Welcome!

Hello! I'm Defron and this is my blog.

Thursday, January 31, 2013

Prettify.js Perfection and Decade-Old Bugs

I'm a bit of a perfectionist, as many people who know me will tell you, so naturally I wanted to get prettify.js working exactly the way I want it to. It ended up being a bit more work than I predicted, but a lot of fun.

I already documented my experience getting overflow working properly in Opera; here is the full rundown of my prettify.js implementation.

Adding it to Blogger is simple: just a few lines inserted in the template header. Note that these tags fetch third-party script over plain http, so anyone on the network path between a reader and googlecode.com could alter what runs on the page; prefer https wherever the host offers it:
<link href='http://google-code-prettify.googlecode.com/svn/trunk/src/prettify.css' rel='stylesheet' type='text/css'/>
<script language='javascript' src='http://google-code-prettify.googlecode.com/svn/trunk/src/prettify.js' type='text/javascript'/>
<script language='javascript' src='http://google-code-prettify.googlecode.com/svn/trunk/src/lang-css.js' type='text/javascript'/>
<script type='text/javascript'>
    document.addEventListener('DOMContentLoaded',function() {
        prettyPrint();
    });
</script>

I wanted alternating line colors, which is simple enough: just add the class linenums to the pre tag and prettify puts the code in an ordered list. Prettify by default only numbers every 5th line, which I wasn't thrilled about, so I customized it by overriding the prettify CSS on my blog. Blogger doesn't allow uploading a CSS file, so it's all inline in the header, which kinda sucks from a management perspective, but it could be worse. I also wanted to add a line between the numbers and the code to better separate them; that too was simple.

One thing that was a bit tricky was getting alternating line colors to play nice with my overflow. I did quite a bit of Googling before I found out the answer on StackOverflow. Apparently the problem has to do with ordered lists being block elements. Making them display:inline-block took care of it.

Below is my CSS for prettify:
#main-wrapper pre {
    overflow-wrap: normal;
    word-wrap: normal;
    overflow: auto;
    max-height: 800px;
}
ol.linenums {
    display:inline-block !important;
    margin-right: 0px;
}
ol.linenums li {
    border-left: 1px solid #a0e66a;
    padding-left: 5px;
    padding-right: 5px;
}
ol.linenums li.L0, ol.linenums li.L1, ol.linenums li.L2, ol.linenums li.L3, ol.linenums li.L5, ol.linenums li.L6, ol.linenums li.L7, ol.linenums li.L8 {
    list-style-type: decimal;
}
Finally I wanted to add an option for people to remove the line numbers via a toggle if they don't like them, which was a simple JavaScript implementation:
<script type='text/javascript'>
    //<![CDATA[
        // Toggle the line numbers on every prettified block. The list markers
        // are drawn in the ol's left padding (list-style-position: outside),
        // so with the padding removed they fall outside the scrolling pre and
        // are clipped; restoring the default 40px padding brings them back.
        function toggle_visibility() {
            'use strict';
            var list, count;
            list = document.querySelectorAll('ol.linenums');
            for (count = 0; count < list.length; count += 1) {
                if (list[count].style.paddingLeft === '0px') {
                    list[count].style.paddingLeft = '40px';
                } else {
                    list[count].style.paddingLeft = '0px';
                }
            }
        }
    //]]>
</script>
With that, I'm pretty happy. I try to always do vanilla javascript instead of using jQuery. Not that there is anything wrong with jQuery: I just prefer to have my code work with as few dependencies as possible. Just call the javascript function with a <a href="#" onclick="toggle_visibility();return false;">Toggle Line Numbers</a> and it's all done.

After that I went around just checking everything out. I copied the script from Firefox into Notepad and was dismayed to see that none of the white space copied over! Apparently there is a decade-old bug in Firefox where it won't copy whitespace in certain cases even when it is rendered in the browser. One such case appears to be ordered lists inside a pre tag. I didn't know that before, though it would explain why PasteBin doesn't do a simple pre tag around an ordered list (it's quite complicated; take a look at their page source some time). Opera handles it fine and always has for as long as I have used it. I decided to see how other browsers handled it. Chrome did fine with whitespace too; I had no problem copying my script perfectly in Chrome. Then I tried Internet Explorer... Oh man, it was bad. It pasted the entire thing as one giant line. You see, I'm using the pre tag to the fullest: I'm not bothering to declare line breaks in HTML, since pre tags honor them natively. Internet Explorer isn't just too stupid to copy whitespace in pre tags, it's too stupid to even copy newlines!

I found it quite entertaining and educating. I do hope that Firefox bug is fixed soon. I couldn't imagine using Firefox as my daily driver with that bug. IE? Talk about a nightmare. Anyone who stumbles upon this looking for an implementation of prettify.js on Blogger, I hope you found it helpful.

EDIT: As you may have noticed, I actually changed my mind after posting this. I'm now using a different theme for prettify.js: Tomorrow Night Eighties (adding "DejaVu Sans Mono", "Bitstream Vera Sans Mono" as fallback fonts for a more uniform cross-platform rendering). My reason for doing this? The whiteness of non linenums prettyprint is far too harsh. At the same time, I don't like how bad that bug about white-space copying in Firefox ended up being. I don't want to penalize Firefox users, so I found a theme that's not so harsh on the eyes (IMO). You should now be able to copy the code posted on here in Firefox with white-space intact. I'll leave the notes about the old way of doing things up here in case it is useful to anyone else.

Wednesday, January 30, 2013

Doing things the hard way and overflow-wrap

Last night I posted a script for GIMP. Naturally, I wanted syntax highlighting and no word wrapping, so I used the pre tag along with prettify. I posted it and was quite happy. Then I checked it in Opera and found the text had wrapped. I couldn't figure out why: I know pre should keep text from wrapping, and Opera doesn't wrap other pre tags. I thought I was going insane! I spent an hour looking into it but just couldn't figure it out. Everywhere else using overflow: auto, Opera would properly add a scroll bar and not wrap pres. I couldn't find anything in my CSS that would cause pre to wrap. Even explicitly telling it to treat the content as pre didn't help.

Finally I took a look at the computed style thanks to Opera Dragonfly. I really should have done this from the beginning; I don't know why I didn't. I found a CSS property I had never heard of before: overflow-wrap. It was set to break-word. I'm no web designer, so there's plenty of CSS I'm unfamiliar with. Naturally I Googled it and found it's the new name for the word-wrap property (word-wrap remains as an alias for legacy reasons). I still don't know where it came from; I'll look into that later today if I get the chance. In the end I spent about an hour looking for something that would have been much easier to find if I had gone about it the right way, and it was a simple fix: all I had to do was add overflow-wrap: normal; to my CSS and it all worked properly.

Why all this effort for Opera? Well, Opera is my browser of choice, so I naturally want my blog to work perfectly in it. I test my site in Opera and Firefox. I'll probably install Chrome to make sure it works fine in there too, but for now just Opera and Firefox. IE I don't bother with, but last night I took a look at it and it too was wrapping because of overflow-wrap. It makes me wonder why Firefox wasn't wrapping due to overflow-wrap. I wonder if Firefox is doing some things different with CSS3...

Anyway, in conclusion, it's amazing how simple something is when you look at what actually is being done and use logic :P Though I'm still having a bit of trouble getting alternating line colors to work with prettyprint when using scroll overflow.

Tuesday, January 29, 2013

GIMP Script: Save as PNG

At my office, we have a few really cool fundus cameras. Well, I think they're cool anyway. Before I got there, they used to use CF cards to transfer photos from the Nidek NM200D (our fundus cameras) to a computer. This was not without problems: sometimes files wouldn't save right, the cameras produced really huge uncompressed tiffs, so not much could be stored, and a few other problems. The NM200D is supposed to be capable of transferring files via USB. Unfortunately, the software designed for it was really bad and unfriendly -- I could never actually get it to work. The drivers seemed fine, though. They are standard TWAIN drivers (but it still called itself a camera...), so I went to find a good solution that would meet my budgetary requirements ($0). There were a few contenders, but I settled on GIMP because it was open source (which I do so love) and would allow the doctors to import photos in quick succession while naming each individually.

We started out with GIMP 2.6. As you may know, GIMP 2.8 changed the way it handles saving by only allowing you to save in the native xcf format. For all other formats you have to export. That's not something that would fly well with the doctors. It's made worse by the fact that exporting to an image file without saving leads to a "scary" warning about unsaved content. There was no real reason to upgrade anyway, so I stayed on 2.6 and worked on other things.

Fast forward to today. I'm in the planning stages of upgrading the computers the fundus machines are connected to, as it's finally time to finish the Windows 7 migration at the office. The cameras actually seem to work great with Windows 7; I was afraid they may not play so kindly with it (though it does have to be 32-bit Windows 7). They actually work better judging from testing so far, as with XP they would only work with USB 1.1 (or fake USB 1.1 by disabling the 2.0 drivers causing Windows to fallback on legacy 1.1 support), but with 7 they seem to work fine with native 2.0. Naturally with an upgrade I'll want to use the latest software like GIMP 2.8, so I looked for solutions to the export problem. I found this "Save as JPG" script. For fundus photos, though, I'd rather have it saved in lossless PNG. I'd also like basic overwrite protection to keep the doctors from accidentally overwriting other fundus photos. A little bit of reading on some GIMP and pygtk documentation (never written a plugin for GIMP or used pygtk), and I had what I wanted: provide basic options for saving as PNG and offer overwrite protection when saving newly created files. Below is the code:

PasteBin
#!/usr/bin/env python

# save_as_png.py
# Provides a simple menu option to save as PNG with
# basic save options and overwrite warning for newly created files.
# Tested in GIMP 2.8.2 on Windows 7 (64 and 32-bit)
# Contact: Kevin Thomer (Defron) | http://blog.defron.org/
# Provided free and as-is under GPL v2.
#
# Based off of:

# save_as_jpg.py
# version 1.0 [gimphelp.org]
# last modified/tested by Paul Sherman
# 12/20/2012 on GIMP-2.8
#
# ==== Original Information ====================================================
# Save or export the current image -- do the right thing whether it's
# XCF (save) or any other format (export). This will mark the image clean,
# so GIMP won't warn you when you exit.
# Warning: this does not show a lot of extra dialogs, etc. or warn you
# if you're about to overwrite something! Use with caution.

# Copyright 2012 by Akkana Peck, http://www.shallowsky.com/software/
# You may use and distribute this plug-in under the terms of the GPL v2
# or, at your option, any later GPL version.
# ========================================================

from gimpfu import *
import gtk
import os


def python_export_clean(img, drawable, interlace, background, compression):
    filename = img.filename
    # PF_TOGGLE values already arrive as ints; the casts are just a habit.
    bg = int(background)
    interlacing = int(interlace)

    if not filename:
        # A new, never-saved image: ask where to put it. The GTK dialog does
        # the overwrite confirmation (set_do_overwrite_confirmation below).
        chooser = gtk.FileChooserDialog(
            title=None, action=gtk.FILE_CHOOSER_ACTION_SAVE,
            buttons=(gtk.STOCK_CANCEL, gtk.RESPONSE_CANCEL,
                     gtk.STOCK_SAVE, gtk.RESPONSE_OK)
        )
        # save folder will be the user's desktop
        save_dir = os.path.join(os.path.expanduser('~'), 'Desktop')
        chooser.set_current_folder(save_dir)
        chooser.set_current_name("UNTITLED.png")
        chooser.set_do_overwrite_confirmation(True)

        png_filter = gtk.FileFilter()   # named so it doesn't shadow builtin filter()
        png_filter.set_name("Save as png")
        png_filter.add_pattern("*.png")
        chooser.add_filter(png_filter)

        response = chooser.run()
        filename = chooser.get_filename()
        chooser.destroy()               # destroy on cancel as well, or the dialog leaks
        if response != gtk.RESPONSE_OK:
            return
        img.filename = filename

        # file-png-save args: image, drawable, filename, raw-filename,
        # interlace, compression, bKGD, gAMA, oFFs, pHYs, tIME
        pdb.file_png_save(img, drawable, filename, filename,
                          interlacing, compression, bg, 0, 0, 1, 1)
        pdb.gimp_image_clean_all(img)

    else:
        # The image already has a name (e.g. the file imported via TWAIN):
        # save next to it with a .png extension. NOTE: this path replaces an
        # existing .png of the same name without asking.
        base = os.path.splitext(filename)[0]
        newname = base + ".png"

        # Paste the active drawable into a scratch image (inherited from
        # save_as_jpg.py), export, then delete the scratch image. Layers are
        # not merged or flattened.
        pdb.gimp_edit_copy(img.active_drawable)
        image2 = pdb.gimp_edit_paste_as_new()
        pdb.file_png_save(image2, drawable, newname, newname,
                          interlacing, compression, bg, 0, 0, 1, 1)
        pdb.gimp_image_delete(image2)
        pdb.gimp_image_clean_all(img)


register(
        "python_fu_save_as_png",
        "Save the image as a PNG file, set interlacing & saving bg color\n\nFor more options and a proper file overwrite protected dialog, \nuse the FILE > EXPORT menu item when saving as a PNG.\n\n",
        "",
        "Kevin Thomer (Defron)",
        "GPL",
        "2013",
        "Save as PNG",
        "*",
        [
            (PF_IMAGE, "image", "Input image", None),
            (PF_DRAWABLE, "drawable", "Input drawable", None),
            (PF_TOGGLE, "interlace", "Interlacing (Adam7)", 0),
            (PF_TOGGLE, "background", "Save background color", 1),
            (PF_SLIDER, "compression", "Set the PNG Compression Level", 9, (0, 9, 1))
        ],
        [],
        python_export_clean,
        menu = "<Image>/File/Save/"
)

main()

It only has basic options, but that actually works out better for the doctors (simpler). It also has one more added benefit: before, the doctors would occasionally accidentally save fundus images as GIMP xcf files; with the new method it'll always be PNG. A real win-win.

One thing to note: this will only export the current layer, it doesn't flatten the image or anything. It's not really a problem in my case since the images are imported one at a time and saved separately, so I didn't bother looking into merging or flattening.

Monday, January 28, 2013

OpenVPN Server on Windows

UPDATE: Every once in a while someone will reach out to me about this and ask if I have any plans to update it. I no longer use Windows as my primary OS (switched to Linux) and no longer use OpenVPN either. The guide below may have issues, especially on Windows 10, which I don't use.

OpenVPN is a wonderful VPN system, but it's not so simple to set up on Windows. When I first created this how-to, there wasn't a cohesive and precise instruction set on how to get an OpenVPN server working on Windows where Windows clients could have all traffic go through the VPN (the alternative, where only directed traffic goes through the VPN, is split tunneling). I prefer all my traffic going through the VPN when connected; it's less likely for information to leak out.

NOTES:
 1. Throughout this guide I will use two names over and over again: server and client1. Feel free to modify these, but be sure to modify them EVERYWHERE they are repeated. To help you out I bolded and italicized them everywhere you should change them (except in the config files, where they need to be changed as well).

 2. Everywhere you see quotation marks, it is to signify what you should type (the stuff inside the quotation marks). DO NOT TYPE THE QUOTATION MARKS UNLESS OTHERWISE SPECIFIED!

 3. I know this seems long, but it really isn't; I just broke everything down into steps as basic as I could and explain everything as thoroughly as I can. In the end it pays off: you have a secure multi-client VPN that definitely beats PPTP in terms of security and robustness.

 4. A relatively common practice with OpenVPN is to configure it to use TCP port 443, as this is the port normally associated with HTTPS, so even the most draconian of firewalls won't block it. I don't cover this; instead I cover OpenVPN using the default port of 1194 UDP. Changing it is simple: just edit the server and client configuration files to use proto tcp and port 443. Make sure to also change your forwarded port and firewall rules to match.

 5. This guide uses the 192.168.137.0/24 block for the OpenVPN network. This is the default for Internet Connection Sharing (a needed utility to get Internet through OpenVPN on Windows) on Windows 7, which is why I chose it (it should also be the default for Windows Vista, though I cannot test this). On Windows XP, ICS uses 192.168.0.0/24 by default, which isn't very useful for a VPN (it's a popular subnet and would lead to conflicts in various situations). If you wish to change the subnet for OpenVPN, you must change it in the config file for the server as well as for ICS. This can be done through a registry setting: in HKLM\System\CurrentControlSet\services\SharedAccess\Parameters you will need to change ScopeAddress and ScopeAddressBackup to the first IP address in the range you wish to use. I am not certain whether Windows XP can change it or not, but it's worth a shot. Here is a registry file of the 192.168.137.1 ICS configuration; change the network numbers and run it to change to a different subnet (or do it manually). You can also find it on PasteBin.

 6. You will also need to know your public IP address or set up a Dynamic DNS service. You can find your public IP by visiting http://www.whatismyip.com/ from your server. Better is to set up no-ip on your server and use their free dynamic DNS service (it'll keep working even if your home IP changes). The same applies to PPTP VPN servers and SSH servers. I will mention this again when we get to the client configuration file.

Pre-Install

This guide assumes two things: You've properly set up a static IP for the will-be server and you have configured any firewall on the will-be server correctly. I will do a quick run-down of how to do this on Windows Vista/7 with Windows Firewall (which are the same in this matter).


Windows Firewall setup:
  1. run wf.msc
  2. Click Inbound rules on the left panel, and on the right panel click "New Rule..."
  3. Select Port for the rule type and click next.
  4. Select UDP and enter in port 1194 and click next
  5. Select Allow the connection and click next
  6. Select which networks to allow the rule, to be safe, allow for all and click next
  7. Name the rule "openvpn in" (without quotes) and click finish.

Install Process

  1. Download OpenVPN onto the will-be OpenVPN server and run the installer (as administrator if you are using Windows Vista/7)
  2. When you get to the "Install Location" part of the setup, I highly recommend installing it to C:\OpenVPN rather than the default install path, especially on Vista/7, as this will save you headaches. Proceed to finish the install.
  3. Navigate to the installation folder (C:\OpenVPN if you followed my advice), then enter the config folder (C:\OpenVPN\config).
  4. Here, create a file server.ovpn. It should look like this:  http://pastebin.com/wU0MeHKL

    About the server.ovpn configuration file:

    You can modify the port number to any number you want, just remember what you set it to. The same goes for proto (short for protocol): you can change it to tcp, just remember you did so (udp will give you better performance, but may be blocked on some draconian networks).

    Line 5 is one that may need changing. First, you need to keep "server" as server (it's a configuration line dictating the VPN server IP range). Later on we'll enable Internet Connection Sharing and you may need to change 192.168.137.0 to match any IP address being forced on you by Internet Connection Sharing (for me this was 192.168.137.0/24 but it may be different for you) I'll remind you of this when we get to Server Configuration.

    You need to specify the DNS servers, I chose OpenDNS as it makes it easy to test if the tunnel is being used without running something like Wireshark (which is nice), but any DNS server will do.
  5. Open up the command line (As administrator on Vista/7)
  6. type "cd C:\OpenVPN\easy-rsa" (without quotes, everywhere you see quotes from now on, it's to signify what you should type) and hit enter
  7. type "init-config" and hit enter
  8. navigate to C:\OpenVPN\easy-rsa in explorer if you haven't already. find the vars.bat file, right-click it and edit it
  9. Edits to make to vars.bat:

    Mandatory: change HOME path from "%programfiles%\OpenVPN\easy-rsa" to "C:\OpenVPN\easy-rsa" (if you don't do this you will get an error complaining about unable to write random state)

    You also need to fill (found near the bottom of the file):

    set KEY_COUNTRY=
    set KEY_PROVINCE=
    set KEY_CITY=
    set KEY_ORG=
    set KEY_EMAIL=

    Technically, any value will do, including the default ones, but I suggest filling them in with your information

    You also need to set KEY_NAME and KEY_OU . I usually set name to my name and OU to VPNers just because it's simple.

    -------- DO NOT CHANGE KEY_CN, IT NEEDS TO BE CONFIGURED ON A PER-RUN BASIS ----------
  10. Save vars.bat and return to the command line (reopen it as administrator and navigate back to C:\OpenVPN\easy-rsa if you closed it)
  11. type "vars" and hit enter
  12. type "clean-all" and hit enter (it's normal for this to kick up an error, it just means the folder "keys" didn't exist before it was run)
  13. type "build-ca" and hit enter. This will start the creation process for the ca.crt file. You will be prompted for various things. The default values are fine until you get to COMMON NAME
  14. WHEN YOU GET TO Common Name enter in "server"
  15. "build-key-server server"
  16. Leave the password blank unless you want to read OpenVPN documentation. same for company name
  17. answer "y" to signing and committing to the certificates.
  18. type "build-dh" and hit enter. This generates the Diffie-Hellman parameters; the output file is named after KEY_SIZE in vars.bat, so the default gives dh1024.pem. If you raised KEY_SIZE to 2048 in step 9 (worth doing: 1024-bit DH is weak by today's standards), the file will be dh2048.pem and the dh line in server.ovpn must name it.
  19. copy ca.crt, server.crt, server.key, and dh1024.pem from the keys folder in easy-rsa to C:\OpenVPN\config
  20. type "build-key client1" and hit enter
  21. WHEN YOU GET TO Common Name enter in "client1"
  22. Leave the password blank unless you want to read OpenVPN documentation. same for company name
  23. answer "y" to signing and committing to the certificates.
  24. Install OpenVPN on the client computer EXACTLY the same as on the server (ok, it doesn't really need to be exactly the same, I'm just too lazy to tell you what you do and don't need)
  25. copy ca.crt, client1.crt, and client1.key from the server's keys folder to the client computer's OpenVPN config folder (C:\OpenVPN\config if you installed it like I said). client1.key is the client's private key: move it over a channel you trust (a USB stick or an SSH/SCP session), not e-mail, since anyone holding it can connect as client1.
  26. in the config folder on the client, you will need to create a client1.ovpn file. It should look like this:  http://pastebin.com/42ekkJtL
About the client configuration file:

You need to use the same protocol as you specified on the server configuration file.

On line 5, for remote, you need to specify the PUBLIC IP address of the server OR the DNS entry for it. Refer to Note #6 for this information. After the ip address or DNS listing, specify the port. This needs to be the same port as in the server configuration file.

Almost done! Just have some configuration left on the server to go.

Server Configuration

  1. On the server open up services (run services.msc). Find OpenVPN, right-click it and go to properties. Set it to automatic and start it.
  2.  Still on the server in services, find Routing and Remote Access (shorthand: RRAS). Set it to automatic and start it. NOTE: At least in a couple of my goes with this, enabling RRAS made my network indicator in the notifications tray signify I had no connection -- I Still had a connection despite being told otherwise. It only happened on a few of my computers, so it may or may not happen to you (if it does, see if you can access any website. If you can there's no problem)
  3. You will need to modify a registry entry, so open up regedit and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. In there change IPEnableRouter to 1 (default is 0).
    IPEnableRouter.reg file download | PasteBin
  4. You may need to reboot before the registry change takes effect
  5. Still on the server, go Control Panel->Network and Sharing Center and click on "Change Adapter Settings"
  6. If you use my config it is necessary to change the TAP name (as the default name is random). Right-click the adapter that says TAP-Win32(or WIN-64) Adapter and select "Rename". Rename it to "MyTap".
  7. Right-click the newly-named MyTap and go to properties. Uncheck IPv6 if it's available (Vista/7 + some XP computers with it configured).

    Now we go onto Internet Connection Sharing (ICS) configuration. You may wish to review Note #5 as it covers some details on how to use a different subnet, as well as the "Some Things Very Important To Note" section for possible issues. A reminder is my guide assumes you are using 192.168.137.0/24, which is not the case on Windows XP. Edit as appropriate.
  8. This part is not necessary if you have checked the registry entry for ICS and made sure it is correct for your needs, but is a useful way to double-check as you'll get a warning popup. While still having the MyTap Properties open, Select IPv4 and click properties. Give it a static IP of 192.168.137.1 with a 255.255.255.0 subnet mask.
  9. Right-click your LAN adapter (the one you gave a static IP in step zero) and go to Properties. Go to the sharing tab (advanced on Windows XP) and check "Allow other computers to connect through this computer's Internet Connection"
  10. If there is a drop-down list you can select from, select MyTap. If not, don't worry: that just means you have no other adapters to share with other than MyTap.
  11. Uncheck the lower box titled "Allow other network users to control or disable the shared Internet Connection" if it is checked.
  12. Click OK. If you did optional step 8 for Server Configuration, you'll get a popup that says something about how MyTap will be set to 192.168.137.1. If yours said a different IP address, you will need to modify server.ovpn to use that subnet (same first 3 sets of numbers, last one a zero) and restart the OpenVPN service, alternatively you can set the ICS network range in your registry. Run this registry file to use the guide's 192.168.137.1 (Pastebin) or configure it manually using regedit and navigating to HKLM\System\CurrentControlSet\services\SharedAccess\Parameters and editing ScopeAddress and ScopeAddressBackup to use the desired IP address range (you specify the first IP address in the range). You can check to make sure that the IP address for MyTap is correct by running ipconfig /all in the command line and making sure it matches that in your server.ovpn config file.
Now you just need to port forward for OpenVPN so you can access it over the Internet.

Client Configuration

  1. Still on the client, go Control Panel->Network and Sharing Center and click on "Change Adapter Settings"
  2.  If you use my config it is necessary to change the TAP name (as the default name is random). Right-click the adapter that says TAP-Win32(or WIN-64) Adapter and select "Rename". Rename it to "MyTap".
  3. You can try out OpenVPN now on your LAN to make sure all is working. Just change your client1.ovpn to connect to your server's LAN ip address (NOT the address you set for MyTAP on the server, but the static IP you set for the LAN adapter).
  4. Launch OpenVPN GUI (as Administrator on Vista/7). A tray Icon should appear for OpenVPN (a little red-monitored computer with a globe). Right-click it and select "Connect"
  5. A log window will appear. After a few seconds to a minute, you should connect and be assigned an IP address. To verify traffic is going through the tunnel, assuming you used OpenDNS, you can test it simply using an OpenDNS check.
I know it's been a lot of work, but it's worth it. You now have a secure basic VPN setup, more robust than Microsoft's default PPTP offering and supporting multiple clients. You can improve the security by looking into ta.key, max-clients, client filtering, choosing the cipher, and password authentication. You'll need to go elsewhere to learn how to do these, or I may cover them in a future post. Finally, there are a few things you should know.
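Most of the ways this setup fails are mismatches the guide keeps warning about: proto and port differing between server.ovpn and client1.ovpn, or the ICS scope address not being the first host of the subnet on the server line. Below is a small Python 3 checker for exactly those, written for this page as an added example; it is not the guide's PasteBin files. The two embedded configs are constructed to match the parameters stated above (UDP 1194, 192.168.137.0/24, a TAP adapter named MyTap, OpenDNS resolvers), vpn.example.org stands in for your public IP or dynamic-DNS name, and the WARN checks cover the hardening the guide defers to later: tls-auth with ta.key on both ends, an explicit cipher, and remote-cert-tls server on the client so that another client's certificate (signed by the same CA) cannot pose as the server.

```python
"""Cross-check server.ovpn / client1.ovpn against the ICS scope address.

Added example, not the guide's own files. SERVER_OVPN and CLIENT_OVPN are
constructed to match the parameters the guide states; vpn.example.org stands
in for your public IP or dynamic-DNS name.
"""
import ipaddress
import shlex

SERVER_OVPN = """\
port 1194
proto udp
dev tap
dev-node MyTap
server 192.168.137.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
"""

CLIENT_OVPN = """\
client
dev tap
dev-node MyTap
proto udp
remote vpn.example.org 1194
ca ca.crt
cert client1.crt
key client1.key
;register-dns
"""


def parse_ovpn(text):
    """Return a list of (directive, [args]) tuples; '#' and ';' start comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        parts = shlex.split(line)   # keeps push "redirect-gateway def1" as one arg
        entries.append((parts[0], parts[1:]))
    return entries


def first(entries, directive, default=None):
    """Args of the first occurrence of a directive, or default if it is absent."""
    for name, args in entries:
        if name == directive:
            return args
    return default


def check_pair(server_text, client_text, ics_scope_address):
    """Return a list of 'ERROR ...' / 'WARN ...' findings for the pair."""
    srv, cli = parse_ovpn(server_text), parse_ovpn(client_text)
    findings = []

    # 1. Transport must agree; OpenVPN defaults to udp when proto is omitted.
    s_proto, c_proto = first(srv, 'proto', ['udp'])[0], first(cli, 'proto', ['udp'])[0]
    if s_proto != c_proto:
        findings.append('ERROR proto mismatch: server %s, client %s' % (s_proto, c_proto))

    # 2. Server 'port N' must equal the client's 'remote host [port]' (default 1194).
    s_port = int(first(srv, 'port', ['1194'])[0])
    remote = first(cli, 'remote')
    if remote is None:
        findings.append('ERROR client has no remote line')
    else:
        c_port = int(remote[1]) if len(remote) > 1 else 1194
        if c_port != s_port:
            findings.append('ERROR port mismatch: server %d, client remote %d' % (s_port, c_port))

    # 3. ICS gives the TAP adapter ScopeAddress; it must be the first host of the
    #    'server NET MASK' subnet, or clients get addresses the server's TAP is not on.
    server_args = first(srv, 'server')
    if server_args is None or len(server_args) < 2:
        findings.append('ERROR no "server NET MASK" line in server.ovpn')
    else:
        net = ipaddress.ip_network('%s/%s' % tuple(server_args[:2]), strict=False)
        expected = net.network_address + 1
        if ipaddress.ip_address(ics_scope_address) != expected:
            findings.append('ERROR ICS ScopeAddress %s is not %s (first host of %s)'
                            % (ics_scope_address, expected, net))

    # 4. Hardening the guide leaves for later.
    if first(srv, 'tls-auth') is None or first(cli, 'tls-auth') is None:
        findings.append('WARN tls-auth ta.key not configured on both ends')
    if first(srv, 'cipher') is None:
        findings.append('WARN no explicit cipher directive on the server')
    if first(cli, 'remote-cert-tls') is None:
        findings.append('WARN client lacks "remote-cert-tls server"')
    return findings


if __name__ == '__main__':
    for finding in check_pair(SERVER_OVPN, CLIENT_OVPN, '192.168.137.1'):
        print(finding)
```

Point it at your real files with open(...).read() and the ScopeAddress value from the SharedAccess registry key; with the constructed configs as written it reports no ERROR lines and the three WARN lines. The check only looks at the text of the two files, so it cannot tell you whether the forwarded port or the Windows Firewall rule match; compare those by hand.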

Some Things Very Important To Note

  • If you have issues with resolving DNS, uncomment register-dns from the client file.
  • On some networks with a short dhcp timeout, your client may have issues with getting a new address lease due to OpenVPN sending the request through the VPN. Disconnecting from OpenVPN and running "ipconfig /release" followed by "ipconfig /renew" in the command prompt will solve the issue (until it times out again).
  • Internet Connection Sharing (ICS) is a tricky one, but I've gotten it mostly figured out through the SharedAccess registry options. You can read up on configuring ICS here. On Windows XP it uses 192.168.0.1 by default and I've yet to verify if that can be changed.
  • Strictly speaking, the subnet you are giving your OpenVPN server may not be absolutely correct. This doesn't matter for a handful (3) of clients, but it may stop you from having too many clients. This appears to be related either to the version of Windows used, to the NIC used, or to whether the NIC is wireless, and cannot be changed. You should get a subnet mask of 255.255.255.0, but may get less (the lowest I got was 255.255.255.252 -- 3 clients + the server would max that out). The OpenVPN client should pull the correct information when it connects, so as long as you don't exceed the limit, it's not an issue. Slightly related is the below:
  • I don't know if this was because my virtual machine is crashy, but I noticed that the MyTap adapter would randomly change to using APIPA (Automatic Private IP Addressing) and therefore get an address in the 169.254.0.0/16 block. It's simple enough to fix. NOTE: This happens when RRAS runs into an issue and the DHCP server fails; to fix it, follow the 3 steps below:
First, disable sharing on the LAN adapter.

Second, reset the MyTap to use a static IPv4 address (IP and default gateway the same, in my case 192.168.137.1).

Third, re-enable sharing on the LAN adapter for MyTap.
  • I suggest disabling sleep/hibernation on the server (I mean, if the server isn't online when you need to connect, it's kinda useless) anyway. And whenever you reboot for updates, just check to make sure the MyTap properly has the first IP address in the block your OpenVPN server gives.
  • I've yet to find a way to get the OpenVPN network to be identified by anything less than a Public Network on Windows 7. It doesn't make much of a big deal unless you want to access network shares on the OpenVPN server (which may not be possible since Windows may block sharing since it's a public network). NOTE: This is due to OpenVPN's network not having a default gateway. Some steps on potential workarounds can be found on the Internet.

Sunday, January 27, 2013

Data Privacy Day Prep Part 5: Network Security

Data Privacy Day is one of my favorite holidays and falls on this upcoming Monday. Every year, for the days leading up to it, I like to talk about it and publish reminders. I normally post this on the Bethesda forums, where I'm quite active, but now that I have a blog, why not also add it on here? Here's part 5; it's about Network Security. It's long, so maybe read it in chunks. It'll always be here for you to refer to later :P

The goal of Data Privacy Day is to make people more informed about their data and privacy. I hope you find some of this information useful and put it into action. Security and privacy are constantly evolving items, and what cuts it today may not in the future, but this should be a good springboard to boost your security and privacy for Data Privacy Day and the years to come. As always, the level of security you need will differ from others, so you need to figure out what level is good for your needs. Some things, though, are universally applicable to all, such as a good password system. Another thing to remember is that even if you follow the best of security practices, it may not be enough to stay safe if a company who has poor security practices gets hacked (and after the summer of 2011 hacks and the ones that followed in 2012, I think we are all familiar with that).

An important definition:
  • Man-in-the-Middle attack: Any attack wherein someone intercepts data you receive and send to someone else by acting as a relay ("in the middle"). This can be done in numerous ways (ARP and DNS poisoning being two common methods, though many others exist) but the end effect is the same: your information and communication are compromised. Your passwords can be stolen and your sessions hijacked. This threat is an increasingly common problem on wireless networks, and can even affect mobile telecommunication networks (around $500 and enough know-how is the current going rate, FYI).

Networks

Your local network is an important point of security. A properly set up one will allow easy sharing and collaboration while simultaneously keeping out those who would intrude on it from the outside. This section will cover your local network, your local computer, and how to protect your computer and privacy when on public networks.

Your Wired Network

For a wired network, you don't have as much to worry about. Make sure not to use the DMZ your router allows: this is a black hole for security and offers nothing over properly forwarded ports. Any forwarded port should have a distinct purpose; otherwise don't forward it. Disable remote/WAN administration (it might be buried in there somewhere). Make sure to keep the router nice and updated with any new firmware releases (better yet, use custom firmware like DD-WRT, OpenWRT, or Tomato), as they patch various security flaws. Next you should change the username/password for logging into your router. Finally, make sure your router firewall is enabled; it's one of the nicest features they have. While not necessary, disabling UPnP can add a little more security by closing any unpatched vulnerabilities it may have and keeping rogue software from dynamically forwarding ports. Being careful is simpler and more friendly, though.

Your Wireless Network

Wireless networks are another thing. On top of all the above, you NEED to be using WPA2 with AES. Nothing else is secure!!!! Well, nothing you can reasonably implement, at least. This checklist is pretty good; the only two things I disagree with are using MAC filtering and disabling SSID broadcasting. If someone knows how to crack a WEP key, they can easily find out how to spoof a MAC address or uncover an invisible network. Both also come with significant disadvantages while offering no real security. As mentioned in that checklist, make your WPA2 key very complex. You don't need to worry about forgetting it: write it down and stick it to your router. If someone is in your house, your WPA2 password isn't going to keep them out of your network. If you want to be secure with your WPA2 key, consider using the same password strategies mentioned in the passwords section.

 But what about your WEP-only devices? I've not tried it yet myself, but here is a guide on how to set up a virtual wireless network for your WEP devices. Other options are to set up a wireless access point with WEP for when you want to use your DS/other WEP-only devices, and just unplug the WAP when not using it. Everything else will be on your normal WPA2 connection.

A very new happening in attacking WPA/WPA2 networks is to ignore trying to break the WPA/WPA2 encryption and instead have the router give you the password. A common feature included in many modern routers is Wi-Fi Protected Setup (WPS). Unfortunately, this is a weakness, as it is a simple (generally hardcoded) PIN that is very easy to brute-force. Lifehacker did a full rundown of this attack vector and the primary tool to abuse it (Reaver), which I suggest you read so you can stop it from happening to you. A redditor created a wonderful spreadsheet of many common household routers and whether they are vulnerable to Reaver and whether you can disable WPS on them (some routers cannot have the feature disabled even if there is an option on the web interface to do so). One way to immunize yourself against this attack is to flash a custom firmware on the router, such as DD-WRT. Many custom firmwares do not have support for WPS, so it nullifies this vulnerability.

Your Computer (localhost)

Your computer can leak information out of your local network if you are not careful. The browser section covered many of the most common leaks, but if your computer is infected with a keylogger or other malware, data may be leaked and all of your network security can be bypassed. Likewise, on an open network, someone may try to break into your computer over the network. There are a few things you can do to mitigate these risks:

Keep your Operating System updated. It's easy to fall into the cycle of not getting the latest updates for your OS. These often patch security holes that can be exploited. Along the same lines, keep your software updated, especially major programs and anything that uses the Internet. Also along these lines: do NOT use an unsupported OS. Windows Vista Home and Ultimate editions reach end of support this year in April, so upgrade before then or it'll only be a matter of time before an unpatched hole allows for unassisted malware installation on your computer due to running an unsupported OS.

Just as important as keeping your OS updated is keeping your software updated. Key programs that should be kept updated are your antivirus/antimalware/firewall solutions, your web browser of choice, your PDF viewer, Java (if installed), Microsoft Office (if installed; it can be updated through Windows Update), and your media player.

 Use a password! Windows passwords are trivial to overwrite if someone has access to your PC (which is where encryption comes in), but they are VERY useful in keeping other, unwanted people on the network out of your shared folders. You should also, of course, disable shared folders on public wifi networks.

Install a firewall. Your router has one, but on open networks like those your laptop may often connect to, your router firewall won't be of any help. With Windows Vista/7, the built-in firewall is pretty good (and can be improved with Windows7FirewallControl -- which works with Vista/XP as well). The best free one is Comodo's Firewall. The Defense+ feature is also a basic HIPS program (Host-based Intrusion Prevention System) that will stop rogue programs from doing naughty things. This does an excellent job of keeping keyloggers, trojans, and worms from sending data out from your computer (keyloggers can also be effectively nulled with the use of a password manager such as KeePass or LastPass). Lately Comodo has been getting bloated; a good HIPS-based alternative is PrivateFirewall.

Keep your antivirus/antimalware/antispyware solutions up-to-date and scan as you feel needed. Whether you run a full-fledged real-time protection antivirus + antimalware solution, or a free antivirus and something to occasionally scan with like Malwarebytes, it's better to have it on your system now and not need it than to need it and not have it. Some malware makes it near-impossible to install antimalware programs and/or update them successfully. Instantly being able to do a scan after you think you've been compromised is a very nice thing. The next-best thing is to instantly shut down your computer and use live rescue CDs like Kaspersky offers (there's tons of them). Antivirus/antimalware/antispyware, whether proactive or retroactive, should always be considered your last line of defense.

Disable file sharing when you don't need it. This is of particular importance when on public wifi. In Windows 7 this is done simply by going Control Panel > Network and Sharing Center > Change Advanced Sharing Settings (left panel item). Expand the Public profile. Turn off Network Discovery (not really necessary, it doesn't offer any real security), Turn off File and Printer Sharing, and Turn off Public Folder Sharing. Save the changes and exit. Next, disable your administrative shares. Disabling shares you don't need is important for those "oops" moments when you connect to a network and accidentally make it a home or work network instead of a public one.

Shared and Public Computers

Shared and public computers are of particular risk. With shared computers, it's possible someone else using it has unwittingly installed some privacy-invading software or may try to snoop your files. On public computers you never know if there's a keylogger or some other malicious act going on. Do your best to minimize your risks on these computers. With shared computers, you should verify that other user accounts cannot access your data by checking folder permissions and making sure other accounts don't have read (or execute) access. Another thing you can do is set up email alerts for whenever someone logs in to your computer; it may be handy if you think someone is snooping around. I personally prefer blat for sending emails from the command line on Windows, though sendemail is fine too. SendEmail is also available for Mac OS X and Linux, and the instructions given there will mostly apply, but you'll need to create a shell script to run them on those platforms and set it to run at start-up. An alternative program for Linux and Mac OS X is ssmtp, which I find a bit simpler than sendemail. Here are some instructions on ssmtp's basic set up and some Mac OS X instructions.

Public computers are especially scary because there's so much unknown about them. The best bet is to reboot into Linux if possible. It's not always possible with public computers, but when it is it'll provide you the best option. A privacy and security-minded Linux distro is Tails. Of course, booting into Linux isn't always possible on public PCs (being able to do it is actually a really bad sign), so instead you may have to make do with some portable apps. I'd recommend avoiding using passwords when possible, and using only accounts with two-factor authentication otherwise. Definitely use a portable version of your web browser of choice all tricked out with your favorite privacy plugins. Only save stuff to the USB stick and only run stuff from it. Pretend every program on the computer is a poisonous snake trying to eat your mouse (pointer). Besides that, there isn't much you can do besides following some good practices.

Foreign (public) Wireless Networks

Foreign, public wireless networks are a war zone, especially the open ones. Ones properly protected and configured with 802.1x (aka, WPA2 Enterprise) can be safe networks, but assume that any 802.1x network is poorly configured and multiple people have the same key you do and can see your traffic. Man-in-the-Middle attacks happen with more and more frequency, and the skill required to initiate them is at an all-time low (can be done with just a smartphone). There are two primary technologies you can use to secure your roaming on such networks: SSH Tunnels and Virtual Private Networks (VPNs).

 NOTES:

 1. For all server installs, you will need to know the public IP of your server. This can be done by visiting http://www.whatismyip.com/ on your server. Better is to set up no-ip on your server (the computer running SSH or your VPN) and use their free dynamic DNS service (it'll work even if your home IP changes). No-ip is so simple it hardly warrants directions, but no-ip provides them for a simple setup anyway. You will need to do this for PPTP VPN servers and SSH servers.

 2. You will also need to set a static IP for your server. This is simple enough:

Static IP - Mac OS X

Static IP - Linux (various)

Static IP - Windows XP/Vista/7

 3. A simple tool to use to see if an ARP poisoning attack is happening on the public wifi is DecaffeinatID. It keeps track of the default gateway MAC address and will alert you if it changes.
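The gateway-MAC check that DecaffeinatID performs on Windows, written as a small shell script for a Linux laptop (an added example, not part of the original post or of DecaffeinatID). It assumes iproute2 (`ip route` and `ip neigh`); the two sample outputs at the bottom are constructed so the functions can be exercised without a real network.

```shell
#!/bin/sh
# Gateway-MAC watcher: record the default gateway's MAC the first time,
# then alert whenever the MAC answering for that gateway IP changes.

# Extract the default gateway IP from "ip route" output passed on stdin.
gateway_ip() {
    awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "via") { print $(i+1); exit } }'
}

# Extract the MAC for a given IP ($1) from "ip neigh" output passed on stdin.
neigh_mac() {
    awk -v ip="$1" '$1 == ip { for (i = 1; i <= NF; i++) if ($i == "lladdr") { print $(i+1); exit } }'
}

# Compare the current gateway IP/MAC with the pair stored in the baseline
# file ($1). $2 and $3 are the text of "ip route" and "ip neigh".
# Prints RECORDED (first run), OK, or ALERT; returns 1 on a change.
check_gateway() {
    baseline_file=$1; route_out=$2; neigh_out=$3
    gw=$(printf '%s\n' "$route_out" | gateway_ip)
    mac=$(printf '%s\n' "$neigh_out" | neigh_mac "$gw")
    if [ -z "$gw" ] || [ -z "$mac" ]; then
        echo "UNKNOWN: could not resolve the gateway MAC"; return 2
    fi
    if [ ! -f "$baseline_file" ]; then
        printf '%s %s\n' "$gw" "$mac" > "$baseline_file"
        echo "RECORDED $gw $mac"; return 0
    fi
    read -r base_gw base_mac < "$baseline_file"
    if [ "$gw" = "$base_gw" ] && [ "$mac" = "$base_mac" ]; then
        echo "OK $gw $mac"; return 0
    fi
    echo "ALERT gateway was $base_gw/$base_mac, now $gw/$mac (possible ARP poisoning)"
    return 1
}

# Live use on the laptop: call this from cron or a loop while on public wifi.
# Delete the baseline file when you legitimately move to another network.
watch_live() {
    check_gateway "${HOME}/.gateway-baseline" "$(ip route)" "$(ip neigh)"
}

# Constructed sample outputs for a stand-alone demo (not captured from a real host).
SAMPLE_ROUTE='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23'
SAMPLE_NEIGH_BEFORE='192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE'
SAMPLE_NEIGH_AFTER='192.168.1.1 dev wlan0 lladdr de:ad:be:ef:00:01 REACHABLE'
```
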

SSH Tunnels

An SSH tunnel is a simple yet effective way to protect your web browsing (and select other traffic) while on public wifi, and it is relatively easy to set up and configure properly. Setting up an SSH server is simple on Mac OS X and Linux; Windows is simple after installing a program. Your tunnel will be a SOCKS proxy, and Firefox with QuickProxy makes switching to that proxy simple to secure your web browsing traffic (I recommend using Firefox because of QuickProxy, and also because Firefox can be configured to send DNS requests through the tunnel, something I've yet to find out how to do in Opera or Chrome).

 NOTE: You may wish to get email alerts whenever someone logs in via SSH to your server. It's simple to do. These instructions apply to openssh, so should work for both Linux (assuming OpenSSH is your SSH Server) and Mac OS X. If you use my recommended program of BitVise for Windows, you'll have an option to run a program after successful logins, so you'd just create a batch file that uses either sendemail or blat to send the email.
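One way to get those login alerts on Linux or Mac OS X with OpenSSH and ssmtp, as an added example (not from the original post or any of the linked instructions): a script that OpenSSH's PAM stack runs on every session open. It assumes pam_exec is available, the script path and the two addresses are placeholders, and for the shared-computer case from the earlier section the same line can go in your distro's common session PAM file instead of the sshd one.

```shell
#!/bin/sh
# /usr/local/bin/ssh-login-alert.sh (hypothetical path).
# Hook it into OpenSSH's PAM stack with this line in /etc/pam.d/sshd:
#   session optional pam_exec.so /usr/local/bin/ssh-login-alert.sh
# pam_exec exports PAM_USER, PAM_RHOST, PAM_TTY and PAM_TYPE to the script.

ALERT_TO="${ALERT_TO:-you@example.com}"        # placeholder: where alerts go
ALERT_FROM="${ALERT_FROM:-server@example.com}" # placeholder: sender address

# Build the complete email (headers + body) for one login event.
# Arguments: user, remote host/IP, tty, timestamp, server hostname.
login_alert_message() {
    user=$1; rhost=$2; tty=$3; when=$4; host=$5
    printf 'To: %s\nFrom: %s\nSubject: SSH login on %s by %s from %s\n\n' \
        "$ALERT_TO" "$ALERT_FROM" "$host" "$user" "$rhost"
    printf 'User:   %s\nFrom:   %s\nTTY:    %s\nTime:   %s\nHost:   %s\n' \
        "$user" "$rhost" "$tty" "$when" "$host"
}

# Only report session opens; PAM also runs the script on close_session.
should_report() {
    [ "$1" = "open_session" ]
}

# Hand the message on stdin to ssmtp (it takes a raw message with headers);
# if ssmtp is missing, log it so the event is not silently dropped.
send_alert() {
    if command -v ssmtp >/dev/null 2>&1; then
        ssmtp "$ALERT_TO"
    else
        logger -t ssh-login-alert "ssmtp not found; $(cat)"
    fi
}

# Entry point when invoked by pam_exec (PAM_TYPE is set only then).
if [ -n "${PAM_TYPE-}" ] && should_report "$PAM_TYPE"; then
    login_alert_message "${PAM_USER-unknown}" "${PAM_RHOST-local}" "${PAM_TTY-none}" \
        "$(date '+%Y-%m-%d %H:%M:%S %Z')" "$(hostname)" | send_alert
fi
```
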

 First, you need access to an SSH server to log into and create the tunnel. This computer needs to be located at home and always on.

 Mac OS X: Enable Remote Login for Mac OS X

 You will then need to forward port 22 from your Mac on your router so you can access the ssh while on the go. Locate your router on PortForward and follow the instructions for SSH.

 Linux: Simply install OpenSSH (or your SSH server of choice). Your distro should have sufficient instructions in its documentation on how to activate key-based authentication and disable keyboard authentication. It won't be any different from the instructions for Mac OS X if you use OpenSSH. Then likewise forward port 22 from your Linux PC on your router so you can access SSH while on the go. Locate your router on PortForward and follow the instructions for SSH.

 Windows: Windows lacks a built-in SSH server, though there is a very good free (for personal use) SSH Server provided by BitVise. It offers very fine-grained controls, public key authentication, virtual users, jailing, and everything else you could want in an SSH server. If you have any questions, feel free to ask me as I'm very familiar with BitVise's SSH server. Don't forget to forward your port, though.
 
 I HIGHLY suggest setting up key-based authentication for SSH to prevent brute-force attacks on your SSH server. Then just disable keyboard authentication. (The instructions are for PuTTY as it's fairly cross-platform and allows me to just post a single set of instructions. Feel free to use any client you wish, though.)

Now that your server is configured, it's time to configure your client (probably your laptop). I will do my instructions through PuTTY (for simplicity once again), so download and install PuTTY. On Mac OS X, you will need to use MacPorts to get PuTTY.

 Launch Putty. Type the dynamic DNS (or IP) address into the Hostname/IP box. Looks like this

 Under Connections in SSH, select Tunnels. Enter 7070 for the destination (technically any port will do, I just always use 7070 because it's easy for me to remember), set it as Dynamic and Auto. Click the Add button. Looks like this.

 It isn't absolutely necessary, but I highly suggest saving this configuration, which requires going back to the session panel. Enter some title in the "saved sessions" box (like sockstunnel) and hit Save. Now in the future you will just have to select sockstunnel and click load.

 Now click the open button. A window that looks like a command prompt will open up and ask for your username, so enter it. If using keyboard authentication, enter your password. If using key-based authentication with a passphrase, enter your passphrase (the earlier linked howtoforge guide for key-based logins with putty explained how to load a key into putty). Leave this window open.

 Now we configure Firefox. Download QuickProxy as this makes things simpler (you'll be able to switch to your proxy with the click of a button).

 In Firefox go Tools>Options. Go to Advanced. In Advanced, go to the Network tab. Under "Connections" click the settings button. Select "Manual Proxy Settings". Enter a SOCKS Host of 127.0.0.1 and a port of 7070. It should look like this. Change back to "No Proxy" and OK out of all open windows.

 One more thing needs to be changed: go to about:config. Enter in socks as your filter. Change network.proxy.socks_remote_dns to true. Should look like this.

 Now Firefox can be configured to use the proxy (when logged into the SSH server in putty) by just hitting the QuickProxy button.

 When you're done using your SSH tunnel, disable the proxy by once again clicking the QuickProxy button and type "logout" ("exit" if it's a BitVise server running on Windows) into the putty terminal window to end the session. 
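The same tunnel from a Linux or Mac OS X client with OpenSSH instead of PuTTY, plus the key-only server settings recommended above, as an added example that is not from the original post. The hostname, user name and check URL are placeholders; `harden_sshd_config` edits whatever sshd_config path you give it and `validate_sshd_config` is the check to run before restarting sshd so a typo cannot lock you out.

```shell
#!/bin/sh
SSH_HOST="${SSH_HOST:-home.example.com}"  # placeholder: your no-ip hostname
SSH_USER="${SSH_USER:-you}"               # placeholder: account on the server
SOCKS_PORT="${SOCKS_PORT:-7070}"          # same port the PuTTY steps use

# Client side: open a dynamic (SOCKS) forward on 127.0.0.1:7070 and run no
# remote command (-N). Leave it running, exactly like the PuTTY window.
open_socks_tunnel() {
    ssh -N -D "127.0.0.1:${SOCKS_PORT}" -o ExitOnForwardFailure=yes \
        "${SSH_USER}@${SSH_HOST}"
}

# Confirm traffic really goes through the tunnel. --socks5-hostname makes
# curl resolve DNS at the far end, the same effect as Firefox's
# network.proxy.socks_remote_dns=true; --socks5 would leak DNS locally.
check_tunnel() {  # url
    curl -sS -o /dev/null --socks5-hostname "127.0.0.1:${SOCKS_PORT}" "$1"
}

# Server side: turn on key-only logins in the sshd_config given as $1.
# Existing (even commented-out) lines for each option are replaced in place;
# missing options are appended. ChallengeResponseAuthentication is the
# pre-8.7 name, still accepted as an alias for KbdInteractiveAuthentication.
harden_sshd_config() {
    cfg=$1
    set_opt() {  # option value
        if grep -Eq "^[#[:space:]]*$1[[:space:]]" "$cfg"; then
            sed -i.bak -E "s/^[#[:space:]]*$1[[:space:]].*/$1 $2/" "$cfg"
        else
            printf '%s %s\n' "$1" "$2" >> "$cfg"
        fi
    }
    set_opt PubkeyAuthentication yes
    set_opt PasswordAuthentication no
    set_opt ChallengeResponseAuthentication no
    set_opt PermitRootLogin no
    rm -f "$cfg.bak"
}

# Test-parse the config; only restart sshd if this succeeds, and keep your
# current session open until a second key-based login has been verified.
validate_sshd_config() {  # path
    sshd -t -f "$1"
}
```
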
 
PPTP VPN

 Windows has a basic VPN built in that uses the Point-to-Point Tunneling Protocol. It is limited in that you can only have one remote connection, it uses your Windows password (so it must be strong), and it won't work when the CLIENT is behind old or improperly configured routers. From a security standpoint, PPTP has been broken and can be cracked by someone proficient with the right tools, but from an average user standpoint, people getting their MitM on are going after easy fish, and short of someone coming after you in particular, PPTP should be sufficiently secure. Also in its favor: it's simple to set up.

 Server configuration:

 NOTE: both guides also include information on port forwarding for PPTP, which involves forwarding TCP 1723 and enabling PPTP Passthrough -- this second part is important because PPTP uses a non-TCP/UDP protocol: GRE. You may have to look around a bit to find where PPTP Passthrough is on your router (GRE is also the reason why PPTP won't work when the client is behind some old routers, as they drop the GRE packets before they leave the network).

 1. PPTP Server on Windows XP

 2. PPTP Server on Windows 7 (Vista is almost identical)

 Client configuration:

 3. PPTP client on Windows XP

 4. PPTP client on Windows 7 (Vista is almost identical)

 5. PPTP client on Mac OS X

 6. PPTP client on Linux (GNOME)

Make sure to always test that your PPTP VPN tunnel is being used as the default gateway. This is default behavior for Windows clients.

Hamachi VPN with Privoxy and ProXPN Free

Finally, the last option is to use Hamachi VPN and Privoxy. It's a cross-platform solution and Lifehacker has a write-up on how to do it here.

 A managed, simple, free VPN service is ProXPN Free. Note that you are using their service, so they are your exit point. To me, this is less ideal as you do not control the exit point. Also, you have to use their [proprietary] VPN implementation, as the free service does not include PPTP access. Their free service VPN implementation is incompatible with all other VPN clients I know of. Still, for simplicity it wins hands-down and it will protect you from Man-in-the-Middle Attacks on public wifi.

 That's all for this section. By following some of these tips, your public wifi browsing is now secured, and you have much less to worry about.

Saturday, January 26, 2013

Data Privacy Day Prep Part 4: Encryption

Data Privacy Day is one of my favorite holidays and falls on this upcoming Monday. Every year, for the days leading up to it, I like to talk about it and publish reminders. I normally post this on the Bethesda forums, where I'm quite active, but now that I have a blog, why not also add it on here? Here's part 4; it's about encryption. It's long, so maybe read it in chunks. It'll always be here for you to refer to later :P

The goal of Data Privacy Day is to make people more informed about their data and privacy. I hope you find some of this information useful and put it into action. Security and privacy are constantly evolving items, and what cuts it today may not in the future, but this should be a good springboard to boost your security and privacy for Data Privacy Day and the years to come. As always, the level of security you need will differ from others, so you need to figure out what level is good for your needs. Some things, though, are universally applicable to all, such as a good password system. Another thing to remember is that even if you follow the best of security practices, it may not be enough to stay safe if a company who has poor security practices gets hacked (and after the summer of 2011 hacks and the ones that followed in 2012, I think we are all familiar with that).

Encryption remains the same as ever mostly. AES is still going strong, in spite of a very tiny chink in the armor being found over a year ago now (still unexploitable because even with the chink it takes hundreds of years to decrypt).

Email Encryption

Most people send emails fairly frequently, sometimes even containing confidential information. The dead-simple file encryption options listed below are excellent for encrypted attachments, but what about the email message itself? Well, there's been a long-standing encryption scheme for email known as PGP (Pretty Good Privacy) and it is still going today. Some derivatives of it are OpenPGP and GnuPG, but they all play nice with each other.

 One caveat about PGP until recently was you needed a dedicated email client to use it. It's still probably the easiest way, but it's no longer the only option. If you want to go this route, I recommend GnuPG + Thunderbird + Enigmail. Here are some instructions on how to set it up.

 Most of us, though, probably use a web browser for our email. Now there are PGP encryption options directly in your browser thanks to OpenPGP.js -- an open source JavaScript library. There are two browser plugins using it: Mailvelope, which has a Firefox and Chrome plugin, and MyMail-crypt for Gmail, which is a Chrome-only plugin. Moreover, Mailvelope works with numerous webmail platforms, not just Gmail, so it is an option for more people. OpenPGP.js (and these plugins) are still under active development and not quite 100% stable, so issues may be encountered. An advantage, though, is that they'll work with any OpenPGP/GnuPG program, being fully compatible.

 The downside to Mailvelope and MyMail-Crypt being fully compatible with OpenPGP/GnuPG is that they have the same barriers to entry as regular OpenPGP/GnuPG -- in order to use them you must generate a private and public key pair, and so must anyone you want to securely send email to. For you to send email to someone securely, you encrypt it with their public key. They can then decrypt it. To reply they must encrypt the reply with your public key for you to be able to decrypt it with your private key.
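The exchange just described, carried out with GnuPG on the command line as an added example (not from the original post, Mailvelope or MyMail-Crypt); it assumes GnuPG 2.1 or newer. Alice, Bob, their addresses and the throwaway keyrings are constructed; each side imports only the other's public key, and the keys have no passphrase only so the script runs unattended.

```shell
#!/bin/sh
# Two parties, two separate keyrings (GNUPGHOME), one round trip:
# Alice -> Bob encrypted to Bob's public key, reply encrypted to Alice's.

# Create a throwaway keyring directory for one party and print its path.
new_keyring() {
    d=$(mktemp -d)
    chmod 700 "$d"   # gpg refuses (or warns about) a world-readable home
    printf '%s\n' "$d"
}

# Generate a key pair in keyring $1 for user id $2 (empty passphrase: demo only).
gen_key() {
    GNUPGHOME=$1 gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$2" default default never
}

# Export one party's PUBLIC key as ASCII armor; the private key never leaves $1.
export_pubkey() {  # keyring email
    GNUPGHOME=$1 gpg --batch --quiet --armor --export "$2"
}

# Import an armored public key from stdin into keyring $1.
import_pubkey() {
    GNUPGHOME=$1 gpg --batch --quiet --import
}

# Encrypt stdin to recipient $2, whose public key must already be in keyring $1.
# --trust-model always skips the interactive "unknown trust" prompt in batch use.
encrypt_to() {
    GNUPGHOME=$1 gpg --batch --quiet --yes --trust-model always --armor \
        --encrypt --recipient "$2"
}

# Decrypt stdin with the private key held in keyring $1; plaintext goes to stdout.
decrypt_with() {
    GNUPGHOME=$1 gpg --batch --quiet --pinentry-mode loopback --passphrase '' --decrypt
}

# Full round trip for message $1. Prints the plaintext Alice recovers from
# Bob's reply, which is "Re: <original message>".
pgp_roundtrip() {
    alice=$(new_keyring); bob=$(new_keyring)
    gen_key "$alice" "Alice <alice@example.com>"
    gen_key "$bob"   "Bob <bob@example.com>"
    # Public keys cross over; this is the one-time setup both sides must do.
    export_pubkey "$bob"   bob@example.com   | import_pubkey "$alice"
    export_pubkey "$alice" alice@example.com | import_pubkey "$bob"
    # Alice encrypts with Bob's public key; only Bob's private key can open it.
    printf '%s\n' "$1" | encrypt_to "$alice" bob@example.com > "$bob/inbox.asc"
    received=$(decrypt_with "$bob" < "$bob/inbox.asc")
    # Bob replies, encrypting with Alice's public key; Alice decrypts with hers.
    printf 'Re: %s\n' "$received" | encrypt_to "$bob" alice@example.com > "$alice/inbox.asc"
    decrypt_with "$alice" < "$alice/inbox.asc"
    GNUPGHOME=$alice gpgconf --kill gpg-agent
    GNUPGHOME=$bob gpgconf --kill gpg-agent
    rm -rf "$alice" "$bob"
}

# Stand-alone demo: ./pgp-demo.sh --demo
if [ "${1-}" = "--demo" ]; then
    pgp_roundtrip "hello bob"
fi
```
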

 A simpler solution is SafeGmail. It's Gmail-only and Chrome-only, but a Firefox plugin is in the works. It's an open source project and tries to make PGP simpler and more friendly to newcomers. On the plus side, only you need the plugin installed; the recipient doesn't need to mess with keys or anything. They just click a link, enter a password you sent them/answer a question, paste the encrypted text, and press the decrypt button. The downside is that you are dependent on SafeGmail, and without looking at the source code I can't say with 100% confidence that no snooping is being done, though I do believe it's a strong candidate for being 100% secure.

Dead-Simple File Encryption

TrueCrypt is a great tool and all, but it's not the best choice out there for simple file encryption. You have to create a virtual container and then put the files in there, it's a bit of a hassle and waste. The problems with TrueCrypt are amplified if you are trying to share files with someone else securely, especially if that other person isn't very computer literate. Thankfully there are alternatives. The big ones are AxCrypt, AES Crypt, and 7-Zip.

AXCrypt - AxCrypt is a simple file encryption tool that uses AES-128, available in installed and portable versions. The advantage of the installed version is that it offers context menu integration, allowing simple right-clicks to decrypt and encrypt. Another advantage of the tool is it offers a portable decrypt-only tool. This makes it simple for your non-savvy friends to decrypt files you send them. Unfortunately it is currently Windows-only, but version 2.0 will be cross-platform (through Mono). If you have a Mac OS X friend you'd like to send encrypted files to, though, they can use the prerelease. Linux also has a prerelease, but you have to register on the AXCrypt website to access it. My experience with the prerelease has been positive so far, though getting your friends to install Mono may be a bit hard (it's a separate installer). Once they do, they simply launch AxCrypt from the download and click the unlocked icon to decrypt files. Simple enough for even a Mac OS X user (in jest, I promise).

AES Crypt - AES Crypt isn't as slick as AxCrypt, but has the advantage of having a stable cross-platform release. Context menu available once again and the Mac OS X application is simple drag-and-drop. It lacks the portable or decrypt-only Windows options that AxCrypt has, but that's the price to pay for a cross-platform application.

7-Zip - When combined with the AES-256 encryption option available for .zip and .7z archives, 7-Zip becomes a powerful encryption tool. It's made even simpler with the SFX archive option (Self-extracting archive) when using .7z. This creates a .exe archive that when run will ask for the password and extract the contents once entered in properly. It's not without problems, though. First, AES-256 .zip files are a bit of a hack, and not compatible with all archiving programs (for example, Windows can't handle them natively). Second, 7-Zip isn't properly cross-platform. You'll have to direct your Mac OS X and Linux friends to an alternative tool for them to decrypt the files. Thirdly, you'll find it hard to email self-extracting archives to people as most email programs will block .exe attachments (so you'll need to use a file hosting service). Still, it's a viable option especially for Windows users.

Drive Encryption

Drive encryption is the ultimate in data privacy and security. There are many encryption tools out there, but for the purposes of discussion here I will only talk about TrueCrypt. TrueCrypt offers many advantages over other options, including BitLocker. In being cross-platform, it makes recovery in any situation possible. Other encryption schemes may offer advantages over TrueCrypt (for example, if interested in TPM), so it may not necessarily be the right choice for you.

 There are three basic encryption options, as well as the choice between hidden and non-hidden volumes. These options are: an encrypted file container, an encrypted non-system partition or drive, and an encrypted system partition/drive (this last option is currently only available on Windows). Two-factor authentication is also available through the use of keyfiles, though it isn't an option for system encryption (but two-factor authentication still can be achieved).

 Encrypted file container: This option is the simplest to implement. You create a volume that appears to be a normal file (you can make it any filetype you want), but when you mount it with the proper password (and/or keyfile) it reveals the truth. You can make it a hidden volume for even added privacy/security (a would-be attacker may uncover the outer volume in one way or another, but the hidden volume remains secure). The disadvantage to making an encrypted file container is it is relatively simple to just copy the file container to a removable drive where the attacker can try and crack it at their leisure without you being aware of it (a keyfile would drastically lower their ability to succeed, if the keyfile and file container are not stored in the same location).

 Encrypted non-system drive/partition: This option is relatively simple to implement. The advantage is it looks like just unallocated disk space to the untrained eye, and, in the case of removable storage, the user would be prompted to format it before use. Of course in removable storage you must be careful to not format it yourself. Once again the use of a hidden volume and keyfile can be used for increased privacy/security.

System drive/partition Encryption

SSD users: Please note that there is currently no way to verifiably securely wipe an SSD short of drive destruction. As such I highly recommend encrypting SSDs.

 This one is a bit more advanced than the earlier options, but offers significantly greater security and privacy as well. On your system there are temporary files and various files tied to programs that make it hard (though not necessarily impossible) to seamlessly use file containers or encrypted non-system drives/partitions to protect their contents from prying eyes. For example, say you stored your IM logs, program profiles, and bookmarks in an encrypted file container. It would be relatively simple to accidentally start up the program those files are related to without unencrypting the container, which could either cause instability or write new files to an unencrypted area. System drive/partition encryption allows for seamless encryption of all system/program files you want out of prying eyes. You can make it a hidden volume if you choose, which LifeHacker did a good job of covering.

Unfortunately keyfiles do not work with system encryption, but you can still get two-factor authentication. Before you encrypt the system, you will be prompted to create a recovery disc in case anything goes wrong, which you can use to restore the TrueCrypt boot loader, boot into the encrypted system, restore the original system loader, or permanently decrypt your system. By restoring the original system loader, or installing a new boot loader to the MBR (such as GRUB2), you would be required to boot from the rescue disc, making a two-factor authentication setup (you must know the password, and you must have the recovery disk). This can be further streamlined if your computer can boot from USB by loading a USB drive with the recovery disk. You'd then do something like booting the TrueCrypt ISO from Grub4Dos.

Dual-booting is complicated for Linux-TrueCrypted Windows (Windows-Windows can be simply done through the use of the hidden operating system feature), but not impossible. You can do the above and have GRUB2 written to MBR and use the CD/USB to boot into Windows, or you can force GRUB2 to install to the root (or boot) partition. Here's a guide to doing this.

If Linux is already installed, simply restore GRUB2 from the TrueCrypt rescue disc, boot into it, force GRUB2 to install to your root/boot partition, and then reinstall TrueCrypt Boot Loader to the MBR from the rescue disc. If you are using the two-factor authentication method, all you need to do is restore GRUB2. Since you don't need TrueCrypt on the MBR, GRUB2 can happily rest there.

If Linux isn't already installed, make sure you have the necessary unencrypted partition to install it to. You cannot partition a TrueCrypt encrypted volume, so the partitioning for Linux needs to be done before encryption (or if you have a non-system partition/drive already, you could further partition that). Encrypt Windows with TrueCrypt and install the Linux distro of your choice. After installation, force GRUB2 to the root/boot partition and restore TrueCrypt to the MBR (once again, this last step can be skipped if you are going to use the two-factor authentication method for TrueCrypt).

Linux can also be encrypted. Many distros offer options to encrypt Home at install. Full encryption, including root, requires more work and is generally not offered as an option by live CD installers. Just look through the distro documentation for dm-crypt/LUKS or Google your distro along with those terms and you will find a guide on how to do it.

Mac OS X offers built-in full-system encryption since 10.7 Lion through FileVault 2. Apple posted excellent instructions on how to do this on their knowledge base. Older versions of Mac OS X could only encrypt the home directory.

There is one disadvantage to system encryption: it will slow down your OS. This is mitigated with a good hard drive and a modern processor that has AES-NI when using just AES encryption -- to the point that it is negligible to unnoticeable. Currently most i5s and newer i7s (the entire i5 and i7 line for Sandy Bridge) support it, as does AMD's Bulldozer line, but it is still something you should be aware of.

Further reading:

TrueCrypt Docs: Keyfiles
TrueCrypt Docs: Hidden Volumes
TrueCrypt Docs: TrueCrypt Rescue Disk

With that, you can properly encrypt your important data and keep it from prying eyes.

Friday, January 25, 2013

Data Privacy Day Prep Part 3: Web Browsing

Data Privacy Day is one of my favorite holidays and falls on this upcoming Monday. Every year, for the days leading up to it, I like to talk about it and publish reminders. I normally post this on the Bethesda forums, where I'm quite active, but now that I have a blog, why not also add it on here? Here's part 3, it's about web browsing and websites. It's long, so maybe read it in chunks. It'll always be here for you to refer to later :P

The goal of Data Privacy Day is to make people more informed about their data and privacy. I hope you find some of this information useful and put it into action. Security and privacy are constantly evolving items, and what cuts it today may not in the future, but this should be a good springboard to boost your security and privacy for Data Privacy Day and the years to come. As always, the level of security you need will differ from others, so you need to figure out what level is good for your needs. Some things, though, are universally applicable to all, such as a good password system. Another thing to remember is that even if you follow the best of security practices, it may not be enough to stay safe if a company who has poor security practices gets hacked (and after the summer of 2011 hacks and the ones that followed in 2012, I think we are all familiar with that).

Web Browsing

There's not a single person reading this who doesn't do it. We all are doing it right now, in fact. Web browsing is a part of all of our lives, but without proper care it can be quite dangerous.

When randomly searching for things, you never know if that next search result is going to contain malware. Your antivirus software may have a rating feature, and your browser may have some protections (as does the search engine itself), but for more information a website reputation tool is needed. There are various ones out there, but the one that I feel does the best job is WOT: Web of Trust. Like any web rating site, it is prone to users downrating, but overall I feel it does a very good job. It does collect information on "you", as to get ratings it needs to know the domains you are looking at. This is true for any web rating service, though, so if you want this functionality, you'll have to allow the data to be collected. WOT has an extension for Firefox, Google Chrome, IE, Opera, and Safari. Other browsers can use a bookmarklet for the service.

In recent years, there's been widespread coverage of packet sniffing. The best-known tool to this end is Firesheep, which can collect session cookies sent over non-secure connections. Firesheep in particular can be countered with Blacksheep, but other tools can do a similar job, such as Wireshark. The most effective way to combat these other tools is to always establish a secure connection. To that end the Tor Project and EFF have teamed up and made an extension called HTTPS Everywhere for Firefox (NoScript can also do it, but it is a bit more complicated. Here is the FAQ). Similar extensions exist for Chrome (HTTPS Everywhere is in alpha) and Opera, but are not as foolproof.

Also note two things. First, using these plugins is NOT enough to guarantee you are secure, especially on public wifi. In recent months an attack known as BEAST has been shown to defeat earlier versions of SSL/TLS. To make matters worse, very few browsers support TLS 1.1 and 1.2 (the only two versions not vulnerable to BEAST) and as such few websites use them, making virtually all of HTTPS vulnerable to BEAST. Of course BEAST is rare right now, but there is an older attack possible on wifi known as SSLStrip. SSLStrip does not break HTTPS, but instead acts as a proxy, removing SSL from requested pages. It is a type of Man-in-the-Middle attack. Still, these are really only threats on public wifi (which I'll talk about another day), but just be aware of them.
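As an added example (not part of the original post), here is a small Python audit for exactly the two issues above: it reports when a server has negotiated a BEAST-affected version with a CBC cipher, and whether it sends the HTTP Strict-Transport-Security (HSTS) header, which is what stops a browser from being quietly downgraded to plain HTTP by an SSLStrip-style proxy. The function names and the sample values are mine, and the live check assumes you have network access.

```python
"""Added example, not from the original post: an audit for the two HTTPS
weaknesses described above.  BEAST applies only to SSLv3/TLS 1.0 with a CBC
cipher, so the negotiated version is checked; SSLStrip can only downgrade a
site the browser is willing to fetch over plain HTTP, and the
Strict-Transport-Security (HSTS) header tells browsers to refuse that, so
the header is checked.  check_host() needs network; the rest runs offline.
"""
import http.client
import ssl

# Versions as reported by SSLSocket.version(); only these are in BEAST's scope.
BEAST_AFFECTED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1"}


def beast_exposed(version, cipher_name):
    """True if the version/cipher pair is in BEAST's scope.  OpenSSL names
    CBC suites without the mode (e.g. "AES128-SHA"), so any suite that is
    not RC4 (stream) or GCM/CCM/CHACHA20 (AEAD) counts as CBC."""
    if version not in BEAST_AFFECTED_VERSIONS:
        return False
    upper = cipher_name.upper()
    return not any(tag in upper for tag in ("RC4", "GCM", "CCM", "CHACHA20"))


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header; None if absent/unusable."""
    if not header_value:
        return None
    directives = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name:
            directives[name] = value.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None
    return {"max_age": int(directives["max-age"]),
            "include_subdomains": "includesubdomains" in directives}


def assess(version, cipher_name, hsts_header):
    """Combine both checks into a list of findings (empty means clean)."""
    findings = []
    if beast_exposed(version, cipher_name):
        findings.append("%s with CBC cipher %s: BEAST applies"
                        % (version, cipher_name))
    hsts = parse_hsts(hsts_header)
    if hsts is None:
        findings.append("no usable HSTS header: SSLStrip-style downgrade "
                        "is not prevented")
    elif hsts["max_age"] == 0:
        findings.append("HSTS max-age=0 clears the policy")
    return findings


def check_host(host, port=443, timeout=10):
    """Live check: handshake with host, then fetch its response headers."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        # On Python 3.10+ the default context refuses anything below
        # TLS 1.2, so a server stuck on TLS 1.0 fails here rather than
        # negotiating a BEAST-affected version.
        conn.connect()
        version = conn.sock.version()
        cipher_name = conn.sock.cipher()[0]
        conn.request("HEAD", "/")
        hsts_header = conn.getresponse().getheader("Strict-Transport-Security")
    except ssl.SSLError as exc:
        return ["TLS handshake failed: %s" % exc]
    finally:
        conn.close()
    return assess(version, cipher_name, hsts_header)


if __name__ == "__main__":
    print(assess("TLSv1", "AES128-SHA", None))  # constructed sample values
```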

Cookies and LSOs

Cookies are not necessarily bad; in fact there is a cookie keeping you logged in to this site right now. However, advertisers often use cookies to track you around the web. Given the usefulness of cookies in general, you probably don't want to outright disable them; however, blocking third-party cookies will block practically all advertiser cookies without hindering your web experience.

One big win happened this year on the tracking cookie front: the introduction of Do Not Track. It's gaining widespread adoption. Enable it if you don't want to be tracked. It's not guaranteed to be honored, but it'll keep the respectable websites from tracking you.

Firefox: Tools > Options > Privacy > Use Custom Settings for History > Uncheck "Accept third-party cookies"

Google Chrome: Wrench/Tools icon > Options > Under the Hood > Content Settings > Cookies > Check "Block all third-party cookies without exception"

Opera: Tools > Preferences > Advanced > Cookies > Select "Accept cookies only from the site I visit"

Local Shared Objects (LSOs), also known as flash cookies, are a part of Adobe Flash and are becoming an ever-more prevalent way of storing data on your computer as well as tracking your whereabouts. Note that, as before, LSOs do have legitimate uses, so don't think that they are all bad. There are a few things that can be done. The one thing that is the same for everyone is to go to Adobe's Online Flash Settings page and delete/disable the storage for various websites. This has one significant advantage over other options: you can set those websites that do use flash cookies to track you to 0kb. That way they can't store data and you don't have to worry about a new one being created. Firefox and Chrome have addons for flash cookies, namely BetterPrivacy for Firefox and Click&Clean for Google Chrome, both of which can automatically delete LSOs on browser close. Another way to go about this is to block Flash except when needed.

Firefox: NoScript can block flash perfectly fine. If you are not a fan of NoScript, there is Flashblock. (Flashblock and NoScript don't work well together, and since NoScript does what Flashblock does by default, it isn't necessary.)

Google Chrome: FlashBlock is available here as well.

Opera: Flashblock for Opera -- Even though it doesn't specify Opera 11, it works fine in it.

One more: the Evercookie. Evercookie is new on the scene and is a piece of JavaScript that stores data on your computer in multiple places through multiple methods. It is not widespread yet, but may be in the future. The only truly effective way to deal with the Evercookie is to block the JavaScript.

Using an ad-blocking feature, add the following entry: */evercookie.js*

Ad-blockers and Script-blockers

Ad-blocking does more than just remove annoying ads (though that is the most obvious) -- it also adds security. Ads are not controlled by the website they are displayed on, and there are many cases of malicious ads infecting users; the most recent example I can remember was not even a year ago on SlickDeals.net. I am all for supporting websites you visit, but when the ads don't run on their own server, you are taking a risk. Thankfully whitelists are fairly popular for ad-blockers, so you can get rid of the annoying/dangerous ones while still supporting your favorite websites. For extra privacy, consider adding the Track-blocking lists from here.

Script-blocking is similar. Many scripts from domains other than the one you are on can be dangerous or track you.

Firefox: Does it really need to be said? Adblock Plus! Undeniably the king of ad-blockers.

The previously mentioned NoScript is the add-on of choice for script-blocking.

Google Chrome: There are two popular ones: AdBlock and the port of Adblock Plus. Pick the one that suits your tastes.

For script blocking it is NotScript, and another option is ScriptNo.

Opera: Opera has a built-in Content Blocker that is best used with the Fanboy filter list. Right-click any page and select "Block Content" to access the blocker. Hold shift while clicking to block specific items. Both AdBlock and AdBlock Plus also exist on Opera now, if you prefer those.

Chrome's NotScript was ported to Opera 11 and is available here.

URL Unshorteners

With the advent of microblogging, URL Shorteners have grown in popularity. However, just randomly clicking a shortened link is very dangerous, as the site on the other side may be crawling with all sorts of nasty malware. Luckily, there are ways to unshorten a URL.

Firefox: Long URL Please

Google Chrome: LongURL

Opera: Unshorten

You can also always just use unshort.me for those URLs that don't want to unshorten.
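Added example, not from the original post: a Python snippet that does what the services above do, unshortening a link by following only its redirect headers and never loading the destination page. The sho.rt and example.com addresses in it are constructed for illustration, not real services, and the function names are mine.

```python
"""Added example, not from the original post: unshorten a link by following
only its redirect chain, so the destination page itself is never loaded.
resolve_chain() takes a next-hop function and so runs offline on constructed
data; http_location() is the live hop (HEAD request, no automatic redirects).
"""
import http.client
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10
REDIRECT_CODES = {301, 302, 303, 307, 308}


def http_location(url, timeout=10):
    """One live hop: the absolute Location target if url redirects, else None."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        conn = http.client.HTTPSConnection(parts.netloc, timeout=timeout)
    elif parts.scheme == "http":
        conn = http.client.HTTPConnection(parts.netloc, timeout=timeout)
    else:
        return None
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        # HEAD keeps the reply to headers only, and http.client never follows
        # redirects by itself, so every hop stays under our control.
        conn.request("HEAD", path)
        resp = conn.getresponse()
        if resp.status not in REDIRECT_CODES:
            return None
        target = resp.getheader("Location")
        return urljoin(url, target) if target else None
    finally:
        conn.close()


def resolve_chain(url, next_hop=http_location, max_hops=MAX_HOPS):
    """Follow redirects from url; return (urls visited, status).

    status is "resolved" when a hop did not redirect, "loop" when a URL
    repeated, or "too_long" when max_hops redirects were followed without
    reaching an end.  The last URL is the destination (or where we gave up).
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        target = next_hop(chain[-1])
        if target is None:
            return chain, "resolved"
        chain.append(target)
        if target in seen:
            return chain, "loop"
        seen.add(target)
    return chain, "too_long"


if __name__ == "__main__":
    import sys
    for short in sys.argv[1:]:
        hops, status = resolve_chain(short)
        print(status, " -> ".join(hops))
```

A loop or a chain that hits the hop limit is itself a reason not to click the link.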

Private Browsing and Deleting Browser Data

Private browsing is supported in Firefox, Google Chrome, and Opera. It allows you to browse the web without leaving a trace (not really, but for the most part, yes). It is great for when you occasionally want to browse without leaving a trace, but if you are willing to go further, you can clear all or at least selected browser data every time on close. Why would you want to do this? Your browser cache and cookies are insecure. If someone gains access to your computer and you don't clear out your cache and cookies, they will be able to gain access to your accounts since you are still logged in. This can be remedied in Firefox, Chrome, and Opera in different ways by deleting your browser data on browser close.

Firefox: Tools > Options > Privacy > Check "Clear history when Firefox closes". Proceed to click the "Settings" button. Cookies, Cache, and Active logins should definitely be cleared on close. It does mean you'll have to log in to your sites every time, but that is what password managers are for. For extra security clear your Form & Search History and Download history. If extra paranoid and you won't miss it, clear your Browsing history as well. Super-paranoid people may also want to consider clearing offline website data and site preferences to not leave a trace behind.

Google Chrome: Google Chrome only supports deleting cookies on browser close. To enable this go to Wrench/Tools icon > Options > Under the Hood > Content Settings > Cookies > Check "Clear Cookies and other site data when I close my browser". You need the previously mentioned Click&Clean to completely clear out your private data on browser close. It is an option under the extension options.

Opera:
Cache: Tools > Preferences > Advanced > History > On "Disk Cache" check "Empty on exit".
Cookies: Tools > Preferences > Advanced > Cookies > Check "Delete New Cookies when Exiting Opera"
Download: opera:config#TransferWindow|KeepEntriesDays and set to "0"
If feeling extra paranoid: Tools > Preferences > Advanced > History > Set History Addresses to "0" and uncheck "remember content on visited pages" and set opera:config#UserPrefs|SavePasswordProtectedPages to 0

The Remaining stuff: Web domains and Browser Plugins

The single greatest thing you can do to check if you are on a phishing website is to check the domain. Modern web browsers all highlight the actual domain of the site making it all the easier. Doing that alone will greatly lower your risk of being a phishing victim.

The last thing to talk about is plug-ins. Plug-ins are insecure, to put it simply. They aren't updated automatically with your browser, and it is very easy to miss one that is a security risk. The biggest security risks in general to your computer are: Adobe Flash, Adobe Acrobat/Reader, Java, Silverlight, and Quicktime (a video on the vulnerabilities and flaws of the PDF format). On top of not updating with your browser, these plugins also have a great deal more permissions than your standard browser extension does. Ask yourself if you really need those plugins, and then, even for those you do, think about at least making your addons on-demand (I currently run with Java always disabled, it being the least useful in the modern web and one of the most dangerous). Mozilla made a wonderful plug-in checker that is available here; use it often. It works with Firefox, Google Chrome, and Opera. I also highly recommend using an alternative to Adobe Reader. Sumatra PDF is my favorite on Windows (Mac OS X includes its own great built-in one, and on Linux whichever comes with your desktop environment is probably plenty good). Take a moment to see what plugins you have installed in your browser. This can be done simply by typing about:plugins into your URL bar for Firefox/Chrome and opera:plugins for Opera.

This year saw a huge resurgence in Java attacks, with many zero-day exploits this year. Ask yourself: Do I need Java installed on my computer? If not, UNINSTALL IT. If you do need it on your computer, ask yourself: Do I have any websites that need Java? Most likely you don't, as very few modern websites require Java. I HIGHLY suggest going a step beyond plugins on demand for Java and just plain disabling it in your default browser. If you happen to need it, have a backup browser JUST for Java. It's easy with the plethora of web browsers out there today.

Firefox: NoScript is the closest thing to plug-ins on demand. If you don't want to block JavaScript, you can set it up so that only plugins are disabled. To do this, go into the Options for NoScript. Under General, select "Scripts Globally Allowed (dangerous)", then on the "Embeddings" tab, forbid Java, Flash, Silverlight and other plugins, and select "Apply these restrictions to whitelisted sites too". Plugins are now effectively on-demand.

Chrome: Plug-ins on Demand

Opera: Plug-ins on Demand

Note that running plugins on demand may break some sites.

Specific Websites

On the various websites we share all sorts of information. These sites generally have various security and privacy settings so you can control who can see that information and how secure your account is.

Webmail

Currently Gmail is set to always use HTTPS for secure email browsing, which is a good thing, but if you changed this yourself you can fix it under the General tab in Settings. Windows Live Mail/Outlook recently added this feature, which you can set by going here. Unfortunately Yahoo! has not added this feature for free users. If using Yahoo! you should request this very important security feature be added, or better yet: switch to Gmail or Windows Live Mail. Likewise if you are still stuck on AOL mail SWITCH NOW!

WLM/Outlook also has a single-use code system for signing in on computers that are not your own. For information on how to set it up, read WLM's FAQ. Gmail does not offer this, but does offer Two-step authentication, which significantly boosts your security. Enabling it is easy, as Google explains how to enable two-step authentication in their blog.

Google also offers the ability to recover your account via SMS or your smartphone. To add this feature, go to your Google Account's Password recovery options. Windows Live also offers this feature. Go to Account Overview and under Account Settings there is a line that says "Security Info". Click Manage and you will have the option to enter a phone number for recovery use.

A feature unique to Windows Live Mail is Trusted PC. On the plus side it makes password recovery dead-simple from a single PC; the downside is it's useless if you use it on a laptop, and unfortunately you need Windows Live Essentials installed as well as Internet Explorer, putting it out of the realm of possibility for Mac OS X or Linux users.

Gmail offers the ability to remotely log out of any computer, which can be very useful if you leave yourself logged in somewhere by accident.

An alternative webmail service is Lavabit, which stresses privacy above all else. It doesn't log IPs, it doesn't retain your sent emails past 7 days, and it encrypts everything. Of course it's a big switch.

Facebook

Last year it was Timeline, this year Facebook is introducing Social Search. Lifehacker's guide to Facebook has been updated appropriately.

I was ready to do this big expose on Facebook privacy settings, but then I found out about Lifehacker's always-up-to-date guide to Facebook Privacy. Read it, bookmark it, check it every now and then.

Facebook rolled out HTTPS across the site; it can be found in your Account Settings, and I highly recommend enabling it ASAP if it isn't already.

Facebook now can notify you when your account is logged in from a new device. I love services like this, so I recommend you enable it to keep tabs on your account.

Now go to Account Settings to get the last little bit of privacy and security settings:

Set up your mobile phone with Facebook, and you can get one-time passwords through SMS for Facebooking anywhere you don't feel 100% safe (like those public wifi networks previously mentioned). In "Account Settings" you can also remotely log out any other active computer connected to your account.

For the last thing, head over to the "Facebook Ads" tab in your account settings. Set to "No one" both "Allow ads on platform pages to show my information to" and "Show my social actions in Facebook Ads to". With that, your Facebook is now nice and secure.

Also: be aware that linking to content from your profile IS a leak that can lead to your profile being uncovered. Be aware of this when linking to images you've uploaded to your Facebook account. Likewise be wary of Facebook Connect. If your Facebook login information is compromised, so are these sites. It can also be used to track down your Facebook page if your profile picture is tunneled through FB Connect.

Be aware of how much information leaks through to Apps when using them. The WSJ did a good writeup on this:

"The apps reviewed by the Journal were sending Facebook ID numbers to at least 25 advertising and data firms, several of which build profiles of Internet users by tracking their online activities."

Your Facebook ID is always collected, so it isn't fully anonymous; this data is linked directly to you:

"Defenders of online tracking argue that this kind of surveillance is benign because it is conducted anonymously. In this case, however, the Journal found that one data-gathering firm, RapLeaf Inc., had linked Facebook user ID information obtained from apps to its own database of Internet users, which it sells. RapLeaf also transmitted the Facebook IDs it obtained to a dozen other firms, the Journal found."

Google

Pretty much all of us use it, and it knows a ton about most of us. Thankfully Google does give you some control.

Google+ users, check out this Guide to Google+ Privacy. One thing I really do admire about Google was how up-front they are about the privacy settings for Google+.

Google Privacy Center - Learn it, love it, visit it often. Click on Privacy Tools to get to the settings. The rest is just information. In privacy tools you will see many options.

Google Dashboard: The important one is Google Dashboard, which will tell you what Google products you are using and what Google knows about you through them. It is a central point of control for all your use of all Google products.

Ads Preference Manager: this will allow you to control what ads Google will show you. In doing so you tell Google what you like so you get more accurate/relevant ads.

Data Liberation Front: If you are looking into biting the bullet and leaving Google entirely, head here. This site will tell you how to get any and all your data out of all the Google services so you can switch to different options. It's drastic, but if you are THAT worried about Google, it may be interesting.

Google Encrypted Search: This secures the connection between you and Google for your searches, and in recent months Google has been rolling it out as default for all logged-in Google users. Google still stores your information, and Scroogle is no more. Your best option if you don't like this is to use DuckDuckGo, which has a very fair privacy policy, much less invasive than Google's.

Web History Controls: This is a setting you may have inadvertently enabled. It uses your previous web searches to "help" you in the future as well as potentially storing other web usage information. Disabling it doesn't remove your searches from Google's servers, but it may still be useful, especially in a multi-user environment.

Google Analytics Opt-out: You can opt out of being tracked through Google Analytics. You will need to install a browser extension, which currently only supports Firefox, Google Chrome, and Internet Explorer. This can, of course, also be done through a content blocker.

Search Personalization Opt-out: If you are using Web History, this is enabled. Instructions on how to disable it when not signed into a Google Account are also explained.

Other sites & Web App Permissions

Microsoft's gotten into the game this year, and now offers a dashboard for your privacy settings and personal info like Google. If you're a big Microsoft/Windows Live/Bing user, you should check it out: https://choice.microsoft.com/Data/?lc=1033

Beyond that, just check out the sites you use and make sure everything seems right according to you. If you use a password manager, figuring out what sites you use and maybe don't visit often is very simple.

Also, a simple way to check your websites' app permissions is with MyPermissions. It's a one-stop link shop for finding out who has permission to access your various social network sites. Clean out any apps you don't need on all of them (I checked myself at the beginning of the year, and the only thing I had was an email app for my main gmail account -- an app I still use, so I was 100% clean). Another service is Adjust Your Privacy. There's some overlap between the two, but AdjustYourPrivacy offers some links that MyPermissions lacks (and vice-versa).

Some General Privacy Remarks and Tricks for the Web

If you want to send a note to someone over the Internet, but don't want to leave it around afterwards, a cool tool is Burn Note. You can also recreate this in Google Docs if you prefer that route.

WikiHow has a pretty cool trick for helping you spot identity theft by making Google play for your side via Search Alerts. Of course, this means giving Google some information on you.

The EFF released a star rating system for who cares about your privacy. It may surprise you that Google didn't score that badly. The worst offenders, besides ISPs, were FourSquare, MySpace, Apple, Microsoft, and Yahoo (Skype is now owned by Microsoft, so I didn't list it, but it also scored zero).