Fighting Spam with Project Honey Pot

Ever heard of Project Honey Pot?

It’s an awesome service that’s been around for quite a while now (since 2004!), and is the core part of a community-driven effort to trap and track spammers online, including spam bots, email-address harvesters, and “bad visitors”. If you run a blog (on WordPress, for example), it tracks comment spam too!

To quote Project Honey Pot’s sharing message:

I wanted to let you know about a service called Project Honey Pot.

It allows you to track and help catch spammers who harvest email addresses from your web pages. I signed up myself, added honey pots to my site, donated an MX entry to help the cause and think it might be a service you’d find useful.

At this point, I’ve now donated 141 MX records across 133 unique domains, and I also host several honey pots.

Sounds like a lot, right? The more donations, the better – if you have a website and/or domain and you (like me) hate spam, you can sign up and they’ll walk you through getting set up to help catch and blacklist spammers (it’s easy and free!).


Project Honey Pot


Link over TOR


I’ve never filtered TOR network traffic to this site; in fact, it’s explicitly allowed in my Web Application Firewall.

But it gets better – This site is also available over TOR at c325lfp3aeuozjfu.onion! The onion URL uses HTTPS, but you may see a certificate warning (don’t worry – that’s normal!).

Check it out! There are a couple of known issues (web fonts not loading, mixed-content issues, etc.), but the content is readable 🙂

Facebook Encrypted Notification Emails

Encrypt your Facebook Notification Emails with PGP

It’s well known that email isn’t really that secure: a large percentage of mail servers communicate without TLS, mail clients aren’t set up to use secure connections, and, more commonly, user passwords are easily guessed.

Using PGP to encrypt messages helps to retain the privacy that age-old email systems don’t give you, keeping your message contents secured between you and the recipient (and back again).

While this is great, a lot of email comes from systems and not people – and the contents of those messages can be just as confidential. Thankfully, Facebook have, as of June 2015, added experimental support for users to add their OpenPGP public keys to their profiles and opt for all mails from Facebook to be encrypted.

Securing your Facebook Mails

Sounds good, right? Here’s a quick two-step guide on how to encrypt your Facebook Notification Emails with PGP!

PGP Key Changes: My New & Old Subkeys

Hash: SHA512

This blog post is an update regarding my PGP key with the fingerprint:

    1C6E 2273 D397 06CC 48EF  A543 1C76 31C7 D62

On 11th April 2016, I broke the hardware key containing the private parts for
the following three subkeys:

The following key was revoked on 2016-04-18 by RSA key D62083D0 Daniel Wilson
    sub  2048R/8F0C3D0F  created: 2016-03-19  revoked: 2016-04-18  usage: S
The following key was revoked on 2016-04-18 by RSA key D62083D0 Daniel Wilson
    sub  2048R/348C0DBE  created: 2016-03-19  revoked: 2016-04-18  usage: E
The following key was revoked on 2016-04-18 by RSA key D62083D0 Daniel Wilson
    sub  2048R/13EF1726  created: 2016-03-19  revoked: 2016-04-18  usage: A

I have revoked the above subkeys effective as of 18/04/2016 as they are no
longer usable without the hardware key. I believe this is the best option; for
example, should it be stolen and repaired, I wouldn't want them to be usable.

I have since replaced the broken key with two new hardware keys - A YubiKey Nano
and a YubiKey Neo.

During the setup process, I created and also revoked the following two subkeys:

The following key was revoked on 2016-04-19 by RSA key D62083D0 Daniel Wilson
    sub  2048R/4067FAE2  created: 2016-04-18  revoked: 2016-04-19  usage: S
The following key was revoked on 2016-04-19 by RSA key D62083D0 Daniel Wilson
    sub  2048R/F5303B78  created: 2016-04-18  revoked: 2016-04-19  usage: E

The following four sub-keys are now current for the two new hardware keys:

   sub  2048R/B50A61F7  created: 2016-04-18  expires: 2020-04-17  usage: S
   sub  2048R/2EC2880D  created: 2016-04-18  expires: 2020-04-17  usage: E
   sub  2048R/4CA19410  created: 2016-04-18  expires: 2020-04-17  usage: A
   sub  2048R/55C75F50  created: 2016-04-18  expires: 2020-04-17  usage: A

My updated public key reflecting the above changes is now available from:
 - Common key servers (mit, sks, gnupg, ubuntu)
 - Keybase -
 - This site -

- - - - -
PGP Key Update Blog Post for
Written by Daniel Wilson on Wednesday 20th April 2016 at 12:13:00.

This post will be published under the following address:
PGP Key Changes: My New & Old Subkeys
Current World News Headlines from :
 - Trump and Clinton win New York vote
 - Ecuador earthquake deaths pass 500
 - Mitsubishi Motors admits falsifying fuel economy tests

Sometimes the output of this blog gets tweaked by plugins for URL highlighting, etc.; a downloadable copy is available for verification – Download as a signed text file

If you’re interested, read How I broke my Yubikey.
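
As an added example (not part of the original post, and not the author's own tooling): the subkey lines in the post follow a fixed layout, so a short Python parser can report which subkeys are usable for each purpose on a given date. The function names and the embedded sample are assumptions made for this illustration.

```python
import re
from datetime import date

# Constructed sample: lines copied from the listing in the post above
# (one revoked subkey with its revocation note, two unrevoked subkeys).
SAMPLE = """\
The following key was revoked on 2016-04-18 by RSA key D62083D0 Daniel Wilson
    sub  2048R/8F0C3D0F  created: 2016-03-19  revoked: 2016-04-18  usage: S
   sub  2048R/B50A61F7  created: 2016-04-18  expires: 2020-04-17  usage: S
   sub  2048R/2EC2880D  created: 2016-04-18  expires: 2020-04-17  usage: E
"""

SUBKEY_RE = re.compile(
    r"^\s*sub\s+\d+[A-Za-z]/(?P<keyid>[0-9A-F]{8})"
    r"\s+created:\s*(?P<created>\d{4}-\d{2}-\d{2})"
    r"(?:\s+(?P<kind>revoked|expires):\s*(?P<when>\d{4}-\d{2}-\d{2}))?"
    r"\s+usage:\s*(?P<usage>[SECA]+)\s*$"
)

def parse_subkeys(text):
    """Return one dict per 'sub' line; revocation notes and other lines are skipped."""
    return [{
        "keyid": m["keyid"], "usage": m["usage"],
        "created": date.fromisoformat(m["created"]),
        "revoked": m["kind"] == "revoked",
        "expires": date.fromisoformat(m["when"]) if m["kind"] == "expires" else None,
    } for m in map(SUBKEY_RE.match, text.splitlines()) if m]

def status(sub, on):
    """Classify a subkey for the date `on`."""
    # Revoked subkeys are rejected for every date: the listing gives no reason.
    if sub["revoked"]:
        return "revoked"
    if on < sub["created"]:
        return "not-yet-valid"
    if sub["expires"] is not None and on >= sub["expires"]:
        return "expired"  # conservative: the expiry day itself counts as expired
    return "valid"

def usable_by_usage(text, on):
    """Map each usage flag (S, E, C, A) to the key IDs that are valid on `on`."""
    usable = {}
    for sub in parse_subkeys(text):
        if status(sub, on) == "valid":
            for flag in sub["usage"]:
                usable.setdefault(flag, []).append(sub["keyid"])
    return usable
```

Calling usable_by_usage(SAMPLE, date(2016, 4, 20)) lists only the two replacement subkeys; the revoked signing subkey never appears, whatever date is asked about.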

GitHub Verified Commit

GitHub add support for GPG Signature Verification

It’s official, GitHub has announced (as of April 5th 2016) that they will now be supporting GPG-signed commit verification!

GitHub GPG Verified Commit Signature

A series of gpg-signed commits, showing the signature verification on GitHub

GitHub now shows signed git commits and tags with a green “Verified” button, not only indicating that the commit or tag is signed, but also validating the GPG signature against the keys that are known for that user (set in your GitHub account settings).

The signature verification is also visible within Pull Requests, which is a great feature for large open-source projects to verify that code from trusted project members is really from the right people.

Why Signed Commits Are Important


Broken YubiKey (@Danw33)

I Destroyed The Indestructible (Borked YubiKey)

Hardware Authentication and Security tokens, like the YubiKey, are a great advance in IT Security; their accessibility for individuals and low price point make it easy to secure your IT services, online accounts, and more using a hardware secure-element that is nearly immune to private key leak or theft.

I’ve been using a YubiKey NEO for nearly a month now and I use it daily, on both my MacBook and my mobile (via NFC). Its smart-card (PIV/CCID) element has three keys on it: a signing key, an encryption key, and an authentication key, which I use for code, email, and git commit signing, as well as secure-shell (SSH) authentication, and more.

The FIDO U2F component also integrates tightly with my digital world, acting as a second (or in some cases third) factor of authentication for all of my online accounts which support it (right now that’s GitHub, Google, and Dropbox to name a few). In combination with the OTP modes available, the YubiKey is a very powerful bit of kit!

Crush-Proof, Not Dan-Proof

Before I go on, don’t let me put you off: YubiKeys are awesome! I’m sure alternatives are too, but the YubiKey, and Yubico as a whole, seriously rocks (read on to find out why).

So there I am, finishing some changes to a large (and unfortunately proprietary) project. I always sign my git commits and outgoing mail, so I plug in my YubiKey NEO, start the GPG-Agent service, and give my code a quick once-over before committing it.

Sweet! Code looks good, I’ll just grab a drink and then this commit is good to go!

This quickly becomes the story of how I destroyed my YubiKey Neo. I broke the unbreakable.
Nothing is Dan-Proof, something which has been proven time and again.

As I placed my MacBook on the seat of the sofa and began to get up, it slid off the edge, falling only a short distance onto its side. As my luck would have it, that side is the side to which I had just connected my YubiKey.

Mistakes were made!
