Keeping your passwords safe in a safe safe.

Passwords.


I’m a huge fan of Keepass. Keepass is a free program that will remember your passwords for you.

It is very easy to use and it features ‘auto-type’, so you don’t even have to copy your usernames and passwords; Keepass handles that for you.


A little while ago I heard of Lastpass. It basically does the same thing and nicely integrates with your browser, Android and iOS devices. I installed it, imported the Keepass data (which works quite well but not 100% accurately) and I used it. It’s good. It does what you should expect of it.

Then however I started wondering where Lastpass stores its data. With Keepass you have an encrypted file on your computer that holds your passwords. You can synchronise that to all your other devices by sticking it in Dropbox, Google Drive or any other file sharing system you prefer. Not so with Lastpass. I couldn’t find where that file is stored so I went looking.

It turns out that your password file is stored on the Internet, on the Lastpass servers. Each time you connect to the Internet, Lastpass will synchronise the file on the device you’re currently using.

Cloud.


So here’s the deal. You use Lastpass and you’re a happy camper. Understand that your passwords are not only on your system (in a spot that’s hard to locate; I tried and didn’t find it) but also on a machine that’s outside your control. I can imagine that’s fine for vacation pictures and your collection of recipes for lasagna and hot tamales, but I didn’t feel very good about that. It’s my collection of usernames and passwords. Of course, you may argue that I’m paranoid, that Lastpass will treat your file with care and loving attention, but…

How many loving, caring systems that contain your files have been hacked lately? Yahoo for instance has a great track record of being hacked. Imagine that a hacker gets access to the file that contains your passwords, slaps some ransomware over it and next time you sync your Lastpass – kazaam, there you are with nothing left to show except a kind note from a hacker to hand over a lot of money for your files. Okay, okay, hackers can also do that to Google Drive and Dropbox (which is why I don’t keep those files there).

Control.

I like to keep things that are mine in my own hands. I’m one of the lucky people with a Synology NAS which gives me my personal cloud system (google ‘Synology Cloud Station’). There are other ways to set up your personal cloud, I’m sure. Worst case you can always e-mail the file to yourself and download it to your device.

The potential security issue I just described made me go back to Keepass. Because I like my passwords in a safe place, one that I can decide on.

Control freak? Perhaps. But for my entire collection of credentials for online access I am happy with that title.

Android and its ROMs

Yes, ROMs. Not Romulans, as this is not Star Trek. Alas.

A while ago I got an Android update on my smartphone. It was for Android 4.4.2. I installed it and I was not a happy camper: suddenly only Google’s own apps could manipulate the SD card! The trick would be to ROOT the phone (breaking it open, in a way, to give me all the permissions again). It was quite an experience.

How to root your phone: first you need a Recovery Rom. Best known are CWM (ClockWork Mod) and TWRP (no idea, I didn’t use this one).

I used Philz Touch CWM rom. Note: find the version that works for your phone. Mine was N7100. Make sure you pick the right one. Please use Google or Bing or so to locate this file, there are many versions. Search for “Philz Touch recovery tar md5”. You will also need a Windows program called Odin. This is what you need to put the recovery rom on your phone. The last one I know of is Odin3 3.09.

Online you can find information on how to do this, but the quick rundown is: run Odin. Point the ‘AP’ location to the tar.md5 file with Philz Touch Recovery. Put your phone in DOWNLOAD mode. Connect the USB cable. Wait for Odin to recognise the phone. Press start. Wait until Odin reports Success.

Once you did that you can locate a ROM you want to put on the phone. The one I finally had success with was the TigraRom v4. This one runs Android 4.3, is rooted and gave me back read/write access to the SD card. This is the one I’m currently running. To install a new ROM, first backup your stuff. Then make sure you’ve backed up your stuff. Find the ROM that works for your phone. Really, read that again. Download it and put the ZIP file on your phone or on the SD card. Boot your phone into Recovery mode (usually Volume-up and Power, but my phone also needed the Home button pressed, so look that up for your phone). You’ll be put into Philz Touch Recovery.

Start sweating: select Wipe Data/Factory reset and confirm that you want to do this. Then return to this menu (that’s easy). Select ADVANCED and select Wipe Dalvik Cache. Confirm.

Then select ‘Install Zip’. Locate the ZIP file on your device and make it so. This is where the magic happens: the new ROM is loaded onto your phone. After that: reboot system now. That’s all there is to it. After that it’s up to you to find out if the ROM works for you. I found Tigra to work after 8 or 9 disappointments. Flashing a ROM gets easy after a while, trust me. 😉

I have no clue about Linux so I have to stick with Windows.

I saw this a while ago:

“I have no clue about Linux so I have to stick with Windows.”

No, you don’t. Why not? The short version: get a clue about Linux. Of course, this is very short. Allow me to dispel a few myths about Linux.

Linux is difficult. You have to be a tech geek who can type in all those things like “ls -1 | grep *#@) | awk -F\ ‘{print $5}’ > /dev/null” and understand what it means.

Yes, absolutely true some 15 years ago. Back then you needed something like that. Today however you pop a CD or DVD in your computer (or a bootable USB stick), boot from it and you’re presented with something like:

For ease of use I keep referring to Ubuntu as that is what I use, but the same thing happens for Fedora, Mint and a lot of other versions of Linux.

Yes, you can actually “Try” the system. Click Try Ubuntu (yes, really, just click, not type in some complicated command!) and a complete Linux system will load. And the best part: it won’t affect anything on your computer. Of course it will be slower than from a hard disk – it runs from CD/DVD.

After booting the disc, you can see something like this:

“Can?” Yes. Linux offers you several interfaces, you can use whichever you like best. Up here is the new GNOME interface showing some of the applications that are installed. Have we typed in anything like “ls -1 | grep *#@) | awk -F\ ‘{print $5}’ > /dev/null” yet?

But nothing runs in Linux! I need my almost-official version of MS Office 2012 that someone else bought, and Firefox, and MS-outlook!

There is a HOST of software available for Linux. If you like Firefox, you can run Firefox in Linux. Or Google Chrome, or a few others. If you insist on Internet explorer… tough. That won’t run in Linux. But then, we already determined that nothing runs in Linux.

For MS Office, you can go to LibreOffice (also runs in Windows and on Mac OS). It’s free and works pretty well with MS Office documents. The same goes for OpenOffice. Or the AbiWord word processor and the Gnumeric spreadsheet.

To compete with Outlook we have Evolution, Kmail, Balsa, Aethera, Claws Mail or Sylpheed. And a bunch of others, but I won’t bore you with endless lists of software. Especially Evolution will feel a lot like your home on the Outlook range. On LINUXRSP you can find an extensive list of software with Linux equivalents for Microsoft products.

There are no games for Linux. Well, not everything for Windows exists in Linux, indeed. But there is http://store.steampowered.com/browse/linux/ and the Linux Game DataBase, to start with.

But my anti-virus software won’t run in Linux. True. I have to disappoint you there. The sad fact remains that for every 10,000 viruses in Windows there probably is 1 for Linux. I admit that Linux still has a long way to go here.

Here is another screenshot from a Linux machine. Still no ls, grep, awk or other gobbledygook in sight. Sorry.

If you want to know more about the core of Linux, have a look at http://www.linux.org. Otherwise you can just grab one of the many free CD- or DVD-images, boot from it and play around with it a little without (or before) installing it.

Linux Trojan

ZDNet reported about a sort of successful Linux Trojan. It looks like a real threat, even Engadget mentioned it. It’s not a trojan that needs you to go into immediate lock-down; before it works you will need to click a link so a malicious website can do its job, but still the Linux desktop must be gaining popularity when someone goes through the trouble to actually do this.

As ZDNet reports:

This appears to be a variation on a very common theme in contemporary Windows malware: A banking Trojan.

Here the name of the game is to grab your personal login and password data with a “Form grabber” as you enter it into your bank or other online system. This information consists of your stolen credentials, the timestamp of when you visited a site, which Web sites you visited, and possibly your Web browser’s cookies. Finally, all this is then passed on over the Internet to a command-and-control server. From there the crooks can get to work selling your information to people who will start running up your credit-card bills.

So take care, people. This is real. Only click links that you can verify. Go to your banking system through your bookmarks and you should be safe.

Keeping your data safe in the cloud the cheap way – part 2

Note: This page was updated on 2016-12-03. Truecrypt is no longer in use as it contained errors. If you want to find some alternatives for your system, have a look here.

A while ago I posted about a cheap way to keep your data safe in “the cloud”. Most people know Dropbox, Skydrive and Google drive, and that none of these systems are encrypted on your end. Because of that I installed Truecrypt and did some experiments.

Let’s set this as a case. You have 5MB of data you want to keep in the cloud. Dropbox gives you 2GB for free; 5MB fits in there easily. But your MBs are only encrypted by Dropbox, so any CIA/FBI/NSA/TSA John Doodle can walk in and look at them. Dropbox will hand them the encryption key. Be one step ahead.

Truecrypt interface

Set up Truecrypt and create a 10MB container. (See the previous post on the how-to and such.) My advice is to set up the container outside Dropbox. Stick your 5MB worth of data inside the new drive (which is the Truecrypt container) and happily use it. Once in a while copy the 10MB container to Dropbox so it gets saved to the cloud, encrypted by Truecrypt. Do NOT copy the files from the container to Dropbox, because Truecrypt will decrypt them first. So if you set up the container in c:\mycrypt\container which you linked to drive T:, copy c:\mycrypt\container to Dropbox, not everything in T:.

Why not create the container directly in a Dropbox folder? Dropbox will then continuously update the entire 10MB to the cloud, which might affect the rest of your internet access. If you’re okay with that, go ahead and put the container directly inside a Dropbox folder.

And why 10MB for 5MB of data? That’s to have some space for when your amount of data grows. You can make it 6MB, but when you get to 6.1MB of data, you’ll need to create a new container in Truecrypt and copy things over. It’s just some planning ahead.

Hope this helps someone.

Dutch Government: Number of Internet Taps Has Quintupled In One Year

Via /. :

“A Dutch newspaper has a digital version of the letter Mr. Opstelten, Secretary of Justice and Security, sent to Dutch Parliament (PDF in Dutch), in which he quietly admits to 56,825 phone taps (a 3% rise in one year) and to 16,676 internet taps in 2012, a 400% rise, or a fivefold increase, in one year. An older report already exposed the Netherlands as one of the biggest wiretappers in the western world. Slate also knew, back in 2006, that Europeans actually love wiretapping and internet tapping. In the Netherlands, a country with a population of only 16 million, the practice has risen to the level of a staggering 1 in 1,000 phones being tapped.”

Beat that, America!

(Read the original on Slashdot.)

Keeping your data safe in the cloud the cheap way

Security and safety of data. You may not be concerned about it. I am. Especially since I like Cloud solutions.

I have an account with a cloud provider called SpiderOak where your data are stored encrypted. Your computer first encrypts your stuff and then sends it to SpiderOak’s servers. They don’t have your key, so if you lose it and you lock yourself out of the client on your computer, you’re royally buggered up. They can’t help you. SpiderOak offers 2GB free, other accounts cost money ($100/year, $10/month for 100GB). See their site for other pricing options if you’re interested.

What if you can’t afford that but you have a huge Skydrive with Microsoft, or this enormous space on Google Drive? The answer: Truecrypt.

Truecrypt is a helper program that allows you to encrypt stuff. You can make it encrypt a file, a disk partition or even your entire computer. For this post I stick to the file.

When you start Truecrypt you have the options:

Truecrypt 1

Note that this is a shot from Linux; in Windows it’ll look pretty much the same. To set up an encrypted file, you click ‘create volume’, enter the name of the file and follow the prompts (the entire procedure is laid out in their Beginner’s Tutorial, so I’m not copying all that here). When you have followed the wizard, you have created a new volume.

Next step is to mount the file (volume). The fun bit is that you can mount the Truecrypt file as a drive (e.g. /media/truecrypt in Linux, or to a drive letter like M: or V: in Windows):

truecrypt 2

Via ‘select file’ you browse to your file (or you type in the name) and click Mount. Truecrypt asks you for the password you assigned to the file in the creation process, and if that matches, your file is mounted as a disk (as mine is in Slot 1; Windows will show you actual drive letters to assign it to).

Stick your work in the new drive, unmount it and back up that file to Google Drive, Dropbox, MS Skydrive etc, provided you have ample space there. If you created a 4GB Truecrypt file and you try to store that to a 2GB dropbox account, you’ll get yelled at by Dropbox.

The file (your new drive) will be fully encrypted, no one can read it. I have read that the FBI spent months trying to hack a Truecrypted drive from the infamous DotCom affair and gave up. If you need your file back, just download it from wherever, mount it and voila, there are your files. For your eyes only, and no one else’s. Again: lose the password and you’re buggered.

Warning:

Note that I don’t know if syncing a Truecrypt file “live” to Dropbox (e.g. you have the Truecrypt file INSIDE your Dropbox directory) works fine. I haven’t tried that.

I assume it will, as Truecrypt only has unencrypted data in memory and always writes encrypted data to disk. Dropbox then should move the update to the cloud, but understand that if you update e.g. a 1GB file (your drive), each update will cause the entire 1GB file to be Dropboxed, not just the 25 words you added to the file inside your Truecrypt-drive. For Truecrypt it’s a drive, for Dropbox it’s a big file. That is why I suggest copying the Truecrypt file to Dropbox when you’re done for the day or so.
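As an added example (not code from either of these posts), here is a small POSIX shell script that automates the procedure from both Truecrypt posts above: copy the dismounted container file itself into the sync folder, never the contents of the mounted drive, and only when you are done for the day. It assumes a Linux host where a mounted container is attached to a loop device (checked with `losetup -j`), keeps dated, hash-verified copies so an overwritten or damaged sync copy does not take your only backup with it, and all paths and names in it are illustrative.

```shell
#!/bin/sh
# Snapshot an encrypted container file into a cloud-synced folder.
# Illustrative example: paths and names are assumptions, not from the posts.
# Rules it enforces: copy the container FILE (never the mounted drive's
# contents), only while it is dismounted, atomically, and hash-verified.

sha256_of() {
    # Portable SHA-256 of one file: sha256sum on Linux, shasum elsewhere.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

container_is_mounted() {
    # On Linux a mounted container is attached to a loop device, and
    # "losetup -j FILE" lists the loop devices backed by FILE. Without
    # losetup we assume the user dismounted it first, as the posts advise.
    if command -v losetup >/dev/null 2>&1; then
        [ -n "$(losetup -j "$1" 2>/dev/null)" ]
    else
        return 1
    fi
}

snapshot_container() {
    src="$1"       # e.g. /home/me/crypt/container.tc (outside the sync folder)
    dest_dir="$2"  # e.g. /home/me/Dropbox/vault
    [ -f "$src" ] || { echo "no such container: $src" >&2; return 2; }
    if container_is_mounted "$src"; then
        echo "container is mounted; dismount it before copying" >&2
        return 3
    fi
    mkdir -p "$dest_dir"
    stamp=$(date -u +%Y%m%d-%H%M%S)
    dest="$dest_dir/$(basename "$src").$stamp"
    # Write under a temporary name and rename at the end, so the sync
    # client never uploads a half-written copy.
    cp "$src" "$dest.part"
    src_hash=$(sha256_of "$src")
    dst_hash=$(sha256_of "$dest.part")
    if [ "$src_hash" != "$dst_hash" ]; then
        rm -f "$dest.part"
        echo "hash mismatch after copy; snapshot discarded" >&2
        return 4
    fi
    mv "$dest.part" "$dest"
    # Sidecar hash: lets you verify the copy later (e.g. after a restore,
    # or if the synced copy was tampered with or overwritten).
    printf '%s  %s\n' "$dst_hash" "$(basename "$dest")" > "$dest.sha256"
    echo "$dest"
}

# Usage: ./snapshot.sh <container-file> <sync-folder>
if [ "$#" -ge 2 ]; then
    snapshot_container "$1" "$2"
fi
```

Each run adds a new dated copy rather than overwriting the previous one, so old snapshots survive a bad sync; prune them by hand once you have verified a newer one.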

Questions?

Google to the encryption-rescue

As found on cnet:

Google tests encryption to protect users’ Drive files against government demands

The search giant is seeking ways to armor user files, sources say, a move that could curb government surveillance attempts.

Google has begun experimenting with encrypting Google Drive files, a privacy-protective move that could curb attempts by the U.S. and other governments to gain access to users’ stored files.

Two sources told CNET that the Mountain View, Calif.-based company is actively testing encryption to armor files on its cloud-based file storage and synchronization service. One source who is familiar with the project said a small percentage of Google Drive files is currently encrypted.

The move could differentiate Google from other Silicon Valley companies that have been the subject of ongoing scrutiny after classified National Security Agency slides revealed the existence of government computer software named PRISM. The utility collates data that the companies are required to provide under the Foreign Intelligence Surveillance Act — unless, crucially, it’s encrypted and the government doesn’t possess the key.

“Mechanisms like this could give people more confidence and allow them to start backing up potentially their whole device,” said Seth Schoen, senior staff technologist at the Electronic Frontier Foundation in San Francisco.

Major Web companies routinely use encryption, such as HTTPS, to protect the confidentiality of users’ communications while they’re being transmitted. But it’s less common to see files encrypted while stored in the cloud, in part because of the additional computing expense and complexity and the difficulties in indexing and searching encrypted data.

Google previously had said that user files were transmitted in encrypted form, but stored in its data centers in an unencrypted manner, as detailed in an April 2012 post on a Google product forum from a community manager.

Jay Nancarrow, a Google spokesman, declined to answer questions about Google Drive encryption.

Secure encryption of users’ private files means that Google would not be able to divulge the contents of stored communications even if NSA submitted a legal order under the Foreign Intelligence Surveillance Act or if police obtained a search warrant for domestic law enforcement purposes.

Read the entire article on cnet.

IT Administrator song

#stopcispa
IT Administrator Song, or A Few Of My Fav’rite Net Things. This is a pretty old video (this version was uploaded in 2008) but check out this prescient verse: When my page stalls, Or they pass laws to invade free net speech I simply remember that it could be worse. At least there’re still sites i reach!

The full lyrics:

Route aggregation and increasing payload
Multiway peering and net-friendly C code
Boxes that filter on source-routed pings
These are a few of my fav’rite net things

Multicast native and option-free packets
VLANs that don’t break and short A.S. path lengths
End-to-end measures with meaning to bring
These are a few of my fav’rite net things

When my link’s toast
When the spam grows
When my throughput hits ground
i simply remember my fav’rite net things
and then i don’t feeeel sooo down

Far reaching coverage and routing that’s stable
Aggregate flow stats and mice that are able
to back off when shown that the Net’s being zinged
These are a few of my fav’rite net things

Routers that do red and balanced net loading
Video apps with hierarchical coding
Raw packet traces to dissect and see
all of my absolute fav’rite net things

when DNS freaks
when my routes leak
when i lose a peer
I try to remember my favorite net things
and then go buy more net gear

Visualizations of virtual networks
Discovering “features” in new IOS quirks
Vendor built stacks that respect TCP
These are a few of my fav’rite net things

SNMP tools like MRTG
Knowing how to unconfig your P.V.C.’s
Measurement boxes that sniff OC3
These are a few of my fav’rite net things

When my page stalls
Or they pass laws
to invade free net speech
i simply remember that it could be worse
at least there’re still sites i reach

Cool network geeks and their company perks
Analysis tools in which true insight lurks
Stable peer sessions and route symmetry
These are a few of my fav’rite net things

Multi-mode fiber with an optical splitter
BGP sessions config’d not to litter
Reverting from ATM back to IP
These are a few of my fav’rite net things

When popups leap
when copyrights creep
into my browser’s cache
i simply remember that SDMI
will most likely buuurn & crash

Stock trading web sites that haven’t yet crashed
MP3 players with plenty of flash
having my cell phone talk to my PC
These are a few of my fav’rite net things

Linux and Open- and FreeBSD
Persistence in TCP’s HTTP
Finally remembering my PGP key
All of my absolute fav’rite net things

When Backhoes sting
or TIME_WAITs bring
servers to the ground
i simply remember my fav’rite net things
and then i don’t feeeel sooo down

(None of this is my work, I just copied it from Google+ for posterity and entertainment.)