looking at my heart

I have not blogged about personal stuff in a long time. Sometimes the only thing that will listen in the way that I want to be heard is with a pen and a piece of paper.

It is clear to me that I am an introvert. When it comes to personal matters, I like being by myself and working out my own problems. With that comes cut-throat prioritization and intense moral struggle.

The exception to my independence is when I fall in love with another person. The act of falling in love happens rarely, because it takes a long time for me to identify someone with a mix of characteristics and mannerisms that I thoroughly and thoughtfully enjoy.

When I do fall in love, I fall quickly, and I fall hard.

When I find this person, I think that I know what to do. I actively demonstrate care, humility, and respect. I become super attentive and reactive. I do all of these things because it is what I want:

  • It is how I want to be mutually treated by this person.
  • Because it is an outlet for positive emotion, one that I understand, which makes me happy.
  • And because I need to create feedback loops to–in my opinion, help–verify the integrity of our feelings.

Sometimes one or more of these things scares people. It makes them question their own emotional depth, which creates uncomfortable rifts. I then get frustrated because these people do not seem to be patient with themselves or with me–or is it truly irreversible?

Cities: adopt these privacy laws

To follow up on my previous post about enacting local initiatives for the people’s right to privacy:

  • A publicly-accessible warrant must be provided to monitor or capture any private voice communication or digital data, at rest or in motion.
  • Only the entities that privately sign digital certificates for the purpose of encrypting voice communication or digital data, at rest or in motion, can decrypt said voice communication or digital data.
  • Only the original creator of a private certificate may own and use it in a way that allows said entity to view or record decrypted voice communication or digital data.
  • It is illegal for any entity to attempt to break or subvert any voice or data encryption mechanism.

I foresee some business impacts to these, so some of them probably need to change. Discuss!

Ideas to support the Tor Project: Wikipedia IdeaLab proposal

Special thanks to my open-access comrade-in-arms Lane Rasberry.

Lane emailed me this morning asking for my input on a current proposal that’s on Jimmy Wales’s very own Wikipedia talk page.

After CC’ing Runa Sandvik from the Tor Project to verify the factuality of my feedback for the Wikipedia community, I posted my comments.

The ongoing issue, which Jacob Appelbaum repeatedly vocalizes, is that Tor users, Jacob included, are not able to protect their identity and contribute to the knowledge base that exists on Wikipedia.

Political activists and dissidents create a critical feedback loop into the controversial dialogue that is only made possible through the Internet and social media. Not only are these people self-empowering, they are the ones most likely to seek out the truth.

From Lane:

If you would be willing to write a brief set of proposals about what Wikipedia should do with Tor, then [Lane] would format those with you in the IdeaLab. This is a space where ideas are stored on Wikipedia so that they would always be found if anyone ever wanted them. I think it would be a good idea just to establish the conversation.

https://meta.wikimedia.org/wiki/Grants:IdeaLab

[If] it is of interest to you, I would help you start a proposal, format it properly, publicize it, and if you know anyone in the Tor community that might want to make a grant proposal for funding to establish and document the relationship between Tor and Wikipedia, then I might be able to advise on how to do that also.

This conversation is happening now live and it does have Jimbo Wales’ attention. It would be awesome to get input from established Tor supporters.

If you would like to create a proposal and have the support of a Wikipedia veteran, please contact Lane directly, and ask for other people’s input! I’m also extremely interested in supporting; I just don’t know what an ideal proposal would look like, and I don’t want to speak on behalf of the Tor Project.

Thank you!

Developing an Open Educational Resource on Encryption

Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.

— Edward Snowden, answering questions live on the Guardian’s website

Society needs an educational resource, covering the complex topics involved with information encryption, that is modular, openly accessible, and freely remixable. This is my proposal to create such a resource.

Open Educational Resources (OER) are freely accessible, openly licensed documents and media that are useful for teaching, learning, educational, assessment and research purposes. The development and promotion of open educational resources is often motivated by a desire to curb the commodification of knowledge[1] and provide an alternate or enhanced educational paradigm.

Utilizing Creative Commons licensing, an OER can be created on oercommons.org, where it will be maintained by a single authority, yet anyone in the world will be able to adapt and create their own work from ours. Oercommons.org provides a long-term support platform for maintaining these resources.

I started publicly asking for help in June of 2013–and I received a very warm welcome. You don’t have to look far to see why.

2013-06-24

August 2013:

2013-08-23 2013-08-23-2

October 2013: KEYNOTE: Journalism in the Age of Surveillance, Threat Modeling: Determining Digital Security for You, [For Journalism] Keeping Under the Security Radar, Improving Your Digital Hygiene

December 2013: United We Stand — and Encrypt by Josh Sterns

2013-12-21

December 2013: Arab journalists need training for civil unrest and wars — referencing the CPJ’s Journalist Security Guide

January 2014: A Modest Proposal for Encrypting the Work of Activists by Kate Krauss

2014-01-20

It is clear that a diversity of educational resources is needed. While my original proposal was going to be supported by the United States Open Knowledge Foundation, OKFNUS has since backpedaled due to lack of support from central-OKF. I am hoping that the many people behind Crypto.is are interested in spearheading the development of this OER. If they are not, and no other organization is, I will shortly be registering my own domain name to create a project launch page.

The initial launch of the OER can be created using Encryption Works: How to Protect Your Privacy (And Your Sources) in the Age of NSA Surveillance, by Micah Lee of the Freedom of the Press Foundation. Micah and the Freedom of the Press Foundation graciously licensed this work as CC-BY, allowing us, and even Wikipedia, to reuse the work with attribution. I am hoping that Micah himself will want to be included in this project.

The target audience, initially, will be journalists, whistle blowers, activists, and dissidents. While these groups are the extreme, their example proves useful for the rest of society.

Please comment on this post, or tweet me, or email me your feedback.

Strip PNG metadata using Ubuntu: pngcrush and optipng

This guide has been tested with Ubuntu Desktop versions 13.11 and 15.04.

PNG optimizing tools reduce size by getting rid of “extra” stuff. Some of that extra stuff is the metadata that can be used to identify who took the picture. I’m no professional metadata-remover, I just did this testing for fun.

sudo apt-get install -y pngcrush libimage-exiftool-perl optipng imagemagick
pngcrush -rem allb -brute -reduce original.png optimized.png && optipng -o7 optimized.png

pngcrush – run the pngcrush program

-rem allb – remove all extraneous data

-brute – attempt all optimization methods

-reduce – eliminate unused colors and reduce bit-depth

original.png – the name of the original (unoptimized) PNG file

optimized.png – the name of the new, optimized PNG file

&& – command #2 will be executed if and only if command #1 returns exit status zero

optipng – run the optipng program

-o7 – optimize the image at the highest possible level

optimized.png – the already pngcrush-optimized PNG file that will be further optimized (if possible) with optipng

Let’s test!

Here’s an image that’s CC-BY-SA from Wikipedia: http://upload.wikimedia.org/wikipedia/commons/8/89/Tenaya_Lake_Yosemite_National_Park.png

pngcrush -rem allb -brute -reduce Tenaya_Lake_Yosemite_National_Park.png Tenaya_Lake_Yosemite_National_Park2.png && optipng -o7 Tenaya_Lake_Yosemite_National_Park2.png

Then to check the metadata:

identify -verbose Tenaya_Lake_Yosemite_National_Park.png

Image: Tenaya_Lake_Yosemite_National_Park.png
Format: PNG (Portable Network Graphics)
Class: DirectClass
Geometry: 2048x1536+0+0
Resolution: 70.87x70.87
Print size: 28.898x21.6735
Units: PixelsPerCentimeter
Type: TrueColor
Endianess: Undefined
Colorspace: sRGB
Depth: 8-bit
Channel depth:
red: 8-bit
green: 8-bit
blue: 8-bit
Channel statistics:
Red:
min: 0 (0)
max: 255 (1)
mean: 111.14 (0.435842)
standard deviation: 42.8511 (0.168043)
kurtosis: 0.724192
skewness: 1.17595
Green:
min: 0 (0)
max: 255 (1)
mean: 130.885 (0.513273)
standard deviation: 38.549 (0.151173)
kurtosis: -0.384294
skewness: 0.458422
Blue:
min: 0 (0)
max: 255 (1)
mean: 155.366 (0.609278)
standard deviation: 48.5428 (0.190364)
kurtosis: -0.907909
skewness: -0.00882359
Image statistics:
Overall:
min: 0 (0)
max: 255 (1)
mean: 132.463 (0.519464)
standard deviation: 43.5073 (0.170617)
kurtosis: 0.23089
skewness: 0.637459
Rendering intent: Perceptual
Gamma: 0.454545
Chromaticity:
red primary: (0.64,0.33)
green primary: (0.3,0.6)
blue primary: (0.15,0.06)
white point: (0.3127,0.329)
Interlace: None
Background color: white
Border color: srgb(223,223,223)
Matte color: grey74
Transparent color: black
Compose: Over
Page geometry: 2048x1536+0+0
Dispose: Undefined
Iterations: 0
Compression: Zip
Orientation: Undefined
Properties:
date:create: 2014-01-15T19:41:21-08:00
date:modify: 2014-01-15T19:41:21-08:00
png:cHRM : chunk was found (see Chromaticity, above)
png:gAMA : gamma=0.45454544 (See Gamma, above)
png:iCCP : chunk was found
png:IHDR.bit_depth : 8
png:IHDR.color_type : 2 (Truecolor)
png:IHDR.interlace_method: 0 (Not interlaced)
png:IHDR.width,height : 2048, 1536
png:pHYs : x_res=7087, y_res=7087, units=1
png:sRGB : intent=0 (See Rendering intent)
signature: 4be08d8b3f54c63739c5653a38dd4f817da97114025dddaccbf7e9e533396d56
Profiles:
Profile-icc: 1352 bytes
Description: Camera RGB Profile
Manufacturer: Camera RGB Profile
Model: Camera RGB Profile
Copyright: Copyright 2003 Apple Computer Inc., all rights reserved.
Artifacts:
filename: Tenaya_Lake_Yosemite_National_Park.png
verbose: true
Tainted: False
Filesize: 4.961MB
Number pixels: 3.146M
Pixels per second: 10.49MB
User time: 0.290u
Elapsed time: 0:01.300
Version: ImageMagick 6.7.7-10 2013-09-10 Q16 http://www.imagemagick.org

And compare the optimized copy:

identify -verbose Tenaya_Lake_Yosemite_National_Park2.png

Image: Tenaya_Lake_Yosemite_National_Park2.png
Format: PNG (Portable Network Graphics)
Class: DirectClass
Geometry: 2048x1536+0+0
Resolution: 72x72
Print size: 28.4444x21.3333
Units: Undefined
Type: TrueColor
Endianess: Undefined
Colorspace: sRGB
Depth: 8-bit
Channel depth:
red: 8-bit
green: 8-bit
blue: 8-bit
Channel statistics:
Red:
min: 0 (0)
max: 255 (1)
mean: 111.14 (0.435842)
standard deviation: 42.8511 (0.168043)
kurtosis: 0.724192
skewness: 1.17595
Green:
min: 0 (0)
max: 255 (1)
mean: 130.885 (0.513273)
standard deviation: 38.549 (0.151173)
kurtosis: -0.384294
skewness: 0.458422
Blue:
min: 0 (0)
max: 255 (1)
mean: 155.366 (0.609278)
standard deviation: 48.5428 (0.190364)
kurtosis: -0.907909
skewness: -0.00882359
Image statistics:
Overall:
min: 0 (0)
max: 255 (1)
mean: 132.463 (0.519464)
standard deviation: 43.5073 (0.170617)
kurtosis: 0.23089
skewness: 0.637459
Rendering intent: Perceptual
Gamma: 0.454545
Chromaticity:
red primary: (0.64,0.33)
green primary: (0.3,0.6)
blue primary: (0.15,0.06)
white point: (0.3127,0.329)
Interlace: None
Background color: white
Border color: srgb(223,223,223)
Matte color: grey74
Transparent color: black
Compose: Over
Page geometry: 2048x1536+0+0
Dispose: Undefined
Iterations: 0
Compression: Zip
Orientation: Undefined
Properties:
date:create: 2014-01-15T19:58:34-08:00
date:modify: 2014-01-15T19:58:34-08:00
png:cHRM : chunk was found (see Chromaticity, above)
png:gAMA : gamma=0.45454544 (See Gamma, above)
png:IHDR.bit_depth : 8
png:IHDR.color_type : 2 (Truecolor)
png:IHDR.interlace_method: 0 (Not interlaced)
png:IHDR.width,height : 2048, 1536
png:sRGB : intent=0 (See Rendering intent)
signature: 4be08d8b3f54c63739c5653a38dd4f817da97114025dddaccbf7e9e533396d56
Artifacts:
filename: Tenaya_Lake_Yosemite_National_Park2.png
verbose: true
Tainted: False
Filesize: 4.454MB
Number pixels: 3.146M
Pixels per second: 14.98MB
User time: 0.210u
Elapsed time: 0:01.209
Version: ImageMagick 6.7.7-10 2013-09-10 Q16 http://www.imagemagick.org
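
Reading two long identify dumps side by side makes it easy to miss a surviving chunk, so here is a small chunk-level check (an added example, not part of the original post or of pngcrush). The sample PNG is constructed in memory, the `IDENTIFYING` set is my own assumption about which chunk types matter, and `strip_ancillary` is a stand-in that keeps tRNS and gAMA by default, mirroring the gAMA entry that survives in the output above.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Assumption: ancillary chunk types most likely to carry identifying data.
IDENTIFYING = {b"tEXt", b"zTXt", b"iTXt", b"eXIf", b"tIME", b"iCCP", b"pHYs"}

def make_chunk(ctype, payload):
    """Serialize one chunk: length, type, payload, CRC over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def iter_chunks(png):
    """Yield (type, payload) for each chunk, validating length and CRC."""
    if png[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    pos = 8
    while pos < len(png):
        if pos + 12 > len(png):
            raise ValueError("truncated chunk header")
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(png):
            raise ValueError("truncated chunk %r" % ctype)
        payload = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[end - 4:end])
        if crc != zlib.crc32(ctype + payload) & 0xFFFFFFFF:
            raise ValueError("bad CRC in chunk %r" % ctype)
        yield ctype, payload
        if ctype == b"IEND":
            return  # anything after IEND is not image data and is ignored
        pos = end

def is_ancillary(ctype):
    # Bit 5 of the first type byte (a lowercase letter) marks an ancillary chunk.
    return bool(ctype[0] & 0x20)

def identifying_chunks(png):
    return [c.decode("ascii") for c, _ in iter_chunks(png) if c in IDENTIFYING]

def strip_ancillary(png, keep=(b"tRNS", b"gAMA")):
    """Rebuild the file from critical chunks plus the ancillary types in keep."""
    out = [PNG_SIGNATURE]
    for ctype, payload in iter_chunks(png):
        if not is_ancillary(ctype) or ctype in keep:
            out.append(make_chunk(ctype, payload))
    return b"".join(out)

def sample_png():
    """Constructed 1x1 truecolor PNG carrying a few metadata chunks."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return PNG_SIGNATURE + b"".join([
        make_chunk(b"IHDR", ihdr),
        make_chunk(b"gAMA", struct.pack(">I", 45455)),
        make_chunk(b"pHYs", struct.pack(">IIB", 7087, 7087, 1)),
        make_chunk(b"tIME", struct.pack(">HBBBBB", 2014, 1, 15, 19, 41, 21)),
        make_chunk(b"tEXt", b"Author\x00Constructed Example"),
        make_chunk(b"IDAT", idat),
        make_chunk(b"IEND", b""),
    ])

if __name__ == "__main__":
    original = sample_png()
    print("before:", identifying_chunks(original))
    print("after: ", identifying_chunks(strip_ancillary(original)))
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes to `identifying_chunks` before and after running pngcrush.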

Setting up OpenVPN Access Server on Ubuntu server

Updated 2015-Aug-22, revision 61

Originally created for Ubuntu 13.10 but updated for 15.04, so I presume it would work for other equivalent Debian distributions.

About: “OpenVPN Access Server is a full featured secure network tunneling VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, simplified OpenVPN Connect UI, and OpenVPN Client software packages that accommodate Windows, MAC, Linux, Android, and iOS environments. OpenVPN Access Server supports a wide range of configurations, including secure and granular remote access to internal network and/ or private cloud network resources and applications with fine-grained access control.”

Advanced configurations: AS command line tools

Server configuration

SSH

Before configuring OpenVPN, I always harden SSH first. If you haven’t, use BetterCrypto.org.

  1. sudo apt-get install fail2ban
  2. sudo ufw limit 22/tcp
  3. sudo ufw enable

OpenVPN server

  1. sudo -s
  2. wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add -
  3. There is no “vivid” repo so I used “trusty”.

  4. echo "deb http://swupdate.openvpn.net/apt trusty main" > /etc/apt/sources.list.d/swupdate.openvpn.net.list
  5. exit
  6. sudo apt-get update
  7. sudo apt-get install openvpn bridge-utils openvpn-blacklist
  8. openvpn --version
  9. You should get > OpenVPN 2.3.8

  10. Download the latest version of OpenVPN-AS by visiting this page and selecting your OS: https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html
  11. wget http://swupdate.openvpn.org/as/openvpn-as-2.0.20-Ubuntu14.amd_64.deb
  12. sudo dpkg -i openvpn-as-2.0.20-Ubuntu14.amd_64.deb
  13. Change the “openvpn” user password that you’ll use to access your VPN (make it a strong password):
    sudo passwd openvpn
  14. sudo ufw allow 443
  15. sudo ufw allow 1194
  16. sudo ufw reload

Harden your crypto

Special thanks to the volunteers behind BetterCrypto.org. I modified their config a little bit (see “Notes” at the bottom of this article).

  1. Log into your OpenVPN-AS control panel at https://server_ip:943/
  2. Under Configuration on the left, click Advanced VPN
  3. Under Additional OpenVPN Config Directives (Advanced), add the following to both Server Config Directives and Client Config Directives
  4. tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
    cipher AES-256-CBC
    auth SHA512
  5. Click Save Settings and then Update Running Server

Disable logging

Remember that all virtual servers are vulnerable to the underlying host and its networking environment. Any traffic exiting through a VPN on a VPS is logged by that ISP and possibly under surveillance from the VPS host itself (especially dangerous for Tor hidden services). Physical hosts, even though more expensive to rent, are superior in this way.

Related reading: Shred and secure-delete: tools for wiping files, partitions and disks in GNU/Linux

  1. sudo ufw logging off
  2. sudo /etc/init.d/rsyslog stop
  3. sudo chmod -x /etc/init.d/rsyslog
  4. sudo apt-get install secure-delete
  5. sudo srm -r -v /var/log/*
  6. You can check /var/log from time to time to verify nothing is logging:

  7. sudo ls -alh /var/log

Client configuration

Mac and Windows client notes

If you’re using a Windows client, pay $9 and use the Viscosity client. It properly handles OpenVPN proxies. It’s also free to try. In the AS (server) control panel, allow your user to use the autologin profile then you can just give Viscosity your AS server IP and user credentials once.

Ubuntu client config

  1. sudo -s
  2. wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add -
  3. There is no “vivid” repo so I used “trusty”.

  4. echo "deb http://swupdate.openvpn.net/apt trusty main" > /etc/apt/sources.list.d/swupdate.openvpn.net.list
  5. exit
  6. sudo apt-get update
  7. sudo apt-get install openvpn

Ovpn files are still not supported through the gnome GUI as described here. Connect via command-line on the client:

  1. Go to https://your_server_ip:443 in your web browser.
  2. Log in with the above user credentials that you created.
  3. Click Yourself (user-locked profile) to download the client.ovpn file.
  4. Open a terminal window and enter:
    sudo openvpn --config /home/your_user/Downloads/client.ovpn
  5. Verify that you’re using your remote IP address: http://ipchicken.com/

Notes

Before hardening OpenVPN-AS crypto:

Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

Then I used BetterCrypto’s OpenVPN configuration without making any changes:

Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Data Channel Encrypt: Using 384 bit message hash 'SHA384' for HMAC authentication
Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Data Channel Decrypt: Using 384 bit message hash 'SHA384' for HMAC authentication
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

When connecting with BetterCrypto’s OpenVPN configuration, I was given these warnings:

Deprecated TLS cipher name 'DHE-RSA-AES256-GCM-SHA384', please use IANA name 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384'
Deprecated TLS cipher name 'DHE-RSA-AES256-SHA256', please use IANA name 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA256'
Deprecated TLS cipher name 'DHE-RSA-AES128-GCM-SHA256', please use IANA name 'TLS-DHE-RSA-WITH-AES-128-GCM-SHA256'
Deprecated TLS cipher name 'DHE-RSA-AES128-SHA256', please use IANA name 'TLS-DHE-RSA-WITH-AES-128-CBC-SHA256'
Deprecated TLS cipher name 'DHE-RSA-CAMELLIA256-SHA', please use IANA name 'TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA'
Deprecated TLS cipher name 'DHE-RSA-AES256-SHA', please use IANA name 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA'
Deprecated TLS cipher name 'DHE-RSA-CAMELLIA128-SHA', please use IANA name 'TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA'
Deprecated TLS cipher name 'DHE-RSA-AES128-SHA', please use IANA name 'TLS-DHE-RSA-WITH-AES-128-CBC-SHA'
Deprecated TLS cipher name 'CAMELLIA256-SHA', please use IANA name 'TLS-RSA-WITH-CAMELLIA-256-CBC-SHA'
Deprecated TLS cipher name 'AES256-SHA', please use IANA name 'TLS-RSA-WITH-AES-256-CBC-SHA'
Deprecated TLS cipher name 'CAMELLIA128-SHA', please use IANA name 'TLS-RSA-WITH-CAMELLIA-128-CBC-SHA'
Deprecated TLS cipher name 'AES128-SHA', please use IANA name 'TLS-RSA-WITH-AES-128-CBC-SHA'

I changed the deprecated cipher names to IANA names. Because of the 256 character limit on configuration file line lengths, I dropped the non-DHE suites and made all of the DHE suites ECDHE suites.

Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Data Channel Encrypt: Using 384 bit message hash 'SHA384' for HMAC authentication
Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Data Channel Decrypt: Using 384 bit message hash 'SHA384' for HMAC authentication
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

Finally, I dropped all of the ciphers that I’ll never use since I control both the server and the client. I also upped the authentication to SHA512. GCM support for the data channel (instead of CBC) will be in OpenVPN 2.4 (so not yet in 2.3.8).

Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

And I have no idea how to use 4096 bit RSA with Access Server. Do you? Please email or tweet at me.
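
The before/after comparison in these notes can be automated so a client falling back to the old defaults gets noticed. This is an added example, not part of the original post or of OpenVPN: it parses the negotiation lines quoted above (the two samples are copied from these notes) and applies thresholds that are my own assumed policy, not anything Access Server enforces.

```python
import re

CIPHER_RE = re.compile(
    r"Data Channel (?:Encrypt|Decrypt): Cipher '([^']+)' initialized with (\d+) bit key")
HASH_RE = re.compile(
    r"Data Channel (?:Encrypt|Decrypt): Using (\d+) bit message hash '([^']+)'")
CONTROL_RE = re.compile(
    r"Control Channel: ([^,\s]+), cipher \S+ ([^,\s]+), (\d+) bit RSA")

# Assumed policy for this example; adjust to your own baseline.
BLOCK64_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC"}
MIN_KEY_BITS = 256
MIN_HMAC_BITS = 256
MIN_RSA_BITS = 2048
ALLOWED_TLS = {"TLSv1.2", "TLSv1.3"}
PFS_PREFIXES = ("ECDHE-", "DHE-", "TLS-ECDHE-", "TLS-DHE-")

BEFORE = """
Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
"""

AFTER = """
Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
"""

def audit(log_text):
    """Return an ordered, de-duplicated list of findings for one connection log."""
    findings, seen = [], 0

    def flag(msg):
        if msg not in findings:  # Encrypt and Decrypt lines repeat the same values
            findings.append(msg)

    for line in log_text.splitlines():
        m = CIPHER_RE.search(line)
        if m:
            seen += 1
            cipher, bits = m.group(1), int(m.group(2))
            if cipher in BLOCK64_CIPHERS:
                flag("data cipher %s uses a 64-bit block" % cipher)
            if bits < MIN_KEY_BITS:
                flag("data key is %d bits, below %d" % (bits, MIN_KEY_BITS))
            continue
        m = HASH_RE.search(line)
        if m:
            seen += 1
            bits, digest = int(m.group(1)), m.group(2)
            if bits < MIN_HMAC_BITS:
                flag("HMAC %s is %d bits, below %d" % (digest, bits, MIN_HMAC_BITS))
            continue
        m = CONTROL_RE.search(line)
        if m:
            seen += 1
            version, suite, rsa_bits = m.group(1), m.group(2), int(m.group(3))
            if version not in ALLOWED_TLS:
                flag("control channel negotiated %s" % version)
            if not suite.startswith(PFS_PREFIXES):
                flag("control suite %s has no ephemeral key exchange" % suite)
            if rsa_bits < MIN_RSA_BITS:
                flag("RSA key is %d bits, below %d" % (rsa_bits, MIN_RSA_BITS))
    if seen == 0:
        flag("no channel negotiation lines found")  # an empty log must not pass
    return findings
```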

Ubuntu 13.11 + ZFS / raidz2 Samba share

These are the steps that I took and what works for me. I hope it helps someone else. Configure the RAID controller as either JBOD or as each HDD being an independent RAID-0 logical volume. Then install Ubuntu server 13.11 x64 with OpenSSH and Samba.

sudo add-apt-repository ppa:zfs-native/stable
sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install ubuntu-zfs python-software-properties
dmesg | grep ZFS
sudo vim /etc/modules

(add the following…)

spl
zavl
znvpair
zunicode
zcommon
zfs

(then run…)

sudo update-initramfs -u
sudo reboot
sudo zpool status
sudo zpool create zfsshare raidz2 /dev/sdb /dev/sdc /dev/sdd /dev/sde /dev/sdf -f
sudo zfs list
sudo zfs create zfsshare/backup
sudo zpool status
sudo vim /etc/samba/smb.conf

(configured smb.conf…)

sudo zfs set sharesmb=on zfsshare/backup
sudo chmod 0777 /zfsshare/backup
sudo service samba restart
sudo zfs get sharesmb,sharenfs
sudo zfs set compression=lz4 zfsshare/backup
sudo zdb -b zfsshare
sudo zfs set dedup=on zfsshare/backup

(after copying SQL .bak files, etc, to the share…)

ls -alh /zfsshare/backup/
sudo zfs get compressratio zfsshare/backup
sudo zfs get all |grep comp