Archive for August, 2011

Why Pakistan’s move against online crypto is a dangerous idea


Pakistan newspaper The Express Tribune reports from Karachi that the country's telecommunications regulator is pressing ISPs to comply with recent regulations which restrict the use of end-to-end encryption.

Any technology which conceals communications and prohibits monitoring, it seems, is off the menu.

The Tribune quotes a letter sent to it by an ISP which had been warned by the regulator:

    In line with [the Monitoring & Reconciliation of International Telephone Traffic] Regulations 2010 and national security, [the Pakistan Telecommunication] Authority prohibited usage of all such mechanisms including encrypted virtual private networks (EVPNs) which conceal communication to the extent that prohibits monitoring.

The letter continues by reminding the ISP:

    It is observed that the aforementioned directive has not been followed in true letter and spirit as EVPNs are heavily being used on the Licensees Network.

This concern over the inability of law enforcement to intercept or prevent communication between criminals and militants will no doubt resonate in other countries – notably in the UK, where services such as BlackBerry's instant messaging came under the spotlight after the recent riots there.

Unfortunately, however, an internet in which encryption was banned altogether would be even more dangerous than what we have today.

You've probably heard the gun lobby's truism that "if guns are outlawed, only outlaws will have guns." Yet there are many countries where private ownership of guns – handguns, at least – has been heavily regulated or even banned outright without a concomitant increase in gun crime.

It's tempting, therefore, to argue that if we can ban guns without endangering society, despite the vigorous warnings of a vocal minority, we can do the same with cryptography. Perhaps "if crypto is outlawed, only outlaws will have crypto" is just the crazy slogan of a bunch of libertarian survivalist cypherpunks with something to hide?

The problem is that banning every sort of 'communications concealing' technology online would destroy the very fabric of the internet's law-abiding use. There would be no SSH, no SSL, no TLS, no HTTPS. There would be no WiFi security. Online commerce would implode.

Whether the private ownership of weapons is as big a threat to society as some like to make out is an argument for another day, because cryptography on the internet isn't like handguns in the suburbs.

In most developed countries, you don't routinely need to pack a Browning Hi-Power when you visit your local bank branch. (Even in countries where that's legal, the bank would probably make you lock it in a safety deposit box at the entrance, anyway.)

In contrast, you do routinely need to use an SSL-protected tunnel to the bank when you transact online.

Significantly, the bank needs you to do so, as well. And if you don't, you're actually playing into the hands of the crooks.

So the next time you hear a nanny-state advocate oppose the general availability of strong crypto on the grounds that "if you've got nothing to hide, you don't need to hide anything", don't just sigh in dismay.

Confront them with the inanity of their remark. (Unless they've got a Browning Hi-Power. In that case, give a little smile and leave as soon as you can.)

* If you have nothing to hide, then it doesn't matter whether you choose to hide it or not, does it?

* Online, you do have things to hide. And if you and the rest of us don't hide it as a matter of course, the cybercrooks will plunder our economy more seriously than they're doing already.

In short, if you want to do away with online crypto, you're making things easier for the crooks, not harder. And that, I'm sorry to have to say, is a truism.

Take cryptography seriously. Protecting your own online assets helps protect everyone else, too.

Sources:
http://tribune.com.pk/story/240736/virtual-watchdog-internet-users-banned-from-browsing-privately-for-security-reasons/
http://nakedsecurity.sophos.com/2011/08/29/pakistan-move-against-online-crypto-a-dangerous-idea/?utm_source=facebook&utm_medium=status%2Bmessage&utm_campaign=naked%2Bsecurity


Hacking Firefox and Thunderbird addons to work with new versions of Firefox/Thunderbird


Have you ever got used to a Firefox or Thunderbird addon that you really like, or just can't live without, and then a new version of either Firefox or Thunderbird is released, and suddenly your addon no longer works?

Of course, the generally recommended way is to search http://addon.mozilla.org for a new version, but sometimes when you try to update your addons, you find there is no new version, or it seems like nobody is maintaining the addon any more. I tend to live on the leading edge of new Firefox releases, I want the new features, I want the latest, and I want it now, so I quite frequently hit this problem. Fortunately, there is an easy way to keep using your favorite addons, usually with little or no risk.

The summary for those who just want to skim and jump in:

  • Download the addon file you want to update
  • Rename the addon archive file to add .zip to the end
  • Extract install.rdf
  • Edit install.rdf, find and change maxVersion, save the change
  • Pack install.rdf back into the install archive
  • Rename the file back to its original .xpi name
  • Install using File, Open

The detail for those who need all the steps:
You will need only two free tools for this job. The first is the totally free 7-Zip, or some other ZIP file management utility that you hopefully know how to use. The other is a simple text editor. Microsoft's Notepad will do, but any other text editor will work if you have a particular preference. My preference is Notepad++, which is a good free programming and general-purpose text editor.

A warning is the first important note here: always back up your Firefox or Thunderbird installation directory before doing any "hacking". While a problem is extremely rare, problems can happen, and you will only have yourself to blame if you don't take appropriate precautions before making any unsupported changes. I won't take any responsibility for any problems you inflict on yourself through sharing with you what I do on my own computer(s). It is often good practice anyway to back up your installation directory before installing any new addon, just because you never really know what can happen, though usually by the time anything is approved and available for public download on http://addon.mozilla.org, it has been fairly well tested by others and proved to be safe. At the very least, before following my tips here, back up your profile and addons directories by making a copy of them to some other location on your disk. If you don't know how to do that, or don't know where your profile and other directories (folders) are, I don't suggest you try my tricks. Read Gizmo's article How to Back up Mozilla Firefox and Thunderbird, in which, among other things, Gizmo mentions using tools such as MozBackup, which shield you from needing to know how to do it manually.

Once you have taken your backup, the first step is to find and download the latest version of the addon you want, and download a copy to your disk. Remember, at this point you can not simply click the Install link, because you know the installer will tell you the addon is unsupported for your version of Firefox or Thunderbird, which is more than likely why you are reading this article! Normally, you would click the Install button, but in this case, you want to save the file to disk, so right click on the install (or Add to Firefox / Add to Thunderbird) button, and then click 'Save Link As'. Choose a location on your disk, make a new folder if necessary. The file you download will be named something like better_gmail_2-0.6-fx.xpi. On rare occasions you may find that when using Firefox, you just can't click 'Save Link As' for some reason. Try a different browser, you may have better luck saving the file when the browser itself is not capable of actually installing the addon.

Having saved the addon, you will need to extract one file named install.rdf from it, make a change, and then pack it back into the file. Since the addon is just a zip file containing all the supporting files necessary for the addon, the easiest way to extract files is to rename the original by changing the .xpi extension to .zip, or by simply adding .zip to the end of the file name temporarily. You will need to extract the install.rdf file from the zip file, edit it, and then put it back in again, so if you're not comfortable with these tasks without me describing them in great detail, don't try. Ask somebody else who is comfortable using zip to extract a file and pack it back in again to help you with this process.

Once you have the install.rdf file extracted, open it with your text editor, and look for lines like the ones listed below. Many addons don't have these lines, so they are not checking for specific versions, and you should not see any incompatibility messages.

    <em:targetApplication>
      <Description>
        <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
        <em:minVersion>1.0</em:minVersion>
        <em:maxVersion>3.0</em:maxVersion>
      </Description>
    </em:targetApplication>

The part you need to change is the line with the maxVersion setting. As long as I am running Firefox 3.0.1, this addon should work for me, but when I upgrade to 3.1, or 4, it will no longer work. The next step is to change the maxVersion setting to at least the version you are currently running; I usually just change it to 9.0, which means I can run any version that will be released for some time to come.

    <em:targetApplication>
      <Description>
        <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
        <em:minVersion>1.0</em:minVersion>
        <em:maxVersion>9.0</em:maxVersion>
      </Description>
    </em:targetApplication>

If your install.rdf looks really weird when you open it, and seems to have just a few lines that look really long, and don't all display on the screen, don't panic. Most likely, the addon programmer has used a Unix or Linux system to create the files, or they have used an editor that does not automatically wrap lines. The Unix or Linux option may be the more likely of the two, and if you don't know what I mean by line termination characters and vi, explaining more would only confuse you even more. Either way, some Windows text editors will know what to do with a non-typical Windows text file, Notepad will not, so if you see just a few long lines, just use Ctrl F, or click Edit, Find, and then type maxVersion. All you need is to find this setting, change it, and save it. Don't worry about the strange file formatting.

After making the change, save the install.rdf file, pack it back into the addon zip archive, and rename it back to its original name ending in .xpi. The last step is to actually install it, and to do this, rather than browsing to http://addon.mozilla.org, simply click File, Open File, select your modified .xpi file and click the Install Now button. At this point, unless you made any mistakes or any other problems were detected during installation, your addon is installed and will be ready for use when you restart Firefox. The procedure is the same for Thunderbird addons.
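The extract, edit and repack steps above can also be scripted. The following is an added example, not part of the original article or of any Mozilla tooling: the function names and the sample add-on are constructed for illustration, and it assumes maxVersion is written in the element form shown above. It builds a new archive in memory and leaves the original download untouched.

```python
import io
import re
import zipfile

# Element form only, as in the article's fragment; matching on bytes means
# Unix or Windows line endings in install.rdf make no difference.
MAX_RE = re.compile(rb"(<em:maxVersion>)([^<]*)(</em:maxVersion>)")

# Constructed sample manifest, reusing the Firefox entry the article shows.
SAMPLE_RDF = b"""<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
 <Description about="urn:mozilla:install-manifest">
  <em:targetApplication><Description>
   <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
   <em:minVersion>1.0</em:minVersion>
   <em:maxVersion>3.0</em:maxVersion>
  </Description></em:targetApplication>
 </Description>
</RDF>
"""

def make_sample_xpi():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("install.rdf", SAMPLE_RDF)
        z.writestr("chrome.manifest", b"content sample chrome/content/\n")
    return buf.getvalue()

def bump_max_version(xpi_bytes, new_max):
    """Return (patched_xpi_bytes, old_max_versions); the input is not modified."""
    out, old = io.BytesIO(), []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "install.rdf":
                old = [m[2].decode() for m in MAX_RE.finditer(data)]
                data = MAX_RE.sub(lambda m: m[1] + new_max.encode() + m[3], data)
            dst.writestr(info, data)  # every other member is copied unchanged
    return out.getvalue(), old

def read_member(xpi_bytes, name):
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        return z.read(name)

if __name__ == "__main__":
    patched, old = bump_max_version(make_sample_xpi(), "9.0")
    print("old maxVersion:", old)
```

For a real add-on, read the downloaded .xpi as bytes, pass it to `bump_max_version`, and write the result to a new file name so the unmodified download is still available for comparison.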

As I said, problems are rare, however you don't know everything the programmer did when writing the addon, so monitor everything carefully until you are sure everything is functioning as it should. There may be specific features in different releases of Firefox or Thunderbird being used by the addon programmer which might really make the addon incompatible with a newer release. In general, unless there is a major change, most things should be safe. The real point is, be careful, and keep backups so that you don't have any reason to curse yourself for making the change, and me for telling you how to do it.


Mounting Windows based shares in Linux


Mounting Windows based shares on Linux is a relatively simple process.

If the share is on a Windows XP, Server 2000 or NT machine you can use the following command:

    mount -t smbfs -o username=username //server/share /mountpoint

However, for Server 2003 the above command will not work, so you simply change smbfs to cifs as shown below.

    mount -t cifs -o username=username //server/share /mountpoint

The username should be that of your Windows user, and in both examples you will be prompted for your Windows password.

The command above will work for all versions of Windows. If you are having difficulty mounting, or receive an error with invalid file type, ensure that the samba-client packages for your distribution are installed.


Take control of your bash_history


I spend most of my time working in front of a black and white terminal of remote SSH connections to various servers.

This means that I use bash (as my preferred shell) most of the day. And bash history is a very important feature of bash that saves me much time by recalling previous commands I have typed.

Here are some tricks for optimizing your use of bash history with a few simple configuration settings.

1. Append to History

    history -a

Append the new history lines (history lines entered since the beginning of the current Bash session) to the history file.

2. Clear History

    history -c

(clear the history)

3. Write History to file

    history -w

(write to the file – overwrite!)

4. Don't save duplicate commands in the history

    HISTCONTROL=ignoreboth

5. Size of the history:

    HISTSIZE=500

HISTSIZE: The number of commands to remember in the command history. The default value is 500.

How do you set these 4-5 options? Either export them in your environment in your personal bash configuration file (~/.bashrc) or in the global bash configuration file (/etc/bash.bashrc).

    export HISTCONTROL=ignoreboth
    export HISTSIZE=500