This post is part 32 of 37 in the series Taming the Terminal

This is the fourth SSH instalment. So far we’ve learned how to securely execute terminal commands on remote computers, how to securely copy files across the network using SSH, and how to add both security and convenience to both those operations with SSH key pairs.

As we saw in the previous instalment, SSH’s ability to provide a secure connection between two computers can be used in many different ways. In this instalment we’ll learn about three more ways to encapsulate other network traffic within an SSH connection, adding encryption to that traffic.

Running commands and copying files are the kinds of things most people do, so the three SSH instalments to date have been quite generally applicable. That is not the case for this instalment. The three SSH features we’ll be discussing are all very useful to those who need them, but only a minority will have a use for any one of these features. However, even if you don’t need these features today, I would argue that it’s good to know these features exist, because they could well solve a problem you’ll have in the future.

There will be illustrations of the uses for these technologies, but not commands you type into your terminal to play along at home. That makes this an unusual instalment, but I hope you will still find it worthwhile.

Read more

Tagged with:

This post is part 30 of 37 in the series Taming the Terminal

In the previous instalment we saw how we can use SSH to execute a single command on a remote computer, or, to get a command shell on a remote computer. We also saw how SSH uses host keys to protect us from man-in-the-middle (MITM) attacks.

In this instalment we’re going to look at how we can improve both SSH security and convenience with SSH keys.

Read more

Tagged with:

This post is part 29 of 37 in the series Taming the Terminal

In the previous six instalments we looked in detail at how TCP/IP networks tick. In these instalments we worked our way up from the bottom of the four-layer TCP/IP network model to the top, finishing off with a look at two protocols in the Application Layer at the top of the stack. Those two protocols, DHCP & DNS exist in the top layer, but are different to most other top layer protools in that they can reasonably be described as forming part of the infrastructure of the internet. The email and web protocols may site within the same network layer, but they still rely on DNS to function.

For the remainder of the networking section in this series we’ve moving away from infrastructure-like protocols, and focusing on the user-facing Application Layer protocols. The first of these we’ll be looking at is the Secure Shell, or SSH. This protocol is one of the absolute work-horses of the internet, and a vital tool for all Linux, Unix, and OS X sysadmins.

At it’s simplest level SSH allows you to execute commands on a remote computer, but because it was designed around the concept of a secure tunnel between two systems, SSH has expanded to allow all kinds of advanced features. The least-generous description of this could be that SSH has become a kind of sysadmins fridgeoven. But I don’t buy that, I prefer the alternative interpretation – it simply makes sense not to re-invent the wheel, and to allow as much information as possible to flow throw the secure connection SSH provides between the two end-points.

Today we’re just going to start with the basics, but in future instalments we’ll move on to the more advanced features.

Read more

Tagged with:

XKPasswd.net Updated

Filed Under Computers & Tech, Security on November 10, 2014 | 10 Comments

After quiet a few months of work, I’ve just re-launched my secure memorable password generator – www.xkpasswd.net. The entire interface has been re-designed, and under the hood the site now uses version 2 of my XKPasswd.pm perl module.

The interface has been completely re-designed with an eye to making it easier to understand what the various configuration settings mean. The configuration is sections, and each section is headed by an English description of the current settings. You can read down through the headings to get a very good understanding of the configuration. Additionally, there is now a diagram showing the structure of the password that will be generated, and whether or not it will contain mixed case, digits, and symbols.

You can now generate multiple passwords at once, people often like to generate a few and choose one that speaks to them, so while not make that easier! Once passwords are generated, their strength, or Entropy, is reported, and colour-coded – green is good 🙂

I’ll be adding some more features over the next few months. I’ll mainly be focusing on adding more dictionaries, and allowing users to create their own custom dictionaries by mixing and matching separate word lists. What I have in mind is a set of base language dictionaries like English, and French, and so on, and then a selection of special dictionaries like place names, scientific terms, scifi characters and places, animals, fore names, and so on. I’m also planning to add the ability to store your own custom presets locally using HTML5’s local storage feature.

If you have any comments or suggestions, please do share them.

Tagged with:

“Behind People’s Backs”

Filed Under Computers & Tech, Security on October 24, 2014 | 2 Comments

I’m fed up with people being dishonest about the new search feature in Yosemite. You can have reasonable discussions about the pros and cons of this feature, but for goodness sake enough with the fact-free hyperbole.

I’ve lost count of how many people insist Apple is sending this information back to Apple “behind people’s backs”. Sorry, but that is a fact-free assertion. The screenshot below shows the search feature in question:

Yosemite Spotlight Popover

Here it is again with the important aspects highlighted:

Yosemite Spotlight Popover (Anotated)

If that’s “behind people’s backs” then I’m the pope!

Something I will agree with critics on is that I think that link to instructions should be a button or checkbox to disable the feature. A link to instructions is nice, a button would be perfect!

This data is not being sent for no reason, it’s being sent to offer people a richer search experience, and Apple were actually playing catchup in this regard. Here’s what Microsoft say Windows 8.1 does:

By default, the Search charm searches the apps, files, and settings on your PC and OneDrive, plus the web.

The real question is whether or not Apple have thought about our privacy when implementing this feature, and whether or not they have designed the feature well. Here is what Apple say they do:

We are absolutely committed to protecting our users’ privacy and have built privacy right into our products. For Spotlight Suggestions we minimize the amount of information sent to Apple. Apple doesn’t retain IP addresses from users’ devices. Spotlight blurs the location on the device so it never sends an exact location to Apple. Spotlight doesn’t use a persistent identifier, so a user’s search history can’t be created by Apple or anyone else. Apple devices only use a temporary anonymous session ID for a 15-minute period before the ID is discarded.
We also worked closely with Microsoft to protect our users’ privacy. Apple forwards only commonly searched terms and only city-level location information to Bing. Microsoft does not store search queries or receive users’ IP addresses.
You can also easily opt out of Spotlight Suggestions, Bing or Location Services for Spotlight.

So, your searches are not tied to your Apple ID or any other persistent ID, instead, your device creates a new random identifier every 15 minutes, so your searches are anonymous, and most importantly, they can’t be profiled because the IDs are ephemeral. The fact that the device fuzzes the location before sending it on is also very good. The fact that IP details are not logged is also good. Finally, the fact that only a sub-set of the request is sent on to Bing is great.

I do not believe Apple would blatantly lie to users. For a start, as a publicly traded company that would almost certainly be criminal, but even leaving that aside, it would be spectacularly damaging for Apple to be caught lying about stuff like this.

Bottom line, Apple have been very open about this, Apple have implemented this feature with privacy in mind, and this feature is not unique to Apple OSes. Finally, if you want to opt-out, you can.

If this really is such a scandal, why is Windows 8.1 not coming under the same fire? *cough* link bait *cough*

Tagged with:

It’s hard to believe, but it’s been nearly three years since I released my first attempt at a Perl library for generating secure memorable passwords. The original spark of inspiration came when Steve Gibson released and talked about his Password Haystacks page at around the same time as the now famous correct horse battery staple XKCD comic was released. Take the idea of using words as the basis for passwords from XKCD, add computers to introduce real randomness (we humans are terrible at being random), and season with come well-chosen and intuitively placed symbols and digits to increase the size of your haystack, and voila, passwords are are both human-friendly and secure!

The first version of the library worked, as evidenced by it’s years of service powering www.xkpasswd.net. That’s not a bad start. But, it was a first attempt at solving the problem, and, I was still a Perl padawan back then. Some of my early design decisions resulted in a less than ideal API making the library a lot less developer-friendly than it could have been, and I’ve learned a lot about Perl, and Perl best practices since 2011!

I’ve spent the past half year or so re-implementing the same basic idea from scratch. In terms of functionality very little has changed, there are a few additions, but the big change is in the API. Basically, the old API was a mess – you needed one config hashref to instantiate the object, then a different config hashref to call the password generation function. Nonsense! That’s not intuitive, not obvious, and not efficient! The new API allows you to achieve the same result with less code, and the code you will have will be easier to read and understand.

You’ll find the project page for the new library at the link below – this page provides links for downloading the code, and links to the module’s very detailed documentation.

XKPasswd 2 Project Page (http://bartb.ie/xkpasswd)

Read more

Tagged with:

I sometimes take some stick for having a very defensive coding style. When ever I find myself making an assumption I throw in code to test it. “This function will only ever be called with a positive number”, OK, then add a test to throw an exception should a negative number be passed. You don’t want bad data ricocheting through your code because goodness knows what damage it will do! Similarly, my style is to always use explicit syntax, and, to avoid syntax shortcuts – sure, the ternary operator takes up less space on the screen, but there’s a price to pay for that terseness – it makes your code harder to read and hence to debug and maintain.

However, one of my very biggest bug-bears is the failure to brace control statements like conditionals and loops when they’re operating on a single line of code. This is the trap Apple fell into so spectacularly this week.

Read more

www.xkpasswd.net Updated

Filed Under Computers & Tech, Security on August 6, 2012 | 2 Comments

www.xkpasswd - A Secure Memorable Password GeneratorThis afternoon I updated www.xkpasswd.net to version 0.2.1 of the XKpasswd.pm Perl module, and added the needed UI to expose some of the new features introduced in version 0.2.* of the module:

  1. It is now possible not to use any separator between the words that form the basis of your randomly generated password
  2. The padding character can now be set to be randomly chosen, independently of the separator character. This is now the default setting, and provides more entropy by default.
  3. An additional care transform has been added, you can now choose to have the capitalisation alternate on each subsequent word.

Tagged with:

This is a minor bug-fix update for XKpasswd (my Perl random password generation module). It squashes two minor bugs which came to light while updating www.xkpasswd.net to use version 2 of the module.

  1. When the custom_separator option was left blank, no separator was used, rather than the expected random separator.
  2. When the custom_separator option was left blank or set to RANDOM, and the pad_char option to SEPARATOR, the results were un-expected, different random character was used for each, rather than the same random character.

For documentation and detailed release notes on version 2 of the module, see the release notes for version 2.0.

Download

Tagged with:

With the recent Flashback outbreak, Mac security has become very topical, getting a lot more discussion than it has for some time now. Unfortunately, I’ve seen a lot of FUD doing the rounds, particularly from AV vendors, who want to capitalise on the situation to scare as many people as possible into paying them for their products. People are looking for a simple message, but the reality is not at all simple. There is truth in most of the arguments you hear, but rarely the whole truth. This is because Apple are simultaneously badly behind on some of the simple stuff, and miles ahead of the pack on some of the more advanced stuff.

Read more

Tagged with:

« go backkeep looking »