[GTALUG] blackmail

Michael Galea michael at galeahome.ca
Sun Aug 5 13:23:48 EDT 2018


On 08/04/18 00:47, D. Hugh Redelmeier via talk wrote:
> I received a blackmail message by email.  It claimed that they hacked my
> system and had compromising videos from my computer's camera.
> 
> As proof, they gave me what they claimed was my password.  But I only used
> that password on two sites: canadacomputers.com and
> xpresscanada.com (a long-dead Canada Computers site).
> 
> So I'm not worried.
> 
> I informed CC about three weeks ago.  They seemed to ignore the
> report.  I phoned again two weeks ago, and they were interested.  I
> told them if I didn't hear that they'd informed their customers that
> I'd publicize this security breach.
> 
> I've heard nothing else.  So I presume that they have not announced it
> to their customers.
> 
> Today I got another blackmail message with the same password.
> 
> What do you think that I should do?
> 
> PS: my password is a random string generated by mkpasswd(1) so it would
> not have been discovered by an online exhaustive search.  They most likely
> filched the password file from CC.
> 
> PPS: I'm glad that I don't reuse passwords!
> ---
> Talk Mailing List
> talk at gtalug.org
> https://gtalug.org/mailman/listinfo/talk
> 
I also received such an email, which was amusing because my desktop 
doesn't have a camera, so I ignored it.

I gpg encrypt my master password file. If any of the systems that have a 
copy (and I do keep copies) were stolen, I can be assured that my 
passwords are still private.

In addition to the passwords, I store a few dozen lines of random 
characters, from which I draw new passwords.

My default template for a password entry is:
<entry Name_Of_Entry>
     user =
     password =
     url =
</entry>
which makes cut and paste on the desktop convenient.

My workflow is to use a bash script to accept the master password and 
use it to decrypt the gpg file to a random temp file, and then launch 
vim on it. When vim terminates I check the temp file and re-gpg it if it 
has changed.

I am aware that I am vulnerable for the time that I am reading a 
password from the file.

I have my wife follow the same procedure on a Win10 desktop with an 
OpenOffice encrypted file (OO also uses strong encryption).
My wife was a big password re-user, but clicking on a desktop icon to 
open an .odt file to get her old/new password info is within her 
capabilities.


-- 
Michael Galea
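A worked version of the workflow described above (decrypt to a temp file, edit, re-encrypt only if changed), together with a lookup helper for the <entry ...> template and a password generator. This is an added example, not the poster's own script. Everything about it is my assumption: the store is a single gpg symmetrically-encrypted file at $PW_STORE, gpg collects the master passphrase itself through pinentry (it is never passed on the command line, where ps would expose it), the editor is vim with swap file and viminfo disabled, and the cleartext temp file is placed in a tmpfs-backed runtime directory when one exists. The sample store at the bottom is constructed for the demo and test.

```bash
#!/usr/bin/env bash
# Added example (not the original poster's script): an encrypted password
# store edited the way the post describes, plus a lookup helper for the
# <entry ...> template and a password generator.
# Assumptions, all mine: one gpg symmetrically-encrypted file at $PW_STORE;
# gpg prompts for the master passphrase via pinentry (never pass it on the
# command line, where `ps` would show it).
set -eu

PW_STORE="${PW_STORE:-$HOME/.passwords.gpg}"
# vim flags: -n disables the swap file, -i NONE disables viminfo, so the
# cleartext is not copied into ~/.viminfo or a .swp beside the temp file.
PW_EDITOR="${PW_EDITOR:-vim -n -i NONE}"

# Temp file for the cleartext: prefer a tmpfs-backed runtime dir so it never
# reaches persistent storage; mktemp creates it mode 0600.
pw_mktemp() {
    mktemp "${XDG_RUNTIME_DIR:-${TMPDIR:-/tmp}}/pw.XXXXXXXX"
}

# Overwrite and remove the cleartext. shred is best-effort on SSDs and
# journaled filesystems, which is why the tmpfs location matters more.
pw_shred() {
    [ -e "$1" ] || return 0
    if command -v shred >/dev/null 2>&1; then shred -u "$1"; else rm -f "$1"; fi
}

# Decrypt to a temp file, edit, re-encrypt only if the contents changed.
# The trap removes the cleartext however the script exits.
pw_edit() {
    local plain before after
    plain="$(pw_mktemp)"
    trap 'pw_shred "$plain"' EXIT INT TERM
    if [ -f "$PW_STORE" ]; then
        gpg --quiet --yes --decrypt --output "$plain" "$PW_STORE"
    fi
    before="$(cksum < "$plain")"
    $PW_EDITOR "$plain"          # unquoted on purpose: PW_EDITOR carries flags
    after="$(cksum < "$plain")"
    if [ "$before" != "$after" ]; then
        gpg --quiet --yes --symmetric --cipher-algo AES256 \
            --output "$PW_STORE" "$plain"
        echo "store updated" >&2
    fi
}

# Print one field (user/password/url) of one entry from a cleartext store on
# stdin, so a single value can be fetched (e.g. into a clipboard tool) without
# opening the whole file in an editor. Exits 1 if entry or field is absent.
pw_extract() {
    awk -v name="$1" -v field="$2" '
        $0 == "<entry " name ">"           { inside = 1; next }
        inside && $0 == "</entry>"         { exit }
        inside && $1 == field && $2 == "=" {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*=[[:space:]]*/, "")
            print; found = 1; exit
        }
        END { exit found ? 0 : 1 }'
}

# Generate a new password straight from /dev/urandom instead of a stored pool
# of random characters; 1024 source bytes leave roughly 300 usable characters.
pw_random() {
    local len="${1:-20}" chunk
    chunk="$(head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*_+=-')"
    printf '%s\n' "${chunk:0:$len}"
}

# Constructed sample store in the post's template, used by the demo subcommand.
SAMPLE_STORE='<entry Example_Shop>
     user = alice@example.net
     password = Tr0ub4dor &3 xyz
     url = https://shop.example.net/login
</entry>
<entry Example_Mail>
     user = alice
     password = correct-horse-battery
     url = https://mail.example.net
</entry>'

case "${1:-}" in
    edit) pw_edit ;;
    get)  gpg --quiet --decrypt "$PW_STORE" | pw_extract "${2:?entry}" "${3:?field}" ;;
    gen)  pw_random "${2:-20}" ;;
    demo) printf '%s\n' "$SAMPLE_STORE" | pw_extract Example_Shop password ;;
    *)    ;;   # no arguments: define the functions only, so the file can be sourced
esac
```

Usage: `pw.sh edit` for the editor round trip, `pw.sh get Example_Shop password | xclip -selection clipboard` for one value, `pw.sh gen 24` for a new password. The change check is a checksum of the temp file before and after the editor, which is what decides whether to re-encrypt; the remaining exposure window is the editing session itself, which the post already acknowledges.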

