Tag Archives: geek

Anything IT related (which is most things I say) :-)

MONA, Hobart

I was down in Hobart a couple weeks ago for PyCon AU 2013, a Python programming conference organised by a friend of mine. Whilst I don’t do that much in Python currently, it was just a good excuse to go hang out with a bunch of interesting people and friends for a couple days and to get out of Sydney for a bit.

I’ve been to Hobart before, it’s a nice place for a visit, with a very NZ-like climate and fauna and an interesting mix of small town with a blend of great coffee, bars and distilleries mixed in.

mmm, cool fresh air - just like back home!

mmm, cool fresh air – just like back home!

Soaking up some fresh air and sun before retreating into a dark room with my laptop for the rest of the day.

Soaking up some fresh air and sun before retreating into a dark room with my laptop for the rest of the day.

This Hobart pub has a better beer selection than most of the places near my home and work in Sydney's CBD.

This Hobart pub has a better beer selection than most of the places near my home and work in Sydney’s CBD – it’s like being back in New Zealand again!

One of my other big motivators was to go and visit MONA, the Museum of Old and New Art, a massive underground museum created by an eccentric wealthy Tasmanian who has built an amazing collection of contemporary art.

It’s an absolutely stunning collection, worthy enough of making a weekend visit to Hobart purely to check it out. Sadly I only had a couple hours allocated to explore it, but I could have possibly spent a whole day there – particularly with them having a bar in the museum!

I am the data lord!

I am the data lord!

Is that the source up there?

Is that the source up there?

Where old art and new art meets.

Where old art and new art meets.

It’s easy to get out there with a short ferry trip from the town, so sit back with a craft beer or go and admire all the street art around the boat whilst it whisks you past Hobart.

Art! And not just me, the stuff on the wall!

Art! And not just me, the stuff on the wall!

Upon arrival, iPod-based guides are handed out, which were actually much more useful than the traditional approach of having everyone crowding around a small plaque on the wall, as it allowed you to select and read in your own space and time.

One of the nice things about MONA is how they manage to not take themselves too seriously, with easter eggs and other playful pokes at themselves around the place.

Love it!

Love it!

I thoroughly enjoyed my trip to MONA and certainly recommend it as a must-see if you visit Hobart and a worthy contender to be a reason for making a trip to MONA solely for it in particular.

Git & GitHub Enabled

GitHub Goodness

GitHub Goodness

I’ve been developing software for a little while now and have build up a few repositories for my applications, with all my open source ones being available publicly. Sometimes people find some of my applications useful and I get thanks, patches or PHP hate mail. :-)

For a long time I’ve been using SVN for storing my code, along with Indefero as my project tracker at projects.jethrocarr.com. It’s a good combination, very similar to Google Code in many respects and generally a lightweight application with a good core feature set.

The only issue has been that with the explosion in popularity of Git and the socalisation of coding with sites such as GitHub, users have gotten tired of the “diff and email patch” approach when submitting contributions and want to take advantage of shiner features such as pull requests which make contributes much easier, as well as more recognisable to others.

Whilst I’m keen to do as much as possible to make it easier to get commits and users, switching to any one particular hosted provider is of concern to me – whilst they may be popular now, will they still be as popular in 10 years time? (Remember SourceForge anyone?).

The solution is that undergoing the pain to migrate existing repositories from SVN to Git (a lot more messing around than you might think) opens up the ability to pull and push to multiple repositories, which means that I now have all my open source projects on GitHub and in addition have my own hosted Indefero server which has a full copy of all my code.
This allows me to engage with users on GitHub, whilst still maintaining control of my own issue tracker and full copies of my repositories and data. It also avoids users from setting up their own GitHub repositories of my projects and having them confused as official ones – with my own in place, it’s a starting place for forks to occur from.
I’m going to trial this for a few months – if it all works well, I’m going to take a look at adding in easy support to Indefero to create and push/pull from a GitHub repository automatically as part of creating a new project. And if needed I could add additional Git providers to mirror to as well (eg BitBucket) should other popular hives of activity appear.

Attack vectors for personal computers

The sad thing is, I ran out of space to keep adding arrows.

Click image to enlarge

I’ve put together a (very) simplified overview of various attack vectors for an end user’s personal computer. For a determined attacker with the right resources, all of the above is potentially possible, although whether an attacker would go to this much effort, would depend on the value of the data you have vs the cost of obtaining it.

By far the biggest risk is you, the end user – strong, unique passwords and following practices such as disk encryption and not installing software from questionable vendors is the biggest protection from a malicious attacker and will protect against most of the common attacks including physical theft and remote attacks via the internet.

Where is gets nasty is when you’re up against a more determined attacker who can get hardware access to install keyloggers, can force a software vendor to push a backdoored software patch to your system via an update channel (ever wondered what the US government could make Microsoft distribute via Windows Update for them?), or has the knowledge on how to pull of an advanced attack such as putting your entire OS inside a hypervisor by attacking UEFI itself.

Of course never forget the biggest weakness – beating a user with a wrench until they give up their password is a lot cheaper than developing a sophisticated exploit if someone just wants access to some existing data.

Why SSL is really ISL

Secure transmission of data online is extremely important to avoid attackers intercepting data or claiming to be a site that they are not. To provide this, a technology called SSL/TLS (and commonly seen in the form of https://) was developed to provide security between an end user and a remote system to guarantee no interception or manipulation of data can occur during communications.

SSL is widely used for a huge number of websites ranging from banks, companies, and even this blog, as well as other protocols such as IMAP/SMTP (for Email) and SSH (for remote server shell logins).

As a technology, we generally believe that the cryptography behind SSL is not currently breakable (excluding attacks against some weaker parts of older versions) and that there’s no way of intercepting traffic by breaking the cryptography. (assuming that no organisation has broken it and is staying silent on that fact for now).

However this doesn’t protect users against an attack by the attacker going around SSL and attacking at other weak points outside the cryptography, such as the validation of certificate identity or by avoiding SSL and faking connections for users which is a lot easier than having to break strong cryptography.

 

Beating security measures by avoiding them entirely

It’s generally much easier to beat SSL by simply avoiding it entirely. A technology aware user will always check for the https:// URL and for the lock symbol in their browser, however even us geeks sometimes forget to check when in a hurry.

By intercepting a user’s connection, an attacker can communicate with the secure https:// website, but then replay it to the user in an unencrypted form. This works perfectly and unless the user explicitly checks for the https:// and lock symbol, they’ll never notice the difference.

Someone is going to be eating a lot of instant noodles for the next few years...

If you see this, you’re so, so, fucked. :-(

Anyone on the path of your connection could use this attack, from the person running your company network, a flatmate on your home LAN with a hacked router or any telecommunications company that your traffic passes through.

However it’s not particularly sophisticated attack and a smart user can detect when it’s taking place and be alerted due to a malicious network operator trying to attach them.

 

“Trusted” CAs

Whilst SSL is vendor independent, by itself SSL only provides security of transmission between yourself and a remote system, but it doesn’t provide any validation or guarantee of identity.

In order to verify whom we are actually talking to, we rely on certificate authorities – these are companies which for a fee validate the identify of a user and sign an SSL certificate with their CA. Once signed, as long as your browser trusts the CA, your certificate will be accepted without warning.

Your computer and web browsers have an inbuilt list of hundreds of CAs around the world which you trust to be reliable validators of security – as long as none of these CAs sign a certificate that they shouldn’t, your system remains secure. If any one of these CAs gets broken into or ordered by a government to sign a certificate, then an attacker could fake any certificate they want to and intercept your traffic without you ever knowing.

I sure hope all these companies have the same strong validation processes and morals that I'd have when validating certificates.

I sure hope all these companies have the same strong validation processes and morals that I’d have when validating certificates…

You don’t even need to be a government to exploit this – if you can get access to the end user device that’s being used, you can attack it.

A system administrator in a company could easily install a custom CA into all the desktop computers in the company By doing this, that admin could then generate certificates faking any website they want, with the end user’s computer accepting the certificate without complaint.

The user can check for the lock icon in their browser and feel assured of security, all whilst having their data intercepted in the background by a malicious admin. This is possible due to the admin-level access to the computer, but what about external companies that don’t have access to your computer, such as Internet Service Providers (ISPs) or an organisation like government agencies*? (* assuming they don’t have a backdoor into your computer already).

An ISP’s attack options are limited since they can’t fake a signed certificate without help from a CA. There’s also no incentive to do so, stealing customer data will ensure you don’t remain in business for a particularly long time. However an ISP could be forced to do so by a government legal order and is a prime place for the installation of interception equipment.

A government agency could use their own CA to sign fake certificates for a target they wish to intercept, or force a CA in their jurisdiction to sign a certificate for them with their valid trusted CA if they didn’t want to give anything away by signing certificates under their organisation name. (“https://wikileaks.org signed by US Government” doesn’t look particularly legit to a cautious visitor, but would “https://wikileaks.org signed by Verisign” raise your suspicions?)

If you’re doubting this is possible, keep in mind that your iOS or Android devices already trust several government CAs, and even browsers like Firefox include multiple government CAs.

http://support.apple.com/kb/ht5012

http://support.apple.com/kb/ht5012

Even the open source kids are pwned

It’s getting even easier for a government to intercept if desired –  more and more countries are legislating lawful interception requirements into ISP legalisation, requiring ISPs to intercept a customer’s traffic and provide it to a government authority upon request.

This could easily include an ISP being legally required to route traffic for a particular user(s) through a sealed devices provided by the government which could be performing any manner of attacks, including serving up intercepted SSL certs to users.

 

So I’m fucked, what do I do now?

Having established that by default, your SSL “secured” browser is probably prime for exploit, what is the fix?

Fortunately the trick of redirecting users to unsecured content is getting harder with browsers using methods such as Extended Validation certs to make the security more obvious – but unless you actually check that the site you’re about to login to is secure, all these improvements are meaningless.

Some extensions such as HTTPS Everywhere have limited whitelists of sites that it knows should always be SSL secured, but it’s not a complete list and can’t be relied on 100%. Generally the only true fix for this issue, is user education.

The CA issue is much more complex – one can’t browse the web without certificate authorities being trusted by your browser so you can’t just disable them. There are a couple approaches you could consider and it really depends whether or not you are concerned about company interception or government interception.

If you’re worried about company interception by your employer, the only true safe guard is not using your work computer for anything other than work. I don’t do anything on my work computer other than my job, I have a personal laptop for any of my stuff and in addition to preventing a malicious sysadmin from installing a CA, by using a personal machine also gives me legal protections against an employer reading my personal data on the grounds of it being on a company owned device.

If you’re worried about government interception, the level you go to protect against it depends whether you’re worried about interception in general, or whether you must ensure security to some particular site/system at all cost.

A best-efforts approach would be to use a browser plugin such as Certificate Patrol, which alerts when a certificate on a site you have visited has changed – sometimes it can be legitimate, such as the old one expiring and a new one being registered, or it could be malicious interception taking place. It would give some warning of wide spread interception, but it’s not an infallible approach.

A more robust approach would be to have two different profiles of your browser installed. The first for general web browsing and includes all the standard CAs. The second would be a locked down one for sites where you must have 100% secure transmission.

In the second browser profile, disable ALL the certificate authorities and then install the CAs or the certificates themselves for the servers you trust. Any other certificates, including those signed by normally trusted CAs would be marked as untrusted.

In my case I have my own CA cert for all my servers, so can import this CA into an alternative browser profile and can safely verify that I’m truly taking to my servers directly, as no other CA or cert will ever be accepted.

 

I’m a smart user and did all this, am I safe now?

Great stuff, you’re now somewhat safer, but a determined attacker still has several other approaches they could take to exploit you, by going around SSL:

  1. Malicious software – a hacked version of your browser could fake anything it wants, including accepting an attackers certificate but reporting it as the usual trusted one.
  2. A backdoored operating system allows an attacker to install any software desired. For example, the US Government could legally force Apple, Google or Microsoft to distribute some backdoor malware via their automatic upgrade systems.
  3. Keyboard & screen logging software stealing the output and sending it to the attacker.
  4. Some applications/frameworks are just poorly coded and accept any SSL certificate, regardless of whether or not it’s valid, these applications are prime to exploit.
  5. The remote site could be attacked, so even though your communications to it are secured, someone else could be intercepting the data on the server end.
  6. Many, many more.

 

The best security is awareness of the risks

There’s never going to be a way to secure your system 100%  – but by understanding some of the attack vectors, you can decide what is a risk to you and make the decision about what you do and don’t need to secure against.

You might not care about any of your regular browsing being intercepted by a government agency, in that case, keep browsing happily.

You might be worried about this since you’re in the region of an oppressive regime, or are whistle-blowing government secrets, in which case you may wish to take steps to ensure your SSL connections aren’t being tampered with.

And maybe you decided that you’re totally screwed and resort to communicating by meeting your friends in person in a Faraday cage in the middle of nowhere. It all comes down to the balance of risk and usability you wish to have.

PRISM Break

The EFF has put together a handy website for anyone looking to replace some of their current proprietary/cloud controlled systems with their own components.

You can check our their guide at: http://prism-break.org/

Generally it’s pretty good, although I have concerns around a couple of their recommendations:

  • DuckDuckGo is a hosted proprietary service, so whilst they claim to not track or record searches, it’s entirely possible that they could be legally forced to do so for a particular user/IP address and have a gag order on that. Having said this, it sounds like they’re the type of company that would push back against such requests as much as possible.
  • Moving from Gmail to something like Riseup is just replacing one centralised provider with another, it doesn’t add any additional protection against PRISIM.

As always, the only truly secure (excluding security bugs etc) is one you control entirely. If a leak of your data must be avoided at all costs, you need to be running a server.

python-twitter 1.0 for API 1.1

With Twitter turning of the older API 1.0 today in favour of API 1.1, developers of bots and applications that used the older API need to either upgrade their apps, or they’re die a sad and lonely death.

I have a couple bots written using python-twitter module which broke – thankfully it’s just an easy case of updating the module to version 1.0 (an unfortunate version they should have made it version 1.1 to match Twitter). ;-)

If you’re using RHEL/CentOS/etc, EPEL includes a python-twitter package, but it’s way out of date. Instead, I have RPMs of version 1.0 available for EL5/6 in my repositories. You will want to enable both EPEL and the “amberdms-os” repository before you can install the RPM – EPEL includes a number of Python dependencies I don’t ship myself.

SMStoXMPP

Having moved to AU means that I now have two cell phones – one with my AU SIM card and another with my NZ SIM card which I keep around in order to receive the odd message from friends/contacts back home and far too many calls from telemarketers.

I didn’t want to have to carry around a second mobile and the cost of having a phone on roaming in AU makes it undesirably expensive to keep in touch with anyone via SMS messaging, so went looking for a solution that would let me get my SMS messages from my phone to my laptop and phone in a more accessible form.

I considered purchasing an SMS gateway device, but they tend to be quite expensive and I’d still have to get some system in place for getting messages from the device to me in an accessible form.

Instead I realised that I could use one of the many older Android cellphones that I have lying around as a gateway device with the right software. The ability to run software makes them completely flexible and with WiFi and 3G data options, it would be entirely possible to leave one in NZ and take advantage of the cheaper connectivity costs to send SMS back to people from within the country.

I was able to use an off-the-shelf application “SMS Gateway” to turn the phone into an SMS gateway, with the option of sending/receiving SMS messages via HTTP or SMTP/POP3.

However emails aren’t the best way to send and reply to SMS messages, particularly if your mail client decides to dump in a whole bunch of MIME data. I decided on a more refined approach and ended up writing a program called “SMStoXMPP“.

Like the name suggestions, SMStoXMPP is lightweight PHP-based SMS to XMPP (Jabber) bi-directional gateway application which receives messages from an SMS gateway device/application and relays them to the target user via XMPP instant messages. The user can then reply via XMPP and have the message delivered via the gateway to the original user.

For me this solves a major issue and means I can leave my NZ cell phone at my flat or even potentially back in NZ and get SMS on my laptop or phone via XMPP no matter where I am or what SIM card I’m on.

smstoxmpp_layout

To make conversations even easier, SMStoXMP does lookups of the phone numbers against any CardDAV address book (such as Google Contacts) and displays your chosen name for the contact. It even provides search functions to make it even easier to find someone to chat to.

Chatting with various contacts via SMStoXMPP with Pidgin as a client.

Chatting with various contacts via SMStoXMPP with Pidgin as a client.

I’ve released version 1.0.0 today, along with documentation for installing, configuring gateways and documentation on how to write your own gateways if you wish to add support for other applications.

Generally it’s pretty stable and works well – there are a few enhancements I want to make to the code and a few bits that are a bit messy, but the major requirements of not leaking memory and being reliably able to send and receive messages have been met. :-)

Whilst I’ve only written support for the one Android phone base gateway, I’m working on getting a USB GSM modem to work which would also be a good solution for anyone with a home server.

It would also be trivial to write in support for one of the many online HTTP SMS gateways that exist if you wanted a way to send messages to people and didn’t care about using your existing phone number.

 

Don’t abandon XMPP, your loyal communications friend

Whilst email has always enjoyed a very decentralised approach where users can be expected to be on all manner of different systems and providers, Instant Messaging has not generally enjoyed the same level of success and freedom.

Historically many of my friends used proprietary networks such as MSN Messenger, Yahoo Messenger and Skype. These networks were never particularly good IM networks, rather what made those networks popular at the time was the massive size of their user bases forcing more and more people to join in order to chat with their friends.

This quickly lead to a situation where users would have several different chat clients installed, each with their own unique user interfaces and functionalities in order to communicate with one another.

Being an open standards and open source fan, this has never sat comfortably with me – thankfully in the last 5-10yrs, a new open standard called XMPP (also known as Jabber) has risen up and had wide spread adoption.

500px-XMPP_logo.svg

XMPP brought the same federated decentralised nature that we are used to in email to instant messaging, making it possible for users on different networks to communicate, including users running their own private servers.

Just like with email, discovery of servers is done entirely via DNS and there is no one centralised company, organisation or person with control over the system -each user’s server is able to run independently and talk directly to the destination user’s server.

With XMPP the need to run multiple different chat programs or connect to multiple providers was also eliminated.  For the first time I was able to chat using my own XMPP server (ejabberd) to friends using their own servers, as well as friends who just wanted something “easy” using hosted services like Google Talk which support(ed) XMPP, all from a single client.

Since Google added XMPP into Google Talk, it’s made the XMPP user base even larger thanks to the strong popularity of Gmail creating so many Google Talk users at the same time. With so many of my friends using it, is has been so easy to add them to my contacts and interact with them on their preferred platform, without violating my freedom and losing control over my server ecosystem.

Sadly this is going to change. Having gained enough critical mass, Google is now deciding to violate their “Don’t be evil” company moral and is moving to lock users into their own proprietary ecosystem, by replacing their well established Google Talk product with a new “Hangouts” product which drops XMPP support.

There’s a very good blog write up here on what Google has done and how it’s going to negatively impact users and how Google’s technical reasons are poor excuses, which I would encourage everyone to read.

The scariest issue is the fact that a user upgrading to Hangouts get silently disconnected from being able to communicate with their non-Google XMPP using friends. If you use Google Talk currently and upgrade to Hangouts, you WILL lose the ability to chat with XMPP users, who will just appear as offline and unreachable.

It’s sad that Google has taken this step and I hope long term that they decide as a company that turning away from free protocols was a mistake and make a step back in the right direction.

Meanwhile, there are a few key bits to be aware of:

  1. My recommendation currently is do not upgrade to Hangouts under any circumstance – you may be surprised to find who drops off your chat list, particularly if you have a geeky set of friends on their own domains and servers.
  2. Whilst you can hang onto Google Talk for now, I suspect long term Google will force everyone onto Hangouts. I recommend considering new options long term for when that occurs.
  3. It’s really easy to get started with setting up an XMPP server. Take a look at the powerful ejabberd or something more lightweight like Prosody. Or you could use a free hosted service such as jabber.org for a free XMPP account hosted by a third party.
  4. You can use a range of IM clients for XMPP accounts, consider looking at Pidgin (GNU/Linux & Windows), Adium (MacOS) and Xabber (Android/Linux).
  5. If you don’t already, it’s a very good idea to have your email and IM behind your own domain like “jethrocarr.com”. You can point it at a provider like Google, or your own server and it gives you full control over your online identity for as long as you wish to have it.

I won’t be going down the path of using Hangouts, so if you upgrade, sorry but I won’t chat to you. Please get an XMPP account from one of the many providers online, or set up your own server, something that is generally a worth while exercise and learning experience.

If someone brings out a reliable gateway for XMPP to Hangouts, I may install it, but there’s no guarantee that this will be possible – people have been hoping for a gateway for Skype for years without much luck, so it’s not a safe assumption to have.

Be wary of some providers (Facebook and Outlook.com) which claim XMPP support, but really only support XMPP to chat to *their* users and lack XMPP federation with external servers and networks, which defeats the whole point of a decentralised open network.

If you have an XMPP account and wish to chat with me, add me using my contact details here. Note that I tend to only accept XMPP connections from people I know – if you’re unknown to me but want to get in touch, email is best at first.

Firefox Mobile for Android CAs

I’ve been using Firefox Mobile on Android for a while (thanks to the fact that it means I can use Firefox Sync between my laptop and mobile to share data). Overall it’s pretty good and the last few releases have fixed up a lot of the past stability issues and UI problems, it’s in a pretty decent state now.

One of the unfortunate problems I’ve had with it until recently is that the application was refusing to import custom certificate authorities. Whilst Android has it’s own CA store, add on browsers (inc Firefox Mobile) can have their own CA stores and the manageability of these can vary a lot.

In the case of Firefox Mobile, the ability to manage certificates was not ported across from the desktop version, meaning that none of my web applications would validate against my custom CA.

However as a passable solution, it’s now possible to import the CA file by downloading a PEM version of the CA certificate in the browser. Just upload a copy of the PEM formatted certificate to a webserver and download the file with the browser to install.

Installing CAs into Firefox Mobile (PEM formatted file).

Installing CAs into Firefox Mobile (PEM formatted file).

Now the biggest problem left is sites and applications that have poorly written user agent detection and assume that the only mobile devices that possibly exist are devices that have the iPhone or stock Android user agent. :-( *glares at Atlassian in particular*

Android VNC

Recently I’ve been using a few of my older Android smartphones for various projects where I’ll need to have the phones in a remote location or having the phones in a non-easily accessible location.

A conventional Linux system would be remote managed via SSH, but I need access to the graphical environment of the Android phones to run standard GUI touch applications. Generally I avoid VNC due to the fact it’s an unencrypted, insecure protocol, but in my case I was able to resolve the security concerns by tunnelling all my connections via a SSL VPN, which made VNC acceptable.

A few friends have asked me about VNC solutions for Android – in my case, I’ve been using a program helpfully named “VNC server” (click here for app store) on a mix of devices including older Android 2.2 devices running Cyanogenmod.

The power is mine!

Generally it works well, but there are a few limitations with the application to be aware of:

  1. The application requires the phone to be rooted.
  2. It doesn’t always reliably resume following a reboot of the phone.
  3. Android can end up terminating the application due to low memory available, particularly on the older phones. This isn’t a fault with the application specifically, but rather an architecture and design limitation of Android. If it happens, there’s not much you can do about it.

Once the application is installed and configured, it’s easily accessed using any regular VNC application from your computer. The main commands are:

  • Touch – Left Click
  • Back Button – Right-click
  • Home Button – Home key
  • Instant Lock Screen – End key

Note that there is one confusing quirk – when the phone screen locks, VNC displays the last thing that was on the screen. This can be confusing when you login and the phone doesn’t respond to any actions.

Unfortunately lock screen status is not correctly reflected...

Something isn’t quite right here….

The fix is to press the home key which makes the lock screen display and then to swipe in the usual manner by clicking and dragging the mouse. Sometimes the lock screen can take a while to render on VNC, so I tend to end up pressing home and then dragging before it even renders the lock screen.

You will also want to disable screen rotation, otherwise if you leave the phone in a rotated state inadvertently, it makes for a very annoying user experience.

Control all the phones!

Control all the phones!

So far I’ve found it pretty useful, but because of the way the Android OS handles memory, I would hesitate before relying on it 100% – there’s always the risk that my phone may have another process wanting to consume memory and it then suspending the VNC process to allocate more. I suspect there are some tweaks/hacks I could apply to the platform to make it more robust and there may be some stuff already in the app store that will help.

Having said all this, it’s worth nothing that cheap cost and high feature set of Android phones makes them an idea hacking platform and I’m using them for a few projects already such as cheap GSM SMS gateways, as well as considering using the older phones as wireless IP cameras.