Slightly less Random Ramblings

September 12, 2017

Setting up a killswitch for your VPN provider under Ubuntu

Filed under: computing, encryption, linux, OpenVPN, security — Robert Wicks @ 1:54 am

Run these commands to allow your Ubuntu machine to connect over VPN, but deny other traffic, so that if the VPN goes down, the server only allows local subnet access (for SSH so you can fix it).

 

#allow UDP traffic so that VPN works.ufw allow out 1194/udp

ufw allow out 1194/udp
ufw allow out 1198/udp

#Allow DNS queries
ufw allow out 53/udp

Allow connections over all interfaces of Ubuntu updates:

ufw allow out proto tcp to 23.246.0.0/18 port 80
ufw allow out proto tcp to 23.246.0.0/18 port 443
ufw allow out proto tcp to 54.239.54.0/23 port 80
ufw allow out proto tcp to 54.239.54.0/23 port 443
ufw allow out proto tcp to 54.239.13.128/25 port 80
ufw allow out proto tcp to 54.239.13.128/25 port 443
for x in 54.239.122.0 54.239.126.128; do for y in 80 443; do ufw allow out proto tcp to ${x}/25 port ${y}; done; done
ufw allow out proto tcp to 64.15.0.0/16 port 80
ufw allow out proto tcp to 64.15.0.0/16 port 443
for x in 54.239.145.0/24 54.239.145.0/24 64.15.119.0/24 91.189.91.23 91.189.91.26 91.189.88.149 91.189.88.152 91.189.88.162 91.189.88.161; do for y in 80 443; do ufw allow out proto tcp to ${x} port ${y}; done; done

#Get the interface addresses and allow stuff on the local subnet(s)
for y in $(ifconfig | awk ‘/inet/ && / 192/ || / 172\.16/ || / 10\./ {print $2}’); do ufw allow to ${y}/24; ufw allow in from ${y}/24; done

#get the IP addresses for the VPN servers. In this case, privateinternetaccess.com
for z in $(for x in ca ca-toronto sweden swiss france germany israel; do host ${x}.privateinternetaccess.com; done|awk ‘{print $NF}’| sort | uniq); do ufw allow in from ${z} to any; done

#allow traffic on tun0, the VPN interface.

ufw allow in on tun0 from any to any
ufw allow out on tun0 from any to any

#Deny connections by default
ufw default deny incoming
ufw default deny outgoing

#Enable the firewall
ufw enable

September 11, 2017

My Favorite Router for the Home

Filed under: computing, encryption, OpenVPN, OpenWRT, security — Tags: , — Robert Wicks @ 12:03 pm

I’ve been a longtime OpenWRT user. I still use it, however, I have finally found a router suitable for the home which made it worth my while to use in its stead: the Ubiquiti Edgerouter X. I listened to Steve Gibson of GRC sing its praises on the Security Now podcast and discovered, to my delight, that his praise was well-earned. The ease of use, throughput, feature set, and amazingly low price combine to make it a nearly ideal home router. For $50, you get five gigabit ports, and the router is capable of providing nearly that amount in throughput. For people who work from home, the ability to have multiple WAN connections for failover is a godsend. It allows you to set up your own OpenVPN server as well. Some might consider the lack of wifi to be a negative. I am not among that number. Decoupling wireless access from the actual Internet allows for much more flexibility and much lower cost.

December 28, 2016

Bizarre issue using the xfinitywifi hotspot (solved)

Filed under: computing, encryption, OpenVPN — Robert Wicks @ 1:49 am

OpenVPN over UDP is broken. I get a connection, but rarely pass traffic, and never make an https connection. When I switch to TCP port 443 on my server, everything works.

March 18, 2016

The Process or the Product?

Filed under: crime, encryption, Police, Technology, terrorism — Tags: , , , , , — Robert Wicks @ 5:29 pm
codebook

Cipher for Telegraphic Correspondence — a code book used by Union General Joseph Hooker’s code clerk

When I was younger, I often heard people debating whether the state should attempt to ensure equality of opportunity for people or equality of outcome. This has generally focused on areas associated with race or gender. Libertarians have consistently maintained that equality of opportunity is all that the government should properly enforce. The most progressive people push for equality of outcome in some situations, though many will say that historical biases are being overcome, so it is meaningful equality of opportunity that they seek. It strikes me however, that the recent public confrontation between Apple and the FBI provides us with similar arguments being made.

The state has long had the recognized authority to seize property and search it with a warrant. Many of the discussions surrounding the iPhone in question mention that the government can issue orders to look through private property and that the iPhone in question is no different. I’ve seen comparisons, for example to breaking into a home and taking papers for examination.

This is where I think the parallels to civil rights situations can come into play. If the police take your papers, do they have the right to the intelligibility of those papers and effects, or simply to the effects themselves. That is, if the papers are in some language or code that they do not know, do they have the right to force someone to translate it or to teach them the language? In the cases of both plain English papers and the iPhone, they have the same opportunity to examine, but the lack of knowledge (of the pass code, password, or encryption key) may make the outcomes very different.

Another analogy I have seen is that of a safe. Imagine a safe with a completely impregnable lock. What does the state do? Well, there are ways to get into safes without using the lock. You could cut your way in, or blow it up. However, it is at least possible that these other methods may destroy something of value within the safe. Does the government have the right to force the  to come up with a method for opening the lock? Further, do they have the right to force  to only make locks which can be opened without the owner’s consent? In the case of the confiscated iPhone, there may well be ways to “open” the data without the owner’s consent, but those methods may destroy the information which is sought.

It is entirely possible that this case may have effects which reach outside of the world of technology. The most fundamental of notions being examined are whether the state is entitled to a process or a product? The process is the issuing of warrants and the collection of property. The seizure of property is no guarantee of specific uses of that property. And it is the specific uses that the state demands. Is it appropriate for the state to insist on a specific outcome for a policy or is it appropriate that an agreed upon process be followed? In the justice system, I have heard many times over the years that the purpose is to follow the process. Justice is the ideal outcome, but a particular outcome is not what the state promises citizens. It promises them a process. Yet, it appears as though the state is not satisfied to have the same situation in cases involving itself: it demands an outcome. As we move forward and various technologies are developed, this guarantee of outcome will necessarily create greater and greater burdens on hardware and software developers. It may be effectively illegal for a small independent developer to create an encrypted product, for example, because the day may come where each instance of a product will require some sort of individualized method for accessing whatever data is held within it. That implies a substantial data handling infrastructure which companies, and individuals, may soon be required to maintain.

 

July 5, 2014

Using Tor and a VPN service for privacy

Filed under: encryption — Tags: , , , , — Robert Wicks @ 5:36 pm

In light of recent revelations that the government specifically targets for surveillance people who do searches for Tor, here is how I suggest you use Tor:

1) Get one of the VPN services, install it and verify that traffic is sent out by default over the tunnel.
2) Use this link to obtain Tor. Set it up so that it runs as a SOCKS proxy locally (the default way, but you can also install it without a browser as just a proxy
3) Keep the VPN and Tor services running all the time, with the kill switch feature such that if the VPN link goes down, the Internet shuts down.
4) Configure Firefox in private mode (about:config) permanently. Configure it to use the Tor proxy
5) Disable geolocation in all browsers
6) Leave everything else default.

What this means is that all your traffic goes onto the Internet at the remote proxy location. If you don’t torrent, you can even make that exit point in the USA, which may help you do stuff like banking or services which require that you access them from the USA. Or you can just switch VPN endpoints when you need to. Whenever you want to do something with stronger anonymity, run Firefox or the Tor browser. This will put you on the Tor network. By disabling geolocation, you gain some additional protection against Javascript, which is still on in Firefox (turn that off if you don’t need it, but I use Firefox in this was specifically in cases where I need a full-featured browser, but still run it through Tor. Note that Flash will actually bypass proxies, so it will go out through the VPN connection. As as additional safeguard to your anonymity, pay for the VPN service using bitcoin, and use an email anonymizing service such as Guerrilla Mail.

May 29, 2014

Stick with Truecrypt 7.1a and Wait for more Information

Filed under: encryption, security, software, Truecrypt — Tags: , , , , — Robert Wicks @ 8:57 am

Yesterday, The homepage for the popular full disk encryption solution, Truecrypt, changed to reflect the following:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

This page exists only to help migrate existing data encrypted by TrueCrypt.

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

The page goes on to describe how to configure Bitlocker encryption and remove Truecrypt.

The message is very odd, as there were no indications of the project ending. Truecrypt does very specific things. It is not the sort of software which requires expansive numbers of new features. It works well with Windows 7, which is a huge part of the market. I have not attempted to use it on Windows 8, but Microsoft’s own page on it indicates that it works fine. My reasons for distrusting the new message, despite the fact that the issuer of that message has access to the correct keys to sign the TC release are:

  • There are no details of the security issues with Truecrypt.
    Assuming this message is actually from the same people who have been developing Truecrypt, they should have no problem at all clearly describing the nature of the vulnerabilities. They have more ability to do this, once those vulnerabilities are known, than anyone else. The lack of detail makes me suspicious.
  • The endorsement of Bitlocker flies in the face of the history of the project.
    The developers of Truecrypt have shown a consistent (and justified) pattern of paranoia. The sudden endorsement of a closed source security solution is a completely different (and worse) attitude towards security. Among the most suspicious aspects of this is the fact that TC has explicitly avoided dependence on the TPM module due to a lack of trust, yet the “solution” suggested by the homepage currently explicitly endorses using that functionality in moving to Bitlocker.
  • The new release appears to not actually correct bugs or improve functionality.
    7.2 appears to do nothing more than issue warnings and disable encryption. The users of Truecrypt tend to be a savvy lot. They have the skills to decrypt data should that become necessary. Issuing a version with the encryption function disabled is nonsensical.

May 17, 2014

A Chat on Cybersecurity

Filed under: encryption, Firewall, OpenVPN, OpenWRT, security, Truecrypt, Windows — Robert Wicks @ 5:47 pm

I was recently interviewed by Manuel Lora for Liberty.me on the topic of cybersecurity. You can listen to it here.

August 21, 2013

OpenVPN Not Passing Traffic on Windows 8 Professional using UDP

Filed under: computing, encryption, OpenVPN, security, Windows — Tags: , , , , , , — Robert Wicks @ 7:25 am

Windows 8 Pro (which is the version I have. I cannot comment on other versions) appears to have an issue with a normal OpenVPN tunnel. When using UDP, my VPN does not pass traffic. It does pass that traffic when I use TCP. Additionally, a Cisco SSL VPN (also UDP based) I use does not work. After browsing about a bit, I found that the UDP encapsulation settings have an effect on this. The registry setting which needs to be changed is:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
“AssumeUDPEncapsulationContextOnSendRule”=dword:00000002

After rebooting, both of my VPNs worked, fixing an issue which nearly made me abandon Windows 8.

January 24, 2013

Windows 7 VPN Routing to StrongSwan

Filed under: encryption, linux, security — Tags: , , , , , , , , , , — Robert Wicks @ 12:41 am

One thing which always bugged me about my VPN setup is that whenever I used IPSec on Windows 7, I had to specify the route into my home network using a command prompt in Windows (with elevated permissions) where I had to use the “route add” command (you can view the link to see my example.) I finally have a way around this, by using the tip here. Just follow these directions, but instead of a script, specify the route command, with the flags “add 192.168.0.0 mask 255.255.255.0 10.8.8.1” from the example in my VPN setup post. Check the box “run with highest permissions” and save it. Now, every time you connect to your VPN, the task will automatically set your route. Obviously, you could make this a script with any number of commands or multiple routes, so adjust things accordingly.

January 10, 2012

Thank you Asus!

Filed under: encryption, security, Truecrypt, Windows — Tags: , , , , , , , , — Robert Wicks @ 6:56 am

I bought an Asus U56E from Fry’s, which has an Intel i5-2410M CPU. The laptop has been very good, having excellent battery life and good performance. I replaced the internal optical drive with a drive caddy so that I could replace the internal drive with an SSD, but have an additional spinning drive in order to have a larger amount of space. My SSD has built-in encryption, however the spinning drive does not. I use Truecrypt. I wanted the i5 because I was under the mistaken impression that they all supported AES-NI. I later discovered that Intel has issued a microcode update for this CPU which enables the feature, but the BIOS manufacturer needed to enable it in the system BIOS. Asus has now enabled this feature in version 213 of the BIOS. Truecrypt’s benchmark performance has increased 5x since the update.

Older Posts »

Blog at WordPress.com.

%d bloggers like this: