Gnus development mailing list
* Guns and Privacy : sample use case/tutorial effort
@ 2011-02-01  8:33 Richard Riley
  2011-02-01 10:11 ` Lars Ingebrigtsen
                   ` (3 more replies)
  0 siblings, 4 replies; 10+ messages in thread
From: Richard Riley @ 2011-02-01  8:33 UTC (permalink / raw)
  To: nognus


Would some variation of this be potentially useful in the gnus manual?
This crops up a lot in the #emacs irc channel and I have had a few
emails about it too. I will gladly tweak/tidy as appropriate if you feel
it has a place - very first draft and in need of polish. Having
searched, I don't *think* there is such a howto in the gnus manual
... and email is where it's particularly relevant, especially with
account validation information, so I kind of feel it could be beneficial
to have a gnus specific section. That said, I never cease to be amazed at
my own inability to find things in the gnus manual so apologies if this
is already adequately covered.. First long winded draft ..

Securing Your Gnus Information

Possibly you wish your gnus email/nntp access configuration to remain
"secretive". This can be a problem when it's more and more popular to use
online repos for inter machine sync (e.g. using github to hold your emacs
config files). It can be easy to accidentally open the repo or make a
mistake with the file permissions. Or you might even lose your laptop!
Emacs integration with EPA/GnuPG makes securing this a doddle. The more
traditional .authinfo file used to mean storing your password in
plaintext: something many people don't like to do.  One option is to
merely resave the .authinfo as .authinfo.gpg. Emacs/GnuPG will prompt
you for a signing key and away you go. epa/epg usage is covered
elsewhere in the emacs manual. Don't forget to remove the original
.authinfo. Configure your auth-sources and Emacs will detect the .gpg
as a default if it exists. The usage and format of authinfo is discussed
in the emacs/gnus manuals. My setting is

,----
| (setq auth-sources (quote ((:source "/home/me/.emacs.d/.authinfo.gpg"
|                             :host t :protocol t))))
`----

We can extend this to storing the more secretive part of your Gnus
online life (and any other emacs subset) in a .gpg file.

Let's create a file "my-config.gpg". Line 1 tells emacs which key to use
and that it contains elisp :-

,----
| ;; -*- mode: emacs-lisp; epa-file-encrypt-to: ("86E37324********") -*-
`----

In it you can store private information such as your ERC password and gnus posting styles maybe:-

,----
| (setq erc-password "123456")
| 
| ;; Default style: the empty alternative in the regexp matches every group.
| (add-to-list 'gnus-posting-styles `(,(rx (or "INBOX.trolling" ""))
|                                     (from "Tommy <tommy@trollsrus.net>")
|                                     (name "Tommy Troll")) t)
| 
| ;; Style for groups matching "serious"; appended so it overrides the default.
| (add-to-list 'gnus-posting-styles `(,(rx (or "serious"))
|                                     (name "Serious")
|                                     (address "serious@xxx-yyy-zzz-.com")
|                                     (from "Simon Serious <serious@xxx-yyy-zzz-.com>")
|                                     (eval (setq mml2015-signers '("12349876")))
|                                     (organization "http://www.gnus.com")
|                                     (signature-file "~/.emacs.d/.sigs/serious.sig")) t)
| (provide 'my-config)
`----

The loading of this file would cause emacs or the system to prompt you
for a password to decrypt the file if the agent (gpg-agent) or emacs
hasn't already cached the password for that key. This prompt can be an
issue if you're using the emacs daemon, especially if starting the
process at system login. When to prompt? One nice way is to only load
the gpg file when you create an emacs frame. e.g.

,----
| (defun load-secure-config (_frame)
|   "Load the encrypted private config once a frame exists to prompt in."
|   (require 'my-config "my-config.gpg"))
| 
| (add-hook 'after-make-frame-functions 'load-secure-config)
`----

Here we see that the private configuration information is only loaded and
decrypted when you actually bring up an emacs frame - generally that
would be sufficient in the case of gnus.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Guns and Privacy : sample use case/tutorial effort
  2011-02-01  8:33 Guns and Privacy : sample use case/tutorial effort Richard Riley
@ 2011-02-01 10:11 ` Lars Ingebrigtsen
  2011-02-01 11:51 ` Philipp Haselwarter
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 10+ messages in thread
From: Lars Ingebrigtsen @ 2011-02-01 10:11 UTC (permalink / raw)
  To: ding

Richard Riley <rileyrg@googlemail.com> writes:

> Would some variation of this be potentially useful in the gnus manual?

It seems useful, but it might be more natural to put that on the Emacs
Wiki than in the Gnus manual.

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen

* Re: Guns and Privacy : sample use case/tutorial effort
  2011-02-01  8:33 Guns and Privacy : sample use case/tutorial effort Richard Riley
  2011-02-01 10:11 ` Lars Ingebrigtsen
@ 2011-02-01 11:51 ` Philipp Haselwarter
  2011-02-01 12:20   ` Richard Riley
  2011-02-02  9:06 ` Francis Moreau
  2011-02-03 21:33 ` Ted Zlatanov
  3 siblings, 1 reply; 10+ messages in thread
From: Philipp Haselwarter @ 2011-02-01 11:51 UTC (permalink / raw)
  To: ding

Richard Riley <rileyrg@googlemail.com> writes:

---8<---[snipped 61 lines]---8<---
>
> The loading of this file would cause emacs or the system to prompt you
> for a password to decrypt the file if the agent (gpg-agent) or emacs
> hasn't already cached the password for that key. This prompt can be an
> issue if you're using the emacs daemon, especially if starting the
> process at system login. When to prompt? One nice way is to only load
> the gpg file when you create an emacs frame. e.g.
>
> ,----
> |    (defun load-secure-config(frame)
> |      (require 'my-config "my-config.gpg"))
> | 
> |    (add-hook 'after-make-frame-functions 'load-secure-config)
> `----
>
> Here we see that the private configuration information is only loaded and
> decrypted when you actually bring up an emacs frame - generally that
> would be sufficient in the case of gnus.

Just wondering, how does this prevent emacs from prompting when there's
no frame?

I used to start emacs-daemon on system start, and ran into this problem,
but that was in conjunction with desktop.el. Opening PDFs asks if you
want to show the converted text if you don't have a display, so I
banned them too.

;; Keep desktop.el from restoring (and prompting for) these files at startup.
(setq desktop-files-not-to-save
      (concat "newsrc-dribble$\\|\\.pdf$\\|\\.gpg\\>"
              (if (boundp 'desktop-files-not-to-save)
                  (concat "\\|" desktop-files-not-to-save) "")))


-- 
Philipp Haselwarter

* Re: Guns and Privacy : sample use case/tutorial effort
  2011-02-01 11:51 ` Philipp Haselwarter
@ 2011-02-01 12:20   ` Richard Riley
  2011-02-01 12:42     ` Philipp Haselwarter
  0 siblings, 1 reply; 10+ messages in thread
From: Richard Riley @ 2011-02-01 12:20 UTC (permalink / raw)
  To: Philipp Haselwarter; +Cc: ding

Philipp Haselwarter <philipp.haselwarter@gmx.de> writes:

> Richard Riley <rileyrg@googlemail.com> writes:
>
> ---8<---[snipped 61 lines]---8<---
>>
>> The loading of this file would cause emacs or the system to prompt you
>> for a password to decrypt the file if the agent (gpg-agent) or emacs
>> hasn't already cached the password for that key. This prompt can be an
>> issue if you're using the emacs daemon, especially if starting the
>> process at system login. When to prompt? One nice way is to only load
>> the gpg file when you create an emacs frame. e.g.
>>
>> ,----
>> |    (defun load-secure-config(frame)
>> |      (require 'my-config "my-config.gpg"))
>> | 
>> |    (add-hook 'after-make-frame-functions 'load-secure-config)
>> `----
>>
>> Here we see that the private configuration information is only loaded and
>> decrypted when you actually bring up an emacs frame - generally that
>> would be sufficient in the case of gnus.
>
> Just wondering, how does this prevent emacs from prompting when there's
> no frame?

This is aimed at the initial load: it only loads after the initial
frame. It then assumes that the password is cached. Clearly if the
password is then needed again (cache expiry) in something involving gnus
then there is generally a frame available anyway.

>
> I used to start emacs-daemon on system start, and ran into this problem,
> but that was in conjunction with desktop.el. Opening pdf's asks if you


I stopped using desktop.el for related reasons.

* Re: Guns and Privacy : sample use case/tutorial effort
  2011-02-01 12:20   ` Richard Riley
@ 2011-02-01 12:42     ` Philipp Haselwarter
  2011-02-01 12:53       ` Richard Riley
  0 siblings, 1 reply; 10+ messages in thread
From: Philipp Haselwarter @ 2011-02-01 12:42 UTC (permalink / raw)
  To: ding

Richard Riley <rileyrg@googlemail.com> writes:

> Philipp Haselwarter <philipp.haselwarter@gmx.de> writes:
>
>> Richard Riley <rileyrg@googlemail.com> writes:
>>
>> ---8<---[snipped 61 lines]---8<---
>>>
>>> The loading of this file would cause emacs or the system to prompt you
>>> for a password to decrypt the file if the agent (gpg-agent) or emacs
>>> hasn't already cached the password for that key. This prompt can be an
>>> issue if you're using the emacs daemon, especially if starting the
>>> process at system login. When to prompt? One nice way is to only load
>>> the gpg file when you create an emacs frame. e.g.
>>>
>>> ,----
>>> |    (defun load-secure-config(frame)
>>> |      (require 'my-config "my-config.gpg"))
>>> | 
>>> |    (add-hook 'after-make-frame-functions 'load-secure-config)
>>> `----
>>>
>>> Here we see that the private configuration information is only loaded and
>>> decrypted when you actually bring up an emacs frame - generally that
>>> would be sufficient in the case of gnus.
>>
>> Just wondering, how does this prevent emacs from prompting when there's
>> no frame?
>
> This is aimed at the initial load: it only loads after the initial
> frame. It then assumes that the password is cached. Clearly if the
> password is then needed again (cache expiry) in something involving gnus
> then there is generally a frame available anyway.
>

But this opens the encrypted file for any emacs instance that creates a
frame, even if you don't want to use gnus at all. Which is not very much
in the spirit of securing your personal data.

>>
>> I used to start emacs-daemon on system start, and ran into this problem,
>> but that was in conjunction with desktop.el. Opening pdf's asks if you
>
>
> I stopped using desktop.el for related reasons.
>
I just use `emacsclient -a="" -nw' (aliased) as editor now; this prevents
starting emacs unnecessarily (okay, I rarely don't have emacs open) and
is Really Simple to set up. No problems since.

Another desktop.el-related PITA is when files that have auto-save data
around are restored (user gets queried too), haven't found a way around
that yet..


-- 
Philipp Haselwarter

* Re: Guns and Privacy : sample use case/tutorial effort
  2011-02-01 12:42     ` Philipp Haselwarter
@ 2011-02-01 12:53       ` Richard Riley
  2011-02-01 13:23         ` Philipp Haselwarter
  0 siblings, 1 reply; 10+ messages in thread
From: Richard Riley @ 2011-02-01 12:53 UTC (permalink / raw)
  To: Philipp Haselwarter; +Cc: ding

Philipp Haselwarter <philipp.haselwarter@gmx.de> writes:

> Richard Riley <rileyrg@googlemail.com> writes:
>
>> Philipp Haselwarter <philipp.haselwarter@gmx.de> writes:
>>
>>> Richard Riley <rileyrg@googlemail.com> writes:
>>>
>>> ---8<---[snipped 61 lines]---8<---
>>>>
>>>> The loading of this file would cause emacs or the system to prompt you
>>>> for a password to decrypt the file if the agent (gpg-agent) or emacs
>>>> hasn't already cached the password for that key. This prompt can be an
>>>> issue if you're using the emacs daemon, especially if starting the
>>>> process at system login. When to prompt? One nice way is to only load
>>>> the gpg file when you create an emacs frame. e.g.
>>>>
>>>> ,----
>>>> |    (defun load-secure-config(frame)
>>>> |      (require 'my-config "my-config.gpg"))
>>>> | 
>>>> |    (add-hook 'after-make-frame-functions 'load-secure-config)
>>>> `----
>>>>
>>>> Here we see that the private configuration information is only loaded and
>>>> decrypted when you actually bring up an emacs frame - generally that
>>>> would be sufficient in the case of gnus.
>>>
>>> Just wondering, how does this prevent emacs from prompting when there's
>>> no frame?
>>
>> This is aimed at the initial load: it only loads after the initial
>> frame. It then assumes that the password is cached. Clearly if the
>> password is then needed again (cache expiry) in something involving gnus
>> then there is generally a frame available anyway.
>>
>
> But this opens the encrypted file for any emacs instance that creates a
> frame, even if you don't want to use gnus at all. Which is not very much
> in the spirit of securing your personal data.

Clearly if you don't want to load it earlier then you do this on a more
limited hook, some sort of "gnus start hook" or some such.

This is not just for Gnus, hence I included an erc-password example. I
will clarify that (but I'm not a big fan of the emacs wiki approach
tbh). My .gpg file contains sensitive passwords for other apps and, in
addition, org data too.

I don't feel it's much of a security leak opening it earlier rather than
later when used in conjunction with the gpg-agent. The file is still a
gpg encrypted file. But yes, someone could open it in emacs and save it
as plain text in that session at that keyboard.

>
>>>
>>> I used to start emacs-daemon on system start, and ran into this problem,
>>> but that was in conjunction with desktop.el. Opening pdf's asks if you
>>
>>
>> I stopped using desktop.el for related reasons.
>>
> I just use `emacsclient -a="" -nw' (aliased) as editor now; this prevents
> starting emacs unnecessarily (okay, I rarely don't have emacs open) and
> is Really Simple to set up. No problems since.

I use this set up but in conjunction with an xmonad scratchpad toggle. I
documented the technique yonks ago when the daemon start methods
improved:-

http://splash-of-open-sauce.blogspot.com/2010/10/emacs-23-emacs-daemon-and-emacsclient_7756.html

The daemon is pretty damn cool ;)

I also used -nw for a while but it clashed with function keys and what
have you too often, so I reverted back to the gtk version. termcap beats Gnus
splitting for making my brain melt.

>
> Another desktop.el-related PITA is when files that have auto-save data
> around are restored (user gets queried too), haven't found a way around
> that yet..

-- 
☘ http://www.shamrockirishbar.com, http://splash-of-open-sauce.blogspot.com/ http://www.richardriley.net

* Re: Guns and Privacy : sample use case/tutorial effort
  2011-02-01 12:53       ` Richard Riley
@ 2011-02-01 13:23         ` Philipp Haselwarter
  2011-02-01 13:30           ` Richard Riley
  0 siblings, 1 reply; 10+ messages in thread
From: Philipp Haselwarter @ 2011-02-01 13:23 UTC (permalink / raw)
  To: ding

Richard Riley <rileyrg@googlemail.com> writes:

---8<---[snipped 43 lines]---8<---
>
> This is not just for Gnus, hence I included an erc-password example. I
> will clarify that (but I'm not a big fan of the emacs wiki approach
> tbh). My .gpg file contains sensitive passwords for other apps and, in
> addition, org data too.
>
I don't like setq's in my .authinfo, it contradicts the whole
not-storing-plaintext-passwords-in-variables idea.
Somewhat unrelated; someone might find this useful:

--8<---------------cut here---------------start------------->8---
(defadvice erc-nickserv-call-identify-function (around advice-erc-temp-authinfo activate)
  "load irc server data from `authinfo' for authentication only, then forget it."
  ;; (message "pws: %S" erc-nickserv-passwords)
  (let* ((nick (car (ad-get-args 0)))
         (srv (erc-network))
         (erc-nickserv-passwords
          (list
           (list srv
                 (list (cons nick
                             (auth-source-user-or-password "password"
                                                           (symbol-name srv) 'irc nick t)))))))
    ad-do-it))
--8<---------------cut here---------------end--------------->8---

Then you can simply put your user name into your regular config and the
password in the encrypted authinfo.

--8<---------------cut here---------------start------------->8---
(setq erc-nickserv-passwords '((freenode (("jdoe" . nil))))
      erc-nick "jdoe")
--8<---------------cut here---------------end--------------->8---

Similar hack for jabber.el:
http://pastebin.com/2ykAfSMM


---8<---[snipped 13 lines]---8<---
>> I just use `emacsclient -a="" -nw' (aliased) as editor now; this prevents
>> starting emacs unnecessarily (okay, I rarely don't have emacs open) and
>> is Really Simple to set up. No problems since.
>
> I use this set up but in conjunction with an xmonad scratchpad toggle. I
> documented the technique yonks ago when the daemon start methods
> improved:-
>
> http://splash-of-open-sauce.blogspot.com/2010/10/emacs-23-emacs-daemon-and-emacsclient_7756.html
>
> The daemon is pretty damn cool ;)

Definitely!
---8<---[snipped 9 lines]---8<---

cheers,

-- 
Philipp Haselwarter

* Re: Guns and Privacy : sample use case/tutorial effort
  2011-02-01 13:23         ` Philipp Haselwarter
@ 2011-02-01 13:30           ` Richard Riley
  0 siblings, 0 replies; 10+ messages in thread
From: Richard Riley @ 2011-02-01 13:30 UTC (permalink / raw)
  To: Philipp Haselwarter; +Cc: ding

Philipp Haselwarter <philipp.haselwarter@gmx.de> writes:

> Richard Riley <rileyrg@googlemail.com> writes:
>
> ---8<---[snipped 43 lines]---8<---
>>
>> This is not just for Gnus, hence I included an erc-password example. I
>> will clarify that (but I'm not a big fan of the emacs wiki approach
>> tbh). My .gpg file contains sensitive passwords for other apps and, in
>> addition, org data too.
>>
> I don't like setq's in my .authinfo, it contradicts the whole
> not-storing-plaintext-passwords-in-variables idea.
> Somewhat unrelated; someone might find this useful:

>


You have kind of lost me.

This isn't a .authinfo.

It's a gpg customisation file containing private information about
passwords etc and is why epa/epg exists.


* Re: Guns and Privacy : sample use case/tutorial effort
  2011-02-01  8:33 Guns and Privacy : sample use case/tutorial effort Richard Riley
  2011-02-01 10:11 ` Lars Ingebrigtsen
  2011-02-01 11:51 ` Philipp Haselwarter
@ 2011-02-02  9:06 ` Francis Moreau
  2011-02-03 21:33 ` Ted Zlatanov
  3 siblings, 0 replies; 10+ messages in thread
From: Francis Moreau @ 2011-02-02  9:06 UTC (permalink / raw)
  To: Richard Riley; +Cc: nognus

Richard Riley <rileyrg@googlemail.com> writes:

> Would some variation of this be potentially useful in the gnus manual?

Definitely yes!

I didn't have time to read this entirely but this was one open point in
my config that I need to fix.

I don't know if that belongs to emacs or gnus documentation but I would
expect at least a pointer in the gnus documentation to this. Maybe put
this pointer in a 'Privacy' section.

Will definitely try.

Thanks
-- 
Francis

* Re: Guns and Privacy : sample use case/tutorial effort
  2011-02-01  8:33 Guns and Privacy : sample use case/tutorial effort Richard Riley
                   ` (2 preceding siblings ...)
  2011-02-02  9:06 ` Francis Moreau
@ 2011-02-03 21:33 ` Ted Zlatanov
  3 siblings, 0 replies; 10+ messages in thread
From: Ted Zlatanov @ 2011-02-03 21:33 UTC (permalink / raw)
  To: ding

On Tue, 01 Feb 2011 09:33:23 +0100 Richard Riley <rileyrg@googlemail.com> wrote: 

RR> Would some variation of this be potentially useful in the gnus manual?

I don't think so.  Using EPA and EPG is IMO in the scope of the Emacs
Wiki or the EPA/EPG manuals.

In addition, the code is usually not a secret.  The passwords and other
authentication tokens are.  So I think it's better to keep the passwords
in the .authinfo.gpg file (as (info "auth") suggests) than to encrypt
the source code so it can't be versioned or shared.  This is my opinion,
of course, and I'm sure many feel differently.

RR> One option is to merely resave the .authinfo as
RR> .authinfo.gpg. Emacs/GnuPG will prompt you for a signing key and
RR> away you go. epa/epg usage is covered elsewhere in the emacs
RR> manual. Don't forget to remove the original .authinfo. Configure
RR> your auth-sources and Emacs will detect the .gpg as a default if it
RR> exists. The usage and format of authinfo is discussed in the
RR> emacs/gnus manuals.

This is not the case since I wrote the (info "auth") manual for
auth-source.el.  It should be widely available with Emacs 24.

On Tue, 01 Feb 2011 14:23:36 +0100 Philipp Haselwarter <philipp.haselwarter@gmx.de> wrote: 

PH> Somewhat unrelated; someone might find this useful:
PH> (defadvice erc-nickserv-call-identify-function (around advice-erc-temp-authinfo activate)
PH>   "load irc server data from `authinfo' for authentication only, then forget it."
PH>   ;; (message "pws: %S" erc-nickserv-passwords)
PH>   (let* ((nick (car (ad-get-args 0)))
PH>          (srv (erc-network))
PH>          (erc-nickserv-passwords
PH>           (list
PH>            (list srv
PH>                  (list (cons nick
PH>                              (auth-source-user-or-password "password"
PH>                                                            (symbol-name srv) 'irc nick t)))))))
PH>     ad-do-it))

PH> Then you can simply put your user name into your regular config and the
PH> password in the encrypted authinfo.
PH> (setq erc-nickserv-passwords '((freenode (("jdoe" . nil))))
PH>       erc-nick "jdoe")

PH> Similar hack for jabber.el:
PH> http://pastebin.com/2ykAfSMM

It would be better to add auth-source support to ERC and jabber.el
directly.  It's pretty easy to do.  I am rewriting auth-source.el[1] and
while the old `auth-source-user-or-password' API will still work, the
new `auth-source-search' API is much more flexible so I will be pushing
packages within Emacs and externally to adopt it.

Ted

[1] ETA this weekend
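Pulling the thread's three points together (Richard's erc-password line, Philipp's dislike of passwords living in setq'd variables, and Ted's recommendation of the auth-source-search API), here is an added example, not code from the thread or from Emacs itself, that keeps the init file plain and versionable and fetches each secret from the encrypted ~/.authinfo.gpg only at the moment a connection needs it. The host, nick and port are made-up values, and the last form assumes a my-config.gpg on load-path.

```elisp
;;; Added example (not code from the thread or from Emacs): the elisp
;;; stays in a plain, versionable init file, every secret stays in the
;;; encrypted ~/.authinfo.gpg, and nothing is decrypted until the
;;; connection that needs it is made.
(require 'auth-source)
(require 'erc)

;; Consult only the encrypted file.
(setq auth-sources '("~/.authinfo.gpg"))

(defun my-auth-secret (host user port)
  "Return the password for USER at HOST and PORT from `auth-sources', or nil.
The lookup runs at call time, so the secret never sits in a global
variable where `describe-variable' or a saved desktop could reveal it."
  (let* ((entry (car (auth-source-search :host host :user user :port port
                                         :max 1 :require '(:secret))))
         (secret (plist-get entry :secret)))
    ;; The netrc backend hands back a closure rather than the string.
    (if (functionp secret) (funcall secret) secret)))

;; Assumed ~/.authinfo.gpg line (host and nick are made up):
;;   machine irc.example.net login jdoe port 6697 password <secret>
(defun my-erc-connect ()
  "Connect to irc.example.net over TLS, fetching the password on demand."
  (interactive)
  (let ((secret (my-auth-secret "irc.example.net" "jdoe" "6697")))
    (unless secret
      (user-error "No auth-source entry for jdoe@irc.example.net:6697"))
    ;; The string goes straight to erc-tls and is not stored anywhere else.
    (erc-tls :server "irc.example.net" :port 6697
             :nick "jdoe" :password secret)))

;; Anything that really must live in an encrypted my-config.gpg (private
;; posting styles, say) is better loaded from Gnus's own start hook than
;; on every frame creation; this assumes my-config.gpg is on `load-path'.
(add-hook 'gnus-started-hook
          (lambda () (require 'my-config "my-config.gpg")))
```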