S/MIME: You Can’t Stop Me

I’ll use it even if I have to become my own CA and sign my own certificates…which is what I did.

But back up.

3 years ago, I wrote about how and why to use S/MIME, and its numerous shortcomings:

S/MIME Email Encryption

The biggest inconvenience, aside from getting people to use it, is that it relies on a public key infrastructure.  Those familiar with web TLS no doubt already understand this.  In short, it’s a real pain to get a trusted certificate authority to issue a certificate, and they cost money.  But the system worked nonetheless, until the day most major browser vendors decided to remove keygen support.  The keygen element let the browser generate the key pair locally and hand only the public key to the CA for signing; without it, certificates could no longer be manufactured and signed from the user’s browser session.  But all was not lost, because some browsers hadn’t fully deprecated the feature.  Notably, Safari:

S/MIME Revisited

Then that changed too.  I wondered then, why can’t I generate my own key pair and submit a certificate signing request, the way one does for a TLS certificate?  I wish I knew, but no one offers that.  Probably because no one uses S/MIME anyway.  So I was left to reevaluate my needs:

  1. While it makes me feel all super official, I doubt any recipients of my general correspondence even notice that my emails are signed.
  2. There’s nothing stopping me from minting my own certificates.  They just won’t be trusted inherently.
  3. The main purpose of me using S/MIME is for encrypted information exchange with Liz.
  4. I can simply have Liz’s phone explicitly trust my certificate.

And so, using Apple’s keychain, I minted a general purpose master root certificate, trusted it explicitly, installed it on our phones, trusted it on the phones, then used it to sign an email certificate.  The email certificate, once installed on my own devices, was then trusted because the explicitly trusted root certificate had signed it.  Problem solved.

Alas, I can’t feel all super official when I email other people, but oh well.  Such is the fate of a mostly unknown encryption system.

–Simon

Tactical

I have a strong disdain for anything marketed as “tactical”.  Here’s why:  tactical = meant for harming people = not meant for anything reasonably practical that you might actually use the item for.  Are you really prepping for the inevitable murder, or just making too much money that drugs and hookers aren’t doing it for you anymore?  Here are some tactical examples:

Tactical firearm = AR-15.  Not practical because you can’t hunt with it (and you sure as hell shouldn’t).  A .223 is good for shooting people and some varmints, and if you hunt the latter, be a little more sporting and get a bolt action rifle.

Tactical knife = anything with serrations or an aptly-named tactical point.  Good for stabbing people and opening field rations.  Not effective at skinning animals or carving wood.

Tactical flashlight = overpowered and strobe function.  Too bright to maintain night vision and extraneous modes not useful for anything beyond blinding people.  And my favorite–the hard nub on the butt meant for bashing skulls.  I can’t even stretch my imagination on that one.

So, is there any reason to actually buy something tactical, if you’re not military/police?  I will tell you: probably not.  To do so is to believe that a weapon’s primary function should be to shoot people, presumably under the belief that doing so will become necessary under a societal collapse, and that roving bands of raiders will come to take your food.  I argue, however, that you’d be much better off buying a weapon whose primary function is to shoot animals (you know, to acquire food), with the understanding that it can still be effective for defense situations (are you really going to get off 12 shotgun rounds?), and can even be modified for that purpose were the need to arise (swap barrels/magazines).  See?  Survival first requires you to feed yourself, and a tactical weapon therefore will be of much less value.  If you don’t have any food to steal in the first place, no one’s going to come gunning for you.  And if they do and you shoot them, you still don’t have any fresh meat (cannibalism aside).  Sure, you might now point out that all your prepping supplies preclude the need to hunt, and you might be right, at least for the short-term.  But thinking long-term, you still need to hunt.  And thinking short-term, you’re not going to be able to defend yourself against a band of much younger men with more guns just because you bought the tactical variant.

Although, if you plan to be one of the roving raiders yourself, tactical weapons make more sense.  Then by all means, buy tactical, you sociopath.

I’m guessing we have video games to thank for the tactical obsession, because for a lot of people that’s their first encounter with a gun, albeit virtual, and so they don’t know otherwise; and the fact that most shooting in games is of the people variety; and modding guns in games with tactical loadouts is just plain fun, too.

Google “tacticool” for more examples.  Yes, there’s an internet community of people laughing at you and your gun.

Okay, I had to get that out of the way.  Thanks for listening.  Now for the real post: I bought a gun.

Specifically, I bought a Remington 870 Express Ultramag.  12 gauge, wooden stock (no tacticool synthetic).

They grow up so fast

Why did I buy this?  Well, because I hunt.  The old single shot break action 20 ga. that dad bought me when I was 16 has certainly bagged its share of woodland creatures, but it did have some limitations.  Range was one of the bigger ones (I’ve been known to sprint across open clearings to make a shot).  Using anything smaller than #6 was pretty ineffective beyond 10 yards, and steel shot was nigh impossible.  #7 1/2 works for skeet, but squirrels don’t shatter if you accidentally drop them.  I also considered trying some waterfowl this year too.  So in order to be effective as well as humane, I wanted something more powerful.

I also wanted Remington over Mossberg.  Personal reasons there.  I won’t get into that flame war (I don’t care if the US military uses Mossbergs.  I’m not shooting people, remember?  Also, the military’s decision to use a particular weapon design doesn’t necessarily equate to reliability.  See the early deployments of M-16s in Vietnam, for instance.)

But I admit, I did mod it.  I didn’t tacticalize it, but I did make some additions.  Hunting-related additions, not tactical additions, to be clear.

Buttstock shell holder
Rifle glow sights
.715 vented choke

And tacticality aside, I keep it stored with 00 buck, so I can still shoot roving raiders if needed.

–Simon

S/MIME Revisited

This is more of a PSA than anything, but (unsurprisingly), with the lack of interest in general email encryption, apparently no one’s going to step up and offer us free email certificates anymore (why, LetsEncrypt?!).

Previous writeup:

S/MIME Email Encryption

Also, I discovered that Firefox removed keygen support, so you can’t use it anymore for certificate generation.  I missed that memo, and spent some time acquiring my domain-validated certificate with Sectigo’s support team (being told repeatedly to use Internet Explorer, amusingly), before this detail was mentioned, and I was able to complete the process in Safari (this imports the certificate directly into Keychain, which then requires an export to send to other devices).

The formerly free COMODO (now part of Sectigo) certificates that I used to use now cost $20 per year (although the site now says $16.99, so they must have dropped it since).  Still, not bad, though irritating.  On the other hand, unlike COMODO’s free certificates, I did get actual support when things went awry, so you do seem to get what you pay for.  And, I was happy with their assistance in acquiring my domain-validated certificate earlier this year, so I’ll stick with them for now so long as they offer decent support.

Other than the company merger and the pricing structure change, and the fact that no one else on the internet appears to use S/MIME encryption, the installation at least remains the same on the various devices I use.  So, you know, encrypt away!  Except you won’t, because again, I’m the only person on the internet who appears to use S/MIME encryption.

Simon

DNS

Of all the digital glues holding the Internet together, the domain name system is probably one of the most critical, yet also the weakest.  Classic DNS over port 53 is unencrypted, and if resolution goes down, or is interfered with, then nothing is reachable except by hard-coded IP address.  And even then, TLS falls apart: certificates are issued for hostnames, so a connection to a bare IP fails validation unless the certificate (or the client) was specifically exempted.  In short, a DNS failure would break the Internet.

And it was exactly that scenario in which I found myself recently.  I, the security-minded sysadmin of the home, had long since switched my DNS provider over to what at the time I determined to be the most privacy-minded and secure: Quad9.  And I never had any issues since.  But I made an error with my configuration: I specified two Quad9 DNS IPs, rather than using a different party as fallback.  And when, for inexplicable reasons, Quad9’s DNS servers ceased to resolve my DNS queries, I found myself offline–sort of.

Certain devices bypassed DNS, notably my work laptop and the Ring cameras.  Liz’s work laptop did not, however, which is an interesting aside: mine must have a hard-coded VPN IP and hers must not.

But back to the main story.  I had never experienced a DNS provider failure before, and it took some rather lengthy late-night testing to figure out the problem.  Ultimately, I ended up switching back to OpenDNS with a Google fallback–not my ideal configuration, but one I’m sure won’t experience any downtime.

Yet in the end, I’m left to wonder: What happened to Quad9?  The Internet community as a whole offered no information, which I’m sure would have been available anecdotally had Quad9 truly ceased to function.  Perhaps Spectrum was blocking it?  But why would they do that, only to allow me to use other DNS providers?  If forcing customers to use their own, why didn’t they block OpenDNS and Google?

I pose this query to the universe.  In the meantime, know that you may have issues with a Quad9/Spectrum configuration.
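The configuration mistake in this story, two resolvers from the same operator, is easy to catch mechanically.  The check below is an added example, not part of the original post: it reads a resolv.conf-style list and reports whether the nameservers span more than one operator.  The address table covers the three providers named in the post plus Cloudflare; any other address (a home router, an ISP resolver) is reported as unknown and counted as its own operator.  The sample configurations are constructed.

```shell
#!/bin/sh
# Resolver-diversity check for a resolv.conf-style nameserver list.
# Added example, not from the post.  The provider table is limited to the
# public resolvers listed here; anything else is treated as a distinct
# unknown operator.

# Map a resolver address to its operator.
provider_of() {
  case "$1" in
    9.9.9.9|149.112.112.112|2620:fe::fe|2620:fe::9)              echo Quad9 ;;
    208.67.222.222|208.67.220.220)                              echo OpenDNS ;;
    8.8.8.8|8.8.4.4|2001:4860:4860::8888|2001:4860:4860::8844)  echo Google ;;
    1.1.1.1|1.0.0.1)                                            echo Cloudflare ;;
    *)                                                          echo "unknown($1)" ;;
  esac
}

# Reads resolv.conf text on stdin.  Prints:
#   none                    - no nameserver lines at all
#   single-provider:<name>  - every nameserver belongs to one operator
#   diverse                 - at least two operators are configured
resolver_diversity() {
  providers=$(awk '$1 == "nameserver" { print $2 }' \
    | while read -r ip; do provider_of "$ip"; done | sort -u)
  count=$(printf '%s\n' "$providers" | sed '/^$/d' | wc -l)
  if [ "$count" -eq 0 ]; then
    echo none
  elif [ "$count" -eq 1 ]; then
    echo "single-provider:$providers"
  else
    echo diverse
  fi
}

# Constructed sample configurations (not captured from a real system).
SAMPLE_QUAD9_ONLY='nameserver 9.9.9.9
nameserver 149.112.112.112'
SAMPLE_MIXED='nameserver 208.67.222.222
nameserver 8.8.8.8'

# Stand-alone run: `sh resolver-check.sh demo`, or pipe a real file:
#   resolver_diversity < /etc/resolv.conf
if [ "${1:-}" = "demo" ]; then
  echo "quad9 pair: $(printf '%s\n' "$SAMPLE_QUAD9_ONLY" | resolver_diversity)"
  echo "opendns+google: $(printf '%s\n' "$SAMPLE_MIXED" | resolver_diversity)"
fi
```

A single-provider result is the configuration the post describes: both addresses share one operator, so an outage or a block at that operator takes resolution down entirely.  The check says nothing about which operator to pick; that is the privacy trade-off the post makes separately.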

–Simon

Desperate Times

I never would have predicted that Windows would have gotten so bad that my own wife would choose to abandon it, especially given her disdain for Apple.

But the OS world is not one of strict duality.  And upon my suggestion, she agreed to Ubuntu, convinced by my recommendation (in turn based upon my own recent experiences with it).

The process was essentially the same as the above linked post, so I won’t go into detail again here.  Instead, I’ll just share this picture, and again vouch for Ubuntu with yet another successful experience:

If Windows 10 has made you pine for an adult operating system, and Apple isn’t your cup of tea, then consider the latest Linux distros.  They’re far more user-friendly than they used to be.

–Simon