edition of the Vyatta Routing software, a small group of enthusiasts took the last Community Edition, and worked on building an Open Source version to live on in place of the end of life VC.

Seems there are some who aren’t too happy about the Brocade buyout. Regardless, it won’t be changing anything here, for the time being.

With the official Vyatta site now relegated to a redirect, the best documentation and information source seems to be the Unofficial Vyatta Wiki.


Installing PHP APC on Debian

Software

Having got used to the Debian package naming conventions, I thought I’d install APC with this:

# apt-get install php5-apc

Turns out, it’s actually this:

# apt-cache search apc  
==> php-apc - APC (Alternative PHP Cache) module for PHP 5

Install, and reload:

# apt-get install php-apc
# /etc/init.d/php-fpm reload

intl PECL extension not available

Internet

While installing a testing version of MediaWiki on a VM instance, the welcome page warned that an environment check had failed:

Warning: The intl PECL extension is not available to handle Unicode normalization, falling back to slow pure-PHP implementation.

If you run a high-traffic site, you should read a little on Unicode normalization.

I had been careful (as always) to use the following line in my nginx.conf:

use utf-8;

In this case though, php5-intl needed to be installed:

# apt-get install php5-intl

The resulting download was 22.5MB, which seemed a little large. Regardless, after downloading, the intl.ini mod was loaded and the PHP5 FastCGI Process Manager reloaded:

==> Setting up libicu48:amd64 (4.8.1.1-12+deb7u1) ...
==> Setting up php5-intl (5.4.4-14+deb7u10) ...
==> Creating config file /etc/php5/mods-available/intl.ini with new version
==> Processing triggers for php5-fpm ...
==> [ ok ] Restarting PHP5 FastCGI Process Manager: php5-fpm.

Now the MediaWiki install environment check reported:

Using the intl PECL extension for Unicode normalization.

Replacing MySQL with PostgreSQL in php-fpm

Software

On autopilot, I generated a web server stack with nginx, PHP and MySQL. The company uses Postgres everywhere though, so I took that as a long, overdue excuse to use it myself.

# apt-get remove mysql-server mysql-client  
# apt-get install postgresql postgresql-client php5-pgsql

Then the requisite PHP packages:

# apt-get install php5-pgsql  
# apt-get remove 

The classic <?php phpinfo() ?> will still show MySQL capabilities though, so we need to remove the MySQL conf files from php-fpm:

$ ls /etc/php5/mods-available  
==> apc.ini  intl.ini  mysqli.ini  mysql.ini  pdo.ini  
==> pdo_pgsql.ini  pgsql.ini  
# rm mysql*ini
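Deleting the .ini files by hand does make phpinfo() stop reporting MySQL, but on layouts where the per-SAPI conf.d directory holds symlinks into mods-available it also leaves dangling links behind. The following is an added example, not the post's own commands: two POSIX shell functions that report which extensions a conf.d directory actually enables and which entries point at .ini files that no longer exist, run against a constructed mods-available/conf.d tree that imitates the post's rm.

```shell
#!/bin/sh
# Added example, not from the post: audit a php-fpm conf.d directory after
# extension .ini files have been removed by hand. Uses only POSIX tools.
set -eu

list_enabled_extensions() {
  # $1 = conf.d directory. Prints the extension= value of every .ini that still
  # resolves (dangling symlinks are skipped because [ -e ] follows the link).
  for f in "$1"/*.ini; do
    [ -e "$f" ] || continue
    sed -n 's/^[[:space:]]*extension[[:space:]]*=[[:space:]]*//p' "$f"
  done | LC_ALL=C sort
}

find_dangling_links() {
  # $1 = conf.d directory. Prints the names of symlinks whose target is gone,
  # i.e. what "rm mysql*ini" in mods-available leaves behind in conf.d.
  for f in "$1"/*; do
    if [ -L "$f" ] && [ ! -e "$f" ]; then
      basename "$f"
    fi
  done | LC_ALL=C sort
}

make_sample_tree() {
  # Constructed layout (an assumption, not copied from a real host):
  # $1/mods-available/<mod>.ini with $1/fpm/conf.d/20-<mod>.ini symlinks.
  root="$1"
  mkdir -p "$root/mods-available" "$root/fpm/conf.d"
  for m in pgsql pdo_pgsql mysql mysqli; do
    printf 'extension=%s.so\n' "$m" > "$root/mods-available/$m.ini"
    ln -s "../../mods-available/$m.ini" "$root/fpm/conf.d/20-$m.ini"
  done
  # reproduce the post's step, run inside mods-available
  rm "$root"/mods-available/mysql*ini
}

main() {
  root=$(mktemp -d)
  make_sample_tree "$root"
  echo "enabled extensions:"
  list_enabled_extensions "$root/fpm/conf.d"
  echo "dangling conf.d links:"
  find_dangling_links "$root/fpm/conf.d"
}

main
```

Cleaning up properly means removing the php5-mysql package so the .ini files and their symlinks go together, then confirming with `php -m` that only the intended extensions load; the audit above is the check to run afterwards.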

Listing installed Debian packages

Software

On Red Hat Enterprise Linux, CentOS and Fedora, I’d do this:

yum list installed

For Debian, it's:

dpkg --list

OmniFocus 2 and seeking an alternative

Software

Things have been pretty quiet on Rubenerd of late. I’ve got a wonderful new job, this semester has just started to wrap up, and I’ve been battling a persistent head cold. Seems like an appropriate time to talk about task managers!

Firstly, to the exciting news that shook the Apple world. A swift, Yosemite Sam change? Heavens no, after years of waiting, the next iteration of everyone’s favourite Swiss Army Chainsaw of GTD task managers has arrived. And from the screenshots, it looks gorgeous. To be fair, it wouldn’t have been hard to improve on the UI of v1, but it looks as though they took all our feedback and made something so much better.

Okay then, so why are you moving?

As much as I feel ashamed to admit, OmniFocus and I have had a strained relationship for the last few months. After using it to successfully manage university assignments and self employment, I recently caught myself “capturing” tasks in my memory or text files. In GTD parlance, I then lost trust in the system, which is toxic.

Still, I couldn’t bring myself to realise the system wasn’t working for me, largely because of the time and money I’d sunk into it. In other words, I refer to my beloved RationalWiki:

This sunk cost fallacy occurs when a person or company continues to pump resources into a failed project in hopes of rescuing it, or because they feel that the expended cost would otherwise be wasted.

With OmniFocus 2 for the Mac, I faced the prospect of upgrading, or using that money to try something new. I’ve elected to do the latter.

Challenges

I bought an OmniFocus licence a couple of years ago. I’d heard Merlin Mann discuss Getting Things Done on his Back To Work programme with Dan Benjamin; Daniel Jalkut had also discussed moving back to it on Core Intuition with Manton Reece. I adore all these guys, and decided to give it a try.

I wasn’t as intimidated by the UI as I thought I would be, given its reputation as being powerful but complex. Where I started having issues were in task capture, synching and contexts.

Task capture is a core component of the GTD system, but even with the extra iPhone app I found the barrier to entry too high. More often than not, I’d whip out Byword and add a line to a text file, rather than wait for OmniFocus to load, “optimise its database”, traverse its screens, press the right buttons, fill in the pertinent details and create the task. The desktop application was similarly convoluted; if you wanted to change something as simple as a due date, you’d need to launch a sidebar window with more controls than a space shuttle.

(Version 2 of the iPhone version was prettier and resembled iOS 7 visually, but didn’t address my concerns).

Once I’d created a task, I wanted it on my Mac and phone. Unfortunately, Omni’s Cloud Server would often time out, take glacially long to work or lose tasks to the ether. This may be a function of hitting a remote US server from Australia and Singapore, but it didn’t instill confidence. Local WiFi sync worked better, but that seems to have been removed in version 2 unless you want to roll your own unsupported server. This is par for the course for open source, but I expect more from paid software.

And finally, I found contexts a little inflexible. Despite strict GTD principles, I’d often want to assign several, particularly for larger projects. When I caught myself creating a complicated tree of contexts with dependencies that could act as complementary contexts, I knew I was trying to use the program in a way it wasn’t intended.

It wasn’t mostly you OmniFocus, it was mostly me

Which gets me to my final point. Aside from synching, OmniFocus is technically excellent and very powerful. In the hands of a wizard, I have no doubt you could do amazing things. Perhaps because I’m not a strict GTD’er though, and because I need to enter tasks in rapidly, the solution was never a glove fit.

So I’ve decided to bid farewell. I do want to thank the Omni Group for their excellent support, and for getting me through some stressful times in my life, but for both of us I think it’s time to move on.


Bill Shorten’s Australian budget reply

Media

Audio: My Budget reply speech

I think the Hon Leader of the Opposition pulled off a great performance. Looks like most of the people in the gallery agreed too.


Ladar Levison, and tapping is easy right?

Internet

I have nothing but respect for Ladar Levison. The founder of the former secure email provider Lavabit, he shut his startup down when he was issued with court orders compelling him to install back doors into his system. His latest articles in The Guardian are Instapaper material; I encourage you to read them.

In a broader sense though, such cases demonstrate yet another disconnect between the expectations of end users, and the reality of system design.

In popular culture, we have the image in our minds of the phone tap. Whether by splicing a cable (as the name suggests) or listening in another room to someone’s private conversations, we can insert ourselves into the middle and eavesdrop on conversations. I get the feeling many in law enforcement and government are stuck in this 1970s cop movie mindset. If it worked for phones, why can’t secure communication providers just insert a back door or a tap?

One of the key problems with these demands is that the entire system would need to be rearchitected to comply. For those doing crypto right, there’s no way for an intermediary to access private keys or plaintext, as they are used and encrypted at the client side. For law enforcement, this sounds like techno babble, but it’s mathematical and algorithmic fact.

It’s almost as if PKI was designed this way. You don’t say.

Which leads us to an uncomfortable place. Whether intentional or otherwise, these requests are a disincentive for secure system developers to place the locus of control with clients, as they may need to redesign their system at another stage to comply with secret court orders. Both providers and users suffer in this scenario.