Posts Tagged ‘Security’

A Tor shirt of my very own

Wednesday, May 9th, 2007

I am officially the coolest dude in Brooklyn (in my head at least). I have my very own Tor t-shirt! A few weeks ago one of the developers of the software emailed me to let me know that I had been running a fast Tor server for some time now and he asked me if I wanted a free t-shirt. Naturally I said yes. Soon after, I received a package with the shirt. It’s the coolest, ever. Click the thumbnails if you want a better look at the front and back.

Tor is a free program that provides onion routing anonymity for just about any program using the TCP protocol (browsing, blogging, instant messaging, IRC and SSH to name a few of the uses). In this day and age, with privacy rights getting raped, prison-style and draconian governments throwing people in prisons for thought crimes, it’s a good and necessary thing to have and to support. I run Tor on a Linux server (Ubuntu) I rent somewhere in Florida to give back to the network I occasionally use. I don’t really use the server for much, so I don’t limit the bandwidth I give to Tor, allowing it to be one of the faster middlemen in the web of servers that make up the Tor network. I think it’s pretty cool shit.

Tor is available for Linux, Windows and Mac. The project is non-profit and is supported by the Electronic Frontier Foundation and people like you (if you’re cool) and me (I’m so totally neat). You should download Tor, in case you should ever need it. If you have some free bandwidth, consider running a Tor server. You can also help the project by donation. If all of this isn’t your bag of nuts, you might want to think about becoming a member of the EFF and supporting the fight to protect digital rights and privacy. It’s all good shit.

Get a Visa for that fistula… or else!

Tuesday, February 6th, 2007

I know it’s only Tuesday, but I think that nothing’s come close to (or will surpass) making my week like this article about a man, afflicted with an anal fistula, who for one reason or another, flagged the attention of some U.S. Immigration officials and earned himself a cavity search.

Some exciting excerpts:

“Arriving on holiday in New York in August last year, the unnamed 48-year-old was interrogated and searched by immigration officers… The rectal examination discovered a device called a seton, which doctors in the UK had inserted into the fistula to help control long-term infection.”

“The man had an anal fistula, which is a painful channel that can develop deep into the anus, caused by infection or digestive conditions such as Crohn’s disease.”

“US immigration officials insisted the sufferer of an anal infection remove a small piece of medical thread which was being used by doctors to treat the condition. The man required treatment under general anaesthetic as a result.”

“…After one baffled immigration officer pulled “very hard” on the seton, the patient was given the choice by the baffled immigration officers of either getting on the next plane home, or submitting himself to a procedure to have it removed.”

Fortunately, the whole fiasco caused no extra damage to the guy’s ass, although they did have to knock him out to remove the seton. Awesome.

Good security starts with getting rid of Windows

Wednesday, November 15th, 2006

I just read this article on security advice by Kevin Mitnick and I’m equal parts pissed and laughing at it. It’s a classic case of ignoring the elephant in the room and it really makes me wonder where Mitnick’s integrity is since I don’t think he’s a particularly stupid person.

He starts the article with the old “We live in dangerous times. Evil hackers can attack you with their viruses!” line and then proceeds to outline ten steps he feels will increase your safety and security. Some are common sense recommendations that I agree with:

  1. Back up everything
  2. Choose strong passwords
  3. Be diligent with applying security updates
  4. Use encryption for sensitive data
  5. Disable unused services
  6. Use a firewall/router to restrict/limit access to your machine
  7. Encrypt your wireless networks with uber-strong passwords using WPA

All these points I agree with. All are basic, simple, common sense things everyone should do, but often do not. His other recommendations are what give me pause:

  8. Use commercial antivirus products
  9. Use one or more anti-spyware applications
  10. Avoid Internet Explorer and disable scripts in your email client

This is where I completely disagree. Recommendations 8-10 can be simplified to one step:

  1. Stop fucking using Windows already


Getting ban-happy with DenyHosts

Wednesday, October 25th, 2006

Several times a day, computers somewhere in India or China (usually) launch brute force and dictionary attacks on my server to try and get SSH access. To anyone running their own server who regularly browses their SSH logs (/var/log/secure or /var/log/auth.log, depending on your distro) this is old news. Checking my logs, I’d see 80-100 failed login attempts from a single IP address trying a whole ass-load of non-existent user names and passwords.

I have SSH locked down fairly well, with remote root logins off and password authentication disabled in favor of RSA-based keys. However, I opted to leave SSH on the default port 22, which undoubtedly accounts for all the attacks. Usually, I’d place the offending IP in my /etc/hosts.deny file, banning it for eternity with an “ALL:[bad IP address]”. Still, this meant that I banned them after the fact.

So, I installed DenyHosts. It’s a Python script that can run as a daemon, monitoring my /var/log/auth.log for login attempts using non-valid users and/or passwords. After a few failed or invalid logins, the attacking IP is automatically added to /etc/hosts.deny, nipping a prolonged attack in the bud—just the way I like it.

DenyHosts is highly configurable, letting you specify all types of rules such as how many failed logins are allowed before banning, specifics of what services to ban and for how long (hours, years, eternity). You can have DenyHosts email reports to you and also have it synchronize against a master list of bad IPs that’s bolstered by over 4,000 users. It’s pretty damn cool. In one day, I had three separate attacks, promptly caught and banned.
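The threshold-and-ban idea described in this post, as an added sketch that is not DenyHosts’ own code or part of the original post: it counts failed sshd logins per source address and returns /etc/hosts.deny lines in the “ALL:” form used above. The log lines are constructed samples, and the names `count_failures` and `new_deny_entries` are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sshd lines in the usual auth.log format (documentation-range IPs).
SAMPLE_LOG = """\
Oct 25 03:11:01 host sshd[811]: Invalid user admin from 203.0.113.7 port 4111
Oct 25 03:11:03 host sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 4111 ssh2
Oct 25 03:11:05 host sshd[813]: Invalid user test from 203.0.113.7 port 4112
Oct 25 03:11:09 host sshd[815]: Failed password for root from 203.0.113.7 port 4113 ssh2
Oct 25 03:12:00 host sshd[820]: Invalid user x from 192.0.2.10 from 198.51.100.9 port 5001
Oct 25 03:12:02 host sshd[822]: Invalid user y from 192.0.2.10 from 198.51.100.9 port 5002
Oct 25 03:12:04 host sshd[824]: Invalid user z from 192.0.2.10 from 198.51.100.9 port 5003
Oct 25 03:15:00 host sshd[830]: Accepted publickey for dave from 192.0.2.10 port 6001 ssh2
Oct 25 03:16:00 host sshd[832]: Failed password for dave from 192.0.2.10 port 6002 ssh2
"""

# The user name is attacker-controlled text, so the source address is taken from
# the END of the line; a name like "x from 192.0.2.10" cannot redirect a ban.
FAILURE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user .*|Failed password for (?!invalid user ).*)"
    r" from (\S+) port \d+(?: ssh2)?$"
)

def count_failures(log_text):
    """Count failed logins per source IP, one count per attempt."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILURE.search(line)
        if not m:
            continue
        try:
            hits[str(ipaddress.ip_address(m.group(1)))] += 1
        except ValueError:
            continue  # not an IP literal (for example a host name); skip it
    return hits

def new_deny_entries(log_text, threshold=3, already_denied=(), allowed=()):
    """Return hosts.deny lines for addresses at or over the threshold."""
    skip = set(already_denied) | set(allowed)
    counts = count_failures(log_text)
    return [f"ALL: {ip}" for ip, n in sorted(counts.items())
            if n >= threshold and ip not in skip]

if __name__ == "__main__":
    for entry in new_deny_entries(SAMPLE_LOG, allowed={"192.0.2.10"}):
        print(entry)
```

The `allowed` set keeps your own address from ever being written to hosts.deny, which matters because a single mistyped login from home would otherwise count toward a ban.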

Secure proxy tunnelling with SSH and Squid

Wednesday, May 17th, 2006

Web filters are retarded. The only times I ever butt against a company’s web filter seem to be when in search of legitimate, non-offensive information. I’m not into breaking the law. I’m not into downloading porn at work. Why penalize me when I try and look up some technical information because an application like SmartFilter or SonicWall considers some geek’s tutorial on getting an Open Source application up and running, “Free Software/Downloads—Forbidden”, even though no actual software or source code is stored on the site? Or blocking a website as pornography because the author of the page has the unfortunate last name of “Dyke”. SmartFilter kind of seems like one big oxymoron. Perhaps StupidFilter is more appropriate. I could give a rat’s ass whether it kept kids away from pornography, all I know is that it often keeps me from accessing harmless, legal and inoffensive information—usually technical in nature. Fuck that.

Sick of being hamstrung by obtuse internet filters, I set up a proxy on my server using Squid that I tunnel to via SSH. Once connected, I bypass all web filtering wherever I am and as a bonus, all information sent to and from my browser and my server is encrypted and therefore private to anyone snooping on the local network. Here’s how.


Secure Gmail sessions using https

Friday, May 12th, 2006

While I’ve known that Gmail uses SSL to log in, someone recently pointed out to me that while my password is sent to Google fully encrypted, once logged in, all pages that I view are sent via http, meaning that all the emails I read and send can be scooped right out of the ether at any open hotspot.

One remedy I found is to manually change the address from
http://mail.google.com/mail/ to https://mail.google.com/mail/
and for that session, you should be using https and all the pages you view in Gmail will be encrypted. Very cool, but I have to remember to manually check this every time I log in. I smoked way too much weed as a teenager. Half the time I don’t even know what day of the week it is. No lie. How am I supposed to consistently remember this?

Looking further, I found this great extension for Firefox that takes care of the problem for me. CustomizeGoogle lets you set a whole mess of options for a variety of Google services. I won’t get into most of the details since they don’t apply, but check them out because a lot of them are pretty cool. One option that is relevant is that once installed, you can set an option for Gmail to always use https by default. Just check off that one option and from that point on, you have worry-free, encrypted Gmail sessions as a default. Pretty damn useful. CustomizeGoogle also lets you set an https default option for Google Calendar as well. Even sweeter.

Unfortunately, Safari, Konqueror and other browser users are out of luck (IE users, you deserve what you get.) with this extension, so unless there’s something else out there, they have to manually check the session every time or set a bookmark using https in the URL and be consistent about accessing Gmail through that bookmark.

How to install your GPG keys to a USB dongle for WIN XP

Monday, May 2nd, 2005

Dongle! It’s true, the only purpose of this post is to use “dongle” as many times as possible. Dongle, dongle, dongle. *sigh*

Seriously though, daveb has been struggling all day with a technical conundrum and endless googling turned up scarce and confusing info. Having finally figured it out, he feels bound to post the steps as simply as he can so that other brain-damaged squirrel humpers like himself can get the job done. With that said, daveb presents to you:

How to install your GPG keys to a USB dongle for WIN XP

  1. Install the latest binary version of GnuPG
  2. Attach your USB dongle and create a folder named keys, or whatever’s appropriate for you. If you have pre-existing keyrings, place them here.
  3. Open REGEDIT (START > RUN > type regedit)
  4. In REGEDIT, navigate to HKEY_CURRENT_USER\Software\GNU\GnuPG
  5. Right click in the folder and select NEW > STRING VALUE
  6. Name it “HomeDir” (without the quotation marks, of course)
  7. Right-click the entry and select MODIFY.
  8. Under VALUE DATA, type the full path to your desired key folder. For example, daveb’s is F:\keys\ (“F” being the USB dongle). Hit OK.
  9. Open a command prompt and type “gpg --version” or “gpg --list-keys”. Check for the Home that is listed; it should now be your dongle and any keys in that folder should now be listed. You’re done!

Now that you’re finished, use a file-shredding program like Eraser to destroy any locally saved copies of your keys. With that done, the only way to encrypt or decrypt with your keys is to have possession of the dongle. So, keep it safe. You also might want to consider hiding a backup on floppy somewhere (safe deposit box, deserted island, anal cavity) due to the fact that although dongles last a long time, they do have a write-life, depending on your model.