Featured Articles

WordPress Profiling with XHProf (Debugging & Optimizing Speed)
Crowdfunding on Crowd Supply (Review of my experience)
Trusted Boot (Anti-Evil-Maid, Heads, and PureBoot)
WordPress Multisite on the Darknet (Mercator .onion alias)
Nightmare on Lemmy Street (A Fediverse GDPR Horror Story)
Detecting (Malicious) Unicode in GitHub PRs
Continuous Documentation: Hosting Read the Docs on GitHub Pages (2/2)
Hardening Guide for phpList
Introducing BusKill: A Kill Cord for your Laptop
previous arrow
next arrow

Browsing without being tracked via Fingerprinting

Your browser aggrigates a *lot* of data about your computer, and it won’t hesitate to provide all of this data to a nosy web site. In fact, if a website requests a large dataset of your computer’s configuration, concatinates it together, and passes it through a hash function, the resulting hash can be farily unique.

This procedure can be done (and is done) on seperate websites to track users and their activity across multiple websites. If the same procedure [get data, concatenate, hash()] produces the same hash value when done on 2 seperate websites, the website can be fairly certain that you’re the same user. This technique for tracking users is known as Browser Fingerprinting.

Just to get an idea of how effective this is, here’s an excerpt from the above-linked article:

[The EFF] found that, over their study of around 1 million visits to their study website, 83.6% of the browsers seen had a unique fingerprint; among those with Flash or Java enabled, 94.2%. This does not include cookies!

You can test the uniqueness of your browser’s “fingerprint” using this handy EFF tool.

There is a really great document descirbing techniques that could be used to prevent
. . . → Read More: Browsing without being tracked via Fingerprinting

Custom Synapse Shortcuts

I’ve been using Synapse for a few months now. This software is invaluable to my experience on my PC because: # I can *quickly* do what I want to do without fighting with a big, hierarchaial menu # It doesn’t require any huge dependencies (I use XFCE, so I don’t want something that requires Gnome or KDE libraries)

Unfortunately, the documentation is non-existant. So when I wanted to be able to configure Synapse to execute a custom command when I typed a custom keyword, it took me a while to figure it out.

This post explains how to define custom commands in Synapse to execute custom commands in your terminal. For example, I’ll show how to make “Google Drive” open a firefox window to https://drive.google.com

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael


. . . → Read More: Custom Synapse Shortcuts

Github

With each passing day, it’s becoming more and more obvious that Internet users are transitioning to cloud-based storage. Between (1) My home workstation running Arch Linux, (2) my laptop dual-booting in Ubuntu Linux and Windows 7, (3) my netbook running eeebuntu, and (4), public-access PCs at my University, I need a way to open the latest version of our files from any geographic location on any OS.

A few years ago I built a multi-TB storage solution which hosted my personal, online Subversion repository. But power is expensive, so this box ended up getting turned off. In response, I fell into the bad habit of storing my source code merely as files on the cloud without version control.

Several years ago (assuming your file was small enough) this meant emailing an attachment. Or, more recently, uploading it to Google Docs. Then people started using DropBox. Finally, if you cared about the privacy of your data, you moved to Wuala.

But Wuala tends to corrupt my files as I’m editing them in gvim, so I started storing my files locally again–which rocked the boat and convinced me to finally get around to learning git. Git has always been on my to-try
. . . → Read More: Github

UCF Wifi in Ubuntu

This month (September 2011), UCF officially killed the “UCF” SSID to be replaced by “UCF_WPA” and “UCF_WPA2.” Configuring Ubuntu Linux to connect to the UCF WPA2 network is neither trivial nor documented by UCF.

To aid other UCF Ubuntu users, I created a Wireless article on the unofficial UCF wiki. This includes links to the official UCF certificates and instructions on how to connect to the UCF_WPA2 network in Ubuntu.

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael

tech.michaelaltfield.net/

UCF Wifi Rant

While I frustratingly waited to connect to the UCF Wifi after a recent change to their system, I typed up the following email complaint to the UCF DoIT Manager. If *you* have also had issues with unstable/dropped connections, slow bandwidth, latency, or the inability to connect to the UCF Wifi, I urge you to also contact the UCF Department of Information Technology via:

cst@ucf.edu = General bob.yanckello@ucf.edu = Bob Yanckello (UCF Chief Technology Officer) lou.garcia@ucf.edu = Lou Garcia (UCF Network Manager [responsible for wireless services]) chrisv@mail.ucf.edu = Chris Vakhordjian (Information Security Office) tim.larson@ucf.edu = Tim Larson (ERP Consultant) jim.ennis@ucf.edu = Jim Ennis (Enterprise Systems & Operations) andy.hulsey@ucf.edu = Andy Hulsey (Telecommunications [includes Network Services]) aaron.streimish@ucf.edu = Aaron Streimish (Project Performance & Management Office)

Email below

While I understand the benefit of encrypted wireless communications, UCF’s decision to require all student wireless clients to use WPA without preparing to sufficiently upgrade the wireless infrastructure has rendered the UCF Wifi *unusable*.

Allow me to provide a brief log of my Internet Experience this afternoon (2011-09-15).

12:02 – attempt to connect to WiFi – fail for 9 minutes 12:11 – connected 12:11 – google ’email ucf department of information technology’ 12:12 – disconnected
. . . → Read More: UCF Wifi Rant

RegEx 2 DFA in Python

For my Discrete Mathematics II course at UCF (COT4210), I had to do some implementation with Finite State Machines. My favorite of our tasks (though the most difficult) was to convert a Regular Expression (RE) to an equivalent Deterministic Finite Automata (DFA). And since our professor let us use any language, I tried to branch out from Java & C (which are annoyingly overused in Academia). I decided to teach myself Python. And it turns out, it was a good choice too–considering it’s wonderful built-in functionality for Lists, and the heart of this program is a huge 2D array defining the automata’s transition function. Also, I miss scripting languages–especially when I’m writing a program as a learning experiment as opposed to trying to make it as efficient as possible.

So, without further Ado: here’s my code. It reads a RE in postfix notation from input.txt. Two cautions about postfix REs:

You must explicitly state concatenation The Kleen Star is already a postfix operator in REs, so it doesn’t really work to use a mathematical infix2postfix library, as it treats the kleen star like an infix multiplicative operator. I treat it as an operand and throw it directly into the
. . . → Read More: RegEx 2 DFA in Python

My Search for The Best MP3 Player

I’m going on another cross-country cycling trip this summer, and I’m in the market for a good, solid MP3 player.

Disclaimer: I’m a software guy who likes my devices to be good quality and long lasting. I’m by no means an audiophile, hardware tech, or professional MP3 player reviewer. All of my research was done using Google, and the only MP3 player I’ve owned is the Sansa e260 v2.

Requirements

Note: These are my personal requirements. They effectively eliminated a *lot* of products in the MP3 market.

1. Rockbox Support

First and foremost, I need rockbox support. Rockbox is a must-have FOSS firmware for MP3 players with a fantastic feature list. You can buy an MP3 player with terrific hardware design, but your experience can be absolutely ruined by poorly designed firmware. My old Sansa e260 was this way, but once I installed rockbox, it was like the device was freed from a software prison. And, of course–another benefit of it being open source–you can completely customize the look+feel of your MP3 player with other user’s custom rockbox themes.

Here is a list of MP3 players (targets) and their support status for the Rockbox firmware.

2. Rugged Components that
. . . → Read More: My Search for The Best MP3 Player

Package Manager Search Commands

In a given week, I touch maybe a half dozen different Operating Systems/Distributions. Some are similar to others (centos, rhel), some–not so much (solaris). The common commands are easy enough to remember ( @ls@ vs @dir@ ), but I always forget how to search through each OS’s package manager for a software package. For my reference (and perhaps yours?) here’s a list for each of the OSs’ package managers I use frequently:

yum – RHEL/CentOS

yum list

apt – Debian/Ubuntu

apt-cache search

pacman – Arch

pacman –sync –search pacman -Ss

portage – Gentoo

emerge –search # pkg names only emerge –searchdesc # pkg names & descriptions emerge -S # alias of –searchdesc  

See Also: “Install ‘build-essential’ on RHEL/CentOS and OpenSolaris”:/wp/?p=231

Michael Altfield

Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡

About Michael

tech.michaelaltfield.net/

Extend GPG Key Expiration

I came back from my “cross-country bicycle trip”:http://1guy2biketrips.michaelaltfield.net to discover I could no longer send signed email because my key expired! I’ve also changed colleges from “SPSU”:http://www.spsu.edu/ to “UCF”:http://www.ucf.edu, and my old college is expiring my email address, so here’s what I need to do:

# Extend my key’s expiration another year # Add new email address to subkey # Save updates to key # Export a new public key

Background Information GPG

“GPG (GNU Privacy Guard)”:http://www.gnupg.org/ (used here) is a popular, cross-platform implementation of “OpenPGP (Pretty Good Privacy)”:http://en.wikipedia.org/wiki/Pretty_Good_Privacy defined in “RFC 4880”:http://tools.ietf.org/html/rfc4880. OpenPGP outlines a standard, open message format for maintaining the “confidentiality”:http://en.wikipedia.org/wiki/Information_security#Confidentiality and “integrity”:http://en.wikipedia.org/wiki/Information_security#Integrity of electronic messages.

Why Subkeys?

“Public Key Cryptography”:http://en.wikipedia.org/wiki/Public-key_cryptography is long, complicated, and well outside the scope of this post. However, one thing I never fully understood was the functional purpose of subkeys. Thankfully, “the GPG documentation”:http://www.gnupg.org/gph/en/manual.html is excellent.

So, there’s 2 major things I want to accomplish by using GPG with my email

# Confidentiality through encryption # Integrity through signatures

The designers of PGP viewed the signature role as indefinitely important while the encryption role as dynamic overtime. Therefore, when we first generate a keypair, 2 keys are created: 1 primary key for
. . . → Read More: Extend GPG Key Expiration

Plausibly Deniable File Encryption

Plausibly deniable encryption is a fascinating concept. For example, “TrueCrypt”:http://www.truecrypt.org/ (a FOSS for hard disk encryption) has a wonderful “Hidden Volume”:http://www.truecrypt.org/docs/?s=hidden-volume feature that provides “Plausible Deniability”:http://www.truecrypt.org/docs/?s=plausible-deniability. The concept is: you install 2 OS instances on your computer–1 in a hidden volume. If, for whatever reason, you were forced to reveal your encrypted data, you could give access to decrypt your fake, but seemingly legitimate, OS instance. If done correctly, this could prevent you from forfeiting your sensitive data.

What if you want to encrypt some data to a file, bury it on a thumbdrive somewhere, and make it appear to be just an obscure filetype (possibly corrupted)? I ran across “the answer”:http://old.nabble.com/Is-it-possible-to-decide-what-is-a-gpg-file–td26392408.html when studying for my Secure Computing final.

I haven’t had a chance to research this potential solution, but there seems to exist a project that builds onto the Blowfish cypher to achieve this plausibly deniable encryption: “Blowfish Updated Re-entrant Project (BURP)”:http://www.geodyssey.com/.

Exerpt from “burp.txt”:http://www.geodyssey.com/cryptography/burp.txt

Unlike many similar programs, BURP writes to the output file only the ciphertext (i.e., it writes no “file headers”, password verification data, system, program or content identification strings, etc.). Consequently, such file can not be “provably” identified as ciphertext, as long as the key
. . . → Read More: Plausibly Deniable File Encryption