JDPFu.com 2024

Saw this on a forum by an AC today:

I think that my freedom is more important than my security.
I prefer to live in a free but insecure world than in a perfectly safe but not free world.

When govts try for a perfectly safe world, they need to be reminded of this stance.

Also, New Zealand has a law that fines someone refusing to unlock their electronics at the border with NZD$5,000. The claim is that they must have a good reason to demand access, but that is a little late. The article also said that the device would be in “airplane mode” for the searches.

7 things all travelers with smartphones and computers should do to be secure while traveling.

Another example of why you shouldn’t trust consumer routers. d-link

It isn’t just this specific d-link router. We’ve seen the same issues over and over and over with pretty much every non-enterprise vendor.

Plus we don’t want our devices used by crackers to DDoS Brian Krebs anymore, right?

We are Linux people. We CAN do this ourselves.

LXC is getting easier and easier to use.
Flockport seems to be the easiest way to stay mostly standard, yet still be LXC-based.

It doesn’t seem to be as flexible or complex as Canonical’s Juju’s or Docker’s highly advertised stuff. Docker is great at advertising, just sayin’.

Flockport seems to be exactly what I needed – mostly standard, easy to use, LXC deployments for development and testing. Not planning to use any for internet-facing needs. Just too new with LXC to be comfortable trusting the security and my skill to know about the unpublished issues (security and others) with containers. For spinning up a quick internal web-app instance … perfect.

Every time I read the ssh manpage, I learn something new. This is after over 15+ yrs of using ssh. It is an amazing tool. It is the sonic screwdriver for UNIX systems connectivity.

But ssh does more than just normal connectivity stuff. Much more.

Everyone could learn a little more about ssh and stop doing things the hard way – PLUS using ssh is likely more secure than whatever we are doing today. Win-Win. Both more efficient AND more secure. How often does that happen in the real world?

For example, did you know that vim supports remote editing of files through ssh and rsync?

$ vim rsync://dev/projects/gallery/src/templates/search.html.tt

Smylers’s article SSH Can Do That? Productivity Tips for Working with Remote Servers is a great resource for all these magical techniques. I won’t repeat it here – let’s just say that in 15+ yrs using ssh, I learned 4 new, useful, things from that article. Time to get modifying my ~/.ssh/config files now.

If you are completely new to ssh features, here’s a nice, short, article from diogemelo to get you started. These are fairly standard uses.

ssh is enough for

• secure remote access to files via sftp
• secure remote filesystem access via sshfs
• secure remote CLI/shell access to systems with plain ssh
• secure remote desktops via x2go/freenx
• secure remote file replication with rsync (ssh is the default rsync protocol)
• secure port forwarding of selected ports
• secure remote editing with vim/gvim and other editors
• pseudo-VPN with sshuttle <— this may be helpful.

ssh really is the toolbox for remote connectivity.
A good resource about all things ssh is the wikibooks OpenSSH Client Conf entry.

Of course, ssh security doesn’t start and stop with using keys. We need to do more.

Are there great ssh things that you know NOT in his article?

I’ve been traveling overseas more and have discussed security issues with others in the IT security industry. Here is what I’ve decided.

With the recent HeartBleed issue in the openSSL libraries that impacted 80% of websites and the GnuTLS issue from last month, what should we do when security is needed most?

BTW, the NSA admitted to using the HeartBleed bug for years. My 20 yrs of professional experience with software tells me that there are probably 50 other issues like this in the openssl and gnutls software libraries. They are the best options for HTTPS traffic, but really shouldn’t be trusted when real security is needed.

What do I do?

11/2018 Update

For Ubuntu 18.04, the commands have changed for network setup thanks to netplan, but the major ideas are still the same.
Hammond is active on the Ubuntu Forums. He has many server setup guides

6/2016 Update

Nothing major, just minor tweaks and a few details added.

4/2015 Update

Seems that lots of people are interested in extremely basic security of Linux systems and would like to see what others do initially on their fresh servers or VMs. So, I did a little googling (DRY, right?) to see what a few others are doing and to compare that with my setup steps. We all come from different places, backgrounds, and have different things we want out of our servers.

This is about basic, first-pass security, not securing Apache, MySQL, Tomcat, email, or any webapp. The box has an ssh-server, known login, DHCP IP and is ready for other stuff. That is our starting point.

Let’s get started.

As usual, security and convenience ride a fulcrum. As things are easier to use, security usually suffers. That applies to full disk encryption too.

What?

I was reviewing a B-sides talk by Tom Kopchak on defeating full-disk encryption. Tom was able to gain administrative access to a Windows laptop with full-disk encryption enabled. We aren’t always safe.

Recently update the System Maintenance for APT-based Linux PCs article here. Seems that some things that used to be handled automatically are NOT handled automatically anymore.

BTW, the article was published on Lifehacker a few years ago. I based it on their Maintenance for MS-Windows PC article. As you know, maintaining Linux systems ist 100x easier than maintaining MS-Windows.

Most nerds accept that email is not private. We are willing to send unencrypted emails to our friends, family and coworkers because it is convenient. We forget that email is really like a postcard, not a letter, so anyone along the way can read all the contents.

A few people use encrypted email. There are 2 main forms of this – x.509 and gpg. I’ve been using gpg more and more for unimportant communications, because it is my right to have private conversations over the internet. What is said between me and the other party is nobody elses’ business. Really, we are just chatting, but that isn’t the point.

Recently, a brave businessman has probably risked jail by not saying that his company was not asked to provide access to encrypted email sent by customers. There have been 2 encrypted email services shutdown by their owners in the last week. We don’t know why, but suspect a gag order by the US government prevents these businesses from talking.

Last time I checked, the 1st amendment to our Constitution expressly provided for free speech. It says (this is a direct quote):

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

It has been some very sad years since 2001. The terrorist have won. The US government is more of an enemy now than anyone else in the world, I’m sad to say.

While I wouldn’t trust any 3rd party service for my encrypted email needs, I know how difficult and non-convenient using gpg is. It is a hassle, but I encourage everyone to use it for all their emails. What we say in our email is nobody elses damn business. We shouldn’t need to fear what we say privately and shouldn’t have to worry that our more and more oppressive government is reading those conversations.

So, google “how-to gpg email” for your platform and email program and get setup with your own gpg keys. This is very important for people using those free, huge, email providers like gmail.

A few related articles:

• What Petraeus did Wrong
• KeePassX, Pinentry, and Enigmail
• Options to Securely Share Files

Now the government has made me sound like a lunatic, but at least I feel better.