Today, more than ever, with the recent NSA spying scandal, the new version of CALEA moving forward in Washington, and the ever-present push by governments to read the private messages of individuals, we all need to get smarter and use tools we may never have touched before, to regain privacy in our interpersonal communications across the internet. There are many tools out there, and many different ways to achieve the same goals; today, however, I’m going to talk about a few p̶r̶o̶d̶u̶c̶t̶s tools that I use on a daily basis for Instant Messaging (IM) from my Windows 7 computer.

First and foremost, I use Pidgin for all my IM needs. Pidgin is available, for free, to anyone, simply by going to http://pidgin.im/. For those of you reading this with limited experience of Free Open Source Software (FOSS), this will be a revelation: yes, there are tools out there that you can download, install, and use with no charge, no catch, and no penalties. Pidgin is my main tool for chatting inside and outside of work. It also lets me connect to many different IM services at once, as seen by the list on their website:

AIM, Bonjour, Facebook Chat, Gadu-Gadu, Google Talk, Groupwise, ICQ, IRC, MSN, MXit, MySpaceIM, SILC, SIMPLE, Sametime, XMPP, Yahoo!, & Zephyr

I’m only using AIM, Google Talk, IRC, MSN, and Yahoo!, and I also use SIPE, which connects to my internal Microsoft Communicator through the rich plugin architecture built into Pidgin.  Pidgin allows developers to build plugins that extend the functionality of the tool, and SIPE is one that works very well, allowing me to use one client to “rule them all”, so to speak, for my Instant Messaging.  While there isn’t a Pidgin for mobile devices yet (I’m ever so hopeful), this tool does let me have all of my IM contacts available in one place, on my computer, where I spend the majority of my day.  This plugin architecture is critically important for the privacy aspect I mentioned above, because an external plugin is needed in order to achieve secure Instant Messaging.

Once you have installed Pidgin and gone through the setup of the client, you should easily find how to add your accounts to the tool.  Once that is done, and you’ve tested the functionality with your Instant Messaging contacts, it’s time to go private… Now here is the difficult part.  If you want to encrypt your communications end to end, the person you’re Instant Messaging with has to have the same type of encryption.  In this write-up, we’re talking about the tool called OTR, or Off-The-Record Messaging.  OTR supports several IM clients; from the https://otr.cypherpunks.ca/ page, I see that OTR can function with Pidgin, Adium, Miranda, and Kopete, and they also support an AIM proxy.  You can read more and view video tutorials on their page.

Simply put, adding OTR to Pidgin is a trivial Windows install: you specify the location of the installed Pidgin program (if you changed it from the default when you installed Pidgin) and restart the Pidgin application.  Once installed, launch Pidgin, go to the Tools menu, select Plugins (or press CTRL-U), scroll down the plugins list to Off-the-Record Messaging, put a check in the box to the left of the title, and select the “Configure Plugin” button at the bottom.  Inside the plugin’s configuration dialog box, you’ll find two tabs, Config and Known fingerprints.

Config Tab

The Config tab holds your default OTR settings, as well as the ability to generate private and public key pairs for use when communicating securely with someone else.  You will see your defined IM accounts in a drop-down list; you can select each one and generate a key.  You should only need to generate these keys once per computer.  There are methods to back these keys up and take them with you, however I will not be covering that process here.  There are many sources on the internet for how to do this, and Google is your friend (giyf).  If you’d like to know how to do this, bookmark this post and come back to it later, as I’ve added a Google search for the instructions here.

Once you have that setup done, it’s time to find your friends, get them using one of the OTR-supported IM clients, and set up some conversations.  I’ve looked through the data that passes through the OTR plugin and saw that it was completely encrypted; it appears as total garbage to whoever is spying on your communications.  Bear in mind that you are responsible for ensuring that your communications are encrypted; the OTR plugin adds informational messages to your IM window showing you the status of your communications.

Screenshot: receiving an encrypted IM when you’re not encrypted

Screenshot: setup of encrypted communications and confirmation of encryption

Note that even though I do not log my OTR conversations, that doesn’t mean whoever I’m communicating with isn’t logging theirs, so it’s no guarantee that your conversations won’t come back to haunt you.  It does, however, encrypt the transport end-to-end to ensure that no one can snoop on the wire.

When you first set up your communications, you’ll receive a notice that your buddy is not “Authenticated”.  This page shows how that authentication can be accomplished.  Please use non-IM methods of confirming your identity if you are not sure who you are chatting with.  A fuller step-by-step process of how to set up and use Pidgin and OTR can be found here.  (https://securityinabox.org/en/pidgin_securechat – no affiliation)
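The out-of-band check above, as an added example that is not part of this post or of pidgin-otr: it lists which buddies in the Known fingerprints tab have never been authenticated and compares a fingerprint read out over the phone with the stored one. It assumes the tab-separated layout of Pidgin’s otr.fingerprints file (buddy, account, protocol, fingerprint, trust); the sample file content is constructed.

```python
"""Check Pidgin-OTR known fingerprints against an out-of-band read-out.

Added example, not from the original post or pidgin-otr. Assumes the tab-separated
layout of Pidgin's otr.fingerprints (buddy, account, protocol, fingerprint, trust).
"""
import hmac
from dataclasses import dataclass
from typing import List

# Constructed sample: one buddy already verified, one never authenticated.
SAMPLE_FINGERPRINT_FILE = (
    "alice@example.org\tme@example.org\tprpl-jabber\t"
    "0123456789ABCDEF0123456789ABCDEF01234567\tverified\n"
    "bob@example.org\tme@example.org\tprpl-jabber\t"
    "89ABCDEF0123456789ABCDEF0123456789ABCDEF\t\n"
)

@dataclass(frozen=True)
class KnownFingerprint:
    buddy: str
    account: str
    protocol: str
    fingerprint: str  # 40 hex digits, upper-case, no spaces
    trust: str        # "verified", "smp", or "" when never authenticated

def normalize(fp: str) -> str:
    """Canonical form: drop the spaces Pidgin displays and ignore case."""
    return "".join(fp.split()).upper()

def display(fp: str) -> str:
    """Render as the five 8-digit groups shown in the Known fingerprints tab."""
    fp = normalize(fp)
    return " ".join(fp[i:i + 8] for i in range(0, 40, 8))

def parse_fingerprints(text: str) -> List[KnownFingerprint]:
    """Parse the file, rejecting anything that is not a 40-hex-digit key."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        buddy, account, protocol, fp, trust = line.split("\t")
        fp = normalize(fp)
        if len(fp) != 40 or not set(fp) <= set("0123456789ABCDEF"):
            raise ValueError(f"malformed fingerprint for {buddy}: {fp!r}")
        entries.append(KnownFingerprint(buddy, account, protocol, fp, trust))
    return entries

def unverified(entries: List[KnownFingerprint]) -> List[str]:
    """Buddies whose key has been seen but never authenticated out of band."""
    return [e.buddy for e in entries if e.trust == ""]

def matches_readout(entry: KnownFingerprint, spoken: str) -> bool:
    """Compare the fingerprint a buddy reads out by phone with the stored one."""
    return hmac.compare_digest(entry.fingerprint.encode(), normalize(spoken).encode())
```

Anyone listed by `unverified` is a buddy you are encrypting to but have not yet confirmed is who they claim to be.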

Once you’ve got everything working, it’s wonderful to know that your communications cannot be intercepted by your employer, your government, your enemies, or anyone else out to remove your privacy from your communications.


If I have time, I’ll follow up on how to setup some other methods to increase your privacy on the internet.  Please stay tuned.


Thank you [adult swim]

| June 12th, 2013

Saw this on imgur, and had to animate it… it’s perfect.

Piracy

Problem Solver


So, a geek friend of mine (we’ll call him Joe) has a teenage girl (we’ll call her Ana) who started sleeping in late and skipping her first few classes of school.  “Joe” has a rule for “Ana” about school.  That rule is very simple: “Don’t make me have to talk to the school, ever.”

Well, “Ana’s” behavior was causing the school to contact “Joe” daily, and after discussing the problem with “Ana” for several days with no real change in her behavior, “Joe” took the problem on as only a geek would.  He decided that he would wake her up at 0530, to ensure that she could get up, shower, get dressed, eat breakfast, and walk to school on time.

At this point of the story, it is important to inform you that “Joe” is a night owl.  He is a very grumpy morning person, if not as bad as me, perhaps a bit worse.

  • He does NOT do mornings.
  • At All.
  • Ever.

So, “Joe” goes down to Harbor Freight, purchases a “100 dB Old Fashioned Sound ‘Ooga’ Air Horn”, couples it with an Arduino on his home network, places it under “Ana’s” dresser in her bedroom, and sets up a cron job to fire it off at 0530.  This was all done while “Ana” was in school.

Fast forward to the next morning…

The cron job fires, 100 dB of OOoooga goodness goes off for 5 seconds, and “Ana” bolts out of her room angry, showers, gets dressed, eats breakfast, and gets to school on time.

That afternoon, when she comes home, she and “Joe” sit down and talk again, and “Joe” asks, “So, you seem to be having a problem with getting up in the morning.  We discussed this problem, and its impact on me, as I don’t want to get calls from the school.  So, your problem became MY problem.  I’m a problem solver.  Are we going to have a problem getting up tomorrow morning? I can set an alarm for you.”

“Ana” replied, “No, we’re not going to have a problem.”

“Joe” is a kindred spirit, we’re problem solvers.  Don’t make YOUR problem MY problem, I WILL solve it.


FYI, “Ana” has been getting up in the morning on time ever since…

Defcon Sexism… in a nutshell

| August 17th, 2012

“Exactly two things have made sexism lower at DEFCON since DEFCON 8:
An increased number of women in technology attending, and attendees who now know that they may have to step in to help. Everything else … is security theater.”
–dc0de.

DEFCON… Twenty Years…

| June 30th, 2012

DEFCON 20 Logo


Paying Homage to the Community…

As we begin to prepare for DEFCON 20, we need to be humbled that something Dark Tangent (aka Jeff Moss) started twenty years ago is not only still going on, but THRIVING more than ever.  When I went to DEFCON in 2000 (DEFCON #8), I never really expected that I would be able to support the community that makes this convention possible.  Not only was I awestruck by the amount of knowledge and camaraderie that defines DEFCON, but I also wanted to help give something back to the community that makes DEFCON possible.  As DEFCON grew and moved from the venerable Alexis Park to the Riviera Hotel, I was asked by noid (Head of Security Goons) to become a Security Goon.  Not only was I honored, but I had very little idea of how much work was involved and how great an organization the Security Goons and DEFCON Goons were.

Now I am a Goon, and this will be my 7th year donating over a week of vacation, personal expense, and compromise to volunteer my time working at DEFCON.  Some of the maladies that befall a Goon while walking anywhere from 11 to 21 miles per DAY, for at least three days (this year looks like 4 days of work), include:

  • leg cramps
  • sore feet
  • loss of voice
  • “DEFCON Flu”
  • Sharpie on body parts
  • over ingestion of alcohol
  • verbal and physical abuse
These are only the ones that are safe for work and that I can publicly post.  For those of you who have attended DEFCON in the past, Thank You!! For those of you who are coming for the first time, please read the DEFCON FAQs…
Here are some links for you to look at, and suggested reading…   Enjoy… as I will… celebrating the 20th year of a great DEFCON Community…

The hackers life – my weekend at Defcon - Lou Lesko - National Geographic

GOONOLOGY 101 - Technorazzi Magazine

Official DEF CON FAQ v0.95

Who are the Goons of DEF CON?


Help find this stolen Motorcycle

| November 7th, 2011
Red 1977/76 Moto Guzzi 850 t3, stolen between 11/4/11 19:30 and 11/5/11 10:00, in San Pedro, CA

Help find this stolen motorcycle.

A friend of mine had his motorcycle stolen between 11/4/11 19:30 and 11/5/11 10:00 near 25th and Gaffey, San Pedro, CA. Please be on the lookout for it; it’s a 1977/76 Motoguzzi 850 t3 with the following distinguishing features.

  • Clutch lever is original Motoguzzi aluminum (as seen in photo)
  • Rear brake lever is newer, black, very different from the clutch lever
  • The pipes you see in that picture are specific. They aren’t unique, but you probably won’t see another Motoguzzi with them
  • The tank has a ‘scar’ on the right side just below the Motoguzzi logo
  • Seat is new marine vinyl except for the rear section, which still has the original material, with a crack, and the original MotoGuzzi silk-screened on it
  • Has non-stock, aftermarket spoke wheels
  • Front tire has a groove in it, just right of center (as you’re facing it)

If you have any information at all regarding this motorcycle, please contact flea23b at gmail dot com, or me at mr.dc0de at gmail dot com.  (Note that there is a ZERO in my username.)

Logo of the United States Federal Financial In...
Image via Wikipedia

I just read this article on computerworld.com, and was happily surprised for the first time in 10 years.

Finally, someone gets “it”.

The FFIEC is planning on requiring stronger dual authentication methods for online transactions, which is a very good thing.  PCI, Sarbanes-Oxley, HIPAA, GLBA, and a myriad of other regulations and requirements are not keeping pace with the ever-shifting threat landscape.  In fact, most of them are so committee driven that it simply takes YEARS to get a new requirement instituted in the standard, and then there are YEARS allowed to implement the new standard.  The FFIEC is a bit different, however.  I’ve worked in the financial sector for many years (12+), and have respected the FFIEC’s direction with information security.  I feel that they set the strongest set of standards today, with the exception of Top Secret Government networks.

The greatest part of the FFIEC is that their governance has teeth.  If a financial institution fails the audit, and fails to remediate the failings, the FFIEC’s Regulatory Agencies can go so far as to close that financial institution.  This is different from most every other regulation or requirement, as the business is simply closed.  Not fined, not shamed on the front page of national newspapers; it simply has its doors closed.  Ponder that for a moment: you fail, and you’re closed.  You can’t Risk Manage away the cost of LOSING THE ORGANIZATION, unlike a fine for non-compliance… so, IMHO, those are REAL TEETH.  I’ve added a link to the FFIEC’s Standards and Regulations at the bottom of this post.

My two favorite comments in the article are below:

“Obviously, some of the banks thought that it was enough if they simply added cookies or challenge/response-based authentication,” Litan said.

“What has happened is that the FFIEC has realized that some banks need to be told in black and white what they need to do.”

via Banks may soon require new online authentication steps – Computerworld.

http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html

It’s the Latency, Stupid.

I was reminded again today of the above rant, penned by Stuart Cheshire in May of 1996.  I overheard someone from our “offshore” (read: India) team who was having latency issues with their connections from India to the United States.

Regardless of the reports that India is far ahead of the United States with regards to Information Technology education, it seems that these SIMPLE things are often overlooked.  Sadly, it’s not just the Indian education system that is overlooking this.  I see this as a VERY common occurrence in my line of work.

Look people, if the road is slow, no number of extra lanes is going to make it faster.  You’re stuck with latency.

Some great examples of latent connections:

  1. India to the United States (Pacific Ocean fiber crossings)
  2. Any “broadband – satellite” connection (a single packet path of 44,462 mi, more than twice the earth’s circumference)
  3. Dial up

Get with it folks, we haven’t beat the speed of light yet, so until we do, deal with the latency… kthnxbye
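The slow-road argument above worked through in numbers, as an added example that is not part of the original post: a chatty exchange (TCP handshake, TLS handshake, then the request) pays a full round trip per step, so a fat satellite link loses to a thin low-latency line on small transfers and only wins on bulk data. The 44,462 mi packet path is the figure quoted in the post; the link speeds and the DSL round-trip time are constructed values.

```python
"""Why a fatter pipe does not fix a slow road.

Added example, not part of the original post. The 44,462 mi satellite packet
path is the figure the post quotes; the link speeds and the DSL round-trip
time are constructed, and the model ignores TCP slow start (which only makes
latency bite harder).
"""
from dataclasses import dataclass
from typing import Iterable

SPEED_OF_LIGHT_KM_S = 299_792.458
MILES_TO_KM = 1.609344

def propagation_delay_s(path_miles: float) -> float:
    """One-way delay for a packet that must travel path_miles at c."""
    return path_miles * MILES_TO_KM / SPEED_OF_LIGHT_KM_S

@dataclass(frozen=True)
class Link:
    name: str
    bandwidth_bps: float  # bits per second the pipe can carry
    rtt_s: float          # round-trip time in seconds

# Constructed links: a slow DSL line nearby vs. a fast geostationary satellite.
DSL = Link("dsl", bandwidth_bps=1.5e6, rtt_s=0.030)
SATELLITE = Link("satellite", bandwidth_bps=25e6,
                 rtt_s=2 * propagation_delay_s(44_462))

def transfer_time_s(link: Link, payload_bytes: int, round_trips: int) -> float:
    """Time to fetch payload_bytes after round_trips request/response exchanges.

    Every handshake round trip (TCP SYN/ACK, the TLS handshake, the request
    itself) costs a full RTT no matter how wide the pipe; only the
    serialization term shrinks when bandwidth grows.
    """
    serialization_s = payload_bytes * 8 / link.bandwidth_bps
    return round_trips * link.rtt_s + serialization_s

def faster_link(links: Iterable[Link], payload_bytes: int, round_trips: int) -> Link:
    """Pick the link that completes the exchange first."""
    return min(links, key=lambda l: transfer_time_s(l, payload_bytes, round_trips))

if __name__ == "__main__":
    # A small TLS-protected page (4 round trips) vs. a bulk download.
    for size, label in ((50_000, "50 KB page"), (50_000_000, "50 MB file")):
        for link in (DSL, SATELLITE):
            print(f"{label:>10} over {link.name:9}: "
                  f"{transfer_time_s(link, size, 4):7.2f} s")
        print(f"{label:>10}: winner is {faster_link((DSL, SATELLITE), size, 4).name}")
```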

Conversation with thiflannigan3452
(06:53:40) Thi Flannigan: hey cutie
(07:18:49) me: cutie?
(07:19:04) Thi Flannigan: Yay someone to talk to :-) !! how are u?
(07:19:17) me: not too bad, have we met?
(07:19:32) Thi Flannigan: I’m great thanks for chattin with me I found your name in the online members search :) whatcha up to?
(07:20:24) me: getting ready for work.
(07:20:40) Thi Flannigan: I’m not too into exchanging pics .. are you?
(07:21:00) me: no.
(07:21:17) Thi Flannigan: i’d rather see each other u can see the real thing on my cam… u want to?
(07:21:26) me: no thanks.
(07:21:40) Thi Flannigan: no worries..thouhght u wanted to see me naked ..:)
(07:21:59) me: ummm, no. not into watching cams… more into doing the real thing.
(07:22:16) Thi Flannigan: Click http://www.acceptinvite.com/xxxxx it’s a more secure place with my cam u will have to verify your age so I’m not showing my pussy to a minor ;) , i had to do it too but dont worry its 100% FREE and its alot of fun once u get in ;)
(07:22:26) me: nope, don’t do that.
(07:22:41) Thi Flannigan: make sure you click join free in orange at the top,click it k?
(07:22:46) me: no.
(07:22:56) me: I have frogs in my shoes
(07:23:01) Thi Flannigan: ok, fill out your info,first and last name, make sure you put your correct b-day k?
(07:23:10) Thi Flannigan: Credit card, debit card, or atm is just to verify your age hun, your card will NOT be charged just validated see where it says that? like i said it’s FREE… cant show tits and pussy to minors..you know? ;)
(07:23:27) me: have you ever put peanut butter in your pants pockets?
(07:23:43) Thi Flannigan: I’m inside waiting for you.
(07:24:05) me: oh, inside my computer? or inside my car?
(07:24:49) me: Are you there?
(07:27:20) me: oh no, are you trapped in my computer?

Internet Map. Ninian Smart predicts global com...
Image via Wikipedia

New regulations would give law enforcement a “back door” to monitor online communications, threatening civil liberties and stifling innovation in the process.

| web only

Taking a cue from the authoritarian regimes of Saudi Arabia and the United Arab Emirates, American law-enforcement and intelligence agencies are seeking to re-engineer the Internet and other digital communications networks to make them easier to spy on.

It’s hard to blame harried law-enforcement officials for wishing they could freeze time or control disruptive technological changes. They can’t, of course, but they could do a great deal of damage to both the high-tech economy and the security of global communications before they figure that out.

via Wiretapping the Internet | The American Prospect.


© 2008-2014 dc0de’s notes... & dc0de.com All Rights Reserved -- Copyright notice by Blog Copyright