Initial commit: HPR Knowledge Base MCP Server

- MCP server with stdio transport for local use
- Search episodes, transcripts, hosts, and series
- 4,511 episodes with metadata and transcripts
- Data loader with in-memory JSON storage

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Lee Hanken
2025-10-26 10:54:13 +00:00
commit 7c8efd2228
4494 changed files with 1705541 additions and 0 deletions

hpr_transcripts/hpr1500.txt Normal file

@@ -0,0 +1,213 @@
Episode: 1500
Title: HPR1500: Key Signing
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr1500/hpr1500.mp3
Transcribed: 2025-10-18 04:18:06
---
music
Hello, welcome to another exciting episode of Hacker Public Radio.
I'm Ahuka, but I have a guest today.
My friend is Tony Beemis from the Sunday Morning Linux Review.
Hello, Tony.
Hey.
Oh, good.
Thanks for inviting me on.
This is going to be some interesting talk today.
Yeah, I'm really looking forward to this.
And, you know, I'm hoping that Tony's voice is a familiar one to most of you,
because you really do need to be listening to that Sunday Morning Linux Review.
It's a fabulous podcast.
I appreciate that.
Yeah, we've been doing it for over two years now.
And it's a lot of fun and glad that a lot of people get enjoyment from it too.
Yeah.
And I think people at Hacker Public Radio may recall when you first got started.
A few of the early shows were also put out on our feed as part of our showcase of new podcasts.
Oh, yeah.
And that was it was key to us getting some, you know, getting some exposure out there because without Hacker Public Radio,
I don't know if we really would have gotten as much as we would have before.
So this is great.
Thank you.
Right.
So this is part of our ongoing series on security and privacy.
And one of the reasons I asked Tony to come on is that we've been working together a little bit on getting encryption up and running.
And how to use it in mail and things like that.
And if you listen to Sunday morning Linux review, you've probably heard Tony talk about some of the things he's doing there as well.
Yeah, I've gone through and decided to do a security bed on our show and talking about using public keys and and signing and encrypting documents.
Great.
So the last couple of programs we've looked at how to implement key signing.
Well, we've implemented public key encryption on two different kinds of mail client.
One of them Thunderbird is a standalone client that you just run off of your local computer.
And then we showed how you can do the same thing using Gmail, which is an example of a web mail client and showed how with appropriate plugins, you can send encrypted mail.
But the thing that we want to talk about there's an interesting problem and that problem when you think about security is how do you know who it is you're exchanging mail with.
So if someone sends me an email and says they're Tony Beamus, how do I know that it's Tony Beamus?
That's right, and that's where the signing key comes in.
Yeah, exactly. Now in this particular case, you know, Tony and I don't live that far from each other.
You know, I know his voice, you know, there's a number of reasons why I would have confidence in that.
But you know, if it was someone else, you know, we've talked about how important it is to have security around your key that it is something that other people cannot get a hold of.
We've talked about how you can revoke a key if you think it's been compromised.
But how do we start making these connections? And I think one of the first things we might want to talk about are the servers that hold these Tony, you have got yours on a server, right?
That's right. So when we go through and you create your key.
Tony, we'd lose you there.
I'm back. Sorry about that. Yeah. So when you go through and create a key, then you want people to be able to get your key like we're talking like you're saying.
And so you want to send your key to or publish it to a key server.
And the key servers are servers out there. And you're only publishing your public key.
So that's what the difference with GNU PG. It's a asymmetric keys, meaning that you have your public in your private key.
You publish your public key to a key server. And then somebody else can be able to find your public key off of there to be able to verify that you're signing with your proper keys.
Yeah, and there's a number of those out there, right there.
That's right. There's there's a ton of key servers out there. There's a few that are really popular.
SKSK servers is one of them. PGP key servers is another one.
And I think Ubuntu has one that they have for their developers, but all these key servers synchronize between each other.
So if you publish your key to one key server, then it's going to synchronize across to others. So even if somebody else doesn't use the same key server that you do, then they can still grab your key off of another server.
Oh, great. So this is kind of like DNS in that I might use the DNS server of my ISP, but I can find all my web addresses there because they synchronize with central servers.
Yeah, I can see how it's using it similar to that.
Oh, that's great. So I guess what what that means is it doesn't really matter which server you go to.
That's right. You just choose one and stick it up there. I like to use the SKS key servers.
And that's just the one that I started with and it really doesn't matter either way what you go with.
Yeah, and I think the first time I created a key I was using the KDE client and I think they were something like a GPG server or something that was their default server. So that's where mine ended up.
Now the fact that this is a public key means we're not really concerned about security, right.
It's not like you've got something on the server that has to be locked down and protected. Does it?
No, you're right. You don't have to worry about security with this public key because it's public. That's what the one everybody should be able to see it and read it.
It's only with the combination of the public key and the private key is where the decryption happens.
Right. So if I wanted to send you a message and let's say for the moment that I didn't already have your key.
I mean, you and I obviously exchanged keys early on, but let's say I just decided out of the blue.
Gee, I want to send a message to Tony at Sunday morning Linux review.
And I go to a server and if I just look your name up, I'll get your key and I can use your public key, right.
That's correct. Yeah. And then what happens is it encrypts using your private key and my public key.
And then it sends the message to me. Then I decrypted with my private key and verify it with your public key.
Right.
So the public key is something that is completely public, you know, you could take out an ad and publish it in the newspaper and it wouldn't make any difference.
Exactly. Yep. And that's actually I've done something similar to that.
I've published my key on my on the sml website, you know, just say, hey, this is who I am.
So you guys can go ahead and send my key if you'd like.
And this you can verify anything I said to you, it's going to be with this key.
Yeah, I think a number of people have done that. I was thinking maybe I should do the same thing on my site.
I think I was the other day I was listening to a podcast with Leo Laporte. And I think he said he has his key on his website.
Now, one of the questions that occurs to me.
If I go to a site and I look up and I see, yes, there's there's someone here named Tony Bemis who has a key.
How do I know you're the person that I'm trying to communicate with and that it's your key.
Yeah, and that's where key signing comes in that you can see like other people have signed it.
So if you know, it's kind of like friends of friends kind of idea, where if you know a couple of my friends that have signed it, then you can look at it and say, yes, I know that's him.
There's also the key fingerprint.
So if you have my name plus the fingerprint, then you can go through and look to see all the Tony Bemis is out there.
And find the one with my fingerprint, which is a it's a eight character hex decimal number that will you can bear or match up to make sure that's still me.
Yeah, and the reason this this matters.
If you follow the Snowden revelations and similar things that have been coming out.
You know, there was a thing recently what they call watering hole attacks, you know, impersonate a website that you think a lot of people are going to go to.
And some of the intelligence agencies would like redirect traffic from a public site to one that they controlled and.
So you thought you were at this public place, you thought you were dealing with a website you knew, but in fact you weren't and what's to stop some intelligence agency.
I'm guessing Tony, you're not a target.
You're not what they would call a person of interest, but, you know, what would stop them from publishing something saying this is Tony Bemis's key.
And hoping that I would write to you using that and then they'd say, aha, we can get in there and see that encrypted communication that that shady O'Brien character is sending to this shady Tony Bemis character.
Yeah, that's that is a good question. And the reason that it's not going to work is because either I won't be able to decrypt it. So if you grab their key and you send it to me, then I wouldn't be able to decrypt it.
But then you're looking at those keys and you want to verify, you know, that's where those key, those, like I said, the fingerprint comes in that you can tell who is who.
And then there's also key signing parties where you need face to face.
And you say, this is my fingerprint. And that's where everybody exchanges their.
And your prints and not your physical fingerprint, but the fingerprint of your key.
And that's where you exchange that and then people can go through and sign it at a later time.
Right. So the idea of getting together in this face to face, let's say we had and we probably will do this fairly soon, because I've been talking to you about doing something for a penguin, but let's say we have a key signing party and you and I are both there.
And someone who knows me could say, hey, Kevin, is this guy really Tony? And, you know, I could say, well, yeah, you know, I've known Tony for years. This is the real Tony. And then based on that, he would accept your key and add it to his key ring.
That's right. And then another thing that they suggest is to have some kind of identification, you know, something that's publicly or commonly accepted, like a driver license or a passport.
Right. You want to be able to demonstrate you, you are who you say you are at one of these.
Right. You could go to a key signing party and maybe there's no one there who knows you to vouch for you. But if you've got the documents, people might say, well, okay, I've looked at this guy's driver's license and it had his picture on it. And yeah, this really looks like the right person.
And then there's also different levels of signing. So you can sign somebody's key and say, I'm just tentatively signing them saying that they say they're this person. I don't know them personally, but, you know, I'm going to tentatively sign, but then there's also you can sign them with, you know, saying full permissions like I, I know this person, I'm sure this is the right person.
Right. So if we were both at a key signing party and I wanted to sign your key and I'd say, well, yeah, I mean, I've known Tony for years. There's no doubt in my mind. This is Tony.
So I could give that very high level of trust.
But if it was just someone who I've never seen before, you know, gives me their college ID, I could say, you know, this might be the person. I mean, he had some kind of ID that looked like it was him.
But I wouldn't give it a high level of trust. I'd give it a fairly low one.
Yeah, that's some great examples of how that would go about.
So how does one organize? I think you've done this a few times. How do you organize a key signing party?
Actually, I have not done one yet. But from what I've read up and whatever other people have done is you, you just get people together.
So, you know, at a conference is a great place to do it. You know, so you're talking about we're going to do this over at Penguin Con.
And we're going to have just a whole load of, you know, tech people there. So it's a great time. Everybody's already there. Let's have a key signing party.
You know, another way to get people together is at your log meeting, you know, say yearly or every six months have a key signing party.
So when you people come in, you can teach them about the, you know, keys and GPG and get that all set up so that, you know, it gets it more aware and everybody starting to learn about this.
Okay, that sounds good. And yeah, we are going to be doing something at Penguin Con. And I think a lot of Linux conventions and technology places open source conventions.
Your someone is going to be setting up a key signing party somewhere.
One of the things that that I'm seeing last year I saw it at Ohio Linux Fest and I'm seeing it now in the talks because I'm involved with setting up the tech track for Penguin Con.
And I'm just seeing that there are a lot of talks being submitted that talk about different aspects of security and privacy. This really has everyone's attention.
Yeah, it's interesting how the, how much node and it's really impacted the social life of, you know, computer people in general and then getting it out, you know, further that the average person is now thinking about these things.
Yeah, so if you go to a key signing party, one of the things is bring good documentation at the very least, something like a driver's license or a passport, having both might even be a good idea, right.
That's right. I mean, it's really it's what other people are going to accept as your ID. So I would just accept the driver's license because that's, you know, that's what Michigan does. And that's, you know, mostly US does drivers license.
But I don't know what a Canadian driver's license looks like. So that's where a passport would be something that I'm familiar with Canadian passport. So, you know, I would accept a Canadian passport.
Right. And even in the United States, which is a big place, if someone came in with a driver's license from Nevada, I have no idea what a Nevada driver's license looks like.
So let's the other thing you mentioned that there's an eight character fingerprint.
So you'd want to bring that with you as well, right.
Yeah, that's right. And what you do is it's suggested to print off little sheets of all your fingerprints.
You have multiples of them say you'll carry 20 with you. And then you can hand those out because, you know, back in the days when they first started key signing parties, people didn't have their laptops and they didn't have their phones that they could just sign the key right then.
So you would hand out your your fingerprint in like maybe in a business card or sheet of paper. And then people can take that later back to their computer and then verify that you are, you know, say, yes, I remember hearing or meeting him. This is his key.
So here's the fingerprint that matches the key I'm going to sign.
So what's the signing process like it's not like you're whipping out a pen and putting your signature on a piece of paper. There's something different here, right.
Yeah, that's right. And there's that you can do it by the command line. If you're a command line person, but you can also do it by your gooey interfaces. So I use a seahorse, which is the default for no and also there's a KGP that you can use and probably that's what you use.
Okay, right.
Yep, that's the one I use on a KDE guy.
Yeah, so what you do is you look up their public key and within like I use seahorse and you can say search the public server for this key.
You can type in either a person's name, email address or their fingerprint and it'll bring up whatever keys are similar or matches your search.
And then you can go through and find that specific key that is on the public server.
And then you then say that to your computer or in your key ring, you can go into the properties of that key and you can say sign it and then with whatever how level you want to sign it.
And then in seahorse, I know then you have to click another button to say sync your keys and it goes through and it'll take you at that public key you just signed and sync it back to the key servers, which then says that you have signed it.
Ah, so if I go to a public key server and let's say I looked up Matt Enders your co-host on the Sunday morning Linux review.
And I wonder, is this the Matt Enders I know if I saw it had been signed by Tony Beamus and I already know your key ID, I would then be confident about it.
Exactly. Yeah, because there's a lot of Enders out there. And so when I first started looking for his, I had to really start through a lot.
So having multiple points to match your search makes it a lot easier to make sure you're finding and doing the right or signing the right key.
Yeah, and as I recall back when I first was getting going with this, I looked up Tony Beamus and then I think I sent you an email with the fingerprint and said Tony is this you because I knew your email address we've exchanged emails over the years.
So yeah, yeah, that's right. I remember going through a process and that that's another good way to do it. Yeah, if you're not face to face with the person, then you can look up and make sure that you're going to be grabbing the right one.
So the next question I have there's you can do this on a command line. You can do it with a gooey client.
But I'm guessing if you're going to a key signing party, most people are not bringing their laptop.
I mean, these days you tend to do everything on a smartphone. Let's say an Android phone. How do you do that?
Yeah, so you would use whatever program, you know, there's an app for that. And I use one called AGP.
And what you have to do is your key that you created on your computer, you import that into your AGP program on your phone.
And then from there, you can go through and search the public keys. And you can, it'll allow you to, I believe AGP allows you to sign it right there.
Okay, so we'll put a link to that in the show notes folks. AGP. This is an Android application.
That's right. Yeah, an AGP works really well with the the K mail client. And that's what I use.
Okay, I have to find out it is is K mails different from K nine.
Oh, you know what you're right. It is K nine mail. That's what I use. And K nine mail because they work along together, you can decrypt mail messages right on your phone.
You can encrypt and you can.
You see your keys and that uses your keys.
Okay, so I presume then you can synchronize the key ring on your phone with the one that's on the server.
Or how does that work? Let's say I've got a key ring on my laptop computer and I've got 30 keys there.
How do I get that onto my phone?
That's a good question. I've only tentatively used the AGP to the point where I didn't do any synchronizing.
I went through and found them separately for each person and added them to my phone.
Okay, so if anyone out there listening to this knows a really good way to do that, drop us a line.
And I'll make sure that we get that into a subsequent episode in our security and privacy, because it sounds like it's an interesting thing to take a look at.
Well, Tony, I think we've got a really good bunch of information here for folks.
And I want to thank you for coming on this episode and doing this one with me.
Yeah, you're welcome. I think we should get to get and do more of these.
Yeah, I'd love to do that.
And we're trying to do, I've committed to trying to do one episode a month in security and privacy.
And so far, it's been focused on encryption, because that was a starting point for a lot of people.
But I know you work for like a hospital. Do I recall that correctly?
Yeah, that's right. I work for a local hospital system. I'm the field tech there.
You probably are familiar with a lot of security stuff. I used to work for a hospital.
And I know there's this law in the United States called HIPAA that says,
if you release any patient's information, the government comes down on you like a sledgehammer.
I actually go to a lot harder than that.
Yeah, they definitely do come down as a sledgehammer.
But even if you're viewing patient data that you're not supposed to be,
if I, because I'm an IT person, if I view any patient's data, then technically,
I'm violating HIPAA because I'm not a patient.
I'm not a patient advocate. I'm not a caregiver.
So then I'm not supposed to be looking at that.
And even technically, I'm not supposed to look at my own data.
Unless I have submitted the right paper work.
Yeah, I remember I first went to work for St. Joe's hospital.
And I made some joke about looking up my own medical record and was very quickly put in my place.
It says, you know, you do that. We'll fire you.
That's right. Yeah.
Okay. Well, Pat, so there's plenty of stuff we can take a look at down the road.
Security and privacy is such a big area that I don't think we will ever run out of things
to talk about. But I think for now, it's time to sign off.
So on behalf of Tony from the Sunday Morning Linux review and the Hacker Public Radio,
this is Ahuka reminding you as always, please support free software.
You have been listening to Hacker Public Radio or Hacker Public Radio does all right.
We are a community podcast network that releases shows every weekday and Monday through Friday.
Today's show, like all our shows, was contributed by a HPR listener like yourself.
If you ever consider recording a podcast, then visit our website to find out how easy it really is.
Hacker Public Radio was founded by the digital dog pound and the infonomicum computer club.
HPR is funded by the binary revolution at binref.com.
All binref projects are proudly sponsored by Lina Pages.
From shared hosting to custom private clouds, go to LinaPages.com for all your hosting needs.
Unless otherwise stasis, today's show is released under a creative commons,
attribution, share a like, read us our license.
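Review bot: The transcript body is automated speech-to-text output (the `Transcribed:` header at the top of the file) and is committed as knowledge-base content with nothing marking it as unverified: the guest's surname appears as "Beemis", "Beamus" and "Bemis" within the same file, "stasis" stands in for "stated" in the licence line, and there are no speaker labels, so a search over this file will miss two of the three spellings and cannot attribute a quote to either speaker. Consider adding a header field alongside `Transcribed:` that records the transcript as automated and uncorrected (the field name is only a suggestion) so the MCP server can surface that status with search hits, and consider normalising proper nouns against the episode's own metadata at load time rather than editing the data file. The conversational content also contains loose technical statements that an LLM client could repeat as fact; for example the "eight character hex decimal number" described as the key fingerprint is the length of a short key ID, not of a full fingerprint, which is a further reason to present these files as transcripts rather than as authoritative text. Separately, the commit message says 4,511 episodes while the commit touches 4494 files; if some episodes have no transcript, the loader should report the gap rather than silently treating the missing ones as empty.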