well I never

It’s not often that I find myself agreeing with GCHQ, but ex GCHQ Director Robert Hannigan’s recent comments in an interview with the BBC Today programme struck a chord.

Hannigan headed GCHQ from April 2014 until his resignation for family reasons last year. Whilst in post he pushed for greater transparency at the SIGINT agency. He was responsible for setting up the National Cyber Security Centre in 2017. And in 2016 he argued publicly in favour of strong encryption and against the idea of “back doors” in crypto software. So, arguably, Hannigan is more liberal and open than is common in GCHQ. Certainly his approach was very different to that of his predecessors Iain Lobban or David Pepper.

Continue reading

Permanent link to this article: https://baldric.net/2018/12/11/well-i-never/

re-encrypting trivia

Back in June 2015 I decided to force all connections to trivia over TLS rather than allow plain unencrypted connections. I decided to do this for the obvious reason that it was (and still is) a “good thing” (TM). In my view, all transactions over the ‘net should be encrypted, preferably using strong cyphers offering perfect forward secrecy – just to stop all forms of “bad guys” snooping on what you are doing. Of course, even in such cases there are still myriad ways said “bad guys” can get some idea what you are doing (unencrypted DNS tells them where you are going for example) but hey, at least we can make the buggers work a bit harder.

Continue reading

Permanent link to this article: https://baldric.net/2018/07/07/re-encrypting-trivia/

database failure

In 1909, Franz Kafka wrote the “Inclusion of Private Automobile Firms in the Compulsory Insurance Program” as part of “The Office Writings”. His experience of tortuous bureaucracy in Insurance and elsewhere was later reflected in one of his most famous novels “Der Process” (known in English translation as “The Trial”).

Back in October last year I bought another motorcycle to go with my GSX 1250. I’d just sold three other older bikes and felt the need to fill up the resultant hole in my garage. Besides, a man can never have too many motorcycles. At the time I bought the new Yamaha I spoke to my insurers about getting it added to my existing policy. Unfortunately they had recently changed their systems and I could no longer have one policy covering both bikes. So I took out a new separate policy. Oddly enough, that policy cost me twice as much as I paid for cover on the GSX, a bike with over twice the power and a lot more grunt than my new Yamaha. I was told that whilst /I/ was still the same risk, the underwriters assumed that my Yamaha was a riskier vehicle to insure. The ways of insurers are odd indeed and beyond the ken of mortal man.

Continue reading

Permanent link to this article: https://baldric.net/2018/02/18/database-failure/

Merry Christmas 2017

I’m a couple of days late this year. I normally post on Christmas Eve, trivia’s birthday, but hey, I’ve been busy (it goes with the territory at this time of year if you are a grandparent). This year I thought I would depart from my usual topic(s) and post a couple of pictures marking the occasion. So here you go.

Last year my lady gave me a rather interesting christmas present – a Mr Potato Head, but home made.

mr potatao head

Not content to leave the joke alone, this year she went slightly upmarket and gave me a Mr Pineapple Head.

mr pineapple head

I’m sure she loves me really. In fact I know that she does. She made the toadstool cake below for our daughter’s boys, and hey, she really does love those boys.

toadstool

Merry Christmas to all my readers, wherever you are (and oddly enough, a lot of you appear to be in China).

Permanent link to this article: https://baldric.net/2017/12/26/merry-christmas-2017/

multilingual chat

I use email fairly extensively for my public communication but I use XMPP (with suitable end-to-end encryption) for my private, personal communication. And I use my own XMPP server to facilitate this. But as I have mentioned in previous posts my family and many of my friends insist on using proprietary variants of this open standard (facebook, whatsapp etc. ad nauseam). I was thus amused to note that I am not alone in having difficulty in keeping track of “which of my contacts use which chat systems“.

XKCD cartoon about multiple chat systems

(My thanks, as ever, to Randall Munroe over at XKCD.)

I must find a client which can handle all of my messaging systems. Better yet, I’d like one which worked, and seamlessly synchronised, across my mobile devices and my linux desktop. Even better again, such a client should offer simple (i.e. easy to use) e-to-e crypto and use an open server platform which I can manage myself.

Proprietary systems suck.

Permanent link to this article: https://baldric.net/2017/10/14/multilingual-chat/

geeks rule

Well, sliderule, actually.

The ‘net is a truly wondrous space. I can’t recall exactly how I stumbled across the “International Sliderule Museum” but it is such a wonderful resource devoted to a tool which most people under the age of 40 will never have used that I just had to post a link to it.

Enjoy.

Permanent link to this article: https://baldric.net/2017/09/30/geeks-rule/

a letter to our dear home secretary

Dear Amber

So,”real people” don’t care about privacy? All they really want is ease of use and a pretty GUI so that they can chat to all their friends on-line? Only “the enemy” (who is that exactly anyway?) needs encryption? Excuse me for asking, but what have you been smoking? Does the Home Office know about that?

I’m a real person. And I care deeply about privacy. I care enough to fund both my own Tor node and various openVPN servers dotted around the world just to get past your ludicrous attempts at gratuitous surveillance of my (and my family’s) routine use of the ‘net. I care about the security and privacy of my transactions with various commercial enterprises, including my bank (which is why I expect them to use TLS on their website). I care about privacy when I correspond with my Doctor and other professionals. I care about privacy when I use an on-line search engine (which, incidentally, is not Google). I care about privacy because privacy matters. I have the right to freedom of thought and expression. I have the right to discuss those thoughts with others of my choice – when I choose and how I choose. You may not like that, but it’s a fact of life. That doesn’t make me “the enemy”. Get over it.

Love and Kisses

Mick

(Note to readers: Aral Balkan has deconstructed Rudd’s ramblings. I commend the article to you.)

Permanent link to this article: https://baldric.net/2017/08/02/a-letter-to-our-dear-home-secretary/

it is now

Back in January 2011, I posted a brief note about a site hosted at the domain “ismycomputeroff.com“. I have just had occasion to look again at that site and found that the domain is now definitely off. It is parked at sedo and is up for sale at the ludicrous price of 599 euros.

Tell you what, you can have my “theinternetisoff.net” domain for the bargain price of half that – after all, it only cost me about a tenner.

[Postscript added February 2020. Since I no longer have this domain, and I chose not to sell it for silly money, you may be able register it yourself if you wish.]

Permanent link to this article: https://baldric.net/2017/06/06/it-is-now/

monday in manchester

At around 22.30 last Monday, Manchester was subjected to an horrific attack at a pop concert. As the world now knows, a suicide bomber deliberately targeted young people and their friends and families as they were leaving a concert by the young pop singer Ariana Grande. In that attack, 22 people, including children as young as 8 years old lost their lives. Many, many more received life changing injuries.

This is the first confirmed suicide bombing attack in the UK since 7 July 2005. On that day, 12 years ago, I was working in London. I can vividly recall the aftermath of that attack. Shock, horror, disbelief, later turning to anger. But I also vividly recall the reactions of Londoners and visitors to London I met, talked to or simply listened to over the days that followed. Only a few days after the 7th I was travelling by bus to a meeting when quite unbidden a middle aged American couple, obviously tourists, told me and everyone else on the bus that they shared our pain and that they were praying for us. I am not a religious man, indeed, I have no faith whatsoever, but I was deeply moved by that couple’s sincerity. Later, towards the end of July, my wife and I were travelling by Tube towards St Pancras on our way to Paris for our wedding anniversary. The driver of that Tube welcomed us (and everyone else) aboard the “up yours al-Qaeda express”. This show of defiance in the face of horror actually raised a number of smiles from those around us. London survived, Londoners endured.

The citizens of Manchester are now all facing profound shock and grief. That shock and grief will also be felt by anyone who has any shred of humanity within them. London was bad – 52 people lost their lives in that series of co-ordinated attacks. But somehow, Manchester feels worse, much worse. The London bombers targeted morning Tube and bus travellers – mainly commuters, some of whom were late for work because of earlier rail disruption that day. They were a soft target. But the Manchester bombing was callously and deliberately aimed at the ultimate soft target – kids; youngsters and their families emerging from what should have been a wonderful night out. Kids simply enjoying themselves at a concert many would have been planning for and looking forward to for months. Ariane Grande’s fanbase is primarily young women and girls. The attacker would have known that and yet he deliberately chose to detonate his bomb at that time and that place. He, and any accomplices he may have had, deserve nothing but our contempt. Manchester will survive, and Mancunians will endure. They have faced this before in the IRA truck bombing in June 1996. That attack didn’t break them. This one won’t either.

Meanwhile, everyone must grieve for the loss of so many young lives in such a pointless, pitiless attack. My thoughts, and those of my family, are with Manchester.

Permanent link to this article: https://baldric.net/2017/05/25/monday-in-manchester/

using a VPN to take back your privacy

With the passage into law of the iniquitous Investigatory Powers (IP) Bill in the UK at the end of November last year, it is way past time for all those who care about civil liberties in this country to exercise their right to privacy.

The new IP Act permits HMG and its various agencies to surveil the entire online population. The Act actually formalises (or in reality, legalises) activity which has long gone on in this country (as in others) in that it gives LEAs and others a blanket right of surveillance.

The Act (PDF) itself states that it is:

“An Act to make provision about the interception of communications, equipment interference and the acquisition and retention of communications data, bulk personal datasets and other information; to make provision about the treatment of material held as a result of such interception, equipment interference or acquisition or retention; to establish the Investigatory Powers Commissioner and other Judicial Commissioners and make provision about them and other oversight arrangements; to make further provision about investigatory powers and national security; to amend sections 3 and 5 of the Intelligence Services Act 1994; and for connected purposes.”

(Don’t you just love the “connected purposes” bit?)

Continue reading

Permanent link to this article: https://baldric.net/2017/05/12/using-a-vpn-to-take-back-your-privacy/

free Dmitry Bogatov

Dmitry Bogatov, aka KAction, is a Russian free software activist and mathematics teacher at Moscow’s Finance and Law University. He was arrested in Russia on 6 April of this year and charged with extremism. He is currently held in a pre-trial detention centre, and is apparently likely to remain there until early June at least, while investigations continue. The Russian authorities claim that Bogatov published messages on a Russian website, “sysadmin.ru”, inciting violent action at the opposition protest demonstration held in Moscow on 2 April.

Bogatov is well known in the free software community as a contributor to debian. As a privacy activist he runs a Tor exit node in Russia and it is this latter point which would appear to have caused his difficulty. Apparently, Bogatov’s Tor exit node was logged as the source address for the inflammatory posts in question. The debian project have taken the precaution of revoking Bogatov’s keys which allow him to post material to the project. They see those keys as compromised following his arrest and the seizure of his computing equipment.

Bogatov claims (with some justification it would appear) that he had nothing to do with the posts of which he is accused. Indeed, at the time of the post from his Tor node he claims that he was at a gym with his wife and visited a supermarket immediately afterwards. CCTV footage from the store supports this claim.

Operating a Tor node is not illegal in Russia, nor is it illegal in many other jurisdictions around the world. However, the act of doing so can draw attention to yourself as a possible “dissident” wherever you may live.

I am a passionate fan of free software, I use debian (and its derivatives) as my preferred operating system. I am an advocate of privacy enhancing tools such as GPG, Tor and OpenVPN, and I run a Tor node.

I hope that Dmitry Bogatov is treated fairly and in due course is proved innocent of the charges he faces. I post this message in support.

Permanent link to this article: https://baldric.net/2017/04/27/free-dmitry-bogatov/

pwned

I recently received a spam email to one of my email addresses. In itself this is annoying, but not particularly interesting or that unusual (despite my efforts to avoid such nuisances). What was unusual was the form of the address because it contained a username I have not used in a long time, and only on one specific site.

The address took the form “username” <realaddress@realdomain> and the email invited me to hook up with a “hot girl” who “was missing me”. The return address was at a Russian domain.

Intrigued as to how this specific UID and address had appeared in my inbox I checked Troy Hunt’s haveibeenpwned database and found that, sure enough, the site I had signed up to with that UID had been compromised. I have since both changed the password on that site (too late of course because it would seem that the password database was stored insecurely) and deleted the account (which I haven’t used in years anyway). I don’t /think/ that I have used that particular UID/password combination anywhere else, but I’m checking nonetheless.

The obvious lesson here is that a) password re-use is a /very/ bad idea and b) even old unused accounts can later cause you difficulty if you don’t manage them actively.

But you knew that anyway. Didn’t you?

Permanent link to this article: https://baldric.net/2017/03/18/pwned/

this is what a scary man looks like

Donal Trump with John Kelly

No, I mean the one on the right – the one Trump is pointing at.

General John Kelly is just one of Trump’s controversial appointments (and not necessarily the worst) and I guess that by writing this now, I have finally nailed down the lid on the coffin of my ever returning to the US. Pity. I had promised my wife that I would take her to San Francisco in the near future so that she could see for herself why I like it. I’ve visited the USA several times in the past, but only on business and never with my lady. Now it would seem that I cannot go, because I will not submit her, nor myself, to the indignity of being treated like a criminal simply because I wish to enter the country.

Today, El Reg reports that General Kelly has said that he wants the right to demand passwords for social media and financial accounts from some visa applicants so that immigration and homeland securty officers can vet Twitter, Facebook or online banking accounts.

Continue reading

Permanent link to this article: https://baldric.net/2017/02/09/this-is-what-a-scary-man-looks-like/

variable substitution – redux

Back in October last year, I posted a note about the usage of variable substitution in lighttpd’s configuration files. In fact I got that post very slightly wrong (now corrected) in that I showed the test I applied in the file as: “$HTTP[“remoteip”] !~ “12.34.56.78″”. (Note the “!~” when I should have used “!=”). This works, in that it would limit access, but it is subtly wrong because it does not limit access in quite the way I intended. I only noticed this when I later came to change the variable assignment to allow access from three separate IP addresses (on which more later) rather than just one.

The “!~” operator is a perl style regular expression “not” match whilst the “!=” operator is the more strict string not equal match. This matters. My construct using the perl regex not wouldn’t actually just limit access solely to remote address 12.34.56.78 but would also allow in addresses of the form n12n.n34n.n56n.n78n where “n” is any other valid numeral (or none). So for example, my construct would have allowed in connections from 125.134.56.178 or 212.34.156.78 or 121.34.156.78 etc. That is not what I wanted at all.

The (correct) assignment and test now looks like this:

var.IP = “12\.34\.56\.78|23\.45\.67\.78|34\.56\.78\.90”

$HTTP[“remoteip”] !~ var.IP {
$HTTP[“url”] =~ “^/wp-admin/” {
url.access-deny = (“”)
}

Which says, allow connections from address 12.34.56.78 or 23.45.67.89 or 34.56.78.90 but no others.

For reference, the BNF like notation used in the basic configuration for lighty is given on the redmine wiki.

Permanent link to this article: https://baldric.net/2017/01/30/variable-substitution-redux/

not welcome here

US President Trump has said that refugees and travellers from seven, mainly majority Muslim, countries are barred from entry to the US. Notwithstanding our own dear PM’s invitation to Trump, some 1.2 million brits have so far signed a Parliamentary petition to “Prevent Donald Trump from making a State Visit to the United Kingdom“.

petition

I do not actually agree with the wording of the petition. As a republican at heart I really don’t care whether the Queen would be “embarrassed” by meeting Trump. Besides, she has met many, arguably worse, leaders in her time (think Robert Mugabe, or Nicolae Ceaușescu). The point here is that to extend an invitation to Trump so quickly, and whilst he is advocating such distateful and divisive policies gives the distinct impression that the UK endorses those policies. We do not, and should be seen to be highly critical of those policies. In her visit to the US last week, Theresa May made much of the UK’s ability as a close friend and partner of the USA to feel free to criticise that partner. She has done no such thing. In my view that is shameful.

When I signed the petition there were around 600,000 other signatories. The total is still climbing. That is encouraging. No doubt the petition will be ignored though.

(Postscript. El Reg has a discussion raging about the petition. Apparently I am a “virtue signaller”. Oh well, I don’t feel bad about it. After all, I’m a blogger so by definition I’m already self interested and vain.)

Permanent link to this article: https://baldric.net/2017/01/30/not-welcome-here/

Merry Christmas 2016

As is now traditional :-) I post today to wish everyone a very merry christmas.

Today is trivia’s birthday – indeed it is trivia’s 10th birthday so I have been writing here for a decade. Good grief. If I had known then what I know now trivia might have been still born. As it is we are both still here – more importantly so is everyone else I really care about.

Here’s to the next 10 years. And I might actually write some more next year.

Best Wishes

Mick

Permanent link to this article: https://baldric.net/2016/12/24/merry-christmas-2016/

if it be your will

A bleak week just got worse. The results of the US Presidential election are, frankly, beyond belief. We now have a xenophobic, racist, misogynistic megalomaniac waiting to move into the White House and become, literally, the most powerful man on earth.

And now Leonard Cohen has died.

Cohen is one of my all time favourite artists. A writer of beautiful poetry and lyrics beyond compare and endowed with a voice capable of moving me to tears. I cry now because that voice is silenced.

In the mid eighties he wrote “If it be your will” which starts:

If it be your will
That I speak no more
And my voice be still
As it was before
I will speak no more
I shall abide until
I am spoken for
If it be your will

This year he wrote in “You want it darker

If You are the dealer, I’m out of the game
If You are the healer, I’m broken and lame
If Thine is the glory, then mine must be the shame
You want it darker – we kill the flame.
Magnified, sanctified is your holy name
Vilified, crucified in the human frame
A million candles burning for the help that never came
You want it darker – Hineni, Hineni, I’m ready, my Lord.

Now he is gone, in the same week the US voted a dangerous buffoon to the Presidency. If there be a God, he has a cruel sense of humour. The world has just got darker.

Permanent link to this article: https://baldric.net/2016/11/11/if-it-be-your-will/

do not click here

I have just noticed that the getsafeonline campaign’s website contains this wonderfully ironic side bar graphic.

GSO_website_side_button_NEW_to_internet

Go on, you know you want to.

Permanent link to this article: https://baldric.net/2016/10/24/do-not-click-here/

NFC? NFW

As is our custom on a Saturday, this morning my wife and I went out to a local cafe for breakfast. We know the proprietress so I was chatting to her whilst paying for the meal. Part way through the chat, the cafe proprietress tore off the receipt from the POS terminal and removed my debit card and handed it back to me.

Me: “Hang on, I haven’t entered my PIN. Are you sure that has been paid?”
CP: “Yes, it says here it’s paid.”
Me: “I have NOT authorised that transaction. It cannot be paid.”
CP: “Oh, don’t worry, we accept “swipe to pay” it probably just authorised that as you put your card in the terminal.”
Me: “That cannot happen. That card is not “swipe to pay” enabled. And I haven’t authorised any payment yet.”
CP (looking at receipt): “It says here “Contactless Sale” and the payment has been authorised”.
Me: “Show me that receipt.”

Sure enough, the receipt showed a “Contactless Sale” for the amount of the breakfast, however, the card type shown, and the last four digits of the card quoted were not those of my debit card. But I did recognise the card type as one I hold in my wallet so I checked that. Sure enough, that card has the WiFi symbol on it and the last four digits matched that on the Cafe receipt. So the POS terminal had taken the payment from a card in my wallet and not the card I had actually inserted.

That should not happen. And the fact that it did worries the hell out of me.

At the time the payment was taken, my wallet holding the other card was in my left hand (I had just removed my debit card from it with my right hand because I am right handed). So I placed that wallet on the counter beside me so that I could pick up the POS terminal in my left hand allowing me push my debit card in with my right hand and then enter my PIN. Replaying that action afterwards I am absolutely certain that at no time was my wallet anywhere nearer than a foot or more away from the POS terminal. Moreover that terminal had a card inserted – my debit card – and it should have been waiting for my PIN authorisation. So what happened?

I don’t know. And as I said above, that worries me.

I have checked both Wikipedia for details of the standards used in passive NFC of the type used in contactless payment and the “Security FAQ” for contactless payments on the Smart Card Alliance site (warning, PDF). Both those references tell me what I thought I already knew – NFC is only supposed to work at ranges of up to 2-4 inches (or 10 cm). No way was my wallet ever anywhere near 10 cm from that POS terminal. The closest it could have been was at least a foot away.

If this can happen to me, then I am certain it must have happened to others. Possibly to others who have been charged for someone else’s transaction simply because their NFC enabled card happens to be within range of the POS in question. In such cases, neither the actual customer nor the unwitting person really charged for the transaction would be any the wiser at the time of the transaction. Nor would the retailer know or care because they have a receipt for a contactless sale.

I’ll bet there have been some interesting conversations between such unwitting payers and their banks when the payment was noticed and then disputed.

Meanwhile, I’m going to find out whether I can get a card without the NFC capability to replace the card I unwittingly used to pay for breakfast. No way do I want this to happen again.

Permanent link to this article: https://baldric.net/2016/10/22/nfc-nfw/

variable substitution in lighttpd

I’ve been a lighty user for many years now, having junked apache when it became obviously overweight for my target devices (the slugs in particular). Trivia is, of course, powered by lighty as are all my other websites.

Lighty’s configuration file syntax is reasonably simple to understand, and is well documented on the Redmine wiki. The guys at Calomel.org have also put together quite a nice introduction to lighty. If you haven’t tried it, and find that apache is becoming too much of a resource hog for you, I’d recommend that you give lighty a run.

I use lighty’s access control mechanisms to prevent random bots and bad guys from reaching trivia’s administrative functions and I do this in much the same way as I limit access to my ssh and openvpn daemons – I restrict access to the fixed IP address assigned to my router by my ISP. So in the lighty virtual host configuration file I use the following construct:

$HTTP[“remoteip”] != “12.34.56.78” {
$HTTP[“url”] =~ “^/wp-admin/” {
url.access-deny = (“”)
}

That says: if the remote IP address is not 12.34.56.78, then deny access to the wp-admin directory.

Now I have several virtual hosts running and I also protect several directories. I also use a similar construct to redirect all my own access to my websites to https on port 443 so that I can always be certain that my own connection is encrypted and my authentication credentials will be protected. This means, of course, that I have several entries of the form: “if this IP address, then take this action” dotted around my configuration files. Not good. A recent change of ISP meant that my IP address has changed and I needed to edit my configuration files or find myself locked out. The most important files to change were my iptables rules so that I could still get ssh access on all my VMs. This didn’t take long because I have all the important configuration details (ssh IP addresses and ports, openvpn port, DNS addresses etc.) defined at the head of the bash script. One change is all that is necessary and bash variable substitution takes care of the rest. But my lighty configuration files were a different matter and I had to check carefully to ensure that I didn’t miss an important change. That’s just daft. Surely lighty allows for variable assignment and substitution? And of course it does, I just hadn’t checked before now.

The syntax looks like this:

At the head of the configuration file make an entry of the form:

# set our fixed remote ip address used in access control

var.IP = “23.45.67.89”

and then change the earlier configuration lines to:

$HTTP[“remoteip”] != var.IP {
$HTTP[“url”] =~ “^/wp-admin/” {
url.access-deny = (“”)
}

Simple, and I feel a complete idiot for not noticing this before.

Permanent link to this article: https://baldric.net/2016/10/19/variable-substitution-in-lighttpd/

show me yours

As Theresa May moves from the Home Office to Number 10, it is perhaps timely to reflect on public attitudes to surveillance as evidenced in Liberty’s campaign film “Show me yours” in April of this year. In the film (shown below), comedian Olivia Lee pursues members of the public with the intention of taking details from their mobile phones of all their recent communications or browsing activity. The reactions of the people approached speak for themselves. Unfortunately, Liberty research suggests that 75% of adults in the UK had never heard of the impending legislation laid out in the Investigatory Powers Bill.

Permanent link to this article: https://baldric.net/2016/07/13/show-me-yours/

raid performance

I have recently been building a new NAS box (of which, possibly, more later). In fact the build is really a rebuild because I initially built the server about three years ago in order to consolidate a bunch of services I was running on assorted separate servers into one place. That first build was a RAID 1 array of two 2 TB disks (to give me a mirrored setup with a total of 2 TB store). At the time that was sufficient to hold all my important data (backed up both to other networked devices and to standalone USB disks for safety). But I have just upgraded my main desktop machine to a nice shiny new core i7 Skylake box with 16 GB of DDR4 and a 3 TB disk. That disk is already two thirds full (my old machine had a rather full 2 TB disk). This meant that my NAS backup storage requirements exceeded the capacity of my RAID 1 setup. Adding disks wouldn’t help of course because all that would do is add mirror capability rather than capacity. So I decided to upgrade the NAS and bought a bunch of new 2 TB disks with the intention of setting up a RAID 5 array of 4 disks, thus giving a total storage capacity of 6 TB (8 TB minus 2 TB for parity). Furthermore I initially looked at using FreeNAS rather than my usual debian or ubuntu server with software RAID simply because it looked interesting and, with plugins, could probably meet most of my requirements. But I could not get the software to install properly and after three abortive attempts I gave up and decided that I didn’t really like freeBSD anyway….

Continue reading

Permanent link to this article: https://baldric.net/2016/05/02/raid-performance/

jibber jabber

For some time mow I have been increasingly fed up with the poor service offered by SMS on my mobile phone. I’m not a hugely prolific sender of text messages, and those I do send are primarily aimed at my wife and kids, but when I do send them, I expect them to get there, on time and reliably. I also expect to be able to send and receive images (by MMS) because that is what I have paid for in my contract. Oh, and I would also like to do this securely, and in privacy.

Guess what? I can’t.

My wife and kids want me to use Facebook’s messenger because that is what they use and they are happy with it. I have signally failed to convince them /not/ to use that application, largely because they already have it installed and use it to send messages to everyone else they know. But then I have also failed to get my kids to understand my concerns about wider Facebook usage. (“There Dad goes again, off on one about Facebook.”).

So, what to do? Answer, set up my own XMPP server and use that. XMPP is an open standard, there are plenty of good FOSS XMPP servers about (jabberd, ejabberd, prosody etc.) and there are also plenty of reasonable looking XMPP clients for both android and linux (the OS’s I care about). And better yet, it is perfectly possible (and relatively easy) to set up the server to accept only TLS encrypted connections so that conversations take place in private. Many clients also now support OTR or OMEMO encryption so the conversations can be made completely secure through end-to-end encryption. Yes, I am aware that OTR is a bit of a kludge, but it is infinitely preferable to clear text SMS over the mobile network. And I like my privacy. Better yet, unlike GPG which I use for email, OTR also provides forward secrecy, so even if my keys should be compromised, my conversations won’t be.

And yes I also know that Facebook messenger itself offers “security and pivacy”, but it also used to be capable of interacting with the open XMPP standard before Zuckerberg made it proprietary a few years ago. And I just don’t trust Facebook. For anything.

So for some time now I have been using my own XMPP server alongside my mail server. It works just fine, and I have even convinced my wife and kids to use it when they converse with me.

I may now move away from using GPG to using OTR in preference. Anyone wishing to contact me can now do so at my XMPP address and may also encrypt messages to me using my OTR key. My fingerprints are published here.

Permanent link to this article: https://baldric.net/2016/03/30/jibber-jabber/

guest network

Last month Troy Hunt posted an interesting comment on his blog about the problems around the etiquette of allowing guests onto your home wifi network. In his post, Hunt notes that guests can be deeply offended at being refused access. This is understandable. If they are guests in your home then they are probably close friends or family. Refusing access can make it seem that you don’t trust them. However, as Hunt goes on to point out, it is not the guests per se you need to worry about. Anyone on your network can cause problems – usually completely unintentionally. In my case I have the particular problem that my kids assume that they can use the network when they are here. Worse, they assume that they may access the network through their (google infested) smart phones. Now try as I might, there is no way I can monitor or control the way my kids (or their partners) set up their phones. Nor should I want to.

Hunt asks how others handle this problem. Like him I don’t much trust the separation offered by “guest” networks on wifi routers. In my case I decided long ago to split my network in two. I have an outer network which connects directly to my ISP and a second, inner network, which connects through another router to my outer network. Both networks use NAT and each uses an address range drawn from RFC1918. Furthermore, the routers are from different manufacturers so, hopefully, any vulnerability in one /may/ not be present in the other. My inner network has all my domestic devices, including my NAS, music and video streaming systems, DNS server etc. attached. These devices are mostly hard wired through a switch to the inner router. I only use wifi where it is not possible to hard wire, or where it would make no sense to do so. For example, my Sonos speakers and the app controlling them on my android tablet must use wifi. However, there is no reason why my kids, who insist on using Facebook, need to have access to my internal systems. So I run a separate wifi network on the outer router and they only have access to that. The only systems on the external screened network is one of my VPN endpoints (useful for when I am out and about and want to appear to be accessing the wider world from my home), and my old slug based webcam. My policy stance on the inner network is to consider the screened outer network as almost as hostile as the wider internet. This has the further advantage that bloody google doesn’t get notification of my internal wifi settings through my kids leaving “backup and restore” active on their android phones.

Permanent link to this article: https://baldric.net/2016/01/24/guest-network/