The Spark

First of all, sorry for taking so long on this post. Writing something personal has always been quite difficult for me, but actually that’s what this is about.

This past semester I enrolled in a course about digital security and privacy, a pretty different and unique course. I already knew who was teaching it, so I enrolled well informed about the teacher's approach to teaching: flipped classrooms.

My experiences with open and flipped classrooms are always fruitful; maybe my habits, personality and mentality fit this style. Being able to discover on my own (with proper guidance) and learn in a way that demanded not only reading and search skills but also the skill to craft and find the right questions is incomparable.

I know school is finite. My days will soon be over, and the skill I value the most is the one I learned from this kind of course: being an autodidact. Sure, the teacher is there, and hell, he was always, always, ALWAYS watching. But the freedom was there too; we were told to select from a list of topics and investigate, discuss, ask on Twitter, go into the darkest subreddits, and so on. This allowed me to enjoy and focus on the process and experience of learning, rather than the topic itself.

Sure, I learned about the topic, and I learned a lot. But that depended on me and my own effort. I saw many classmates having trouble deciding what to do without a list of little weekly tasks, and they complained, quite a lot. But let me tell you guys something: the world will never give you a list of activities to do. In a job, they will give you a problem to solve, and your boss will expect you to solve it. And if you start asking how to do it, well, they will probably ask themselves why they hired you, because I'm pretty sure that the point of hiring someone is not having to worry about that specific thing no one else has the time to do. No one will give you a set of rules and tasks if you become a parent, no pet comes with instructions, hell, even video games are avoiding the use of task lists. This world needs you to be a MacGyver, not a freaking assembly-line robot.

Anyway, this post is named "The Spark" and it's because that's what this course meant to me. I published my fair share (or less) of blog posts about the topic, then I actually created a podcast about security and the teacher allowed us to make it count toward the grade. HOW FREAKING AWESOME IS THAT. And now that the course and the semester are over, I have felt the need to keep going, learning, blogging, podcasting, and I call it the spark. A spark that Ken Bauer planted in me while doing this course.

From now on I'll be publishing my thoughts, investigations and random stuff on this blog, with no strings attached to any course. But let me explain to you why this is very important to me. Lately, with the help of friends and very smart people, we analyzed my personality and we found stuff rooted in my deepest places which gave me a lot of insight about where my behavior comes from. Mostly my fear of and reluctance towards sharing my points of view, works and thoughts. And we have come to one big conclusion. It comes from bad teachers. Not only in school, but in life.

For example: as a kid I once had my homework ripped apart in front of me and my whole class because my handwriting wasn't good enough. This wasn't the only case of anti-pedagogical stuff that happened to me, but it's quite interesting to review. I was used to knowing that my work was a piece of trash because of stupid rules that don't even apply to me in the present, like right now, as I'm typing this post on my laptop.

During my school life I've been taught to fear failure. To fear every word I write because someone will say it's bad. When I wanted to become a writer in middle school a teacher told me that my work was shitty and I quit it, for good. Then I chose my first major out of comments like "men shouldn't be worrying about things that don't involve getting their hands dirty". So my life was full of pretty bad teachers.

And some of it is still there; my family has always treated me as if my opinion is worthless because I'm younger, the son, the nephew or the grand-something. And it's quite a living hell when you're the oldest of your family's generation, because that made me the perfect worthless-opinion guy, thanks to the age gap. My parents told me that they couldn't understand why I turned into an attention seeker as a kid and teenager, if I had tons and tons of attention. But this year I found out that it wasn't attention that was missing, it was seriousness towards my thoughts.

And here I am, after all, sharing my thoughts and pretty personal stuff out in the open for the internet to read. Will someone take them seriously? Perhaps. But I really don't care; one of the key things Ken taught us was that blog posts and sharing are for ourselves first. Writing and explaining something means that you fully understand it. And to share it means that you consider it something useful to another person, that might help them skip two or three steps of trouble if they find themselves in the same situation, and that is more important than likes or dislikes about your work.

Then again, I owe this to Ken, one of the best teachers I have ever met. Now I feel this spark guiding me towards not only learning, but sharing. School has been one hell of a ride for my past 16 years. But right now, I can allow myself to shout out loud:

It’s okay to fail.

Requiem for a Disk

How to properly say farewell to your hardware.

Perhaps we might know how to properly use our data storage devices: we know how to keep them safe, encrypt them and take care of their physical health. Thanks to that, these devices outlive our expectations, and we find ourselves needing to improve our setup.

Sure, you might just RAID your PC, but most of the time improving means replacing. Perhaps it's time to replace that old HDD with a new SSD, or perhaps your USB stick is no longer big enough. And we immediately embark on deciding, reviewing and Zero-Moment-Of-Truthing the available technology.

Then we proceed to install the new, shiny and beautiful hardware into our systems, et voilà, we enjoy the pleasures of capitalism; naturally, we fulfill our consumerist responsibilities by choosing the fate of our late hardware.

I know, disposal is not your first option; don't worry, it isn't mine either. Perhaps using it as cold storage might be useful, or perhaps you can sell it, lend it, give it away, or mod it to work as an external drive.

Regardless of how you decide the future of your device, you might want to format it. According to Wikipedia, formatting is:

Disk formatting is the process of preparing a data storage device such as a hard disk drive, solid-state drive, floppy disk or USB flash drive for initial use. In some cases, the formatting operation may also create one or more new file systems.

By creating a new file system it appears as if your data has been wiped from the drive; you're good to go and it becomes just one idle piece of metal. That's what most formatting tools do. I don't want to break your digital heart, but it is as far from being safe as swimming in a piranha pool.

Creating a new file system on the drive only erases the entries that map your files to their physical locations and starts a new, blank index. This makes your data inaccessible to any regular software and operating system, but it can still be read by other means, with tools made for recovering data.

Your data is still there: the new table merely allows the operating system to write over the "deleted" data, but your bytes are still physically written on the drive. Sure, after a certain amount of use, eventually all your data will be overwritten by new data; but we know that eventual security is not effective security.

In fact, there are many people buying second-hand hard disks and memory sticks in order to retrieve that unindexed data. Some for fun, others with ill intentions.

How can I properly delete everything?

Actually, it is very easy, pal. Every common OS offers you the option to do a full reformat and write zeros to every bit of your drive. Usually it's labelled SLOW FORMAT, or it explicitly offers you the option to write zeros.

Yep, as easy as that. Obviously it's going to take a while, especially if you're formatting a 4 TB HDD. Remember it needs to write zeros to every one of the 32000000000000 bits available on the drive.
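To make the difference between a quick format and the slow format concrete, here is an added example (my code, not from the post or any real formatting tool). It models a drive as a byte array with a small directory region in front of the data region, as the paragraphs above describe: quick_format() clears only the directory, carve() recovers the contents anyway by scanning the raw bytes the way recovery tools do, and zero_fill() is the slow format the post recommends. ToyDisk, MAGIC and the layout constants are all constructed for the illustration.

```python
import struct

# Constructed toy drive: the first two "blocks" hold the directory (the index the
# post talks about), the remaining blocks hold file contents. Real filesystems
# differ in the details, but a quick format touches only the index in the same way.
BLOCK = 64
DISK_SIZE = 16 * BLOCK
INDEX_BYTES = 2 * BLOCK
ENTRY = struct.Struct("<8sHH")   # directory entry: name, start offset, payload length
MAGIC = b"TXT!"                  # marker each stored file begins with (constructed)


class ToyDisk:
    def __init__(self) -> None:
        self.image = bytearray(DISK_SIZE)
        self.entries = 0
        self.next_free = INDEX_BYTES

    def write_file(self, name: bytes, content: bytes) -> None:
        """Store a file: bytes go to the data region, a directory entry records where."""
        payload = MAGIC + content
        start = self.next_free
        self.image[start:start + len(payload)] = payload
        ENTRY.pack_into(self.image, self.entries * ENTRY.size,
                        name[:8].ljust(8, b"\0"), start, len(payload))
        self.entries += 1
        # advance to the next block boundary
        self.next_free += -(-len(payload) // BLOCK) * BLOCK

    def list_files(self) -> list:
        """What the operating system shows: only what the directory still points to."""
        names = []
        for i in range(INDEX_BYTES // ENTRY.size):
            name, _start, length = ENTRY.unpack_from(self.image, i * ENTRY.size)
            if length == 0:
                break
            names.append(name.rstrip(b"\0"))
        return names

    def quick_format(self) -> None:
        """What most 'format' tools do: wipe the directory and start a blank one.
        The data region is left untouched."""
        self.image[:INDEX_BYTES] = bytes(INDEX_BYTES)
        self.entries = 0
        self.next_free = INDEX_BYTES

    def zero_fill(self) -> None:
        """The post's SLOW FORMAT: overwrite every byte of the drive with zeros."""
        self.image[:] = bytes(DISK_SIZE)
        self.entries = 0
        self.next_free = INDEX_BYTES


def carve(image: bytes) -> list:
    """Recover file contents without any directory: scan the raw bytes for the
    file marker and read until the zero padding starts."""
    found = []
    pos = image.find(MAGIC)
    while pos != -1:
        body_start = pos + len(MAGIC)
        end = image.find(b"\0", body_start)
        if end == -1:
            end = len(image)
        found.append(bytes(image[body_start:end]))
        pos = image.find(MAGIC, end)
    return found


def demo() -> dict:
    """Write two constructed files, quick-format, carve, then zero-fill and carve again."""
    disk = ToyDisk()
    disk.write_file(b"notes", b"my bank PIN is 4321")
    disk.write_file(b"todo", b"buy hot peppers")
    result = {"before": disk.list_files()}
    disk.quick_format()
    result["after_quick"] = disk.list_files()          # the OS sees an empty drive
    result["carved_after_quick"] = carve(disk.image)   # ...but the bytes are all there
    disk.zero_fill()
    result["carved_after_zero"] = carve(disk.image)    # nothing left to recover
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On Linux the slow format corresponds to writing the whole block device from /dev/zero with dd, or running shred over it, and the same patience the post asks for applies. One caveat the model cannot show: SSDs remap blocks for wear levelling, so an overwrite issued by the host can miss old copies of the data; for flash media the drive's own secure-erase or sanitize command, or having used full-disk encryption from the first day and then discarding the key, is the reliable equivalent of the zero fill.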

So be patient, grab a coffee and stay safe.

Cover image by Christian Cachin, via Flickr.com

Quick Tip: SUDO timeout

So, you've been playing around with your Ubuntu distribution, and suddenly you need sudo privileges in order to change or install a special feature. Thus, you enter your password and grant that privileged access to your computer.

I believe I don't have to remind you that being logged in as root is dangerous and you should only run commands and programs as root when you're 100% sure of what you're doing. In the default terminal, after you enter the password once, sudo lets you run the next commands with root privileges without prompting for the password again.

In my Linux experience I have typed commands that weren't meant to be run with root access, or found someone (my hacker girlfriend) accessing my root folders without having to input any password.

After digging around I found a surprisingly easy way to modify the default sudo settings in order to change the timeout of the root access.

Let us access the configuration file.

 user@pc~$ sudo visudo

This command is absolutely necessary in order to modify the file; the file itself says so:

#This file MUST be edited with the 'visudo' command as root.

Don't worry, the editor is not vim; it opens the file with nano. Near the beginning of the file you can see the predefined default variables; the one that matters to us is the following:

Defaults env_reset

This is where we can set the value of the timeout; notice that the variable is not even defined in the file. On the same line, we need to append the timeout variable with the following syntax:

timestamp_timeout=x

Now, instead of the x we can put any integer value. This value represents the time in seconds that the terminal will wait before asking for the password again.

If you want the computer to ask for the password for every command that requires root access, the value should be 0. And if you want the terminal to never ask for your password again, which I really don't recommend unless you really want your computer to be suicidal, the value you should write is -1.

And that's it; remember Ctrl+O to write out the file, and Ctrl+X to exit the editor.
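As an added example (not copied from the post), this is what the Defaults line looks like once the option has been appended; sudoers separates several Defaults options on one line with commas. The value 10 is a constructed choice for illustration:

```text
# /etc/sudoers line after adding the option (value chosen for illustration)
Defaults        env_reset,timestamp_timeout=10
```

Two things the sudoers(5) manual page states are worth knowing before saving: timestamp_timeout is counted in minutes (recent sudo versions also accept fractions such as 2.5), with 0 meaning prompt every time and a negative value meaning the cached credential never expires; and visudo refuses to save a file with a syntax error, while visudo -c only checks the file without editing it. For the shared-keyboard scenario, sudo -k discards the cached credential immediately, whatever the timeout is.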

Stay safe.

The not-so-confortable Interview

The first step in Rebooting a Digital Life is to understand the trouble. I've decided to treat this first step as an interview, where I ask some core questions to understand the situation.

For privacy reasons let’s call her P. Stratton, woman, 21.

What do you think about digital reputation?

People should be aware of their personal image and how they show themselves to the world. Usually people are not aware of the impact of what you say or do online on your real, flesh-and-bones life.

Your current persona is not constant nor available. Why?

Sometimes I see posting on social networks as a waste of time. So I try to focus more on my daily life tasks or agenda instead of being constantly into social media.

Why did you shut down some of your networks?

I thought that shutting down some of my networks would help me concentrate more on my important tasks. I started to get overwhelmed by having to update each of my social media accounts.

Why do you consider your current digital persona a mess?

I had two stages in my social network persona: the one that didn't take into account building an image and just posted whatever I found interesting, and the one that was aware that the past social networks should be refurbished. My social media was time-consuming, so later on I figured out that disappearing was a better option.

You told me you have cyber-stalking troubles; what happened?

While in Europe, someone I met at work and befriended on Facebook started "blackmailing" me. At first, we started flirting with each other and started hanging around. Everything was fine until I noticed he was a violent and insecure person and a manipulator as well. I thought that getting away from him was the better option, as I didn't want to get in trouble by relating myself more to him.

When I started to keep my distance, he was pushing me to see him, which I refused. He told me that if I didn't talk to him or answer his texts, Facebook messages or phone calls, he would start posting false things on Facebook and publish some pictures we had of us, which taken out of context could make people believe we were in a relationship, and therefore no one would believe me that he was stalking and annoying me. I bet he was crazy. He even asked me for my credit card number to purchase some train tickets, which I absolutely didn't do!

Is there any compromising information or pictures that can still be used to blackmail you?

He still has some pictures of us that can easily be taken out of context if he wants to. Aside from general information, he doesn't have any information such as credit card numbers or private pictures he can use to blackmail me. The only thing he has is my phone number.

How would you like to be seen by the world?

Most important of all, I want to be seen as who I really am. I want nobody to play with my personal image. I want people to see all of my positive traits and life as it is. I don’t want to pretend to be someone I’m not, let alone allow others to do so on my behalf.

Each person uses social networks for different reasons; what do you want them to be for you?

I want them to be a connection to the world. A place where I can be aware of what's happening around the world and with my friends and relatives. Instead of a place to waste your time, a place to network and build a kind of digital CV of yourself for the world.


Cover image by Steve Johnson, via Flickr.com

Talk safely to me

One of the main uses of the Internet nowadays is definitely communication. From chats in cellphone apps such as WhatsApp to e-mails, Snapchat videos and tweets. Let me define it as "every single interaction that is meant to be read by another internet user".

Now, obviously not every communication is the same: a WhatsApp message to your mom containing your current location holds sensitive information and should be delivered from one device to the other as secretly as possible. That's different from your tweet about the new Britney Spears single, which will appear on a public page on the web.

But as we know, the internet is open by design, so is any communication channel really secure?

Not by itself.

The internet is a public and open protocol, so your address, as well as every "package" of information you send through it, is completely public. Imagine you send a real-life package from Canada to Mexico. The public addresses of both the sender and the recipient are literally pasted on the box, so anyone with access to the physical box can read both, and anyone with ulterior motives could open the box, see what is inside, steal it, document it, change it or even plant a bomb.

(GIF: Some days you just can't get rid of a bomb.)

And just like in the real world, in the parallel universe of internet communications those labels are public and data can be read, stolen or changed. Which, by the way, destroys the three measures of security, if you remember my last post.

So how can I keep the spicy pictures of those hot peppers I bought secure?

Hmm, hot peppers. A true Mexican delight. Well, thankfully we nowadays have a crazy little thing called end-to-end encryption.

Remember computers work with data; thanks to the fact that on the internet everything is just a set of ones and zeros, and no actual peppers travel through it, we can manipulate the insides of the package and scramble it in a way no one else could ever read.

To solve this, someone came up with these wonderful security protocols.

SSH

Secure Shell. It allows secure communication over an insecure network, providing a security layer through public-key encryption. SSH is commonly used to access remote terminals, for tunnelling (see another country's Netflix) and for transferring files through SFTP, a secure version of the standard File Transfer Protocol.

TLS

Transport Layer Security, the successor of SSL, works in a similar way but for different purposes. TLS encrypts communications both between server and client and between clients. This kind of encryption can be found in your browser, e-mails, faxes (if there are any left) and now in chats and instant messaging.

Companies or servers can be certified as having this encryption: aside from installing on their machines the service that makes this option available, a third-party company must issue a TLS certificate before a server gains "trustworthy" status.

Have you ever seen that green lock at the beginning of your URL? It means that your connection is secure: no one will be lurking in your in-transit information.

(Screenshot: Trust the lock)

Now, I must advise you, and by "must advise" I mean: really read this...

This only guarantees that no one is peeping into your comms; it never guarantees that the site you're on is safe. The website could be certified and still have ill intentions, beware.
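What the lock actually certifies can be seen in how a TLS client is configured. This added example (my code, not the post's) builds Python's default client context, which only completes a handshake when the server's certificate chains to a trusted authority and matches the hostname, beside the weak setting that keeps the encryption but skips that verification; peer_subject() needs network access and is not exercised offline.

```python
import socket
import ssl


def make_client_context(verify_peer: bool = True) -> ssl.SSLContext:
    """Build a TLS client context. verify_peer=True is what a browser does before
    it shows the lock: the certificate must chain to a trusted CA and match the
    hostname. verify_peer=False is the weak setting, kept here only for contrast."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse the obsolete protocol versions
    if not verify_peer:
        # Traffic is still encrypted, but anyone in the middle can present their own
        # certificate and the client will happily talk to them: encryption without identity.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context both verifies the chain and checks the hostname."""
    return bool(ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED)


def peer_subject(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake with a server using the strict context and return the subject of
    its certificate (needs network; hostname is whatever you want to check)."""
    ctx = make_client_context(verify_peer=True)
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    # cert["subject"] is a tuple of relative distinguished names, each a tuple of pairs
    return {key: value for rdn in cert["subject"] for key, value in rdn}


if __name__ == "__main__":
    print("strict context verifies peer:", context_is_strict(make_client_context(True)))
    print("weak context verifies peer:  ", context_is_strict(make_client_context(False)))
```

The weak context still encrypts the traffic, which makes it a good reminder of the post's warning read in the other direction: a verified certificate tells you who you are talking to, not whether they mean well, and an unverified one does not even tell you that.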

Chatting safely?

There are some specific applications, besides browsers, that give you end-to-end encryption for IM. WhatsApp recently introduced system-wide encryption that works for every conversation. But still, let's remember that a few days ago Facebook showed its real motives for buying the messaging company and sent a disclaimer (with an opt-out option that was really hard to find) announcing that they'll be reading our data to boost Facebook's ad system. So I wouldn't recommend it so openly.

Instead, Telegram gives you an open alternative for messaging, even offering a "secret chat" mode which shines in its encryption methods and also features some cool things such as message self-destruction and screenshot notifications.

In conclusion, secure messaging is nowadays highly available; keep an eye on who offers this kind of security measures in order to keep your list of safe sites updated. And please remember that communication security doesn't guarantee that the other end of the communication doesn't have ulterior motives.

Thank you for reading, stay safe.


Cover image by Nathan Rupert. Chilli image by casualwonder. Both via Flickr.com

Measure this.

After some much-needed password therapy, let's take on the generals of what we are protecting. We may know some techniques, and we already know that we want to be safe, but how can we measure it?

(GIF: Measure like it's hot)

Luckily for us, there are already some guidelines to measure how safe a system is. But first, as Rick Lehtinen stated in his book, Computer Security Basics:

No man, or computer is an island.

Nowadays everything you have is connected, even if just to work properly and stay up to date, so don't start shouting out loud that you're not a potential target, because you definitely are.

So in order to measure safety, we can stick to the core C-I-A three-pillars concept, which states that in order to be safe, a system must guarantee:

  • Confidentiality
  • Integrity
  • Availability

Pretty straightforward, no? Let's tackle them one by one. Again, I'm talking user/client side, so don't expect server-side practices.

Confidentiality

Here is where privacy is at play. As you may remember from my first post, security and privacy are not the same, and security is what makes privacy possible.

And that's precisely what confidentiality is all about: keeping what you want secret in secrecy and what you want public, public. You definitely want your bank accounts, passwords, chats and perhaps some of your spicy pictures secret (which you shouldn't be sending to anyone, by the way); meanwhile you definitely want everyone to know your spoiler-free (I wish) Game of Thrones death-rant tweets.

How can my confidentiality be compromised?

Easy: there are some really simple ways in which anyone interested, without even having to be a hacker, can destroy your confidentiality. Here are some possible breaches.

  • Giving out your password.
    Gee man, just don't. If you want to consider yourself a lending master, it would be great to set up a guest user (available in every OS), or use something like AppLock on your phone to keep curious eyes away from your sensitive data.
  • Losing your non-encrypted device.
    Many users don't know how easy it is to read a disk drive. In five minutes I can take it out of the device, connect it to an adapter and see every file you had, without having to input a password even once. ENCRYPT YOUR DRIVES.
  • Connecting to a "Free" WiFi network.
    Just don't. Nothing in this world is free.
  • Non-encrypted communication.
    The "s" in https and the green lock on your browser mean something: that your connection is secure, end to end. Avoid entering personal information on sites without that lock.
  • Not logging out of borrowed computers.
    Common mistake, rookie. This is, and must be, highly punishable. It may grant someone access to your data and your identity, and you can't really know something is odd until it's too late.

Obviously, this is just the tip of the iceberg of possible breaches; I'll be posting some extra ones later on, but remember it's your job to inform yourself about this.

Integrity

This is all about your system's data health. The system must be able to handle possible data corruption due to hardware and software failures, viruses, hackers and even user mistakes.
At this step you can't really do much as a user; perhaps a power user can use some disk and memory diagnostic tools to check the hardware. Perhaps having some redundant drives, as with RAID, could help too.

Take physical care of your devices. Magnets, falls, heat: most devices are not as tough as they may seem. All of this could lead to compromising the data.

And please, please, please, back up your drives. In a couple of days I'll be posting a whole topic about backups, but don't wait for my post: get up and back up everything!

Availability

RANSOMWARE.

Sorry, I got carried away. Availability is about users accessing their data, but not only accessing it: also having the right privileges. Maybe the CEO can see and read every inventory status report, but she might not be cleared to modify any of them. That's what we need to ensure at this step.

Ransomware and DDoS are the best-known breaches in this category: the first one consists of malware which encrypts all your, or your company's, data and won't unlock it until you pay a sum of money. The other one takes down sites and services by overloading the server's request capacity.

An antivirus can help a lot in the case of ransomware, by quarantining malicious software and warning you about it. And perhaps a firewall can do some great work to filter a Distributed Denial of Service attack.


Keep asking yourself if you're safe in the three aspects in order to start securing yourself. And please remember to act; only reading won't make you any safer.

Okay, that's it for today; keep reading, commenting and sharing. I know this post was a little bit more "lecture-y"; don't worry, the fun ones are already in the oven.

Be safe.


Cover image by Neil Cummings via Flickr.com

What’s the deal with passwords?

Passwords, oh passwords. The keys to our everything, definitely a pain in the arse.

This is my approach to the defense/user side of passwords; if you're interested in the attacking approach, read Miss F's post.

I'm sure we've all heard hundreds of times how insecure our passwords are; every year or so another security blog or company sends out its updated rules and minimal security measures, but as of today, there are some basic principles.

  • Never use your name, birth date, social security number, house address or telephone numbers. Neither your past ones nor a family member's.
  • Never use sequential numbers. 123456Seven sucks (ping me if you got that reference).
  • Never use words like "password", "admin" or "qwerty" as a password. Please.
  • Never repeat passwords. Really, that's just dumb.
  • Keep them long. Try to use at least 12 characters.
  • Add capital letters and symbols.
  • Do not share them, lass.

I know it's kind of complicated to remember every password ever, so here I've gathered some password-making techniques.

Prefix-Suffix method.

I used to give a middle-school digital crash course, and normally I used this method of password making. I call it the prefix-suffix method; it is great for memorizing complicated-ish passwords and becomes an easy way to never use the same password twice. It's great for defending against brute-force attacks, and might help a little with dictionary attacks. Here are the steps:

  1. Choose the name of a TV show, movie, character, song; anything you really like, the more obscure the better. For example, the name of a semi-obscure Jedi master: Plo-Koon.
  2. Now grab that name and scramble it in a way you can easily remember; give it a little twist, add some l33t, you name it; just keep it easy to remember. Here it is with our Jedi: P1O^Kunn (notice that I even misspelled it). This is your prefix.
  3. This is the magic step: for each site where you have an account, you need to add a suffix. This can be made up from the name of the site. In the case of Facebook, for example, we can use just the latter half: book. It is important to keep it readable and easy to remember, so don't mess with it a lot. Still, we can add a post-suffix and play with lower and upper case, resulting in something like this: BOOk$$
  4. Finally, let's glue everything together, resulting in passwords like the following:
    1. P1O^KunnBOOk$$
    2. P1O^KunnTWIt$$
    3. P1O^KunnGLe$$
    4. P1O^KunnGRAm$$

This method is beginner level; it really helps a lot when you compare it to your old "password" password. Yes, it might have some issues with dictionary cracking, but it's a start, and it really helps children and adolescents understand the nature of passwords.

The xkcd method.

If you still want to get safer, you can use the xkcd method, named after the web comic where it was widely spread.

Now, as Computerphile's video stated, this method is not yet perfect, and there's a way to enhance it by using words that are rarely used by today's standards; adding other languages helps too.

But in the end…

Enter the magic of a password manager.

Password managers are services, commonly browser plug-ins, which keep a record of your passwords and fill in the login forms; most of them are free with a paid upgrade option.

Services like LastPass not only keep them safe and easy to use, but also help you generate really secure passwords, by generating random sequences of characters up to 100 characters long, storing them and letting you use them if you have the plug-in.
Recently LastPass added a phone app and even second-step verification, adding another layer of security.

Still, the service requires you to learn one password in order to access it, and you can use one of the methods I talked about to create it.
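The prefix-suffix steps above, the xkcd passphrase and the manager-generated random string can be compared side by side. This added example is my code, not the post's: the prefix_suffix() tail rule (last four letters of the site name, first three upper-cased, then "$$") is my reading of the BOOk$$ example and reproduces only that one; WORDS is a constructed toy list, far too short for real use; and audit_reuse() is the kind of check a password manager's audit feature performs.

```python
import math
import secrets
import string
from itertools import combinations

# Constructed toy word list. A real passphrase needs a list of thousands of words
# (the EFF long list has 7776) with the words picked at random, never by hand.
WORDS = ["correct", "horse", "battery", "staple", "pepper", "jedi", "podcast",
         "spark", "requiem", "lantern", "orbit", "velvet", "cactus", "marble",
         "tundra", "walnut"]


def prefix_suffix(base: str, site: str) -> str:
    """The post's prefix-suffix method. Tail rule assumed from the BOOk$$ example:
    last four letters of the site, first three upper-cased, then '$$'."""
    tail = site[-4:]
    return base + tail[:3].upper() + tail[3:].lower() + "$$"


def xkcd_passphrase(n_words: int = 4, words=WORDS) -> str:
    """The xkcd method: random words drawn with a cryptographic RNG."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def manager_password(length: int = 20) -> str:
    """What a password manager generates: uniformly random printable characters."""
    alphabet = string.ascii_letters + string.digits + string.punctuation   # 94 symbols
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices: int, count: int) -> float:
    """Bits of entropy when `count` elements are drawn uniformly from `choices`."""
    return count * math.log2(choices)


def shared_prefix(a: str, b: str) -> int:
    """Length of the common prefix of two strings."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def audit_reuse(passwords: dict, min_shared: int = 6) -> list:
    """Flag site pairs whose passwords share a long common prefix: one leak then
    reveals the pattern behind all of them."""
    flagged = []
    for (site_a, pw_a), (site_b, pw_b) in combinations(sorted(passwords.items()), 2):
        if shared_prefix(pw_a, pw_b) >= min_shared:
            flagged.append((site_a, site_b))
    return flagged


if __name__ == "__main__":
    from_post = {"facebook": "P1O^KunnBOOk$$", "twitter": "P1O^KunnTWIt$$",
                 "google": "P1O^KunnGLe$$", "instagram": "P1O^KunnGRAm$$"}
    print("prefix-suffix pairs sharing a core:", audit_reuse(from_post))
    print("xkcd, 4 words from 7776:  %.1f bits" % entropy_bits(7776, 4))
    print("manager, 20 of 94 chars: %.1f bits" % entropy_bits(94, 20))
    print("sample passphrase:", xkcd_passphrase())
    print("sample manager password:", manager_password())
```

entropy_bits() shows why the post ranks the methods the way it does: four words from a 7776-word list give about 52 bits and twenty random printable characters about 131 bits, while the four prefix-suffix passwords share their first eight characters, which is exactly what audit_reuse() flags. The site-derived tail adds almost nothing once one password has leaked, so the method is a teaching step, as the post says, not the destination.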

That’s it for now. Remember to read Miss F’s post about password cracking to get the whole picture.

Be safe.