Tag: Computer Security

Tracking

I wrote a post about VPNs a few months back, referring to the recent repeal of Obama-era regulations that would have prevented ISPs from selling customer browsing history.

There's a common refrain I've seen from people who favor the repeal, both in the government and in Internet comments sections: "Google and Facebook track you and sell your data, and the government doesn't stop them from doing it, so it's not fair to stop your ISP from doing it!"

Now, this argument is fundamentally dishonest, for the following reasons, off the top of my head:

  • Your ISP sits between you and every single site you visit. Google and Facebook have extensive tracking operations, but not that extensive.

  • You can use the Internet without using Facebook or Google. It may not be easy, but it's possible. You can't use the Internet without your ISP.

  • Google and Facebook's business model is that they provide a service and, in exchange, you allow them to gather your personal data and resell it to third parties. Your ISP's business model is that it provides service and, in exchange, you pay them eighty fucking dollars a month. Did I say eighty? They just kicked it up to one-thirty, if you want unlimited data.

    When you give your personal data to Facebook or Google to sell to third parties, you get their service in return. When you give your personal data to your ISP to sell to third parties, you get fucking nothing in return, because you're already paying your ISP money in exchange for Internet service. Is your ISP going to lower your bill in exchange for taking your personal information to sell to third parties? LOLno.

  • Google and Facebook have competitors. Those competitors don't have the dominant market position that Google and Facebook do; hell, maybe they're just plain not as good. But they exist. They're options.

    There is no significant broadband competition in the US. If I don't like my ISP, I can't just switch to another one, because there is no other one available at my address. My choices consist of Cox, no Internet, and moving.

    There's no incentive for your ISP to behave ethically. There's no incentive for your ISP to charge you fairly. There's no incentive for your ISP to provide quality service. My ISP is a monopoly. Yours probably is too. Or, at best, it might have one competitor that does all the same shit.

  • Google and Facebook have pages where you can opt out of tracking.

But. Despite the intellectual dishonesty of the "but Google and Facebook track you!" argument, there is a kernel of truth in there: yes, Google and Facebook track you, yes it's difficult to avoid that tracking, and no, there are no regulations in place to protect your data. This is a problem.

So, shortly after writing that post, I removed the Google Analytics code from this site. And now I've also updated the site so that the fonts it uses are hosted here at corporate-sellout.com, not called from Google Fonts (hat tip to the Disable Google Fonts WordPress plugin). I'm still using a Google Captcha on the Contact page for now, but I'm looking at alternatives. Plus, there are YouTube videos embedded on this site...and, well, there's nothing I can really do about preventing Google from tracking you when you load YouTube videos. Sorry about that.

I'm also planning on adding SSL to the site, eventually, but I haven't gotten around to it yet.

This blog's not a business. Occasionally somebody buys something through an Amazon Associates link, or buys my book (thanks!), but I've got a day job; I'm not here to make money. I write stuff here because I like to write stuff. Sometimes people like it, and that's cool, and it's cool to know that people are reading. But that's as far as my interest in analytics goes.

I don't resell data; I don't do SEO or A/B headlines or clickbait or any other kind of crap to try and drive people here -- hell, I hate all that shit. But I like looking at site stats once in awhile to see where people are coming from, where somebody's mentioned me, and to laugh at search terms like "did stan lee bone at jack kirby's wife".

So I'm looking for a new stats package. Server-side; just for me, not Google.

Meanwhile, I am looking for ways to use Google as little as possible, not just on this site but in general. I think I can probably get a few more posts out of that subject.

Resources for pfSense, Private Internet Access, Netflix, and Hulu

You've probably heard by now that the US Congress just repealed Obama-era regulations preventing Internet service providers from selling their users' browsing data to advertisers. I'll probably talk more about that in future posts. For now, I'm going to focus on a specific set of steps I've taken to prevent my ISP (Cox) from seeing what sites I visit.

I use a VPN called Private Internet Access, and a hardware firewall running pfSense. If that sentence looked like gibberish to you, then the rest of this post is probably not going to help you. I plan on writing a post in the future that explains some more basic steps that people who aren't IT professionals can take to protect their privacy, but this is not that kind of post.

So, for those of you who are IT professionals (or at least comfortable building your own router), it probably won't surprise you that streaming sites like Netflix and Hulu block VPNs.

One solution to this is to use a VPN that gives you a dedicated IP (I hear good things about NordVPN but I haven't used it myself); Netflix and Hulu are less likely to see that you're using a VPN if they don't see a bunch of connections coming from the same IP address. But there are problems with this approach:

  • It costs more.
  • You're giving up a good big chunk of the anonymity that you're (presumably) using a VPN for in the first place; your ISP won't be able to monitor what sites you're visiting, but websites are going to have an easier time tracking you if nobody else outside your household is using your IP.
  • There's still no guarantee that Netflix and Hulu won't figure out that you're on a VPN and block your IP, because VPNs assign IP addresses in blocks.

So I opted, instead, to set up some firewall rules to allow Netflix and Hulu to bypass the VPN.

The downside to this approach is obvious: Cox can see me connecting to Netflix and Hulu, and also Amazon (because Netflix uses AWS). However, this information is probably of limited value to Cox; yes, they know that I use three extremely popular websites, when I connect to them, and how much data I upload and download, but that's it; Netflix, Hulu, and Amazon all force HTTPS, so while Cox can see the IPs, it can't see the specific pages I'm going to, what videos I'm watching, etc. In my estimation, letting Cox see that I'm connecting to those sites is an acceptable tradeoff for not letting Cox see any other sites I'm connecting to.

There are a number of guides on how to get this set up, but here are the three that helped me the most:

OpenVPN Step-by-Step Setup for pfsense -- This is the first step; it'll help you route all your traffic through Private Internet Access. (Other VPNs -- at least, ones that use OpenVPN -- are probably pretty similar.)

Hulu Traffic -- Setting up Hulu to bypass the VPN is an easy and straightforward process; you just need to add an alias for a set of FQDNs and then create a rule routing connections to that alias to WAN instead of OpenVPN.

Netflix to WAN not OPT1 -- Netflix is trickier than Hulu, partly because (as mentioned above) it uses AWS and partly because the list of IPs associated with AWS and Netflix is large and subject to change. So in this case, instead of just a list of FQDNs, you'll want to set up a couple of rules in pfBlockerNG to automatically download, and periodically update, lists of those IPs.

That's it. Keep in mind that VPN isn't a silver bullet solution, and there are still other steps you'll want to take to protect your privacy. I'll plan on covering some of them in future posts.

E-Mails and Passwords

So the other day I decided it was past time to reset all my passwords.

I'm pretty good about password hygiene. I've been using a password locker for years, with a unique, randomly-generated* password for every account I use. But I'll admit that, like most of us, I don't do as good a job of password rotation as I might. That's probably because I've managed to amass over 150 different accounts across different sites, and resetting 150 different passwords is a giant pain in the ass.

(I'm thinking that, from here on in, I should pick a subset of passwords to reset every month, so I never wind up having to reset all 150 at once again. It would also help me to clear out the cruft and not keep logins for sites that no longer exist, or which I'm never going to use again, or where I can't even find the damn login page anymore.)

There was one more reason I decided now was a good time to do a mass update: I've got two E-Mail addresses that have turned into spam holes. As I've mentioned previously, I'm currently looking for work and getting inundated with job spam; unfortunately I went and put my primary E-Mail address at the top of my resume, which in hindsight was a mistake. Never post your personal E-Mail in any public place; always use a throwaway.

Which I do, most of the time -- and that's created a second problem: I've been signing up for websites with the same E-Mail address for 15 years, and also used to use it in my whois information. (I've since switched to dedicated E-Mail addresses that I use only for domain registration.) So now, that E-Mail has turned into a huge spam hole; it's currently got over 500 messages in its Junk folder, and that's with a filter that deletes anything that's been in there longer than a week. My spam filters are well-trained, but unfortunately they only run on the client side, not the server side, so any time Thunderbird isn't running on my desktop, my spam doesn't get filtered. (If I'm out of the house, I can tell if the network's gone down, because I start getting a bunch of spam in my inbox on my phone.)

So now I've gone and created two new E-Mail addresses: one that's just for E-Mails about jobs, and another as my new all-purpose signing-up-for-things address.

My hope is that the companies hammering my primary E-Mail address with job notifications will eventually switch to the new, jobs-only E-Mail address, and I'll get my personal E-Mail address back to normal. And that I can quit using the Spam Hole address entirely and switch all my accounts over to the new address. Which hopefully shouldn't get as spam-filled as the old one since I haven't published it in a publicly-accessible place like whois.

Anyway, some things to take into account with E-Mail and passwords:

  • Don't use your personal E-Mail address for anything but personal communication. Don't give it to anyone you don't know.
  • Keep at least one secondary E-Mail address that you can abandon if it gets compromised or filled up with spam. It's not necessarily a bad idea to have several -- in my case, I've got one for accounts at various sites, several that I use as contacts for web domains, and one that's just for communication about jobs.
  • Use a password locker. 1Password, Keepass, and Lastpass are all pretty highly-regarded, but they're just three of the many available options.
  • Remember all the different devices you'll be using these passwords on.
    • I'm using a Linux desktop, an OSX desktop, a Windows desktop, and an Android phone; that means I need to pick a password locker that will run on all those different OS's.
    • And have some way of keeping the data synced across them.
    • And don't forget that, even with a password locker, chances are that at some point you'll end up having to type some of these passwords manually, on a screen keyboard. Adding brackets and carets and other symbols to your password will make it more secure, but you're going to want to weigh that against the hassle of having to dive three levels deep into your screen keyboard just to type those symbols. It may be worth it if it's the password for, say, your bank account, but it's definitely not worth it for your Gmail login.
  • Of course, you need a master password to access all those other passwords, and you should choose a good one. There's no point in picking a bunch of unique, strong passwords if you protect them with a shitty unsecure password. There are ways to come up with a password that's secure but easy to remember:
    • The "correct horse battery staple" method of creating a passphrase of four random words is a good one, but there are caveats:
      • You have to make sure they're actually random words, words that don't have anything to do with each other. Edward Snowden's example, "MargaretThatcheris110%SEXY.", is not actually very secure; it follows correct English sentence structure, "MargaretThatcher" and "110%" are each effectively one word since they're commonly-used phrases, the word "SEXY" is common as fuck in passwords, and mixed case and punctuation don't really make your password significantly more secure if, for example, you capitalize the beginnings of words or entire words and end sentences with periods, question marks, or exclamation points. Basically, if you pick the words in your passphrase yourself, they're not random enough; use a computer to pick the words for you.
      • And this method unfortunately doesn't work very well on a screen keyboard. Unless you know of a screen keyboard that autocompletes words inside a password prompt but won't remember those words or their sequence. I think this would be a very good idea for screen keyboards to implement, but I don't know of any that do it.
    • There are programs and sites that generate pronounceable passwords -- something like "ahx2Boh8" or "ireeQuaico". Sequences of letters (and possibly numbers) that are gibberish but can be pronounced, which makes them easy to remember -- a little less secure than a password that doesn't follow such a rule, but a lot more secure than a dictionary word. But read reviews before you use one of these services -- you want to make sure that the passwords it generates are sufficiently random to be secure, and that it's reputable and can be trusted not to snoop on you and send that master password off to some third party. It's best to pick one that generates multiple passwords at once; if you pick one from a list it's harder for a third party to know which one you chose.
  • Of course, any password is memorable if you type it enough times.
  • And no password is going to protect you from a targeted attack by a sufficiently dedicated and resourceful attacker -- if somebody's after something you've got, he can probably find somebody in tech support for your ISP, or your registrar, or your hosting provider, or your phone company, or some company you've bought something from, somewhere, who can be tricked into giving him access to your account. Or maybe he'll exploit a zero-day vulnerability. Or maybe one of the sites you've got an account with will be compromised and they'll get everybody's account information. Password security isn't about protecting yourself against a targeted attack. It's about making yourself a bigger hassle to go after than the guy sitting next to you, like the old joke about "I don't have to outrun the tiger, I just have to outrun you." And it's about minimizing the amount of damage somebody can do if he does compromise one of your accounts.
  • And speaking of social engineering, security questions are deliberate vulnerabilities, and they are bullshit. Never answer a security question truthfully. If security questions are optional, do not fill them out. If they are not optional and a site forces you to add a security question, your best bet is to generate a pseudorandom answer (remember you may have to read it over the phone, so a pronounceable password or "correct horse battery staple"-style phrase would be a good idea here, though you could always just use letters and numbers too -- knowing the phonetic alphabet helps) and store it in your password locker alongside your username and password.
  • You know what else is stupid? Password strength indicators. I once used one (it was Plesk's) that rejected K"Nb\:uO`) as weak but accepted P@55w0rd as strong. You can generally ignore password strength indicators, unless they reject your password outright and make you come up with a new one.

* For the purposes of this discussion, I will be using the words "random" and "pseudorandom" interchangeably, because the difference between the two things is beyond the scope of this post.

Getting Sprint LTE to Work on CyanogenMod 12

Update 2015-10-12: My new advice for getting Sprint data to work on a Nexus 5 phone running CyanogenMod 12 is "Don't bother." I never did get it working right, and had to reboot at least once a day to get it working. I've since reverted back to KitKat. Original post follows, but if you want my advice it's "Stick with CM11."


First, let's get one thing out of the way: if you're using a custom Android ROM on your phone (or any device that can receive text messages), you're going to want to make sure it's up-to-date. There's a vulnerability in an Android component called Stagefright that is potentially devastating; it allows an attacker to gain control by doing nothing more than send a text message, and there are now attacks in the wild.

If you've got the stock firmware on your phone, and your phone is relatively recent, you should get the patch to fix this vulnerability automatically. (If, for example, your phone is running Lollipop, either because it came with it or automatically updated to it, you're probably good.)

But if you're running a custom ROM and don't have automatic updates enabled, you're going to want to check on whether you're running a current version that includes the Stagefright fix.

I'm a CyanogenMod user. If you're using the latest version of CyanogenMod 11.0, 12.0, or 12.1, then you've got the Stagefright fix.

I recently took the opportunity to upgrade my phone to the latest 11.x series to get the fix. And I figured while I was at it, why not upgrade to 12.1 and see if it's any good?

So I installed CyanogenMod 12.1, and everything looked like it was working fine at first -- when I was using it in my own house, on my wifi network. It wasn't until a day or two later that I realized my Sprint data connection wasn't working.

It took rather more searching than it should have, but it turns out there's an easy solution (albeit an annoying one if you've already got your phone set up the way you want it, because it involves wiping it to factory again).

mjs2011 at XDA Developers links to a sprint.zip file assembled by somebody named Motcher41, and gives these instructions for use:

The fix should be flashed during initial installation, so:

  1. Flash ROM
  2. Gapps
  3. SU (if necessary)
  4. Sprint APN Fix zip

I can confirm that you don't need to worry about setting up root before sprint.zip; it's fine if you do it afterward (my recovery, for example, sets up su right before reboot). However, I can confirm that you need to install sprint.zip after Gapps and before your first boot; if you install it before Gapps or after your first boot then it won't work.

Update 2015-09-30: After a few days my data connection quit working again. I rebooted to recovery, reinstalled sprint.zip, and it started working again. So never mind about not working if you install it after you've already booted the ROM; it will still work just as well. Unfortunately, "just as well" appears to mean "just for a few days"; I'm not sure what happened that changed my settings to make it stop working, but if I figure it out I'll update this post again.

You may notice that the linked thread is old (it's from November 2013) and was written in reference to pre-11.0 versions of CyanogenMod. However, I can confirm that it applies to the 12.x series too. This issue appears to be a regression; CM fixed it in version 11 but then broke it again in version 12.

So if you're a Sprint customer and you just installed CyanogenMod 12 on your phone and then discovered Sprint data was no longer working, this is what you're gonna wanna do to fix it.

Password Restrictions are Stupid

There are few things more infuriating than submitting a randomly-generated password and seeing it rejected based on some stupid asshole's stupid asshole idea of what constitutes a strong password.

Yesterday I encountered a site that rejected K"Nb\:uO`) as weak but accepted P@55w0rd as strong.

And my first day at my current job, we had to take mandatory security tutorials that, among other helpful hints, suggested that we satisfy the requirement for a capital letter and a symbol by putting the capital letter at the beginning of the password and an exclamation point at the end. Which, for those of you who are as bad at basic arithmetic as whatever moron put that suggestion in a security tutorial, defeats the entire purpose of requiring a capital letter and a symbol.

Which is, of course, why requiring capital letters and symbols in the first place is stupid, because "make the first letter a capital and put an exclamation point at the end" is what pretty much everybody does to satisfy that requirement anyway, even without official company-sanctioned security tutorials assuring them that this is okay and totally better than just having an all-lowercase password because math class is tough.

The Real Questions

I was going to write a post about Edward Snowden.

But then I realized: that's bullshit.

Because this isn't about Edward Snowden.

I just read a great piece by Matt Taibbi titled As Bradley Manning Trial Begins, Press Predictably Misses the Point. He argues, persuasively, that focusing on Manning is what the government wants. It wants the story to be about a person instead of about the information he disclosed.

The NSA story isn't about Snowden, any more than the military leaks are about Manning or Assange. "Hero or traitor?" is a bullshit question.

There are real questions we should be asking. Here are a few courtesy of Bruce Schneier:

We need details on the full extent of the FBI's spying capabilities. We don't know what information it routinely collects on American citizens, what extra information it collects on those on various watch lists, and what legal justifications it invokes for its actions. We don't know its plans for future data collection. We don't know what scandals and illegal actions -- either past or present -- are currently being covered up.

We also need information about what data the NSA gathers, either domestically or internationally. We don't know how much it collects surreptitiously, and how much it relies on arrangements with various companies. We don't know how much it uses password cracking to get at encrypted data, and how much it exploits existing system vulnerabilities. We don't know whether it deliberately inserts backdoors into systems it wants to monitor, either with or without the permission of the communications-system vendors.

And we need details about the sorts of analysis the organizations perform. We don't know what they quickly cull at the point of collection, and what they store for later analysis -- and how long they store it. We don't know what sort of database profiling they do, how extensive their CCTV and surveillance-drone analysis is, how much they perform behavioral analysis, or how extensively they trace friends of people on their watch lists.

All that said: I can't resist linking the petition for Obama to debate Snowden. Obviously it's not going to happen, but if it gets 100,000 signatures, the White House will have to issue an official response.

And presumably up the signature requirement for an official response to 150,000 for next time.

This Week on "Nobody Involved with Bones Gives a Fuck Whether Computers Behave in a Remotely Rational or Coherent Fashion"...

...somebody gets an E-Mail -- "probably spam" -- and it allows Angela to decrypt every encrypted E-Mail she's ever gotten.

This somehow manages to be the stupidest thing in an episode about a mutant virus injected into a blogger with a microneedle that, still attached to her skeleton, then manages to jab one of the interns and infect him too.

Well maybe next week's episode will be less stupid.

...wait. Season finale? Fuck. That means another Pelant episode.

Well, maybe they'll finally just fucking shoot him and next season's premiere will be less stupid.

Skyfallin'

The theme of Skyfall is the conflict between the old and the new. You can tell because every third line of dialogue reminds you of this.

I think the trouble is that the writers and director don't seem quite clear on what that premise actually means.

Spoilers follow.

Does Silver represent the new, because he is a computer hacker and a new kind of enemy? Or does he represent the old, because he's a Cold War-era agent who's gone rogue for reasons that are entirely tied to the way M has run MI6?

There's also the question of the contrast between the original Bond films and the Craig-era ones. This movie makes a big point of bringing back the trappings of the original films -- Moneypenny, Q, a 1960 Aston Marton with machine guns -- but it also makes a big point of how the original movies felt a lot more high-tech and futuristic than the current ones. (The gadgets Q gives Bond are "A radio and a gun -- not exactly Christmas, is it?") So which is the old and which is the new? And that's before you even get into the point that Craig's Bond, and Casino Royale as a whole, are throwbacks to Fleming's novels, the oldest version of Bond there is.

There's another conflict between the old and the not-quite-so-old: the last two Bond films seemed intent on introducing Quantum as the new, non-infringing version of SPECTRE, a shadowy organization that would pose a recurring threat through the rebooted franchise. And then, in Skyfall? No trace of Quantum at all. We're back to isolated, one-off villains -- perhaps because someone at the recovering-from-bankruptcy MGM realized that self-contained movies without recurring villains just make more sense for the film franchise. (Hell, even when the old films were using Blofeld as their go-to villain, they still had a different actor in the role every time; it may as well have been a different character.)

On the whole, though, it all hung together pretty well; I thoroughly enjoyed the first and third act. (The second act was stupid and had Magic Computers. I don't know where the writer picked up the phrase "security through obscurity", but apparently he missed the part where it is not an expression any security professional would ever use without sneering. The less said about the movie's idea of data encryption and depiction of code as a stupid-looking early-1990's wireframe screensaver the better.) But nonetheless, perfectly decent. Though I'm kinda glad I waited to see it at the cheap theater.

Buggy Messes

I had some harsh words yesterday for the EaseUS software for Mac. Mainly, it constantly locked up and didn't do much of anything.

I'm not quite ready to let EaseUS off the hook just yet, but I'm seeing that same behavior in a lot of programs now. At this point I'm pretty confident that, in setting my Mac up to run like a Hackintosh, I have wound up with a system that has all the stability and reliability of a Hackintosh.

Regrettably, I'm having much the same problem with MIUI, which I installed on my phone the other day (as something to do while I waited for diags to run on my Windows 8 drive). It's slow and it crashes like a motherfucker. I really think the monthly release cycle is a pretty poor idea; what we've got is bleeding-edge code (in this case Jelly Bean running on a phone that was never meant to support it) instead of stable code.

Which is a pity because there's really a lot to love about MIUI. For starters, it's the most paranoid OS I've ever seen -- its security settings are granular as hell; it doesn't just tell you what data your program is going to have access to at install time, it defaults to warning you at access time, too -- and giving you the opportunity to refuse.

Trust the Chinese to be thorough about who's listening in on them.

It also comes with a lot of mostly-pretty-useful programs out of the box.

Except that weather program. The one that thinks I live in some place called Temperanceville (and that's not autocomplete on me typing in "Tempe", that's the location it automatically set itself to), consistently tells me I have no network connection even though I have a network connection, and can't be uninstalled. I don't like that one very much.

So I don't think I'll be sticking with MIUI. I guess the question is whether I should just restore CyanogenMod 7 from backup, or try some other ROM.

Decisions, decisions...

LeakedOut

So apparently LinkedIn didn't salt any of its users' passwords before hashing.

Man, if only they'd had some way of finding people who understood basic fucking network security and were looking for work.