Category Archives: Security

Help Yourself

In light of recent revelations about the suspected warrantless wiretapping being conducted by the NSA on citizens, I felt it was only appropriate to write a brief how-to guide on getting and using GPG for the Mac. The GPG system is the GNU (GPL-licensed) version of PGP, which stands for Pretty Good Privacy. The design is relatively easy once you see how it works. PGP is an encryption standard that creates two keys: one key is public and the other is secret. The public key can be given out freely to anyone who wants it; there are also key servers which you can query using names, email addresses, or key IDs to obtain the public PGP key of someone you are trying to reach. You keep your secret key safe; that’s what enables you to decrypt anything that was encrypted with your public key.

An example is perfect for this. Let’s say I wish to have a private conversation with my friend Chris. He has my public key and I have his public key. I open up my Mail.app application on my Mac, address the mail to Chris, and select his public key. I want the message to be encrypted and signed so only he can read it. I send the message; it arrives at his system and he uses his Mail application to decrypt the message and verify that I really sent it. Nobody but Chris and I has any idea what the conversation is about. You can do this with emails, chats, and files. All you have to do is make sure the public keyservers have your public key and ensure that your secret key is well and truly secret.

This makes wiretapping meaningless. If everyone communicated with each other using PGP (or GPG), and they should, there would be no reason to fear wiretapping of any kind. If your message is intercepted by an unknown third party, like the government, they can’t decrypt the message because they don’t have the recipient’s secret key.

Now, on to the nitty-gritty details:

1) Download and then Install GPGtools starting here: https://gpgtools.org/installer/index.html
2) Open GPGTools–2013.5.20.dmg and install GPGTools.
3) If you don’t have a secret key, the installer will start the GPG Keychain Access program and offer to help you create public and secret keys for all the email accounts that you have associated with yourself in your Addressbook. If you have secret keys to import, skip this step.
4) Eject GPGTools–2013.5.20.dmg disk image.
5) Follow instructions here: http://support.gpgtools.org/kb/how-to/first-steps-where-do-i-start-where-do-i-begin
6) Find, Download, and Install GPGMail–2.0b6.dmg
7) Start Mail.app, enjoy.

As more people adopt encryption strategies like this, along with other ways to protect yourself such as 1Password, AES-256 encrypted sparsebundle disk images and openssl, you can take an active role in protecting yourself. There is no point in expecting the government to alter their design; there is nothing in it for them. It’s a fool’s errand to discuss right and wrong in this situation; the best thing any of us can do is take that extra step and secure our communications ourselves. The natural and proper response to the violated trust between citizens and their government lies not in some meaningless expulsion of hot air but in technology, through encryption. It’s fine if they want to snoop; let them snoop not on text, but on encrypted data.

I’ve written about this before, but not on this scale. Before, I wrote about how you should not trust cloud services like Dropbox or Google Drive. You can still use them as the mules that they are, keeping data in sync and ubiquitous, but in order to be fully secure, well, a great idiom comes to mind: “God helps those who help themselves”. Deploying an AES-256 encrypted sparsebundle disk image in Dropbox is the best of both worlds. You get the protections that Dropbox and Amazon offer (HA HA HA) and you get the protections your AES-256 disk image provides. You know you are safe no matter what anyone tries to do to break in. For the time being, AES-256 is a great way to secure your communications, virtual belongings, and your freedom online.

Encrypt it all.

P.S. You can find all my public keys on the key servers as well as here: http://www.windchilde.com/bluedepth/pgp-public-keys/

PAD 5/7/2013 – Key Takeaway

Give your newer sisters and brothers-in-WordPress one piece of advice based on your experiences blogging.

If you’re a new blogger, what’s one question you’d like to ask other bloggers?

The best advice I can give is to be honest but have control over what you say. Honesty is the best policy, as the old adage is fond of saying, and it keeps blogging simple as you don’t need to remember any lies you’ve written in order to keep your blog internally consistent. However, honesty has its limits, and that has more to do with sharing and privacy. Depending on why you blog, sometimes you may find yourself wanting to write about something private. I think that assigning passwords to posts is a great feature of WordPress and makes sharing securable.

Some things are worth talking about, writing about. Some things you share aren’t really meant for your coworkers or your employer, and then the best policy is to slap a password on the posts and keep them private from wandering eyes.

There are a lot of great reasons, too, to blog independently from WordPress.com. Having control over your content, not having to worry about quotas or paying for extra services all make self-hosting with WordPress.org really worth it in the long run, especially with the right hosting provider. I’ve found a lot of the plugins that enrich the self-hosted option of WordPress.org make the product really shine. Here are some things to look into if you think blogging may be for you:

1. Fixing your .htaccess file on your blog. This can be configured to restrict your blog from foreign browsers. I’ve decided to ban entire countries from reading my blog mostly because I don’t agree with their politics, and in the case of China, I’ve gotten quite tired of comment spam. By limiting incoming traffic from browsers using this file, you can preclude them from ever being a problem. Just because the Internet is global doesn’t mean that you should feel forced to respect that globality.

2. Blacklist & IP Filter – These two plugins help identify IP addresses that are unwanted on your blog, and the IP Filter plugin helps you block those with more configurability than you can get with .htaccess.

3. Akismet and Jetpack really help protect and extend your blog. Every blog I host has these two plugins and once you get them configured properly they add so many wonderful features to your blog that it’s difficult to imagine using the blogs without them.

4. PhotoDropper – This plugin makes searching for and inserting pictures in your blog posts a cakewalk. It takes care of searching for the terms you want, only shows you Creative Commons licensed imagery so you don’t accidentally run afoul of image copyright holders and automatically includes credit lines to your posts to help respect the people who are sharing the imagery you are using on your blog. It’s about as turnkey as I’ve been able to find when it comes to finding and crediting blog pictures that I use to enrich my blog posts.

Beyond plugins it’s also worth mentioning Agile Tortoise’s iOS app Drafts. This app makes writing anything, journal entries, emails, and blog posts, a snap. You can update on any connected device until you are ready, and the destination selector feature makes pushing your updates out to various services a snap. I journal with DayOne and I post to WordPress using Poster. Drafts has options for these other apps and a dizzying array of others just for the tapping.

C2E2: Creating Comics with Comixology

While sitting in listening to the Comixology staff hawk their Submit technology, which is quite nice to see, especially for independent comic book creators, there was a point raised at the end of the panel by one of the attendees: that some people are hesitant to engage with digital comic books because they perceive their purchases not as licensing but rather as chattel. When I buy an issue of Comic X for $1.99 in paper, I have that comic and I can put it somewhere safe and always go back and enjoy it. What then for the digital comics? What if Comixology collapses? This touches more than just comics, and the real discussion is actually cloud escrow. Cloud services could collapse at any time, taking their content with them, right down the drain. Evernote, Dropbox, Comixology, and even Google itself could founder and collapse, leaving behind a smoking corpse and no way for customers to retain the data they consider as theirs.

The industry has perhaps accidentally selected this as a possibility by only conducting business in a cloud infrastructure way, it’s a thin veil on digital rights management — a way for content creators to secure their goods for sale (DRM) without driving away their customers, that veil works quite well. Except for when things utterly fail. What happens when fail comes to call?

When this fear pops up in other, more serious business discussions there is usually a section devoted to source code escrow services from escrow surety companies. So is there room for cloud escrow services in today’s world? Would that be enough to help keep people feel safer so that they would presumably give digital comic books a chance?

I can’t deny that this could be a great niche for a middleman company to step up and offer a kind of data presence insurance. The cloud products you buy are safe, permanently so, not by the companies that fail, but by the escrow service that vouchsafes the data in question.

What’s to keep the escrow service safe? This may be an irreducible hall-of-mirrors. There may be no way for people to feel absolutely safe until content is delivered in an open non-DRM format. I seriously doubt that DRM will go anywhere soon, so this may all have to be sidelined as an argument for some other time.

What started out as a blog post about escrow services has apparently turned into a railing against DRM. There may be no way out of the argument over DRM. It all comes down to “Who do you trust?” And “Can you?”.

C2E2: Digital Comic Panel

Attending a panel from a company called iVerse about Digital Comics. Lots of talk about price points, acknowledging the 800 pound silverback in the room, Apple, and talking about digital libraries. Social networking is still the red-headed stepchild, phrases like “… Twitter, whatever.” which I find *hilarious*.

What I find really interesting is when these digital comics will become so mainstream that they feel comfortable moving forward with a Netflix model where you pay a monthly fee and can access as much as you like.

Now we’ve entered the dimly lit world of licensing versus ownership, flooding, fire, or company collapse. How can you secure your digital goods if you lose access one way or another? Thinking about this topic with some of the things I’ve experienced in my professional life you would just need a source-escrow agreement so when the company fails, the content you purchased is made available to you in an open format. This doesn’t exist now, but it could.

IP Filter Plugin – Blacklist Page

I came across two great plugins: WP-Blacklister and IP Filter for WordPress. The first lists the IP addresses of all the spam comments a blog gets. The spam is identified by Akismet; I grab the IP addresses and then put them into TextWrangler. I sort the lines and find the really obnoxious networks, the ones with the same three octets over and over again, something like 5.5.5.1, 5.5.5.2 and 5.5.5.3. These, depending on how they resolve in an IP lookup, get a block: either 5.5.5.*, 5.5.*.* or 5.*.*.*. From left to right, each of those blocks off more and more of the network. The more *’s in the block, the more stations are simply thrown off.

And then there is IP Filter plugin, I assemble a list of naughty IP’s and then fill in the details for this plugin. If an incoming IP address matches any of my blocks, they get no content and a short blurb stating that their network was either a source of spam, malware, or otherwise is unwanted traffic. I applied this list to all my blogs and I had spam comment rates which were about 30 per hour go to zero.
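As an added illustration of the sort-and-block step above (my own example, not code from either plugin), this Python groups a constructed list of Akismet-flagged spam addresses by their first three octets, proposes a.b.c.* entries where a prefix repeats, and matches plugin-style wildcard patterns against an incoming address. Widening a block to 5.5.*.* or 5.*.*.* is left as the human decision the post describes.

```python
"""Turn spam-comment source addresses into wildcard blocks and match against them."""
from collections import Counter
from ipaddress import IPv4Address

# Constructed sample: addresses of comments Akismet flagged as spam on one blog.
SPAM_IPS = [
    "5.5.5.1", "5.5.5.2", "5.5.5.3", "5.5.5.77",      # same three octets four times
    "5.5.9.10", "5.5.9.11",                           # only two hits, kept as hosts
    "203.0.113.42",
    "198.51.100.7", "198.51.100.8", "198.51.100.9",
]


def valid_ipv4(addr):
    """Accept only well-formed dotted-quad addresses."""
    try:
        IPv4Address(addr)
        return True
    except ValueError:
        return False


def propose_blocks(ips, min_hits=3):
    """Collapse prefixes that repeat at least min_hits times into a.b.c.* blocks.

    Addresses below the threshold stay as single-host entries. Widening further
    (5.5.*.* or 5.*.*.*) is left to a human who has looked the network up.
    """
    hits = Counter(ip.rsplit(".", 1)[0] for ip in ips if valid_ipv4(ip))
    blocks = []
    for ip in ips:
        if not valid_ipv4(ip):
            continue
        prefix = ip.rsplit(".", 1)[0]
        entry = prefix + ".*" if hits[prefix] >= min_hits else ip
        if entry not in blocks:
            blocks.append(entry)
    # Numeric sort so 5.x sorts before 198.x; '*' sorts ahead of any number.
    return sorted(blocks, key=lambda e: [-1 if o == "*" else int(o) for o in e.split(".")])


def matches(pattern, ip):
    """True if ip falls under a wildcard pattern such as 5.5.5.*, 5.5.*.* or 5.*.*.*.

    Stars may only appear as a trailing run; a pattern like 5.*.5.* is treated
    as malformed and never matches, so a typo in the list cannot block everyone.
    """
    p_octets = pattern.split(".")
    if len(p_octets) != 4 or not valid_ipv4(ip):
        return False
    seen_star = False
    for p, o in zip(p_octets, ip.split(".")):
        if p == "*":
            seen_star = True
            continue
        if seen_star or not p.isdigit() or int(p) > 255 or int(p) != int(o):
            return False
    return True


def first_block(ip, blocks):
    """Return the block entry that denies ip, or None if the visitor gets content."""
    return next((b for b in blocks if matches(b, ip)), None)


def hosts_covered(pattern):
    """Addresses a pattern throws off: each '*' multiplies the collateral by 256."""
    return 256 ** pattern.count("*")
```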

I will be creating a new page on my blog that lists these bad networks and IP addresses. Feel free to get this plugin and enter these blocks for yourself if you wish. I’ll be updating it as I find more spam or Limit Logon Attempt Plugin lockouts.

There is a wee part of me that is toying around with blocking the 141.218 subnet. We’ll see. :)

photo by: The Tire Zoo

Limit Login Attempts Plugin

I recently added to my WordPress blog’s security, now that blogs like these are being targeted by botnets. I’ve found a great plugin called “Limit Login Attempts” which allows me to set lockout values for people who try to guess what the ‘admin’ account password is.

First, let’s just say that the level of entropy in my admin account passwords is so high that there isn’t enough time left in the Universe to try every combination – but that being said, my values for this plugin would make this a non-issue anyway. I give people 4 attempts at the ‘admin’ account; after that they are locked out for 1440 minutes, a day. If they lock out twice, the lockout penalty goes to 720 hours, or a month. There is a 4320-hour span until retries are reset; that’s 6 months.

Of course, the filter also captures the IP address, so I’m going to look into getting an IP blacklist plugin and adding these captured IP addresses to that blacklist. They’ll never be allowed on my blog. This line of reasoning led me to think about an immune system for the Internet. If an IP does something wrong, it is blacklisted and that fact is then sent to every other site and they blacklist it as well. One false move and you are suddenly banished from the network. I think this would radically change how people behave online. There would definitely be a lot of noise raised when people are suddenly unable to communicate with any host whatsoever because their systems were filthy, compromised, or malevolent. That would add a certain value of responsibility. It would only be a little bit more to establish a site like Digg where people vote on the malevolence of comment traffic, putting trolls right along with botnets and black-hats, out in the cold, banished where they all belong.
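The lockout values described above, and the captured-address list that feeds a blacklist, as an added Python model (my own example, not the plugin’s code): per source address it applies 4 tries, a 1440-minute lockout, a 720-hour lockout from the second lockout on, and a 4320-hour window before the counters are forgotten. Treating the second lockout itself as the long one is my reading of “lock out twice”, stated here as an assumption.

```python
"""Lockout bookkeeping for repeated failed logins, one record per source address."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Values from the post: 4 tries, a day's lockout, a month from the second
    lockout on (assumed reading), six months until the counters are forgotten."""
    allowed_retries: int = 4
    lockout_minutes: int = 1440
    lockouts_before_long: int = 2
    long_lockout_hours: int = 720
    reset_retries_hours: int = 4320


@dataclass
class Record:
    failures: int = 0          # wrong guesses since the last lockout or reset
    lockouts: int = 0          # lockouts since the last reset
    locked_until: float = 0.0  # epoch seconds; 0 means not locked
    last_failure: float = 0.0


class LoginLimiter:
    def __init__(self, policy=None):
        self.policy = policy or Policy()
        self.records = {}  # source IP -> Record

    def is_locked(self, ip, now):
        rec = self.records.get(ip)
        return rec is not None and now < rec.locked_until

    def record_failure(self, ip, now):
        """Register a wrong password from ip at time now (epoch seconds).

        Returns 'locked' when the address is locked out (newly or still),
        otherwise 'failed'. Both counters reset once the reset window has
        elapsed since the previous failure.
        """
        p = self.policy
        rec = self.records.setdefault(ip, Record())
        if now < rec.locked_until:
            return "locked"
        if rec.last_failure and now - rec.last_failure > p.reset_retries_hours * 3600:
            rec.failures = 0
            rec.lockouts = 0
        rec.failures += 1
        rec.last_failure = now
        if rec.failures < p.allowed_retries:
            return "failed"
        # Fourth wrong guess: lock out, escalating to the long lockout on the second one.
        rec.failures = 0
        rec.lockouts += 1
        if rec.lockouts >= p.lockouts_before_long:
            rec.locked_until = now + p.long_lockout_hours * 3600
        else:
            rec.locked_until = now + p.lockout_minutes * 60
        return "locked"

    def record_success(self, ip):
        """A correct login clears the address's history."""
        self.records.pop(ip, None)

    def locked_ips(self, now):
        """Addresses currently locked out: the list one would hand to a blacklist plugin."""
        return sorted(ip for ip, rec in self.records.items() if now < rec.locked_until)
```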

I can smell an RFC forming. :)

photo by: katerha

WordPress Security

I run a gaggle of WordPress blogs, both for personal reasons and for work reasons. My SupportPress site runs on WordPress.org, and the host I’ve been using all along, iPage, sent me an email informing me that they have detected a botnet-sourced cyberattack directed at the login pages of WordPress.org installations. They also informed all their customers that they have installed network limits on these attacks, but that even though the attacks have been greatly reduced, it shouldn’t lead to a flagging of security vigilance.

No time like the present to get things installed on all my WordPress blogs. The first thing I can think of since all my passwords are 16 to 20 characters long, randomized, stored for me in 1Password, and stored in such a way that even I don’t know them – is to install a plugin called Limit Login Attempts to all the WordPress blogs I manage. This will prevent people from screwing up their login attempts and it will email me when they try. So far this blog is covered and I don’t really expect any problems here.

Thanks to social networking, especially Twitter and my good friend @wyrdsmyth, and my hosting provider iPage I have been protected all along. More security is usually a good thing and in this case, warranted with this extra plugin. Next stop are all the other blogs I manage.

photo by: walla2chick

e-Cycle and Gas Station Sushi

I sent three old iPhone 4s to e-Cycle for recycling; they had a relatively good buy-back rate for the old devices. Of the three that I sent, only one was accepted. The other two were shredded and I got nothing for them, other than the vague satisfaction that the hazardous materials in them were recycled, probably.

I can’t really blame the company, it’s all there in black and white. Don’t send phones with active lines on them. Oops, that was my fault, but after hearing that they had this problem I thought I could just go into Verizon’s site and mark the lines as suspended. That didn’t do the trick. So the phones were summarily destroyed and recycled. I think that’s the part I don’t get, the rush to obliteration. Then again, I do get it, it’s a company trying to maximize all their angles and this is a rather convenient angle. It strikes me that they could have simply shipped the phones back to me or perhaps told me that my attempt at suspend didn’t work. Instead, they took the silent and cheap way out – shred the phones and mark the Unit Price as $0.00.

So, do I do business with e-Cycle in the future? I don’t know. I have learned my lesson at least, a phone you haven’t used in six months may still have a line on it. I don’t think I’ll be doing any further business with e-Cycle. It’s not because of anything overtly naughty, but just the sense that they didn’t care to even get back to me after I tried to disconnect the lines – that haste to simply shred and zero-balance fills me with doubt as to whether I got a fair shake on that deal, or not. I’m thinking not. While it wasn’t against any of the fine print, it did leave a rather bitter taste in my mouth, and I did learn a lot dealing with them, so perhaps in the end, it was good for everyone. I got a lesson, they lost a customer, and I’m wiser next time.

Now, to see if e-Cycle has any competitors.

UPDATE: They do have competitors, so at least there is a wide field available. It also turns out that the reports of the devices’ shredding were perhaps premature. They were found in a box, waiting for Verizon to disconnect them; since I sent that little nugget to Verizon today, it may take a bit for those devices to register as disconnected. I’ll update more as events unfold.

Crumbling

Since I had all the Twitter traffic from @MichiganDOT and @MDOT_Southwest automatically sent to my phone via SMS, I’ve been able to catch various things that they post on their Twitter stream. One of those things is a political advertisement from Michigan farmers and their campaign “Just Fix The Roads”.

I stand behind the farmers for improved maintenance of our roads and I certainly support Michigan DOT in their efforts to raise awareness of our crumbling infrastructure problem. Every day I have to dodge potholes, wide cracks, poor drainage, and bridges that I really don’t trust completely. Every day I cross many bridges, across train tracks, across the Kalamazoo River, those sorts, and I have faith, weak as it is, that my trips across the bridges and over these roads won’t put me in danger. It’s faith, have to have it that way because our infrastructure has been ignored for so very long that what once was new and strong is now weak and crumbling.

After watching that video on YouTube, I can’t help but think back to around 2003 when we, as a nation, decided that declaring war on Iraq and Afghanistan was a really great idea. Back then it was before the housing bubble broke and before the criminal banks were unmasked for being as corrupt as we eventually discovered – and we thought two unfunded wars would be just neat as hell. Well, now that we have made our bed, it is time to sleep in it. I sympathize with the Michigan farmers, and I certainly support infrastructure repair, but what money do any of us plan to assign to such an expensive endeavor? It’s going to take a whole lot of cash to do correctly what must be done. Where will that money come from? The Federal Government can’t help – they just beat out the sequester, the federal budget is a rotten mess, congress is idle, filled with backbiting idle celebrities behaving poorly. So it’s up to the state to fix its roads; again, where is the money?

So this is what two unfunded wars get us. Awesome cosmic military powers come at a cost and surprise! This is what many of us on the left were trying to say while the right was busy getting its patriotic on. There is a lot of blame to go around, most certainly, but in the end it does the rest of us no good. Not only do the farmers struggle with our crumbling roads, but also the rest of us who have no choice but to dare the paths that Michigan calls roads and to dare our rusted out bridges. It was going to be expensive before the unfunded wars; now it might actually kill us. Either the roads will kill us (slowly, by a billion paper cuts) or financial apocalypse will, because we’ve saddled our government with prosecuting wars when we should have been directing them to work on internal matters, like roads.

So, feel good about our proud military. They’ll have the funds and resources to do their job. Their incredibly important, more-important-than-everything-else job in Iraq and Afghanistan. Feel good, wrap yourself up in the flag, and be the proudest chief patriot when the bridge your car was on failed, the roadway crumbled and you ended up with the front-end of your very expensive SUV stuck in the mire of the filthy Kalamazoo River.

photo by: Kecko

Rather Than Fix The CFAA, House Judiciary Committee Planning To Make It Worse… Way Worse | Techdirt


This is wretched and wrong. The TL;DR here is that there is a law already on the books called the Computer Fraud And Abuse Act, and this bill seeks to amend that law and take it in very wrong and upsetting new directions. One of the biggest things I spotted that really has me upset is the redefinition of talking about an offense as equal to actually completing that offense. If you say you are going to do something that breaks this law, save your bus fare, you’re already guilty of committing the crime! The other part is even more insidious: even if you are given authorization to access a machine, if you use it for a different purpose, then the authorization is void and you are committing a crime.

This makes my work more complicated. Now I have to be careful about what I say, as this bill, if passed, would curtail my First Amendment rights to free speech, and that second bit would legally prevent me from noticing anything else wrong with a computer if I was just fixing something adjacent or unrelated to the original problem.

What a mess. Encourage your congress-critter to vote no on this bill!