Category: Security

Safety of Information In the Cloud

Posted by – October 19, 2009

This will be me someday...

Most of us have probably heard about how T-Mobile failed pretty epically by losing all of their customers’ Sidekick data (as the device has no storage of its own, it’s all stored in the cloud).  Luckily Microsoft has stated they have been able to recover “most, if not all” of the information.  However, consider the fact that when this news broke, T-Mobile openly admitted to not having backups.

Like many Internet users I rely on Google a great deal of the time.  I use their email service, their RSS reader, their office document suite and of course their search engine.  It appears to me Google has a lot of really smart people in their ranks and I not only assume but can pretty confidently say I KNOW they keep backups.  How comprehensive these backups are, and how often it’s backed up, I don’t know.

So it seems I put a lot of faith in Google to keep my information safe, but then again I would have thought T-Mobile would have the same obligation.  This is why I was quite amazed upon hearing of The Data Liberation Front which is a team, well I’ll quote the website:

The Data Liberation Front is an engineering team at Google whose singular goal is to make it easier for users to move their data in and out of Google products.  We do this because we believe that you should be able to export any data that you create in (or import into) a product. We help and consult other engineering teams within Google on how to “liberate” their products.

So basically Google is working to allow YOU (the user) to keep and regulate your own backups without having to find crazy work-arounds like many other services (where their business model is to make it difficult for you to leave).

While most of their help will only help those who are technically minded (such as knowing to use their forwarding/popmail to grab a copy of all your email as a backup) it’s definitely a step in the right direction.  While cloud computing is definitely making lives easier, it also raises the stakes for catastrophic data loss and we need to be careful to ensure a bad day at Google isn’t a bad year for us.

I’m probably going to write a few guides over the next several weeks on configuring tools and scripts to automate the backup process (as I have been backing up Gmail and other web services for years).

Setting Up SSH Tunnels With Putty

Posted by – March 3, 2009

Always ensure secure network connections.

I’ve been playing around with VPNs and SSH tunnels to try and get my iPod touch to use something secure when I’m connecting to random wireless networks.  Needless to say it’s not working so great.  I want my itouch to tunnel everything through SSH to my server at home, but Apple hasn’t ever thought of that nor can I find any application to do so (and probably won’t as it would need to run in the background which Apple doesn’t allow, at least when you’re not jailbroken).  It’s leaving me little choice but to jailbreak or else I can’t have secure connections without setting up a VPN over IPsec which is about as fun as it sounds.

So while I was toying around with different things, it occurred to me that many people don’t know how to secure their traffic and prevent people from listening in.  I’m going to show you how you can take a Windows PC or laptop, and route web traffic through a shell account you have SSH access to.  I’ll then show you how to set up Firefox and the SwitchProxy extension to use the tunnel efficiently, as well as the basic premise to make any program you have access the tunnel as well.

First I guess I should explain just why you’d want to go to the trouble of doing all this.  Well, whenever you use someone else’s connection, whether it be a wireless access point at a coffee shop, shopping mall, neighbor’s or even plugged into a school’s network, the bulk of your web traffic is sent as plain text.  This means anyone who wants to can probably listen in on anything you say to your friends on an IM client, or even check your email if you’re not enforcing SSL.  Even on a WPA or WEP enabled wireless connection your data would be easy enough to sniff if the attacker has time enough to crack the key.  I know many people who even go to a coffee shop and set up their own laptop to act like an access point, collecting all the information for anyone who connects to it, in a classic man-in-the-middle attack.

Alright, so the first thing you need to do is open Putty.  If you don’t have Putty already, get it; it’s one of, if not the best, terminal programs for Windows!  Alright, now that it’s open, go to ‘SSH > Tunnels’ on the left hand menu.  In this section, click on the radio button marked ‘Dynamic’ and put ‘9999’ (or any port of your choosing, providing it’s not in use) in the ‘Source port’ text box, then click “Add”.

Setting Up The SSH Tunnel in Putty.

Now go to the ‘Session’ menu on the left side again, and enter the server information.  Then name it, and click Save.  It should look something like this:

Saving the Session in Putty.

Alright, so now that the session is saved with your tunnel settings you’re ready to go.  Log in to your shell, and just leave it there for now (you can do anything you’d normally do, except leave [which will close the tunnel]), and open Firefox.  Go to Tools > Options, then select the ‘Advanced’ tab and click on ‘Settings’ where it says “Connection: Configure how Firefox connects to the Internet”.

Firefox connection settings, to put in the address of the SSH tunnel.

Now select “Manual Proxy Configuration” and for the “SOCKS Host” enter ‘localhost’ and ‘9999’ for the port (unless you specified something else earlier).  Accept all changes.  You’re now browsing the web in Firefox securely through your new SSH tunnel.  Keep in mind if you close your Putty terminal you’ll get ‘connection refused’ messages until you either reconnect to the shell or you go into your settings and remove the proxy.

Firefox Proxy Settings.

Now that you have the basic premise of how to set up your SSH tunnel through Putty, we’re going to install the SwitchProxy Firefox extension to make the switch to secure browsing simple and quick.  So go ahead and grab a copy of SwitchProxy from the Mozilla Add-on website.  Install it, then restart Firefox (as required).  You’ll now notice that in the bottom right corner it’ll say “Proxy: None”.  You’ll also notice an annoying toolbar, which luckily you can right-click on and remove.

Alright, so right-click the bottom right corner, and select “Manage Proxies”, click “Add” then select “Standard”, name it, enter ‘localhost’ for the ‘SOCKS proxy’ and ‘9999’ for the port, and finally select “SOCKS v5” and save changes.  You can now right-click SwitchProxy in the bottom corner, and select ‘SSH Tunnel’ (or whatever you named it) and switch effortlessly back and forth between secure and default connections.

Adding the SSH tunnel to SwitchProxy.

Phew.  That seemed like a bit of work, but it’s well worth it to have this setup for whenever you may find yourself in unknown territory.  Keep in mind you can set ‘localhost’ and port ‘9999’ as ANY proxy you find in any program you use in order to secure it.  Pidgin, MSN, AIM are all good candidates as are POP3 and IMAP mail clients if they aren’t (and even if they are) SSL enabled.

I hope this guide helps at least someone out there.  If anyone has any ideas on how to tunnel through on an iPod touch be sure to let me know.

Edit: You may also want to go into Firefox’s about:config (by entering it into the address bar) and change network.proxy.socks_remote_dns to true.  This will send DNS requests to the tunnel as well for added anonymity.
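
To check that the tunnel is actually up, and to see what the socks_remote_dns setting changes on the wire, here is an added example (not part of the original post) that builds the SOCKS5 CONNECT request both ways and probes the listener on localhost:9999.  The function names and the example.com destination are assumptions made for illustration.

```python
import socket
import struct

def build_connect(host, port, remote_dns=True):
    """Return a SOCKS5 CONNECT request (RFC 1928) for host:port."""
    if remote_dns:
        # ATYP 0x03: the hostname travels inside the tunnel and the SSH
        # server resolves it (Firefox's network.proxy.socks_remote_dns=true).
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname must be 1-255 bytes")
        addr = bytes([0x03, len(name)]) + name
    else:
        # ATYP 0x01: the client resolves first, so the DNS query crosses the
        # untrusted network in the clear and only the IP enters the tunnel.
        addr = b"\x01" + socket.inet_aton(socket.gethostbyname(host))
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)

def _recv_exact(sock, n):
    """Read exactly n bytes or raise if the proxy hangs up early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("proxy closed the connection")
        buf += chunk
    return buf

def probe_tunnel(dest_host, dest_port=443, proxy=("localhost", 9999), timeout=5.0):
    """Return 'ok' if the SOCKS5 listener accepts a CONNECT to dest_host."""
    try:
        with socket.create_connection(proxy, timeout=timeout) as s:
            s.sendall(b"\x05\x01\x00")        # greeting: offer "no auth" only
            if _recv_exact(s, 2) != b"\x05\x00":
                return "not a no-auth SOCKS5 proxy"
            s.sendall(build_connect(dest_host, dest_port))
            reply = _recv_exact(s, 4)          # VER, REP, RSV, ATYP
            return "ok" if reply[1] == 0 else f"socks error {reply[1]}"
    except ConnectionRefusedError:
        return "tunnel down"                   # Putty session is not running
    except OSError as exc:
        return f"error: {exc}"

if __name__ == "__main__":
    # example.com is a constructed destination, not from the original post.
    print(build_connect("example.com", 443).hex())
    print(probe_tunnel("example.com"))
```

A result of "tunnel down" corresponds to the ‘connection refused’ messages Firefox shows when the Putty window has been closed.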

The Great Facebook Scandal of 2009

Posted by – February 19, 2009

For those of you who are a bit behind in the news, Facebook has changed their Terms of Service as reported by the Consumerist.  These changes stated that not only does Facebook own all your information and content you upload (Pictures, blog posts etc) but they can keep it FOREVER even if you remove your account.

This change has created GIANT ripples throughout the intertubes, causing Facebook to recoil and revert to their old TOS.  Even Mark Zuckerberg had to weigh in to try to calm the masses.  This of course didn’t work so well as people started leaving Facebook which prompted them to add this to the “Delete Your Account” Page:

Please don't leave, we're sorry!  We promise not to do it again until you're not looking!

It’s still up in the air whether I’ll decide to leave myself.  It’s nice to be able to stay in contact with others but it’s not worth my information being used for uses I may not agree with.  Not to mention ANY pictures of me, including ones other people upload become the property of Facebook forever.  I’m still not sure how to prevent this, unless it’s already against current privacy or copyright laws.

3 Interesting Videos

Posted by – August 9, 2008

I’ve been slacking off on this blog, so in an effort to liven it up, I thought it’d be nice to post a few of the videos I’ve been watching in my spare time.  I’m not sure whether the original uploader has permission to post these, or what license these were put out under.  I’ll keep this short though, and get to the videos:

Discovery Channel’s “The History Of Hacking” Documentary

Interesting and if nothing else, entertaining look at the History of Hacking.  Title sort of tells it all.

Documentary on Google

Although I had a good understanding of the first days of Google and the current goings-on, I found this video quite entertaining and informative.  Definitely a must-see for anyone like me who uses Google Services for almost everything.

Randy Pausch’s Last Lecture

If you haven’t seen this, you must live in a cave as this video has been making the rounds on the Internet for quite a while.  Probably due to the sadness of the fact that the world lost such a great professor but hopefully more-so the fact that this lecture has a lot of inspiration and is a great motivator for people to really channel their skills and accomplish their dreams.

No Protection in Canada

Posted by – January 26, 2008

I had never imagined myself being a pro-gun sort of person as I had always thought of it as leading to more violence, however as I have grown up and hopefully grown wiser I now know this to not be the case.

I was reading 50 Things You’re Not Supposed To Know and Dial 911 and Die (one led to the other) and was rather shocked to find a plethora of cases where it was stated by precedent that the police and fire department are not legally required to protect you in any way. It even goes on to state that during a triple murder, rape, and kidnapping, the police didn’t bother to respond till much later and sent only one officer to find the suspects, and when they were found the kidnapped twelve year old girl was already long dead.

This of course, got me thinking about how at times, one can feel somewhat vulnerable walking the streets of my neighborhood especially when it gets dark. Not to say I live in a bad neighborhood, but it is in the middle of downtown where it is unfortunately common to see homeless people, drug addicts and the occasional mugging or random assault.

Under Canadian law, one cannot carry any weapon for means of protection. No mace, no pocket knives, no guns, no big sticks. So the only people who can carry such an item are criminals. Coupled with the fact that police are not required to protect you in the event your life or possessions are in danger, how on earth are you supposed to cope?

This is a very troubling predicament that I believe many Canadians are oblivious to, until it’s way too late. It’s startling that a society would allow itself to be disarmed to the point of helplessness with nothing to fall back upon.

Although I don’t condone carrying an M16 with grenade launcher attachments or AK47s, I think more thought should be put into the legislation process, and to possibly overturn parts of the criminal code to allow the protection of oneself if the police cannot be counted upon to help in these situations.