User:Cronbot/PGP help

Verification FAQ

• Q: What do you mean "unlisted" Tor exit nodes?
• A: The Harvard exit node list does not give a complete map of the Tor network. There are still many nodes that are not seen there.

• Q: How does Cronbot discover these nodes?
• A: By periodically restarting its local Tor system service, which usually establishes a new network path whenever initialized. Yes, this is a basically "random" process. There is currently no other way known by the creator for finding "stealth" exit nodes.

• Q: How does Cronbot report these nodes?
• A: The Tor protocol only allows direct connections to Tor exit nodes through filtering by node nicknames. An IP address cannot be specified. Exit nodes not on the Harvard list have unknown nicks, and are thus uncheckable by this method (and by design the VCN system on WP:OP is presently incapable of testing Tor nodes altogether). The bot connects through these exit nodes as they are given, and attempts to post under the anonymous IP account. This, essentially, is proof that the node is a functional Tor proxy.

• Q: But if the bot posts through random IPs, why can't anyone fake being the bot?
• A: Because Cronbot reports open proxies through their own IP addresses, its identity is questionable by design. Anyone using Starhub, for example, could post a message claiming to be Cronbot and subsequently get most of Singapore blocked by an admin not in the know. The solution used here is PGP. PGP allows the bot to cryptographically sign its posts, which OP project members (or anybody else) can then check against the bot's public key. Only if the verification succeeds can it be reasonably assumed that the post really is from Cronbot through a Tor proxy.

• Q: But how can we trust the public key?
• A: The public key is presumed to stay unmodified indefinitely. To aid in tampering checks, it is also registered on the MIT PGP server. The bot will keep a hardcoded copy of its PGP signature in its permanent template, so any modifications to the page will be erased upon the next restoration. It will be up to the viewer to know when such a change happens by paying attention to the page history. The only automated edits to this particular link on this page should be by User:Cronbot; no other username should be trusted, and IP edits should especially not be trusted, as the bot should never make edits such as these under any account but its own. Indeed, the PGP key and its link should probably never be modified at all, and the only part of the page that is intended to be malleable is the transcluded User:Cronbot/sb/Messages page.

• Q: How can project members verify these posts?
• A: By first downloading and registering Cronbot's public key in their local PGP databases, and then using it to verify PGP signatures by new reports. A popular open source tool for this is Gpg4win — this is the Windows-based software whose setup and very basic usage (for the purposes of this project only) I have detailed below. Linux users can use the popular GNU Privacy Guard (or "GnuPG").

PGP verification setup and usage

Editors using other software or operating system platforms are encouraged to add how-tos as they see fit.

Windows

Setup using Gpg4win

1. Download the newest Gpg4win from http://www.gpg4win.org/download.html.
2. Your best bet is probably to proceed with the default install setup. It's not an intrusive program, and normally only installs on the start menu.
3. Start up the program through Start -> Programs -> GnuPG For Windows -> GPA.
4. Unless you already have one and want to use it with Gpg4win, go ahead and generate a new private PGP key on startup when the dialog box prompts you ("Generate key now"). I was not allowed to leave any fields blank, and the program complained about my alphanumerically strong twelve-character password being "obviously not secure", so you can probably write this off as a bug. On a slow machine (< 400 Mhz), the key generation step took less than thirty seconds.
5. Copy-and-paste the public key listed here (or from the MIT link) into an ASCII text file (preferably through Notepad) and save it. Be sure to get the whole key – that is, everything between and including the all-caps "BEGIN" and "END" lines.
6. Click "Import" in the middle of the main toolbar at the top. Locate the file you saved the public key into and load it. My output box after this step read:

   1 public keys read
1 public keys imported
0 public keys unchanged
0 secret keys read
0 secret keys imported
0 secret keys unchanged

7. Click on the second key, which should be identified with the username "Cronbot" in the rightmost column of the Keyring Editor list.
8. Click Sign, the third toolbar button from the left. Clicking Yes in the dialog that appears afterward will sign Cronbot's public key with your private key. This will eliminate the headache of "invalid" messages just because Cronbot's key hasn't been signed by a trusted key.
9. Enter your private key's password again in the dialog that appears. After this, you should be "ready to go".

Key verification

1. Find the PGP signature in the row of the IP you wish to verify. Click the "Show" link to the right of the Cronbot signature to view the signed message.
2. Copy everything in the expanded cell to your clipboard. You should paste everything between and including the "BEGIN" and "END" separator lines.
3. Paste the signed message into a text file, preferably through Notepad, and save it.
4. With Gpg4win open, click the Files button on the far right of the main screen's toolbar.
5. In the File Manager box, click the Open button on the left and locate the file you just saved. Click OK.
6. With the file in question highlighted on your File Manager list, click the Verify button, which is the fourth from the left on the toolbar.
7. If the signature is valid, you will see "Valid" in bright green letters under the Verify files dialog's Status column. In truth, other error messages may actually indicate success as long as a key is recognized, but if you followed the instructions for setup above, this should not be a concern.
8. If the signature is not recognized or is invalid, please bring it up on this page, as this IP may not be a valid open proxy (or worse, there may be a bot impersonator in our midst).

Linux

Setup using GnuPG

1. wget -O cronbot.pub 'http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDF8BE9D1'
2. gpg --import cronbot.pub
3. gpg --edit-key Cronbot

4.  tsign

5.  2

6.  1

7.  none

8.  y

9.  Enter your passphrase if needed.

10.  q

11.  y

Key verification

1. gpg --verify
2. Copy and paste the PGP signature at the terminal and hit Ctrl+D.