How to Encrypt and Share Items on Google Drive

This tutorial is based on Windows 7 and GPG4Win, but the basic idea can be translated to any operating system and GPG Key Manager. The goal is to be able to encrypt the contents of your Google Drive. There are numerous ways to do this. For example, you could make a Truecrypt volume, but syncing this would be a nightmare. You could also use Visual Subst ) to map a Windows drive, then use TrueCrypt, but you'd still have the syncing issue.

 So, we're going to use GPG. GPG is the "free" version of PGP, and it's just as good. You can get more info here. GPG is a public key encryption system. Basically the way it works is users create a key pair -- one public key and one private key. The public key is published to a server where other users can access it. In order to encrypt something only viewable to you, a user would encrypt a document with your public key, and the only way to decrypt that would be with the corresponding private key (you MUST protect your private key).

A couple of caveats: 

* You will not be able to "preview" documents. You will have to download them.

* You will not be able to search encrypted documents -- but neither will Google ;) 

* You can "Backup" your private keys and sync them with your smart phone if there's GPG software available for your phone (if you trust your smart phone OS not to phone home with it). This will enable you to still read files that people share with you. I currently use an Android device, and there is no up to date free GPG software. There is a program that costs <$3, but I did not test that.

* Setup is not tedious. I've purposely tried to include as much info about setup as I could think to include, so this post looks a bit long-winded; but it took me a total of 10 minutes to download and install the software, set up and publish my keys. Once you encrypt files a couple of times before sharing them, it will just become second nature.

The first step is (obviously) to set up Google Drive. As this is not a Google Drive Setup tutorial, I'm going to assume that you've gotten that far, and have a local Google Drive folder that's syncing.

The next step is to download and install GPG4Win, located here. 

Once Installed, open GPA (if you used the defaults during install, this will be under Start -> All Programs -> GPG4Win -> GPA. Now we're going to set up our keys. Go to the "Keys" Menu and select "New key..."

You can leave the algorithm and key size set to the defaults. Enter your name and your email address, and a comment if you like. If you prefer, you can set your key to expire. In theory, this is a good idea, but it may not make sense for everyone to do this. Once the key is generated, it will show up in your Key manager shown below:

Now we have to publish our key (otherwise no one will know how to encrypt the items they wish to share):

Once you select "Send keys..." the default server is fine. A couple of seconds later, your public key is published, and folks can share and encrypt stuff that only you will be able to see (You'll need to be able to tell them your Key ID (It's in the first column in Key Manager) and server where your key is located.

So, now we've got our public key published. We're going to assume that someone you wish to share a file with has gone through something similar and has published their keys to the GPG key server. We need to download their public key into our key ring. Select the "Server" menu, and the "Retrieve keys..." Enter their Key ID, and it should be imported.

Now let's say that there's a document that we want to encrypt and share with a single person. We first need to import that file into GPA. In the Key Manager, on the top toolbar, there's an icon titled "Files." Click it, and your File Manager Window will open:

Go ahead and Click the "Open" icon and select the file you wish to encrypt and click the "Open" button:

Once the file is open, if it's the only file, it should be highlighted. If not, highlight it and click the "Encrypt" button on the toolbar. You'll be prompted with another window where you can select the public key of the person you wish to send share the file with:

Select their key, and click OK. By default, it will save the file in the same folder as the original, with the extension ".gpg" Here's what an encrypted file looks like in Notepad:

Don't worry. It didn't translate your precious document into Chinese and then send it off to China. Those characters are just the Windows way of translating extended ASCII characters.

If you want to encrypt files that only you can read at a later date, just encrypt them with your own public key (it should by default be in your keyring).

So, that's pretty much it. Again, as I said before, this isn't a Google Drive how to. I'm going to assume that you know how to upload and share documents via Google Drive. Using the built in access control that Google Drive provides (I have to safely assume that Google knows a little about access control and ensuring only the folks you select to share the document are the only ones able to actually see it), and GPG, you can safely encrypt and share documents in the "Cloud."

How is CISPA Dangerous

What's CISPA?

It's the Cyber Intelligence Sharing and Protection Act of 2011, and is technically an amendment to the National Security Act of 1947. It allows companies (ISPs) to share your information with the government for "national security purposes."

Why is it dangerous?

Numerous sources say that the wording of the bill is "painfully vague," and could allow for misuse and abuse under the guise of "cyber" security. As with SOPA and PIPA, your right to a reasonable expectation of privacy is obliterated. This bill will override any current privacy laws in place. One may argue that anything we do on the Internet is not private. While I might agree for certain things, I should have a reasonable expectation of privacy when surfing the Net. Oh, and they don't even have to tell you when there's been a request for your personal data.

I'm all for protecting our infrastructure against "cyber" (I really hate that word) attacks, but our forefathers put checks and balances in place for a reason. If you require my personal data, either I give you permission to access it, or you have just cause for a warrant, signed by a judge, to obtain it. None of this:

GOV:"Plz can we have sum dataz?"
CORP: "Sure! Herez some really juicy stuff on Joe Schmoe"
GOV: "Sweet! OMG! Look at all this cyber informashunz! You rock, CORP!"
CORP: "NP!"
GOV: "Kthxbai!"

How does it differ from SOPA?

Well, here's a link that explains a little about how it's different. Basically it boils down to CISPA being aimed at protecting against "cyber" attacks, while SOPA was aimed at protecting intellectual property. Second, it protects companies that share your data against lawsuits that one might bring against them for not protecting your private information. Lastly, the main difference is that it has the support of some of the corporations that were against SOPA, e.g. Google and Facebook.

Why are they for this bill?

Simple. It protects them from losing millions of dollars in a possible lawsuit brought against them for sharing your private information. It also takes the job of policing the Internet out of their hands as they would have had to do with SOPA -- again, saving them millions of dollars.

Want proof that our country is run by "we, the corporations" and not "we, the people?"

With the support of major corporations, and a massive protest by the people, SOPA was defeated. Without the support of major corporations, but with massive protests by the people, this bill will probably pass. Luckily, the Obama Administration is opposed to the bill in its current form, and has threatened to veto it.  Unfortunately, this bill has bipartisan support, and may be able to override a veto. It currently has 112 cosponsors, with more congress critters claiming support every day.

What the hell can I do to stop the bill from passing?

Go here to send a "TMI" Tweet to your representatives. Fun, but not really effective.

Go here to look up your congress critter and send them an email with your concerns; or call them.

Above all, if we continue to vote for the types of people who care more about corporations than they do about the people, then we deserve what we get. My email to my rep will clearly state that if he votes "yes" on this bill, he will not be getting my vote in the next election. I ask you to do the same.

Kthxbai!

How working in IT prepared me for being a dad

I've worked in IT for probably a decade. My wife and I have a 10 month old son. Looking back on the first 10 months of my son's life, and what in store for us in the future has shown me that there are a few parallels that can be drawn.

Troubleshooting:
That's what some IT folks do for a living. I've spent a few years as a sys admin, and that's what I did for a living. I like to think I was pretty good at fixing problems that sometimes seemed illogical. With computers, it's always a logical problem. It's either a "one" or a "zero." But looking at a problem, sometimes it's difficult to see the one or zero. My Bachelor's degree has nothing to do with systems administration. My degree is in Graphic Design and Computer Art -- which believe it or not has helped me see illogical solutions in logical problems. So, I like to think that I was pretty decent at troubleshooting. However, experience helps. The more you've seen, the better prepared you are to fix a problem, and you always do what you know first. Can't get to the Internet? Can't get email? Can't figure out why a server is being 'illogical?'

"Have you tried turning it off and back on again?"

Reboot. If all else fails, call in support.

How in the hell did this help prepare me for being a dad?

Baby won't stop crying. Is he hungry? Is he wet? Did he bump his head? Do what you know first. If that doesn't work, reboot the baby. It's amazing how sometimes the simplest solution is a nap. I wish I could take naps more often. I think I'd be more productive. And if that doesn't work, and you're lucky enough to have a great partner/wife/mother to your child like I do, call in support.

Knowledge:
Being a dad has also given me some insight into my life in IT. No one can fix every problem. No one knows everything. I've been fortunate enough in my profession to be a decent troubleshooter, but I do not kow everything -- far from it. I cannot fix every problem. Not every problem has an easy solution. Patience is key. There will be days when your kid wants to do nothing but be fussy, and there will be days when your servers will be 'illogical.' All you can do is what you can do. After that you're just winging it.

Security:
I've always been security-conscious as a sys admin, and my career path is moving in that direction (Master's degree expected very shortly). I think that's helped me as a father as well. Computer security is all about risk. What vulnerabilities and threats exist that create a risk to your operating environment? Essentially computer security is about risk awareness. While nothing is hack-proof (including your house and your kid), as long as you're aware of the threats to your environment, you're better off -- Remember the "unknown unknowns" comment from a past Defense Secretary?

Hack your kid? WTF!?! Sure (but don't take him apart). Hacking has gotten a bad rap lately, but hacking in its most simple form is about trying to find out how things work. Find out how he works. Find out what makes him laugh/cry/fuss/stare into oblivion. Will your kid hack you and the precautions you've put in place. Absolutely. There's nothing you can do about it. Just be aware of the threats and their associated risks.

My wife mentioned to me recently how every day she sees proof that she's a mom. She recently took our son to a party, and noticed how her priorities have shifted. When you walk into a room with a 10-month old and put him down, you evaluate the potential threats to your son, and what risks they pose. Floor-length curtains? Bad. Accessible wall outlets? Bad. Power cords? Bad. Raised floors / steps? Bad. Unsecured book shelves? Very bad. These all pose a risk to my son, but I'm secure in the knowledge that I'm aware of these risks. I've evaluated them, and I keep a close eye on him to ensure these threats do not interfere with his security.

Education:
I've also learned that whether it's about IT or about my kid, I'm going to be 'in school' for the rest of my life. If you work in IT, especially computer security, and you're not constantly learning, you will go extinct. The same goes for being a dad. You will be learning for the rest of your life, whether you like it or not. As one of my previous bosses put it, "It never gets easier. It just gets different."

Perspective:
Lastly, the most important thing my son has given me is a little perspective. I go to work. I do my job. I won't fix every problem, and that's okay. I'll go home and spend 10 minutes with my son, and completely forget about the dozens of problems I had at work, and how I wasn't able to fix them all. Someone will still not be getting email when I leave. That's okay. It's really not the end of the world.

Why McAfee is making my computer less secure...

So, my last couple of posts have been a little too political. Hopefully there's some info in this post that will come in handy, but what would really be great is if it 'learned you a little...'

Yes. I use McAfee. Yes, it's a pain in the ass. Unfortunately as of this moment in computer security, if you're using Windows (which for the moment I'm forced to), you need some sort of virus scanning software. Why McAfee? I don't know. I guess because I've had a subscription which I keep renewing rather than go out and research other products. (I'm a bit pressed for free time at the moment.)

So a couple of days ago, McAfee started to fail when trying to update definitions. Today, I finally had some time to figure out what the problem was (with a little help from McAfee tech support). The problem was that my computer was too secure to allow McAfee to update properly. Yes, you read that right. My computer was too secure to allow my security software to run properly. Well... that, plus there was an incorrect setting in my local hosts file. I'm not going to go into why I think McAfee needs to hard code IP addresses. I think that's a little ridiculous, but they may have a valid reason. Doubtful, but hey. Anything is possible.

What they don't have a valid reason for is the following options in IE "Internet Properties:"
--Disable "Check for publisher's certificate revocation."
--Disable "Check for server certificate revocation."
--Disable "Check for signatures on downloaded programs."
--Enable "Use SSL 2.0"

The most frightening one is the 3rd one, checking for signatures on downloaded programs. What's a signature? In the simplest of terms, it is a digital way of verifying that the file you're about to download (and possibly execute) comes from a trusted source. If you don't know that downloading and running programs from untrusted sources is a Bad Thing(TM), it would not at all surprise me if you've got a trojan on your computer, and you should stop doing it immediately. So...

First, don't download programs from untrusted sources. Second, if you can, keep this check enabled. At the very least, it may prompt you with an annoying warning banner. At the most, it might save you from having your computer become part of a botnet.

So, what are these certificate revocations you ask? It's simply a way of verifying you are connecting to the web site or server you think you're connecting to. Sometimes after a digital certificate has been issued to a web site or server, it must be marked as invalid, or revoked. Sometimes this is due to unforeseen errors. Sometimes it's due to the company that issued the certificate being hacked. If you are unaware that a certificate has been revoked, you may be redirected to a web site pretending to be a trusted web site, which (if you keep that "Check for signatures of downloaded programs" option disabled) may be able to install software on your computer without your knowledge. That's a Bad Thing(TM)

Lastly, we come to this SSL 2.0 thing. SSL stands for Secure Socket Layer, and it it as the heart of commerce on the Internet today. It's how you can securely log into your banking web site and transfer funds. It's how you can enter your credit card number into Amazon.com without worrying that a Bad Guy(TM) will get it and go buck wild on your dime. Well, there's different versions of SSL. SSL 2.0 is less secure than SSL 3.0. SSL uses weaker mechanisms to set up a secure connection, and is subject to what's called a man-in-the-middle attack. A man-in-the-middle attack is just how it sounds. Some Bad Guy(TM) gets between you and what you think is a trusted web site. What you don't know is that he can read and manipulate every piece of information sent to and from your computer. For the home user, this didn't used to be a big deal. But with the ubiquity of WiFi, a man-in-the-middle attack is very easy. I'll have a post coming up on some WiFi security measures (when I get some more free time).

So, McAfee, the company that I (for now, unwillingly) trust to keep me safe is in fact, making me less safe. Sure, I trust McAfee not to download Bad Things(TM) to my computer, but these settings don't affect just McAfee stuff. They affect every connection I make to any server in the world, and that's a...

Bad Thing(TM)

Sneaky Representatives

So, what is H.R. 1981? Basically it is a bill that would mandate our service providers keep track of nearly everything we do and everywhere we go online.

Who brought us this wonderful bill? It couldn't be the same jackass that brought us SOPA could it?

Wait. What? It is the same jackass? You gotta be kidding.

Nope. Not kidding.

In order to try to get something like this through Congress, the bill is titled "Protecting Children From Internet Pornographers Act of 2011." So, basically what this bill is trying to do is pit privacy against child porn, and if you're against this bill then you must be for child porn, right?

We're all against child porn, but we should also be against having our rights violated. This bill would enable the government to request your data, in secret, without any oversight.

Why can't the congress critters just write sensible bills that can stand on their merits? Write a bill that protects kids and doesn't violate our rights. Why do we continue to elect these people if they're not firing on all cylinders?

Against having your rights violated?

Go here, and write your congress person.
(For those of you in the same state as me, one of our representatives is a cosponsor of this bill.)

What the Eff is the EFF?

The EFF, or Electronic Frontier Foundation is associated by some to 'hackers' and trying to get hackers or other alleged criminals out of jail. However, they have a much more sinister motive -- To protect people just like you and me, and their digital rights. In the world we live in, most of our information whether public or private exists in digital format. Is it protected?

Well, there two ways of looking at protected; the first would be protected from the bad guys, and second would be protected from Big Brother. There's nothing we can do as individuals to help protect our data from the bad guys, so let's concentrate on the other.

The EFF works vigorously to help ensure that your data is protected from Big Brother -- usually by fighting for your 4th and/or 5th (among others) amendment rights. Look them up if you don't know what they are. Really. Look them up right now if you don't know what they are. These are your rights, and you should understand them. I'll wait...

Okay...

Some would say that "if you don't have anything to hide, you shouldn't be concerned by Big Brother looking into your data;" but really that's not the point. The point (as so graciously noted by the founders of this country) is that I should not have to fear anyone searching my data without just cause, nor should I fear torture or other means by which I may utter words to incriminate myself.

I attended a conference this past weekend in which there were two talks given by folks that work at the EFF. They are intelligent and well versed in both law and technology -- oh, and they're nice people too.

Do you have a 'rooted' smart phone? You can thank the people at EFF for working to ensure you're not arrested for playing with something you own. (Which by the way is up for debate again.)

Do you use a Tivo or DVR? You can thank the EFF.

In more complicated matters such as encryption, a woman in colorado (yes, an alleged criminal) is being forced to decrypt data that she encrypted. As I said, it's more complicated than that, but the underlying issue is privacy and encryption, Can we say "Slippery Slope?"

They are also staunchly opposed to SOPA/PIPA.

What's the point I'm getting at? Well. . .

Some of you have probably never heard of this organization, and they fight every day to protect your rights. I know it's easy to throw money at a corporation and get a song, playing device, phone, TV, etc. . . Also, might I ask what your congress critter has done for you lately -- or in the past decade for that matter?

How about giving some to the folks who are trying to help protect us from these corporations and greedy fools in congress.

I know it's a tough economy, but please join or donate to the EFF. They're good folks trying to help protect your rights.

What did the Blackout accomplish?

So, my wife has urged me to blog more, and I can think of no better opportunity than after a massive 'grassroots' effort took place to help show our Congressmen and Representatives we are not a silent mass that can be ignored. Reddit and Wikipedia led the effort to show the citizens how two proposed bills, one in the House, SOPA, and one in the Senate, PIPA. These efforts were also aided by Googles black bar; even Facebook's Mark Zuckerberg and Wil Wheaton weighed in.

In short, I'm amazed by the number of posts I saw from friends on the Social Networking sites. I've signed petitions, and written my Congress critters. In fact, according to EFF over 4.5 million people have signed Google's petition. What's more amazing is that it actually worked (for now). Both PIPA and SOPA have lost support in the House and in the Senate.

However, I'm left wondering, why did it get this far, and why was there such an amazing effect, and do people really understand what they were petitioning against, or were they just hopping on the bandwagon?

To begin, how did we get here? How did it come to Wikipedia putting a roadblock up? Well, To begin with, the Supreme Court of the United States has long upheld the notion that corporations are people, and that money is free speech. What does that really mean? It means corporations are free to lobby, and give 'donations' to the very representatives that are supposed to be looking out for our interests, and who's gonna win that fight, us, or (enter multi-billion dollar corporation here) . Congress is looking out for themselves. They're looking to stay in office. What's the easiest way to do that? Take 'donations' from corporations to aid in 'campaigning.' So. . .

Lamar Smith received over $60,000 in 'campaign contributions' in 2011-2012 from the TV/Movies/Music industry, e.g. "Here's 60k., can you push this legislation through?" This is only minor compared to the alleged $94 million that the MPAA has given to Congress. And I won't even go into the hypocracy of the MPAA's statement about the blackout. It's not worth the strain on my typing fingers.

These bills were introduced in May and October of 2011. Why did it take so long for people to get involved?

My initial guess is because, "ZOMG!11!, Wikipedia is down! I can't find out what a car is; which brings us to the effect the blackout had.

Well, a great effect. It made our congress critters stop and think, and eventually some withdrew their support. They were probably thinking more about staying in office rather than the ridiculous pieces of legilation before them, but hey; the intended outcome was achieved.

YAY!! Woohoo! We win the Internets! But what did we actually accomplish? We let congress know that if they push this legislation through, it might 'break the Internet.' However, Congress doesn't understand the Internet, nor do they have the technical savvy to understand what they were actually proposing. Think about it this way. Ask your parents and grandparents if they know what DNS is. Take a mental note of the blank stare you receive, then picture it on your congress critter, only with a bubble over his/her head that says "Must. Pass. SOPA/PIPA."

How might it 'break the Internet?' What did these bills set out to accomplish? Essentially this bill would allow a coporate entity to pressure the Attorney General to send to online service providers an action to block the 'infringing site.' Unfortunately, the term 'infringing site' is left up to interpretation by the corporate entity, and this 'infringing site' is immediately stricken from the Internet with no due process. There's more tech to it than that, but it's boring to most people.

The intention of the bills are to stop piracy -- which is not a bad thing. I'm against piracy as I'm sure most law abiding citizens are. I wouldn't want my Intellectual Property stolen and distributed to others for free. However, the effect that these bills would have is atrocious, and I'm appalled that any elected official would put forth any type of legislation that may infringe on our rights. Personally, I believe that any person that sponsors this bill should be at the very least voted out of office, and at the very most brought up on charges as should any corporation responsible for helping. What charges? I don't know. I'm not a lawyer. However, the Supreme Court ruled that corporations are people; thus, they should be held accountable to the same laws as people, and if necessary, jailed and fined like people.

So, do people really understand what happened, or were they just hopping on the bandwagon? Quite frankly, I don't care. I believe the overall purpose was to get the word out, and thanks to Reddit, Wikipedia, Google, that was accomplished...

But what's in store for the future? Well, fortunately large corporations like Google and Facebook were on our side this time. What happens next time when it's laws that Google and Facebook have lobbied for? What happens when SOPA and PIPA become riders to important legislation that needs to be passed (like the budget, for example) Will we still be able to get word out to everyone? Will there be legislation already in place that will not let us get word out? Will we hold our Congressmen and women responsible?

This fight isn't over. Corporations will continue to "speak to" (read pay) representatives and try their damnedest to make the Internet a media consumption device rather than the two-way street that it is today.

If that happens, we can say goodby to the most enlightening and educational period the Human race has ever witnessed.