Finished reading “Little Brother”

I took my copy of Cory Doctrow’s “Little Brother with me on a recent business trip, and thanks to severe weather delays, I managed to spend over 8 hours waiting in airports and was able to finish the book in one day.

While it’s no fun being stuck in an airport, it turned out to be the perfect environment to read this book. The story follows a high school hacker as he fights the “Department of Homeland Security” to reclaim American civil liberties after anti-terror tactics are taken to a new level. Having the real DHS making announcements in the background about threat levels and unattended baggage, only makes the story more real.

The book targets a younger audience than myself, but it’s still enjoyable. Doctrow does a wonderful job keeping the story believable, and explaining the security implications of the technology we use on a daily basis. Given the theme of the book, I do hope he’s successful in reaching a wide audience and sparking a healthy debate about “national security”, privacy, and civil liberties.

SSH Tunneling on public networks

I’ve been traveling a bit this week, which means I’ve also been accessing the net on untrusted networks. For general web surfing this doesn’t both me, but when it comes to editing my blogs or accessing any web service that doesn’t authenticate over SSL, I’d feel better if I knew my passwords weren’t floating past some coffee shop’s network admin in clear text. Fortunately, there’s an easy solution: SSH tunneling.

There’s plenty of information online that describes how SSH tunneling works and how to set it up, but not surprisingly, you have to do a bit of Googling to actually find concise, step-by-step instructions that actually work. So here we go: Erik’s Three-Step Plan for Looking Like You Know What You’re Doing SSH Tunneling. (For the record, I’m using a PowerBook running OS X, tunneling to a server running Ubuntu Linux.)

[STEP 1] On the remote server I’m running Privoxy (an HTTP proxy.) On a Debian/Ubuntu box, getting Prixovy running is as complicated as typing: sudo apt-get install privoxy

[STEP 2] Assuming you can SSH into your remote server (ie., no firewall blockage), launch Terminal.app and issue something like this: ssh -N -L 8118:127.0.0.1:8118 remoteuser@serveraddress (changing “remoteuser” and “serveraddress” appropriately.) Using the -N flag you’ll still need to authenticate with the server, but you won’t actually get a command prompt — the window will just look like nothing’s happening.

[STEP 3] Tell your browser to use a proxy for HTTP and HTTPS running at 127.0.0.1 on port 8118.

You’re done! You can now hit WhatIsMyIP to see it working.

Of course, just like other three-step programs, there’s a little fine print and few extra details that might help to know:

  1. Privoxy is an HTTP proxy, which translated means that instead of your browser asking a server for a web page, you’ll be asking Privoxy and Prixovy will relay the request and pass the resulting content back your way. Using a proxy is handy when: (1) You want to tunnel your browsing activity, and/or (2) When you’d like to have the proxy do some content manipulation for you (which is what Privoxy was written to do.) This content manipulation can be anything you want, but most of the time it means stripping out advertisements and possibly cleaning up bad HTML before the browser sees it.
  2. If you haven’t used Privoxy before, you might want to read the docs and poke around in the config files to tweak as needed.
  3. By default Privoxy runs on port 8118, hence the 8118 mapping the ssh statement.
  4. Save yourself some time by storing your proxy settings for future toggling. To cover most OS X apps you’ll be creating a new Network Location for this. Go to the Apple Menu / Location / Network Preferences to create a new location profile. Toggling can be done using the Location menu under the Apple menu. For Firefox (which ignores the system-wide proxy settings), you’ll need to enter the settings directly into the Firefox’s Preferences or install the SwitchProxy Firefox plugin to enable a pop-up menu for proxy switching from the Firefox status bar.

Happy Surfing!

diggdot, texas sues Sony, and other news…

diggdot.us launched (a Digg / del.icio.us / Slashdot aggregator.) Normally this wouldn’t be news for me, but this site happens to be built using TurboGears, a Python web stack that I happen to be building a few toys with as well. (Via “Instantly Hooked on Diggdot.us“)

In other news…

Texas Sues Sony Under Anti-Spyware Law

“AUSTIN, Texas – The state sued Sony BMG Music Entertainment on Monday under its new anti-spyware law, saying anti-piracy technology the company slipped into music CDs leaves huge security holes on consumers’ computers.”

A piece of tape defeats any CD DRM:

“Applying a piece of opaque tape to the outer edge of the disk renders the data track of the CD unreadable. A computer trying to play the CD will then skip to the music without accessing the bundled DRM technology.”

Hackers Cracked Gmail (Here’s how)

“Google said Wednesday it has fixed a problem in its widely used email program that allowed hackers to break into people’s Gmail accounts to read messages and pose as legitimate email users.”

More reasons to feel safe

Lately I’ve been putting most of my bookmarks on del.icio.us instead of here, but these three recent articles on WIRED NEWS were worth pointing out:

First, “Known Hole Aided T-Mobile Breach.” We’ve all heard plenty about what’s her name’s Sidekick getting owned, but the less recent T-Mobile breach has me a bit more concerned. According to this article, the back-door wasn’t nearly as elaborate as one would have hoped — it was simply an un-patched version of BEA WebLogic that let Jacobsen in. According to the article, older versions of WebLogic had a “feature” that allowed any file on the server to be read or replaced using an undocumented HTTP parameter. That’s right, someone designing the software decided that they would enable a full-on backdoor, but not tell anyone. You’ve got to be kidding. Worse still is that the flaw was discovered and a patch was issued, but T-Mobile simple failed to update their web servers.

But it get’s better. According to this article, the U.S. Government has decided that there will be “No Encryption for E-Passports.” Well that’s just great. How about just issuing T-Shirts and ball-caps with our social security numbers on them, and requiring travelers to hand out business cards with all their personal information to everyone they see. At least they thought about the issue enough to suggest that wrapping one’s passport in tin foil and duct tape should protect your personal information.

Of course, even with proper security measures, none if it will matter if the people who collect and sell this information don’t care who they sell it to. The article, “California Woman Sues ChoicePoint“, describes a case against ChoicePoint, “a data broker that collects financial, medical and other personal information on billions of people”, for apparently selling personal records to identity thieves.