hasimir: (Default)
Sunday, April 17th, 2011 12:39 am

There will be a scheduled outage for adversary.org from midnight of the morning of Monday the 18th of April. This is due to a change in IP address resulting from a change with the Internode ADSL link.

This change will affect all services including DNS, mail and web. I have made changes to minimise the length of this outage, but it could last from 2-24 hours. The outage will begin whenever the Internode change goes through, probably 12:30am AEST.

Originally published at Organised Adversary. Please leave any comments there.

hasimir: (Default)
Thursday, January 27th, 2011 05:31 am

Recently I have noticed that a number of my friends and acquaintances have had their GMail accounts compromised. While my preferred email address is on my own server, I do have a GMail address too (actually I have a couple, but only one that is really used much) and it has not been compromised. I’ve been asked about it a little bit and I figured it best to add my thoughts here regarding best practices, along with some software recommendations.

The first and most obvious recommendation is to use a strong password, ideally with a minimum of 128 bits of entropy. The best way to achieve this is to generate a suitably strong password with KeePassX (Windows users should use KeePass). KeePassX can also be used to generate and securely store passwords for any other account or site. KeePass and KeePassX store all passwords in a database that is protected by a passphrase and 256-bit AES or Twofish encryption.
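As an added illustration (not part of the original post, and not KeePassX's own generator), the following Python sketch shows what the 128-bit target means in practice: how many uniformly random characters a given alphabet needs, and how to draw them from a cryptographically secure source. The function names and the choice of alphabets are assumptions made for this example.

```python
import math
import secrets
import string

TARGET_BITS = 128  # the minimum entropy recommended above

# All printable ASCII except whitespace: 52 letters + 10 digits + 32 symbols.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols drawn uniformly and independently."""
    return length * math.log2(alphabet_size)


def min_length(alphabet_size: int, bits: int = TARGET_BITS) -> int:
    """Smallest number of uniformly random symbols giving at least `bits`."""
    if alphabet_size < 2:
        raise ValueError("alphabet needs at least two symbols")
    return math.ceil(bits / math.log2(alphabet_size))


def generate(alphabet: str = PRINTABLE, bits: int = TARGET_BITS) -> str:
    """Random password of the minimum length that reaches `bits` of entropy."""
    symbols = sorted(set(alphabet))  # duplicates would skew the distribution
    length = min_length(len(symbols), bits)
    # secrets draws from the operating system's CSPRNG; the entropy figure
    # only holds for this kind of uniform selection, not for passwords a
    # person makes up.
    return "".join(secrets.choice(symbols) for _ in range(length))


if __name__ == "__main__":
    for name, alphabet in [("printable ASCII", PRINTABLE),
                           ("letters and digits", string.ascii_letters + string.digits),
                           ("lowercase only", string.ascii_lowercase)]:
        print(f"{name}: {min_length(len(alphabet))} characters")
    print(generate())
```
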

The second recommendation is to never under any circumstances use the same password for multiple accounts. Passwords for one service should not be used to link it to another service where it may be exploited by an application or plugin for the second service. This way even if one service is compromised, the potential damage is limited to that service only and won’t be able to affect other accounts on different sites.

The third recommendation is to always connect using SSL/TLS. I always recommend the Mozilla Firefox browser with the EFF’s HTTPS Everywhere plugin. The Google settings allow for always connecting via HTTPS and for enabling either or both of IMAPS and POP3S.

The fourth recommendation is to configure a proper mail client, such as Mozilla Thunderbird, to connect with IMAP over SSL. Using a proper and robust mail client, like Thunderbird, is my preferred method of accessing email, but in the case of GMail and other primarily web-based email hosts, this does not prevent access via the web.

The fifth recommendation is to use the Tor Browser Bundle when connecting to GMail through a public wireless point or public network (e.g. an Internet café). This software includes a modified version of Firefox that incorporates HTTPS Everywhere and will help prevent session hijacking, such as that used by the Firesheep exploit. The Tor Browser Bundle is designed to run from a USB stick and does not require any installation; simply click and run.

These fairly straightforward measures should be enough to protect any GMail account from compromise and may also be applied to other web email hosts such as Hotmail or Yahoo, although I have not checked the extent of support for SSL/TLS connections to either of those services.

Finally, I still encourage the use of the GNU Privacy Guard for securing correspondence between parties, but that is a different matter to securing the accounts themselves.


hasimir: (Default)
Tuesday, January 18th, 2011 02:03 pm

So today I tweaked this site to cross-post entries to both my LiveJournal and DreamWidth accounts. Until now I have only been cross-posting to LiveJournal using this plugin.

I figured that most people who want to cross-post to both LiveJournal and DreamWidth would configure the plugin to update DreamWidth and then configure DreamWidth to update LiveJournal. I decided against this because I did not want to provide DreamWidth with my LiveJournal authentication information, whereas the WordPress data is on my own server. So the answer was clearly to take care of both external sites from WordPress.

My solution was very easy to implement.

The first step was to go to the WordPress plugins directory. Then create a directory called dw-xp/ and copy the lj-xp.php file from the lj-xp directory, renaming it dw-xp.php. Then open it in a text editor (I used Emacs, of course) and do a search and replace for the following (case sensitive): LiveJournal becomes DreamWidth, livejournal.com becomes dreamwidth.org and ljxp becomes dwxp.

Once that is done a DreamWidth plugin will appear in the Dashboard which can be activated and configured as normal. The first search and replace is necessary to make this copy of the plugin appear as being for DreamWidth in the Dashboard. The second one is probably not necessary, but may as well be done. The third one is the most important because it sets the variables in the WordPress database and you don’t want it to conflict with the LiveJournal configuration.

The same process can be used to have a separate plugin for multiple LiveJournal based sites (e.g. DeadJournal).
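The copy-and-rename procedure above can also be scripted. The following Python sketch is an added example, not the plugin's or the author's own code: it applies the three case-sensitive substitutions and refuses to write the copy if any of the original strings survive, since a surviving `ljxp` would make the clone share its stored settings with the LiveJournal plugin. The function names and the sample PHP lines are constructed for illustration; passing different rules and a different directory name covers other LiveJournal-based sites.

```python
import tempfile
from pathlib import Path

# The three case-sensitive substitutions listed in the post.
DW_RULES = [
    ("LiveJournal", "DreamWidth"),          # name shown in the Dashboard
    ("livejournal.com", "dreamwidth.org"),  # host the plugin posts to
    ("ljxp", "dwxp"),                       # prefix of the stored settings
]


def clone_plugin(plugins_dir, rules=DW_RULES, dst_slug="dw-xp"):
    """Copy lj-xp/lj-xp.php to <dst_slug>/<dst_slug>.php with the rules applied."""
    plugins = Path(plugins_dir)
    src = plugins / "lj-xp" / "lj-xp.php"
    dst = plugins / dst_slug / f"{dst_slug}.php"
    if dst.exists():
        raise FileExistsError(f"{dst} already exists; refusing to overwrite")
    text = src.read_text(encoding="utf-8")
    for old, new in rules:
        text = text.replace(old, new)  # str.replace is case sensitive
    # A surviving "ljxp" would make the copy read and write the LiveJournal
    # plugin's settings, so check before anything is written.
    leftover = [old for old, _ in rules if old in text]
    if leftover:
        raise ValueError(f"unreplaced strings remain: {leftover}")
    dst.parent.mkdir(exist_ok=True)
    dst.write_text(text, encoding="utf-8")
    return dst


# Constructed stand-in for lj-xp.php; the real file's contents are not shown
# in the post, so these lines and option names are illustrative only.
SAMPLE_PHP = """<?php
/* Plugin Name: LiveJournal Crossposter */
$host = get_option('ljxp_host', 'www.livejournal.com');
$user = get_option('ljxp_username');
"""


def demo():
    """Clone the sample plugin in a temporary directory; return the new source."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "lj-xp").mkdir()
        (Path(tmp) / "lj-xp" / "lj-xp.php").write_text(SAMPLE_PHP, encoding="utf-8")
        return clone_plugin(tmp).read_text(encoding="utf-8")
```
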


hasimir: (Default)
Tuesday, January 4th, 2011 06:24 am

For the last couple of years the Australian government has been strongly pushing a policy of Internet censorship, usually dubbed the Clean Feed, following the UK model. The first ACMA report from 2008 included some detail of attempts to filter more than just web traffic.

The ACMA report prompted me to analyse the methods by which the government might be able to achieve one of the options in the ACMA report: filtering HTTPS traffic. My report, Cleaning A HTTPS Feed: Report on the Filtering of the Hypertext Transfer Protocol over Transport Layer Security or Secure Socket Layer Connections, was first published last year by Atomic MPC Magazine and later by Civil Liberties Australia.

Since last year’s election and the precarious outcome, the government has announced a review of the classification system before making a final decision on how to proceed with an Internet censorship regime. In spite of the significant opposition to the scheme, both the Minister responsible, Senator Stephen Conroy, and Prime Minister Gillard have voiced continued support for censorship of the Internet.

As the government does not wish to drop this policy, I don’t wish my report into the implications of certain aspects of filtering to slip by. My full report on the methods of filtering traffic which is intended to be secure is available here (PDF).
