Ugly White People, Wearing Masks, and Leaving Facebook

So earlier today, after leaving our local megamart, which in this case is Meijer I was beset by wave after wave of ugly white people not wearing masks. I just cannot stand it, the absolute gall to put the public health at risk all because you want to be a dick about it. It is just beyond acceptable, even in our broken world, so I wrote a Facebook Post. I called them for what they are. Ugly White Pig Fuckers.

The Facebook AI flagged it as “Hate Speech” and so, since I have a long track record of calling out Russians for their shenanigans along with I’m sure other infractions that I have long since forgotten, I have been put in a time-out corner for three days on Facebook.

Almost everyone that I care about is on a shared Signal group, it’s a virtual pub where all my loved ones are also there and I can vent, and listen to my loved ones vent, and we can laugh and share things and because Signal is end-to-end encrypted, there is nobody there to tell me what I can or cannot say.

Very much like this blog too. I always mean to write more here on the blog, and this time-out from Facebook for 3 days is actually not a punishment but rather an invitation I think, to fully abandon the platform. The toxic people, the toxic stories, the endless and sensationalized bottom-of-the-barrel scrape that the wall has become. If I want to visit a wretched den of scum and villainy, at least Reddit doesn’t pretend that it is anything else than just another cultural latrine. Facebook is just a lemon-scented cultural latrine.

I pay for this blog and the service, so I can say whatever I please here without an obnoxious censorship AI locking my account out. Plus, it’s like TV, if you don’t like what I write on this blog, you are very much invited to forget all about it. Just don’t point your browser here, I will not be offended.

So instead of sharing things on Facebook, I’ll share them on this blog. The activity will pick up, maybe if I’m very lucky there will be a new community like Imzy, or perhaps something like LiveJournal before the filthy Russians got their grasping little fingers all over it. Everyone who reads the blog should know, I’m left AF, and while I am not Antifa, I am Antifa sympathetic, especially with the notion that anyone of good standing and solid heart will not hesitate to punch Nazi scum in the face.

So don’t look for me on Facebook. Look for me here. To Hell with Facebook.

Also… WEAR YOUR !@#$ MASKS IN PUBLIC!

YubiKey NFC 5 – Disappointing & Useless

Aside

It doesn’t take much for a technology to excite me and then subsequently fail me. Case in point, a YubiKey 5 NFC security key. I bought it on November 6, 2019 for $51.94. I was excited to use this new bit of technology, thinking that it would at least be a valuable experience for me when it came to 2 factor authentication and honing my security skills. The NFC bits were very attractive and the website clearly displayed iPhone as compatible, so why not? Chip in all the way, it’s only $50!

What I got did not at all match my expectations. The NFC doesn’t work, or at least required at the time a different kind of iPhone than the one I had, which was an iPhone 6S Plus, so that was deceptive advertising leading me nowhere. The NFC part works nowhere, so it’s just marketing mumbo-jumbo for me. I then plugged it into the USB port on my MacBook and was dismayed to see that it doesn’t really do what I thought it would: no way to get any of my TOTP settings onto the device, no applications to make it convenient to use on my MacBook Pro, but there was a way that I could put my GPG key for my main account on there. So I did that. Then after doing that I realized that the private key had been moved onto the YubiKey and a stub left on my MacBook Pro, meaning any time I wanted to decrypt anything I needed the YubiKey. I didn’t have a choice when it came to having it in both places, and I accepted that because I rarely if ever use my GPG key since it’s a dead-on-arrival technology itself.

All of this was an immense flash in the pan. I did learn a lot, and I guess it was worth the $50 I spent on it. Maybe I can return it to the manufacturer, as I have returned it to factory specs. If they don’t allow that, then I’ll likely put it up for sale on Facebook, Craigslist, or eBay.

What I got out of Yubico and their Yubikey is that it is like a lot of other security tools, pretty much meant for a very niche marketplace where people who would buy into these sorts of things are sold on the how, just looking for the what. I wouldn’t recommend Yubikey to anyone, it is not easy to use and completely unreliable. A little sidebar to mention here as well, if you wanted to use a YubiKey to secure your desktop or laptop computer, which you could do, they strongly recommend you buy two of them, in case you lose one or one gets stolen. The all-or-nothing deal is a huge cold shower.

Secure Channels

I explored the challenge of establishing a secure channel in a business-to-business use case a few days ago. Between the company I work for and another company, where the information was very sensitive, the risk of it being compromised was unacceptable, and the requirement that I share the information with the other party undeniable.

The goal was to get a secret string of text from my system into the system of another party. I have explored cryptography for a long while and so I was confident that all the tools I had could do the job very well. The real challenge was in establishing a communications protocol and a secure channel. Amongst my explorations, I had the entire suite of OpenSSL library ciphers at hand, I had GPG, and the answer which I sort of knew already even before I started this foray into cybersecurity, that Signal would eventually be my answer.

At first it was an exploration of the challenge itself. How could I get a secret alphanumeric string to another party that had none of the tools or the experience of cryptography that I had in my library? All of it was fated before I even started, but I at least wanted to go through the motions and explore this problem as if I was sitting in the middle of it without any view of the win condition at the end. The first stab was GPG, so I searched for any public keys related to the other company, and there were none. That was worth a smirk, and I nodded because I would have been shocked if there was a hit at all, so GPG was a dead end. The next effort was thinking about what sort of cipher could be used. This selection of a cipher was symmetric cryptography. I would need to encode the message so that it would be suitable for email transmission, and encrypt the data using some standard cipher that I knew would be possible for both parties, and then I spent a while trying to figure out the password for the cipher. I knew that base64 would be great for encoding and decoding the message, and I still have faith in AES-256-CTR, but that left me having to select a password that both sides knew. Any effort to share that password over some other non-secure channel would render all my efforts for nothing, because then the cipher would be a mathematical contrivance: the security of the password had become equivalent to the security of the payload. If the password was passed in clear text, then the entire endeavor was meaningless.

So this entry becomes a love letter to Signal. It covered everything I needed. It used encryption end-to-end and it was vetted and secure, it didn’t require public keys, or specifically, the user wasn’t involved with that part of the process, and I could trust that the inbound mobile number matched the intended recipient. I didn’t need to exchange passwords or agree on a cipher or a protocol. The application and service are free as well, so there wasn’t even a cost barrier to this solution! It checks off every box on my list. I was able to copy and paste the secure string of data over Signal to the other person and conclude the task that I set for myself at the beginning of all of this. There is more to Signal than just this use case and I encourage everyone I know to download it, sign in, and start using it.

Derailing Robocalls

If you have an iPhone as your mobile device, you can set up a foolproof filter for pretty much all Robocalls, unwanted solicitations, or anything else that bothers you with multiple calls on your mobile phone.

The first step is to create a Voicemail Greeting that lets people know that they have to introduce themselves with their numbers first, and then once they exist in your Contact List, then your phone will ring and you might answer it. If your callers don’t know, then they will never get through.

The second step is to make sure your Contact List in your iPhone is as up-to-date as you can make it. Trim out any junk, do your best to de-dupe the list, get it so it is nice and tidy.

The third step is to go into Settings, then to the Do Not Disturb settings. Turn Do Not Disturb ON, set a Schedule if you want it off at times, although I just leave my phone on DND permanently. Set Silence to Always, and in the Phone section, set “Allow Calls From” to “All Contacts”. Turn Repeated Calls off; any other setting is your personal preference.

When inbound calls arrive, they will be checked via their Caller ID presentation with your Contact List. If they don’t know which number will match in your Contact List, then your phone will never ring. It will obviously ring for the caller, until they arrive in Voicemail, and then they leave a message introducing themselves, which is after all, a civilized way of using these devices. If you met someone IRL, then you’d have to create a contact for them in order for them to ring your iPhone.

If you have any other iOS device, like an iPad, you should configure that the same way as your iPhone so when it is connected over Wifi it doesn’t ring the way you don’t want it to.

After that, you won’t get any more inbound calls unless they are from your Contact List. No fuss, no muss.

Whiteboard Secure?

The first time you start to involve yourself in cryptography you start on a path to suspicion and paranoia. Nearly every discussion about cryptography involves two example parties, Alice and Bob. Alice is always trying to keep secrets from Bob, and these two characters are used to illustrate everything from public key cryptography to man-in-the-middle attacks, and a lot more than just these examples as well.

This entire line of reasoning starts to kindle thoughts about how you go about your everyday life and just how much of your personal data, your privacy, your secrets are all leaking out around the edges. For all the efforts of your own personal Alice, there is a Bob out there, maybe, trying to dig up things you aren’t watching over or never expect.

A portion of cryptography, or more generally espionage, comes down to the things you leave behind. Some folks think that strip-shredding sensitive papers is enough, while others consider upgrading to crosscut shredding to be the gold standard. For really sensitive papers, I personally have considered the only really effective way to prevent them from being reassembled is through burning and beating with some sort of implement to mix up the ashes. All this is to prevent information from leaking out where you never intend for it to leak out from. A big part of this, and in a lot of film noir detective stories, is phone numbers or passwords written on sticky notes or on a notepad. Sometimes people will write something down on a series-bound stack of papers with something like a ball-point pen, because it’s handy. The ball-point does put ink on paper, but it also can emboss the paper below the sheet you are working on, and with a gentle swipe of pencil graphite, the ghost of what was written re-appears.

While I’ve been working at my desk, I got to thinking about convenient surfaces that I could take notes on, which would be handy and easily erased and reused. A while back I stopped at the dollar store and got a nice little whiteboard and a selection of dry-erase markers. Super cheap, super convenient. The whiteboard has proven to be very convenient and useful in my workplace and for $2, a non-issue when it comes to the price tag. It struck me that this cheap cardboard and plastic whiteboard assembly could also be a very secure way to write temporary notes, say banking details for example. I can write a whole line of values and account numbers, passwords, whatever I like and with a swipe and rub of an eraser rag, whoosh, all of the details are gone forever. As I examined the whiteboard and considered this, I thought of ways that the wiping process could be reversed. There is no embossing onto a lower layer to worry about, and there doesn’t appear to be any order of anything at all on the surface or the wiping rag. So I would at least think on the outset that a whiteboard makes a very fine and secure temporary notepad to write anything on, because once wiped off, perhaps also with alcohol or Windex just to be very careful, I can’t imagine there is any way to unwind the clock on the erasure process. No way to get back what was written.

Now there is no application for this sort of security in my life, other than perhaps writing down account numbers, my SSN, or perhaps the password to some sort of system here at work, but if you are looking for a way to write temporary notes and not have to worry about security – a whiteboard at the dollar store certainly seems to be a solid approach.

C2E2: Will I Be On Camera?

Spotted this gem this morning. There’s something in the tall grass here at C2E2:

The paragraph covering “Will I Be On Camera?” has us scratching our noggins. What does it mean? It could mean facial tracking technology and data sales between customer flow in the exhibitors hall and their subsequent selections on the app for their fandoms. And since all our demographic data is online with ReedPOP, the managing company, they’d have to be dullards to not take advantage of this in all the ways I can think of. So, pinnacle of corruption and deep-cut privacy violations galore! But hey, we all accepted it and frankly my dear, nobody cares or even is worried over it. So I am going to be, in perpetuity (heh heh) the only Watchman shaking his canary cage.

It’s all good. I expect nothing less. Companies are corrupt, all the way to the core. That’s what they are. That is their basic nature. Paging Marcus Aurelius, and Dr. Lecter.

Moo goes the cow. Baa goes the sheep.

Facebook Security

I haven’t logged into Facebook in quite a while and I’ve been doing bits and bloops around the network, like connecting MOD Pizza to my FB account and vastly lower interaction metrics. The Facebook security watchdog noticed!

So they locked me out. I could get back in if I could identify my friends in a quiz format. Fine. Took the quiz, passed. Account password changed and updated.

Hilarious. Facebook is like herpes. I hardly miss the cold sores.

Goodbye Twitter

Today in my email I received this from Twitter Support:

[Image: the email from Twitter Support]

So if you click on the link, the only option is to self-censor, basically a specially crafted button to blow up whatever the offensive tweet was. In my case, my heartfelt wish that our current human stain in the White House has a stroke or heart attack. I don’t want to do anything to him, I want him to simply seize up and die all by himself. Fly into a rage, then grab his chest and drop over stone dead.

So, Twitter took it upon themselves to force me to censor myself. Right after I got this message, I most certainly did click the “Remove” button, which blew up the Tweet. Then I downloaded my Twitter archive, once that was safe, I then deactivated my Twitter account. I would much rather it all get blown up to kingdom come than self-censor myself against the pile of waste sitting behind the Resolute desk.

I don’t really care to discuss the First Amendment ramifications, as I’m absolutely positive that Twitter will hide in the tall grass of their TOS. And that’s actually quite fine. I haven’t used Twitter in years, only logging in to lob gems like this one at the pile of fecal matter with a spray tan. I deleted Facebook, I can delete Twitteriffic too.

What am I missing out on? Nah, nothing lost. Peace of mind gained. Goodbye Twitter.

Keybase Redux

The current ecosystem out there in the Internet is not one that wants for communication nor security. Not at least in options for either, but rather in the popularity contest between the oldest forms of communication on the Internet versus all these new ways of communicating out there. There are so many ways!

Email and web-based sites like Reddit and Facebook have all proven themselves over and over again, perhaps not quite as secure as any of us would hope, but in ubiquity of use. Everyone had to get over the hump of everyone they knew having an email address or a Facebook account. Once the novelty wore off, the security headaches appeared. Most notably, how difficult it is to get people to adopt basic security methods when dealing with email; the death and burial of PGP and GPG technologies rendered email plaintext for anyone to snoop on who might have access to do so.

Then the parade of other sorts of solutions exploded. Signal, WhatsApp, Snapchat, Telegram, and Facebook Messenger exploded. People talking to each other, sometimes privately, sometimes not. Facebook ate a little bit of Signal, but so far I haven’t seen anyone actually use it to protect their chats.

Recently I have come across another app like this, called Confide. It brings forward a lot of the features that attract me to things like Signal and Telegram, the end-to-end security between chat partners without worrying about anyone in between eavesdropping. Confide also eliminates a huge privacy hole present in Snapchat, which is that Confide appears to have eliminated the possibility of screenshotting the content of the message so it can break out. This obviously has limits, because you can very well take camera-based pictures of the Confide process and defeat the screenshot protection, but it does push that envelope further out where people have to perform a lot of extra steps to be clever.

Signal was the first app that I saw that introduced exploding messages to this marketplace. Within the Signal app, and Confide as well I presume, you can set a lifetime counter on a message and after the timer has expired, the message is irretrievable.

There were other solutions that came along as well, more collaborative and team-based, like Slack and Discord, services that supplanted text messages like SMS and iMessage for me, especially at work. The further along I went, the more I realized that a lot of these systems unfortunately have two big things running against them: they are a change in how people communicate, and change is one of the scariest things out there; the second thing is just how oddly resistant people are to actually collaborating. Quite often I am struck by the dial tone I get from folk when I attempt to explain why collaborative solutions like Google Docs and Slack/Discord are so amazing. So I pretty much make an elevator pitch and then let things lie where they land.

Enter Keybase. Originally the site appeared to be a central hub to link personal identity and personal avatars to PGP/GPG keypairs. I suppose you could affectionately regard it as trying to plug in Frankenstein’s Monster just to get a few more twitches out of the poor bastard. However just today, I received an email inviting me to check out Keybase again. They have teams, chat, files, and exploding bits that seem to mingle elements of Signal and Slack together.

What platform wins? Winning is population. When everyone collectively agrees that a solution is so good that it wins by sheer existence alone, that platform wins. Facebook tried it by manipulating human emotions and reward centers, and monetizing all our data that we wanted to share with each other. Right now the platform du jour is Facebook and the corruption of that system is starting to exact a toll on the people who use it. I have abandoned Facebook, and my life has improved. I don’t have the social reward mechanism in place any longer, but it has given me more time to read books and articles online and helped me become a happier person.

What then for these other applications and what they have to bring to the party? I have almost all of them, but use them all very sparingly. What is the point of a communications platform if you don’t know anybody who is using it? It’s the lesson learned by Google Plus in how it attempted to fight with Facebook. If the people aren’t there, then nobody is there. There is a reflection of this all the way back to the start of email as a communications mechanism. PGP/GPG was released back in the late 90’s, and because it didn’t take off, it spiraled out of control and went pear-shaped when it crashed to the surface.

Only time will tell, but from what I’ve seen of Keybase, I’m pleased and intrigued. However again, without anyone to actually use this platform with, it’s just another app that I don’t use on my phone or computer.

Automatic Blacklisting using iptables

My home server, an elderly Mac Mini running Debian 8, was recently exposed to the public Internet on port 22, the sshd service. I did that on purpose, so I could use dynamic DNS addressing to open a secure shell from wherever I might be, even if that’s not home.

Of course, with a port opened up like this, I have exposed this Mac Mini to the wilds of the public Internet, and it has been scanned thoroughly. When I looked at /var/log/auth.log, it was full of attempts to login using root, admin, and pi. The last one, pi, is hilarious because the hostname was never changed when the OS was migrated from running on my Raspberry Pi, so people who scan the IP and get the hostname think it’s a Raspberry Pi.

This has led to a curious exploration of how to prevent people from scanning and attempting to brute-force my sshd server running on this machine. The passwords are complex, so I’m not really worried about anyone breaking into the box, but I do want to dissuade people from even trying. So after some research, I came up with this iptables definition:

# LOGDROP chain: log the packet, then drop it, in one jump
iptables -N LOGDROP
iptables -A LOGDROP -j LOG
iptables -A LOGDROP -j DROP
# keep existing connections (including the current SSH session) alive
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# loopback and the internal LAN are always allowed
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
# record every NEW connection to port 22 in the "recent" table
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
# third NEW connection from the same source within 24 hours gets logged and dropped
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 86400 --hitcount 3 -j LOGDROP

I adapted a bunch of good ideas floating around on other help pages, and these instructions are rather straightforward until the end. I found the LOGDROP chain to be really useful: it will log and then drop traffic in one call, without having to mess around with multiple log and drop jumps. The next rule keeps any current SSH shell running no matter what, then everything from loopback, and then everything from my internal network. The next sequence sets up a tracking database in the server; if someone attempts to chat up my sshd server more than three times in a day, their IP address is installed in a blacklist and their traffic is dropped.
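To see which connection attempts the two `-m recent` rules above would actually drop, here is an added Python model (written for this article, not iptables code and not from the original post) that replays a constructed sequence of NEW port-22 packets through a simplified version of the kernel's `recent` table. The IP addresses and timestamps are made up; the model ignores kernel details such as the per-entry hit cap, and it also shows the self-lockout a legitimate remote user hits on the third connection of a day.

```python
"""Simplified model of '-m recent --set' followed by
'-m recent --update --seconds 86400 --hitcount 3 -j LOGDROP'.

Added illustration for the iptables rules in the post; not part of
iptables or the netfilter 'recent' module, and it deliberately ignores
details such as the per-entry hit cap (ip_pkt_list_tot)."""
from collections import defaultdict

SECONDS = 86400   # --seconds 86400 from the post's rule (24 hours)
HITCOUNT = 3      # --hitcount 3


def simulate(events, seconds=SECONDS, hitcount=HITCOUNT):
    """events: (unix_time, source_ip) pairs for NEW TCP/22 packets, in
    arrival order.  Returns (unix_time, source_ip, verdict) triples where
    verdict is 'ACCEPT' (falls through to the default policy) or 'LOGDROP'."""
    table = defaultdict(list)   # the recent table: ip -> hit timestamps
    verdicts = []
    for ts, ip in events:
        # Rule 1 ('--set', no -j): record this packet for the source.
        table[ip].append(ts)
        # Rule 2 ('--update --seconds N --hitcount H'): match when the
        # source has at least H recorded hits inside the last N seconds.
        hits_in_window = [t for t in table[ip] if ts - t <= seconds]
        verdict = "LOGDROP" if len(hits_in_window) >= hitcount else "ACCEPT"
        verdicts.append((ts, ip, verdict))
    return verdicts


def summarize(verdicts):
    """Per-source counts of accepted and dropped NEW connections."""
    counts = defaultdict(lambda: {"ACCEPT": 0, "LOGDROP": 0})
    for _, ip, verdict in verdicts:
        counts[ip][verdict] += 1
    return dict(counts)


# Constructed sample: a scanner (203.0.113.5) hammering port 22 every
# minute, the owner's own phone (198.51.100.7) connecting three times in
# one day, and the scanner coming back just after the 24-hour window.
SAMPLE_EVENTS = [
    (0, "203.0.113.5"),
    (60, "203.0.113.5"),
    (120, "203.0.113.5"),      # third hit in the window -> LOGDROP
    (180, "203.0.113.5"),      # still inside the window -> LOGDROP
    (1000, "198.51.100.7"),
    (30000, "198.51.100.7"),
    (60000, "198.51.100.7"),   # legitimate user locked out for the day
    (86581, "203.0.113.5"),    # all earlier hits aged out -> ACCEPT again
]

if __name__ == "__main__":
    for ts, ip, verdict in simulate(SAMPLE_EVENTS):
        print(f"t={ts:>6}  {ip:<14} {verdict}")
    print(summarize(simulate(SAMPLE_EVENTS)))
```

Note that the window is measured from the hits already recorded, so an attacker who pauses for a day gets a fresh allowance, and your own laptop on a fixed external address is blocked by its third connection of the day.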

Obviously this is overkill, and my next step is to add 2FA to PAM on this server so that I will need to enter a password and a six-digit 2FA code that changes every 30 seconds and never repeats. If anyone else out there is looking for something similar to this, you’re welcome to try it out. Good luck!