Security Bug in Linux APT

I’m in the process of testing Whonix (like Tails but runs in VMs) and saw a major security notice that affects all Debian-based Linux distributions like Ubuntu and Mint.

The apt HTTP transport did not sanitize the redirect target it received from a server, so an attacker in a man-in-the-middle position on the (unencrypted) connection to a mirror could inject a crafted redirect and have apt accept attacker-supplied content as a verified package (CVE-2019-3462). The bug has been patched, but since the fix itself is downloaded by the vulnerable apt, fetch it with HTTP redirects disabled (run as root or with sudo):

apt -o Acquire::http::AllowRedirect=false update
apt -o Acquire::http::AllowRedirect=false upgrade

If your configured mirror relies on redirects, the update will fail with that option set; point apt at a mirror that serves packages directly, or download the fixed apt package manually and install it with dpkg -i.

Check your apt version with:

apt -v

The first line of the output looks like “apt 1.6.6ubuntu0.1 (amd64)”. You are patched if that version is at or above the fixed version for your release:

  • Debian 9 Stretch – 1.4.9
  • Ubuntu 18.10 “Cosmic” – 1.7.0ubuntu0.1
  • Ubuntu 18.04 “Bionic” – 1.6.6ubuntu0.1
  • Ubuntu 16.04 “Xenial” – 1.2.29ubuntu0.1
  • Ubuntu 14.04 “Trusty” – 1.0.1ubuntu2.19

Mint 18 is based on Ubuntu 16.04 ‘Xenial’ and Mint 19 on Ubuntu 18.04 ‘Bionic’, so use those rows.
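As an added example (not part of the original post), here is a shell script that does the version check above automatically: it reads the release codename from /etc/os-release (Mint exposes its Ubuntu base as UBUNTU_CODENAME, which is assumed here, with lsb_release as a fallback), parses the first line of apt -v, compares it against the fixed versions listed above using dpkg --compare-versions (or GNU sort -V when dpkg is absent), and prints the redirect-free update commands if the installed apt is older than the fix. The script name and the sudo prefix are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: check whether the installed apt is at or
# above the fixed version for this release, and print the redirect-free update commands
# if it is not.  Fixed versions are the ones listed in the post.  Assumes /etc/os-release
# exists (it does on Debian, Ubuntu and Mint); falls back to lsb_release for the codename.

# Fixed apt version for a Debian/Ubuntu release codename.  Returns 1 for releases
# not in the table (the script then cannot decide and says so).
fixed_apt_version() {
  case "$1" in
    stretch) echo "1.4.9" ;;
    cosmic)  echo "1.7.0ubuntu0.1" ;;
    bionic)  echo "1.6.6ubuntu0.1" ;;   # also Mint 19
    xenial)  echo "1.2.29ubuntu0.1" ;;  # also Mint 18
    trusty)  echo "1.0.1ubuntu2.19" ;;
    *)       return 1 ;;
  esac
}

# Debian version ordering: prefer dpkg's comparator, fall back to GNU sort -V
# (adequate for the plain versions in the table, not for "~" pre-release suffixes).
version_ge() {
  if command -v dpkg >/dev/null 2>&1; then
    dpkg --compare-versions "$1" ge "$2"
  else
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
  fi
}

# apt_is_fixed <codename> <installed-apt-version>: 0 = fixed, 1 = vulnerable, 2 = unknown release
apt_is_fixed() {
  fixed=$(fixed_apt_version "$1") || return 2
  version_ge "$2" "$fixed"
}

# Mint sets UBUNTU_CODENAME to its Ubuntu base release, so prefer that over the Mint codename.
release_codename() {
  if [ -r /etc/os-release ]; then
    . /etc/os-release
  fi
  echo "${UBUNTU_CODENAME:-${VERSION_CODENAME:-$(lsb_release -sc 2>/dev/null)}}"
}

# First line of `apt -v` looks like "apt 1.6.6ubuntu0.1 (amd64)"; the version is field 2.
installed_apt_version() {
  apt -v 2>/dev/null | awk 'NR == 1 { print $2 }'
}

main() {
  codename=$(release_codename)
  version=$(installed_apt_version)
  [ -n "$version" ] || { echo "apt not found"; return 2; }
  if apt_is_fixed "$codename" "$version"; then rc=0; else rc=$?; fi
  case $rc in
    0) echo "apt $version on $codename is fixed" ;;
    1) echo "apt $version on $codename is VULNERABLE; update with redirects disabled:"
       echo "  sudo apt -o Acquire::http::AllowRedirect=false update"
       echo "  sudo apt -o Acquire::http::AllowRedirect=false upgrade"
       return 1 ;;
    *) echo "no fixed version known here for release '$codename'; check your distribution's advisory"
       return 2 ;;
  esac
}

# Only run the check when invoked as "sh check-apt.sh check", so the functions
# can also be sourced and tested on their own.
[ "${1:-}" = "check" ] && main
```

The comparison has to use Debian version semantics, not a plain string compare: “1.6.6ubuntu0.1” is newer than “1.6.6” and older than “1.6.7”, which is why the script defers to dpkg --compare-versions whenever it is available.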


Using 4096 bit PGP keys with Protonmail

While on the subject of Protonmail and PGP keys: you should upgrade your Protonmail PGP keys. The default key size at Protonmail is 2048 bits, which is adequate today but may not stay that way for many more years. Many current guides recommend 4096-bit RSA keys, which give a wider safety margin at the cost of slightly larger signatures and slower operations.

Most importantly, make the change before you distribute your public key widely, because correspondents keep the key you gave them and will keep encrypting to it.

To see your current keys and upgrade them if necessary, go to Settings, then Keys. The middle column shows the key type and size.

If yours is not 4096-bit, click “Add New Key”. Then select which email address is getting the new key. On the next screen, select “Highest security (4096-bit)” and click “Generate”. Enter your login password (the first password you enter when logging in to Protonmail). After a minute, your new key will show on the web page.

Now we need to make the new 4096-bit key your primary key. Under the Actions column, next to your new 4096-bit key, click the down arrow (∨) next to Export. Select “Make Primary”. Leave the old 2048-bit key active so that mail from correspondents who still have the old key can be decrypted.

Your Protonmail is now more secure. If you have multiple addresses on your account, you may want to upgrade them too.
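Before you attach the new key to your mail, it is worth confirming from outside the web interface that the exported file really carries a 4096-bit RSA primary key. The following shell script is an added example, not from the original post or from Protonmail: it lists the primary keys in an exported key file with GnuPG (2.1 or later is assumed, for the show-only import option), parses the machine-readable colon output, and fails if any primary key is smaller than 4096 bits or not RSA. The file name and script name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: inspect a public key exported from
# Protonmail (Settings > Keys > Export) and confirm it really is RSA 4096 before you
# attach it to your mail.  Assumes GnuPG 2.1 or later ("--import-options show-only"
# lists a key file without importing it); the file name is whatever you exported.

# GnuPG's numeric public-key algorithm ids (field 4 of a --with-colons "pub" record).
algo_name() {
  case "$1" in
    1)  echo RSA ;;
    17) echo DSA ;;
    18) echo ECDH ;;
    19) echo ECDSA ;;
    22) echo EdDSA ;;
    *)  echo "algo-$1" ;;
  esac
}

# Read --with-colons records on stdin and print one line per primary key:
#   <algorithm id> <bits> <fingerprint>
# Field 3 of "pub" is the key length and field 4 the algorithm id; the "fpr" record
# that follows carries the full fingerprint in field 10.  Subkeys ("sub") are ignored.
summarize_pub_keys() {
  awk -F: '
    $1 == "pub" { algo = $4; bits = $3; want = 1; next }
    $1 == "fpr" && want { print algo, bits, $10; want = 0 }
  '
}

# Exit 0 only if every summarized primary key on stdin is RSA with at least $1 bits (default 4096).
all_rsa_at_least() {
  awk -v min="${1:-4096}" '
    $1 != 1 || $2 + 0 < min { bad = 1 }
    END { exit bad ? 1 : 0 }
  '
}

# List the primary keys in an exported key file without touching your keyring.
summarize_key_file() {
  gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
    | summarize_pub_keys
}

main() {
  summary=$(summarize_key_file "$1")
  [ -n "$summary" ] || { echo "no OpenPGP public key found in $1"; return 2; }
  printf '%s\n' "$summary" | while read -r algo bits fpr; do
    echo "$(algo_name "$algo") $bits $fpr"
  done
  if printf '%s\n' "$summary" | all_rsa_at_least 4096; then
    echo "OK: every primary key is RSA with at least 4096 bits"
  else
    echo "WARNING: a primary key is smaller than 4096 bits or not RSA; generate a 4096-bit key and make it primary"
    return 1
  fi
}

# Usage: sh check-pgp-key.sh publickey.asc
[ -n "${1:-}" ] && main "$1"
```

The printed fingerprint is the same one Protonmail shows in the Keys settings and the one a correspondent sees when they trust your key, so you can compare the two before sharing.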

True End to End Encryption with Protonmail

Protonmail is great. I’ve been using the service for a few years and am quite satisfied with its usability and security. Protonmail encrypts my email at rest so the email admin can’t see my mail, and encrypts email sent to any other Protonmail user.

However, by default, Protonmail does not encrypt mail you send to other email services, nor does it decrypt PGP-encrypted mail arriving from outside until you set it up.

I discovered today that it’s not difficult to set up Protonmail to work like Thunderbird with Enigmail, using PGP encryption across the board for true end-to-end encryption to anyone, regardless of who they use for email. For this discussion, I’ll assume you’re familiar with PGP encryption of email and what public and private keys are. If not, read this.

You can send your Protonmail public key to anyone using a drop down menu when creating an email message. Click on the drop down menu and make sure the “Attach Public Key” option is activated. Then click send and your public key will be attached.

You can also set Protonmail to always send your public key. Go to Settings, then Security and scroll down to External PGP Settings. Enable ‘Sign external messages’ so recipients can detect tampering with your emails. Enable ‘Automatically attach public key’ to send your public key with every message you send from Protonmail.


Now external email users who have your public key can send you encrypted emails, and Protonmail will decrypt them automatically.

When someone sends you their public key, Protonmail should recognize an attached key and ask if you want to trust it. Click Trust Key to add the key to your account.

Protonmail will display the fingerprint of the key and ask if you want to always use the key to encrypt email to this address. Turn ‘Use for encryption’ to on. Now when you send emails to this user, your emails will be encrypted even after leaving Protonmail’s system. The knowledge base article on PGP details how you can import keys into Protonmail.

The Lock icon next to the From address will show you the encryption status. Gray for plain emails, green for encrypted emails.

Now your emails are encrypted to and from non-Protonmail users. Keep in mind that OpenPGP protects only the message body and attachments: the subject line, sender and recipient addresses remain readable by every mail server along the way. Once you set it up, it works on the Android and Apple iOS apps.

Learn more at Protonmail’s help page on PGP.

WARNING – Check your Protonmail key size. You should be using 4096-bit PGP keys. Read my post about upgrading your key size before sharing your key with everyone.




Book Review – COMSEC

ComSec: Off-The-Grid Communication Strategies for Privacy Enthusiasts, Journalists, Politicians, Crooks, and the Average Joe

By Justin Carroll & Drew M

Justin Carroll is the co-host of one of my favorite privacy podcasts, The Complete Privacy & Security Podcast. That podcast, their websites, and various books they have authored cover the full spectrum of security and privacy issues, so when I saw Justin had a new book out for communication security, I ordered it immediately.

The book is a good tutorial on implementing a secure, portable communications device, i.e. a phone. They explain the privacy issues with carrying and using modern smartphones, specifically how they are always tracking you. They compare the issues on Android and iPhone and cover the technologies you should use to protect against them.

The focus of the book is on implementing a strategy of privately procuring an iPhone and setting up private communications:

  • Pay cash for an iPhone away from home
  • Get prepaid cell service
  • Never use the cell number on the phone
  • Get VoIP Phone service
  • Add secure chat services like Wire (my fav)
  • Compartmentalize numbers and chat accounts

They also address using an iPod Touch instead of an iPhone and the issues that they experienced testing that route.

One issue I wish they covered more in the book is defining your threat model. Determining your threat model helps you understand how far you should take the privacy steps. Driving 2 hours to a Wal-Mart in the next state to purchase an iPod with cash might be too extreme, unless your threat model says you need that level. They covered threat modeling in their podcast episode #079.

I had hoped the book covered more COMSEC strategies and platforms, the title made me think it would have. At 100 pages the book is a little thin for the topic, but they do a good job explaining one of the most discussed topics on their blog, how to setup a private phone.

Overall, I recommend the book, but understand it’s not as broad as its title suggests.

NOTE: The book links to Amazon are affiliate links.

Credit Freezes – Now Free

Get ’em while they’re hot!

This summer, Congress passed a bill requiring the credit bureaus to provide credit freezes for free. If you don’t have your credit frozen yet, now is the time. A credit freeze is a lock on your credit file that stops lenders from pulling your report, which prevents new credit from being opened in your name. It does not stop fraud on accounts you already have, so keep watching those. If your file is frozen and you want to apply for new credit, you contact the bureau (online or by phone) and provide your PIN to lift the freeze, temporarily if you like. Previously, a freeze could cost you up to $10 at each bureau, but because of the big Equifax breach last year, Congress made them free. Visit the links below, fill out your information and secure your credit history.

  • Experian – Main Phone 1 888 EXPERIAN
  • Equifax – Phone 800-685-1111 or 888-298-0045
  • TransUnion – Main Phone 800-680-7289

I just did my freezes (I was too cheap before). Experian couldn’t verify my info, so they asked me to mail in a request. Equifax wanted me to create an account, but that failed. I was using a VPN (with a US-East exit point) and my account. I called and they froze my account, so calling might be the best and more private option. I’ll follow up if they don’t allow email. TransUnion didn’t have a phone number published for freezes, but they do have an ‘app’ (groan). I was able to create an account with VPN and a 33mail email.

PIA VPN Linux Client

Private Internet Access (PIA) has a nice Linux VPN client. I’ve been using it for the past month and like the way it works on Linux. Much easier than using OpenVPN scripts.

The client puts an icon in the menu bar that lets me know the status quickly. Red for off, orange for connecting, and green for protected.

[Screenshot from 2018-08-28 09-21-36: the client’s status icon]

The client stores your username and password and connects automatically at startup. It also has a VPN kill switch and a few other features, including IPv6 leak protection: a plain OpenVPN setup tunnels only IPv4 by default, so on a network with IPv6 your real IPv6 address can leak unless IPv6 is disabled or blocked.


[Screenshot from 2018-08-28 09-28-41: the client’s settings]

One feature I like is the ability to choose the port the VPN connects on. Many free Wi-Fi networks block VPNs, but usually only by blocking the standard OpenVPN port, 1194. Connecting on an alternative port the network has to leave open (53 for DNS, 8080 for web proxies) gets around a simple port filter, though not a network that inspects the traffic itself. The PIA client lets you choose auto or:

  • 1194-OpenVPN
  • 8080-Web alternative
  • 9201-WAP session
  • 53-DNS

They also take bitcoin for payment. Overall, I’m happy with the service.

If you’d like to try them, please use my affiliate link to sign up.


Passwords are like underwear

The folks over at Private Internet Access (a VPN provider) have a great blog post about passwords that I completely agree with: longer is better, and forced complexity rules matter far less than length. But most importantly, passwords are like underwear.


Read the full post here, but to summarize:

  • 8-character passwords, even with upper, lower, numbers and punctuation, can be cracked in about 5.5 hours
  • A 20-character password would take about 9 billion years to crack
  • Use a password manager (I use KeePassXC & recommend LastPass)

Those times assume an offline attack against a fast hash, where GPU rigs try billions of guesses per second; a slow, salted hash such as bcrypt or Argon2 stretches them by orders of magnitude, but length is still the lever you control.


Obligatory XKCD comic