Category Archives: Privacy

Installing a secure Apache webserver to run Perl

So, you want to run Perl on the web, because it’s the 90s all over again. You want HTTPS, because… no, there’s no because. You want HTTPS. Who wouldn’t? Here’s what you do on a Debian Linux such as Ubuntu:
sudo apt-get install apache2 libapache2-mod-perl2
mod-perl is an Apache module that allows Perl programs to be executed from Apache.

Our goal is to get /var/www/html/index.pl running at http://www.example.com/index.pl:

#!/usr/bin/perl
print "Hello World"

Disable the default Apache virtual host:

sudo a2dissite 000-default.conf

Create an example.com.conf file in /etc/apache2/sites-available with your text editor, replacing instances of example.com with your own domain name in both the configuration file and in the file name /etc/apache2/sites-available/example.com.conf

<VirtualHost *:80>
     ServerName example.com
     ServerAlias www.example.com
     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined
     <Directory /var/www/>
              Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
              AllowOverride None
              AddHandler cgi-script .pl
              Require all granted
     </Directory>
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
     ServerName example.com
     ServerAlias www.example.com
     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined
     <Directory /var/www/>
              Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
              AllowOverride None
              AddHandler cgi-script .pl
              Require all granted
     </Directory>
</VirtualHost>
</IfModule>

If you have multiple sites, you’ll want to do things with DocumentRoot to isolate them from each other. But that’s for another post.

You might add in DirectoryIndex /index.pl to make http://www.example.com/ execute your program.

The Directory section above allows you to isolate executable code from served code, which is good practice. For this example we’re dumping the executable in with everything else, which is questionable.

Repeat this process for any other domains you host.

sudo a2ensite example.com.conf sudo ln -r -s /etc/apache2/sites-available/example.com.conf /etc/apache2/sites-enabled/example.com.conf sudo service apache2 restart

Punch holes in your firewall for ports 80 and 443. Navigate to http://www.example.com/index.pl to check all is okay. You ought to see Hello World displayed for your website.

Having security used to be a pain. SSL certificates signed by a recognised CA cost money, and then you’d have to keep them up to date, and there wasn’t process automation, so you’d do all that stuff by hand. LetsEncrypt address all these problems, handing out free certificates and scripted everything.

Now it’s time for the S part of HTTPS:
sudo add-apt-repository ppa:certbot/certbot sudo apt-get update sudo apt-get install python-certbot-apache sudo certbot --apache
certbot renew
If that works, we’ll automatically renew our 90-day certificates every month:
echo '@monthly root /usr/bin/certbot renew >> /var/log/letsencrypt/letsencrypt-auto-update.log' | sudo tee --append /etc/crontab

Done. You’ll never have to worry about certificates again. Now alter your Apache sites-available file (look in /etc/apache2/sites-available/) to include the (optional) redirect HTTP to HTTPS and the mandatory location of the SSL certificates:

<VirtualHost *:80>
....
# Only allow HTTPS
RewriteEngine on
RewriteCond %{SERVER_NAME} = example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
...
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Now make the secure version live, and in the process the insecure one… shy? When a request is made for a http page, like http://example.com/index.html, the response will be “Here’s https://example.com/index.html where what you asked for has moved to… forever!”:
sudo service apache2 restart
Now requesting http://www.example.com/index.pl ought to deliver you to https://www.example.com/index.pl

Install exim4 STARTTLS using a free LetsEncrypt certificate

Here we are on a Debian Linux, such as Ubuntu and we want to run a mail server. Exim4 is currently the most popular email server, but getting it up and working for free is a hassle – who wants to pay for a SSL certificate, on an ongoing basis? And then there’s the maintenance of the security of it – constant renewal, renouncing and re-installation of the certificates.

Wherever you see example.com, swap in your Fully Qualified Domain Name. That may be mail.example.com
It’s assumed you’re not logged in as root, but user ubuntu
Wherever you see 1.2.3.4, swap in your machine’s local IP address, from
ifconfig | grep "inet addr" | grep -v "127.0.0.1"

Security is all handled automatically by LetsEncrypt’s certbot. I’ll let you look that one up yourself. Run it up and get your certificate for example.com

Once you’ve got that handled, punch a hole in your firewall so that port 25 can get through from the outside world to your machine. Be aware: the outside world is filled full of botnets trying to hack into your machine. After installing exim, keep an eye on the logs in /var/log/exim4/ for a while.

Let’s install exim4:
sudo apt-get install exim4
sudo dpkg-reconfigure exim4-config

pick “Internet site”
system mail name is example.com
IP address is 1.2.3.4 (the one returned by ifconfig, not the externally accessable one)
Other destinations: example.com
No relays
No smarthost
No Dial-on-Demand
mbox format (or whatever)
Split the files
ubuntu for postmaster mail

Check we’re now running a mail server:
sudo netstat -napt
should show
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 1.2.3.4:25 0.0.0.0:* LISTEN 25700/exim4

Now we have a mail server, the world needs to find it. Check your nameserver setting to ensure mail is destined this machine. You probably want only one MX record.

Check the Internet can send mail to our server. After allowing for the appropriate propagation delay for your nameserver changes, use gmail or something to send an email to ubuntu@example.com – you should be able to read it by typing
mail

Now it’s time to enable MTA-MTA link encryption for secure transport of mail, by enabling STARTTLS on exim4 using our LetsEncrypt certificate
sudo nano /etc/exim4/conf.d/main/03_exim4-config_tlsoptions
Enable STARTTLS by adding/setting in the tlsoptions section:
MAIN_TLS_ENABLE = yes MAIN_TLS_CERTKEY = no
before any of the IF shenanigans. Also add/replace pointers to the certificates:
tls_certificate = /etc/letsencrypt/live/example.com/fullchain.pem tls_privatekey = /etc/letsencrypt/live/example.com/privkey.pem

The MAIN_TLS_CERTKEY = no entry fixes an exim4 log message
2017-04-16 09:13:24 TLS error on connection from your.home.ip.com (IcePlanet) [5.6.7.8] (cert/key setup: cert=/etc/exim4/exim.crt key=/etc/exim4/exim.key): Error while reading file.
You will see this when testing with swaks:
$ swaks -a -tls -q HELO -s example.com -au test -ap '<>'
=== Trying example.com:25... === Connected to example.com. < - 220 your.vps.host.com ESMTP Exim 4.86_2 Ubuntu Sun, 16 Apr 2017 09:13:24 +0000 -> EHLO IcePlanet < - 250-your.vps.host.com Hello your.home.ip.com [5.6.7.8] STARTTLS < ** 454 TLS currently unavailable *** STARTTLS attempted but failed -> QUIT < - 221 your.vps.host.com closing connection === Connection closed with remote host.

Allow exim (which when running runs as user Debian-exim) to get to the certificates:

sudo groupadd privkey_users
sudo usermod -aG privkey_users Debian-exim
sudo sudo chmod g+rx /etc/letsencrypt/live/
sudo sudo chmod g+rx /etc/letsencrypt/archive/
sudo chown root:privkey_users /etc/letsencrypt/archive/
sudo chown root:privkey_users /etc/letsencrypt/archive/example.com/
sudo chown root:privkey_users /etc/letsencrypt/archive/example.com/cert1.pem
sudo chown root:privkey_users /etc/letsencrypt/archive/example.com/chain1.pem
sudo chown root:privkey_users /etc/letsencrypt/archive/example.com/privkey1.pem
sudo chown root:privkey_users /etc/letsencrypt/archive/example.com/fullchain1.pem
sudo chown root:privkey_users /etc/letsencrypt/live/
sudo chown root:privkey_users /etc/letsencrypt/live/example.com/

Changing these permissions doesn’t affect apache2’s ability to get them.
The reason we’ve used a group here is to allow both exim and any other app (for example, a secondary service that wants to use 8080 to serve up a configuration page) to access the private keys; just add any other user that needs to use the private keys to the privkey_users group.

These permission changes prevent the following error message in your log file:
2008-06-03 08:27:35 TLS error on connection from me.at.home.com ([1.2.3.4]) [5.6.7.8] (cert/key setup: cert=/etc/ssl/certs/server.pem key=/etc/ssl/private/server.key): Error while reading file.

Restart the service and the TLS settings ought to be working
sudo service exim4 restart
Test STARTTLS is working from another machine
swaks -a -tls -q HELO -s example.com -au test -ap '<>'
There shouldn’t be any obvious complaining.

Done!

Melbourne IT Privacy Policy: so protective of my details, they don’t know who I am

A lot of AU companies are revising their privacy policies at the moment, in line with new legislation.

I found this one amusing.

Internet privacy: hard work, but doable

Ever since I came across browser fingerprinting, it’s been very hard to ignore that little voice in my head that tells me they’re out to get you. I routinely rock the Internet with JavaScript and Flash disabled thanks to NoScript and the similar NotScripts on Chrome, and have, in the past, been satisfied that these precautions were enough to stop the bad people on the Internet. If my browser was dumb, it couldn’t hurt me.

I routinely leave cookies enabled because they don’t present a system security threat. There are cross-site supercookies, but they’re implemented outside of the HTML cookie world — they’re done with Flash and JavaScript, so not so much of a problem with my configuration. In the future I’ll be disabling third-party cookies.

Disabling third party cookies doesn’t do much good with browser fingerprinting. I hadn’t realised how unique my browsers are. So Firefox gets FireGloves, which will work even for pages where I’ve enabled JavaScript et al. FireGloves changes HTTP request headers so that instead of my systems actual values, the most generic values found in the Internet are used instead; it can also cycle through them randomly.

Because of the interminable delay in page redirection on my grossly underspec’d netbook, I’ve added Don’t track me Google (which Chrome will download but then leads you to believe it won’t let you install, but if you click *->Tools->Extensions, then drag from the download bar onto the Extensions list will install just fine).

Because the Australian government seems increasingly intent to read my mail, I’ve gotten quite interested in preventing them doing so. Encrypted communications provide private browsing — what goes back and forth is a secret, but not who are having the conversation. The EFF’s HTTPS Everywhere (which works on Firefox, and kinda on Chrome) enforces a preference for SSL communications where available. However, in the real-world parallel to the electronic, that ensures that instead of my ISP being able to see me walk around the streets and then into glass-walled buildings, the buildings now become opaque. They still know what buildings I’ve walked into. The government wants to know what buildings I’ve walked into because… ummm… the building which has bomb-making instructions… we can prove… ummm… something. But now we’re safe! The ineptitude of the government’s censorship plans leaves me with no desire to allow random ISP and government employees to rifle through whatever-it-is-I-do-on-the-Internet whenever they feel like it.

As such, the next step is to start using an anonymising network; initially I2P seemed to be just the ticket. I2P is an unofficial top level domain, and under it you can find — amongst other things — eepsites, anonymously hosted web sites. Problem is, they serve HTML, and the pages could refer you off the .i2p TLD thus exposing your IP address (they might do this via a web-bug or something as innocuous as externally hosted CSS file). I2P is primarily a darknet, not an anonymising proxy; it’s an internet that doesn’t play by the same rules, and the effect is that no-one on it can identify anyone else on it (with some demonstrated exceptions). The I2P network seems to be populated by scary people and paranoid people. By far the biggest problem is that I2P doesn’t work very well for surfing the Internet, due to it’s limited out-bound connection (outproxy) to the wider Internet. Given the http://i2p.to proxy allows viewing this darknet from outside, there’s not much point running I2P unless you want to anonymously publish information.

So while I2P isn’t enough on it’s own to hide your identify online, it isn’t really enough anyway. I don’t want to wander the darknet, I want to be out in the light of the Internet using my Cloak of Invisibility. This is where the only (non-VPN) game in town comes in, along with all its demonstrated weaknesses: Tor. The Tor network is accessed via the TorButton plugin.

When using TorButton, to minimize your risk profile you can’t run random crap on your browser — you’ve got to just browse. As such, the Tor developers recommend you use TorButton with a bunch of other tools (many of which I’ve already mentioned), which are all helpfully bundled up into the Tor Browser bundle, a secured version of FireFox — not a plugin — that uses the Tor network. They’re also very down on embedded environments like Flash, Sliverlight, Quicktime, RealPlayer… you get the idea. In addition, those datafiles that carry active content — .DOC and .PDF — scare the willies out of them, and they want you to only open them once you’re disconnected from the Tor network.

In fact, they go so far as to recommend Tails running inside a VM, which means all your traffic goes via Tor. That seems to be the optimal solution.

Google blurs Colonel Sanders? Maybe.

Oh lordy. I wonder if this is some kind of joke, or if it’s true?

The Telegraph reports that Google has blurred the image of Colonel Sanders on KFC signs in the UK, on the basis that he’s a real person.

The company says it took the decision because he is ‘a real person’ – despite him passing away in December 1980 aged 90.

If it’s true, then can I just say: IDIOTS!

1. It’s a cartoon image, not a photographic likeness.

2. He’s been dead for 29 years.

3. What, you think we won’t know who it is? “Hey, who’s that on the KFC sign?” “Dunno, could be any southern American military guy who knows about chicken.”

4. Are they doing the same for cartoons and photos of real people on billboards and the like?

5. How is the late Colonel’s privacy being spoilt if people could see the cartoon image of his face? Hasn’t the horse already bolted on that, given the image of him is up on thousands of KFC outlets all over the planet?

Of course, it could be that the whole story is a crock.

Or maybe they just haven’t implemented their policy (whatever it is) very well.

The reason I offer these two possibilities is that I found this unobscured KFC sign, and this one too, both in London.

Certainly it appears the Colonel in Australia is freely visible:

If they did institute such a policy in Australia, I wonder what they’d do about other cartoon face logos, especially of people who are still alive. Dick Smith is one who springs to mind, though now I think about it, I think they’re phasing out use of his face on their signs and literature.

Name and address, please.

Those of us in AU who used to frequent Tandy Electronics might recall that they always asked for a name and address — ostensibly for customer service, but in practice to send you catalogues. I had a CompSci teacher in year 12 who refused to provide it; he found it ridiculous to do be asked, especially when buying something like a single resistor.

Raymond Chen writes about this happening at the affiliated Radio Shack stores in the USA, and tells a funny story refusing to give his name.

Wireless Skate Speedometer – a solution looking for a problem?

Finally, a Wireless Skate Speedometer, so now you can know how fast you’re skating. As an added bonus, it’s water resistant at up to 30ft/10m, for when you accidentally skate into a swimming pool.

You have to turn it on and off, because the batteries will only last 300hrs. I can’t imagine that would be hard to do, given where the wheel is – on the bottom of your shoe. And heaven help you if you forget, two weeks later your speedo will be knackered.

Of course, the wheels and bearings wear out, but they thought of that. Just buy your wheels and bearings from them! An electronics company! They’ll also sell you a battery kit, I guess because it uses special batteries or something. Or perhaps because they know you’re going to forget to turn the darn thing off.

They’ve got a big write-up on their site about how pushbikes have the wheel in contact with the ground all the time, but skates don’t, so their computer has to do all sorts of tricks to figure out the right answer. Perhaps hooking up a GPS might have been a better idea?

And of course, you have to consider the privacy implications or wireless transmission of personal data like your velocity…

This is God calling

Yesterday I answered the ‘phone. Because I was home, having a holiday, which is soon to be rudely interrupted by a short working stint, but that’s by-the-by. I could tell that whomever had called didn’t know anyone in the house; the phone’s listed in my girlfriends name. “Hello, Mr [Girlfriend’s-name]?” is a dead giveaway that they’ve pulled the number from the phonebook, and immediately puts me on the defensive. Which is why I have no interest in having the phone in my name. I can spot low-life scum a mile away with the arrangement as it is.

Now, the first thing I do when I have a telemarketer on the phone is to get them to tell me who they are. The lass weasled about, talking about a survey. Surveys don’t care about the identity of the respondent; this was marketting. Eventually she said she was representing the Jehovah’s Witnesses, at which point I terminated the call; religous fundamentalists get up my nostril.

Neither Cathy nor I get any telemarketing calls – oh, well maybe we get a couple a year from local gyms. It’s because we’re signed up to the ADMA’s do-no-call list. If you’re not signed up, stop reading, and go sign up now. The local gyms get the line “we only purchase goods from members of the Australian Direct Marketting Association” and they’re taken care of.

So, here we have technology being used for evil. Evil, not only because it’s evangelical fundamentalists at work, but because they claim they’re doing a survey about how people in the local neighbourhood feel about stuff. Because it’s a survey, that would be covered by the Australian Market & Social Research Society, which (they would claim to keep the statistics clean) doesn’t operate a do-not-call list (in spite of the fact that people that don’t want to be surveyed are going to do all sorts of bad things to their stats).

Worst of all, I don’t think there’s much I can do about it, except I remember hearing about a guy who had installed a PABX with and IVR – “if you want to talk to Cathy, press 1 now. To talk to Josh, press 2 now. Pressing 3 now will let you talk at Owen, but don’t expect a cogniscient conversation out of him.” Apparently, in the US, he was getting zero telemarketing calls – which is quite a feat.

Questions:

Has the obesity epidemic reached the point where the Jehovah’s Witnesses can’t be bothered leaving the house to recruit souls so that they can, pyramid-sales-scheme-like, go to heaven?
Why don’t the Jehovah’s Witnesses tell people up front you’re not going to heaven, even if you convert (there’s only 144,000 spots – what are the chances you’ll be goody-two-shoes-super-converter enough to get in)?
Why doesn’t the AMSRS operate a do-not-call list?
Why doesn’t the government ban harrassment like this?
What can I do to stop this from happening again?

Pornzilla

As everyone knows, the web is the best place for finding and viewing high quality pornography in the comfort of your own home. Or internet cafe.

Pornzilla is a collection of tools for surfing porn with Firefox. These bookmarklets and extensions make it easier to find and view porn, letting you spend more time looking at smut you like.

I love the tools including the one that allows you to “… find galleries similar to one you have open without using the keyboard”

They need funding:

“Since nobody has contributed to our testing budget, these tools have only been tested with free porn sites.”

Is it good that they’re being kept off the streets? Perhaps you’d like to give the authors jobs?

Gads

When I look at this site, in the Google Ad I consistently get public service announcements, or more commonly, an advert for a Word to HTML conversion tool.

When I looked at this site at Tony’s place, it came up with ads for AFL memorabilia on eBay.

Interesting, very interesting. Tony’s a big AFL fan, and I can only speculate that Google is doing some tracking of sites visited.

Other ad operators such as DoubleClick got flack when they originally started doing that, serving tracker cookies with their ads, building up usage patterns. I don’t recall hearing about Google doing the same thing, but I wouldn’t be surprised. After all there’s thousands upon thousands of sites using Google AdSense now, plus they could track your Google searches (it’s known that they do use a user cookie to keep your preferences). Might be time to trawl through Google’s T&Cs again.

PS. Okay, I just got an AFL ad. Maybe they’re not tracking?