I'm signed up for the LetsEncrypt.org beta! You can sign up too by filling out this form (link taken from this page).
I'm seriously considering getting a Yubikey as well. This seems to be the week of shoring up security at home. (Because I'm totally a high-value target.)
My little DSL modem has crapped out twice in the last month. I may need to replace it. And the old, old Dell laptop that the kids are using (with Debian 8, natch) has started to make squealy squealy sounds when it shuts down. And if I buy another wireless router without tcpdump, you can kick me in the head.
I've just put in an order for a new phone: a Google Nexus 5X. Turns out my current phone, a Samsung Galaxy Core, was something of a poor choice; it's on Android 4.4 and will not be getting upgraded to something without a stupid, stupid vulnerability this side of Doomsday. I am not happy at all about having a computer that I cannot upgrade easily. However.
Years ago, when I got into Linux, I somehow managed to persuade my father that he should run Linux too. I was surprised, but I shouldn't have been; he had a better Internet connection than I did for many years, we'd talk about which 286 system we'd buy (WordPerfect 4eva!), and he had a Blackberry long before I had anything remotely comparable.
Yesterday, I helped him get Tor going. He downloaded the browser bundle (64-bit Linux, natch), and I talked him through unpacking it, starting it up, and setting up a menu launcher for it. It was all done over the phone, which took me back to my days on the help desk: anticipating what the other person will see, telling them what to do and remembering to be explicit at all times. There's so much you can skip over when you're familiar with the process; there's so much you realize is entrusted to muscle memory, never actually rising to consciousness anymore.
But it worked -- he got connected, he got a feel for how slow things can be, he logged into Facebook (and knew not to click on the "Enable Flash plugin" button), he logged into his bank (!) and even GMail. We discussed what Tor would bring (increased privacy) and wouldn't bring (security). (Complicated; my feeling is that, although NoScript and not having Flash does a lot, it's not their primary concern. If security was my main focus, I'd probably start looking at SELinux or Qubes.) And we talked about what using Tor would do for others: provide cover, camouflage, for some who really need it.
Of course, he's probably the only Tor user within a 50km radius. (No, really -- he lives outside a small town.) So he sticks out like a sore thumb now. We joked about a pixel lighting up on a map in Maryland, analysts scratching their heads and wondering "Is that in the US?" But still: little, tiny, worthwhile things.
Canada's CSEC tracked travellers at Canadian airports who used the free WiFi. Not only that, tracked 'em afterward and backward as they showed up at other public hotspots across Canada. Oh, lovely.
A TSA screener explains: Yes, we saw you naked and we laughed.
ESR writes about dragging Emacs forward -- switching to git, and away from Texinfo, all to keep Emacs relevant. There are about eleven thousand comments. Quote:
And if the idea of RMS and ESR cooperating to subvert Emacs's decades-old culture from within strikes you as both entertaining and bizarrely funny...yeah, it is. Ours has always been a more complex relationship than most people understand.
My wife takes out our younger son's stuffed dogs for the day, and gets all the space she needs at Costco. WIN.
Looks like the supernova in Ursa Major has peaked at magnitude 10.5 or so.
Have I mentioned Adlibre backup before? 'Cos it's really quite awesome. Written in shell, uses rsync and ZFS to back up hosts. Simple and good.
Maclean's sent a sketch artist to cover Justin Bieber getting booked. I'd like to sketch that well.
The other day, my wife mentioned an Internets I had to read. "Ooh, that sounds good," I said, and since I had my laptop on I visited the site. Sequence went like this:
Pop-up window asking permission to set a cookie; denied.
Site looks like crap, so fiddle with RequestPolicy and allow the site to request from the CDN.
Site still looks like crap, so fiddle with NoScript to temporarily allow the site and its CDN to run JavaScript (grr).
Each of these steps prompted a refresh, which took a while because I mostly surf with TOR on these days. (Good thing the site didn't just block me because I'm coming from a TOR node, the way some sites do...)
All this was reflex. My wife watched what I was doing and smiled. "Your epitaph is going to be, 'He went to a lot of trouble. No adversary was too small.'"
And I smiled because that's true. Each of these things slows me down, is a pain in the ass, is one more thing that leaves other people shaking their head and wondering "Why bother?" But each one has its reason:
Cookies: do I really have to explain? If you're reading this, probably not.
NoScript and RequestPolicy really cut down on ads, plus there's the whole privacy benefit of not requesting every single web beacon out there.
TOR: a few reasons. First, to piss off the NSA. (Yes, that's a bit juvenile.) Second, to make bulk surveillance harder for them and others. Third, to provide cover for people who really need it (human rights activists, say).
All this reminds me of the "just one more thing..." breadcrumb trail that'd leave me, say, gradually funnelling all my money to a 419 scam. (I think it's unlikely I'll go too far, though. How private can you be when you're on Twitter?)
I'm starting to run into this sort of question with the kids. They want iPhones and Android phones and iPads and laptops and PS3s and I don't know what-all. My response so far has been to say "No," then "Not 'til you're 16 and you can give me an essay on 'Privacy before and after the Snowden revelations.'" And then my son asks, "What do you mean by that?" Trying to answer that, while simultaneously trying to figure out how to explain opsec and why it's necessary to a seven year-old, while simultaneously second- and third-guessing myself (I really do realize how crazy this all is), leads to about a 20 bit-per-minute communication rate during these conversations. And then the kids just wander next door to use the neighbour kid's iPad and dream of the day when they can buy their own.
It's enough to make me want to look up an NSA analyst and ask how they deal with it. (I bet I'd have to disqualify the answer on the grounds of "'If you have nothing to hide...' isn't acceptable." But maybe that's unfair.)
And since I can't think of a good way to end this, I'm just going to post it.
Bruce Schneier is beginning an NSA-exploit-of-the-day series with DEITYBOUNCE, a BIOS exploit aimed at Dell 1850/1950/2850/2950 servers. The info comes from the leaked NSA exploit catalog, and he's inviting comments about how the exploits would likely work and have been improved since the catalog's preparation in 2008.
For future reference: this Stack Exchange question asks how best to scan a PDF for malware. There are a number of links suggested:
I've got some reading to do.
Trying to take care of the HP RFU vulnerability. Miss the bit that says my printer doesn't have the ability to disable this built into the web interface. Decide I need to download HP Web Jetadmin. Forced to register for an "HP Passport Account". Fill in country of origin, among other details. Click to go back to download page, get "Sorry, we can't do that" message. Navigate back to download page. Fill in country of origin again. Fill in name of company. Download -- 300 MB. Go to download documentation; I see "installation instructions", "terms of use" and "post-sales support." What a crock.
-- Oh, and now I discover that it's going to install Microsoft SQL Server. Fucking hell. And that's not even including the rat's nest of menus.
Don't get me wrong: I can see how this would be immensely useful for a large number of printers. (And I strongly suspect that "large" means "greater than one".) But for one printer, it's an amazing overhead for such a small thing. Worse, I'm willing to bet that my whole task could be reduced to a single SNMP set command. But I'm too lazy to install Wireshark and figure out what that would be.
Holy crap. PDF supports multimedia, javascript, and launching arbitrary programs. Haven't checked the standard (warning: PDF) yet to see if they support the evil bit.
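The Stack Exchange question earlier on this page asks how to scan a PDF for malware, and the features listed just above (multimedia, JavaScript, launching programs) are exactly what a first-pass triage scanner looks for. Here is an added example of such a scanner; it is not code from the original post nor from any tool the post links to. It counts the PDF name objects that carry those features, and handles the two tricks that defeat a plain grep: names written with #xx hex escapes (/J#61vaScript) and dictionaries hidden inside FlateDecode-compressed streams. The list of names and the sample PDF are constructed for the example; the sample is deliberately minimal and will not open in a viewer.

```python
import re
import zlib

# PDF name objects worth flagging. Constructed list: the features the post
# mentions (JavaScript, launching programs, multimedia) plus the keys that make
# them fire automatically rather than on a click.
SUSPICIOUS_NAMES = [
    b"/JavaScript",    # JavaScript action
    b"/JS",            # the script itself (string or stream)
    b"/Launch",        # run an external program
    b"/OpenAction",    # action executed when the document opens
    b"/AA",            # additional actions (page open, form events, ...)
    b"/RichMedia",     # Flash / multimedia
    b"/EmbeddedFile",  # attached file, a common dropper vehicle
]

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# A name token ends where a non-name character begins, so "/JS" must not match "/JSON".
_NAME_END = rb"(?![A-Za-z0-9_.\-])"


def decode_name_escapes(data: bytes) -> bytes:
    """Undo '#xx' hex escapes in PDF names: '/J#61vaScript' becomes '/JavaScript'.
    Malicious files use these escapes to dodge naive string matching."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return the raw file followed by the inflated body of every stream that
    zlib can decompress, so keys inside FlateDecode objects become visible.
    decompressobj() is used so a truncated or slightly damaged stream still
    yields whatever was recoverable instead of raising."""
    inflated = []
    for m in _STREAM.finditer(data):
        try:
            inflated.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed (image data, etc.); skip it
    return b"\n".join([data] + inflated)


def scan_pdf_bytes(data: bytes) -> dict:
    """Count each suspicious name in the file, including names hidden inside
    compressed streams or behind hex escapes. Returns {name: count} for hits only."""
    text = decode_name_escapes(inflate_streams(data))
    hits = {}
    for name in SUSPICIOUS_NAMES:
        n = len(re.findall(re.escape(name) + _NAME_END, text))
        if n:
            hits[name.decode()] = n
    return hits


def build_sample_pdf() -> bytes:
    """Constructed, minimal PDF that exercises the scanner: an OpenAction that
    points at a Launch action, a hex-escaped JavaScript name, and a FlateDecode
    stream hiding a second JavaScript dictionary."""
    hidden = zlib.compress(b"<< /S /JavaScript /JS (app.alert('hi')) >>")
    return (
        b"%PDF-1.7\n"
        + b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
        + b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        + b"3 0 obj << /S /Launch /F (cmd.exe) >> endobj\n"
        + b"4 0 obj << /S /J#61vaScript /JS 5 0 R >> endobj\n"
        + b"5 0 obj << /Filter /FlateDecode /Length " + str(len(hidden)).encode() + b" >>\n"
        + b"stream\n" + hidden + b"\nendstream\nendobj\n"
        + b"%%EOF\n"
    )


if __name__ == "__main__":
    for name, count in sorted(scan_pdf_bytes(build_sample_pdf()).items()):
        print(f"{name:14} {count}")
```

A hit is a reason to look closer, not a verdict: plenty of legitimate forms carry /JS and /AA. The scan also cannot see inside object streams (/ObjStm) that use filters other than Flate, nor encrypted documents, so a clean result from this script is weaker evidence than a dirty one.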
# Count WordPress administrators. The join is pinned to the wp_capabilities
# row so a user whose description or nickname merely mentions "administrator"
# is not counted. $ARG1$ carries the MySQL credentials and -w/-c thresholds.
define command{
    command_name    check_wp_admins
    command_line    $USER1$/check_mysql_query -q 'SELECT COUNT(wp_users.user_login) AS "Admins" FROM wp_users, wp_usermeta WHERE wp_usermeta.user_id = wp_users.ID AND wp_usermeta.meta_key = "wp_capabilities" AND wp_usermeta.meta_value LIKE "%administrator%"' -H $HOSTADDRESS$ $ARG1$
}

# Count posts containing markup typically injected into a compromised site
# (hidden iframes, noscript blocks, display:none). The regexp is broad on
# purpose; a post that legitimately uses the word "display" will also match.
define command{
    command_name    check_wp_nasty_posts
    command_line    $USER1$/check_mysql_query -q 'SELECT COUNT(*) FROM wp_posts WHERE post_content REGEXP "iframe|noscript|display"' -H $HOSTADDRESS$ $ARG1$
}
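The two Nagios commands above are only as good as their queries, and they can be exercised without a WordPress install. Below is an added example (not from the original post, and not part of Nagios or check_mysql_query) that runs the same two checks against an in-memory SQLite stand-in for the WordPress tables, with a handful of constructed rows, and maps the counts to Nagios states the way -w/-c thresholds do. The admin query is pinned to meta_key = 'wp_capabilities'; a variant without that restriction is included to show why: a user whose description row mentions "administrator" inflates the count. Table layouts are reduced to the columns the queries touch.

```python
import re
import sqlite3

# Nagios plugin exit codes
OK, WARNING, CRITICAL = 0, 1, 2

ADMIN_QUERY = """
    SELECT COUNT(u.user_login)
      FROM wp_users u
      JOIN wp_usermeta m ON m.user_id = u.ID
     WHERE m.meta_key = 'wp_capabilities'
       AND m.meta_value LIKE '%administrator%'
"""
# Same query without the meta_key restriction: any usermeta row mentioning
# "administrator" (a bio, a nickname) counts, which is a false positive.
LOOSE_ADMIN_QUERY = """
    SELECT COUNT(u.user_login)
      FROM wp_users u
      JOIN wp_usermeta m ON m.user_id = u.ID
     WHERE m.meta_value LIKE '%administrator%'
"""
NASTY_POST_QUERY = """
    SELECT COUNT(*) FROM wp_posts
     WHERE post_content REGEXP 'iframe|noscript|display'
"""


def open_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the WordPress database, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    # MySQL has REGEXP built in; SQLite does not, so register one. SQLite calls
    # it as regexp(pattern, value) for 'value REGEXP pattern'.
    conn.create_function(
        "REGEXP", 2,
        lambda pattern, value: 1 if value is not None and re.search(pattern, value) else 0,
    )
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_content TEXT);
        INSERT INTO wp_users VALUES (1, 'alice'), (2, 'bob'), (3, 'mallory');
        INSERT INTO wp_usermeta VALUES
          (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
          (2, 2, 'wp_capabilities', 'a:1:{s:10:"subscriber";b:1;}'),
          (3, 2, 'description',     'site administrator for the garden club'),
          (4, 3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_posts VALUES
          (1, '<p>Hello world</p>'),
          (2, '<p>Nice post</p><iframe src="http://evil.example/x" style="display:none"></iframe>'),
          (3, '<p>Unrelated text about a display case</p>');
    """)
    return conn


def count_admins(conn: sqlite3.Connection, restrict_to_capabilities: bool = True) -> int:
    query = ADMIN_QUERY if restrict_to_capabilities else LOOSE_ADMIN_QUERY
    return conn.execute(query).fetchone()[0]


def count_nasty_posts(conn: sqlite3.Connection) -> int:
    return conn.execute(NASTY_POST_QUERY).fetchone()[0]


def nagios_state(count: int, warn: int, crit: int) -> int:
    """Map a count onto OK/WARNING/CRITICAL the way -w/-c thresholds do."""
    if count >= crit:
        return CRITICAL
    if count >= warn:
        return WARNING
    return OK


def check_site(conn: sqlite3.Connection, expected_admins: int,
               nasty_warn: int = 1, nasty_crit: int = 5):
    """Overall state: any change in the admin count is CRITICAL (a new admin is
    the classic sign of a takeover); suspicious posts escalate by threshold."""
    admins = count_admins(conn)
    nasty = count_nasty_posts(conn)
    state = CRITICAL if admins != expected_admins else OK
    state = max(state, nagios_state(nasty, nasty_warn, nasty_crit))
    return state, {"admins": admins, "nasty_posts": nasty}


if __name__ == "__main__":
    db = open_sample_db()
    print(check_site(db, expected_admins=1))
```

On the sample data the loose query reports three admins while the restricted one reports two (alice and mallory; bob only has the word in his bio). The post check flags both the injected iframe and the innocent "display case" post, which is the trade-off the Nagios command makes: a broad regexp catches more injection styles at the cost of a manual look at each hit.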
The more I work with Python, the more I don't just like it but admire it.
Ugh...not much more right now. I've got a blocked eustachian tube that I'm self-medicating with a Python script^W^Wcold medicine, and the acetaminophen in it is making me hazy.
"I say we take off and nuke the entire site from orbit. It's the only way to be sure."
Saturday afternoon my home web server got cracked. I found out because Google started refusing my searches, asking me to fill out a CAPTCHA form (incidentally, I hate the word CAPTCHA, and even typing it gives me hives) to prove I was human. What the hell?
So I checked on the server, which is also our firewall, which isn't good but frankly I was tired of maintaining a complex network at home, and sure enough there was some perl script running as user www-data (which Debian uses to run the webserver), sending off tons of Google queries and taking commands on IRC the way I keep hearing nobody does anymore. Crap.
Fortunately I've been running Bacula for a while now, backing up to an external hard drive, and so I figured that even though it probably would go away when I rebooted, I'd Do The Right Thing(tm) and rebuild from scratch.
This had to wait 'til the evening, so I shut down the webserver, ran backups a bunch more times, got more info, and moved the machine (a tiny li'l Shuttle box) from my youngest son's bedroom (apparently the only room in the house w/a phone outlet not covered by an ADSL filter) to our bedroom upstairs, running the network cable up the stairs.
In the end, it all went pretty smoothly. I was able to get all my packages back and restore from backup; the only thing I messed up was getting the ownership wrong on my restored crontab. (Debian uses a pool of UIDs for daemons, so you're not guaranteed to get the same UIDs if you reinstall.)
As a bandaid, I've firewalled off www-data from initiating connections out. I should have done this long before. Now I'm starting to think about the next step -- Xen, maybe, or SELinux. (I did briefly consider other distros, or even a BSD: CentOS for SELinux, FreeBSD for pf and jails. But I decided that one problem at a time was quite enough, thanks.)
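Blocking outbound connections from the web server's user is cheap and would have stopped the IRC bot above from phoning home. The following is an added example, not the rules from the original post, and assumes Linux iptables with the owner and conntrack matches (the chain name WWW_EGRESS is made up). It builds the rule set in the order that matters, and includes an audit that reads `iptables -S` output and confirms the lockdown actually applies, since a catch-all ACCEPT earlier in OUTPUT silently defeats it. The sample rule dumps used in the audit are constructed here, not captured from a live host.

```python
import shlex
import subprocess
from typing import List


def egress_lockdown_rules(user: str = "www-data", chain: str = "WWW_EGRESS") -> List[List[str]]:
    """iptables commands (argv lists) that stop `user` from opening outbound
    connections. Order matters: loopback and replies to connections that other
    hosts opened to the web server are accepted first; anything else the user
    originates is logged, then dropped. The owner match only works in OUTPUT,
    which is why the jump is installed there."""
    return [
        ["iptables", "-N", chain],
        ["iptables", "-A", chain, "-o", "lo", "-j", "ACCEPT"],
        ["iptables", "-A", chain, "-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
        ["iptables", "-A", chain, "-j", "LOG", "--log-prefix", f"{user} egress: "],
        ["iptables", "-A", chain, "-j", "DROP"],
        ["iptables", "-I", "OUTPUT", "1", "-m", "owner", "--uid-owner", user, "-j", chain],
    ]


def apply_rules(rules: List[List[str]], dry_run: bool = True) -> List[str]:
    """Run the commands (needs root); with dry_run just return them as shell lines."""
    lines = [shlex.join(argv) for argv in rules]
    if not dry_run:
        for argv in rules:
            subprocess.run(argv, check=True)
    return lines


def render_as_iptables_s(rules: List[List[str]]) -> str:
    """Render the commands the way `iptables -S` lists them, for the audit below.
    Only the single OUTPUT insert is modelled; real -S output must come from the host."""
    lines = []
    for argv in rules:
        args = argv[1:]
        if args[0] == "-I":  # '-I CHAIN [pos] ...' is listed as '-A CHAIN ...'
            has_pos = len(args) > 2 and args[2].isdigit()
            args = ["-A", args[1]] + args[3 if has_pos else 2:]
        lines.append(shlex.join(args))
    return "\n".join(lines)


def user_is_egress_locked(iptables_s_output: str, user: str = "www-data") -> bool:
    """Audit `iptables -S` output: True only if the user's packets reach DROP or
    REJECT (directly, or via a chain whose last rule is an unconditional deny)
    before any catch-all ACCEPT in OUTPUT. Pass the uid as a string if the dump
    shows numeric ids (iptables-save does)."""
    chains = {}
    for line in iptables_s_output.splitlines():
        tok = shlex.split(line)
        if len(tok) >= 2 and tok[0] == "-A":
            chains.setdefault(tok[1], []).append(tok[2:])

    def target(rule):
        return rule[rule.index("-j") + 1] if "-j" in rule else None

    def unconditional_deny(rule):
        return rule[:2] in (["-j", "DROP"], ["-j", "REJECT"])

    for rule in chains.get("OUTPUT", []):
        t = target(rule)
        if "--uid-owner" in rule and rule[rule.index("--uid-owner") + 1] == user:
            if t in ("DROP", "REJECT"):
                return True
            if t in chains and chains[t] and unconditional_deny(chains[t][-1]):
                return True
        if rule[:2] == ["-j", "ACCEPT"]:
            return False  # catch-all ACCEPT ahead of the lockdown: it never applies
    return False


if __name__ == "__main__":
    rules = egress_lockdown_rules()
    print("\n".join(apply_rules(rules)))
    print("locked:", user_is_egress_locked(render_as_iptables_s(rules)))
```

If the site legitimately needs to reach out (a plugin fetching feeds, SMTP to a relay), add specific ACCEPT rules to the chain ahead of the DROP rather than loosening the jump; mirror the rules with ip6tables; and keep the LOG rule, because the first thing a freshly blocked bot does is show you where it wanted to go.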
Okay, so as I mentioned I'm trying to get a Subversion repository working in a way that a) keeps the repository safely on an NFS-exported, mirrored set of drives, and b) does not require YAFPF. Today I've been banging my head against Apache2 + mod_auth_pam. The problem is that while passwords are successfully checked (hurray! one less FPF!), group membership is not. This does not work:
AuthPAM_Enabled on
AuthPAM_FallThrough on
AuthGROUP_Enabled on
AuthGROUP_FallThrough on
AuthType Basic
AuthGroupFile /etc/group
AuthName "secure area"
Require group subversion
(For one brief, spastic moment I thought Satisfy any was the missing magic. Then I tried it without typing in a password. Sigh.) We're using FreeBSD and NIS; from what I've been able to find so far, that might be problematic. OTOH, I might have the entirely wrong idea about PAM and its ability to check group membership.
UPDATE: Logical as it seems, AuthGroupFile has no place in the modern kitchen. Removing that directive allowed everything to work. Whee!
I found a link on Gecko's blog to Project Honeypot. Turns out it's a project to watch for, and attempt to track, spammer-run robots that scrape pages for email. I was intrigued, but a little put off by the terms of use. I did a bit more digging around, and found I wasn't the only person who thought that way. However, there were some strong rebuttals from the SpamCop forums, discussion on SURBL mailing list, and from one of the principals (who also replied here).
Reassured, I signed up. It's still in the early stages, so there hasn't been a lot of spam received yet (350-odd pieces, according to the stats page on the site). Still, I'm hopeful it'll be a Good Thing.
Another approach: a Java SMTP honeypot. Huh.