Your browser aggrigates a *lot* of data about your computer, and it won’t hesitate to provide all of this data to a nosy web site. In fact, if a website requests a large dataset of your computer’s configuration, concatinates it together, and passes it through a hash function, the resulting hash can be farily unique.
This procedure can be done (and is done) on seperate websites to track users and their activity across multiple websites. If the same procedure [get data, concatenate, hash()] produces the same hash value when done on 2 seperate websites, the website can be fairly certain that you’re the same user. This technique for tracking users is known as Browser Fingerprinting.
Just to get an idea of how effective this is, here’s an excerpt from the above-linked article:
[The EFF] found that, over their study of around 1 million visits to their study website, 83.6% of the browsers seen had a unique fingerprint; among those with Flash or Java enabled, 94.2%. This does not include cookies!
You can test the uniqueness of your browser’s “fingerprint” using this handy EFF tool.
I came back from my “cross-country bicycle trip”:http://1guy2biketrips.michaelaltfield.net to discover I could no longer send signed email because my key expired! I’ve also changed colleges from “SPSU”:http://www.spsu.edu/ to “UCF”:http://www.ucf.edu, and my old college is expiring my email address, so here’s what I need to do:
# Extend my key’s expiration another year # Add new email address to subkey # Save updates to key # Export a new public key
Background Information GPG
“GPG (GNU Privacy Guard)”:http://www.gnupg.org/ (used here) is a popular, cross-platform implementation of “OpenPGP (Pretty Good Privacy)”:http://en.wikipedia.org/wiki/Pretty_Good_Privacy defined in “RFC 4880”:http://tools.ietf.org/html/rfc4880. OpenPGP outlines a standard, open message format for maintaining the “confidentiality”:http://en.wikipedia.org/wiki/Information_security#Confidentiality and “integrity”:http://en.wikipedia.org/wiki/Information_security#Integrity of electronic messages.
Why Subkeys?
“Public Key Cryptography”:http://en.wikipedia.org/wiki/Public-key_cryptography is long, complicated, and well outside the scope of this post. However, one thing I never fully understood was the functional purpose of subkeys. Thankfully, “the GPG documentation”:http://www.gnupg.org/gph/en/manual.html is excellent.
So, there’s 2 major things I want to accomplish by using GPG with my email
# Confidentiality through encryption # Integrity through signatures
The designers of PGP viewed the signature role as indefinitely important while the encryption role as dynamic overtime. Therefore, when we first generate a keypair, 2 keys are created: 1 primary key for . . . → Read More: Extend GPG Key Expiration
Plausibly deniable encryption is a fascinating concept. For example, “TrueCrypt”:http://www.truecrypt.org/ (a FOSS for hard disk encryption) has a wonderful “Hidden Volume”:http://www.truecrypt.org/docs/?s=hidden-volume feature that provides “Plausible Deniability”:http://www.truecrypt.org/docs/?s=plausible-deniability. The concept is: you install 2 OS instances on your computer–1 in a hidden volume. If, for whatever reason, you were forced to reveal your encrypted data, you could give access to decrypt your fake, but seemingly legitimate, OS instance. If done correctly, this could prevent you from forfeiting your sensitive data.
What if you want to encrypt some data to a file, bury it on a thumbdrive somewhere, and make it appear to be just an obscure filetype (possibly corrupted)? I ran across “the answer”:http://old.nabble.com/Is-it-possible-to-decide-what-is-a-gpg-file–td26392408.html when studying for my Secure Computing final.
I haven’t had a chance to research this potential solution, but there seems to exist a project that builds onto the Blowfish cypher to achieve this plausibly deniable encryption: “Blowfish Updated Re-entrant Project (BURP)”:http://www.geodyssey.com/.
Exerpt from “burp.txt”:http://www.geodyssey.com/cryptography/burp.txt
Unlike many similar programs, BURP writes to the output file only the ciphertext (i.e., it writes no “file headers”, password verification data, system, program or content identification strings, etc.). Consequently, such file can not be “provably” identified as ciphertext, as long as the key . . . → Read More: Plausibly Deniable File Encryption
So, I got into a discussion with a friend of mine in my Computer Security class at UCF about this script. I’m posting this for historical and educational purposes only. As always, I never condone the implementation of any of my content for malicious intent. Moreover, this script has flaws that * would make it useless in such a scenario. Don’t do it!
Here’s a script I hacked up last semester when I was playing with MITM attacks and packet eavesdropping with ettercap:. This scripts will automatically:
fake its MAC Address get a new IP Address collect a list of hosts on the same subnet as itself iterate through and ARP poison: each of these hosts one at a time for 5 minutes each save all data collected in host-specific files in a timestamped directory repeat until the hard drive is full Michael Altfield
Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡
I recently reformatted my hard drive–switching from pure Gentoo to the Sabayon fork. Sabayon did for Gentoo what Ubuntu did for Debian. It’s generally a lot easier to use, but–unlike Ubuntu–it doesn’t sacrifice functionality for ease-of-use.
Michael Altfield
Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡
I went to send an email the other day and I was halted when I discovered that my key had expired. I can’t believe that I’ve been using GPG for 6 months, but the time had come to generate a new keypair.
This post outlines the process to gererate a new keypair once your old keypair has expired.
Michael Altfield
Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡
Jesus. It’s only the second week of school and I’ve already pulled my first all-nighter. This time, however, it was not for school. I was determined to get my OpenVPN server properly setup so that I could finally browse the web securely from the dorms. I only expected this to take a few minutes, but I ended up spending over 7 hours of research, troubleshooting, and configuration changes.
This post will contain a slew of information about smoothwall, zerina, openvpn, and iptables. I’m mostly just going to throw all of my findings here without much of any logical flow.
Michael Altfield
Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡
A few weeks ago, I finally got around to downloading and installing 4 updates to my smoothwall box. Unlike Ubuntu upgrades, this process was farily painless except for one thing: my Zerina OpenVPN ‘plugin’ broke.
Michael Altfield
Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡
I’ve wanted to setup a serious linux-based firewall for my home network for some time now, and I finally got around to it yesterday.
There are TON of linux router distros out there, but instead of spending 8 hours picking & choosing, comparing & contrasting, nitpicking & debating, I asked someone else ;). Two buddies of mine have a similar setup at their homes: one uses Smooth Wall; one uses IPCop. I arbitrarily chose Smooth Wall (after actually setting it up, though, I think IPCop would have been a better choice–c’est la vie.
The installation is supposed to be quite painless, and it was–for the most part. The documentation and install process was intuitive and easy to follow, but it didn’t work OOTB. I probably only had so much difficulty because of hardware issues (fried NICs?) which is by no means Smooth Wall’s fault. Nevertheless, it took ~5 hours of bang-your-head-against-the-table troubleshooting ’till I could finally unhook the monitor & keyboard, shove it in a corner, and get some sleep.
I was also disappointed with two things that didn’t work as I had expected OOTB:
DHCP DNS VPN Michael Altfield
Hi, I’m Michael Altfield. I write articles about opsec, privacy, and . . . → Read More: Smooth Wall
So, it turned out that–by some miraculus chance–the day I decide to move my blog from wordpress.com to my own server is the day after a major upgrade of wordpress is released (v2.3 to 2.5). I figured that, while I was at it, I would upgrade the server that I setup a few weeks back (I’ve been planning this move for a while now, just never really got around to finishing). I’m pretty sure I followed the installation process just fine, but when I tried to go to any page on my fresh, new site (including wp-admin/upgrade.php) I got slammed with this lovely error:
Fatal error: Call to undefined function require_wp_db()
Eventually I decided “fuck the installation instructions.” I was able to install it by copying my config file and other data TO the new wordpress folder (the suggested process is the reverse: copying the new files into your current, older install).
It’s a bitch of a thing to search, too. If you search for that error (at least now, anyway) you get a bunch of popular blog sites that have since been fixed. There is no info from the webmaster or blog author as to HOW they fixed it, . . . → Read More: Blog Moved & Upgraded
