Beware: what goes up, sometimes stays up!

Regain security

Regain email privacy & security

Part #3 of the Data Liberation series

Is there ever time in the day to reconsider your online security? I mean, really consider it?

Take the most common access point for communication in the 21st century – email. Yes, you read that right. It’s still email. Email is the root of online authentication for people worldwide, not only allowing them a “safe place” to recover lost account credentials, but also facilitating properly secured communications with the use of PGP signed and encrypted email. But is your email storage secure?

The woes of web mail

The “problem” with email is that its ubiquity spawned, some years ago, the explosion of “free” web mail services. All the big players provide it. These services are advertising-supported. In other words, the cost of providing such services are met by revenue generated from scanning your email and providing “relevant” adverts within your browser to click on. Each click is tracked and the advertiser billed accordingly.

An issue here, then, is that your email is scanned. All your emails are read by an indexing process which scours every single nugget of information. What information could that include? How could it be used? How about this little list for starters:

  • the date & time
  • the sender’s name and email address
  • their computer’s name
  • their network (i.e. their email provider, their ISP, any intervening mail routers)
  • their probable native language
  • their approximate location when sending the message (obtained from their original IP address)
  • your approximate location when reading the email (based on your IP address)
  • yours and their exact locations if using any location service

That’s not all

If the sender is using the same “free” web-mail service as you:

  • if they use a calendar in that service, what they were doing when they emailed you (giving an insight into the sender’s thought processes…)
  • if they maintain a contact list / address book in that web-mail service, that service may “know” you are a friend or family member of the sender
  • in this case, it will also know their friends – and your friends – and any shared friends too.  It can start to build up a map of contacts – who knows who and possibly why.
  • Knowing “who knows who” means those related contacts’ web-mail services can be interrogated for commonalities, such as shared events (in a calendar), shared interests via a social network, and so on.

Web cam

There are yet more ways your data can be exposed. If they are not using the same “free” web-mail service, but are using another service which they log into using their web mail service’s credentials:

  • that web-mail service provider could poll the other services to see what data you are sending (e.g. what you are posting) to those services
  • it can map any correspondence to or from your contact via its services even when not in relation to your email – e.g. It can expose a contact’s movements, their communications and interests in a given time-frame.
  • they can even be exposed by their use of related services from that provider. For example, new photos into a flickr or instagram account which is public, can be mapped back from their date, time and location to the IP address that was used to query location services.

Finally, a crucial problem with all online services is that there is no guarantee your data is actually deleted when you choose to delete it.  After hitting “delete” through a web site, this could simply flag the email to be removed from your visible account and stored in MegaWebCorp’s vault of “deleted” email, remaining there forever.  Or until needed…

This is the risk of putting data into another provider’s hands – what gets uploaded or stored in your name, stays there in your name, forever.  What goes up, sometimes stays up.

Resolving the privacy crisis

Coming back to email, then, the first priority for someone who wants to maintain some privacy with respect to their life activity needs first to remove the source of indexing from MegaWebCorp’s database – the link between all things you do, your email address.

When the email address is removed from the purview of MegaWebCorp’s systems, your online activity can start to become your business – not the advertiser’s.

Getting your own address is simple.  You can register a domain name with any of numerous providers around the world and sign up for a low-cost hosting plan.  For any person who values their privacy and the sanctity of anonymity, this is a small hurdle to overcome.

For the gain in privacy you can achieve by hosting your own web site, the price attached to a “free” web-mail account may seem rather high.

Bootnote

ArsTechnica has an interesting article published yesterday (30 March 2014) on “metadata as surveillance” .

 

Show what you know...EmailTwitterGoogle+FacebookLinkedInPinterestRedditStumbleUpontumblr

Naughtyware.

Screenshot of Android with ebay app crashing.Naughtyware. No, not that sort.

It looks like some app development may be taking a dark turn. Since ebay has released a new version of its app, the old version no longer works on my phone.

I start it, it crashes and then it kindly notifies me that a new version of the app is available.

The new version requires the location privilege, where the old location did not, and now to use ebay on my phone I have little choice but to install it and switch off location services while I use it.

Sigh.

Show what you know...EmailTwitterGoogle+FacebookLinkedInPinterestRedditStumbleUpontumblr

“Fun” with Windows 7

“Fun” with Windows 7

So.. been having lots of fun with Windows 7 this morning.  Got hold of a refurb PC for doing some client system testing.

Win7 install completes and there are 3 updates to do.  Start the update process and two modal windows open up behind the update window, waiting for me to do something.  Have to click on task bar’s flashing icon to bring windows to the front.  On Windows.  Windows.

Anyway, I give the “OK” for Microsoft Security Essentials to install and it does, then starts to run an update within itself (!).  Due (perhaps) to the length of time of this process on this ageing P4, the main MS software updater kicks out another window saying “The application Microsoft Essentials may not have installed correctly.”

I’m sorry.  ”May“??

Choices are “That’s ok, it installed correctly” or “Reinstall this application”.  Except the application is installed and already running an update.  Err…?  So.. how do I know it has installed correctly?  Because it’s running…(?!)  (Does the computer not know??!)

With 20 minutes of Windows use this morning, I can’t believe just how bad things are on the other side of the fence.  Someone fresh to Windows will see all this flashing icons, hidden windows, alerts, worries…  and not have the first clue what to do.

Someone close to me was one of those unfortunate souls.  She’d persisted for about a year with her Win7 machine and was constantly anxious with its scaremongering.  Hardly a productive environment.

Luckily, she’s now running #debian   #wheezy  with the #gnomeshell  and immediately found it intuitive and straightforward.  Go #freesoftware !!

Show what you know...EmailTwitterGoogle+FacebookLinkedInPinterestRedditStumbleUpontumblr

The less said, the worse

If there is one thing I become acutely aware of, as time rolls by, it’s that the effort to write a page on my blog never diminishes. As the length of time since my last post increases, so does the psychological pressure to produce the next post. But one has to question, why is there this innate need to compose something, share it to the world and possibly see no return for the effort?

As strange as it sounds, I am intrugued by blogs that appear to have “stopped” at some point in time. When you come across a really useful post from a blog that was last updated three years ago, you can’t help feeling a bit sadenned by it. What happened to the poster? Did he/she get busy doing more even interesting stuff – so much more interesting and so much more busy, that they have neither the time nor the inclination to share?

This is a problem I have and I suspect I’m not alone. Sharing what goes on in my daily life is sometimes not possible. People count on me to provide web hosting support the moment they need it, not after I write a blog post. Working with a number of UK graphic design agencies, my days are kept busy and varied. Staying on top of the latest technical developments – often blogged by others in the industry, means I have little time to share this newly-acquired knowledge myself.

To address this issue, I am going to start worrying a little less about the content of my blog posts and more about their timeliness. Sound strange? Perhaps. Having read others’ blogs, though, it seems that social, political and technical comment is still a sought-after item of value in cyberspace. It all comes down to trust. Do you trust the opinion of the writer of this blog?

In our increasingly exposed digital world, establishing trust is something that comes from interactions and being able to judge a person’s character through what they share. As time rolls on, I will attempt to share more of my thoughts and observations through this blog and other social media sites, and worry a little less that I’m not providing a how-to on “everything you ever needed to know”.

If you have any comments, please feel free to add them below. Thanks.

Show what you know...EmailTwitterGoogle+FacebookLinkedInPinterestRedditStumbleUpontumblr

Playing with Mozilla Firefox Sync on Virtualmin

Part #2 of the Data Liberation series

Mozilla, the organisation behind the ubiquitous Firefox web browser, kindly publishes its source code powering a key service which it provides – Firefox Sync.  Because of this, we are able to run our own password sync servers securely and not necessarily be the target of a large-scale data-mining break-in, such as might be performed by a malicious cracker, or the NSA.  Sorry, of course they are the same thing.

FFirefox logoirefox Sync is a neat service which allows you to, quite literally, sync your settings in Firefox across multiple devices.  These settings can include bookmarks, web browsing history, cookies, form-filling data and passwords.  Anyway, I too was keen to run my own password sync server, so I set about doing just that.

I host quite a bit of stuff using Virtualmin, another superbly produced piece of software which facilitates the set-up of multiple domains on a single box. Setting up Firefox Sync on your own server under virtualmin is actually very straightforward.

The main task at hand is to follow the detailed instructions published by Mozilla.

As per the instructions, I had to run the following, in order to install required software:

# apt-get install python-dev mercurial sqlite3 python-virtualenv libssl-dev

In addition, I also needed to install and enable the WSGI Apache module, which wasn’t present on my system (drawing in dependencies as needed):

# apt-get install libapache2-mod-wsgi

I decided to install the Mozilla sync software in the home directory of my newly created domain, which in Virtualmin is either “/home/domain” or “/home/domain/domains/subdomain”, depending on whether you have created a subdomain for this specific purpose or not.  In the subdomain situation, the folder path would end up being: /home/domain/domains/subdomain/server-full.

Once installed, I inspected the Apache config file. A key change I had to make was to the WSGI configuration within this file. On my Debian box, the Apache config files are located in the standard place: /etc/apache2/sites-available – the same would be true for Ubuntu (on CentOS and other RHEL/Fedora derivatives, you’ll probably find them in /etc/httpd/conf.d/). Once you have created your domain in Virtualmin, your domain’s config file should be within this folder, appropriately named “domain.com.conf”.

In the “domain.com.conf”, there are a few lines to add and one to edit:

Firstly, find the DocumentRoot declaration:

DocumentRoot /home/mydomain/domains/subdomain/public_html

and change it to:
DocumentRoot /home/mydomain/domains/subdomain/server-full

Next, you’ll need to insert the following lines, within the same stanza as DocumentRoot (the best thing is to adjust and paste these lines directly after DocumentRoot:

WSGIProcessGroup sync-http
WSGIDaemonProcess sync-http user=<your-virtualmin-domain's-user> group=<your-virtualmin-domain's-group> processes=2 threads=25
WSGIPassAuthorization On
WSGIScriptAlias / /home/mydomain/domains/subdomain/server-full/sync.wsgi

The above example assumes that you are working within the :80> stanza. If you have enabled SSL on your virtual server, within Virtualmin, then you’ll also have a :443> stanza to add these lines to, with one or two exceptions!

A WSGIDaemonProcess is assigned to each virtual server in Apache. In doing so, it creates a system process which requires a name. According to the WSGI docs, this name must be unique:

“[...] note that the name of the daemon process group must be unique for the whole server. That is, it is not possible to use the same daemon process group name in different virtual hosts.

When you come to pasting in the additional lines in your :443 stanza, you are dealing with a separate virtual server in Apache.  So, within your Apache config file, be sure to rename your WSGIDaemonProcess process name. E.g.:

WSGIProcessGroup sync-https
WSGIDaemonProcess sync-https user=<your-virtualmin-domain's-user> group=<your-virtualmin-domain's-group> processes=2 threads=25

This configuration should now be valid. You can test this with:

service apache2 reload

This won’t stop the current Apache process, but it will attempt to load the new configuration file. If it fails to load the config, it will tell you without stopping Apache.

Once this works, simply issue:

service apache2 restart

Syncing on mobile

If you intend to use Firefox on Android, or any other mobile Firefox (or clone) that supports the same syncing protocol, there is one caveat.  If you are using an unsigned or self-signed SSL certificate on your sync server, you should visit the site first in your mobile Firefox and add a permanent exception.  Once done, set up firefox sync in the normal way, by typing the characters into your desktop browser’s sync dialog, and the two browsers will shortly be synced up nicely!

Show what you know...EmailTwitterGoogle+FacebookLinkedInPinterestRedditStumbleUpontumblr

Rebels with a cause: propping up the small players

It takes heroes like Edward Snowden to reveal how malicious governments can become. The Snowden revelations during the summer of 2013 showed that not only does everyone have to be wary of internet-based “threats”, but that those threats could be in the form of legally-appointed agencies seeking to catch out anyone who accidentally clicks something they shouldn’t.

Worryingly, despite the big players’ assurances of high levels of security, a post on Ars Technica discusses (and links to) slides created by the NSA, and leaked by Snowden, showing how Google’s international internet traffic was intercepted, analysed and understood – for a variety of its services. Thankfully, more heroes have recently stepped forwards with updates of their own.

My heroes today are +Brandon Downey and +Mike Hearn, who have voiced their contempt for the authoritarian misuse of power with, as we like to call it, the two-fingered salute (this would be one finger in the US…).

Google, too, has a data-collection objective

Let us not forget who Google is and what it does.  Yes, while its employees might be upset that their systems’ security has been brought into question, their employer’s mission “is to organize the world’s information and make it universally accessible and useful”.  So Google, too, has a data-collection objective.

The good thing about the Snowden revelations, if indeed any of them can be “good”, is that it has revealed how much work still needs to be done and how much we assume our data won’t be intercepted and inspected. It’s no longer safe to think like that, and the use of encryption should be mandatory between two end-points.

But now that the larger players are catching up with better security implementations, who is there to help the smaller players? Running a hosting outfit myself, I know how much time is required to stay informed with regards to common exploits and vulnerabilities, as well as implementing working solutions when certain zero-day exploits are revealed. Every internet service provider, hosting company and other entity transacting business via the internet has a responsibility towards safeguarding confidential data. How many take it seriously enough?

It’s time the larger players stepped up and started working collectively in a security community designed to help the smaller players in the market, rather than try to pwn the market itself; if that were to happen, the purpose of the internet would be destroyed and the argument moot.

Show what you know...EmailTwitterGoogle+FacebookLinkedInPinterestRedditStumbleUpontumblr

How to migrate your passwords from Chrome to Firefox

Part #1 of the Data Liberation series

Although Google Chrome is a very fast browser, it lacks one key feature which seems designed to lock users in – any account migration facilities to support moving to other browsers.  This post is intended to help you move your saved passwords from Chrome to Firefox.

Follow the instructions in that post, but while doing so, please take note of these steps below before you close your browser. If you have also set up a separate encryption password for your browser, don’t worry – this method still allows access.

  1. Image of Google Chrome settings

    Disconnect Google account in Settings

    In Chrome settings, as a precation, I disconnected my Google account before closing the browser. Therefore, any changes I could make to this temporary session wouldn’t ever be uploaded back to Google.

  2. Once you have the saved CSV file from Chrome, keep hold of it – we need to edit it. In Firefox, install the Password Exporter add-on: https://addons.mozilla.org/en-US/firefox/addon/password-exporter/?src=search
  3. Image of Password Exporter

    Exporting passwords

    Password Exporter allows you to import passwords too, so you can avoid the need to install any third-party workarounds like LastPass (which again require you to upload all your browser data).Firstly, though, using Password Exporter in Firefox (Tools > Add ons … Extensions > Password Exporter > Preferences), we can export a sample CSV file to see how Password Exporter expects its import data. Simply click “Export Passwords” and save the file to your home directory.

    NOTE: This requires that at least one password is saved in Firefox already.

  4. The headings in the exported file are as follows:

hostname username password formSubmitURL httpRealm usernameField passwordField

This is the format that Password Exporter will expect its import data.

The data’s headings that you have just exported from Chrome are a little different:

origin_url action_url username_element username_value password_element password_value submit_element signon_realm ssl_valid preferred date_created blacklisted_by_user scheme password_type possible_usernames times_used

We need to match up the firefox CSV headings with the corresponding Chrome CSV headings. To do this quickly, use a spreadsheet tool I used LibreOffice Calc.

This is what I arrived at:

(FF = Firefox; GC = Google Chrome)

FF: hostname username password formSubmitURL httpRealm usernameField passwordField
GC: origin_url username_value password_value action_url signon_realm username_element password_element

Once the fields are mapped, there’s a couple more important steps to undertake.

Export dialog

Export in the right format!

Firstly, when you come to exporting from your spreadsheet application, make sure you choose to edit the output filter. In the Export Text File dialog, make sure “Quote all text cells” does not have a check (tick) in the box.

For good measure, I also selected ASCII/US in encoding type,  as that is the format used by Password Exporter when exporting.   I think the importer should handle ISO-8859-1 and/or UTF-8, but your mileage may vary.

Now export it.

Remember seeing the additional header in the exported CSV file? It might have looked something like this:

In order to tell Password Exporter what format to expect its data in, this heading needs to be added back. However… the best way to do this is via a text editor, not in a spreadsheet program.

Open up GEdit, Emacs, Vi… whatever. Add that line to the top, but remove any trailing commas! It should now look like this:

"hostname","username","password","formSubmitURL","httpRealm","usernameField","passwordField"

One more step before you import!

A side-effect of exporting your CSV in LibreOffice is that empty cells are not quoted. In other words, the comma-separated values may appear like this:

"someusername","somepassword","someUrl",,"someusernameField"

Did you see those two commas with nothing between? The Password Exporter won’t like that when trying to import, so do a quick search-and-replace:

Search for ,, and replace with ,”",

Finally, save the file.  Again, ENSURE the file type is US/ASCII.

The importer dialog

Successfully importing passwords!

Now open up the Password Exporter dialog from Firefox and click Import Passwords – you should see progress in the dialog shortly.

CAVEAT #1: BUG WHEN IMPORTING v1.2-EXPORTED DATA

There is an import bug when the version header is declared as 1.1. However, you can get around this by “fudging” the import header to an older version (I used 1.0.4). If you have trouble importing, adjust your header in the file to look like this:

"hostname","username","password","formSubmitURL","httpRealm","usernameField","passwordField"

After importing, you may see that not all passwords were imported. This is because duplicates are not imported. You can view the details in the link.

CAVEAT #2: SOME LOGINS, PASSWORDS, ETC ARE QUOTED

So far I’ve not had time to find a way around this. It’s to do with the import format.

The adventurous can investigate the source code, here: https://github.com/fligtar/password-exporter/blob/master/passwordexporter/chrome/content/pwdex-loginmanager.js

Hopefully you have now successfully liberated your passwords!

Problems?  Comment below!

Show what you know...EmailTwitterGoogle+FacebookLinkedInPinterestRedditStumbleUpontumblr

Becoming a Slacker

INTRODUCTION

Enough was enough. I rocked and rolled along with one mainstream distribution after another, since I started using GNU/Linux in 2000. It was time for something else. Something that wasn’t trying to be everything.

Even I was slightly surprised then that, knowing so little about it, I chose Slackware Linux as my next distribution.

Here are some rough-and-ready notes from my installation, in case they’re of help to anyone else.

INSTALLATION

To install on an encrypted drive, I followed Juan Valencia’s blog:

http://www.jveweb.net/en/archives/2010/10/installing-slackware-in-an-encrypted-lvm.html

Apart from the natural modifications expected, i.e. kernel versions, the instructions were completely sound and the installation proceeded without issue.

INITRD KEYMAP

One LILO was installed, and the system rebooted, I had two issues:

  1. The USB devices attached to my ThinkPad’s docking station weren’t activating at boot time
  2. The keymap of the initial ram disk was set to US, so to decrypt my drive I had to observe the alternative placement of certain characters… ;)

To resolve these issues, I found the “IT Debris” blog (amusingly sub-titled: “Nothing lasts, nothing is finished, nothing is perfect”):

http://blog.beulink.org/slackware-initrd-luks-usb-keyboard/

To the command line (mkinitrd -c -k 3.2.7 -f ext4 -r /dev/vgl01/lvroot -m usb-storage:ehci-hcd:usbhid:jbd2:mbcache:ext4 -C /dev/sda2 -L -u -o /boot/initrd.gz) I added the flag “-l uk”, which loaded the UK keymap by default into the initial ramdisk.

Not forgetting to run lilo afterwards!

LILO’S KEYMAP

LILO’s keymap was also set to US. I decided to take a look at this. While the documentation is pretty comprehensive, the instructions for this particular issue were met with a slight problem – the file locations and names had changed in the 13 years since the documentation was written.

keytab-lilo is the recommended tool for updating LILO’s keyboard mapping.

keytab-lilo expects a US map and the other map (in your language, that you want to use) in order to create a mapping between them.

According to the docs, as referenced in /usr/share/doc/LILO…/doc/README’s web link, keytab-lilo expected keyboard mappigns in /usr/lib/kbd. This directoty doesn’t exist, so I did this:

mkdir usr/lib/kbd mkdir /usr/lib/kbd/keytables

loadkeys uk

cd usr/lib/kbd/keytables

cp /usr/share/kbd/keymaps/i386/qwerty/uk.map.gz . cp /usr/share/kbd/keymaps/i386/qwerty/us.map.gz . gunzip uk.map.gz gunzip us.map.gz

mv us.map us.kmap mv uk.map uk.kmap

keytab-lilo uk > /boot/uk.ktl

.. FINALLY, edit /etc/lilo.conf in your favourite editor:

emacs -nw /etc/lilo.conf

boot = /dev/sda keytable = /boot/uk.ktl

NOTE: the remapping doesn’t seem perfect. The hash (“pound” in en_US) symbol (#) is mapped to two keys and the UK pound (£) symbol is not mapped to number 3 at all, but in the main this is a usable UK mapping for me.

AND.. THE SYSTEM KEYMAP!

Edit /etc/profile.d/lang.sh, adjusting from en_US to en_GB

POST-INSTALL STUFF

After this, there were a couple of issues which I wanted to resolve. When using Ubuntu, I recall there was an issue with using a ThinkPad T420 (my machine) and possibly other ThinkPads with audio output via the docking station‘s analogue port. The issue was also addressed in a Ubuntu forum post.

I created /etc/modprobe.d/t420.conf and added the following:

options snd-hda-intel model=thinkpad

options iwlcore led_mode=1

.. then rebooted. Perfect – audio came up as expected. The flashing LED still appears to be flashing, though, so this requires further investigation.

INSTALL GOOGLE CHROME

http://www.infinityperl.org/post/2009/12/09/How-to-install-Google-Chrome-on-Slackware-13.html

(+ hangouts plugin): http://slackblogs.blogspot.co.uk/2010/08/videovoice-chat-works-in-slackware.html

TERMINAL – modifying the prompt

A long trip arouind the documentation and understanding how bash is invoked made me realise that the easiest thing to do is go into XFCE’s Terminal preferences, and tick the box that says “Run Command as login shell”. Then I get my nice prompt with my login, hostname and path instead of just “sh-4.20$”.

PSEUDO SUMMARY

These are my first steps at installing and configuring Slackware Linux. So far, so good. And not a single crash, which is what I expect from a sensible GNU/Linux distribution.

Show what you know...EmailTwitterGoogle+FacebookLinkedInPinterestRedditStumbleUpontumblr