
More secure than my bank’s web site?

Someone once said – and I got this quote from the computer game Sid Meier’s Alpha Centauri, so I’m not sure if they got it from elsewhere – “The pinnacle of military deployment approaches the formless, for if it is formless, then even the deepest spy cannot discern it nor the wise make plans against it.”. I would modify that wisdom to apply to information security: The pinnacle of secure information is the nonexistent, for if it is nonexistent, then even the deepest spy cannot leak it nor the most talented cracker steal it.

I mentioned in a previous post that I was setting up a new web site, dragonsmoke. I set it up because I want to run my own web server at home. Like much of what I create, the final product (the content being served) is less important than the process of creating it (setting up a secure server).

I have been using various automated testing tools to harden my server’s security. The first one I discovered, and the one that has been most helpful so far, is Qualys SSL Labs’ SSL Server Test. I have taken a repetitive-testing approach to web site security: first I got the site running with a Let’s Encrypt HTTPS certificate, then I ran the test, then I fixed whatever it told me to fix, then I ran the test again, and so on. Now I have an A+ rating on that test. A+ is great, but I want perfect.

Out of curiosity, I also ran the SSL Server Test against my bank’s web site: its overall score was identical to mine, A+ but could be better. I did notice one small area where my site did better: On the advice of security expert Steve Gibson, I use OCSP Must Staple. I can see no reason not to; it’s so easy to set up.

I think my score will improve slightly when dragonsmoke gets added to the HSTS preload list. I’ve submitted it for inclusion, now I just have to wait.

The second automated test I discovered was Observatory by Mozilla. It recommended some HTTP headers that I’d never heard of before, which I could configure my web server to send. So that’s a plus. Now dragonsmoke has an A+ rating here too, but again not a perfect score.
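The fix-and-retest loop above, and the HSTS preload submission, can be checked locally before re-running the online tests. This is an added example, not the blog’s own code: it parses a site’s Strict-Transport-Security header against the preload-list rules and reports which Observatory-scored headers are still missing. The one-year max-age threshold and the header list are assumptions taken from hstspreload.org and Observatory, not from the post, and the BEFORE/AFTER headers are constructed samples.

```python
# Added example, not the blog's own code: check response headers the way the
# SSL Labs / Observatory fix-and-retest loop would. The preload threshold and
# header list are assumed from hstspreload.org and Observatory, not the post.
HSTS_PRELOAD_MIN_AGE = 31536000  # one year, hstspreload.org's current minimum
RECOMMENDED = {  # Observatory-scored headers; None means any non-empty value
    "x-content-type-options": ("nosniff",),
    "x-frame-options": ("deny", "sameorigin"),
    "content-security-policy": None,
    "referrer-policy": None,
}

def normalize(headers):
    """Lower-case names so lookups are case-insensitive, as HTTP requires."""
    return {k.lower(): v.strip() for k, v in headers.items()}

def parse_hsts(value):
    """Parse Strict-Transport-Security; None if absent or max-age missing/malformed."""
    if not value:
        return None
    parsed = {}
    for directive in value.split(";"):
        name, _, raw = directive.strip().lower().partition("=")
        if name == "max-age":
            raw = raw.strip().strip('"')
            if not raw.isdigit():
                return None
            parsed["max-age"] = int(raw)
        elif name:
            parsed[name] = True
    return parsed if "max-age" in parsed else None

def hsts_preload_problems(headers):
    """Reasons the preload list would reject the site (empty list = eligible)."""
    hsts = parse_hsts(normalize(headers).get("strict-transport-security"))
    if hsts is None:
        return ["no valid Strict-Transport-Security header"]
    problems = []
    if hsts["max-age"] < HSTS_PRELOAD_MIN_AGE:
        problems.append("max-age %d below %d" % (hsts["max-age"], HSTS_PRELOAD_MIN_AGE))
    if not hsts.get("includesubdomains"):
        problems.append("missing includeSubDomains")
    if not hsts.get("preload"):
        problems.append("missing preload")
    return problems

def missing_recommended(headers):
    """Observatory-scored headers that are absent or carry an unexpected value."""
    h = normalize(headers)
    return [n for n, ok in RECOMMENDED.items()
            if not h.get(n) or (ok and h[n].lower() not in ok)]

BEFORE = {"Strict-Transport-Security": "max-age=10886400"}  # constructed: before fixes
AFTER = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
         "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
         "Content-Security-Policy": "default-src 'self'", "Referrer-Policy": "no-referrer"}
```

Run `hsts_preload_problems` and `missing_recommended` on the headers your server actually sends (for example, copied from `curl -I`) to see what the next test run will complain about.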

I’ve put all this effort into encrypting connections to my web site, making it really hard for any MITM to see or modify any of the data sent between client and server. The most important step in creating information security is not the encryption, though: it is the data itself. The less data there is, the less likely it is for important data to leak. I know that a bank may need to send and receive lots of potentially interesting data: credit card details, names, passwords, PINs, phone numbers, you name it. Dragonsmoke does not need that info, so it provides no means for users to enter that info. No data is collected at all. That is how I know that my site is more secure against data theft than my bank’s site.

I still want perfect scores though. Just because my site is small and niche does not mean I will settle for less.

I love multiple monitors

I got a new monitor today (well, actually a few days ago, but today I put it where I want it).

I heard somewhere that people of my generation (I forget what we’re called, the generation before the millennials) have on average two screens in use at any one time: perhaps a TV and a PDA, or a computer with two displays. I, right now, have four. Plus two more that could be turned on if I wanted to.

  • In use:
    • 1 new 27-inch widescreen LCD computer monitor
    • 1 old ~20-inch 4:3 aspect ratio LCD computer monitor
    • 1 17-inch laptop LCD
    • 1 ~5-inch PDA
  • Not in use but visible from where I’m sitting:
    • 1 old ~21-inch 4:3 aspect ratio LCD computer monitor, currently hooked up to a Raspberry Pi
    • 1 6-inch e-reader

Just a few years ago, I could barely imagine using more than one screen at a time. Now four feels comfortable. Soon I will want more.

Setting up a new web site

So I’ve been looking for a new programming project to work on in my spare time. I know, Cybrinth isn’t finished and Mines-Perfect-Linux never really got started, and AcrylicPaint could always use my help. I’ve just temporarily lost interest in those projects. It happens – I can go several months between commits on Cybrinth, for example, but I’ll never forget it. The same is true for the others.

The other day, I decided on a whim to buy a new domain. Something involving dragons, because dragons. I initially thought I’d just use it for music streaming and file synchronization between my own devices. I am still going to do those things. But I want to do other stuff too.

Recently, the gang over at alt.fan.dragons have been discussing the disappearance of documentation regarding the Dragon Code, a method by which dragons can be described using a minimal number of text characters. That’s what I’ll do with the new domain: set up a simple, low-bandwidth site serving up whatever info I can find about the DC. I’ll code all the pages by hand, and I’ll serve them up from my home server (which I’m in the process of setting up now). That way I can avoid paying hosting costs – even the electricity is essentially free because the physical server I’m using is my router, an essential part of my home network which stays online regardless of whether it’s serving up web pages. Other services, such as NNTP or MUCK servers, can be added later if I feel like they won’t interfere with my neighbors’ internet connections. Or I might set up subdomains with paid hosting.

The downside of hosting at home is that it is a violation of Comcast’s Acceptable Use Policy. Comcast could rate-limit, or even shut down completely, my internet connection. It’s risky, I’ll admit that. But I don’t think they’re going to. For one thing, I’ve been violating their AUP in another way for over a decade and never even received so much as a warning letter: file sharing. BitTorrent, specifically, is what I use now but I’ve used other protocols in the past. Comcast’s network is more than capable of handling all the traffic my family generates now, and I really don’t expect much traffic going to my new HTTPS server. The impression I get from reading various forum posts is that Comcast doesn’t care about small little servers generating virtually undetectable levels of traffic; it’s only when the traffic is enough to cause problems that they step in.

Apps I Use: Security Software & Hardware (Part 1)

In light of the recent huge DDoS attack against Dyn, which Brian Krebs reports (getting his information from Flashpoint) was apparently carried out using a Mirai-powered botnet, I thought it appropriate to highlight some of the security software and hardware I use to try to ensure that my devices don’t become part of the botnet.

My first layer of defense at home is my router. My current router is in serious need of replacement – its software is buggy and it requires reboots approximately once every month or two (far too frequent for a home router, if you ask me). That said, it’s still useful and here’s why:

  • Port forwarding: Several of my devices use SSH to automatically synchronize files across my home network. I know SSH is overkill for that kind of thing, but it’s easy to set up. Two of those devices are Raspberry Pis, low-power computers which I run mostly-headless (I can connect a monitor and keyboard if needed) and I use SSH to control them from my laptop or phone. My point is, none of these things need to receive SSH connections over the Internet, so my router doesn’t forward the standard SSH port to any of them. One of the Pis is, on the other hand, used as a BitTorrent seedbox – other BitTorrent peers can connect to it most easily if I make at least one port of my choosing accessible from the Internet.
  • An unencrypted Wi-Fi network for guests: Until yesterday I ran two wireless networks from the same router: one with strong encryption for my family’s use, and one with no encryption for the convenience of guests and strangers. This separation of networks was to ensure that friends could access the Internet quickly if all they wanted was to watch cat videos on YouTube but would still have to talk to me if they wanted to network with my computers. The principle of least privilege is a key component of good computer security. Now I have chosen to disable the guest network to ensure that strangers’ devices can’t unintentionally use my Internet connection to join a botnet. There is little point in simply enabling encryption on the guest network because then guests would have to ask me for a password, the avoidance of which is the reason the guest network existed in the first place.

I am about to order a new router, specifically a Turris Omnia. It’s very expensive at $246 + shipping, but I hope it’s worth the price. Here are features I plan to use and which are not offered by the router I have:

  • “Advanced network monitoring”: I’ve been experiencing a frustrating problem lately: DNS servers are very slow to respond, sometimes timing out. The problem happens randomly throughout the 24-hour day, not all the time. It lasts for only a few minutes. It only happens at home (no problems when I’m at school, so far). It affects every computer on my home network. It probably isn’t related to the DDoS attack I mentioned earlier because this started at least a week earlier. I can find no way to troubleshoot the problem using my current hardware: my router doesn’t offer any kind of network monitoring/traffic analysis feature, and I can’t insert any of my computers between the router and modem because all of my computers have only one wired ethernet port. If I had a computer with two ethernet ports, then theoretically I could transparently capture and analyze every packet using Wireshark. Michael DeCesare described the problem well: “Moving beyond the acknowledged need to be better at patching devices, we must then ask if devices are protected by a robust perimeter security solution and are continuously monitored for suspicious behavior.” My router is my perimeter security solution, and the one I have does not monitor for suspicious behavior.
  • “Active bandwidth measurement” [source]: Potentially useful for troubleshooting, but mostly I’d just watch the colorful graphs.
  • Software updates for the lifetime of the device: “Omnia offers unattended automatic updates to core components of the system for the lifetime of the device.” [source]. Even if the promised automatic updates never happen, this router runs an open source operating system. I could potentially install my own updated copy. I could potentially write my own updates. Imagine that! Being able to fix things yourself rather than waiting for some monolithic corporation to get around to it! Not that I expect to ever actually write my own updates – I’m busy enough with other programming projects – but I like knowing that it’s a possibility. My current router runs a closed-source OS and hasn’t received any updates for a long time. A lack of bug fixes can be a serious security problem, especially for something as central to your network as your router.
  • A “distributed adaptive firewall” [source]: I haven’t yet found any other router that advertises a feature like this. Read the source for a description; I’m not going to copy it here. While this sounds like a feature that would be useless for a small network like mine, I’m choosing to assume that it will be useful. One of the biggest mistakes you can make in the field of network security is to assume that just because you’re small/unknown, you must therefore be a low-priority target and you don’t have to worry about anything. It is laziness like that which makes you so valuable to crackers: they can easily crack into your systems, then use those compromised systems to DDoS larger targets.

Now, on to the devices themselves. This is an overview, not a complete list. Specific apps may be discussed in future posts.

  • Game consoles: My family has a Nintendo Wii, some DSs, and various other gaming devices. There is no anti-malware software available for these. None at all. We turn these off when not using them, but even that may not be enough: they’re not really off, just in a low-power state that allows them to download software updates. And I don’t think they’ve gotten any updates lately. Which means they are constantly connected to the Internet and running potentially unpatched software.
  • PDAs: As I’ve said before, I use the term “personal digital assistant” to refer to smartphones, tablets, and ebook readers. We’ve got a mix of Android, iOS, and Ubuntu devices. None have firewall or antivirus software installed (Can you recommend some security software? Leave a comment!). I tried to install AFWall+ on my Android phone, but couldn’t run it because it needs root.
  • “Real” computers: Again, different computers have different software. Raspbian on the Pis, Ubuntu and a few versions of Windows on the other computers. Our Windows computers run Norton Security Suite because it’s provided for free by our ISP. On Ubuntu and Raspbian I use Gufw as a firewall and do daily virus scans with ClamAV.

Apps I Use: Acrylic Paint

So I thought I’d start a series of blog posts about PDA apps I use. I have two PDAs: a BQ Aquaris E5 running Ubuntu and a Motorola Moto E running Android. I’ll start with Android apps first since I don’t actively use my Ubuntu phone anymore.

Today’s app is one I installed on a whim a few weeks ago and never really played with until now: Acrylic Paint (f-droid, github).

Acrylic Paint is a very simple app: it lets you draw simple pictures using your device’s touch screen. It’s the kind of thing I might use if I just wanted to quickly sketch out an idea and didn’t have access to a pen & paper. I don’t expect to ever use this app, in part because I do commonly carry pens and paper, and in part because the kind of art I like to do is impromptu photography. Still, as a visual artist, I can see some value in keeping this in my toolbox just in case. The app’s simplicity means it only takes up 434 KB – hardly a large amount.

There is one feature that I think would really increase the usefulness of the app*, and that is the ability to import an image (e.g. a photo from the camera app) and then draw on top of that image. I may try to add this feature myself.

*edit: After publishing this blog post, I actually did add this feature to the app on GitHub. I don’t know how soon the F-Droid build will get updated.

License: GPLv3+
Version reviewed: 2.1.4

Screenshot of the Android app Acrylic Paint

More Crowdfunding Projects I’m Backing

It’s time for another blog post about crowdfunding. What am I backing this time? Here’s a look:


Fidget Cube


Fidget Cube is pretty much what the name makes it sound like: a little cube-shaped desk toy that encourages you to fidget. I like fidgeting with things. My current fidget toy is a flashlight with an interesting-to-feel shape and texture. I look forward to seeing how the Fidget Cube compares.


ZeMarmot

(No graph, sorry!)

ZeMarmot is an open movie, made with free-as-in-freedom software, currently being funded through Patreon.

Marmot likes to sleep, eat, and sleep again. One day, an old migratory bird tells him of the wonders of the world. Marmot decides to leave his home for the trip of his life and find the ultimate napping spot.
From Iran flying carpets to Paradise pacific island, Marmot will wander all over the world and be the first marmot explorer. Will he find what he is looking for?
(quoted from the Patreon page)

Crowdfunding projects I’m backing

As the end of the month, thus payday, approaches, it occurs to me that I’m backing an unusually large number of crowdfunding projects this month. I love crowdfunding: it’s a way that I as a consumer (I can be a consumer when I want to be!) can get a little influence over the products I buy: I spend money, perhaps a bit more than I would at a store, and in return I get the ability to communicate directly with the creators whose products I’m going to receive. Sure I am but one voice among many, but before crowdfunding it was hard to even have a voice. Plus I get the satisfaction of finding and funding products that either never existed before, or were previously too niche to be sold anywhere.

Most of these this month are on Kickstarter. Here they are, in no particular order:


System Shock


I have fond memories of playing the original System Shock even though I only bought it last year. It stands the test of time thanks to an incredibly well written story, a dark and foreboding atmosphere (not easy to achieve given the graphical limitations of computers in 1994!) and a truly terrifying villain. I refused to buy System Shock Enhanced Edition because it’s Windows only. With this Kickstarter-funded reimagining of the game, Linux support is the first stretch goal and I have no doubt it will be reached.

Link to project


Zed


Another game I’m buying due to nostalgia. I love the look of Myst. I love first-person adventure puzzle games. This is made by one of the same people who worked on Myst. Plus the downloadable demo supports Linux (but no promise that the full game will).

Link to project


Legendary Showdown: Gamer’s Quest


I’m not that into card games, but I am into the comic Ctrl+Alt+Del. I’m really buying this for my brother since this looks like exactly the kind of game he’d enjoy playing. I’ll make it a birthday or Christmas present, depending on when it arrives. I know the estimated delivery date is October, but my experience with crowdfunded projects is that those date estimates are totally unreliable.

Link to project


SilentKeys


Any hardware that attempts to protect your privacy and security gets two thumbs up from me. This is the only project that I’m funding with no expectation of reward.

Link to project


Earth-friendly EOMA68 Computing Devices

Sorry, no graph for this one!

I have to admit, I’ve never heard of Crowd Supply before. I’m a little teeny bit worried about leaving my debit card data with them, but it’s worth the risk to support these earth-friendly computers. Plus they say they expect their Libre Tea Computer Card to earn the Free Software Foundation’s Respects Your Freedom certification. It hasn’t been earned yet, but the fact these guys are even trying speaks volumes.

Link to project