Archive for April, 2007

What’s new in Windows Vista — a quick glance

I bought a new Compaq Presario notebook. It came with Microsoft Vista Home Basic. Lifting up the cover, I found a one-page note saying the notebook would go through serious optimization for twenty-some minutes and not to panic if the screen went dark or it rebooted. Sure enough, it did all that without prompting me for any input. This makes you wonder why they don’t finish this step at the factory?! Circuit City actually has its Firedog technicians do this on some of them and sells them for $50 more, since the box is now opened and marked with a Sharpie saying ‘Optimized’.


CentOS 5 released tonight (x86 and x86_64)

Although I subscribed to the CentOS-announce mailing list, I check CentOS’s official site every time I sit at my desk at home. After all, RHEL 5 had been released for nearly a month by now. Every time, I was disappointed to find the CentOS 5 beta listed on the main page. Tonight, I was pleased to find that CentOS 5 was finally released, for both x86 and x86_64 architectures. The CentOS-announce mailing list post was stamped Thu Apr 12 22:36:44 UTC 2007. As of now, I still haven’t seen that post in my Gmail.


different ways and how to sign a file digitally using GnuPG

In his comment on my recent post asking why the wordpress.org dev team didn’t opt to sign their popular blog server software package, Barry said it might be cool to actually spell out how to sign a file digitally. With my taxes mailed out this afternoon (Yeah, I don’t have to wait in line with all the other last-minute losers this year!), I have some breathing time to actually take a stab at it, using GnuPG as an example. GnuPG is the open-source counterpart of PGP.

  • To sign a file digitally, you first need to have a pair of keys. If you don’t have one yet, read my earlier post on how to generate one along with best practice recommendations.
  • There are quite a few ways to sign a file. A file named ‘digital.signature.testfile’ has been created for illustration.
    • Sign the file to generate a new file containing only its digital signature. The new file is known as the (detached) signature file.
      • In armor text. The signature file’s name is the original file name with a .asc extension appended. It is readable by humans.

          gpg --detach-sign -a digital.signature.testfile

      • Not in armor text. The signature file’s name is the original file name with a .gpg extension appended. It is NOT readable by humans.

          gpg --detach-sign digital.signature.testfile

    • Sign it to generate a new file containing the original content as well as the digital signature. This is known as the signed file.
      • Clear-text signing, meaning the original content can be read as clear text inside the new file. The signed file’s name is the original file name with a .asc extension appended. It is readable by humans.

          gpg -s --clearsign digital.signature.testfile

      • Non-clear-text signing, meaning the original content can NOT be read as clear text inside the new file. The signed file’s name is the original file name with a .gpg extension appended. It is NOT readable by humans.

          gpg -s digital.signature.testfile

  • Most software packages need to be unpacked using unzip, tar, 7z, rar or the like, so the obvious preference is not to touch the package itself but to provide a detached signature file in armor text. As a result, you often see on the download page, listed side by side, a package file named popular.package-1.1.3.tar.gz and its signature file popular.package-1.1.3.tar.gz.asc.
  • The contents of the original file, the clear-signed file, and the detached signature file in armor text are all appended below for your reference.

/home/experts8$ cat digital.signature.testfile # the original file
Wed Apr 11 23:46:07 EDT 2007
/home/experts8$ cat digital.signature.testfile.asc # the signed file by clear-sign
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Wed Apr 11 23:46:07 EDT 2007
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Cygwin)

iD8DBQFGHau1qVSbap/EkWYRAkQhAJ98vWY/peeVYW+sQ0JLXm1DWQuB+ACfXHoo
NGV2PrjRiyKJSN5mmmKm3IE=
=Axe4
-----END PGP SIGNATURE-----

/home/experts8$ cat digital.signature.testfile.asc  #detached signature file in armor text
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1

iD8DBQBGHbBUqVSbap/EkWYRAtH/AJ9cPHrnz7s1HFIyiJrzxzEPuuPTAwCaAkyi
jvSor1JP4ODC5RW59Hue1f8=
=8+4g
-----END PGP SIGNATURE-----
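To see what the armored blocks above actually carry, here is an added Python example (not from the post) that dearmors the two signatures shown in the session, recomputes the armor’s CRC-24 checksum, and decodes the version 3 signature packet header: signature type (binary vs. canonical text), creation time, signer key ID and the algorithms used. It assumes the armor text was copied exactly as printed above; checking the DSA signature itself would additionally need the signer’s public key, which the post does not include.

```python
import base64
# Sample input constructed by copying the two armored signatures shown above.
CLEARSIGNED_ASC = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Wed Apr 11 23:46:07 EDT 2007
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Cygwin)

iD8DBQFGHau1qVSbap/EkWYRAkQhAJ98vWY/peeVYW+sQ0JLXm1DWQuB+ACfXHoo
NGV2PrjRiyKJSN5mmmKm3IE=
=Axe4
-----END PGP SIGNATURE-----
"""
DETACHED_ASC = """-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1

iD8DBQBGHbBUqVSbap/EkWYRAtH/AJ9cPHrnz7s1HFIyiJrzxzEPuuPTAwCaAkyi
jvSor1JP4ODC5RW59Hue1f8=
=8+4g
-----END PGP SIGNATURE-----
"""

def crc24(data: bytes) -> int:  # armor checksum, RFC 4880 section 6.1
    crc = 0xB704CE
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def inspect_signature(armored: str) -> dict:  # dearmor, check CRC-24, decode v3 header
    lines = armored.splitlines()
    block = lines[lines.index("-----BEGIN PGP SIGNATURE-----") + 1:lines.index("-----END PGP SIGNATURE-----")]
    b64 = block[block.index("") + 1:]          # armor headers end at the first blank line
    crc_line = b64.pop()                       # last line is "=" + the CRC-24 in radix-64
    data = base64.b64decode("".join(b64))
    crc_ok = crc24(data) == int.from_bytes(base64.b64decode(crc_line[1:]), "big")
    # Old-format header 0x88 = tag 2 (signature) with a one-octet length; a v3 body starts 03 05.
    body = data[2:2 + data[1]]
    if data[0] != 0x88 or len(body) != data[1] or body[:2] != b"\x03\x05":
        raise ValueError("expected a version 3 signature packet")
    return {"crc_ok": crc_ok,
            "sig_type": body[2],                           # 0x00 binary document, 0x01 canonical text
            "created_unix": int.from_bytes(body[3:7], "big"),
            "key_id": body[7:15].hex().upper(),            # long key ID of the signing key
            "pk_algo": body[15],                           # 17 = DSA
            "hash_algo": body[16]}                         # 2 = SHA-1, matching the 'Hash: SHA1' header
```

Both blocks decode to the same signing key, with the clear-signed one made about a minute after the test file’s timestamp and the detached one about twenty minutes later; if a single armor character were altered in transit, crc_ok would come back False before any of the header fields are trusted.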


how to generate a pair of GnuPG keys only to sign digitally

A pair of GnuPG keys is needed to sign files digitally. Below, I’ll highlight the choices I made when generating a pair of GnuPG keys only to sign and not to encrypt, using the cygwin port of GnuPG. The entire key-generation session will be appended at the end (Appendix A). A list of best practice recommendations for digital signature security is provided as well.

A GnuPG key pair has two keys, one private and the other public. They are mathematically related, just like the asymmetric keys used in other PKI programs. The two keys in a GnuPG key pair are born equal, however. The only difference between a public key and a private key is the designation of purpose and the resultant protection scheme, or lack thereof. It’s like having newborn twins. For no good reason, you name one of the twin brothers Jerry and the other Tom, instead of the other way around. From that point on, you feed and treat them according to their names. Latecomers may come to believe that Tom was born a Tom and Jerry was born a Jerry. That is simply not true.


to the WordPress dev team: why not just sign it digitally?!

I was rather perplexed when I read the latest WordPress 2.1.3 release post. Therein, the dev team reported that they’ve taken the trouble of reviewing the code base for security enhancements and whatnot. In an eh-by-the-way style P.S., an update was provided on the recent code tainting caused by a server account compromise.
